Secure Controls Framework (SCF) version 2023.4

Secure Controls Framework (SCF) High-Level Domains

# | SCF Domain | SCF Identifier | Cybersecurity & Data Privacy by Design (C|P) Principles | Principle Intent
1. Cybersecurity & Data Privacy Governance (GOV)
Principle: Execute a documented, risk-based program that supports business objectives while encompassing appropriate cybersecurity & data protection principles that addresses applicable statutory, regulatory and contractual obligations.
Intent: Organizations specify the development of an organization's cybersecurity & data protection program, including criteria to measure success, to ensure ongoing leadership engagement and risk management.

2. Artificial and Autonomous Technology (AAT)
Principle: Ensure trustworthy and resilient Artificial Intelligence (AI) and autonomous technologies to achieve a beneficial impact by informing, advising or simplifying tasks, while minimizing emergent properties or unintended consequences.
Intent: Organizations ensure Artificial Intelligence (AI) and autonomous technologies are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced. In addition, AI-related risks are governed according to technology-specific considerations to minimize emergent properties or unintended consequences.

3. Asset Management (AST)
Principle: Manage all technology assets from purchase through disposition, both physical and virtual, to ensure secured use, regardless of the asset's location.
Intent: Organizations ensure technology assets are properly managed throughout the lifecycle of the asset, from procurement through disposal, ensuring only authorized devices are allowed to access the organization's network and to protect the organization's data that is stored, processed or transmitted on its assets.

4. Business Continuity & Disaster Recovery (BCD)
Principle: Maintain a resilient capability to sustain business-critical functions while successfully responding to and recovering from incidents through well-documented and exercised processes.
Intent: Organizations establish processes that will help the organization recover from adverse situations with minimal impact to operations, as well as provide the capability for e-discovery.

5. Capacity & Performance Planning (CAP)
Principle: Govern the current and future capacities and performance of technology assets.
Intent: Organizations prevent avoidable business interruptions caused by capacity and performance limitations by proactively planning for growth and forecasting, as well as requiring both technology and business leadership to maintain situational awareness of current and future performance.

6. Change Management (CHG)
Principle: Manage change in a sustainable and ongoing manner that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur.
Intent: Organizations ensure both technology and business leadership proactively manage change, including the assessment, authorization and monitoring of technical changes across the enterprise so as to not impact production systems uptime and allow easier troubleshooting of issues.

7. Cloud Security (CLD)
Principle: Govern cloud instances as an extension of on-premise technologies with equal or greater security protections than the organization's own internal cybersecurity & data privacy controls.
Intent: Organizations govern the use of private and public cloud environments (e.g., IaaS, PaaS and SaaS) to holistically manage risks associated with third-party involvement and architectural decisions, as well as to ensure the portability of data to change cloud providers, if needed.

8. Compliance (CPL)
Principle: Oversee the execution of cybersecurity & data privacy controls to ensure the evidence required for due care and due diligence exists to meet compliance with applicable statutory, regulatory and contractual obligations.
Intent: Organizations ensure controls are in place to ensure adherence to applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards.

9. Configuration Management (CFG)
Principle: Enforce secure configurations according to vendor-recommended and industry-recognized secure practices that enforce the concepts of "least privilege" and "least functionality" for all systems, applications and services.
Intent: Organizations establish and maintain the integrity of systems. Without properly documented and implemented configuration management controls, security features can be inadvertently or deliberately omitted or rendered inoperable, allowing processing irregularities to occur or the execution of malicious code.

10. Continuous Monitoring (MON)
Principle: Maintain situational awareness of security-related events through the centralized collection and analysis of event logs from systems, applications and services.
Intent: Organizations establish and maintain ongoing situational awareness across the enterprise through the centralized collection and review of security-related event logs. Without comprehensive visibility into infrastructure, operating system, database, application and other logs, the organization will have "blind spots" in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources.

11. Cryptographic Protections (CRY)
Principle: Utilize appropriate cryptographic solutions and industry-recognized key management practices to protect the confidentiality and integrity of sensitive/regulated data both at rest and in transit.
Intent: Organizations ensure the confidentiality and integrity of their data through implementing appropriate cryptographic technologies to protect systems, applications, services and data.

12. Data Classification & Handling (DCH)
Principle: Enforce a standardized data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can be followed.
Intent: Organizations ensure that technology assets, both electronic and physical, are properly classified and measures implemented to protect the organization's data from unauthorized disclosure or modification, regardless of whether it is being transmitted or stored. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity and availability of data.

Page 1 of 280
Licensed by Creative Commons Attribution-NoDerivatives
13. Embedded Technology (EMB)
Principle: Provide additional scrutiny to reduce the risks associated with embedded technology, based on the potential damages posed from malicious use of the technology.
Intent: Organizations specify the development, proactive management and ongoing review of the security of embedded technologies, including hardening of the "stack" from the hardware, firmware and software to the transmission and service protocols used for Internet of Things (IoT) and Operational Technology (OT) devices.

14. Endpoint Security (END)
Principle: Harden endpoint devices to protect against reasonable threats to those devices and the data those devices store, transmit and process.
Intent: Organizations ensure that endpoint devices are appropriately protected from security threats to the device and its data. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity, availability and safety considerations.

15. Human Resources Security (HRS)
Principle: Execute sound hiring practices and ongoing personnel management to cultivate a cybersecurity & data privacy-minded workforce.
Intent: Organizations create a cybersecurity & data privacy-minded workforce and an environment that is conducive to innovation, considering issues such as culture, reward and collaboration.

16. Identification & Authentication (IAC)
Principle: Enforce the concept of "least privilege" consistently across all systems, applications and services for individual, group and service accounts through a documented and standardized Identity and Access Management (IAM) capability.
Intent: Organizations implement the concept of "least privilege" through limiting access to the organization's systems and data to authorized users only.

17. Incident Response (IRO)
Principle: Maintain a viable incident response capability that trains personnel on how to recognize and report suspicious activities so that trained incident responders can take the appropriate steps to handle incidents, in accordance with a documented Incident Response Plan (IRP).
Intent: Organizations establish and maintain a viable and tested capability to respond to cybersecurity or data privacy-related incidents in a timely manner, where organizational personnel understand how to detect and report potential incidents.

18. Information Assurance (IAO)
Principle: Execute an impartial assessment process to validate the existence and functionality of appropriate cybersecurity & data privacy controls, prior to a system, application or service being used in a production environment.
Intent: Organizations ensure the adequacy of cybersecurity & data privacy controls in development, testing and production environments.

19. Maintenance (MNT)
Principle: Proactively maintain technology assets, according to current vendor recommendations for configurations and updates, including those supported or hosted by third-parties.
Intent: Organizations ensure that technology assets are properly maintained to ensure continued performance and effectiveness. Maintenance processes apply additional scrutiny to the security of end-of-life or unsupported assets.

20. Mobile Device Management (MDM)
Principle: Implement measures to restrict mobile device connectivity with critical infrastructure and sensitive/regulated data that limit the attack surface and potential data exposure from mobile device usage.
Intent: Organizations govern risks associated with mobile devices, regardless of ownership (organization-owned, employee-owned or third-party owned). Wherever possible, technologies are employed to centrally manage mobile device access and data storage practices.

21. Network Security (NET)
Principle: Architect and implement a secure and resilient defense-in-depth methodology that enforces the concept of "least functionality" through restricting network access to systems, applications and services.
Intent: Organizations ensure sufficient cybersecurity & data privacy controls are architected to protect the confidentiality, integrity, availability and safety of the organization's network infrastructure, as well as to provide situational awareness of activity on the organization's networks.

22. Physical & Environmental Security (PES)
Principle: Protect physical environments through layers of physical security and environmental controls that work together to protect both physical and digital assets from theft and damage.
Intent: Organizations minimize physical access to the organization's systems and data by addressing applicable physical security controls and ensuring that appropriate environmental controls are in place and continuously monitored to ensure equipment does not fail due to environmental threats.

23. Data Privacy (PRI)
Principle: Align data privacy practices with industry-recognized data privacy principles to implement appropriate administrative, technical and physical controls to protect regulated personal data throughout the lifecycle of systems, applications and services.
Intent: Organizations align data privacy engineering decisions with the organization's overall data privacy strategy and industry-recognized leading practices to secure Personal Data (PD), implementing the concept of data privacy by design and by default.

24. Project & Resource Management (PRM)
Principle: Operationalize a viable strategy to achieve cybersecurity & data privacy objectives that establishes cybersecurity as a key stakeholder within project management practices to ensure the delivery of resilient and secure solutions.
Intent: Organizations ensure that security-related projects have both resource and project/program management support to ensure successful project execution.

25. Risk Management (RSK)
Principle: Proactively identify, assess, prioritize and remediate risk through alignment with industry-recognized risk management principles to ensure risk decisions adhere to the organization's risk threshold.
Intent: Organizations ensure that the business unit(s) that own the assets and/or processes involved are made aware of and understand all applicable cybersecurity & data privacy-related risks. The cybersecurity & data privacy teams advise and educate on risk management matters, while it is the business units and other key stakeholders that ultimately own the risk.

26. Secure Engineering & Architecture (SEA)
Principle: Utilize industry-recognized secure engineering and architecture principles to deliver secure and resilient systems, applications and services.
Intent: Organizations align cybersecurity engineering and architecture decisions with the organization's overall technology architectural strategy and industry-recognized leading practices to secure networked environments.

27. Security Operations (OPS)
Principle: Execute the delivery of cybersecurity & data privacy operations to provide quality services and secure systems, applications and services that meet the organization's business needs.
Intent: Organizations ensure appropriate resources and a management structure exist to enable the service delivery of cybersecurity, physical security and data privacy operations.

28. Security Awareness & Training (SAT)
Principle: Foster a cybersecurity & data privacy-minded workforce through ongoing user education about evolving threats, compliance obligations and secure workplace practices.
Intent: Organizations develop a cybersecurity & data privacy-minded workforce through continuous education activities and practical exercises.

29. Technology Development & Acquisition (TDA)
Principle: Develop and/or acquire systems, applications and services according to a Secure Software Development Framework (SSDF) to reduce the potential impact of undetected or unaddressed vulnerabilities and design flaws.
Intent: Organizations ensure that cybersecurity & data privacy principles are implemented into any products/solutions, either developed internally or acquired, to make sure that the concepts of "least privilege" and "least functionality" are incorporated.

30. Third-Party Management (TPM)
Principle: Execute Supply Chain Risk Management (SCRM) practices so that only trustworthy third-parties are used for products and/or service delivery.
Intent: Organizations ensure that cybersecurity & data privacy risks associated with third-parties are minimized and enable measures to sustain operations should a third-party become compromised, untrustworthy or defunct.

31. Threat Management (THR)
Principle: Proactively identify and assess technology-related threats, to both assets and business processes, to determine the applicable risk and necessary corrective action.
Intent: Organizations establish a capability to proactively identify and manage technology-related threats to the cybersecurity & data privacy of the organization's systems, data and business processes.

32. Vulnerability & Patch Management (VPM)
Principle: Leverage industry-recognized Attack Surface Management (ASM) practices to strengthen the security and resilience of systems, applications and services against evolving and sophisticated attack vectors.
Intent: Organizations proactively manage the risks associated with technical vulnerability management, which includes ensuring good patch and change management practices are utilized.

33. Web Security (WEB)
Principle: Ensure the security and resilience of Internet-facing technologies through secure configuration management practices and monitoring for anomalous activity.
Intent: Organizations address the risks associated with Internet-accessible technologies by hardening devices, monitoring system file integrity, enabling auditing, and monitoring for malicious activities.

Secure Controls Framework (SCF) Authoritative Sources

Geography | Mapping Column Header | Source | Authoritative Source - Statutory / Regulatory / Contractual / Industry Framework | Version | URL - Authoritative Source

Universal | AICPA TSC 2017 (SOC 2) | AICPA | Service Organization Control - Trust Services Criteria (TSC) - SOC2 | 2017 | https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
Universal | BSI Standard 200-1 | BSI | BSI Standard 200-1 | 2022 | https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Gr
Universal | CIS CSC v8.0 | CIS | Critical Security Controls (CSC) | 8.0 | https://www.cisecurity.org/controls/v8/
Universal | COBIT 2019 | ISACA | Control Objectives for Information and Related Technologies (COBIT) | 2019 | http://www.isaca.org/COBIT/Pages/COBIT-2019-Framework-Governance-and-Management-Objectives.aspx
Universal | COSO v2017 | COSO | Committee of Sponsoring Organizations (COSO) 2017 Framework | 2017 | https://www.coso.org/Shared%20Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
Universal | CSA CCM v4 | CSA | Cloud Controls Matrix (CCM) | v4 | https://cloudsecurityalliance.org/group/cloud-controls-matrix/#_overview
Universal | CSA IoT SCF v2 | CSA | CSA IoT Security Controls Framework v2 | v2 | https://cloudsecurityalliance.org/artifacts/csa-iot-security-controls-framework-v2/
Universal | ENISA v2.0 | EU | European Union Agency for Network and Information Security (ENISA) | 2.0 | https://resilience.enisa.europa.eu/article-13/guideline-for-minimum-security-measures/Article_13a_ENISA_T
Universal | GAPP | AICPA | Generally Accepted Privacy Principles (GAPP) | N/A | https://www.kscpa.org/writable/files/AICPADocuments/10-229_aicpa_cica_privacy_maturity_model_finalebo
Universal | IEC 62443-4-2 | IEC | IEC 62443-4-2:2019 - Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components | 2019 | https://webstore.iec.ch/publication/34421
Universal | ISO/SAE 21434 v2021 | ISO/SAE | ISO/SAE 21434:2021 - Road vehicles — Cybersecurity engineering | 2021 | https://www.iso.org/standard/70918.html
Universal | ISO 22301 v2019 | ISO | 22301 - Security and resilience — Business continuity management systems — Requirements | 2019 | https://www.iso.org/standard/75106.html
Universal | ISO 27001 v2013 | ISO | 27001 - Information Security Management Systems (ISMS) - Requirements | 2013 | https://www.iso.org/standard/54534.html
Universal | ISO 27001 v2022 | ISO | 27001 - Information Security Management Systems (ISMS) - Requirements | 2022 | https://www.iso.org/standard/27001
Universal | ISO 27002 v2013 | ISO | 27002 - Code of Practice for Information Security Controls | 2013 | https://www.iso.org/standard/54533.html
Universal | ISO 27002 v2022 | ISO | 27002 - Information security, cybersecurity and privacy protection - Information security controls | 2022 | https://www.iso.org/standard/75652.html
Universal | ISO 27017 v2015 | ISO | 27017 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services | 2015 | https://www.iso.org/standard/43757.html
Universal | ISO 27018 v2014 | ISO | 27018 - Code of Practice for PI in Public Clouds Acting as PI Processors | 2014 | https://www.iso.org/standard/61498.html

Universal | ISO 27701 v2019 | ISO | 27701 - Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines | 2019 | https://www.iso.org/standard/71670.html
Universal | ISO 29100 v2011 | ISO | 29100 - Privacy Framework | 2011 | https://www.iso.org/standard/45123.html
Universal | ISO 31000 v2009 | ISO | 31000 - Risk Management | 2009 | https://www.iso.org/iso-31000-risk-management.html
Universal | ISO 31010 v2009 | ISO | 31010 - Risk Assessment Techniques | 2009 | https://www.iso.org/standard/51073.html
Universal | MITRE ATT&CK 10 | MITRE | MITRE ATT&CK - NIST 800-53 mappings | N/A | https://mitre-engenuity.org/blog/2022/01/13/nist-800-53-control-mappings/
Universal | MPA Content Security Program v5.1 | MPA | MPA Content Security Best Practices Common Guidelines | 5.1 | https://www.motionpictures.org/what-we-do/safeguarding-creativity/additional-resources/#content-protecti
Universal | NAIC Insurance Data Security Model Law (MDL-668) | NAIC | Insurance Data Security Model Law (MDL-668) | N/A | https://www.naic.org/store/free/MDL-668.pdf
Universal | NIST Privacy Framework v1.0 | NIST | NIST Privacy Framework | 1.0 | https://www.nist.gov/privacy-framework
Universal | NIST SSDF | NIST | Secure Software Development Framework (SSDF): Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) | N/A | https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04232020.pdf
Universal | NIST 800-37 rev 2 | NIST | SP 800-37 - Guide for Applying the RMF to Federal Information Systems | 2 | https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
Universal | NIST 800-39 | NIST | SP 800-39 - Managing Information Security Risk | N/A | https://csrc.nist.gov/publications/detail/sp/800-39/final
Universal | NIST 800-53 rev4 | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations | 4 | http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Universal | NIST 800-53 rev4 [low] | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations (low baseline) | 4 | http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Universal | NIST 800-53 rev4 [moderate] | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations (moderate baseline) | 4 | http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Universal | NIST 800-53 rev4 [high] | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations (high baseline) | 4 | http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Universal | NIST 800-53 rev5 | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations | 5 | https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Universal | NIST 800-53 rev5 Privacy Baseline [privacy] | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations | 5 | https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Universal | NIST 800-53 rev5 Low Baseline [low] | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations | 5 | https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Universal | NIST 800-53 rev5 Moderate Baseline [moderate] | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations | 5 | https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Universal | NIST 800-53 rev5 High Baseline [high] | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations | 5 | https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Universal | NIST 800-53 rev5 Select Not Otherwise Categorized (NOC) controls [NOC] | NIST | SP 800-53 - Security and Privacy Controls for Information Systems and Organizations | 5 | https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Universal | NIST 800-63B [partial mapping] | NIST | SP 800-63B - Digital Identity Guidelines (partial mapping) | June 2017 | https://pages.nist.gov/800-63-3/sp800-63b.html
Universal | NIST 800-82 rev3 LOW OT Overlay | NIST | SP 800-82 - Guide to Operational Technology (OT) Security | rev 3 | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
Universal | NIST 800-82 rev3 MODERATE OT Overlay | NIST | SP 800-82 - Guide to Operational Technology (OT) Security | rev 3 | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
Universal | NIST 800-82 rev3 HIGH OT Overlay | NIST | SP 800-82 - Guide to Operational Technology (OT) Security | rev 3 | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
Universal | NIST 800-160 | NIST | SP 800-160 - Systems Security Engineering | N/A | https://csrc.nist.gov/publications/detail/sp/800-160/final
Universal | NIST 800-161 rev 1 | NIST | SP 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations | rev 1 | https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
Universal | NIST 800-161 rev 1 C-SCRM Baseline | NIST | SP 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations | rev 1 | https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
Universal | NIST 800-161 rev 1 Flow Down | NIST | SP 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations | rev 1 | https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
Universal | NIST 800-161 rev 1 Level 1 | NIST | SP 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations | rev 1 | https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
Universal | NIST 800-161 rev 1 Level 2 | NIST | SP 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations | rev 1 | https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
Universal | NIST 800-161 rev 1 Level 3 | NIST | SP 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations | rev 1 | https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
Universal | NIST 800-171 rev 2 | NIST | SP 800-171 - Protecting CUI in Nonfederal Systems and Organizations | 2 | https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
Universal | NIST 800-171 rev 3 FPD | NIST | SP 800-171 R3 Final Public Draft (FPD) | Rev 3 FPD | https://csrc.nist.gov/pubs/sp/800/171/r3/fpd
Universal | NIST 800-171A | NIST | SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information | N/A | https://csrc.nist.gov/publications/detail/sp/800-171a/final
Universal | NIST 800-171A rev 3 IPD | NIST | SP 800-171A R3 Initial Public Draft (IPD) | Rev 3 IPD | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171Ar3.ipd.pdf

Universal | NIST 800-172 | NIST | SP 800-172 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets | N/A | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf
Universal | NIST 800-218 v1.1 | NIST | SP 800-218 - Secure Software Development Framework (SSDF) Version 1.1 | v1.1 | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
Universal | NIST CSF v1.1 | NIST | Cybersecurity Framework (CSF) | 1.1 (Apr 19) | https://www.nist.gov/cyberframework
Universal | NIST CSF v2.0 IPD | NIST | Cybersecurity Framework (CSF) 2.0 Initial Public Draft (IPD) | 2.0 IPD | https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf
Universal | OWASP Top 10 v2021 | OWASP | Top 10 Most Critical Web Application Security Risks | 2021 | https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Universal | PCI DSS v3.2 | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) | 3.2 | https://www.pcisecuritystandards.org/document_library
Universal | PCI DSS v4.0 | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) | 4.0 | https://www.pcisecuritystandards.org/document_library
Universal | PCI DSS v4.0 SAQ A | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) - SAQ A | 4.0 | https://www.pcisecuritystandards.org/document_library
Universal | PCI DSS v4.0 SAQ A-EP | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) - SAQ A-EP | 4.0 | https://www.pcisecuritystandards.org/document_library
Universal | PCI DSS v4.0 SAQ B | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) - SAQ B | 4.0 | https://www.pcisecuritystandards.org/document_library
Universal | PCI DSS v4.0 SAQ B-IP | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) - SAQ B-IP | 4.0 | https://www.pcisecuritystandards.org/document_library
Universal | PCI DSS v4.0 SAQ C | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) - SAQ C | 4.0 | https://www.pcisecuritystandards.org/document_library
Universal | PCI DSS v4.0 SAQ C-VT | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) - SAQ C-VT | 4.0 | https://www.pcisecuritystandards.org/document_library
Universal | PCI DSS v4.0 SAQ D Merchant | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) - SAQ D Merchant | 4.0 | https://www.pcisecuritystandards.org/document_library
Universal | PCI DSS v4.0 SAQ D Service Provider | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) - SAQ D Service Provider | 4.0 | https://www.pcisecuritystandards.org/document_library
Universal | PCI DSS v4.0 SAQ P2PE | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) - SAQ P2PE | 4.0 | https://www.pcisecuritystandards.org/document_library
Universal | Shared Assessments SIG 2023 | Shared Assessments | Standard Information Gathering Questionnaire (SIG) | 2023 | https://sharedassessments.org/sig/
Universal | SWIFT CSF v2023 | SWIFT | SWIFT Customer Security Controls Framework | 2021 | https://www.swift.com/myswift/customer-security-programme-csp/security-controls

Universal | TISAX ISA v5.1.0 | TISAX | TISAX ISA | 5.1.0 | https://portal.enx.com/en-us/TISAX/downloads/
Universal | UL 2900-1 | UL | 2900-1 - Software Cybersecurity for Network-Connectable Products | N/A | https://industries.ul.com/cybersecurity/ul-2900-standards-process
Universal | UN R155 | United Nations | UN Regulation No. 155 - Cyber security and cyber security management system | N/A | https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-s
Universal | UN ECE WP.29 | United Nations | UNECE WP.29 | N/A | https://unece.org/fileadmin/DAM/trans/doc/2020/wp29/ECE-TRANS-WP29-2020-079e.pdf
US | US C2M2 v2.1 | Federal | Cybersecurity Capability Maturity Model v2.1 | 2.1 | https://c2m2.doe.gov/
US | US CERT RMM v1.2 | Federal | CERT Resilience Management Model | 1.2 | https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=508084
US | US CISA CPG v2022 | Federal | CISA Cross-Sector Cybersecurity Performance Goals (CPG) | 2022 | https://www.cisa.gov/cpg
US | US CJIS Security Policy 5.9 | Federal | US DOJ / FBI - Criminal Justice Information Services (CJIS) Security Policy | 5.9 | https://www.fbi.gov/file-repository/cjis_security_policy_v5-9_20200601.pdf/view
US | US CMMC 2.0 Level 1 | Federal | Cybersecurity Maturity Model Certification (CMMC) | 1.02 | https://www.acq.osd.mil/cmmc/index.html
US | US CMMC 2.0 Level 2 | Federal | Cybersecurity Maturity Model Certification (CMMC) | 1.02 | https://www.acq.osd.mil/cmmc/index.html
US | US CMMC 2.0 Level 3 | Federal | Cybersecurity Maturity Model Certification (CMMC) | 1.02 | https://www.acq.osd.mil/cmmc/index.html
US | US CMMC 2.1 (draft) Level 1 | Federal | Cybersecurity Maturity Model Certification (CMMC) | 2.1 draft | https://www.reginfo.gov/public/do/PRAICList?ref_nbr=202211-0704-001
US | US CMMC 2.1 (draft) Level 2 | Federal | Cybersecurity Maturity Model Certification (CMMC) | 2.1 draft | https://www.reginfo.gov/public/do/PRAICList?ref_nbr=202211-0704-001
US | US CMMC 2.1 (draft) Level 3 | Federal | Cybersecurity Maturity Model Certification (CMMC) | 2.1 draft | https://www.reginfo.gov/public/do/PRAICList?ref_nbr=202211-0704-001
US | US CMS MARS-E v2.0 | Federal | US Centers for Medicare & Medicaid Services MARS-E Document Suite, Version 2.0 | 2.0 | https://www.cms.gov/CCIIO/Resources/Regulations-and-Guidance/Downloads/3-MARS-E-v2-0-Catalog-of-Security-and-Privacy-Controls-11102015.pdf
US | US COPPA | Federal | Children's Online Privacy Protection Act (COPPA) | N/A | http://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-section6501&edition=prelim
US | US DFARS Cybersecurity 252.204-70xx | Federal | Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 - 7012 | 252.204-7008 | https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm
US | US FACTA | Federal | Fair & Accurate Credit Transactions Act (FACTA) / Fair Credit Reporting Act (FCRA) | N/A | http://www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0111-fair-credit-reporting-act.pdf

Page 8 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) Authoritative Sources


US | US FAR 52.204-21 | Federal | Federal Acquisition Regulation (FAR) | 52.204-21 | https://www.acquisition.gov/far/52.204-21
US | US FAR 52.204-27 | Federal | 52.204-27 Prohibition on a ByteDance Covered Application | 52.204-27 | https://www.acquisition.gov/far/52.204-27
US | US FAR Section 889 | Federal | Federal Acquisition Regulation (FAR) - Section 889 | 889 | https://www.federalregister.gov/documents/2020/07/14/2020-15293/federal-acquisition-regulation-prohibiti
US | US FDA 21 CFR Part 11 | Federal | Food & Drug Administration (FDA) | 21 CFR Part 11 | https://www.gpo.gov/fdsys/pkg/CFR-2012-title21-vol1/pdf/CFR-2012-title21-vol1-part11.pdf
US | US FedRAMP | Federal | Federal Risk and Authorization Management Program (FedRAMP) | R4 | https://www.fedramp.gov/
US | US FedRAMP [low] | Federal | Federal Risk and Authorization Management Program (FedRAMP) (low baseline) | R4 | https://www.fedramp.gov/
US | US FedRAMP [moderate] | Federal | Federal Risk and Authorization Management Program (FedRAMP) (moderate baseline) | R4 | https://www.fedramp.gov/
US | US FedRAMP [high] | Federal | Federal Risk and Authorization Management Program (FedRAMP) (high baseline) | R4 | https://www.fedramp.gov/
US | US FedRAMP [LI-SaaS] | Federal | Federal Risk and Authorization Management Program (FedRAMP) (LI-SaaS baseline) | R4 | https://www.fedramp.gov/
US | US FedRAMP R5 | Federal | Federal Risk and Authorization Management Program (FedRAMP) R5 | R5 | https://www.fedramp.gov/
US | US FedRAMP R5 (low) | Federal | Federal Risk and Authorization Management Program (FedRAMP R5) (low baseline) | R5 | https://www.fedramp.gov/
US | US FedRAMP R5 (moderate) | Federal | Federal Risk and Authorization Management Program (FedRAMP R5) (moderate baseline) | R5 | https://www.fedramp.gov/
US | US FedRAMP R5 (high) | Federal | Federal Risk and Authorization Management Program (FedRAMP R5) (high baseline) | R5 | https://www.fedramp.gov/
US | US FedRAMP R5 (LI-SaaS) | Federal | Federal Risk and Authorization Management Program (FedRAMP R5) (LI-SaaS baseline) | R5 | https://www.fedramp.gov/
US | US FERPA | Federal | Family Educational Rights and Privacy Act (FERPA) | N/A | https://www.gpo.gov/fdsys/pkg/USCODE-2010-title20/pdf/USCODE-2010-title20-chap31-subchapIII-part4-sec
US | US FFIEC | Federal | Federal Financial Institutions Examination Council (FFIEC) | N/A | https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf
US | US FINRA | Federal | Financial Industry Regulatory Authority (FINRA) | N/A | http://www.finra.org/industry/cybersecurity
US | US FTC Act | Federal | Federal Trade Commission (FTC) Act | N/A | https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act


US | US GLBA CFR 314 | Federal | Gramm Leach Bliley Act (GLBA) | CFR 314 | https://www.federalregister.gov/documents/2021/12/09/2021-25736/standards-for-safeguarding-customer-
US | US HIPAA | Federal | Health Insurance Portability and Accountability Act (HIPAA) | N/A | https://www.hhs.gov/hipaa/for-professionals/security/index.html
US | HIPAA - HICP Small Practice | Federal | Health Industry Cybersecurity Practices (HICP) - Small Practice | N/A | https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx
US | HIPAA - HICP Medium Practice | Federal | Health Industry Cybersecurity Practices (HICP) - Medium Practice | N/A | https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx
US | HIPAA - HICP Large Practice | Federal | Health Industry Cybersecurity Practices (HICP) - Large Practice | N/A | https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx
US | US IRS 1075 | Federal | Internal Revenue Service (IRS) 1075 | N/A | https://www.irs.gov/pub/irs-pdf/p1075.pdf
US | ITAR Part 120 [limited] | Federal | International Traffic in Arms Regulation (ITAR) [limited to Part 120] | N/A | https://www.ecfr.gov/cgi-bin/text-idx?SID=70e390c181ea17f847fa696c47e3140a&mc=true&node=pt22.1.12
US | US NERC CIP | Federal | North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) | N/A | http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
US | US NISPOM | Federal | National Industrial Security Program Operating Manual (NISPOM) | N/A | http://www.dss.mil/documents/odaa/nispom2006-5220.pd
US | US NNPI (unclass) | Federal | Naval Nuclear Propulsion Information (NNPI) | N/A | https://www.secnav.navy.mil/doni/Directives/09000%20General%20Ship%20Design%20and%20Support/09-2
US | US NSTC NSPM-33 | Federal | National Science & Technology Council (NSTC) NSPM-33 | N/A | https://www.whitehouse.gov/wp-content/uploads/2022/01/010422-NSPM-33-Implementation-Guidance.pdf
US | US Privacy Shield | Federal | Privacy Shield | N/A | https://www.privacyshield.gov/article?id=Requirements-of-Participation
US | US SEC Cybersecurity Rule | Federal | Cybersecurity Final Rule (Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure) - 17 CFR Parts 229, 232, 239, 240, and 249 | N/A | https://www.sec.gov/files/rules/final/2023/33-11216.pdf
US | US SOX | Federal | Sarbanes Oxley Act (SOX) | N/A | http://www.sec.gov/about/laws/soa2002.pdf
US | US SSA EIESR v8.0 | Federal | Social Security Administration (SSA) Electronic Information Exchange Security Requirements | 8.0 | https://www.ssa.gov/dataexchange/security.html
US | StateRAMP Low Category 1 | State | StateRAMP Low (Category 1) | N/A | https://stateramp.org/documents/
US | StateRAMP Low+ Category 2 | State | StateRAMP Low+ (Category 2) | N/A | https://stateramp.org/documents/
US | StateRAMP Moderate Category 3 | State | StateRAMP Moderate (Category 3) | N/A | https://stateramp.org/documents/


US | US - AK PIPA | State | AK - Alaska Personal Information Protection Act (PIPA) | N/A | http://law.alaska.gov/department/civil/consumer/4548.html
US | US - CA SB327 | State | CA - SB327 | N/A | https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
US | US-CA CPRA (Nov 2022) | State | California Privacy Rights Act (CPRA) - November 2022 version | November 2022 | https://cppa.ca.gov/regulations/pdf/20221102_mod_text.pdf
US | US - CA SB1386 | State | CA - SB1386 | N/A | https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=200120020SB1386
US | US - CO Colorado Privacy Act | State | CO - Colorado Privacy Act | N/A | https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf
US | US - IL BIPA | State | Illinois Biometric Information Privacy Act (BIPA) | N/A | https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
US | US - IL IPA | State | Illinois Identity Protection Act (IPA) | N/A | https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3174&ChapterID=2
US | US - IL PIPA | State | IL - Illinois Personal Information Protection Act (PIPA) | N/A | https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67
US | US - MA 201 CMR 17.00 | State | MA - 201 CMR 17.00 | N/A | http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
US | US - NV SB220 | State | NV - SB220 | N/A | https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6365/Tex
US | US - NY DFS 23 NYCRR500 | State | NY - NY DFS 23NYCRR500 | N/A | http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
US | US - NY SHIELD Act S5575B | State | NY - SHIELD Act (SB S5575B) | N/A | https://legislation.nysenate.gov/pdf/bills/2019/s5575b
US | US - OR 646A | State | OR - ORS 646A | N/A | https://www.oregonlegislature.gov/bills_laws/ors/ors646a.html
US | US - SC Insurance Data Security Act | State | SC - South Carolina Insurance Data Security Act | N/A | https://www.scstatehouse.gov/sess122_2017-2018/bills/4655.htm
US | US - TX BC521 | State | TX - BC521 | N/A | http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
US | US-TX Cybersecurity Act | State | TX - Cybersecurity Act | N/A | http://www.legis.state.tx.us/tlodocs/85R/billtext/pdf/HB00008F.pdf#navpanes=0
US | US-TX DIR Control Standards 2.0 | State | TX - DIR Security Control Standards Catalog | 2.0 | https://dir.texas.gov/resource-library-item/security-controls-standards-catalog
US | US-TX TX-RAMP | State | TX - Texas Risk & Authorization Management Program (TX-RAMP) | N/A | http://dir.texas.gov/texas-risk-and-authorization-management-program-tx-ramp


US | US-TX SB820 | State | TX - 2019 - SB820 | N/A | https://www.legiscan.com/TX/text/SB820/id/2027614/Texas-2019-SB820-Enrolled.html
US | US-VA CDPA 2023 | State | Virginia Consumer Data Protection Act | 2023 | https://lis.virginia.gov/cgi-bin/legp604.exe?212+ful+CHAP0035+pdf
US | US-VT Act 171 of 2018 | State | VT - Act 171 of 2018 (Data Broker Registration Act) | N/A | https://legislature.vermont.gov/Documents/2018/Docs/ACTS/ACT171/ACT171%20As%20Enacted.pdf
EMEA | EMEA EU EBA GL/2019/04 | EU | European Banking Authority (EBA) Guidelines on ICT and security risk management | N/A | https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-m
EMEA | EMEA EU DORA | EU | EU Digital Operational Resilience Act (DORA) | 2023 | https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R2554&from=EN
EMEA | EMEA EU ePrivacy [draft] | EU | ePrivacy Directive | draft | http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=41241
EMEA | EMEA EU GDPR | EU | General Data Protection Regulation (GDPR) | N/A | http://ec.europa.eu/justice/data-protection/reform/index_en.htm
EMEA | EMEA EU NIS2 | EU | ENISA NIS2 (Directive (EU) 2022/2555) | N/A | https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new
EMEA | EMEA EU PSD2 | EU | Second Payment Services Directive (PSD2) | N/A | https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%2
EMEA | EMEA EU EU-US Data Privacy Framework | EU | EU-US Data Privacy Framework | N/A | https://www.dataprivacyframework.gov/s/
EMEA | EMEA Austria | Austria | Federal Act concerning the Protection of Personal Data (DSG 2000) | N/A | https://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.pdf
EMEA | EMEA Belgium | Belgium | Act of 8 December 1992 | N/A | http://www.privacycommission.be/sites/privacycommission/files/documents/Privacy_Act_1992.pdf
EMEA | EMEA Czech Republic | Czech Republic | Act No. 101/2000 on the Protection of Personal Data | N/A | https://www.uoou.cz/en/vismo/zobraz_dok.asp?id_ktg=1107&p1=1107
EMEA | EMEA Denmark | Denmark | Act on Processing of Personal Data (Act No. 429 of May 31, 2000) | N/A | http://www.datatilsynet.dk/english/the-act-on-processing-of-personal-data/read-the-act-on-processing-of-pe
EMEA | EMEA Finland | Finland | Personal Data Act (986/2000) | N/A | http://www.finlex.fi/en/laki/kaannokset/1999/en19990523.pdf
EMEA | EMEA France | France | 78 17 / 2004 8021 - Information Technology, Data Files & Civil Liberty | N/A | http://www.cnil.fr/fileadmin/documents/en/Act78-17VA.pdf
EMEA | EMEA Germany | Germany | Federal Data Protection Act | N/A | https://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.pdf
EMEA | EMEA Germany Banking Supervisory Requirements for IT (BAIT) | Germany | Banking Supervisory Requirements for IT (BAIT) | N/A | https://www.bafin.de/SharedDocs/Downloads/EN/Rundschreiben/dl_rs_1710_ba_BAIT_en.html;jsessionid=C


EMEA | EMEA Germany C5:2020 | Germany | Cloud Computing Compliance Controls Catalogue (C5) | 2020 | https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Criteria_Catalogue/Compliance_Criteria_C
EMEA | EMEA Greece | Greece | Protection of Individuals with Regard to the Processing of Personal Data (2472/1997) | N/A | http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/LEGAL%20FRAMEWORK/LAW%202472-97
EMEA | EMEA Hungary | Hungary | Informational Self-Determination and Freedom of Information (Act CXII of 2011) | N/A | http://www.naih.hu/files/Privacy_Act-CXII-of-2011_EN_201310.pdf
EMEA | EMEA Ireland | Ireland | Data Protection Act (2003) | N/A | http://www.irishstatutebook.ie/2003/en/act/pub/0006/print.html
EMEA | EMEA Israel CDMO v1.0 | Israel | Cybersecurity Methodology for an Organization | 1.0 | https://www.gov.il/BlobFolder/policy/cyber_security_methodology_for_organizations/he/Cyber1.0_english_
EMEA | EMEA Israel | Israel | Protection of Privacy Law, 5741 – 1981 | N/A | http://unpan1.un.org/intradoc/groups/public/documents/UN-DPADM/UNPAN041914.pdf
EMEA | EMEA Italy | Italy | Personal Data Protection Code | N/A | http://www.privacy.it/privacycode-en.html
EMEA | EMEA Kenya DPA 2019 | Kenya | Kenya Data Protection Act | 2019 | http://kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/2019/TheDataProtectionAct__No24of2019.pdf
EMEA | EMEA Luxembourg | Luxembourg | Protection of Persons with Regard to the Processing of Personal Data | N/A | http://www.cnpd.public.lu/fr/legislation/droit-lux/doc_loi02082002_en.pdf
EMEA | EMEA Netherlands | Netherlands | Personal Data Protection Act | N/A | https://www.akd.nl/t/Documents/17-03-2016_ENG_Wet-bescherming-persoonsgegevens.pdf
EMEA | EMEA Nigeria DPR 2019 | Nigeria | Nigeria Data Protection Regulation | 2019 | https://nitda.gov.ng/wp-content/uploads/2020/11/NigeriaDataProtectionRegulation11.pdf
EMEA | EMEA Norway | Norway | Personal Data Act | N/A | https://www.datatilsynet.no/en/regulations-and-tools/regulations-and-decisions/norwegian-privacy-law/pers
EMEA | EMEA Poland | Poland | Act of 29 August 1997 on the Protection of Personal Data | N/A | http://www.giodo.gov.pl/144/id_art/171/j/en/
EMEA | EMEA Portugal | Portugal | Act on the Protection of Personal Data | N/A | https://www.cnpd.pt/english/bin/legislation/Law6798EN.HTM
EMEA | EMEA Qatar PDPPL | Qatar | Personal Data Privacy Protection Law (PDPPL) | N/A | https://compliance.qcert.org/sites/default/files/library/2020-11/Law%20No.%20%2813%29%20of%202016%
EMEA | EMEA Russia | Russia | Federal Law of 27 July 2006 N 152-FZ | N/A | http://www.rg.ru/2006/07/29/personaljnye-dannye-dok.html
EMEA | EMEA Saudi Arabia Critical Security Controls (May 2017) | Saudi Arabia | Saudi Arabian Monetary Authority - Cyber Security Framework | Version 1.0 | https://www.sama.gov.sa/en-US/Laws/FinanceRules/SAMA%20Cyber%20Security%20Framework%20v1.0%20
EMEA | EMEA Saudi Arabia SACS-002 | Saudi Arabia | SACS-002 - Third Party Cybersecurity Standard | N/A | https://www.aramco.com/-/media/downloads/working-with-us/ccc/sacs-002-third-party-cybersecurity-stand


EMEA | EMEA Saudi Arabia SAMA CSFv1.0 | Saudi Arabia | Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (CSF) | 2017 v1 | https://www.sama.gov.sa/en-US/Laws/FinanceRules/SAMA%20Cyber%20Security%20Framework%20v1.0%20
EMEA | EMEA Saudi Arabia ECC-1 2018 | Saudi Arabia | Essential Cybersecurity Controls (ECC – 1 : 2018) | 2018 | https://nca.gov.sa/files/ecc-en.pdf
EMEA | EMEA Saudi Arabia OTCC-1 2022 | Saudi Arabia | Operational Technology Cybersecurity Controls (OTCC -1: 2022) | 2022 | https://nca.gov.sa/otcc_en.pdf
EMEA | EMEA Serbia 87/2018 | Serbia | Act of 9 November 2018 on Personal Data Protection (Official Gazette No. 87/18) | N/A | http://www.ilo.org/dyn/natlex/natlex4.detail?p_lang=en&p_isn=109270&p_count=55&p_classification=01#:~
EMEA | EMEA Slovak Republic | Slovak Republic | Protection of Personal Data (122/2013) | N/A | https://www.dataprotection.gov.sk/uoou/sites/default/files/kcfinder/files/Act_122-2013_84-2014_en.pdf
EMEA | EMEA South Africa | South Africa | Protection of Personal Information Act (POPIA) | N/A | http://www.justice.gov.za/legislation/acts/2013-004.pdf
EMEA | EMEA Spain | Spain | Royal Decree 1720/2007 (protection of personal data) | N/A | https://www.mjusticia.gob.es/es/AreaTematica/DocumentacionPublicaciones/Documents/Royal_Decree_app
EMEA | EMEA Spain CCN-STIC 825 | Spain | ICT Security Guide CCN-STIC 825 | N/A | https://www.ccn-cert.cni.es/series-ccn-stic/800-guia-esquema-nacional-de-seguridad/2148-ccn-stic-825-ens-n
EMEA | EMEA Sweden | Sweden | Personal Data Act | N/A | http://www.datainspektionen.se/in-english/legislation/the-personal-data-act/
EMEA | EMEA Switzerland | Switzerland | Federal Act on Data Protection (FADP) | N/A | https://www.admin.ch/opc/en/classified-compilation/19920153/index.html
EMEA | EMEA Turkey | Turkey | Regulation on Protection of Personal Data in Electronic Communications Sector | N/A | https://global.tbmm.gov.tr/docs/constitution_en.pdf
EMEA | EMEA UAE | UAE | Data Protection Law No. 1 of 2007 | N/A | https://www.difc.ae/files/5814/5448/9177/Data_Protection_Law_DIFC_Law_No._1_of_2007.pdf
EMEA | EMEA UK CAF v3.1 | United Kingdom | Cyber Assessment Framework | 3.1 | https://www.ncsc.gov.uk/files/Cyber-Assessment-Framework-v3-1.pdf
EMEA | EMEA UK CAP 1850 | United Kingdom | Cyber Assessment Framework (CAF) for Aviation Guidance (CAP1850) | N/A | https://publicapps.caa.co.uk/modalapplication.aspx?appid=11&mode=detail&id=9295
EMEA | EMEA UK Cyber Essentials | United Kingdom | Cyber Essentials | N/A | https://www.cyberessentials.ncsc.gov.uk
EMEA | EMEA UK DPA | United Kingdom | Data Protection Act | N/A | http://www.legislation.gov.uk/ukpga/1998/29/contents
EMEA | EMEA UK GDPR | United Kingdom | UK General Data Protection Regulation | N/A | https://www.legislation.gov.uk/eur/2016/679/data.pdf
APAC | APAC Australia Essential 8 ML 1 | Australia | Australia Essential Eight | N/A | https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essen


APAC | APAC Australia Essential 8 ML 2 | Australia | Australia Essential Eight | N/A | https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essen
APAC | APAC Australia Essential 8 ML 3 | Australia | Australia Essential Eight | N/A | https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essen
APAC | APAC Australia Privacy Act | Australia | Privacy Act of 1998 | N/A | https://www.comlaw.gov.au/Details/C2015C00089
APAC | APAC Australia ISM 2022 | Australia | Australian Government Information Security Manual (ISM) | December 2022 | https://www.cyber.gov.au/acsc/view-all-content/ism
APAC | APAC Australia IoT Code of Practice | Australia | Australia - Code of Practice - Securing the Internet of Things for Consumers | N/A | https://www.homeaffairs.gov.au/reports-and-pubs/files/code-of-practice.pdf
APAC | APAC Australia Prudential Standard CPS230 | Australia | Prudential Standard CPS 230 - Operational Risk Management | N/A | https://www.apra.gov.au/sites/default/files/2023-07/Prudential%20Standard%20CPS%20230%20Operational
APAC | APAC Australia Prudential Standard CPS 234 | Australia | Prudential Standard CPS 234 Information Security | N/A | https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf
APAC | APAC Australia Privacy Principles | Australia | Australia Privacy Principles | N/A | https://www.homeaffairs.gov.au/reports-and-pubs/files/code-of-practice.pdf
APAC | APAC China DNSIP | China | Decision on Strengthening Network Information Protection | N/A | http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.gov.cn/jrzg/2012-12/28/content_2301
APAC | APAC Hong Kong | Hong Kong | Personal Data Ordinance | N/A | http://www.blis.gov.hk/blis_pdf.nsf/CurAllEngDoc/B4DF8B4125C4214D482575EF000EC5FF/$FILE/CAP_486_e
APAC | APAC India ITR | India | Information Technology Rules (Privacy Rules) | N/A | http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf
APAC | APAC Indonesia | Indonesia | Government Regulation No. 82 of 2012 | N/A | http://uk.practicallaw.com/4-583-2387
APAC | APAC Japan APPI | Japan | Act on the Protection of Personal Information | June 2020 | https://www.ppc.go.jp/files/pdf/APPI_english.pdf
APAC | APAC Japan ISMAP | Japan | Japan Information System Security Management and Assessment Program (ISMAP) | N/A | https://www.ismap.go.jp/csm/en?id=kb_article_view&sysparm_article=KB0010301&sys_kb_id=4d06b8701b4f011013a78665cc4bcbd2&spa=1
APAC | APAC Malaysia | Malaysia | Personal Data Protection Act of 2010 | N/A | http://www.kkmm.gov.my/pdf/Personal%20Data%20Protection%20Act%202010.pdf
APAC | APAC New Zealand Health ISF | New Zealand | NZ Health Information Security Framework | N/A | https://www.health.govt.nz/system/files/documents/publications/health-information-security-framework-de
APAC | APAC New Zealand NZISM 3.6 | New Zealand | New Zealand Information Security Manual (NZISM) | 3.6 | https://www.nzism.gcsb.govt.nz/ism-document/
APAC | APAC New Zealand Privacy Act of 2020 | New Zealand | Privacy Act of 2020 | 2020 | https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html


APAC | APAC Philippines | Philippines | Data Privacy Act of 2012 | N/A | https://privacy.gov.ph/implementing-rules-and-regulations-of-republic-act-no-10173-known-as-the-data-priv
APAC | APAC Singapore | Singapore | Personal Data Protection Act of 2012 | N/A | http://statutes.agc.gov.sg/aol/download/0/0/pdf/binaryFile/pdfFile.pdf?CompId:2f46a4ee-0962-49e4-8e8d-e
APAC | APAC Singapore Cyber Hygiene Practice | Singapore | Cyber Hygiene Practice | N/A | https://www.mas.gov.sg/-/media/MAS/Notices/PDF/MAS-Notice-132.pdf
APAC | APAC Singapore MAS TRM 2021 | Singapore | Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines | 2021 | https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Fram
APAC | APAC South Korea | South Korea | Personal Information Protection Act | N/A | http://koreanlii.or.kr/w/images/0/0e/KoreanDPAct2011.pdf
APAC | APAC Taiwan | Taiwan | Personal Data Protection Act | N/A | http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050021
Americas | Americas Argentina | Argentina | Protection of Personal Data Law No. 25,326 | N/A | http://www.infoleg.gov.ar/infolegInternet/anexos/60000-64999/64790/norma.htm
Americas | Americas Argentina Reg 132/2018 | Argentina | Protection of Personal Data - MEN-2018-147-APN-PTE | N/A | https://www.argentina.gob.ar/sites/default/files/mensaje_ndeg_147-2018_datos_personales.pdf
Americas | Americas Bahamas | Bahamas | Data Protection Act | N/A | http://laws.bahamas.gov.bs/cms/images/LEGISLATION/PRINCIPAL/2003/2003-0003/DataProtectionPrivacyofP
Americas | Americas Bermuda BMA CCC | Bermuda | Bermuda Monetary Authority Cyber Code of Conduct | N/A | https://www.bma.bm/viewPDF/documents/2020-10-06-09-27-29-Insurance-Sector-Cyber-Risk-Management-
Americas | Americas Brazil | Brazil | General Data Protection Law (LGPD) | N/A | https://www.pnm.adv.br/wp-content/uploads/2018/08/Brazilian-General-Data-Protection-Law.pdf
Americas | Americas Canada CSAG | Canada | Office of the Superintendent of Financial Institutions Canada (OSFI) - Cyber Security Self-Assessment Guidance | N/A | https://www.osfi-bsif.gc.ca/Eng/Docs/cbrsk.pdf
Americas | Americas Canada OSFI B-13 | Canada | B-13 | N/A | https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/b13-jul-let.aspx
Americas | Americas Canada PIPEDA | Canada | Personal Information Protection and Electronic Documents Act (PIPEDA) | N/A | http://laws-lois.justice.gc.ca/eng/acts/p-8.6/FullText.html
Americas | Americas Chile | Chile | Act 19628 - Protection of Personal Data | N/A | http://www.leychile.cl/Navegar?idNorma=141599
Americas | Americas Colombia | Colombia | Law 1581 of 2012 | N/A | http://www.secretariasenado.gov.co/senado/basedoc/ley_1581_2012.html

version 2023.4 Secure Controls Framework (SCF) 03/12/2024

SCF Domain | SCF Control | SCF # | Secure Controls Framework (SCF) Control Description | Methods To Comply With SCF Controls | Evidence Request List (ERL) # | SCF Control Question | Relative Control Weighting | Function Grouping | SCRM Tier 1 (Strategic) / Tier 2 (Operational) / Tier 3 (Tactical)
Cybersecurity & Data Protection Governance | Cybersecurity & Data Protection Governance Program | GOV-01 | Mechanisms exist to facilitate the implementation of cybersecurity & data protection governance controls. | Steering committee; Digital Security Program (DSP); Cybersecurity & Data Protection Program (CDPP) | E-GOV-01; E-GOV-02 | Does the organization facilitate the implementation of cybersecurity & data protection governance controls? | 10 | Identify | X X X
Cybersecurity & Data Protection Governance | Steering Committee & Program Oversight | GOV-01.1 | Mechanisms exist to coordinate cybersecurity, data protection and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data privacy and business executives, which meets formally and on a regular basis. | Steering committee; Digital Security Program (DSP); Cybersecurity & Data Protection Program (CDPP) | E-GOV-03 | Does the organization coordinate cybersecurity, data protection and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data privacy and business executives, which meets formally and on a regular basis? | 7 | Identify | X X
Cybersecurity & Data Protection Governance | Status Reporting To Governing Body | GOV-01.2 | Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's cybersecurity & data protection program. | | E-CPL-05; E-CPL-09; E-GOV-03; E-GOV-04; E-GOV-05; E-GOV-06; E-GOV-07; E-GOV-13 | Does the organization provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's cybersecurity & data protection program? | 5 | Identify | X X
Cybersecurity & Data Protection Governance | Publishing Cybersecurity & Data Protection Documentation | GOV-02 | Mechanisms exist to establish, maintain and disseminate cybersecurity & data protection policies, standards and procedures. | Steering committee; Digital Security Program (DSP); Cybersecurity & Data Protection Program (CDPP); Governance, Risk and Compliance Solution (GRC) tool (SCFConnect, SureCloud, Ostendio, ZenGRC, Archer, RSAM, MetricStream, etc.); Wiki; SharePoint | E-GOV-08; E-GOV-09; E-GOV-11 | Does the organization establish, maintain and disseminate cybersecurity & data protection policies, standards and procedures? | 10 | Identify | X X X
Cybersecurity & Data Protection Governance | Exception Management | GOV-02.1 | Mechanisms exist to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded. | | | Does the organization prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded? | 8 | Protect | X X X
Cybersecurity & Data Protection Governance | Periodic Review & Update of Cybersecurity & Data Protection Program | GOV-03 | Mechanisms exist to review the cybersecurity & data privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. | Governance, Risk and Compliance Solution (GRC) tool (SCFConnect, SureCloud, Ostendio, ZenGRC, Archer, RSAM, MetricStream, etc.); Steering committee | E-GOV-12 | Does the organization review the cybersecurity & data privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness? | 7 | Identify | X X X
Cybersecurity & Data Protection Governance | Assigned Cybersecurity & Data Protection Responsibilities | GOV-04 | Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity & data protection program. | NIST NICE Framework; Chief Information Security Officer (CISO) | E-HRS-01; E-HRS-05; E-HRS-06; E-HRS-07; E-HRS-08; E-HRS-09; E-HRS-10; E-HRS-13; E-HRS-15 | Does the organization assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity & data protection program? | 10 | Identify | X X X
Cybersecurity & Data Protection Governance | Stakeholder Accountability Structure | GOV-04.1 | Mechanisms exist to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks. | Documented roles and responsibilities | E-HRS-15 | Does the organization enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks? | 8 | Identify | X X X
Cybersecurity & Data Protection Governance | Authoritative Chain of Command | GOV-04.2 | Mechanisms exist to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks. | Organization chart | E-HRS-15 | Does the organization establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks? | 7 | Identify | X X X
Cybersecurity & Data Protection Governance | Measures of Performance | GOV-05 | Mechanisms exist to develop, report and monitor cybersecurity & data privacy program measures of performance. | Metrics; Governance, Risk and Compliance Solution (GRC) tool (SCFConnect, SureCloud, Ostendio, ZenGRC, Archer, RSAM, MetricStream, etc.); Enterprise Risk Management (ERM) solution | E-GOV-13 | Does the organization develop, report and monitor cybersecurity & data privacy program measures of performance? | 6 | Protect | X X
Cybersecurity & Data Protection Governance | Key Performance Indicators (KPIs) | GOV-05.1 | Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program. | Key Performance Indicators (KPIs) | | Does the organization develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program? | 6 | Protect | X
Cybersecurity & Data Protection Governance | Key Risk Indicators (KRIs) | GOV-05.2 | Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program. | Key Risk Indicators (KRIs) | | Does the organization develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program? | 6 | Protect | X

17 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) 03/12/2024

GOV-06 Contacts With Authorities
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.
Methods to comply:
- Threat intelligence personnel
- Integrated Security Incident Response Team (ISIRT)
Control question: Does the organization identify and document appropriate contacts with relevant law enforcement and regulatory bodies?
Relative weighting: 5 | Function: Identify | Marked columns: X

GOV-07 Contacts With Groups & Associations
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & data privacy communities to:
▪ Facilitate ongoing cybersecurity & data privacy education and training for organizational personnel;
▪ Maintain currency with recommended cybersecurity & data privacy practices, techniques and technologies; and
▪ Share current cybersecurity and/or data privacy-related information including threats, vulnerabilities and incidents.
Methods to comply:
- SANS
- CISO Executive Network
- ISACA chapters
- IAPP chapters
- ISSA chapters
ERL #: E-THR-02
Control question: Does the organization establish contact with selected groups and associations within the cybersecurity & data privacy communities to:
▪ Facilitate ongoing cybersecurity & data privacy education and training for organizational personnel;
▪ Maintain currency with recommended cybersecurity & data privacy practices, techniques and technologies; and
▪ Share current cybersecurity and/or data privacy-related information including threats, vulnerabilities and incidents?
Relative weighting: 7 | Function: Identify | Marked columns: X X

GOV-08 Defining Business Context & Mission
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to define the context of its business model and document the mission of the organization.
ERL #: E-PRM-01
Control question: Does the organization define the context of its business model and document the mission of the organization?
Relative weighting: 5 | Function: Identify | Marked columns: X

GOV-09 Define Control Objectives
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system.
ERL #: E-GOV-10
Control question: Does the organization establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system?
Relative weighting: 5 | Function: Identify | Marked columns: X X

GOV-10 Data Governance
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.
Control question: Does the organization facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations?
Relative weighting: 9 | Function: Protect | Marked columns: X

GOV-11 Purpose Validation
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose.
Control question: Does the organization monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose?
Relative weighting: 5 | Function: Identify | Marked columns: X X

GOV-12 Forced Technology Transfer (FTT)
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.
Methods to comply:
- Board of Directors (BoD) Ethics Committee
Control question: Does the organization avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices?
Relative weighting: 10 | Function: Protect | Marked columns: X X

GOV-13 State-Sponsored Espionage
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.
Methods to comply:
- Board of Directors (BoD) Ethics Committee
Control question: Does the organization constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities?
Relative weighting: 10 | Function: Protect | Marked columns: X X

GOV-14 Business As Usual (BAU) Secure Practices
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement.
Control question: Does the organization incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement?
Relative weighting: 6 | Function: Protect | Marked columns: X X

GOV-15 Operationalizing Cybersecurity & Data Protection Practices
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to compel data and/or process owners to operationalize cybersecurity & data privacy practices for each system, application and/or service under their control.
Control question: Does the organization compel data and/or process owners to operationalize cybersecurity & data privacy practices for each system, application and/or service under their control?
Relative weighting: 9 | Function: Protect | Marked columns: X X

GOV-15.1 Select Controls
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to compel data and/or process owners to select required cybersecurity & data privacy controls for each system, application and/or service under their control.
Control question: Does the organization compel data and/or process owners to select required cybersecurity & data privacy controls for each system, application and/or service under their control?
Relative weighting: 8 | Function: Protect | Marked columns: X X

GOV-15.2 Implement Controls
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to compel data and/or process owners to implement required cybersecurity & data privacy controls for each system, application and/or service under their control.
Control question: Does the organization compel data and/or process owners to implement required cybersecurity & data privacy controls for each system, application and/or service under their control?
Relative weighting: 9 | Function: Protect | Marked columns: X X

GOV-15.3 Assess Controls
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to compel data and/or process owners to assess if required cybersecurity & data privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended.
Control question: Does the organization compel data and/or process owners to assess if required cybersecurity & data privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended?
Relative weighting: 8 | Function: Protect | Marked columns: X X


GOV-15.4 Authorize Systems, Applications & Services
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control.
Control question: Does the organization compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control?
Relative weighting: 8 | Function: Protect | Marked columns: X X

GOV-15.5 Monitor Controls
Domain: Cybersecurity & Data Protection Governance
Control: Mechanisms exist to compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity & data privacy controls are operating as intended.
Control question: Does the organization compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity & data privacy controls are operating as intended?
Relative weighting: 8 | Function: Protect | Marked columns: X X

AAT-01 Artificial Intelligence (AI) & Autonomous Technologies Governance
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.
Control question: Does the organization ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively?
Relative weighting: 10 | Function: Identify | Marked columns: X X

AAT-01.1 AI & Autonomous Technologies-Related Legal Requirements Definition
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 8 | Function: Identify | Marked columns: X X

AAT-01.2 Trustworthy AI & Autonomous Technologies
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences.
Control question: Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences?
Relative weighting: 10 | Function: Protect | Marked columns: X X

AAT-01.3 AI & Autonomous Technologies Value Sustainment
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 1 | Function: Identify | Marked columns: X X

AAT-02 Situational Awareness of AI & Autonomous Technologies
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party).
Control question: Does the organization develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party)?
Relative weighting: 9 | Function: Identify | Marked columns: X X X

AAT-02.1 AI & Autonomous Technologies Risk Mapping
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements.
Control question: Does the organization identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements?
Relative weighting: 9 | Function: Identify | Marked columns: X X X

AAT-02.2 AI & Autonomous Technologies Internal Controls
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 9 | Function: Identify | Marked columns: X X X

AAT-03 AI & Autonomous Technologies Context Definition
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including:
▪ Intended purposes;
▪ Potentially beneficial uses;
▪ Context-specific laws and regulations;
▪ Norms and expectations; and
▪ Prospective settings in which the system(s) will be deployed.
Control question: Does the organization establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including:
▪ Intended purposes;
▪ Potentially beneficial uses;
▪ Context-specific laws and regulations;
▪ Norms and expectations; and
▪ Prospective settings in which the system(s) will be deployed?
Relative weighting: 8 | Function: Identify | Marked columns: X X

AAT-03.1 AI & Autonomous Technologies Mission and Goals Definition
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to define and document the organization’s mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization define and document the organization’s mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 8 | Function: Identify | Marked columns: X X X

AAT-04 AI & Autonomous Technologies Business Case
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 8 | Function: Identify | Marked columns: X X X

AAT-04.1 AI & Autonomous Technologies Potential Benefits Analysis
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 2 | Function: Identify | Marked columns: X X


AAT-04.2 AI & Autonomous Technologies Potential Costs Analysis
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness.
Control question: Does the organization assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness?
Relative weighting: 2 | Function: Identify | Marked columns: X X

AAT-04.3 AI & Autonomous Technologies Targeted Application Scope
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 8 | Function: Identify | Marked columns: X X X

AAT-04.4 AI & Autonomous Technologies Cost / Benefit Mapping
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data.
Control question: Does the organization map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data?
Relative weighting: 2 | Function: Identify | Marked columns: X X

AAT-05 AI & Autonomous Technologies Training
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 5 | Function: Identify | Marked columns: X X

AAT-06 AI & Autonomous Technologies Fairness & Bias
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin, disability or any other politically-charged identifier.
Control question: Does the organization prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin, disability or any other politically-charged identifier?
Relative weighting: 9 | Function: Identify | Marked columns: X

AAT-07 AI & Autonomous Technologies Risk Management Decisions
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.
Control question: Does the organization leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks?
Relative weighting: 10 | Function: Identify | Marked columns: X X X

AAT-07.1 AI & Autonomous Technologies Impact Characterization
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to characterize the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society.
Control question: Does the organization characterize the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society?
Relative weighting: 8 | Function: Identify | Marked columns: X X

AAT-07.2 AI & Autonomous Technologies Likelihood & Impact Risk Analysis
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts.
Control question: Does the organization define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts?
Relative weighting: 10 | Function: Identify | Marked columns: X X X

AAT-07.3 AI & Autonomous Technologies Continuous Improvements
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to continuously improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) capabilities to maximize benefits and minimize negative impacts associated with AAT.
Control question: Does the organization continuously improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) capabilities to maximize benefits and minimize negative impacts associated with AAT?
Relative weighting: 8 | Function: Identify | Marked columns: X X X

AAT-08 Assigned Responsibilities for AI & Autonomous Technologies
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to define and differentiate roles and responsibilities for human-AI configurations and oversight of AI systems.
Control question: Does the organization define and differentiate roles and responsibilities for human-AI configurations and oversight of AI systems?
Relative weighting: 9 | Function: Identify | Marked columns: X X X

AAT-09 AI & Autonomous Technologies Risk Profiling
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to document the risks and potential impacts of Artificial Intelligence (AI) and Autonomous Technologies (AAT) designed, developed, deployed, evaluated and used.
Control question: Does the organization document the risks and potential impacts of Artificial Intelligence (AI) and Autonomous Technologies (AAT) designed, developed, deployed, evaluated and used?
Relative weighting: 9 | Function: Identify | Marked columns: X

AAT-10 Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related testing, identification of incidents and information sharing.
ERL #: E-IAO-02
Control question: Does the organization implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related testing, identification of incidents and information sharing?
Relative weighting: 10 | Function: Detect | Marked columns: X X X

AAT-10.1 AI TEVV Trustworthiness Assessment
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT) for trustworthy behavior and operation including security, anonymization and disaggregation of captured and stored data for approved purposes.
Control question: Does the organization evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT) for trustworthy behavior and operation including security, anonymization and disaggregation of captured and stored data for approved purposes?
Relative weighting: 10 | Function: Detect | Marked columns: X


AAT-10.2 AI TEVV Tools
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to document test sets, metrics and details about the tools used during Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices.
Control question: Does the organization document test sets, metrics and details about the tools used during Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices?
Relative weighting: 7 | Function: Detect | Marked columns: X X

AAT-10.3 AI TEVV Trustworthiness Demonstration
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are valid, reliable and operate as intended based on approved designs.
Control question: Does the organization demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are valid, reliable and operate as intended based on approved designs?
Relative weighting: 9 | Function: Detect | Marked columns: X X

AAT-10.4 AI TEVV Safety Demonstration
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are safe, residual risk does not exceed the organization's risk tolerance and can fail safely, particularly if made to operate beyond its knowledge limits.
Control question: Does the organization demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are safe, residual risk does not exceed the organization's risk tolerance and can fail safely, particularly if made to operate beyond its knowledge limits?
Relative weighting: 10 | Function: Detect | Marked columns: X X

AAT-10.5 AI TEVV Resiliency Assessment
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
Control question: Does the organization evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?
Relative weighting: 6 | Function: Detect | Marked columns: X X

AAT-10.6 AI TEVV Transparency & Accountability Assessment
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to examine risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
Control question: Does the organization examine risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?
Relative weighting: 7 | Function: Detect | Marked columns: X X

AAT-10.7 AI TEVV Privacy Assessment
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to examine the data privacy risk of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
Control question: Does the organization examine the data privacy risk of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?
Relative weighting: 9 | Function: Detect | Marked columns: X X

AAT-10.8 AI TEVV Fairness & Bias Assessment
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to examine fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
Control question: Does the organization examine fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?
Relative weighting: 9 | Function: Detect | Marked columns: X X

AAT-10.9 AI & Autonomous Technologies Model Validation
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to validate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) model.
Control question: Does the organization validate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) model?
Relative weighting: 5 | Function: Detect | Marked columns: X X X

AAT-10.10 AI TEVV Results Evaluation
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 10 | Function: Detect | Marked columns: X X

AAT-10.11 AI TEVV Effectiveness
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV).
Control question: Does the organization evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)?
Relative weighting: 5 | Function: Detect | Marked columns: X

AAT-10.12 AI TEVV Comparable Deployment Settings
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance or the assurance criteria demonstrated for conditions similar to deployment settings.
Control question: Does the organization evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance or the assurance criteria demonstrated for conditions similar to deployment settings?
Relative weighting: 5 | Function: Identify | Marked columns: X X

AAT-10.13 AI TEVV Post-Deployment Monitoring
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to proactively and continuously monitor deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization proactively and continuously monitor deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 9 | Function: Detect | Marked columns: X X X

AAT-10.14 Updating AI & Autonomous Technologies
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to integrate continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization integrate continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 9 | Function: Identify | Marked columns: X X


AAT-11 Robust Stakeholder Engagement for AI & Autonomous Technologies
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to compel ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts.
Control question: Does the organization compel ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts?
Relative weighting: 9 | Function: Protect | Marked columns: X X X

AAT-11.1 AI & Autonomous Technologies Stakeholder Feedback Integration
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 9 | Function: Protect | Marked columns: X X

AAT-11.2 AI & Autonomous Technologies Ongoing Assessments
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to conduct regular assessments of Artificial Intelligence (AI) and Autonomous Technologies (AAT) with independent assessors and stakeholders not involved in the development of the AAT.
Control question: Does the organization conduct regular assessments of Artificial Intelligence (AI) and Autonomous Technologies (AAT) with independent assessors and stakeholders not involved in the development of the AAT?
Relative weighting: 9 | Function: Protect | Marked columns: X

AAT-11.3 AI & Autonomous Technologies End User Feedback
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to collect and integrate feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics.
Control question: Does the organization collect and integrate feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics?
Relative weighting: 7 | Function: Protect | Marked columns: X X

AAT-11.4 AI & Autonomous Technologies Incident & Error Reporting
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to communicate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related incidents and/or errors to relevant stakeholders, including affected communities.
Control question: Does the organization communicate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related incidents and/or errors to relevant stakeholders, including affected communities?
Relative weighting: 9 | Function: Protect | Marked columns: X X

AAT-12 AI & Autonomous Technologies Intellectual Property Infringement Protections
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to identify data sources for Artificial Intelligence (AI) and Autonomous Technologies (AAT) to prevent third-party Intellectual Property (IP) rights infringement.
Control question: Does the organization identify data sources for Artificial Intelligence (AI) and Autonomous Technologies (AAT) to prevent third-party Intellectual Property (IP) rights infringement?
Relative weighting: 10 | Function: Protect | Marked columns: X

AAT-13 AI & Autonomous Technologies Stakeholder Diversity
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholder competencies, skills and capacities incorporate demographic diversity, broad domain and user experience expertise.
Control question: Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholder competencies, skills and capacities incorporate demographic diversity, broad domain and user experience expertise?
Relative weighting: 8 | Function: Identify | Marked columns: X

AAT-13.1 AI & Autonomous Technologies Stakeholder Competencies
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related operator and practitioner proficiency requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are defined, assessed and documented.
Control question: Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related operator and practitioner proficiency requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are defined, assessed and documented?
Relative weighting: 9 | Function: Identify | Marked columns: X X

AAT-14 AI & Autonomous Technologies Requirements Definitions
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to take socio-technical implications into account to address risks associated with Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization take socio-technical implications into account to address risks associated with Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 8 | Function: Identify | Marked columns: X X X

AAT-14.1 AI & Autonomous Technologies Implementation Tasks Definition
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to define the tasks that Artificial Intelligence (AI) and Autonomous Technologies (AAT) will support (e.g., classifiers, generative models, recommenders).
Control question: Does the organization define the tasks that Artificial Intelligence (AI) and Autonomous Technologies (AAT) will support (e.g., classifiers, generative models, recommenders)?
Relative weighting: 8 | Function: Protect | Marked columns: X X

AAT-14.2 AI & Autonomous Technologies Knowledge Limits
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to identify and document knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to provide sufficient information to assist relevant stakeholder decision making.
Control question: Does the organization identify and document knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to provide sufficient information to assist relevant stakeholder decision making?
Relative weighting: 10 | Function: Identify | Marked columns: X X X

AAT-15 AI & Autonomous Technologies Viability Decisions
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to define the criteria as to whether Artificial Intelligence (AI) and Autonomous Technologies (AAT) achieved intended purposes and stated objectives to determine whether its development or deployment should proceed.
Control question: Does the organization define the criteria as to whether Artificial Intelligence (AI) and Autonomous Technologies (AAT) achieved intended purposes and stated objectives to determine whether its development or deployment should proceed?
Relative weighting: 10 | Function: Protect | Marked columns: X X X

AAT-15.1 AI & Autonomous Technologies Negative Residual Risks
Domain: Artificial & Autonomous Technologies
Control: Mechanisms exist to identify and document negative, residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers and end users of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization identify and document negative, residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers and end users of Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative weighting: 9 | Function: Protect | Marked columns: X X

22 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) 03/12/2024

AAT-15.2 | Artificial & Autonomous Technologies | Responsibility To Supersede, Deactivate and/or Disengage AI & Autonomous Technologies | Weight: 10 | Function: Protect | X X X
Control: Mechanisms exist to define the criteria and responsible party(ies) for superseding, disengaging or deactivating Artificial Intelligence (AI) and Autonomous Technologies (AAT) that demonstrate performance or outcomes inconsistent with intended use.
Question: Does the organization define the criteria and responsible party(ies) for superseding, disengaging or deactivating Artificial Intelligence (AI) and Autonomous Technologies (AAT) that demonstrate performance or outcomes inconsistent with intended use?

AAT-16 | Artificial & Autonomous Technologies | AI & Autonomous Technologies Production Monitoring | Weight: 9 | Function: Detect | X X
Control: Mechanisms exist to monitor the functionality and behavior of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Question: Does the organization monitor the functionality and behavior of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?

AAT-16.1 | Artificial & Autonomous Technologies | AI & Autonomous Technologies Measurement Approaches | Weight: 8 | Function: Detect | X
Control: Mechanisms exist to measure Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to deployment context(s) through review and consultation with industry experts, domain specialists and end users.
Question: Does the organization measure Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to deployment context(s) through review and consultation with industry experts, domain specialists and end users?

AAT-16.2 | Artificial & Autonomous Technologies | Measuring AI & Autonomous Technologies Effectiveness | Weight: 5 | Function: Detect | X
Control: Mechanisms exist to regularly assess the effectiveness of existing controls, including reports of errors and potential impacts on affected communities.
Question: Does the organization regularly assess the effectiveness of existing controls, including reports of errors and potential impacts on affected communities?

AAT-16.3 | Artificial & Autonomous Technologies | Unmeasurable AI & Autonomous Technologies Risks | Weight: 7 | Function: Detect | X X
Control: Mechanisms exist to identify and document unmeasurable risks or trustworthiness characteristics.
Question: Does the organization identify and document unmeasurable risks or trustworthiness characteristics?

AAT-16.4 | Artificial & Autonomous Technologies | Efficacy of AI & Autonomous Technologies Measurement | Weight: 5 | Function: Detect | X X
Control: Mechanisms exist to gather and assess feedback about the efficacy of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related measurements.
Question: Does the organization gather and assess feedback about the efficacy of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related measurements?

AAT-16.5 | Artificial & Autonomous Technologies | AI & Autonomous Technologies Domain Expert Reviews | Weight: 8 | Function: Protect | X
Control: Mechanisms exist to utilize input from domain experts and relevant stakeholders to validate whether the Artificial Intelligence (AI) and Autonomous Technologies (AAT) perform consistently, as intended.
Question: Does the organization utilize input from domain experts and relevant stakeholders to validate whether the Artificial Intelligence (AI) and Autonomous Technologies (AAT) perform consistently, as intended?

AAT-16.6 | Artificial & Autonomous Technologies | AI & Autonomous Technologies Performance Changes | Weight: 10 | Function: Protect | X X X
Control: Mechanisms exist to evaluate performance improvements or declines with domain experts and relevant stakeholders to define context-relevant risks and trustworthiness issues.
Question: Does the organization evaluate performance improvements or declines with domain experts and relevant stakeholders to define context-relevant risks and trustworthiness issues?

AAT-16.7 | Artificial & Autonomous Technologies | Pre-Trained AI & Autonomous Technologies Models | Weight: 8 | Function: Protect | X
Control: Mechanisms exist to validate the information sources and quality of pre-trained models used in Artificial Intelligence (AI) and Autonomous Technologies (AAT) training, maintenance and improvement-related activities.
Question: Does the organization validate the information sources and quality of pre-trained models used in Artificial Intelligence (AI) and Autonomous Technologies (AAT) training, maintenance and improvement-related activities?

AAT-17 | Artificial & Autonomous Technologies | AI & Autonomous Technologies Harm Prevention | Weight: 10 | Function: Protect | X X X
Control: Mechanisms exist to proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.
Question: Does the organization proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks?

AAT-17.1 | Artificial & Autonomous Technologies | AI & Autonomous Technologies Human Subject Protections | Weight: 10 | Function: Protect | X X X
Control: Mechanisms exist to protect human subjects from harm.
Question: Does the organization protect human subjects from harm?

AAT-17.2 | Artificial & Autonomous Technologies | AI & Autonomous Technologies Environmental Impact & Sustainability | Weight: 9 | Function: Protect | X X
Control: Mechanisms exist to assess and document the environmental impacts and sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Question: Does the organization assess and document the environmental impacts and sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT)?

AAT-17.3 | Artificial & Autonomous Technologies | Previously Unknown AI & Autonomous Technologies Threats & Risks | Weight: 9 | Function: Protect | X X X
Control: Mechanisms exist to respond to and recover from a previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified.
Question: Does the organization respond to and recover from a previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified?


AAT-18 | Artificial & Autonomous Technologies | AI & Autonomous Technologies Risk Tracking Approaches | Weight: 9 | Function: Protect | X X X
Control: Mechanisms exist to track Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks that are difficult to assess using currently available measurement techniques or where metrics are not yet available.
Question: Does the organization track Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks that are difficult to assess using currently available measurement techniques or where metrics are not yet available?

AAT-18.1 | Artificial & Autonomous Technologies | AI & Autonomous Technologies Risk Response | Weight: 10 | Function: Protect | X X X
Control: Mechanisms exist to prioritize, respond to and remediate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks based on assessments and other analytical output.
Question: Does the organization prioritize, respond to and remediate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks based on assessments and other analytical output?

AST-01 | Asset Management | Asset Governance | Evidence: E-AST-01 | Weight: 10 | Function: Identify | X X X
Control: Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.
Question: Does the organization facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls?
Methods to comply: Generally Accepted Accounting Principles (GAAP); ITIL - Configuration Management Database (CMDB); IT Asset Management (ITAM) program

AST-01.1 | Asset Management | Asset-Service Dependencies | Evidence: E-BCM-09 | Weight: 5 | Function: Identify | X X
Control: Mechanisms exist to identify and assess the security of technology assets that support more than one critical business function.
Question: Does the organization identify and assess the security of technology assets that support more than one critical business function?

AST-01.2 | Asset Management | Stakeholder Identification & Involvement | Evidence: E-CPL-03 | Weight: 5 | Function: Identify | X
Control: Mechanisms exist to identify and involve pertinent stakeholders of critical systems, applications and services to support the ongoing secure management of those assets.
Question: Does the organization identify and involve pertinent stakeholders of critical systems, applications and services to support the ongoing secure management of those assets?

AST-01.3 | Asset Management | Standardized Naming Convention | Weight: 5 | Function: Identify | X
Control: Mechanisms exist to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts.
Question: Does the organization implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts?

AST-02 | Asset Management | Asset Inventories | Evidence: E-AST-04, E-AST-05, E-AST-07 | Weight: 10 | Function: Identify | X X
Control: Mechanisms exist to perform inventories of technology assets that:
▪ Accurately reflect the current systems, applications and services in use;
▪ Identify authorized software products, including business justification details;
▪ Are at the level of granularity deemed necessary for tracking and reporting;
▪ Include organization-defined information deemed necessary to achieve effective property accountability; and
▪ Are available for review and audit by designated organizational personnel.
Question: Does the organization perform inventories of technology assets that:
▪ Accurately reflect the current systems, applications and services in use;
▪ Identify authorized software products, including business justification details;
▪ Are at the level of granularity deemed necessary for tracking and reporting;
▪ Include organization-defined information deemed necessary to achieve effective property accountability; and
▪ Are available for review and audit by designated organizational personnel?
Methods to comply: ManageEngine AssetExplorer; LANDesk IT Asset Management Suite; ServiceNow (https://www.servicenow.com/); SolarWinds (https://www.solarwinds.com/); CrowdStrike; JAMF; ITIL - Configuration Management Database (CMDB)

AST-02.1 | Asset Management | Updates During Installations / Removals | Weight: 7 | Function: Identify | X
Control: Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades.
Question: Does the organization update asset inventories as part of component installations, removals and asset upgrades?
Methods to comply: CrowdStrike; JAMF; ITIL - Configuration Management Database (CMDB)

AST-02.2 | Asset Management | Automated Unauthorized Component Detection | Weight: 3 | Function: Detect | X
Control: Automated mechanisms exist to detect and alert upon the detection of unauthorized hardware, software and firmware components.
Question: Does the organization use automated mechanisms to detect and alert upon the detection of unauthorized hardware, software and firmware components?
Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); DHCP logging; Active discovery tools; NNT Change Tracker (https://www.newnettechnologies.com); Vectra; Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)

AST-02.3 | Asset Management | Component Duplication Avoidance | Weight: 2 | Function: Identify | X X
Control: Mechanisms exist to establish and maintain an authoritative source and repository that provides a trusted source and accountability for approved and implemented system components and prevents assets from being duplicated in other asset inventories.
Question: Does the organization establish and maintain an authoritative source and repository that provides a trusted source and accountability for approved and implemented system components and prevents assets from being duplicated in other asset inventories?
Methods to comply: ITIL - Configuration Management Database (CMDB); Manual or automated process

AST-02.4 | Asset Management | Approved Baseline Deviations | Evidence: E-RSK-03, E-TDA-14 | Weight: 8 | Function: Identify | X
Control: Mechanisms exist to document and govern instances of approved deviations from established baseline configurations.
Question: Does the organization document and govern instances of approved deviations from established baseline configurations?
Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com); Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/); SCCM

AST-02.5 | Asset Management | Network Access Control (NAC) | Weight: 4 | Function: Protect | X X
Control: Automated mechanisms exist to employ Network Access Control (NAC), or a similar technology, that is capable of detecting unauthorized devices and disabling network access for those unauthorized devices.
Question: Does the organization use automated mechanisms to employ Network Access Control (NAC), or a similar technology, that is capable of detecting unauthorized devices and disabling network access for those unauthorized devices?
Methods to comply: Cisco NAC; Aruba Networks; Juniper NAC; Packet Fence; Symantec NAC; Sophos NAC; Bradford Networks NAC Director; Cisco ISE

AST-02.6 | Asset Management | Dynamic Host Configuration Protocol (DHCP) Server Logging | Evidence: E-MON-04 | Weight: 3 | Function: Identify | X
Control: Mechanisms exist to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems.
Question: Does the organization enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems?
Methods to comply: Splunk; Manual Process; Build Automation Tools; NNT Log Tracker (https://www.newnettechnologies.com/event-log-management.html); Chef (https://www.chef.io/); Puppet (https://puppet.com/)
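The detection mechanism behind AST-02.2 and AST-02.6, as an added example that is not SCF text nor any listed vendor's code: parse DHCP server lease acknowledgements, normalise MAC addresses so that the DHCP server and the CMDB agree on one key (the same normalisation is what stops a device from being recorded twice, the AST-02.3 concern), and report devices that obtained a lease but are absent from the authoritative inventory, plus inventory hosts that never leased. The ISC dhcpd syslog line format, the inventory fields and every sample line below are constructed assumptions.

```python
"""Reconcile DHCP server log lines against an authoritative asset inventory.

Added example, not SCF text. The dhcpd syslog format, the inventory records
and the log lines are constructed for illustration.
"""
import re

# ISC dhcpd-style syslog lines (constructed sample). Only DHCPACK lines mean a
# device actually took an address; DISCOVER/OFFER/REQUEST are ignored.
SAMPLE_DHCP_LOG = """\
Mar 12 08:01:17 dhcp1 dhcpd[1422]: DHCPACK on 10.20.4.31 to 00:1a:2b:3c:4d:5e (fin-ws-017) via eth1
Mar 12 08:01:42 dhcp1 dhcpd[1422]: DHCPACK on 10.20.4.77 to 3c:22:fb:10:aa:01 via eth1
Mar 12 08:02:05 dhcp1 dhcpd[1422]: DHCPACK on 10.20.4.31 to 00:1a:2b:3c:4d:5e (fin-ws-017) via eth1
Mar 12 08:03:11 dhcp1 dhcpd[1422]: DHCPACK on 10.20.9.5 to b8:27:eb:55:66:77 (raspberrypi) via eth2
Mar 12 08:03:40 dhcp1 dhcpd[1422]: DHCPDISCOVER from 3c:22:fb:10:aa:01 via eth1
"""

# Authoritative inventory export (constructed). MACs are deliberately written in
# the mixed styles different tools emit, to show why normalisation is required.
SAMPLE_INVENTORY = [
    {"asset_id": "A-1001", "hostname": "fin-ws-017", "mac": "00-1A-2B-3C-4D-5E", "owner": "finance"},
    {"asset_id": "A-1002", "hostname": "eng-lt-204", "mac": "3c22.fb10.aa01", "owner": "engineering"},
    {"asset_id": "A-1003", "hostname": "hr-ws-003", "mac": "d4:be:d9:00:11:22", "owner": "hr"},
]

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..', 'aabb.cc..' and 'aa:bb:..' compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp_acks(log_text: str) -> dict:
    """Map normalised MAC -> {ip, name, iface, count} for every DHCPACK in the log."""
    seen = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group("mac"))
        entry = seen.setdefault(mac, {"ip": None, "name": None, "iface": None, "count": 0})
        entry.update(ip=m.group("ip"), name=m.group("name"), iface=m.group("iface"))
        entry["count"] += 1
    return seen


def index_inventory(inventory: list) -> tuple:
    """Build MAC -> asset index; a repeated MAC means two inventory records for one device."""
    index, duplicates = {}, []
    for asset in inventory:
        mac = normalize_mac(asset["mac"])
        if mac in index:
            duplicates.append((mac, index[mac]["asset_id"], asset["asset_id"]))
        else:
            index[mac] = asset
    return index, duplicates


def reconcile(log_text: str, inventory: list) -> dict:
    """Unknown devices (leased but not inventoried), inventoried hosts never seen, and duplicate records."""
    acks = parse_dhcp_acks(log_text)
    index, duplicates = index_inventory(inventory)
    unknown = {mac: info for mac, info in acks.items() if mac not in index}
    not_seen = sorted(asset["hostname"] for mac, asset in index.items() if mac not in acks)
    return {"unknown": unknown, "not_seen": not_seen, "duplicate_inventory_macs": duplicates}


if __name__ == "__main__":
    result = reconcile(SAMPLE_DHCP_LOG, SAMPLE_INVENTORY)
    for mac, info in result["unknown"].items():
        print(f"UNKNOWN DEVICE {mac} ip={info['ip']} name={info['name']} via {info['iface']} ({info['count']} ACKs)")
    print("inventoried hosts with no lease in this window:", result["not_seen"])
    print("duplicate inventory records:", result["duplicate_inventory_macs"])
```

The "not seen" list is as useful as the "unknown" list: a host that is inventoried but never leases is either statically addressed (which the inventory should say) or gone, and in either case the AST-02 inventory is stale. Feed the unknown-device output to the NAC quarantine workflow of AST-02.5 rather than treating it as a report to read.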


AST-02.7 | Asset Management | Software Licensing Restrictions | Weight: 8 | Function: Identify | X
Control: Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions.
Question: Does the organization protect Intellectual Property (IP) rights with software licensing restrictions?
Methods to comply: Manual Process; Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)

AST-02.8 | Asset Management | Data Action Mapping | Evidence: E-DCH-05 | Weight: 9 | Function: Identify | X X
Control: Mechanisms exist to create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed.
Question: Does the organization create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed?
Methods to comply: Visio; Lucid Chart

AST-02.9 | Asset Management | Configuration Management Database (CMDB) | Weight: 5 | Function: Identify | X
Control: Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.
Question: Does the organization implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information?
Methods to comply: Configuration Management Database (CMDB)

AST-02.10 | Asset Management | Automated Location Tracking | Weight: 5 | Function: Identify | X X
Control: Mechanisms exist to track the geographic location of system components.
Question: Does the organization track the geographic location of system components?

AST-02.11 | Asset Management | Component Assignment | Weight: 3 | Function: Identify | X
Control: Mechanisms exist to bind components to a specific system.
Question: Does the organization bind components to a specific system?

AST-03 | Asset Management | Asset Ownership Assignment | Evidence: E-AST-01, E-CPL-03 | Weight: 8 | Function: Identify | X
Control: Mechanisms exist to ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual or responsible-organization level to establish a common understanding of requirements for asset protection.
Question: Does the organization ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual or responsible-organization level to establish a common understanding of requirements for asset protection?

AST-03.1 | Asset Management | Accountability Information | Evidence: E-AST-01 | Weight: 5 | Function: Identify | X
Control: Mechanisms exist to capture the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process.
Question: Does the organization capture the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process?

AST-03.2 | Asset Management | Provenance | Evidence: E-AST-22 | Weight: 8 | Function: Identify | X X
Control: Mechanisms exist to track the origin, development, ownership, location and changes to systems, system components and associated data.
Question: Does the organization track the origin, development, ownership, location and changes to systems, system components and associated data?

AST-04 | Asset Management | Network Diagrams & Data Flow Diagrams (DFDs) | Evidence: E-DCH-03, E-DCH-04, E-DCH-05 | Weight: 10 | Function: Identify | X X
Control: Mechanisms exist to maintain network architecture diagrams that:
▪ Contain sufficient detail to assess the security of the network's architecture;
▪ Reflect the current architecture of the network environment; and
▪ Document all sensitive/regulated data flows.
Question: Does the organization maintain network architecture diagrams that:
▪ Contain sufficient detail to assess the security of the network's architecture;
▪ Reflect the current architecture of the network environment; and
▪ Document all sensitive/regulated data flows?
Methods to comply: High-Level Diagram (HLD); Low-Level Diagram (LLD); Data Flow Diagram (DFD); SolarWinds (https://www.solarwinds.com/); Paessler; PRTG

AST-04.1 | Asset Management | Asset Scope Classification | Evidence: E-AST-02, E-CPL-02, E-DCH-01, E-DCH-02 | Weight: 8 | Function: Identify | X
Control: Mechanisms exist to determine cybersecurity & data privacy control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all systems, applications, services and personnel (internal and third-party).
Question: Does the organization determine cybersecurity & data privacy control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all systems, applications, services and personnel (internal and third-party)?

AST-04.2 | Asset Management | Control Applicability Boundary Graphical Representation | Evidence: E-AST-02, E-CPL-02 | Weight: 6 | Function: Identify | X X
Control: Mechanisms exist to ensure control applicability is appropriately determined for systems, applications, services and third parties by graphically representing applicable boundaries.
Question: Does the organization ensure control applicability is appropriately determined for systems, applications, services and third parties by graphically representing applicable boundaries?

AST-04.3 | Asset Management | Compliance-Specific Asset Identification | Evidence: E-AST-02, E-CPL-02 | Weight: 6 | Function: Identify | X X
Control: Mechanisms exist to create and maintain a current inventory of systems, applications and services that are in scope for statutory, regulatory and/or contractual compliance obligations, with sufficient detail to determine control applicability based on asset scope categorization.
Question: Does the organization create and maintain a current inventory of systems, applications and services that are in scope for statutory, regulatory and/or contractual compliance obligations, with sufficient detail to determine control applicability based on asset scope categorization?

AST-05 | Asset Management | Security of Assets & Media | Weight: 8 | Function: Identify | X
Control: Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media.
Question: Does the organization maintain strict control over the internal or external distribution of any kind of sensitive/regulated media?
Methods to comply: ITIL - Configuration Management Database (CMDB); Definitive Software Library (DSL)


AST-05.1 | Asset Management | Management Approval For External Media Transfer | Weight: 8 | Function: Protect | X X
Control: Mechanisms exist to obtain management approval for any sensitive/regulated media that is transferred outside of the organization's facilities.
Question: Does the organization obtain management approval for any sensitive/regulated media that is transferred outside of the organization's facilities?

AST-06 | Asset Management | Unattended End-User Equipment | Weight: 9 | Function: Protect | X
Control: Mechanisms exist to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access.
Question: Does the organization implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access?
Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); File Integrity Monitoring (FIM); Lockable casings; Tamper detection tape; Full Disk Encryption (FDE); NNT Change Tracker (https://www.newnettechnologies.com)

AST-06.1 | Asset Management | Asset Storage In Automobiles | Weight: 7 | Function: Protect | X
Control: Mechanisms exist to educate users on the need to keep laptops and other mobile devices physically secured and out of sight when traveling, preferably in the trunk of a vehicle.
Question: Does the organization educate users on the need to keep laptops and other mobile devices physically secured and out of sight when traveling, preferably in the trunk of a vehicle?
Methods to comply: Security awareness training; Gamification

AST-07 | Asset Management | Kiosks & Point of Interaction (PoI) Devices | Weight: 8 | Function: Protect | X X
Control: Mechanisms exist to appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution.
Question: Does the organization appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution?
Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); File Integrity Monitoring (FIM); Lockable casings; Tamper detection tape; Chip & PIN

AST-08 | Asset Management | Tamper Detection | Weight: 9 | Function: Detect | X
Control: Mechanisms exist to periodically inspect systems and system components for Indicators of Compromise (IoC).
Question: Does the organization periodically inspect systems and system components for Indicators of Compromise (IoC)?
Methods to comply: "Burner" phones & laptops; Tamper tape

AST-09 | Asset Management | Secure Disposal, Destruction or Re-Use of Equipment | Evidence: E-AST-03 | Weight: 10 | Function: Identify | X X
Control: Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information from being recovered from these components.
Question: Does the organization securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information from being recovered from these components?
Methods to comply: Shred-it; Iron Mountain; sdelete (Sysinternals); Bootnukem

AST-10 | Asset Management | Return of Assets | Evidence: E-AST-01 | Weight: 8 | Function: Protect | X
Control: Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement.
Question: Does the organization ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement?
Methods to comply: Termination checklist; Manual Process; Native OS and device asset tracking capabilities

AST-11 | Asset Management | Removal of Assets | Weight: 8 | Function: Protect | X
Control: Mechanisms exist to authorize, control and track technology assets entering and exiting organizational facilities.
Question: Does the organization authorize, control and track technology assets entering and exiting organizational facilities?
Methods to comply: RFID asset tagging; RFID proximity sensors at access points; Asset management software

AST-12 | Asset Management | Use of Personal Devices | Weight: 10 | Function: Protect | X
Control: Mechanisms exist to restrict the possession and usage of personally-owned technology devices within organization-controlled facilities.
Question: Does the organization restrict the possession and usage of personally-owned technology devices within organization-controlled facilities?
Methods to comply: BYOD policy

AST-13 | Asset Management | Use of Third-Party Devices | Weight: 9 | Function: Protect | X
Control: Mechanisms exist to reduce the risk of third-party assets that are attached to the network harming organizational assets or exfiltrating organizational data.
Question: Does the organization reduce the risk of third-party assets that are attached to the network harming organizational assets or exfiltrating organizational data?
Methods to comply: Network Access Control (NAC); Separate SSIDs for wireless networks; SIEM monitoring/alerting; Manual process to disable all unused network ports; Mobile Device Management (MDM) software; Data Loss Prevention (DLP)

AST-14 | Asset Management | Usage Parameters | Weight: 7 | Function: Identify | X
Control: Mechanisms exist to monitor and enforce usage parameters that limit the potential damage caused by the unauthorized or unintentional alteration of system parameters.
Question: Does the organization monitor and enforce usage parameters that limit the potential damage caused by the unauthorized or unintentional alteration of system parameters?
Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)

AST-14.1 | Asset Management | Bluetooth & Wireless Devices | Weight: 7 | Function: Protect | X X
Control: Mechanisms exist to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas unless they are used in a Radio Frequency (RF)-screened building.
Question: Does the organization prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas unless they are used in a Radio Frequency (RF)-screened building?

AST-14.2 | Asset Management | Infrared Communications | Weight: 5 | Function: Protect | X X
Control: Mechanisms exist to prevent the use of line-of-sight and reflected infrared (IR) communications in an unsecured space.
Question: Does the organization prevent the use of line-of-sight and reflected infrared (IR) communications in an unsecured space?


AST-15 | Asset Management | Tamper Protection | Weight: 6 | Function: Protect | X X X
Control: Mechanisms exist to verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle.
Question: Does the organization verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle?
Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Tamper detection tape; File Integrity Monitoring (FIM); NNT Change Tracker (https://www.newnettechnologies.com); Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)

AST-15.1 | Asset Management | Inspection of Systems, Components & Devices | Weight: 6 | Function: Detect | X X
Control: Mechanisms exist to physically and logically inspect critical technology assets to detect evidence of tampering.
Question: Does the organization physically and logically inspect critical technology assets to detect evidence of tampering?
Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Tamper detection tape; File Integrity Monitoring (FIM); NNT Change Tracker (https://www.newnettechnologies.com); Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)

AST-16 | Asset Management | Bring Your Own Device (BYOD) Usage | Weight: 10 | Function: Identify | X X
Control: Mechanisms exist to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.
Question: Does the organization implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace?
Methods to comply: AirWatch; SCCM; Casper; BYOD policy

AST-17 | Asset Management | Prohibited Equipment & Services | Evidence: E-AST-10 | Weight: 9 | Function: Protect | X X
Control: Mechanisms exist to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.
Question: Does the organization govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body?

AST-18 | Asset Management | Roots of Trust Protection | Weight: 4 | Function: Protect | X X
Control: Mechanisms exist to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a "root of trust" basis for integrity verification.
Question: Does the organization provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a "root of trust" basis for integrity verification?

AST-19 | Asset Management | Telecommunications Equipment | Weight: 9 | Function: Protect | X X
Control: Mechanisms exist to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping.
Question: Does the organization establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping?

AST-20 | Asset Management | Video Teleconference (VTC) Security | Weight: 8 | Function: Protect | X X
Control: Mechanisms exist to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms to prevent potential eavesdropping.
Question: Does the organization implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms to prevent potential eavesdropping?

AST-21 | Asset Management | Voice Over Internet Protocol (VoIP) Security | Weight: 8 | Function: Protect | X
Control: Mechanisms exist to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.
Question: Does the organization implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks?

AST-22 | Asset Management | Microphones & Web Cameras | Weight: 8 | Function: Protect | X X
Control: Mechanisms exist to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive/regulated information is discussed.
Question: Does the organization configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive/regulated information is discussed?

AST-23 | Asset Management | Multi-Function Devices (MFD) | Evidence: E-TPM-01 | Weight: 8 | Function: Protect | X
Control: Mechanisms exist to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device.
Question: Does the organization securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device?

AST-24 | Asset Management | Travel-Only Devices | Weight: 8 | Function: Protect | X X
Control: Mechanisms exist to issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than-average risk of Intellectual Property (IP) theft or espionage against individuals and private companies.
Question: Does the organization issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than-average risk of Intellectual Property (IP) theft or espionage against individuals and private companies?

AST-25 | Asset Management | Re-Imaging Devices After Travel | Weight: 8 | Function: Protect | X X
Control: Mechanisms exist to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than-average risk of Intellectual Property (IP) theft or espionage against individuals and private companies.
Question: Does the organization re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than-average risk of Intellectual Property (IP) theft or espionage against individuals and private companies?

AST-26 | Asset Management | System Administrative Processes | Weight: 9 | Function: Identify | X
Control: Mechanisms exist to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining systems, applications and services.
Question: Does the organization develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining systems, applications and services?

27 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) 03/12/2024

AST-27  Jump Server  [Asset Management]
  Control:  Mechanisms exist to conduct remote system administrative functions via a "jump box" or "jump server" that is located in a separate network zone to user workstations.
  Question: Does the organization conduct remote system administrative functions via a "jump box" or "jump server" that is located in a separate network zone to user workstations?
  Weighting: 7 | Function Grouping: Protect | Flags: X X

AST-28  Database Administrative Processes  [Asset Management]
  Control:  Mechanisms exist to develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases.
  Question: Does the organization develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases?
  Weighting: 9 | Function Grouping: Identify | Flags: X

AST-28.1  Database Management System (DBMS)  [Asset Management]
  Control:  Mechanisms exist to implement and maintain Database Management Systems (DBMSs), where applicable.
  Question: Does the organization implement and maintain Database Management Systems (DBMSs), where applicable?
  Weighting: 6 | Function Grouping: Protect | Flags: X X

AST-29  Radio Frequency Identification (RFID) Security  [Asset Management]
  Control:  Mechanisms exist to securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.
  Question: Does the organization securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces?
  Weighting: 3 | Function Grouping: Protect | Flags: X X

AST-29.1  Contactless Access Control Systems  [Asset Management]
  Control:  Mechanisms exist to securely configure contactless access control systems incorporating contactless RFID or smart cards to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.
  Question: Does the organization securely configure contactless access control systems incorporating contactless RFID or smart cards to protect the confidentiality and integrity of data and prevent the compromise of secure spaces?
  Weighting: 3 | Function Grouping: Protect | Flags: X X

AST-30  Decommissioning  [Asset Management]
  Control:  Mechanisms exist to ensure systems, applications and services are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.
  Question: Does the organization ensure systems, applications and services are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations?
  Weighting: 4 | Function Grouping: Protect | Flags: X X

AST-31  Asset Categorization  [Asset Management]
  Control:  Mechanisms exist to categorize technology assets.
  Question: Does the organization categorize technology assets?
  ERL #: E-AST-24
  Weighting: 9 | Function Grouping: Identify | Flags: X X X

AST-31.1  Categorize Artificial Intelligence (AI)-Related Technologies  [Asset Management]
  Control:  Mechanisms exist to categorize Artificial Intelligence (AI) and Autonomous Technologies (AAT).
  Question: Does the organization categorize Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
  ERL #: E-AST-24
  Weighting: 9 | Function Grouping: Identify | Flags: X X X

BCD-01  Business Continuity Management System (BCMS)  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient assets and services (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).
  Question: Does the organization facilitate the implementation of contingency planning controls to help ensure resilient assets and services (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks)?
  Methods to comply: Business Continuity Plan (BCP); Disaster Recovery Plan (DRP); Continuity of Operations Plan (COOP); Business Impact Analysis (BIA); Criticality assessments
  ERL #: E-BCM-01
  Weighting: 10 | Function Grouping: Recover | Flags: X X X

BCD-01.1  Coordinate with Related Plans  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to coordinate contingency plan development with internal and external elements responsible for related plans.
  Question: Does the organization coordinate contingency plan development with internal and external elements responsible for related plans?
  Methods to comply: Cybersecurity Incident Response Plan (IIRP)
  Weighting: 5 | Function Grouping: Recover | Flags: X X

BCD-01.2  Coordinate With External Service Providers  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
  Question: Does the organization coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied?
  Methods to comply: Business Continuity Plan (BCP); Disaster Recovery Plan (DRP); Continuity of Operations Plan (COOP)
  Weighting: 5 | Function Grouping: Recover | Flags: X

BCD-01.3  Transfer to Alternate Processing / Storage Site  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan.
  Question: Does the organization redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan?
  Weighting: 5 | Function Grouping: Recover | Flags: X

BCD-01.4  Recovery Time / Point Objectives (RTO / RPO)  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
  Question: Does the organization facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?
  ERL #: E-BCM-02; E-BCM-03
  Weighting: 5 | Function Grouping: Recover | Flags: X


BCD-02  Identify Critical Assets  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to identify and document the critical systems, applications and services that support essential missions and business functions.
  Question: Does the organization identify and document the critical systems, applications and services that support essential missions and business functions?
  Methods to comply: Business Impact Analysis (BIA); Criticality assessments
  ERL #: E-BCM-08
  Weighting: 9 | Function Grouping: Recover | Flags: X

BCD-02.1  Resume All Missions & Business Functions  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to resume all missions and business functions within Recovery Time Objectives (RTOs) of the contingency plan's activation.
  Question: Does the organization resume all missions and business functions within Recovery Time Objectives (RTOs) of the contingency plan's activation?
  Methods to comply: Disaster Recovery Plan (DRP); Continuity of Operations Plan (COOP); Disaster recovery software
  Weighting: 8 | Function Grouping: Recover | Flags: X

BCD-02.2  Continue Essential Mission & Business Functions  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.
  Question: Does the organization continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites?
  Methods to comply: Disaster Recovery Plan (DRP); Continuity of Operations Plan (COOP)
  Weighting: 8 | Function Grouping: Recover | Flags: X

BCD-02.3  Resume Essential Missions & Business Functions  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to resume essential missions and business functions within an organization-defined time period of contingency plan activation.
  Question: Does the organization resume essential missions and business functions within an organization-defined time period of contingency plan activation?
  Methods to comply: Business Continuity Plan (BCP); Disaster Recovery Plan (DRP); Continuity of Operations Plan (COOP)
  Weighting: 8 | Function Grouping: Recover | Flags: X

BCD-02.4  Data Storage Location Reviews  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to perform periodic security reviews of storage locations that contain sensitive / regulated data.
  Question: Does the organization perform periodic security reviews of storage locations that contain sensitive / regulated data?
  ERL #: E-AST-23
  Weighting: 8 | Function Grouping: Recover | Flags: X

BCD-03  Contingency Training  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.
  Question: Does the organization adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities?
  Methods to comply: NIST NICE Framework; Tabletop exercises
  ERL #: E-BCM-07
  Weighting: 5 | Function Grouping: Recover | Flags: X X

BCD-03.1  Simulated Events  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
  Question: Does the organization incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations?
  Methods to comply: Tabletop exercises
  ERL #: E-BCM-06
  Weighting: 3 | Function Grouping: Recover | Flags: X X

BCD-03.2  Automated Training Environments  [Business Continuity & Disaster Recovery]
  Control:  Automated mechanisms exist to provide a more thorough and realistic contingency training environment.
  Question: Does the organization use automated mechanisms to provide a more thorough and realistic contingency training environment?
  Weighting: 1 | Function Grouping: Recover | Flags: X X

BCD-04  Contingency Plan Testing & Exercises  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.
  Question: Does the organization conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan?
  Methods to comply: Simulated disasters / emergencies
  ERL #: E-BCM-06; E-BCM-07
  Weighting: 6 | Function Grouping: Recover | Flags: X X

BCD-04.1  Coordinated Testing with Related Plans  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to coordinate contingency plan testing with internal and external elements responsible for related plans.
  Question: Does the organization coordinate contingency plan testing with internal and external elements responsible for related plans?
  Methods to comply: Playbooks; Enterprise-wide Continuity of Operations Plan (COOP)
  Weighting: 3 | Function Grouping: Recover | Flags: X

BCD-04.2  Alternate Storage & Processing Sites  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations.
  Question: Does the organization test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations?
  Weighting: 5 | Function Grouping: Recover | Flags: X

BCD-05  Contingency Plan Root Cause Analysis (RCA) & Lessons Learned  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated.
  Question: Does the organization conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated?
  Methods to comply: Standardized Operating Procedures (SOP); Disaster Recovery Plan (DRP); Business Continuity Plan (BCP); Continuity of Operations Plan (COOP)
  ERL #: E-BCM-04
  Weighting: 9 | Function Grouping: Detect | Flags: X X

BCD-06  Contingency Planning & Updates  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to keep contingency plans current with business needs, technology changes and feedback from contingency plan testing activities.
  Question: Does the organization keep contingency plans current with business needs, technology changes and feedback from contingency plan testing activities?
  Methods to comply: Offline / offsite documentation
  ERL #: E-BCM-05
  Weighting: 8 | Function Grouping: Recover | Flags: X X


BCD-07  Alternative Security Measures  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised.
  Question: Does the organization implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised?
  Methods to comply: Business Impact Analysis (BIA); Criticality assessments
  Weighting: 9 | Function Grouping: Protect | Flags: X X

BCD-08  Alternate Storage Site  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.
  Question: Does the organization establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information?
  Methods to comply: SunGard; AWS; Azure
  Weighting: 9 | Function Grouping: Protect | Flags: X X

BCD-08.1  Separation from Primary Site  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats.
  Question: Does the organization separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats?
  Methods to comply: SunGard; AWS; Azure
  Weighting: 7 | Function Grouping: Protect | Flags: X X

BCD-08.2  Accessibility  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to identify and mitigate potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.
  Question: Does the organization identify and mitigate potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster?
  Methods to comply: SunGard; AWS; Azure
  Weighting: 5 | Function Grouping: Protect | Flags: X

BCD-09  Alternate Processing Site  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.
  Question: Does the organization establish an alternate processing site that provides security measures equivalent to that of the primary site?
  Methods to comply: SunGard; AWS; Azure
  Weighting: 9 | Function Grouping: Protect | Flags: X X

BCD-09.1  Separation from Primary Site  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to separate the alternate processing site from the primary processing site to reduce susceptibility to similar threats.
  Question: Does the organization separate the alternate processing site from the primary processing site to reduce susceptibility to similar threats?
  Methods to comply: SunGard; AWS; Azure
  Weighting: 7 | Function Grouping: Protect | Flags: X

BCD-09.2  Accessibility  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to identify and mitigate potential accessibility problems to the alternate processing site and possible mitigation actions, in the event of an area-wide disruption or disaster.
  Question: Does the organization identify and mitigate potential accessibility problems to the alternate processing site and possible mitigation actions, in the event of an area-wide disruption or disaster?
  Methods to comply: Business Continuity Plan (BCP); Continuity of Operations Plan (COOP)
  Weighting: 5 | Function Grouping: Recover | Flags: X

BCD-09.3  Alternate Site Priority of Service  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to address priority-of-service provisions in alternate processing and storage sites that support availability requirements, including Recovery Time Objectives (RTOs).
  Question: Does the organization address priority-of-service provisions in alternate processing and storage sites that support availability requirements, including Recovery Time Objectives (RTOs)?
  Methods to comply: Hot / warm / cold site contracts
  ERL #: E-TPM-04
  Weighting: 6 | Function Grouping: Recover | Flags: X

BCD-09.4  Preparation for Use  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to prepare the alternate processing site to support essential missions and business functions so that the alternate site is capable of being used as the primary site.
  Question: Does the organization prepare the alternate processing site to support essential missions and business functions so that the alternate site is capable of being used as the primary site?
  Weighting: 5 | Function Grouping: Protect | Flags: X

BCD-09.5  Inability to Return to Primary Site  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to plan and prepare for both natural and manmade circumstances that preclude returning to the primary processing site.
  Question: Does the organization plan and prepare for both natural and manmade circumstances that preclude returning to the primary processing site?
  Weighting: 5 | Function Grouping: Protect | Flags: X X

BCD-10  Telecommunications Services Availability  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services.
  Question: Does the organization reduce the likelihood of a single point of failure with primary telecommunications services?
  Methods to comply: Alternate telecommunications services are maintained with multiple ISP / network providers
  Weighting: 6 | Function Grouping: Recover | Flags: X X

BCD-10.1  Telecommunications Priority of Service Provisions  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to formalize primary and alternate telecommunications service agreements that contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs).
  Question: Does the organization formalize primary and alternate telecommunications service agreements that contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs)?
  Methods to comply: Hot / warm / cold site contracts
  ERL #: E-TPM-04
  Weighting: 6 | Function Grouping: Recover | Flags: X

BCD-10.2  Separation of Primary / Alternate Providers  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
  Question: Does the organization obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats?
  Weighting: 5 | Function Grouping: Protect | Flags: X X


BCD-10.3  Provider Contingency Plan  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to contractually require external service providers to have contingency plans that meet organizational contingency requirements.
  Question: Does the organization contractually require external service providers to have contingency plans that meet organizational contingency requirements?
  Weighting: 5 | Function Grouping: Protect | Flags: X X

BCD-10.4  Alternate Communications Paths  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to maintain command and control capabilities via alternate communications channels and by designating alternative decision makers if primary decision makers are unavailable.
  Question: Does the organization maintain command and control capabilities via alternate communications channels and by designating alternative decision makers if primary decision makers are unavailable?
  Weighting: 5 | Function Grouping: Protect | Flags: X X X

BCD-11  Data Backups  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
  Question: Does the organization create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?
  Methods to comply: Backup technologies & procedures; Offline storage
  ERL #: E-BCM-10; E-BCM-11; E-BCM-12; E-BCM-13
  Weighting: 10 | Function Grouping: Protect | Flags: X X X

BCD-11.1  Testing for Reliability & Integrity  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to routinely test backups that verify the reliability of the backup process, as well as the integrity and availability of the data.
  Question: Does the organization routinely test backups that verify the reliability of the backup process, as well as the integrity and availability of the data?
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Weighting: 9 | Function Grouping: Recover | Flags: X X X

BCD-11.2  Separate Storage for Critical Information  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.
  Question: Does the organization store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up?
  Methods to comply: IronMountain
  ERL #: E-AST-08; E-BCM-11; E-BCM-12; E-BCM-13
  Weighting: 8 | Function Grouping: Protect | Flags: X X

BCD-11.3  Information System Imaging  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state.
  Question: Does the organization reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state?
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Acronis; Docker (https://www.docker.com/); VMWare
  Weighting: 8 | Function Grouping: Recover | Flags: X

BCD-11.4  Cryptographic Protection  [Business Continuity & Disaster Recovery]
  Control:  Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of backup information.
  Question: Are cryptographic mechanisms utilized to prevent the unauthorized disclosure and/or modification of backup information?
  Methods to comply: Backup technologies & procedures
  Weighting: 9 | Function Grouping: Protect | Flags: X

BCD-11.5  Test Restoration Using Sampling  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing.
  Question: Does the organization utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing?
  Weighting: 5 | Function Grouping: Protect | Flags: X

BCD-11.6  Transfer to Alternate Storage Site  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
  Question: Does the organization transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?
  Weighting: 5 | Function Grouping: Protect | Flags: X X

BCD-11.7  Redundant Secondary System  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to maintain a failover system, which is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations.
  Question: Does the organization maintain a failover system, which is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations?
  Weighting: 5 | Function Grouping: Protect | Flags: X X X

BCD-11.8  Dual Authorization For Backup Media Destruction  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data.
  Question: Does the organization implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data?
  Weighting: 5 | Function Grouping: Protect | Flags: X

BCD-11.9  Backup Access  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to restrict access to backups to privileged users with assigned roles for data backup and recovery operations.
  Question: Does the organization restrict access to backups to privileged users with assigned roles for data backup and recovery operations?
  Weighting: 9 | Function Grouping: Protect | Flags: X X

BCD-11.10  Backup Modification and/or Destruction  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles.
  Question: Does the organization restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles?
  Weighting: 9 | Function Grouping: Protect | Flags: X X


BCD-12  Information System Recovery & Reconstitution  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure.
  Question: Does the organization ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure?
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Weighting: 9 | Function Grouping: Protect | Flags: X X X

BCD-12.1  Transaction Recovery  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs).
  Question: Does the organization utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs)?
  Weighting: 9 | Function Grouping: Recover | Flags: X X X

BCD-12.2  Failover Capability  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services.
  Question: Does the organization implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services?
  Methods to comply: Load balancers; High Availability (HA) firewalls
  Weighting: 8 | Function Grouping: Recover | Flags: X X X

BCD-12.3  Electronic Discovery (eDiscovery)  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions.
  Question: Does the organization utilize electronic discovery (eDiscovery) that covers current and archived communication transactions?
  Weighting: 8 | Function Grouping: Respond | Flags: X X X

BCD-12.4  Restore Within Time Period  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset.
  Question: Does the organization restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset?
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Weighting: 5 | Function Grouping: Respond | Flags: X X X

BCD-13  Backup & Restoration Hardware Protection  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to protect backup and restoration hardware and software.
  Question: Does the organization protect backup and restoration hardware and software?
  Weighting: 8 | Function Grouping: Protect | Flags: X X X

BCD-14  Isolated Recovery Environment  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities.
  Question: Does the organization utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities?
  Weighting: 5 | Function Grouping: Recover | Flags: X X X

BCD-15  Reserve Hardware  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption.
  Question: Does the organization purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption?
  Weighting: 7 | Function Grouping: Recover | Flags: X X

BCD-16  AI & Autonomous Technologies Incidents  [Business Continuity & Disaster Recovery]
  Control:  Mechanisms exist to handle failures or incidents with Artificial Intelligence (AI) and Autonomous Technologies (AAT) deemed to be high-risk.
  Question: Does the organization handle failures or incidents with Artificial Intelligence (AI) and Autonomous Technologies (AAT) deemed to be high-risk?
  Weighting: 10 | Function Grouping: Respond | Flags: X X X

CAP-01  Capacity & Performance Management  [Capacity & Performance Planning]
  Control:  Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements.
  Question: Does the organization facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements?
  Methods to comply: Splunk; Resource monitoring
  Weighting: 8 | Function Grouping: Protect | Flags: X

CAP-02  Resource Priority  [Capacity & Performance Planning]
  Control:  Mechanisms exist to control resource utilization of systems that are susceptible to Denial of Service (DoS) attacks to limit and prioritize the use of resources.
  Question: Does the organization control resource utilization of systems that are susceptible to Denial of Service (DoS) attacks to limit and prioritize the use of resources?
  Methods to comply: Splunk; Resource monitoring
  Weighting: 8 | Function Grouping: Protect | Flags: X

CAP-03  Capacity Planning  [Capacity & Performance Planning]
  Control:  Mechanisms exist to conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations.
  Question: Does the organization conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations?
  Weighting: 8 | Function Grouping: Protect | Flags: X X

CAP-04  Performance Monitoring  [Capacity & Performance Planning]
  Control:  Automated mechanisms exist to centrally monitor and alert on the operating state and health status of critical systems, applications and services.
  Question: Does the organization use automated mechanisms to centrally monitor and alert on the operating state and health status of critical systems, applications and services?
  Weighting: 7 | Function Grouping: Detect | Flags: X X


CHG-01  Change Management / Change Management Program
  Control: Mechanisms exist to facilitate the implementation of a change management program.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); VisibleOps methodology; ITIL infrastructure library; NNT Change Tracker (https://www.newnettechnologies.com); ServiceNow (https://www.servicenow.com/); Remedy
  ERL: E-CHG-02
  Question: Does the organization facilitate the implementation of a change management program?
  Weight: 10 | Function: Protect | Flags: X X
CHG-02  Change Management / Configuration Change Control
  Control: Mechanisms exist to govern the technical configuration change control processes.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Change Control Board (CCB); Configuration Management Database (CMDB); Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/); Chef (https://www.chef.io/)
  ERL: E-CHG-02
  Question: Does the organization govern the technical configuration change control processes?
  Weight: 8 | Function: Protect | Flags: X X
CHG-02.1  Change Management / Prohibition Of Changes
  Control: Mechanisms exist to prohibit unauthorized changes, unless organization-approved change requests are received.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); VisibleOps methodology; ITIL infrastructure library; Manual processes/workflows; Application whitelisting
  Question: Does the organization prohibit unauthorized changes, unless organization-approved change requests are received?
  Weight: 10 | Function: Protect | Flags: X X

CHG-02.2  Change Management / Test, Validate & Document Changes
  Control: Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); VisibleOps methodology; ITIL infrastructure library; NNT Change Tracker (https://www.newnettechnologies.com); VMware; Docker (https://www.docker.com/)
  ERL: E-CHG-03
  Question: Does the organization appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment?
  Weight: 9 | Function: Protect | Flags: X X
CHG-02.3  Change Management / Cybersecurity & Data Privacy Representative for Asset Lifecycle Changes
  Control: Mechanisms exist to include a cybersecurity and/or data privacy representative in the configuration change control review process.
  Methods to comply: Change Control Board (CCB); Change Advisory Board (CAB); VisibleOps methodology; ITIL infrastructure library
  ERL: E-CHG-04
  Question: Does the organization include a cybersecurity and/or data privacy representative in the configuration change control review process?
  Weight: 7 | Function: Protect | Flags: X X

CHG-02.4  Change Management / Automated Security Response
  Control: Automated mechanisms exist to implement remediation actions upon the detection of unauthorized baseline configuration change(s).
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Question: Does the organization use automated mechanisms to implement remediation actions upon the detection of unauthorized baseline configuration change(s)?
  Weight: 5 | Function: Protect | Flags: X X

CHG-02.5  Change Management / Cryptographic Management
  Control: Mechanisms exist to govern assets involved in providing cryptographic protections according to the organization's configuration management processes.
  Question: Does the organization govern assets involved in providing cryptographic protections according to the organization's configuration management processes?
  Weight: 5 | Function: Protect | Flags: X X

CHG-03  Change Management / Security Impact Analysis for Changes
  Control: Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.
  Methods to comply: VisibleOps methodology; ITIL infrastructure library; Change management software
  Question: Does the organization analyze proposed changes for potential security impacts, prior to the implementation of the change?
  Weight: 9 | Function: Protect | Flags: X

CHG-04  Change Management / Access Restriction For Change
  Control: Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); VisibleOps methodology; ITIL infrastructure library; Role-based permissions; Mandatory Access Control (MAC); Application whitelisting
  Question: Does the organization enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes?
  Weight: 8 | Function: Protect | Flags: X X

CHG-04.1  Change Management / Automated Access Enforcement / Auditing
  Control: Mechanisms exist to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); VisibleOps methodology; ITIL infrastructure library; NNT Change Tracker (https://www.newnettechnologies.com); Manual review processes; Tripwire Enterprise (https://www.tripwire.com/products/tripwire-enterprise/)
  Question: Does the organization perform after-the-fact reviews of configuration change logs to discover any unauthorized changes?
  Weight: 3 | Function: Detect | Flags: X
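CHG-04.1 is the after-the-fact review: change logs are compared with what was actually approved, and anything not covered by an approved request is an unauthorized change. The Go program below is an added example written for this page; it is not part of the SCF and not code from any of the tools listed. It reconciles file-integrity-monitoring events with approved change tickets and reports every change that no ticket covers, whether because the asset is wrong, the path is outside the ticket's scope, or the change landed outside the approved window. The log line format, the ticket fields and all hosts, paths and timestamps are constructed for the example; a real implementation would read the events from the FIM tool's export and the tickets from the change system's API. The same reconciliation is the input that CHG-02.1 (no changes without an approved request) and CFG-02.8 (treat unauthorized configuration changes as incidents) depend on.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ChangeRequest is an approved change ticket (field names are an assumption
// for the example; map them from your change-management system).
type ChangeRequest struct {
	ID    string
	Asset string
	Paths []string // path prefixes the ticket authorizes
	Start time.Time
	End   time.Time
}

// ChangeEvent is one file-integrity-monitoring observation.
type ChangeEvent struct {
	When  time.Time
	Asset string
	Path  string
	Actor string
}

// ParseEvents reads lines in the constructed format
// "<RFC3339 time> host=<asset> path=<file> user=<actor>".
func ParseEvents(log string) ([]ChangeEvent, error) {
	var out []ChangeEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		ev := ChangeEvent{When: ts}
		for _, kv := range fields[1:] {
			k, v, ok := strings.Cut(kv, "=")
			if !ok {
				return nil, fmt.Errorf("malformed field %q", kv)
			}
			switch k {
			case "host":
				ev.Asset = v
			case "path":
				ev.Path = v
			case "user":
				ev.Actor = v
			}
		}
		out = append(out, ev)
	}
	return out, nil
}

// Covering returns the ticket that authorizes an event: same asset, inside
// the approved window, and under one of the ticket's path prefixes.
func Covering(ev ChangeEvent, tickets []ChangeRequest) (ChangeRequest, bool) {
	for _, cr := range tickets {
		if cr.Asset != ev.Asset || ev.When.Before(cr.Start) || ev.When.After(cr.End) {
			continue
		}
		for _, p := range cr.Paths {
			if strings.HasPrefix(ev.Path, p) {
				return cr, true
			}
		}
	}
	return ChangeRequest{}, false
}

// Unauthorized is the review result: every event with no covering ticket.
func Unauthorized(events []ChangeEvent, tickets []ChangeRequest) []ChangeEvent {
	var out []ChangeEvent
	for _, ev := range events {
		if _, ok := Covering(ev, tickets); !ok {
			out = append(out, ev)
		}
	}
	return out
}

// Constructed sample data: one approved ticket and four FIM events.
var SampleTickets = []ChangeRequest{{
	ID: "CHG-1042", Asset: "web01", Paths: []string{"/etc/nginx/"},
	Start: time.Date(2024, 3, 12, 2, 0, 0, 0, time.UTC),
	End:   time.Date(2024, 3, 12, 3, 0, 0, 0, time.UTC),
}}

const SampleLog = `
2024-03-12T02:15:00Z host=web01 path=/etc/nginx/nginx.conf user=deploy
2024-03-12T02:20:00Z host=web01 path=/etc/ssh/sshd_config user=root
2024-03-12T04:05:00Z host=web01 path=/etc/nginx/conf.d/app.conf user=deploy
2024-03-12T02:30:00Z host=db01 path=/etc/nginx/nginx.conf user=deploy
`

// Review runs the reconciliation over the sample data.
func Review() ([]ChangeEvent, error) {
	events, err := ParseEvents(SampleLog)
	if err != nil {
		return nil, err
	}
	return Unauthorized(events, SampleTickets), nil
}

func main() {
	findings, err := Review()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("UNAUTHORIZED %s %s %s by %s\n", f.When.Format(time.RFC3339), f.Asset, f.Path, f.Actor)
	}
}
```

Of the four sample events only the first is covered; the other three are findings for three different reasons (path outside the ticket, change after the window closed, wrong asset). Prefix matching on paths is deliberately coarse: a ticket for `/etc/nginx/` covers everything beneath it, so tickets should be scoped as narrowly as the change allows.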
CHG-04.2  Change Management / Signed Components
  Control: Mechanisms exist to prevent the installation of software and firmware components without verification that the component has been digitally signed using an organization-approved certificate authority.
  Methods to comply: Privileged Account Management (PAM); Patch management tools; OS configuration standards
  Question: Does the organization prevent the installation of software and firmware components without verification that the component has been digitally signed using an organization-approved certificate authority?
  Weight: 3 | Function: Protect | Flags: X
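The point of CHG-04.2 is the trust anchor: a valid signature is not enough, the signing certificate has to chain to a certificate authority the organization approved, and it has to be a code-signing certificate rather than any certificate that CA happened to issue. The Go program below is an added example written for this page, not part of the SCF or of any package manager or firmware loader. It builds an approved CA and a rogue CA, issues a code-signing certificate under each, signs a constructed component with both, and runs the install-time gate three times: the approved signature passes, the rogue CA's signature is rejected even though it is cryptographically valid, and a component modified after signing is rejected. The CA names, the component bytes and the ECDSA P-256 / SHA-256 choice are assumptions made for the example; the gate function itself is the part to reuse.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert mints a self-signed CA (parent == nil) or a leaf code-signing
// certificate issued by parent. Helper written for this example only.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifySignedComponent is the install-time gate: the signer must chain to an
// organization-approved CA and carry the code-signing EKU, and the signature
// must cover exactly the bytes about to be installed.
func VerifySignedComponent(component, sig []byte, signer *x509.Certificate, approved *x509.CertPool) error {
	_, err := signer.Verify(x509.VerifyOptions{
		Roots:     approved,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return fmt.Errorf("signer not trusted by an approved CA: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported signer key type")
	}
	digest := sha256.Sum256(component)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match component contents")
	}
	return nil
}

// RunScenario signs a constructed component under the approved CA and under a
// rogue CA, then reports which installs the gate lets through.
func RunScenario() (approvedOK, rogueRejected, tamperRejected bool, err error) {
	orgCA, orgKey, err := newCert("Example Corp Code Signing CA", true, nil, nil)
	if err != nil { return }
	rogueCA, rogueKey, err := newCert("Untrusted CA", true, nil, nil)
	if err != nil { return }
	goodSigner, goodKey, err := newCert("build-pipeline", false, orgCA, orgKey)
	if err != nil { return }
	rogueSigner, rogueSignerKey, err := newCert("build-pipeline", false, rogueCA, rogueKey)
	if err != nil { return }
	approved := x509.NewCertPool()
	approved.AddCert(orgCA) // the only trust anchor the installer accepts

	component := []byte("firmware-image-1.2.3 (constructed sample payload)")
	digest := sha256.Sum256(component)
	goodSig, err := ecdsa.SignASN1(rand.Reader, goodKey, digest[:])
	if err != nil { return }
	rogueSig, err := ecdsa.SignASN1(rand.Reader, rogueSignerKey, digest[:])
	if err != nil { return }
	tampered := append([]byte(nil), component...)
	tampered[0] ^= 0xff // one-bit modification after signing

	approvedOK = VerifySignedComponent(component, goodSig, goodSigner, approved) == nil
	rogueRejected = VerifySignedComponent(component, rogueSig, rogueSigner, approved) != nil
	tamperRejected = VerifySignedComponent(tampered, goodSig, goodSigner, approved) != nil
	return
}

func main() {
	ok, rogue, tamper, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("approved CA accepted=%v, rogue CA rejected=%v, tampered component rejected=%v\n", ok, rogue, tamper)
}
```

The `KeyUsages` option is what stops a TLS server certificate issued by the same approved CA from signing firmware; omit it and any certificate from that CA becomes a code-signing key. Production installers (package managers, UEFI, signed driver loading) implement the same three checks with their own formats, and the evidence for this control is the installer's configuration showing which trust store it consults.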

CHG-04.3  Change Management / Dual Authorization for Change
  Control: Mechanisms exist to enforce a two-person rule for implementing changes to critical assets.
  Methods to comply: Separation of Duties (SoD)
  Question: Does the organization enforce a two-person rule for implementing changes to critical assets?
  Weight: 6 | Function: Protect | Flags: X X

CHG-04.4  Change Management / Limit Production / Operational Privileges (Incompatible Roles)
  Control: Mechanisms exist to limit operational privileges for implementing changes.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Separation of Duties (SoD); Privileged Account Management (PAM)
  Question: Does the organization limit operational privileges for implementing changes?
  Weight: 6 | Function: Protect | Flags: X


CHG-04.5  Change Management / Library Privileges
  Control: Mechanisms exist to restrict software library privileges to those individuals with a pertinent business need for access.
  Methods to comply: Privileged Account Management (PAM)
  Question: Does the organization restrict software library privileges to those individuals with a pertinent business need for access?
  Weight: 8 | Function: Protect | Flags: X

CHG-05  Change Management / Stakeholder Notification of Changes
  Control: Mechanisms exist to ensure stakeholders are made aware of and understand the impact of proposed changes.
  Methods to comply: Change management procedures; VisibleOps methodology; ITIL infrastructure library
  Question: Does the organization ensure stakeholders are made aware of and understand the impact of proposed changes?
  Weight: 9 | Function: Protect | Flags: X X

CHG-06  Change Management / Cybersecurity Functionality Verification
  Control: Mechanisms exist to verify the functionality of cybersecurity controls when anomalies are discovered.
  Methods to comply: Information Assurance Program (IAP); Security Test & Evaluation (STE)
  Question: Does the organization verify the functionality of cybersecurity controls when anomalies are discovered?
  Weight: 9 | Function: Protect | Flags: X

CHG-06.1  Change Management / Report Verification Results
  Control: Mechanisms exist to report the results of cybersecurity & data privacy function verification to appropriate organizational management.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization report the results of cybersecurity & data privacy function verification to appropriate organizational management?
  Weight: 5 | Function: Identify | Flags: X

CLD-01  Cloud Security / Cloud Services
  Control: Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in line with industry practices.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  ERL: E-AST-06
  Question: Does the organization facilitate the implementation of cloud management controls to ensure cloud instances are secure and in line with industry practices?
  Weight: 10 | Function: Protect | Flags: X X X

CLD-01.1  Cloud Security / Cloud Infrastructure Onboarding
  Control: Mechanisms exist to ensure cloud services are designed and configured so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.
  Question: Does the organization ensure cloud services are designed and configured so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations?
  Weight: 9 | Function: Protect | Flags: X X

CLD-01.2  Cloud Security / Cloud Infrastructure Offboarding
  Control: Mechanisms exist to ensure cloud services are decommissioned so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.
  Question: Does the organization ensure cloud services are decommissioned so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations?
  Weight: 9 | Function: Protect | Flags: X X

CLD-02  Cloud Security / Cloud Security Architecture
  Control: Mechanisms exist to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud deployments.
  Methods to comply: Architectural review board; System Security Plan (SSP); Security architecture roadmaps
  ERL: E-TDA-09
  Question: Does the organization ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud deployments?
  Weight: 8 | Function: Protect | Flags: X

CLD-03  Cloud Security / Cloud Infrastructure Security Subnet
  Control: Mechanisms exist to host security-specific technologies in a dedicated subnet.
  Methods to comply: Security management subnet
  Question: Does the organization host security-specific technologies in a dedicated subnet?
  Weight: 6 | Function: Protect | Flags: X X

CLD-04  Cloud Security / Application & Program Interface (API) Security
  Control: Mechanisms exist to ensure support for secure interoperability between components with Application & Program Interfaces (APIs).
  Methods to comply: Use only open and published APIs
  Question: Does the organization ensure support for secure interoperability between components with Application & Program Interfaces (APIs)?
  Weight: 9 | Function: Protect | Flags: X X

CLD-05  Cloud Security / Virtual Machine Images
  Control: Mechanisms exist to ensure the integrity of virtual machine images at all times.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); File Integrity Monitoring (FIM); Docker (https://www.docker.com/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization ensure the integrity of virtual machine images at all times?
  Weight: 8 | Function: Protect | Flags: X

CLD-06  Cloud Security / Multi-Tenant Environments
  Control: Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.
  Methods to comply: Security architecture review; Defined processes to segment at the network, application and database layers
  Question: Does the organization ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users?
  Weight: 9 | Function: Protect | Flags: X X

CLD-06.1  Cloud Security / Customer Responsibility Matrix (CRM)
  Control: Mechanisms exist to formally document a Customer Responsibility Matrix (CRM), delineating assigned responsibilities for controls between the Cloud Service Provider (CSP) and its customers.
  Methods to comply: Customer Responsibility Matrix (CRM); Shared Responsibility Matrix (SRM); Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix
  ERL: E-CPL-03
  Question: Does the organization formally document a Customer Responsibility Matrix (CRM), delineating assigned responsibilities for controls between the Cloud Service Provider (CSP) and its customers?
  Weight: 8 | Function: Identify | Flags: X X X


CLD-06.2  Cloud Security / Multi-Tenant Event Logging Capabilities
  Control: Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations.
  Question: Does the organization ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations?
  Weight: 8 | Function: Identify | Flags: X

CLD-06.3  Cloud Security / Multi-Tenant Forensics Capabilities
  Control: Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.
  Question: Does the organization ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident?
  Weight: 8 | Function: Identify | Flags: X

CLD-06.4  Cloud Security / Multi-Tenant Incident Response Capabilities
  Control: Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.
  Question: Does the organization ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers?
  Weight: 8 | Function: Identify | Flags: X

CLD-07  Cloud Security / Data Handling & Portability
  Control: Mechanisms exist to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services.
  Methods to comply: Data Protection Impact Assessment (DPIA); Security architecture review; Encrypted data transfers (e.g. TLS or VPNs)
  Question: Does the organization ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services?
  Weight: 4 | Function: Protect | Flags: X

CLD-08  Cloud Security / Standardized Virtualization Formats
  Control: Mechanisms exist to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Data Protection Impact Assessment (DPIA); Manual review process; Vendor risk assessments; Independent vendor compliance assessments
  Question: Does the organization ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review?
  Weight: 4 | Function: Protect | Flags: X X

CLD-09  Cloud Security / Geolocation Requirements for Processing, Storage and Service Locations
  Control: Mechanisms exist to control the location of cloud processing/storage based on business requirements that include statutory, regulatory and contractual obligations.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  ERL: E-AST-06, E-AST-23
  Question: Does the organization control the location of cloud processing/storage based on business requirements that include statutory, regulatory and contractual obligations?
  Weight: 10 | Function: Protect | Flags: X X

CLD-10  Cloud Security / Sensitive Data In Public Cloud Providers
  Control: Mechanisms exist to limit and manage the storage of sensitive/regulated data in public cloud providers.
  Methods to comply: Data Protection Impact Assessment (DPIA); Security and network architecture diagrams; Data Flow Diagram (DFD)
  ERL: E-AST-08
  Question: Does the organization limit and manage the storage of sensitive/regulated data in public cloud providers?
  Weight: 6 | Function: Protect | Flags: X

CLD-11  Cloud Security / Cloud Access Point (CAP)
  Control: Mechanisms exist to utilize Cloud Access Points (CAPs) to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from the cloud.
  Methods to comply: Next Generation Firewall (NGF); Web Application Firewall (WAF); Network Routing / Switching; Intrusion Detection / Prevention (IDS / IPS); Data Loss Prevention (DLP); Full Packet Capture
  Question: Does the organization utilize Cloud Access Points (CAPs) to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from the cloud?
  Weight: 7 | Function: Protect | Flags: X

CLD-12  Cloud Security / Side Channel Attack Prevention
  Control: Mechanisms exist to prevent "side channel attacks" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.
  Question: Does the organization prevent "side channel attacks" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network?
  Weight: 3 | Function: Protect | Flags: X
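"Side channel" in CLD-12 means a connection that reaches the origin server directly, bypassing whatever filtering, rate limiting and WAF rules the CDN applies; the control's fix is to accept origin traffic only from the CDN's published address ranges and from the management network. The Go program below is an added example written for this page, not part of the SCF or of any CDN provider's tooling. It loads the two prefix lists, answers the allow/deny question for individual source addresses (including IPv4-mapped IPv6 forms, which a naive string comparison would miss), and renders the same policy as an nftables host-firewall ruleset with a default-drop input chain. The prefixes are constructed documentation ranges standing in for the provider's real published list, and the rule that management may also reach port 22 is an assumption about the operating model.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// OriginPolicy restricts direct reachability of the origin to the CDN's
// published edge prefixes and the organization's management network.
type OriginPolicy struct {
	cdn  []netip.Prefix
	mgmt []netip.Prefix
}

func parsePrefixes(list []string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, s := range list {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, err
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

func NewOriginPolicy(cdn, mgmt []string) (*OriginPolicy, error) {
	c, err := parsePrefixes(cdn)
	if err != nil {
		return nil, fmt.Errorf("cdn prefixes: %w", err)
	}
	m, err := parsePrefixes(mgmt)
	if err != nil {
		return nil, fmt.Errorf("management prefixes: %w", err)
	}
	return &OriginPolicy{cdn: c, mgmt: m}, nil
}

// Allow evaluates one connection source; the reason string is for logging.
func (p *OriginPolicy) Allow(src string) (bool, string) {
	addr, err := netip.ParseAddr(src)
	if err != nil {
		return false, "unparseable source address"
	}
	addr = addr.Unmap() // treat ::ffff:a.b.c.d as the IPv4 address it wraps
	for _, pfx := range p.cdn {
		if pfx.Contains(addr) {
			return true, "cdn edge"
		}
	}
	for _, pfx := range p.mgmt {
		if pfx.Contains(addr) {
			return true, "management network"
		}
	}
	return false, "direct-to-origin connection bypassing the CDN"
}

// renderSet emits one nftables set holding the prefixes of one address family.
func renderSet(name string, prefixes []netip.Prefix, v4 bool) string {
	var els []string
	for _, p := range prefixes {
		if p.Addr().Is4() == v4 {
			els = append(els, p.String())
		}
	}
	if len(els) == 0 {
		return ""
	}
	typ := map[bool]string{true: "ipv4_addr", false: "ipv6_addr"}[v4]
	return fmt.Sprintf("  set %s { type %s; flags interval; elements = { %s } }\n", name, typ, strings.Join(els, ", "))
}

// Nftables renders the policy as a host firewall: default drop on input,
// HTTPS only from the CDN, SSH and HTTPS from management.
func (p *OriginPolicy) Nftables(httpsPort int) string {
	cdn4, cdn6 := renderSet("cdn_v4", p.cdn, true), renderSet("cdn_v6", p.cdn, false)
	mgmt4, mgmt6 := renderSet("mgmt_v4", p.mgmt, true), renderSet("mgmt_v6", p.mgmt, false)
	var b strings.Builder
	b.WriteString("table inet origin {\n" + cdn4 + cdn6 + mgmt4 + mgmt6)
	b.WriteString("  chain input {\n    type filter hook input priority 0; policy drop;\n")
	b.WriteString("    iif lo accept\n    ct state established,related accept\n")
	if cdn4 != "" {
		fmt.Fprintf(&b, "    ip saddr @cdn_v4 tcp dport %d accept\n", httpsPort)
	}
	if cdn6 != "" {
		fmt.Fprintf(&b, "    ip6 saddr @cdn_v6 tcp dport %d accept\n", httpsPort)
	}
	if mgmt4 != "" {
		fmt.Fprintf(&b, "    ip saddr @mgmt_v4 tcp dport { 22, %d } accept\n", httpsPort)
	}
	if mgmt6 != "" {
		fmt.Fprintf(&b, "    ip6 saddr @mgmt_v6 tcp dport { 22, %d } accept\n", httpsPort)
	}
	b.WriteString("  }\n}\n")
	return b.String()
}

func main() {
	// Constructed prefixes (documentation ranges) standing in for the CDN's
	// published list and the organization's management network.
	policy, err := NewOriginPolicy([]string{"203.0.113.0/24", "2001:db8:100::/48"}, []string{"198.51.100.0/27"})
	if err != nil {
		panic(err)
	}
	for _, src := range []string{"203.0.113.77", "198.51.100.5", "192.0.2.10", "::ffff:203.0.113.9"} {
		ok, why := policy.Allow(src)
		fmt.Printf("%-20s allow=%-5v %s\n", src, ok, why)
	}
	fmt.Print(policy.Nftables(443))
}
```

CDN providers publish and periodically change their edge ranges, so the prefix lists have to be refreshed on a schedule and the ruleset regenerated; an allowlist that is months old either blocks legitimate edges or, if someone "fixes" it by widening it, reopens the bypass. The IP allowlist is also only half of the origin protection: the CDN should additionally authenticate itself to the origin (mutual TLS or a shared header secret), since anyone who can source traffic from within a CDN's ranges, including other tenants of that CDN, passes the address check.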

CLD-13  Cloud Security / Hosted Systems, Applications & Services
  Control: Mechanisms exist to specify applicable cybersecurity & data protection controls that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services.
  Methods to comply: Customer Responsibility Matrix (CRM); Shared Responsibility Matrix (SRM); Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix
  Question: Does the organization specify applicable cybersecurity & data protection controls that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services?
  Weight: 9 | Function: Protect | Flags: X X

CLD-13.1  Cloud Security / Authorized Individuals For Hosted Systems, Applications & Services
  Control: Mechanisms exist to authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services.
  Methods to comply: Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix
  Question: Does the organization authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services?
  Weight: 9 | Function: Protect | Flags: X X

CLD-13.2  Cloud Security / Sensitive/Regulated Data On Hosted Systems, Applications & Services
  Control: Mechanisms exist to define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations.
  Question: Does the organization define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations?
  Weight: 9 | Function: Protect | Flags: X X

CLD-14  Cloud Security / Prohibition On Unverified Hosted Systems, Applications & Services
  Control: Mechanisms exist to prohibit access to, or usage of, hosted systems, applications and/or services until applicable cybersecurity & data protection control implementation is verified.
  Question: Does the organization prohibit access to, or usage of, hosted systems, applications and/or services until applicable cybersecurity & data protection control implementation is verified?
  Weight: 8 | Function: Protect | Flags: X X


CPL-01  Compliance / Statutory, Regulatory & Contractual Compliance
  Control: Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.
  Methods to comply: Governance, Risk and Compliance (GRC) solution (SCFConnect, SureCloud, Ostendio, ZenGRC, Archer, RSAM, MetricStream, etc.); Steering committee
  ERL: E-CPL-01, E-GOV-10
  Question: Does the organization facilitate the identification and implementation of relevant statutory, regulatory and contractual controls?
  Weight: 10 | Function: Identify | Flags: X X

CPL-01.1  Compliance / Non-Compliance Oversight
  Control: Mechanisms exist to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.
  ERL: E-CPL-05
  Question: Does the organization document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions?
  Weight: 9 | Function: Respond | Flags: X

CPL-01.2  Compliance / Compliance Scope
  Control: Mechanisms exist to document and validate the scope of cybersecurity & data privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
  ERL: E-AST-02, E-CPL-02, E-GOV-10
  Question: Does the organization document and validate the scope of cybersecurity & data privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations?
  Weight: 10 | Function: Identify | Flags: X X X

CPL-02  Compliance / Cybersecurity & Data Protection Controls Oversight
  Control: Mechanisms exist to provide a cybersecurity & data protection controls oversight function that reports to the organization's executive leadership.
  Methods to comply: Governance, Risk and Compliance (GRC) solution (SCFConnect, SureCloud, Ostendio, ZenGRC, Archer, RSAM, MetricStream, etc.); Steering committee; Formalized SDLC program; Formalized DevOps program; Information Assurance Program (IAP); Security Test & Evaluation (STE)
  ERL: E-CPL-07, E-CPL-09, E-GOV-04, E-GOV-05, E-GOV-06, E-GOV-13, E-RSK-03
  Question: Does the organization provide a cybersecurity & data protection controls oversight function that reports to the organization's executive leadership?
  Weight: 10 | Function: Detect | Flags: X X X
CPL-02.1  Compliance / Internal Audit Function
  Control: Mechanisms exist to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes.
  ERL: E-CPL-04, E-CPL-07
  Question: Does the organization implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes?
  Weight: 5 | Function: Detect | Flags: X

CPL-03  Compliance / Cybersecurity & Data Protection Assessments
  Control: Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate cybersecurity & data protection policies, standards and other applicable requirements.
  Methods to comply: Information Assurance Program (IAP); Security Test & Evaluation (STE); Governance, Risk and Compliance (GRC) solution (SCFConnect, SureCloud, Ostendio, ZenGRC, Archer, RSAM, MetricStream, etc.)
  ERL: E-CPL-05, E-CPL-07
  Question: Does the organization ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate cybersecurity & data protection policies, standards and other applicable requirements?
  Weight: 10 | Function: Detect | Flags: X X

CPL-03.1  Compliance / Independent Assessors
  Control: Mechanisms exist to utilize independent assessors to evaluate cybersecurity & data protection controls at planned intervals or when the system, service or project undergoes significant changes.
  Methods to comply: Information Assurance Program (IAP); Security Test & Evaluation (STE)
  ERL: E-CPL-07
  Question: Does the organization utilize independent assessors to evaluate cybersecurity & data protection controls at planned intervals or when the system, service or project undergoes significant changes?
  Weight: 6 | Function: Detect | Flags: X

CPL-03.2  Compliance / Functional Review Of Cybersecurity & Data Protection Controls
  Control: Mechanisms exist to regularly review technology assets for adherence to the organization's cybersecurity & data protection policies and standards.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Internal audit program; NNT Change Tracker (https://www.newnettechnologies.com); Operational review processes; Regular/yearly policy and standards review process; Governance, Risk and Compliance (GRC) solution (ZenGRC, Archer, RSAM, MetricStream, etc.)
  ERL: E-CPL-08
  Question: Does the organization regularly review technology assets for adherence to the organization's cybersecurity & data protection policies and standards?
  Weight: 8 | Function: Detect | Flags: X X X

CPL-04  Compliance / Audit Activities
  Control: Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.
  Methods to comply: Internal audit program
  Question: Does the organization thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations?
  Weight: 5 | Function: Identify | Flags: X

CPL-05  Compliance / Legal Assessment of Investigative Inquiries
  Control: Mechanisms exist to determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary.
  Question: Does the organization determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary?
  Weight: 2 | Function: Respond | Flags: X

CPL-05.1  Compliance / Investigation Request Notifications
  Control: Mechanisms exist to notify customers about investigation request notifications, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution).
  Question: Does the organization notify customers about investigation request notifications, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution)?
  Weight: 2 | Function: Respond | Flags: X

CPL-05.2  Compliance / Investigation Access Restrictions
  Control: Mechanisms exist to support official investigations by provisioning government investigators with "least privileges" and "least functionality" to ensure that government investigators only have access to the data and systems needed to perform the investigation.
  Question: Does the organization support official investigations by provisioning government investigators with "least privileges" and "least functionality" to ensure that government investigators only have access to the data and systems needed to perform the investigation?
  Weight: 2 | Function: Protect | Flags: X

CPL-06  Compliance / Government Surveillance
  Control: Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
  Methods to comply: Board of Directors (BoD) Ethics Committee
  Question: Does the organization constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations?
  Weight: 10 | Function: Protect | Flags: X X X


CFG-01  Configuration Management / Configuration Management Program
  Control: Mechanisms exist to facilitate the implementation of configuration management controls.
  Methods to comply: NNT Change Tracker (https://www.newnettechnologies.com); Configuration Management Database (CMDB); Baseline hardening standards; Formalized DevOps program; Information Assurance Program (IAP); Security Test & Evaluation (STE)
  Question: Does the organization facilitate the implementation of configuration management controls?
  Weight: 9 | Function: Protect | Flags: X X X

CFG-01.1  Configuration Management / Assignment of Responsibility
  Control: Mechanisms exist to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Question: Does the organization implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties?
  Weight: 5 | Function: Identify | Flags: X X

CFG-02  Configuration Management / System Hardening Through Baseline Configurations
  Control: Mechanisms exist to develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs); Center for Internet Security (CIS) Benchmarks; NNT Change Tracker (https://www.newnettechnologies.com)
  ERL: E-AST-12, E-AST-13, E-AST-14, E-AST-15, E-AST-16, E-AST-17, E-AST-18, E-AST-19, E-AST-20, E-AST-21
  Question: Does the organization develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards?
  Weight: 10 | Function: Protect | Flags: X X X

CFG-02.1  Configuration Management / Reviews & Updates
  Control: Mechanisms exist to review and update baseline configurations:
    ▪ At least annually;
    ▪ When required due to so; or
    ▪ As part of system component installations and upgrades.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs); Center for Internet Security (CIS) Benchmarks; NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization review and update baseline configurations:
    ▪ At least annually;
    ▪ When required due to so; or
    ▪ As part of system component installations and upgrades?
  Weight: 8 | Function: Detect | Flags: X X

CFG-02.2  Configuration Management / Automated Central Management & Verification
  Control: Automated mechanisms exist to govern and report on baseline configurations of the systems.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization use automated mechanisms to govern and report on baseline configurations of the systems?
  Weight: 7 | Function: Detect | Flags: X

CFG-02.3  Configuration Management / Retention Of Previous Configurations
  Control: Mechanisms exist to retain previous versions of baseline configurations to support roll back.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization retain previous versions of baseline configurations to support roll back?
  Weight: 3 | Function: Identify | Flags: X X

CFG-02.4  Configuration Management / Development & Test Environment Configurations
  Control: Mechanisms exist to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes?
  Weight: 5 | Function: Protect | Flags: X X

CFG-02.5  Configuration Management / Configure Systems, Components or Services for High-Risk Areas
  Control: Mechanisms exist to configure systems utilized in high-risk areas with more restrictive baseline configurations.
  Methods to comply: NNT Change Tracker (https://www.newnettechnologies.com)
  ERL: E-AST-12, E-AST-13, E-AST-14, E-AST-15, E-AST-16, E-AST-17, E-AST-18, E-AST-19, E-AST-20, E-AST-21
  Question: Does the organization configure systems utilized in high-risk areas with more restrictive baseline configurations?
  Weight: 8 | Function: Protect | Flags: X X

CFG-02.6  Configuration Management / Network Device Configuration File Synchronization
  Control: Mechanisms exist to configure network devices to synchronize startup and running configuration files.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization configure network devices to synchronize startup and running configuration files?
  Weight: 7 | Function: Protect | Flags: X
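CFG-02.6 exists because a network device's running configuration can silently differ from the saved startup configuration: an unsaved change is lost at the next reload, and an unexpected difference is a change that never went through configuration management. The Go program below is an added example written for this page, not from the SCF or from the tools it lists. It normalizes two configuration dumps (trailing whitespace and comment lines dropped, known volatile lines ignored) and reports the lines present in only one of them, in both directions. The configuration text is constructed in a common router CLI style purely for illustration, and the volatile-prefix list is an assumption that has to be tuned per platform. The same diff run against a stored approved baseline is the check behind CFG-02.2 and CFG-02.7.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Lines that legitimately differ between the two files without anyone having
// changed anything (assumed for the example; extend per platform).
var volatilePrefixes = []string{"ntp clock-period"}

// Normalize reduces a configuration dump to the set of lines that matter:
// trailing whitespace removed, blank and "!" comment lines dropped, volatile
// lines dropped. Leading indentation is kept because it carries section context.
func Normalize(cfg string) map[string]struct{} {
	out := make(map[string]struct{})
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimRight(raw, " \t\r")
		t := strings.TrimSpace(line)
		if t == "" || strings.HasPrefix(t, "!") {
			continue
		}
		volatile := false
		for _, p := range volatilePrefixes {
			if strings.HasPrefix(t, p) {
				volatile = true
				break
			}
		}
		if !volatile {
			out[line] = struct{}{}
		}
	}
	return out
}

// Drift returns the lines present in only one of the two configurations.
// onlyRunning: unsaved (or unauthorized) changes that vanish on reload.
// onlyStartup: saved configuration that is not actually in effect.
func Drift(startup, running string) (onlyStartup, onlyRunning []string) {
	s, r := Normalize(startup), Normalize(running)
	for l := range s {
		if _, ok := r[l]; !ok {
			onlyStartup = append(onlyStartup, l)
		}
	}
	for l := range r {
		if _, ok := s[l]; !ok {
			onlyRunning = append(onlyRunning, l)
		}
	}
	sort.Strings(onlyStartup)
	sort.Strings(onlyRunning)
	return onlyStartup, onlyRunning
}

// Constructed sample dumps in a common router CLI style.
const SampleStartup = `
! Last configuration change at 10:02:11 UTC Mon Mar 11 2024
hostname edge-rtr-01
ntp clock-period 17179869
logging host 10.0.0.5
ip access-list extended MGMT
 permit tcp 198.51.100.0 0.0.0.31 any eq 22
 deny   tcp any any eq 22
line vty 0 4
 access-class MGMT in
`

const SampleRunning = `
! Last configuration change at 03:40:07 UTC Tue Mar 12 2024
hostname edge-rtr-01
ntp clock-period 17179870
ip access-list extended MGMT
 permit tcp 198.51.100.0 0.0.0.31 any eq 22
 permit tcp any any eq 22
 deny   tcp any any eq 22
line vty 0 4
 access-class MGMT in
`

func main() {
	onlyStartup, onlyRunning := Drift(SampleStartup, SampleRunning)
	for _, l := range onlyStartup {
		fmt.Printf("in startup-config only (saved but not in effect): %s\n", l)
	}
	for _, l := range onlyRunning {
		fmt.Printf("in running-config only (unsaved or unauthorized): %s\n", l)
	}
}
```

On the sample the check reports one line in each direction: logging to the collector has been removed from the live configuration, and a permit-any line for SSH has been added to the management ACL without being saved. A flat line-set diff ignores section structure, so two ACLs containing an identical entry are not distinguished; for platforms where that matters, key each line by its enclosing section before comparing. Either finding should feed the CFG-02.8 process rather than be silently fixed with a save, because saving the running configuration would also persist the unauthorized change.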

CFG-02.7  Configuration Management / Approved Configuration Deviations
  Control: Mechanisms exist to document, assess risk and approve or deny deviations to standardized configurations.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization document, assess risk and approve or deny deviations to standardized configurations?
  Weight: 9 | Function: Protect | Flags: X X

CFG-02.8  Configuration Management / Respond To Unauthorized Changes
  Control: Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Service Level Agreements (SLAs); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization respond to unauthorized changes to configuration settings as security incidents?
  Weight: 9 | Function: Respond | Flags: X

Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined - DISA STIGs Does the organization allow baseline controls to be specialized or customized by applying a defined
set of tailoring actions that are specific to: - CIS Benchmarks set of tailoring actions that are specific to:
▪ Mission / business functions; ▪ Mission / business functions;
Configuration ▪ Operational environment; ▪ Operational environment;
Management Baseline Tailoring CFG-02.9 9 Protect X X
▪ Specific threats or vulnerabilities; or ▪ Specific threats or vulnerabilities; or
▪ Other conditions or situations that could affect mission / business success. ▪ Other conditions or situations that could affect mission / business success?

Mechanisms exist to configure systems to provide only essential capabilities by specifically - CimTrak Integrity Suite Does the organization configure systems to provide only essential capabilities by specifically
prohibiting or restricting the use of ports, protocols, and/or services. (https://www.cimcor.com/cimtrak/) prohibiting or restricting the use of ports, protocols, and/or services?
- NNT Change Tracker
Configuration (https://www.newnettechnologies.com)
Management Least Functionality CFG-03 10 Protect X

37 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) 03/12/2024

CFG-03.1 | Configuration Management | Periodic Review
  Control: Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.
  Methods: NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services?
  Weighting: 8 | Function: Detect | Marks: X X

CFG-03.2 | Configuration Management | Prevent Unauthorized Software Execution
  Control: Mechanisms exist to configure systems to prevent the execution of unauthorized software programs.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization configure systems to prevent the execution of unauthorized software programs?
  Weighting: 7 | Function: Protect | Marks: X

CFG-03.3 | Configuration Management | Unauthorized or Authorized Software (Blacklisting or Whitelisting)
  Control: Mechanisms exist to whitelist or blacklist applications in order to limit what is authorized to execute on systems.
  Methods: Microsoft Windows Defender Application Control (WDAC) (replaced AppLocker); CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization whitelist or blacklist applications in order to limit what is authorized to execute on systems?
  Weighting: 5 | Function: Protect | Marks: X X

CFG-03.4 | Configuration Management | Split Tunneling
  Control: Mechanisms exist to prevent split tunneling for remote devices unless the split tunnel is securely provisioned using organization-defined safeguards.
  Question: Does the organization prevent split tunneling for remote devices unless the split tunnel is securely provisioned using organization-defined safeguards?
  Weighting: 8 | Function: Protect | Marks: X

CFG-04 | Configuration Management | Software Usage Restrictions
  Control: Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.
  Question: Does the organization enforce software usage restrictions to comply with applicable contract agreements and copyright laws?
  Weighting: 9 | Function: Protect | Marks: X X

CFG-04.1 | Configuration Management | Open Source Software
  Control: Mechanisms exist to establish parameters for the secure use of open source software.
  Methods: Acceptable Use Policy (AUP)
  Question: Does the organization establish parameters for the secure use of open source software?
  Weighting: 9 | Function: Protect | Marks: X X

CFG-04.2 | Configuration Management | Unsupported Internet Browsers & Email Clients
  Control: Mechanisms exist to allow only approved Internet browsers and email clients to run on systems.
  Question: Does the organization allow only approved Internet browsers and email clients to run on systems?
  Weighting: 7 | Function: Protect | Marks: X X

CFG-05 | Configuration Management | User-Installed Software
  Control: Mechanisms exist to restrict the ability of non-privileged users to install unauthorized software.
  Methods: Privileged Account Management (PAM)
  Question: Does the organization restrict the ability of non-privileged users to install unauthorized software?
  Weighting: 10 | Function: Protect | Marks: X X X

CFG-05.1 | Configuration Management | Unauthorized Installation Alerts
  Control: Mechanisms exist to configure systems to generate an alert when the unauthorized installation of software is detected.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization configure systems to generate an alert when the unauthorized installation of software is detected?
  Weighting: 8 | Function: Detect | Marks: X

CFG-05.2 | Configuration Management | Restrict Roles Permitted To Install Software
  Control: Mechanisms exist to configure systems to prevent the installation of software, unless the action is performed by a privileged user or service.
  Question: Does the organization configure systems to prevent the installation of software, unless the action is performed by a privileged user or service?
  Weighting: 9 | Function: Protect | Marks: X

CFG-06 | Configuration Management | Configuration Enforcement
  Control: Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.
  Question: Does the organization use automated mechanisms to monitor, enforce and report on configurations for endpoint devices?
  Weighting: 7 | Function: Protect | Marks: X X

CFG-07 | Configuration Management | Zero-Touch Provisioning (ZTP)
  Control: Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.
  Question: Does the organization implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network?
  Weighting: 8 | Function: Protect | Marks: X

CFG-08 | Configuration Management | Sensitive / Regulated Data Access Enforcement
  Control: Mechanisms exist to configure systems, applications and processes to restrict access to sensitive/regulated data.
  ERL: E-DCH-08
  Question: Does the organization configure systems, applications and processes to restrict access to sensitive/regulated data?
  Weighting: 7 | Function: Protect | Marks: X X


CFG-08.1 | Configuration Management | Sensitive / Regulated Data Actions
  Control: Automated mechanisms exist to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived.
  Question: Does the organization use automated mechanisms to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived?
  Weighting: 7 | Function: Protect | Marks: X

MON-01 | Continuous Monitoring | Continuous Monitoring
  Control: Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.
  Methods: Splunk; CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization facilitate the implementation of enterprise-wide monitoring controls?
  Weighting: 10 | Function: Detect | Marks: X X X

MON-01.1 | Continuous Monitoring | Intrusion Detection & Prevention Systems (IDS & IPS)
  Control: Mechanisms exist to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points?
  Weighting: 9 | Function: Detect | Marks: X

MON-01.2 | Continuous Monitoring | Automated Tools for Real-Time Analysis
  Control: Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  ERL: E-MON-01, E-MON-05
  Question: Does the organization utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation?
  Weighting: 9 | Function: Detect | Marks: X

MON-01.3 | Continuous Monitoring | Inbound & Outbound Communications Traffic
  Control: Mechanisms exist to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions?
  Weighting: 9 | Function: Detect | Marks: X X

MON-01.4 | Continuous Monitoring | System Generated Alerts
  Control: Mechanisms exist to monitor, correlate and respond to alerts from physical, cybersecurity, data privacy and supply chain activities to achieve integrated situational awareness.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization monitor, correlate and respond to alerts from physical, cybersecurity, data privacy and supply chain activities to achieve integrated situational awareness?
  Weighting: 7 | Function: Detect | Marks: X

MON-01.5 | Continuous Monitoring | Wireless Intrusion Detection System (WIDS)
  Control: Mechanisms exist to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks?
  Weighting: 5 | Function: Detect | Marks: X

MON-01.6 | Continuous Monitoring | Host-Based Devices
  Control: Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness?
  Weighting: 8 | Function: Detect | Marks: X

MON-01.7 | Continuous Monitoring | File Integrity Monitoring (FIM)
  Control: Mechanisms exist to utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical assets to generate alerts for unauthorized modifications.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical assets to generate alerts for unauthorized modifications?
  Weighting: 9 | Function: Detect | Marks: X

MON-01.8 | Continuous Monitoring | Reviews & Updates
  Control: Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.
  Methods: Security Incident Event Manager (SIEM); Splunk
  ERL: E-MON-01, E-MON-02, E-MON-05
  Question: Does the organization review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures?
  Weighting: 10 | Function: Detect | Marks: X X X

MON-01.9 | Continuous Monitoring | Proxy Logging
  Control: Mechanisms exist to log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems?
  Weighting: 8 | Function: Detect | Marks: X

MON-01.10 | Continuous Monitoring | Deactivated Account Activity
  Control: Mechanisms exist to monitor deactivated accounts for attempted usage.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Security Incident Event Manager (SIEM); Splunk; NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization monitor deactivated accounts for attempted usage?
  Weighting: 9 | Function: Detect | Marks: X X

MON-01.11 | Continuous Monitoring | Automated Response to Suspicious Events
  Control: Mechanisms exist to automatically implement pre-determined corrective actions in response to detected events that have security incident implications.
  Question: Does the organization automatically implement pre-determined corrective actions in response to detected events that have security incident implications?
  Weighting: 5 | Function: Detect | Marks: X


MON-01.12 | Continuous Monitoring | Automated Alerts
  Control: Mechanisms exist to automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications.
  Question: Does the organization automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications?
  Weighting: 5 | Function: Detect | Marks: X

MON-01.13 | Continuous Monitoring | Alert Threshold Tuning
  Control: Mechanisms exist to "tune" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events.
  Question: Does the organization "tune" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events?
  Weighting: 5 | Function: Detect | Marks: X X

MON-01.14 | Continuous Monitoring | Individuals Posing Greater Risk
  Control: Mechanisms exist to implement enhanced activity monitoring for individuals who have been identified as posing an increased level of risk.
  ERL: E-MON-03
  Question: Does the organization implement enhanced activity monitoring for individuals who have been identified as posing an increased level of risk?
  Weighting: 5 | Function: Detect | Marks: X X

MON-01.15 | Continuous Monitoring | Privileged User Oversight
  Control: Mechanisms exist to implement enhanced activity monitoring for privileged users.
  ERL: E-MON-03
  Question: Does the organization implement enhanced activity monitoring for privileged users?
  Weighting: 5 | Function: Detect | Marks: X

MON-01.16 | Continuous Monitoring | Analyze and Prioritize Monitoring Requirements
  Control: Mechanisms exist to assess the organization's needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes.
  Question: Does the organization assess the organization's needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes?
  Weighting: 5 | Function: Detect | Marks: X

MON-01.17 | Continuous Monitoring | Real-Time Session Monitoring
  Control: Mechanisms exist to enable authorized personnel the ability to remotely view and hear content related to an established user session in real time, in accordance with organizational standards, as well as statutory, regulatory and contractual obligations.
  Question: Does the organization enable authorized personnel the ability to remotely view and hear content related to an established user session in real time, in accordance with organizational standards, as well as statutory, regulatory and contractual obligations?
  Weighting: 4 | Function: Detect | Marks: X X

MON-02 | Continuous Monitoring | Centralized Collection of Security Event Logs
  Control: Mechanisms exist to utilize a Security Incident Event Manager (SIEM) or similar automated tool, to support the centralized collection of security-related event logs.
  Methods: Security Incident Event Manager (SIEM); Splunk
  ERL: E-MON-01, E-MON-05
  Question: Does the organization utilize a Security Incident Event Manager (SIEM) or similar automated tool, to support the centralized collection of security-related event logs?
  Weighting: 10 | Function: Detect | Marks: X X X

MON-02.1 | Continuous Monitoring | Correlate Monitoring Information
  Control: Automated mechanisms exist to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Security Incident Event Manager (SIEM); Splunk; NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization use automated mechanisms to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness?
  Weighting: 9 | Function: Detect | Marks: X X

MON-02.2 | Continuous Monitoring | Central Review & Analysis
  Control: Automated mechanisms exist to centrally collect, review and analyze audit records from multiple sources.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  ERL: E-MON-01, E-MON-02, E-MON-05
  Question: Does the organization use automated mechanisms to centrally collect, review and analyze audit records from multiple sources?
  Weighting: 5 | Function: Detect | Marks: X X X

MON-02.3 | Continuous Monitoring | Integration of Scanning & Other Monitoring Information
  Control: Automated mechanisms exist to integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity.
  Question: Does the organization use automated mechanisms to integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity?
  Weighting: 5 | Function: Detect | Marks: X X

MON-02.4 | Continuous Monitoring | Correlation with Physical Monitoring
  Control: Automated mechanisms exist to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity.
  Question: Does the organization use automated mechanisms to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity?
  Weighting: 5 | Function: Detect | Marks: X X

MON-02.5 | Continuous Monitoring | Permitted Actions
  Control: Mechanisms exist to specify the permitted actions for both users and systems associated with the review, analysis and reporting of audit information.
  Question: Does the organization specify the permitted actions for both users and systems associated with the review, analysis and reporting of audit information?
  Weighting: 5 | Function: Protect | Marks: X X

MON-02.6 | Continuous Monitoring | Audit Level Adjustments
  Control: Mechanisms exist to adjust the level of audit review, analysis and reporting based on evolving threat information from law enforcement, industry associations or other credible sources of threat intelligence.
  Question: Does the organization adjust the level of audit review, analysis and reporting based on evolving threat information from law enforcement, industry associations or other credible sources of threat intelligence?
  Weighting: 5 | Function: Detect | Marks: X X


MON-02.7 | Continuous Monitoring | System-Wide / Time-Correlated Audit Trail
  Control: Automated mechanisms exist to compile audit records into an organization-wide audit trail that is time-correlated.
  Question: Does the organization use automated mechanisms to compile audit records into an organization-wide audit trail that is time-correlated?
  Weighting: 5 | Function: Detect | Marks: X

MON-02.8 | Continuous Monitoring | Changes by Authorized Individuals
  Control: Mechanisms exist to provide privileged users or roles the capability to change the auditing to be performed on specified information system components, based on specific event criteria within specified time thresholds.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Question: Does the organization provide privileged users or roles the capability to change the auditing to be performed on specified information system components, based on specific event criteria within specified time thresholds?
  Weighting: 5 | Function: Detect | Marks: X X

MON-03 | Continuous Monitoring | Content of Event Logs
  Control: Mechanisms exist to configure systems to produce event logs that contain sufficient information to, at a minimum:
    ▪ Establish what type of event occurred;
    ▪ When (date and time) the event occurred;
    ▪ Where the event occurred;
    ▪ The source of the event;
    ▪ The outcome (success or failure) of the event; and
    ▪ The identity of any user/subject associated with the event.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Question: Does the organization configure systems to produce event logs that contain sufficient information to, at a minimum:
    ▪ Establish what type of event occurred;
    ▪ When (date and time) the event occurred;
    ▪ Where the event occurred;
    ▪ The source of the event;
    ▪ The outcome (success or failure) of the event; and
    ▪ The identity of any user/subject associated with the event?
  Weighting: 10 | Function: Detect | Marks: X X X

MON-03.1 | Continuous Monitoring | Sensitive Audit Information
  Control: Mechanisms exist to protect sensitive/regulated data contained in log files.
  Question: Does the organization protect sensitive/regulated data contained in log files?
  Weighting: 8 | Function: Detect | Marks: X

MON-03.2 | Continuous Monitoring | Audit Trails
  Control: Mechanisms exist to link system access to individual users or service accounts.
  Question: Does the organization link system access to individual users or service accounts?
  Weighting: 10 | Function: Detect | Marks: X

MON-03.3 | Continuous Monitoring | Privileged Functions Logging
  Control: Mechanisms exist to log and review the actions of users and/or services with elevated privileges.
  Methods: Security Incident Event Manager (SIEM); Splunk
  Question: Does the organization log and review the actions of users and/or services with elevated privileges?
  Weighting: 8 | Function: Detect | Marks: X

MON-03.4 | Continuous Monitoring | Verbosity Logging for Boundary Devices
  Control: Mechanisms exist to verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies.
  Question: Does the organization verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies?
  Weighting: 5 | Function: Detect | Marks: X

MON-03.5 | Continuous Monitoring | Limit Personal Data (PD) In Audit Records
  Control: Mechanisms exist to limit Personal Data (PD) contained in audit records to the elements identified in the data privacy risk assessment.
  Methods: Data Protection Impact Assessment (DPIA)
  Question: Does the organization limit Personal Data (PD) contained in audit records to the elements identified in the data privacy risk assessment?
  Weighting: 8 | Function: Detect | Marks: X X

MON-03.6 | Continuous Monitoring | Centralized Management of Planned Audit Record Content
  Control: Mechanisms exist to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components.
  Question: Does the organization centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components?
  Weighting: 5 | Function: Detect | Marks: X X X

MON-03.7 | Continuous Monitoring | Database Logging
  Control: Mechanisms exist to ensure databases produce audit records that contain sufficient information to monitor database activities.
  Question: Does the organization ensure databases produce audit records that contain sufficient information to monitor database activities?
  Weighting: 8 | Function: Detect | Marks: X

MON-04 | Continuous Monitoring | Event Log Storage Capacity
  Control: Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.
  Question: Does the organization allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded?
  Weighting: 8 | Function: Detect | Marks: X X

MON-05 | Continuous Monitoring | Response To Event Log Processing Failures
  Control: Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Security Incident Event Manager (SIEM); Splunk; NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption?
  Weighting: 8 | Function: Detect | Marks: X X

MON-05.1 | Continuous Monitoring | Real-Time Alerts of Event Logging Failure
  Control: Mechanisms exist to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Security Incident Event Manager (SIEM); Splunk; NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization provide 24x7x365 near real-time alerting capability when an event log processing failure occurs?
  Weighting: 6 | Function: Detect | Marks: X


MON-05.2 | Continuous Monitoring | Event Log Storage Capacity Alerting
  Control: Automated mechanisms exist to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity.
  Question: Does the organization use automated mechanisms to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity?
  Weighting: 5 | Function: Detect | Marks: X

MON-06 | Continuous Monitoring | Monitoring Reporting
  Control: Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Security Incident Event Manager (SIEM); Splunk; NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization provide an event log report generation capability to aid in detecting and assessing anomalous activities?
  Weighting: 7 | Function: Detect | Marks: X X

MON-06.1 | Continuous Monitoring | Query Parameter Audits of Personal Data (PD)
  Control: Mechanisms exist to provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD).
  Question: Does the organization provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD)?
  Weighting: 3 | Function: Detect | Marks: X X

MON-06.2 | Continuous Monitoring | Trend Analysis Reporting
  Control: Mechanisms exist to employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
  Question: Does the organization employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data?
  Weighting: 5 | Function: Detect | Marks: X

MON-07 | Continuous Monitoring | Time Stamps
  Control: Mechanisms exist to configure systems to use an authoritative time source to generate time stamps for event logs.
  Question: Does the organization configure systems to use an authoritative time source to generate time stamps for event logs?
  Weighting: 10 | Function: Detect | Marks: X

MON-07.1 | Continuous Monitoring | Synchronization With Authoritative Time Source
  Control: Mechanisms exist to synchronize internal system clocks with an authoritative time source.
  Methods: Network Time Protocol (NTP)
  Question: Does the organization synchronize internal system clocks with an authoritative time source?
  Weighting: 8 | Function: Detect | Marks: X

MON-08 | Continuous Monitoring | Protection of Event Logs
  Control: Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Security Incident Event Manager (SIEM); Splunk
  Question: Does the organization protect event logs and audit tools from unauthorized access, modification and deletion?
  Weighting: 10 | Function: Detect | Marks: X X

MON-08.1 | Continuous Monitoring | Event Log Backup on Separate Physical Systems / Components
  Control: Mechanisms exist to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); Security Incident Event Manager (SIEM); Splunk
  Question: Does the organization back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool?
  Weighting: 5 | Function: Detect | Marks: X X

MON-08.2 | Continuous Monitoring | Access by Subset of Privileged Users
  Control: Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need.
  Methods: Security Incident Event Manager (SIEM); Splunk
  Question: Does the organization restrict access to the management of event logs to privileged users with a specific business need?
  Weighting: 8 | Function: Detect | Marks: X X

MON-08.3 | Continuous Monitoring | Cryptographic Protection of Event Log Information
  Control: Cryptographic mechanisms exist to protect the integrity of event logs and audit tools.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Question: Are cryptographic mechanisms utilized to protect the integrity of event logs and audit tools?
  Weighting: 5 | Function: Protect | Marks: X

MON-08.4 | Continuous Monitoring | Dual Authorization for Event Log Movement
  Control: Automated mechanisms exist to enforce dual authorization for the movement or deletion of event logs.
  Question: Does the organization use automated mechanisms to enforce dual authorization for the movement or deletion of event logs?
  Weighting: 5 | Function: Protect | Marks: X X

MON-09 | Continuous Monitoring | Non-Repudiation
  Control: Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.
  Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Question: Does the organization utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action?
  Weighting: 8 | Function: Protect | Marks: X

MON-09.1 | Continuous Monitoring | Identity Binding
  Control: Mechanisms exist to bind the identity of the information producer to the information generated.
  Question: Does the organization bind the identity of the information producer to the information generated?
  Weighting: 4 | Function: Protect | Marks: X X


MON-10 | Event Log Retention | Continuous Monitoring | Evidence: E-AST-11 | Weight: 10 | Function: Detect | X X
Control: Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.
Methods:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Question: Does the organization retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements?

MON-11 | Monitoring For Information Disclosure | Continuous Monitoring | Weight: 8 | Function: Detect | X X
Control: Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information.
Methods:
- Content filtering solution
- Review of social media outlets
Question: Does the organization monitor for evidence of unauthorized exfiltration or disclosure of non-public information?

MON-11.1 | Analyze Traffic for Covert Exfiltration | Continuous Monitoring | Weight: 5 | Function: Detect | X X
Control: Automated mechanisms exist to analyze network traffic to detect covert data exfiltration.
Question: Does the organization use automated mechanisms to analyze network traffic to detect covert data exfiltration?

MON-11.2 | Unauthorized Network Services | Continuous Monitoring | Weight: 5 | Function: Detect | X X
Control: Automated mechanisms exist to detect unauthorized network services and alert incident response personnel.
Question: Does the organization use automated mechanisms to detect unauthorized network services and alert incident response personnel?

MON-11.3 | Monitoring for Indicators of Compromise (IOC) | Continuous Monitoring | Weight: 5 | Function: Detect | X X
Control: Automated mechanisms exist to identify and alert on Indicators of Compromise (IoC).
Methods:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Question: Does the organization use automated mechanisms to identify and alert on Indicators of Compromise (IoC)?

MON-12 | Session Audit | Continuous Monitoring | Weight: 7 | Function: Detect | X X
Control: Mechanisms exist to provide session audit capabilities that can:
▪ Capture and log all content related to a user session; and
▪ Remotely view all content related to an established user session in real time.
Methods:
- NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization provide session audit capabilities that can:
▪ Capture and log all content related to a user session; and
▪ Remotely view all content related to an established user session in real time?

MON-13 | Alternate Event Logging Capability | Continuous Monitoring | Weight: 3 | Function: Detect | X X
Control: Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability.
Methods:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
- NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization provide an alternate event logging capability in the event of a failure in primary audit capability?

MON-14 | Cross-Organizational Monitoring | Continuous Monitoring | Weight: 3 | Function: Detect | X X
Control: Mechanisms exist to coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data.
Question: Does the organization coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data?

MON-14.1 | Sharing of Event Logs | Continuous Monitoring | Weight: 5 | Function: Detect | X X
Control: Mechanisms exist to share event logs with third-party organizations based on specific cross-organizational sharing agreements.
Methods:
- Veris (incident sharing) (http://veriscommunity.net)
Question: Does the organization share event logs with third-party organizations based on specific cross-organizational sharing agreements?

MON-15 | Covert Channel Analysis | Continuous Monitoring | Weight: 3 | Function: Detect | X X
Control: Mechanisms exist to conduct covert channel analysis to identify aspects of communications that are potential avenues for covert channels.
Question: Does the organization conduct covert channel analysis to identify aspects of communications that are potential avenues for covert channels?

MON-16 | Anomalous Behavior | Continuous Monitoring | Weight: 10 | Function: Detect | X X
Control: Mechanisms exist to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.
Methods:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
- NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization detect and respond to anomalous behavior that could indicate account compromise or other malicious activities?

MON-16.1 | Insider Threats | Continuous Monitoring | Weight: 8 | Function: Detect | X X
Control: Mechanisms exist to monitor internal personnel activity for potential security incidents.
Methods:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
- NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization monitor internal personnel activity for potential security incidents?

MON-16.2 | Third-Party Threats | Continuous Monitoring | Weight: 8 | Function: Detect | X X
Control: Mechanisms exist to monitor third-party personnel activity for potential security incidents.
Methods:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
- NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization monitor third-party personnel activity for potential security incidents?

MON-16.3 | Unauthorized Activities | Continuous Monitoring | Weight: 8 | Function: Detect | X X
Control: Mechanisms exist to monitor for unauthorized activities, accounts, connections, devices and software.
Methods:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
- NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization monitor for unauthorized activities, accounts, connections, devices and software?

MON-16.4 | Account Creation and Modification Logging | Continuous Monitoring | Weight: 7 | Function: Detect | X
Control: Automated mechanisms exist to generate event logs for permissions changes to privileged accounts and/or groups.
Question: Does the organization use automated mechanisms to generate event logs for permissions changes to privileged accounts and/or groups?

CRY-01 | Use of Cryptographic Controls | Cryptographic Protections | Weight: 10 | Function: Protect | X X X
Control: Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.
Methods:
- Key and certificate management solutions
- Microsoft BitLocker (https://www.microsoft.com/en-us/download/details.aspx?id=53006)
- Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection)
- Vormetric Transparent Encryption (https://www.thalesesecurity.com/products/data-encryption/vormetric-transparent-encryption)
Question: Does the organization facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies?

CRY-01.1 | Alternate Physical Protection | Cryptographic Protections | Weight: 5 | Function: Protect | X
Control: Cryptographic mechanisms exist to prevent unauthorized disclosure of information as an alternative to physical safeguards.
Question: Are cryptographic mechanisms utilized to prevent unauthorized disclosure of information as an alternative to physical safeguards?

CRY-01.2 | Export-Controlled Technology | Cryptographic Protections | Weight: 5 | Function: Protect | X
Control: Mechanisms exist to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.
Question: Does the organization address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements?

CRY-01.3 | Pre/Post Transmission Handling | Cryptographic Protections | Weight: 5 | Function: Protect | X
Control: Cryptographic mechanisms exist to ensure the confidentiality and integrity of information during preparation for transmission and during reception.
Question: Are cryptographic mechanisms utilized to ensure the confidentiality and integrity of information during preparation for transmission and during reception?

CRY-01.4 | Conceal / Randomize Communications | Cryptographic Protections | Weight: 5 | Function: Protect | X
Control: Cryptographic mechanisms exist to conceal or randomize communication patterns.
Question: Are cryptographic mechanisms utilized to conceal or randomize communication patterns?

CRY-01.5 | Cryptographic Cipher Suites and Protocols Inventory | Cryptographic Protections | Weight: 9 | Function: Protect | X X X
Control: Mechanisms exist to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols.
Question: Does the organization identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols?

CRY-02 | Cryptographic Module Authentication | Cryptographic Protections | Weight: 8 | Function: Protect | X
Control: Automated mechanisms exist to enable systems to authenticate to a cryptographic module.
Methods:
- Yubico (https://www.yubico.com)
Question: Does the organization use automated mechanisms to enable systems to authenticate to a cryptographic module?

CRY-03 | Transmission Confidentiality | Cryptographic Protections | Evidence: E-CRY-01 | Weight: 10 | Function: Protect | X X
Control: Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.
Methods:
- SSL / TLS protocols
- IPSEC Tunnels
- Native MPLS encrypted tunnel configurations
- Custom encrypted payloads
Question: Are cryptographic mechanisms utilized to protect the confidentiality of data being transmitted?

CRY-04 | Transmission Integrity | Cryptographic Protections | Evidence: E-CRY-01 | Weight: 10 | Function: Protect | X X
Control: Cryptographic mechanisms exist to protect the integrity of data being transmitted.
Question: Are cryptographic mechanisms utilized to protect the integrity of data being transmitted?

CRY-05 | Encrypting Data At Rest | Cryptographic Protections | Weight: 10 | Function: Protect | X X
Control: Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.
Methods:
- Symantec Endpoint Encryption (https://www.symantec.com/products/endpoint-protection)
Question: Are cryptographic mechanisms utilized to prevent unauthorized disclosure of data at rest?

CRY-05.1 | Storage Media | Cryptographic Protections | Weight: 8 | Function: Protect | X X
Control: Cryptographic mechanisms exist to protect the confidentiality and integrity of sensitive/regulated data residing on storage media.
Methods:
- Native Storage Area Network (SAN) encryption functionality
- BitLocker and EFS
Question: Are cryptographic mechanisms utilized to protect the confidentiality and integrity of sensitive/regulated data residing on storage media?

CRY-05.2 | Offline Storage | Cryptographic Protections | Weight: 5 | Function: Protect | X X
Control: Mechanisms exist to remove unused data from online storage and archive it off-line in a secure location until it can be disposed of according to data retention requirements.
Question: Does the organization remove unused data from online storage and archive it off-line in a secure location until it can be disposed of according to data retention requirements?

CRY-05.3 | Database Encryption | Cryptographic Protections | Weight: 8 | Function: Protect | X
Control: Mechanisms exist to ensure that database servers utilize encryption to protect the confidentiality of the data within the databases.
Question: Does the organization ensure that database servers utilize encryption to protect the confidentiality of the data within the databases?

CRY-06 | Non-Console Administrative Access | Cryptographic Protections | Weight: 9 | Function: Protect | X
Control: Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.
Question: Are cryptographic mechanisms utilized to protect the confidentiality and integrity of non-console administrative access?

CRY-07 | Wireless Access Authentication & Encryption | Cryptographic Protections | Weight: 9 | Function: Protect | X X X
Control: Mechanisms exist to protect wireless access via secure authentication and encryption.
Question: Does the organization protect wireless access via secure authentication and encryption?

CRY-08 | Public Key Infrastructure (PKI) | Cryptographic Protections | Weight: 9 | Function: Protect | X X X
Control: Mechanisms exist to securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider.
Methods:
- Microsoft Active Directory (AD) Certificate Services
- DigiCert (https://www.digicert.com)
- Entrust (https://www.entrust.com)
- Comodo (https://www.comodo.com)
- Vault (https://www.vaultproject.io/)
Question: Does the organization securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider?

CRY-08.1 | Availability | Cryptographic Protections | Weight: 9 | Function: Recover | X X X
Control: Resiliency mechanisms exist to ensure the availability of data in the event of the loss of cryptographic keys.
Question: Does the organization ensure the availability of data in the event of the loss of cryptographic keys?

CRY-09 | Cryptographic Key Management | Cryptographic Protections | Evidence: E-CRY-01 | Weight: 10 | Function: Protect | X X X
Control: Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.
Methods:
- Microsoft Active Directory (AD) Certificate Services
- DigiCert (https://www.digicert.com)
- Entrust (https://www.entrust.com)
- Comodo (https://www.comodo.com)
- Vault (https://www.vaultproject.io/)
Question: Does the organization facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys?

CRY-09.1 | Symmetric Keys | Cryptographic Protections | Evidence: E-CRY-01 | Weight: 9 | Function: Protect | X X
Control: Mechanisms exist to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes.
Question: Does the organization facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes?

CRY-09.2 | Asymmetric Keys | Cryptographic Protections | Evidence: E-CRY-01 | Weight: 9 | Function: Protect | X X
Control: Mechanisms exist to facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes that protect the user’s private key.
Question: Does the organization facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes that protect the user’s private key?

CRY-09.3 | Cryptographic Key Loss or Change | Cryptographic Protections | Weight: 8 | Function: Protect | X X X
Control: Mechanisms exist to ensure the availability of information in the event of the loss of cryptographic keys by individual users.
Methods:
- Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys.
Question: Does the organization ensure the availability of information in the event of the loss of cryptographic keys by individual users?

CRY-09.4 | Control & Distribution of Cryptographic Keys | Cryptographic Protections | Weight: 9 | Function: Protect | X X X
Control: Mechanisms exist to facilitate the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes.
Question: Does the organization facilitate the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes?

CRY-09.5 | Assigned Owners | Cryptographic Protections | Weight: 8 | Function: Protect | X X
Control: Mechanisms exist to ensure cryptographic keys are bound to individual identities.
Question: Does the organization ensure cryptographic keys are bound to individual identities?

CRY-09.6 | Third-Party Cryptographic Keys | Cryptographic Protections | Weight: 7 | Function: Protect | X
Control: Mechanisms exist to ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared.
Question: Does the organization ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared?

CRY-09.7 | External System Cryptographic Key Control | Cryptographic Protections | Weight: 5 | Function: Protect | X
Control: Mechanisms exist to maintain control of cryptographic keys for encrypted material stored or transmitted through an external system.
Question: Does the organization maintain control of cryptographic keys for encrypted material stored or transmitted through an external system?

CRY-10 | Transmission of Cybersecurity & Data Privacy Attributes | Cryptographic Protections | Weight: 5 | Function: Protect | X
Control: Mechanisms exist to ensure systems associate security attributes with information exchanged between systems.
Methods:
- Integrity checking
Question: Does the organization ensure systems associate security attributes with information exchanged between systems?

CRY-11 | Certificate Authorities | Cryptographic Protections | Weight: 8 | Function: Protect | X X
Control: Automated mechanisms exist to enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions.
Question: Does the organization use automated mechanisms to enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions?

DCH-01 | Data Protection | Data Classification & Handling | Weight: 10 | Function: Protect | X X
Control: Mechanisms exist to facilitate the implementation of data protection controls.
Question: Does the organization facilitate the implementation of data protection controls?

DCH-01.1 | Data Stewardship | Data Classification & Handling | Weight: 10 | Function: Protect | X X X
Control: Mechanisms exist to ensure data stewardship is assigned, documented and communicated.
Question: Does the organization ensure data stewardship is assigned, documented and communicated?

DCH-01.2 | Sensitive / Regulated Data Protection | Data Classification & Handling | Weight: 9 | Function: Protect | X X X
Control: Mechanisms exist to protect sensitive/regulated data wherever it is stored.
Question: Does the organization protect sensitive/regulated data wherever it is stored?

DCH-01.3 | Sensitive / Regulated Media Records | Data Classification & Handling | Weight: 6 | Function: Protect | X
Control: Mechanisms exist to ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident.
Question: Does the organization ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident?

DCH-01.4 | Defining Access Authorizations for Sensitive/Regulated Data | Data Classification & Handling | Weight: 9 | Function: Protect | X X
Control: Mechanisms exist to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.
Question: Does the organization explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data?

DCH-02 | Data & Asset Classification | Data Classification & Handling | Evidence: E-DCH-01, E-DCH-02 | Weight: 10 | Function: Identify | X X X
Control: Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.
Question: Does the organization ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements?

DCH-02.1 | Highest Classification Level | Data Classification & Handling | Weight: 8 | Function: Protect | X X X
Control: Mechanisms exist to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.
Question: Does the organization ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed?

DCH-03 | Media Access | Data Classification & Handling | Weight: 8 | Function: Protect | X X
Control: Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals.
Methods:
- Data Loss Prevention (DLP)
Question: Does the organization control and restrict access to digital and non-digital media to authorized individuals?

DCH-03.1 | Disclosure of Information | Data Classification & Handling | Weight: 10 | Function: Protect | X X
Control: Mechanisms exist to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know.
Question: Does the organization restrict the disclosure of sensitive / regulated data to authorized parties with a need to know?

DCH-03.2 | Masking Displayed Data | Data Classification & Handling | Weight: 7 | Function: Protect | X X
Control: Mechanisms exist to apply data masking to sensitive/regulated information that is displayed or printed.
Question: Does the organization apply data masking to sensitive/regulated information that is displayed or printed?

DCH-03.3 | Controlled Release | Data Classification & Handling | Weight: 4 | Function: Protect
Control: Automated mechanisms exist to validate cybersecurity & data privacy attributes prior to releasing information to external systems.
Question: Does the organization use automated mechanisms to validate cybersecurity & data privacy attributes prior to releasing information to external systems?

DCH-04 | Media Marking | Data Classification & Handling | Weight: 7 | Function: Protect | X X
Control: Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.
Question: Does the organization mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements?

DCH-04.1 | Automated Marking | Data Classification & Handling | Weight: 2 | Function: Protect | X
Control: Automated mechanisms exist to mark physical media and digital files to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aid Data Loss Prevention (DLP) technologies.
Question: Does the organization use automated mechanisms to mark physical media and digital files to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aid Data Loss Prevention (DLP) technologies?

DCH-05 | Cybersecurity & Data Privacy Attributes | Data Classification & Handling | Weight: 2 | Function: Protect | X
Control: Mechanisms exist to bind cybersecurity & data privacy attributes to information as it is stored, transmitted and processed.
Question: Does the organization bind cybersecurity & data privacy attributes to information as it is stored, transmitted and processed?

DCH-05.1 | Dynamic Attribute Association | Data Classification & Handling | Weight: 2 | Function: Protect | X
Control: Mechanisms exist to dynamically associate cybersecurity & data privacy attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and data privacy policies.
Question: Does the organization dynamically associate cybersecurity & data privacy attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and data privacy policies?

DCH-05.2 | Attribute Value Changes By Authorized Individuals | Data Classification & Handling | Weight: 8 | Function: Protect | X
Control: Mechanisms exist to provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated cybersecurity & data privacy attributes.
Question: Does the organization provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated cybersecurity & data privacy attributes?

DCH-05.3 | Maintenance of Attribute Associations By System | Data Classification & Handling | Weight: 2 | Function: Protect | X
Control: Mechanisms exist to maintain the association and integrity of cybersecurity & data privacy attributes to individuals and objects.
Question: Does the organization maintain the association and integrity of cybersecurity & data privacy attributes to individuals and objects?

DCH-05.4 | Association of Attributes By Authorized Individuals | Data Classification & Handling | Weight: 2 | Function: Protect | X
Control: Mechanisms exist to provide the capability to associate cybersecurity & data privacy attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals).
Question: Does the organization provide the capability to associate cybersecurity & data privacy attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals)?

DCH-05.5 | Attribute Displays for Output Devices | Data Classification & Handling | Weight: 8 | Function: Protect | X
Control: Mechanisms exist to display cybersecurity & data privacy attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling or distribution instructions using human-readable, standard naming conventions.
Question: Does the organization display cybersecurity & data privacy attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling or distribution instructions using human-readable, standard naming conventions?

DCH-05.6 | Data Subject Attribute Associations | Data Classification & Handling | Weight: 2 | Function: Protect | X
Control: Mechanisms exist to require personnel to associate and maintain the association of cybersecurity & data privacy attributes with individuals and objects in accordance with cybersecurity and data privacy policies.
Question: Does the organization require personnel to associate and maintain the association of cybersecurity & data privacy attributes with individuals and objects in accordance with cybersecurity and data privacy policies?

DCH-05.7 | Consistent Attribute Interpretation | Data Classification & Handling | Weight: 2 | Function: Protect | X
Control: Mechanisms exist to provide a consistent, organizationally agreed upon interpretation of cybersecurity & data privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components.
Question: Does the organization provide a consistent, organizationally agreed upon interpretation of cybersecurity & data privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components?

DCH-05.8 | Identity Association Techniques & Technologies | Data Classification & Handling | Weight: 2 | Function: Protect | X X
Control: Mechanisms exist to associate cybersecurity & data privacy attributes to information.
Question: Does the organization associate cybersecurity & data privacy attributes to information?

DCH-05.9 | Attribute Reassignment | Data Classification & Handling | Weight: 7 | Function: Protect | X X
Control: Mechanisms exist to reclassify data as required, due to changing business/technical requirements.
Question: Does the organization reclassify data as required, due to changing business/technical requirements?

DCH-05.10 | Attribute Configuration By Authorized Individuals | Data Classification & Handling | Weight: 8 | Function: Protect | X X
Control: Mechanisms exist to provide authorized individuals the capability to define or change the type and value of cybersecurity & data privacy attributes available for association with subjects and objects.
Question: Does the organization provide authorized individuals the capability to define or change the type and value of cybersecurity & data privacy attributes available for association with subjects and objects?

DCH-05.11 | Audit Changes | Data Classification & Handling | Weight: 7 | Function: Detect | X X
Control: Mechanisms exist to audit changes to cybersecurity & data privacy attributes and respond to events in accordance with incident response procedures.
Methods:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Question: Does the organization audit changes to cybersecurity & data privacy attributes and respond to events in accordance with incident response procedures?

DCH-06 | Media Storage | Data Classification & Handling | Weight: 8 | Function: Protect | X X X
Control: Mechanisms exist to:
▪ Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and
▪ Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.
Question: Does the organization:
▪ Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and
▪ Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures?

DCH-06.1 | Physically Secure All Media | Data Classification & Handling | Weight: 9 | Function: Protect | X
Control: Mechanisms exist to physically secure all media that contains sensitive information.
Methods:
- Lockbox
Question: Does the organization physically secure all media that contains sensitive information?

DCH-06.2 | Sensitive Data Inventories | Data Classification & Handling | Evidence: E-AST-08 | Weight: 9 | Function: Detect | X
Control: Mechanisms exist to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually.
Question: Does the organization maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually?

DCH-06.3 | Periodic Scans for Sensitive Data | Data Classification & Handling | Weight: 7 | Function: Detect | X X
Control: Mechanisms exist to periodically scan unstructured data sources for sensitive/regulated data or data requiring special protection measures by statutory, regulatory or contractual obligations.
Question: Does the organization periodically scan unstructured data sources for sensitive/regulated data or data requiring special protection measures by statutory, regulatory or contractual obligations?

DCH-06.4 | Making Sensitive Data Unreadable In Storage | Data Classification & Handling | Weight: 9 | Function: Protect | X X
Control: Mechanisms exist to ensure sensitive/regulated data is rendered human unreadable anywhere sensitive/regulated data is stored.
Question: Does the organization ensure sensitive/regulated data is rendered human unreadable anywhere sensitive/regulated data is stored?

DCH-06.5 | Storing Authentication Data | Data Classification & Handling | Weight: 5 | Function: Protect | X X
Control: Mechanisms exist to prohibit the storage of sensitive transaction authentication data after authorization.
Question: Does the organization prohibit the storage of sensitive transaction authentication data after authorization?

DCH-07 | Media Transportation | Data Classification & Handling | Weight: 9 | Function: Protect | X X
Control: Mechanisms exist to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures.
Methods:
- Assigned couriers
Question: Does the organization protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures?

DCH-07.1 | Custodians | Data Classification & Handling | Weight: 9 | Function: Protect | X
Control: Mechanisms exist to identify custodians throughout the transport of digital or non-digital media.
Methods:
- Chain of custody
Question: Does the organization identify custodians throughout the transport of digital or non-digital media?

DCH-07.2 | Encrypting Data In Storage Media | Data Classification & Handling | Weight: 5 | Function: Protect | X X
Control: Cryptographic mechanisms exist to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Question: Are cryptographic mechanisms utilized to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas?

DCH-08 | Physical Media Disposal | Data Classification & Handling | Evidence: E-AST-03 | Weight: 10 | Function: Protect | X X
Control: Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures.
Methods:
- Shred-it
- Iron Mountain
- DoD-strength data erasers
Question: Does the organization securely dispose of media when it is no longer required, using formal procedures?

DCH-09 | System Media Sanitization | Data Classification & Handling | Evidence: E-AST-03, E-DCH-07 | Weight: 10 | Function: Protect | X X
Control: Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.
Question: Does the organization sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse?

DCH-09.1  System Media Sanitization Documentation
  Domain: Data Classification & Handling
  Description: Mechanisms exist to supervise, track, document and verify system media sanitization and disposal actions.
  Methods to comply: Certificate of destruction
  Control question: Does the organization supervise, track, document and verify system media sanitization and disposal actions?
  ERL #: E-AST-03, E-DCH-07
  Weighting: 7 | Function: Protect | Flags: X

DCH-09.2  Equipment Testing
  Domain: Data Classification & Handling
  Description: Mechanisms exist to test sanitization equipment and procedures to verify that the intended result is achieved.
  Control question: Does the organization test sanitization equipment and procedures to verify that the intended result is achieved?
  Weighting: 5 | Function: Detect | Flags: X X

DCH-09.3  Sanitization of Personal Data (PD)
  Domain: Data Classification & Handling
  Description: Mechanisms exist to facilitate the sanitization of Personal Data (PD).
  Methods to comply: De-identifying PI
  Control question: Does the organization facilitate the sanitization of Personal Data (PD)?
  Weighting: 9 | Function: Protect | Flags: X X

DCH-09.4  First Time Use Sanitization
  Domain: Data Classification & Handling
  Description: Mechanisms exist to apply nondestructive sanitization techniques to portable storage devices prior to first use.
  Control question: Does the organization apply nondestructive sanitization techniques to portable storage devices prior to first use?
  Weighting: 5 | Function: Protect | Flags: X X

DCH-09.5  Dual Authorization for Sensitive Data Destruction
  Domain: Data Classification & Handling
  Description: Mechanisms exist to enforce dual authorization for the destruction, disposal or sanitization of digital media that contains sensitive / regulated data.
  Control question: Does the organization enforce dual authorization for the destruction, disposal or sanitization of digital media that contains sensitive / regulated data?
  Weighting: 5 | Function: Protect | Flags: X X

DCH-10  Media Use
  Domain: Data Classification & Handling
  Description: Mechanisms exist to restrict the use of types of digital media on systems or system components.
  Control question: Does the organization restrict the use of types of digital media on systems or system components?
  Weighting: 8 | Function: Protect | Flags: X

DCH-10.1  Limitations on Use
  Domain: Data Classification & Handling
  Description: Mechanisms exist to restrict the use and distribution of sensitive / regulated data.
  Control question: Does the organization restrict the use and distribution of sensitive / regulated data?
  Weighting: 10 | Function: Protect | Flags: X

DCH-10.2  Prohibit Use Without Owner
  Domain: Data Classification & Handling
  Description: Mechanisms exist to prohibit the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
  Control question: Does the organization prohibit the use of portable storage devices in organizational information systems when such devices have no identifiable owner?
  Weighting: 5 | Function: Protect | Flags: X X

DCH-11  Data Reclassification
  Domain: Data Classification & Handling
  Description: Mechanisms exist to reclassify data, including associated systems, applications and services, commensurate with the security category and/or classification level of the information.
  Control question: Does the organization reclassify data, including associated systems, applications and services, commensurate with the security category and/or classification level of the information?
  Weighting: 8 | Function: Protect | Flags: X X

DCH-12  Removable Media Security
  Domain: Data Classification & Handling
  Description: Mechanisms exist to restrict removable media in accordance with data handling and acceptable usage parameters.
  Control question: Does the organization restrict removable media in accordance with data handling and acceptable usage parameters?
  Weighting: 10 | Function: Protect | Flags: X X X

DCH-13  Use of External Information Systems
  Domain: Data Classification & Handling
  Description: Mechanisms exist to govern how external parties, systems and services are used to securely store, process and transmit data.
  Control question: Does the organization govern how external parties, systems and services are used to securely store, process and transmit data?
  Weighting: 9 | Function: Protect | Flags: X X X

DCH-13.1  Limits of Authorized Use
  Domain: Data Classification & Handling
  Description: Mechanisms exist to prohibit external parties, systems and services from storing, processing and transmitting data unless authorized individuals first:
    ▪ Verifying the implementation of required security controls; or
    ▪ Retaining a processing agreement with the entity hosting the external systems or service.
  Control question: Does the organization prohibit external parties, systems and services from storing, processing and transmitting data unless authorized individuals first:
    ▪ Verifying the implementation of required security controls; or
    ▪ Retaining a processing agreement with the entity hosting the external systems or service?
  Weighting: 8 | Function: Protect | Flags: X X

DCH-13.2  Portable Storage Devices
  Domain: Data Classification & Handling
  Description: Mechanisms exist to restrict or prohibit the use of portable storage devices by users on external systems.
  Control question: Does the organization restrict or prohibit the use of portable storage devices by users on external systems?
  Weighting: 9 | Function: Protect | Flags: X X


DCH-13.3  Protecting Sensitive Data on External Systems
  Domain: Data Classification & Handling
  Description: Mechanisms exist to ensure that the requirements for the protection of sensitive information processed, stored or transmitted on external systems, are implemented in accordance with applicable statutory, regulatory and contractual obligations.
  Methods to comply: NIST 800-171 Compliance Criteria (NCC) (ComplianceForge)
  Control question: Does the organization ensure that the requirements for the protection of sensitive information processed, stored or transmitted on external systems, are implemented in accordance with applicable statutory, regulatory and contractual obligations?
  Weighting: 10 | Function: Protect | Flags: X X X

DCH-13.4  Non-Organizationally Owned Systems / Components / Devices
  Domain: Data Classification & Handling
  Description: Mechanisms exist to restrict the use of non-organizationally owned information systems, system components or devices to process, store or transmit organizational information.
  Control question: Does the organization restrict the use of non-organizationally owned information systems, system components or devices to process, store or transmit organizational information?
  Weighting: 5 | Function: Protect | Flags: X X

DCH-14  Information Sharing
  Domain: Data Classification & Handling
  Description: Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.
  Methods to comply:
    - ShareFile
    - SmartVault
    - Veris (incident sharing) (http://veriscommunity.net)
  Control question: Does the organization utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected?
  Weighting: 9 | Function: Protect | Flags: X X

DCH-14.1  Information Search & Retrieval
  Domain: Data Classification & Handling
  Description: Mechanisms exist to ensure information systems implement data search and retrieval functions that properly enforce data protection / sharing restrictions.
  Control question: Does the organization ensure information systems implement data search and retrieval functions that properly enforce data protection / sharing restrictions?
  Weighting: 5 | Function: Protect | Flags: X X

DCH-14.2  Transfer Authorizations
  Domain: Data Classification & Handling
  Description: Mechanisms exist to verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data.
  Control question: Does the organization verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data?
  Weighting: 8 | Function: Protect | Flags: X

DCH-14.3  Data Access Mapping
  Domain: Data Classification & Handling
  Description: Mechanisms exist to develop a data-specific Access Control List (ACL) or Data Information Sharing Agreement (DISA) to determine the parties with whom sensitive/regulated data is shared.
  Control question: Does the organization develop a data-specific Access Control List (ACL) or Data Information Sharing Agreement (DISA) to determine the parties with whom sensitive/regulated data is shared?
  Weighting: 9 | Function: Identify | Flags: X X

DCH-15  Publicly Accessible Content
  Domain: Data Classification & Handling
  Description: Mechanisms exist to control publicly-accessible content.
  Methods to comply:
    - Designate individuals authorized to post information onto systems that are publicly accessible.
    - Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information.
    - Review the proposed content of publicly accessible information for nonpublic information prior to posting.
    - Remove nonpublic information from the publicly accessible system.
  Control question: Does the organization control publicly-accessible content?
  Weighting: 10 | Function: Protect | Flags: X X

DCH-16  Data Mining Protection
  Domain: Data Classification & Handling
  Description: Mechanisms exist to protect data storage objects against unauthorized data mining and data harvesting techniques.
  Control question: Does the organization protect data storage objects against unauthorized data mining and data harvesting techniques?
  Weighting: 7 | Function: Protect | Flags: X X

DCH-17  Ad-Hoc Transfers
  Domain: Data Classification & Handling
  Description: Mechanisms exist to secure ad-hoc exchanges of large digital files with internal or external parties.
  Methods to comply:
    - ShareFile
    - Box
  Control question: Does the organization secure ad-hoc exchanges of large digital files with internal or external parties?
  Weighting: 8 | Function: Protect | Flags: X X

DCH-18  Media & Data Retention
  Domain: Data Classification & Handling
  Description: Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization retain media and data in accordance with applicable statutory, regulatory and contractual obligations?
  ERL #: E-AST-11
  Weighting: 8 | Function: Protect | Flags: X X

DCH-18.1  Minimize Personal Data (PD)
  Domain: Data Classification & Handling
  Description: Mechanisms exist to limit Personal Data (PD) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA).
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization limit Personal Data (PD) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA)?
  Weighting: 8 | Function: Protect | Flags: X

DCH-18.2  Limit Personal Data (PD) Elements In Testing, Training & Research
  Domain: Data Classification & Handling
  Description: Mechanisms exist to minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA)?
  Weighting: 8 | Function: Protect | Flags: X X

DCH-18.3  Temporary Files Containing Personal Data (PD)
  Domain: Data Classification & Handling
  Description: Mechanisms exist to perform periodic checks of temporary files for the existence of Personal Data (PD).
  Control question: Does the organization perform periodic checks of temporary files for the existence of Personal Data (PD)?
  Weighting: 5 | Function: Protect | Flags: X


DCH-19  Geographic Location of Data
  Domain: Data Classification & Handling
  Description: Mechanisms exist to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties.
  Control question: Does the organization inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties?
  ERL #: E-AST-23
  Weighting: 9 | Function: Identify | Flags: X X

DCH-20  Archived Data Sets
  Domain: Data Classification & Handling
  Description: Mechanisms exist to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.
  Control question: Does the organization protect archived data in accordance with applicable statutory, regulatory and contractual obligations?
  Weighting: 8 | Function: Protect | Flags: X

DCH-21  Information Disposal
  Domain: Data Classification & Handling
  Description: Mechanisms exist to securely dispose of, destroy or erase information.
  Methods to comply:
    - Shred-it
    - IronMountain
  Control question: Does the organization securely dispose of, destroy or erase information?
  Weighting: 10 | Function: Protect | Flags: X X X

DCH-22  Data Quality Operations
  Domain: Data Classification & Handling
  Description: Mechanisms exist to check for the accuracy, relevance, timeliness, impact, completeness and de-identification of information across the information lifecycle.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization check for the accuracy, relevance, timeliness, impact, completeness and de-identification of information across the information lifecycle?
  Weighting: 5 | Function: Protect | Flags: X X

DCH-22.1  Updating & Correcting Personal Data (PD)
  Domain: Data Classification & Handling
  Description: Mechanisms exist to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified?
  Weighting: 6 | Function: Protect | Flags: X

DCH-22.2  Data Tags
  Domain: Data Classification & Handling
  Description: Mechanisms exist to utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle?
  Weighting: 3 | Function: Protect | Flags: X

DCH-22.3  Primary Source Personal Data (PD) Collection
  Domain: Data Classification & Handling
  Description: Mechanisms exist to collect Personal Data (PD) directly from the individual.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization collect Personal Data (PD) directly from the individual?
  Weighting: 8 | Function: Identify | Flags: X

DCH-23  De-Identification (Anonymization)
  Domain: Data Classification & Handling
  Description: Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization anonymize data by removing Personal Data (PD) from datasets?
  Weighting: 8 | Function: Protect | Flags: X X

DCH-23.1  De-Identify Dataset Upon Collection
  Domain: Data Classification & Handling
  Description: Mechanisms exist to de-identify the dataset upon collection by not collecting Personal Data (PD).
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization de-identify the dataset upon collection by not collecting Personal Data (PD)?
  Weighting: 8 | Function: Protect | Flags: X

DCH-23.2  Archiving
  Domain: Data Classification & Handling
  Description: Mechanisms exist to refrain from archiving Personal Data (PD) elements if those elements in a dataset will not be needed after the dataset is archived.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization refrain from archiving Personal Data (PD) elements if those elements in a dataset will not be needed after the dataset is archived?
  Weighting: 8 | Function: Protect | Flags: X

DCH-23.3  Release
  Domain: Data Classification & Handling
  Description: Mechanisms exist to remove Personal Data (PD) elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization remove Personal Data (PD) elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release?
  Weighting: 8 | Function: Protect | Flags: X

DCH-23.4  Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers
  Domain: Data Classification & Handling
  Description: Mechanisms exist to remove, mask, encrypt, hash or replace direct identifiers in a dataset.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization remove, mask, encrypt, hash or replace direct identifiers in a dataset?
  Weighting: 8 | Function: Protect | Flags: X X

DCH-23.5  Statistical Disclosure Control
  Domain: Data Classification & Handling
  Description: Mechanisms exist to manipulate numerical data, contingency tables and statistical findings so that no person or organization is identifiable in the results of the analysis.
  Control question: Does the organization manipulate numerical data, contingency tables and statistical findings so that no person or organization is identifiable in the results of the analysis?
  Weighting: 1 | Function: Protect | Flags: X


DCH-23.6  Differential Data Privacy
  Domain: Data Classification & Handling
  Description: Mechanisms exist to prevent disclosure of Personal Data (PD) by adding non-deterministic noise to the results of mathematical operations before the results are reported.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization prevent disclosure of Personal Data (PD) by adding non-deterministic noise to the results of mathematical operations before the results are reported?
  Weighting: 1 | Function: Protect | Flags: X

DCH-23.7  Automated De-Identification of Sensitive Data
  Domain: Data Classification & Handling
  Description: Mechanisms exist to perform de-identification of sensitive/regulated data, using validated algorithms and software to implement the algorithms.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Control question: Does the organization perform de-identification of sensitive/regulated data, using validated algorithms and software to implement the algorithms?
  Weighting: 1 | Function: Protect | Flags: X

DCH-23.8  Motivated Intruder
  Domain: Data Classification & Handling
  Description: Mechanisms exist to perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.
  Control question: Does the organization perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified?
  Weighting: 3 | Function: Protect | Flags: X

DCH-23.9  Code Names
  Domain: Data Classification & Handling
  Description: Mechanisms exist to use aliases to name assets that are mission-critical and/or contain highly sensitive/regulated data, so that the names are unique and not readily associated with a product, project or type of data.
  Control question: Does the organization use aliases to name assets that are mission-critical and/or contain highly sensitive/regulated data, so that the names are unique and not readily associated with a product, project or type of data?
  Weighting: 1 | Function: Protect | Flags: X

DCH-24  Information Location
  Domain: Data Classification & Handling
  Description: Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.
  Methods to comply: Data Flow Diagram (DFD)
  Control question: Does the organization identify and document the location of information and the specific system components on which the information resides?
  ERL #: E-AST-23
  Weighting: 10 | Function: Identify | Flags: X X

DCH-24.1  Automated Tools to Support Information Location
  Domain: Data Classification & Handling
  Description: Automated mechanisms exist to identify information by data classification type to ensure adequate cybersecurity & data privacy controls are in place to protect organizational information and individual data privacy.
  Control question: Does the organization use automated mechanisms to identify information by data classification type to ensure adequate cybersecurity & data privacy controls are in place to protect organizational information and individual data privacy?
  Weighting: 6 | Function: Identify | Flags: X X

DCH-25  Transfer of Sensitive and/or Regulated Data
  Domain: Data Classification & Handling
  Description: Mechanisms exist to restrict and govern the transfer of sensitive and/or regulated data to third countries or international organizations.
  Methods to comply:
    - Model contracts
    - Privacy Shield
    - Binding Corporate Rules (BCR)
  Control question: Does the organization restrict and govern the transfer of sensitive and/or regulated data to third countries or international organizations?
  Weighting: 10 | Function: Protect | Flags: X

DCH-25.1  Transfer Activity Limits
  Domain: Data Classification & Handling
  Description: Mechanisms exist to establish organization-defined "normal business activities" to identify anomalous transaction activities, which can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions.
  Control question: Does the organization establish organization-defined "normal business activities" to identify anomalous transaction activities, which can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions?
  Weighting: 7 | Function: Protect | Flags: X

DCH-26  Data Localization
  Domain: Data Classification & Handling
  Description: Mechanisms exist to constrain the impact of "digital sovereignty laws" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.
  Methods to comply: Board of Directors (BoD) Ethics Committee
  Control question: Does the organization constrain the impact of "digital sovereignty laws" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations?
  Weighting: 10 | Function: Protect | Flags: X X X

EMB-01  Embedded Technology Security Program
  Domain: Embedded Technology
  Description: Mechanisms exist to facilitate the implementation of embedded technology controls.
  Control question: Does the organization facilitate the implementation of embedded technology controls?
  ERL #: E-AST-07
  Weighting: 10 | Function: Protect | Flags: X X X

EMB-02  Internet of Things (IoT)
  Domain: Embedded Technology
  Description: Mechanisms exist to proactively manage the cybersecurity & data privacy risks associated with Internet of Things (IoT).
  Control question: Does the organization proactively manage the cybersecurity & data privacy risks associated with Internet of Things (IoT)?
  Weighting: 9 | Function: Protect | Flags: X

EMB-03  Operational Technology (OT)
  Domain: Embedded Technology
  Description: Mechanisms exist to proactively manage the cybersecurity & data privacy risks associated with Operational Technology (OT).
  Control question: Does the organization proactively manage the cybersecurity & data privacy risks associated with Operational Technology (OT)?
  Weighting: 9 | Function: Protect | Flags: X

EMB-04  Interface Security
  Domain: Embedded Technology
  Description: Mechanisms exist to protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s).
  Control question: Does the organization protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s)?
  Weighting: 4 | Function: Protect | Flags: X


EMB-05  Embedded Technology Configuration Monitoring
  Domain: Embedded Technology
  Description: Mechanisms exist to generate log entries on embedded devices when configuration changes or attempts to access interfaces are detected.
  Control question: Does the organization generate log entries on embedded devices when configuration changes or attempts to access interfaces are detected?
  Weighting: 6 | Function: Detect | Flags: X X

EMB-06  Prevent Alterations
  Domain: Embedded Technology
  Description: Mechanisms exist to protect embedded devices by preventing the unauthorized installation and execution of software.
  Control question: Does the organization protect embedded devices by preventing the unauthorized installation and execution of software?
  Weighting: 6 | Function: Protect | Flags: X

EMB-07  Embedded Technology Maintenance
  Domain: Embedded Technology
  Description: Mechanisms exist to securely update software and upgrade functionality on embedded devices.
  Control question: Does the organization securely update software and upgrade functionality on embedded devices?
  Weighting: 6 | Function: Protect | Flags: X X

EMB-08  Resilience To Outages
  Domain: Embedded Technology
  Description: Mechanisms exist to configure embedded technology to be resilient to data network and power outages.
  Control question: Does the organization configure embedded technology to be resilient to data network and power outages?
  Weighting: 2 | Function: Protect | Flags: X X

EMB-09  Power Level Monitoring
  Domain: Embedded Technology
  Description: Automated mechanisms exist to monitor the power levels of embedded technologies for decreased or excessive power usage, including battery drainage, to investigate for device tampering.
  Control question: Does the organization use automated mechanisms to monitor the power levels of embedded technologies for decreased or excessive power usage, including battery drainage, to investigate for device tampering?
  Weighting: 4 | Function: Detect | Flags: X

EMB-10  Embedded Technology Reviews
  Domain: Embedded Technology
  Description: Mechanisms exist to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented.
  Control question: Does the organization perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented?
  Weighting: 8 | Function: Identify | Flags: X X

EMB-11  Message Queuing Telemetry Transport (MQTT) Security
  Domain: Embedded Technology
  Description: Mechanisms exist to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.
  Control question: Does the organization enforce the security of Message Queuing Telemetry Transport (MQTT) traffic?
  Weighting: 7 | Function: Protect | Flags: X

EMB-12  Restrict Communications
  Domain: Embedded Technology
  Description: Mechanisms exist to require embedded technologies to initiate all communications and drop new, incoming communications.
  Control question: Does the organization require embedded technologies to initiate all communications and drop new, incoming communications?
  Weighting: 8 | Function: Protect | Flags: X

EMB-13  Authorized Communications
  Domain: Embedded Technology
  Description: Mechanisms exist to restrict embedded technologies to communicate only with authorized peers and service endpoints.
  Control question: Does the organization restrict embedded technologies to communicate only with authorized peers and service endpoints?
  Weighting: 8 | Function: Protect | Flags: X

EMB-14  Operating Environment Certification
  Domain: Embedded Technology
  Description: Mechanisms exist to determine if embedded technologies are certified for secure use in the proposed operating environment.
  Control question: Does the organization determine if embedded technologies are certified for secure use in the proposed operating environment?
  Weighting: 9 | Function: Identify | Flags: X X

EMB-15  Safety Assessment
  Domain: Embedded Technology
  Description: Mechanisms exist to evaluate the safety aspects of embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure.
  Control question: Does the organization evaluate the safety aspects of embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure?
  Weighting: 9 | Function: Identify | Flags: X X

EMB-16  Certificate-Based Authentication
  Domain: Embedded Technology
  Description: Mechanisms exist to enforce certificate-based authentication for embedded technologies (e.g., IoT, OT, etc.) and their supporting services.
  Control question: Does the organization enforce certificate-based authentication for embedded technologies (e.g., IoT, OT, etc.) and their supporting services?
  Weighting: 5 | Function: Protect | Flags: X

EMB-17  Chip-To-Cloud Security
  Domain: Embedded Technology
  Description: Mechanisms exist to implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP).
  Control question: Does the organization implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP)?
  Weighting: 6 | Function: Protect | Flags: X


EMB-18  Real-Time Operating System (RTOS) Security
  Domain: Embedded Technology
  Description: Mechanisms exist to ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS).
  Control question: Does the organization ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS)?
  Weighting: 5 | Function: Protect | Flags: X

EMB-19  Safe Operations
  Domain: Embedded Technology
  Description: Mechanisms exist to continuously validate autonomous systems that trigger an automatic state change when safe operation is no longer assured.
  Control question: Does the organization continuously validate autonomous systems that trigger an automatic state change when safe operation is no longer assured?
  Weighting: 9 | Function: Protect | Flags: X X

END-01  Endpoint Security
  Domain: Endpoint Security
  Description: Mechanisms exist to facilitate the implementation of endpoint security controls.
  Methods to comply:
    - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
    - Group Policy Objects (GPOs)
    - Antimalware technologies
    - Software firewalls
    - Host-based IDS/IPS technologies
    - NNT Change Tracker (https://www.newnettechnologies.com)
  Control question: Does the organization facilitate the implementation of endpoint security controls?
  Weighting: 10 | Function: Protect | Flags: X X X

END-02  Endpoint Protection Measures
  Domain: Endpoint Security
  Description: Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.
  Methods to comply:
    - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
    - NNT Change Tracker (https://www.newnettechnologies.com)
  Control question: Does the organization protect the confidentiality, integrity, availability and safety of endpoint devices?
  Weighting: 9 | Function: Protect | Flags: X X

END-03  Prohibit Installation Without Privileged Status
  Domain: Endpoint Security
  Description: Automated mechanisms exist to prohibit software installations without explicitly assigned privileged status.
  Methods to comply:
    - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
    - Removal of local admin rights
    - Privileged Account Management (PAM)
    - NNT Change Tracker (https://www.newnettechnologies.com)
  Control question: Does the organization use automated mechanisms to prohibit software installations without explicitly assigned privileged status?
  Weighting: 9 | Function: Protect | Flags: X X X

END-03.1  Software Installation Alerts
  Domain: Endpoint Security
  Description: Mechanisms exist to generate an alert when new software is detected.
  Methods to comply:
    - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
    - NNT Change Tracker (https://www.newnettechnologies.com)
  Control question: Does the organization generate an alert when new software is detected?
  Weighting: 8 | Function: Protect | Flags: X

END-03.2  Governing Access Restriction for Change
  Domain: Endpoint Security
  Description: Mechanisms exist to define, document, approve and enforce access restrictions associated with changes to systems.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Control question: Does the organization define, document, approve and enforce access restrictions associated with changes to systems?
  Weighting: 8 | Function: Protect | Flags: X X

END-04  Malicious Code Protection (Anti-Malware)
  Domain: Endpoint Security
  Description: Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.
  Methods to comply:
    - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
    - Antimalware software
    - NNT Change Tracker (https://www.newnettechnologies.com)
  Control question: Does the organization utilize antimalware technologies to detect and eradicate malicious code?
  Weighting: 10 | Function: Detect | Flags: X X

END-04.1  Automatic Antimalware Signature Updates
  Domain: Endpoint Security
  Description: Mechanisms exist to automatically update antimalware technologies, including signature definitions.
  Methods to comply: Antimalware software
  Control question: Does the organization automatically update antimalware technologies, including signature definitions?
  Weighting: 9 | Function: Protect | Flags: X X

END-04.2  Documented Protection Measures
  Domain: Endpoint Security
  Description: Mechanisms exist to document antimalware technologies.
  Control question: Does the organization document antimalware technologies?
  Weighting: 3 | Function: Identify | Flags: X

END-04.3  Centralized Management of Antimalware Technologies
  Domain: Endpoint Security
  Description: Mechanisms exist to centrally-manage antimalware technologies.
  Methods to comply: Antimalware software
  Control question: Does the organization centrally-manage antimalware technologies?
  ERL #: E-MON-02
  Weighting: 8 | Function: Detect | Flags: X X X

END-04.4  Heuristic / Nonsignature-Based Detection
  Domain: Endpoint Security
  Description: Mechanisms exist to utilize heuristic / nonsignature-based antimalware detection capabilities.
  Methods to comply: Antimalware software
  Control question: Does the organization utilize heuristic / nonsignature-based antimalware detection capabilities?
  Weighting: 8 | Function: Detect | Flags: X X

END-04.5  Malware Protection Mechanism Testing
  Domain: Endpoint Security
  Description: Mechanisms exist to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs.
  Methods to comply: EICAR test file
  Control question: Does the organization test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs?
  Weighting: 5 | Function: Detect | Flags: X X


Mechanisms exist to perform periodic evaluations evolving malware threats to assess systems that Does the organization perform periodic evaluations evolving malware threats to assess systems that
are generally not considered to be commonly affected by malicious software. are generally not considered to be commonly affected by malicious software?

Endpoint Security Evolving Malware Threats END-04.6 3 Detect X

Mechanisms exist to ensure that anti-malware technologies are continuously running in real-time - Antimalware software Does the organization ensure that anti-malware technologies are continuously running in real-time
and cannot be disabled or altered by non-privileged users, unless specifically authorized by and cannot be disabled or altered by non-privileged users, unless specifically authorized by
management on a case-by-case basis for a limited time period. management on a case-by-case basis for a limited time period?
Endpoint Security Always On Protection END-04.7 9 Detect X

Mechanisms exist to utilize host-based firewall software, or a similar technology, on all information - NNT Change Tracker Does the organization utilize host-based firewall software, or a similar technology, on all
systems, where technically feasible. (https://www.newnettechnologies.com) information systems, where technically feasible?

Endpoint Security Software Firewall END-05 9 Protect X

Mechanisms exist to utilize File Integrity Monitor (FIM) technology to detect and report - CimTrak Integrity Suite Does the organization utilize File Integrity Monitor (FIM) technology to detect and report
unauthorized changes to system files and configurations. (https://www.cimcor.com/cimtrak/) unauthorized changes to system files and configurations?
- NNT Change Tracker
Endpoint File Integrity (https://www.newnettechnologies.com)
Endpoint Security Monitoring (FIM) END-06 8 Protect X X
- File Integrity Monitor (FIM)

Mechanisms exist to validate configurations through integrity checking of software and firmware. - CimTrak Integrity Suite Does the organization validate configurations through integrity checking of software and firmware?
(https://www.cimcor.com/cimtrak/)
- NNT Change Tracker
Endpoint Security Integrity Checks END-06.1 (https://www.newnettechnologies.com) 6 Detect X
- File Integrity Monitor (FIM)

END-06.2 | Endpoint Security | Integration of Detection & Response | Weighting: 9 | Function: Respond | X
Control: Mechanisms exist to detect and respond to unauthorized configuration changes as cybersecurity incidents.
Possible solutions:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
- NNT Change Tracker (https://www.newnettechnologies.com)
- File Integrity Monitor (FIM)
Assessment question: Does the organization detect and respond to unauthorized configuration changes as cybersecurity incidents?

END-06.3 | Endpoint Security | Automated Notifications of Integrity Violations | Weighting: 5 | Function: Respond | X
Control: Automated mechanisms exist to alert incident response personnel upon discovering discrepancies during integrity verification.
Possible solutions:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Assessment question: Does the organization use automated mechanisms to alert incident response personnel upon discovering discrepancies during integrity verification?
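The detection, reporting and alerting that END-06 through END-06.3 describe reduce to a baseline-and-compare loop over the files and configurations in scope. The Python below is an added example written for this page, not code from the SCF or from CimTrak or NNT Change Tracker. The monitored directory, file names and tampering steps in demo() are constructed for the demonstration, and the one-JSON-object-per-line alert format is an assumed shape for whatever SIEM or ticketing hook the organization actually uses.

```python
"""File integrity monitoring: baseline, re-scan, diff, alert.

Added example for this page (not SCF or vendor code). The monitored tree,
file names and tampering steps in demo() are constructed; the JSON alert
line format is an assumed shape for a downstream SIEM or ticketing hook.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List

Baseline = Dict[str, dict]   # relative path -> {"sha256", "size", "mode"}


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Hash every regular file under root. Mode bits are recorded too: a
    config file becoming world-writable is a configuration change even
    when its bytes are untouched."""
    baseline: Baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                  # symlinks/devices: out of scope here
            baseline[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def compare(baseline: Baseline, current: Baseline) -> List[dict]:
    """One finding per deviation, with before/after values for the alert."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append({"path": rel, "change": "added", "new": new})
        elif new is None:
            findings.append({"path": rel, "change": "removed", "old": old})
        elif old != new:
            fields = [k for k in old if old[k] != new[k]]
            findings.append({"path": rel, "change": "modified",
                             "fields": fields, "old": old, "new": new})
    return findings


def alert_lines(findings: List[dict]) -> List[str]:
    """Serialize findings as one JSON object per line for the alert pipeline."""
    return [json.dumps(f, sort_keys=True) for f in findings]


def demo() -> List[dict]:
    """Constructed scenario: baseline three files, then tamper four ways
    (content edit, permission-only change, deletion, unexpected new file)."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name, body in [("sshd_config", "PermitRootLogin no\n"),
                           ("hosts", "127.0.0.1 localhost\n"),
                           ("motd", "welcome\n")]:
            with open(os.path.join(etc, name), "w") as f:
                f.write(body)
            os.chmod(os.path.join(etc, name), 0o644)
        baseline = build_baseline(root)

        with open(os.path.join(etc, "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        os.chmod(os.path.join(etc, "hosts"), 0o666)
        os.remove(os.path.join(etc, "motd"))
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for line in alert_lines(demo()):
        print(line)
```

Run compare() from a scheduled job or a filesystem-event hook, and keep the baseline on a store the monitored host cannot write to, re-signed on every approved change: a baseline that lives beside the files it protects can be rewritten by the same intrusion it is meant to catch, and END-06.2 expects the unauthorized change, not a silently refreshed baseline, to surface as an incident.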

END-06.4 | Endpoint Security | Automated Response to Integrity Violations | Weighting: 5 | Function: Respond | X
Control: Automated mechanisms exist to implement remediation actions when integrity violations are discovered.
Possible solutions:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Assessment question: Does the organization use automated mechanisms to implement remediation actions when integrity violations are discovered?

END-06.5 | Endpoint Security | Boot Process Integrity | Weighting: 5 | Function: Protect | X
Control: Automated mechanisms exist to verify the integrity of the boot process of information systems.
Assessment question: Does the organization use automated mechanisms to verify the integrity of the boot process of information systems?

END-06.6 | Endpoint Security | Protection of Boot Firmware | Weighting: 5 | Function: Protect | X
Control: Automated mechanisms exist to protect the integrity of boot firmware in information systems.
Assessment question: Does the organization use automated mechanisms to protect the integrity of boot firmware in information systems?

END-06.7 | Endpoint Security | Binary or Machine-Executable Code | Weighting: 5 | Function: Protect | X X
Control: Mechanisms exist to prohibit the use of binary or machine-executable code from sources with limited or no warranty and without access to source code.
Assessment question: Does the organization prohibit the use of binary or machine-executable code from sources with limited or no warranty and without access to source code?

END-07 | Endpoint Security | Host Intrusion Detection and Prevention Systems (HIDS / HIPS) | Weighting: 9 | Function: Protect | X X
Control: Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) on sensitive systems.
Possible solutions:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
- NNT Change Tracker (https://www.newnettechnologies.com)
- File Integrity Monitor (FIM)
Assessment question: Does the organization utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) on sensitive systems?

END-08 | Endpoint Security | Phishing & Spam Protection | Weighting: 10 | Function: Protect | X X
Control: Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.
Assessment question: Does the organization utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail?

55 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) 03/12/2024

END-08.1 | Endpoint Security | Central Management | Weighting: 5 | Function: Protect | X X X
Control: Mechanisms exist to centrally-manage anti-phishing and spam protection technologies.
Assessment question: Does the organization centrally-manage anti-phishing and spam protection technologies?

END-08.2 | Endpoint Security | Automatic Spam and Phishing Protection Updates | Weighting: 8 | Function: Protect | X
Control: Mechanisms exist to automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices.
Assessment question: Does the organization automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices?

END-09 | Endpoint Security | Trusted Path | Weighting: 9 | Function: Protect | X
Control: Mechanisms exist to establish a trusted communications path between the user and the security functions of the operating system.
Possible solutions:
- Active Directory (AD) Ctrl+Alt+Del login process
Assessment question: Does the organization establish a trusted communications path between the user and the security functions of the operating system?

END-10 | Endpoint Security | Mobile Code | Weighting: 4 | Function: Detect | X X
Control: Mechanisms exist to address mobile code / operating system-independent applications.
Assessment question: Does the organization address mobile code / operating system-independent applications?

END-11 | Endpoint Security | Thin Nodes | Weighting: 4 | Function: Protect | X X
Control: Mechanisms exist to configure thin nodes to have minimal functionality and information storage.
Assessment question: Does the organization configure thin nodes to have minimal functionality and information storage?

END-12 | Endpoint Security | Port & Input / Output (I/O) Device Access | Weighting: 6 | Function: Protect | X X
Control: Mechanisms exist to physically disable or remove unnecessary connection ports or input/output devices from sensitive systems.
Assessment question: Does the organization physically disable or remove unnecessary connection ports or input/output devices from sensitive systems?

END-13 | Endpoint Security | Sensor Capability | Weighting: 7 | Function: Protect | X X
Control: Mechanisms exist to configure embedded sensors on systems to:
▪ Prohibit the remote activation of sensing capabilities; and
▪ Provide an explicit indication of sensor use to users.
Assessment question: Does the organization configure embedded sensors on systems to:
▪ Prohibit the remote activation of sensing capabilities; and
▪ Provide an explicit indication of sensor use to users?

END-13.1 | Endpoint Security | Authorized Use | Weighting: 8 | Function: Protect | X
Control: Mechanisms exist to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes.
Assessment question: Does the organization utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes?

END-13.2 | Endpoint Security | Notice of Collection | Weighting: 6 | Function: Identify | X X
Control: Mechanisms exist to notify individuals that Personal Data (PD) is collected by sensors.
Possible solutions:
- Visible or auditory alert
- Data Protection Impact Assessment (DPIA)
Assessment question: Does the organization notify individuals that Personal Data (PD) is collected by sensors?

END-13.3 | Endpoint Security | Collection Minimization | Weighting: 8 | Function: Protect | X
Control: Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals.
Assessment question: Does the organization utilize sensors that are configured to minimize the collection of information about individuals?

END-13.4 | Endpoint Security | Embedded Technology Sensor Delivery Verification | Weighting: 4 | Function: Protect | X
Control: Mechanisms exist to verify embedded technology sensors are configured so that data collected by the sensor(s) is only reported to authorized individuals or roles.
Assessment question: Does the organization verify embedded technology sensors are configured so that data collected by the sensor(s) is only reported to authorized individuals or roles?

END-14 | Endpoint Security | Collaborative Computing Devices | Weighting: 9 | Function: Protect | X X
Control: Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices with the following exceptions:
▪ Networked whiteboards;
▪ Video teleconference cameras; and
▪ Teleconference microphones.
Possible solutions:
- Unplug devices when not needed
Assessment question: Does the organization unplug or prohibit the remote activation of collaborative computing devices with the following exceptions:
▪ Networked whiteboards;
▪ Video teleconference cameras; and
▪ Teleconference microphones?

END-14.1 | Endpoint Security | Disabling / Removal In Secure Work Areas | Weighting: 5 | Function: Protect | X X
Control: Mechanisms exist to disable or remove collaborative computing devices from critical information systems and secure work areas.
Assessment question: Does the organization disable or remove collaborative computing devices from critical information systems and secure work areas?


END-14.2 | Endpoint Security | Explicitly Indicate Current Participants | Weighting: 5 | Function: Protect | X X
Control: Automated mechanisms exist to provide an explicit indication of current participants in online meetings and teleconferences.
Assessment question: Does the organization use automated mechanisms to provide an explicit indication of current participants in online meetings and teleconferences?

END-15 | Endpoint Security | Hypervisor Access | Weighting: 9 | Function: Protect | X X
Control: Mechanisms exist to restrict access to hypervisor management functions or administrative consoles for systems hosting virtualized systems.
Assessment question: Does the organization restrict access to hypervisor management functions or administrative consoles for systems hosting virtualized systems?

END-16 | Endpoint Security | Restrict Access To Security Functions | Weighting: 7 | Function: Protect | X X
Control: Mechanisms exist to ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions.
Possible solutions:
- Windows Defender Device Guard
Assessment question: Does the organization ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions?

END-16.1 | Endpoint Security | Host-Based Security Function Isolation | Weighting: 7 | Function: Protect | X
Control: Mechanisms exist to implement underlying software separation mechanisms to facilitate security function isolation.
Possible solutions:
- Windows Defender Device Guard
Assessment question: Does the organization implement underlying software separation mechanisms to facilitate security function isolation?

HRS-01 | Human Resources Security | Human Resources Security Management | Weighting: 10 | Function: Protect | X X X
Control: Mechanisms exist to facilitate the implementation of personnel security controls.
Assessment question: Does the organization facilitate the implementation of personnel security controls?

HRS-02 | Human Resources Security | Position Categorization | Weighting: 8 | Function: Identify | X
Control: Mechanisms exist to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.
Evidence refs: E-HRS-01, E-HRS-02, E-HRS-03, E-HRS-04, E-HRS-11, E-HRS-22
Assessment question: Does the organization manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions?

HRS-02.1 | Human Resources Security | Users With Elevated Privileges | Weighting: 10 | Function: Identify | X
Control: Mechanisms exist to ensure that every user accessing a system that processes, stores, or transmits sensitive information is cleared and regularly trained to handle the information in question.
Evidence refs: E-HRS-02, E-HRS-03, E-HRS-04, E-HRS-11, E-HRS-22
Assessment question: Does the organization ensure that every user accessing a system that processes, stores, or transmits sensitive information is cleared and regularly trained to handle the information in question?

HRS-02.2 | Human Resources Security | Probationary Periods | Weighting: 1 | Function: Detect | X
Control: Mechanisms exist to identify newly onboarded personnel for enhanced monitoring during their probationary period.
Assessment question: Does the organization identify newly onboarded personnel for enhanced monitoring during their probationary period?

HRS-03 | Human Resources Security | Roles & Responsibilities | Weighting: 10 | Function: Identify | X X
Control: Mechanisms exist to define cybersecurity responsibilities for all personnel.
Possible solutions:
- NIST NICE framework
- RACI diagram
Evidence refs: E-HRS-01, E-HRS-02, E-HRS-03, E-HRS-04, E-HRS-11, E-HRS-13, E-HRS-18, E-HRS-22
Assessment question: Does the organization define cybersecurity responsibilities for all personnel?

HRS-03.1 | Human Resources Security | User Awareness | Weighting: 9 | Function: Identify | X
Control: Mechanisms exist to communicate with users about their roles and responsibilities to maintain a safe and secure working environment.
Evidence refs: E-HRS-01, E-HRS-13, E-HRS-16, E-HRS-18
Assessment question: Does the organization communicate with users about their roles and responsibilities to maintain a safe and secure working environment?

HRS-03.2 | Human Resources Security | Competency Requirements for Security-Related Positions | Weighting: 9 | Function: Identify | X
Control: Mechanisms exist to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set.
Evidence refs: E-HRS-21, E-HRS-23
Assessment question: Does the organization ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set?

HRS-04 | Human Resources Security | Personnel Screening | Weighting: 10 | Function: Identify | X X
Control: Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.
Possible solutions:
- Criminal, education and employment background checks
Evidence refs: E-HRS-17, E-HRS-21
Assessment question: Does the organization manage personnel security risk by screening individuals prior to authorizing access?

HRS-04.1 | Human Resources Security | Roles With Special Protection Measures | Weighting: 9 | Function: Identify | X
Control: Mechanisms exist to ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria.
Possible solutions:
- Security clearances for classified information
Evidence refs: E-HRS-17, E-HRS-21
Assessment question: Does the organization ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria?


HRS-04.2 | Human Resources Security | Formal Indoctrination | Weighting: 7 | Function: Identify | X
Control: Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information are formally indoctrinated for all the relevant types of information to which they have access on the system.
Evidence refs: E-HRS-18
Assessment question: Does the organization verify that individuals accessing a system processing, storing, or transmitting sensitive information are formally indoctrinated for all the relevant types of information to which they have access on the system?

HRS-04.3 | Human Resources Security | Citizenship Requirements | Weighting: 5 | Function: Identify | X
Control: Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship.
Assessment question: Does the organization verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship?

HRS-04.4 | Human Resources Security | Citizenship Identification | Weighting: 3 | Function: Identify | X X
Control: Mechanisms exist to identify foreign nationals, including by their specific citizenship.
Assessment question: Does the organization identify foreign nationals, including by their specific citizenship?

HRS-05 | Human Resources Security | Terms of Employment | Weighting: 10 | Function: Identify | X
Control: Mechanisms exist to require all employees and contractors to apply cybersecurity & data privacy principles in their daily work.
Possible solutions:
- Acceptable Use Policy (AUP)
- Rules of behavior
Evidence refs: E-HRS-16, E-HRS-22
Assessment question: Does the organization require all employees and contractors to apply cybersecurity & data privacy principles in their daily work?

HRS-05.1 | Human Resources Security | Rules of Behavior | Weighting: 10 | Function: Identify | X X X
Control: Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.
Possible solutions:
- Acceptable Use Policy (AUP)
- Rules of behavior
Evidence refs: E-HRS-22
Assessment question: Does the organization define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior?

HRS-05.2 | Human Resources Security | Social Media & Social Networking Restrictions | Weighting: 9 | Function: Identify | X X
Control: Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.
Possible solutions:
- Acceptable Use Policy (AUP)
- Rules of behavior
Evidence refs: E-HRS-22
Assessment question: Does the organization define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information?

HRS-05.3 | Human Resources Security | Use of Communications Technology | Weighting: 10 | Function: Identify | X X
Control: Mechanisms exist to establish usage restrictions and implementation guidance for communications technologies based on the potential to cause damage to systems, if used maliciously.
Possible solutions:
- Acceptable Use Policy (AUP)
- Rules of behavior
Evidence refs: E-HRS-22
Assessment question: Does the organization establish usage restrictions and implementation guidance for communications technologies based on the potential to cause damage to systems, if used maliciously?

HRS-05.4 | Human Resources Security | Use of Critical Technologies | Weighting: 9 | Function: Identify | X X
Control: Mechanisms exist to govern usage policies for critical technologies.
Evidence refs: E-HRS-22
Assessment question: Does the organization govern usage policies for critical technologies?

HRS-05.5 | Human Resources Security | Use of Mobile Devices | Weighting: 9 | Function: Identify | X X
Control: Mechanisms exist to manage business risks associated with permitting mobile device access to organizational resources.
Possible solutions:
- Acceptable Use Policy (AUP)
- Rules of behavior
- BYOD policy
Evidence refs: E-HRS-22
Assessment question: Does the organization manage business risks associated with permitting mobile device access to organizational resources?

HRS-05.6 | Human Resources Security | Security-Minded Dress Code | Weighting: 1 | Function: Protect | X
Control: Mechanisms exist to prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) to prevent the unauthorized exfiltration of data and technology assets.
Assessment question: Does the organization prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) to prevent the unauthorized exfiltration of data and technology assets?

HRS-05.7 | Human Resources Security | Policy Familiarization & Acknowledgement | Weighting: 8 | Function: Identify | X
Control: Mechanisms exist to ensure personnel receive recurring familiarization with the organization’s cybersecurity & data privacy policies and provide acknowledgement.
Evidence refs: E-HRS-18, E-SAT-02, E-SAT-04
Assessment question: Does the organization ensure personnel receive recurring familiarization with the organization’s cybersecurity & data privacy policies and provide acknowledgement?

HRS-06 | Human Resources Security | Access Agreements | Weighting: 10 | Function: Identify | X X
Control: Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access.
Evidence refs: E-HRS-16
Assessment question: Does the organization require internal and third-party users to sign appropriate access agreements prior to being granted access?

HRS-06.1 | Human Resources Security | Confidentiality Agreements | Weighting: 10 | Function: Identify | X X
Control: Mechanisms exist to require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, for both employees and third-parties.
Possible solutions:
- Non-Disclosure Agreements (NDAs)
Evidence refs: E-HRS-20
Assessment question: Does the organization require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, for both employees and third-parties?


HRS-06.2 | Human Resources Security | Post-Employment Obligations | Weighting: 5 | Function: Protect | X
Control: Mechanisms exist to notify terminated individuals of applicable, legally-binding post-employment requirements for the protection of sensitive organizational information.
Evidence refs: E-HRS-19
Assessment question: Does the organization notify terminated individuals of applicable, legally-binding post-employment requirements for the protection of sensitive organizational information?

HRS-07 | Human Resources Security | Personnel Sanctions | Weighting: 9 | Function: Respond | X X
Control: Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures.
Assessment question: Does the organization sanction personnel failing to comply with established security policies, standards and procedures?

HRS-07.1 | Human Resources Security | Workplace Investigations | Weighting: 8 | Function: Respond | X X
Control: Mechanisms exist to conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated.
Assessment question: Does the organization conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated?

HRS-08 | Human Resources Security | Personnel Transfer | Weighting: 9 | Function: Identify | X
Control: Mechanisms exist to adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner.
Assessment question: Does the organization adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner?

HRS-09 | Human Resources Security | Personnel Termination | Weighting: 9 | Function: Protect | X
Control: Mechanisms exist to govern the termination of individual employment.
Evidence refs: E-HRS-19
Assessment question: Does the organization govern the termination of individual employment?

HRS-09.1 | Human Resources Security | Asset Collection | Weighting: 9 | Function: Protect | X
Control: Mechanisms exist to retrieve organization-owned assets upon termination of an individual's employment.
Evidence refs: E-HRS-19
Assessment question: Does the organization retrieve organization-owned assets upon termination of an individual's employment?

HRS-09.2 | Human Resources Security | High-Risk Terminations | Weighting: 9 | Function: Protect | X X
Control: Mechanisms exist to expedite the process of removing "high risk" individuals' access to systems and applications upon termination, as determined by management.
Evidence refs: E-HRS-19
Assessment question: Does the organization expedite the process of removing "high risk" individuals' access to systems and applications upon termination, as determined by management?

HRS-09.3 | Human Resources Security | Post-Employment Requirements | Weighting: 8 | Function: Protect | X
Control: Mechanisms exist to govern former employee behavior by notifying terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.
Possible solutions:
- Non-Disclosure Agreements (NDAs)
Evidence refs: E-HRS-19
Assessment question: Does the organization govern former employee behavior by notifying terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information?

HRS-09.4 | Human Resources Security | Automated Employment Status Notifications | Weighting: 5 | Function: Protect | X X
Control: Automated mechanisms exist to notify Identity and Access Management (IAM) personnel or roles upon termination of an individual's employment or contract.
Assessment question: Does the organization use automated mechanisms to notify Identity and Access Management (IAM) personnel or roles upon termination of an individual's employment or contract?

HRS-10 | Human Resources Security | Third-Party Personnel Security | Weighting: 10 | Function: Identify | X
Control: Mechanisms exist to govern third-party personnel by reviewing and monitoring third-party cybersecurity & data privacy roles and responsibilities.
Possible solutions:
- Independent background check service
Evidence refs: E-HRS-16, E-HRS-18, E-HRS-22
Assessment question: Does the organization govern third-party personnel by reviewing and monitoring third-party cybersecurity & data privacy roles and responsibilities?

HRS-11 | Human Resources Security | Separation of Duties (SoD) | Weighting: 7 | Function: Protect | X X
Control: Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.
Evidence refs: E-HRS-25
Assessment question: Does the organization implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion?

HRS-12 | Human Resources Security | Incompatible Roles | Weighting: 8 | Function: Protect | X
Control: Mechanisms exist to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment.
Evidence refs: E-HRS-25
Assessment question: Does the organization avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment?

HRS-12.1 | Human Resources Security | Two-Person Rule | Weighting: 7 | Function: Protect | X
Control: Mechanisms exist to enforce a two-person rule for implementing changes to sensitive systems.
Assessment question: Does the organization enforce a two-person rule for implementing changes to sensitive systems?


HRS-13 | Human Resources Security | Identify Critical Skills & Gaps | Weighting: 5 | Function: Protect | X X
Control: Mechanisms exist to evaluate the critical cybersecurity & data privacy skills needed to support the organization’s mission and identify gaps that exist.
Evidence refs: E-HRS-23, E-HRS-24
Assessment question: Does the organization evaluate the critical cybersecurity & data privacy skills needed to support the organization’s mission and identify gaps that exist?

HRS-13.1 | Human Resources Security | Remediate Identified Skills Deficiencies | Weighting: 5 | Function: Protect | X X
Control: Mechanisms exist to remediate critical skills deficiencies necessary to support the organization’s mission and business functions.
Evidence refs: E-HRS-24
Assessment question: Does the organization remediate critical skills deficiencies necessary to support the organization’s mission and business functions?

HRS-13.2 | Human Resources Security | Identify Vital Cybersecurity & Data Privacy Staff | Weighting: 5 | Function: Protect | X X
Control: Mechanisms exist to identify vital cybersecurity & data privacy staff.
Evidence refs: E-HRS-26
Assessment question: Does the organization identify vital cybersecurity & data privacy staff?

HRS-13.3 | Human Resources Security | Establish Redundancy for Vital Cybersecurity & Data Privacy Staff | Weighting: 5 | Function: Protect | X X
Control: Mechanisms exist to establish redundancy for vital cybersecurity & data privacy staff.
Assessment question: Does the organization establish redundancy for vital cybersecurity & data privacy staff?

HRS-13.4 | Human Resources Security | Perform Succession Planning | Weighting: 5 | Function: Protect | X X
Control: Mechanisms exist to perform succession planning for vital cybersecurity & data privacy roles.
Assessment question: Does the organization perform succession planning for vital cybersecurity & data privacy roles?

IAC-01 | Identification & Authentication | Identity & Access Management (IAM) | Weighting: 10 | Function: Protect | X X X
Control: Mechanisms exist to facilitate the implementation of identification and access management controls.
Assessment question: Does the organization facilitate the implementation of identification and access management controls?

IAC-01.1 | Identification & Authentication | Retain Access Records | Weighting: 3 | Function: Protect | X
Control: Mechanisms exist to retain a record of personnel accountability to ensure there is a record of all access granted to an individual (system and application-wise), who provided the authorization, when the authorization was granted and when the access was last reviewed.
Assessment question: Does the organization retain a record of personnel accountability to ensure there is a record of all access granted to an individual (system and application-wise), who provided the authorization, when the authorization was granted and when the access was last reviewed?

IAC-01.2 | Identification & Authentication | Authenticate, Authorize and Audit (AAA) | Weighting: 9 | Function: Protect | X X
Control: Mechanisms exist to strictly govern the use of Authenticate, Authorize and Audit (AAA) solutions, both on-premises and those hosted by an External Service Provider (ESP).
Assessment question: Does the organization strictly govern the use of Authenticate, Authorize and Audit (AAA) solutions, both on-premises and those hosted by an External Service Provider (ESP)?

IAC-02 | Identification & Authentication | Identification & Authentication for Organizational Users | Weighting: 9 | Function: Protect | X X X
Control: Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.
Assessment question: Does the organization uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users?

IAC-02.1 | Identification & Authentication | Group Authentication | Weighting: 7 | Function: Protect | X X
Control: Mechanisms exist to require individuals to be authenticated with an individual authenticator when a group authenticator is utilized.
Assessment question: Does the organization require individuals to be authenticated with an individual authenticator when a group authenticator is utilized?

IAC-02.2 | Identification & Authentication | Replay-Resistant Authentication | Weighting: 9 | Function: Protect | X X
Control: Automated mechanisms exist to employ replay-resistant authentication.
Assessment question: Does the organization use automated mechanisms to employ replay-resistant authentication?

IAC-02.3 | Identification & Authentication | Acceptance of PIV Credentials | Weighting: 2 | Function: Protect | X X
Control: Mechanisms exist to accept and electronically verify organizational Personal Identity Verification (PIV) credentials.
Possible solutions:
- Personal Identity Verification (PIV) credentials
Assessment question: Does the organization accept and electronically verify organizational Personal Identity Verification (PIV) credentials?

IAC-02.4 | Identification & Authentication | Out-of-Band Authentication (OOBA) | Weighting: 5 | Function: Protect | X X
Control: Mechanisms exist to implement Out-of-Band Authentication (OOBA) under specific conditions.
Assessment question: Does the organization implement Out-of-Band Authentication (OOBA) under specific conditions?


IAC-03 | Identification & Authentication | Identification & Authentication for Non-Organizational Users | Weighting: 9 | Function: Protect | X X
Control: Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization.
Assessment question: Does the organization uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization?

IAC-03.1 | Identification & Authentication | Acceptance of PIV Credentials from Other Organizations | Weighting: 2 | Function: Protect | X X
Control: Mechanisms exist to accept and electronically verify Personal Identity Verification (PIV) credentials from third-parties.
Assessment question: Does the organization accept and electronically verify Personal Identity Verification (PIV) credentials from third-parties?

IAC-03.2 | Identification & Authentication | Acceptance of Third-Party Credentials | Weighting: 2 | Function: Protect | X X
Control: Automated mechanisms exist to accept Federal Identity, Credential and Access Management (FICAM)-approved third-party credentials.
Assessment question: Does the organization use automated mechanisms to accept Federal Identity, Credential and Access Management (FICAM)-approved third-party credentials?

IAC-03.3 | Identification & Authentication | Use of FICAM-Issued Profiles | Weighting: 2 | Function: Protect | X X
Control: Mechanisms exist to conform systems to Federal Identity, Credential and Access Management (FICAM)-issued profiles.
Assessment question: Does the organization conform systems to Federal Identity, Credential and Access Management (FICAM)-issued profiles?

IAC-03.4 | Identification & Authentication | Disassociability | Weighting: 2 | Function: Protect | X X
Control: Mechanisms exist to disassociate user attributes or credential assertion relationships among individuals, credential service providers and relying parties.
Assessment question: Does the organization disassociate user attributes or credential assertion relationships among individuals, credential service providers and relying parties?

IAC-03.5 | Identification & Authentication | Acceptance of External Authenticators | Weighting: 4 | Function: Protect | X X
Control: Mechanisms exist to restrict the use of external authenticators to those that are National Institute of Standards and Technology (NIST)-compliant and maintain a list of accepted external authenticators.
Assessment question: Does the organization restrict the use of external authenticators to those that are National Institute of Standards and Technology (NIST)-compliant and maintain a list of accepted external authenticators?

IAC-04 | Identification & Authentication | Identification & Authentication for Devices | Weighting: 9 | Function: Protect | X X X
Control: Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) devices before establishing a connection using bidirectional authentication that is cryptographically-based and replay resistant.
Possible solutions:
- Active Directory (AD) Kerberos
Assessment question: Does the organization uniquely identify and centrally Authenticate, Authorize and Audit (AAA) devices before establishing a connection using bidirectional authentication that is cryptographically-based and replay resistant?
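IAC-02.2 asks for replay-resistant authentication, and IAC-04 asks for device authentication that is bidirectional, cryptographically based and replay resistant. The page names Active Directory Kerberos as one way to meet IAC-04; the Python below is an added example of the underlying idea (a nonce-bound challenge-response over a shared key) written for this page, not the SCF's code and not an implementation of Kerberos. Each side proves possession of the key by MACing a transcript that includes a fresh nonce chosen by the other side, and the verifier consumes each challenge nonce once, so a recorded response cannot be replayed. The server and device names and the key are constructed for the demo.

```python
"""Mutual, replay-resistant challenge-response over a pre-shared key.

Added example for this page (not SCF code, not Kerberos). Messages:
  1. server -> device : Ns                      (server nonce)
  2. device -> server : Nd, MAC(K, "device-proof", D, S, Ns, Nd)
  3. server -> device :     MAC(K, "server-proof", S, D, Ns, Nd)
Device and server names and the key in make_parties() are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so two different field
    sequences can never serialize to the same byte string."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()


class Server:
    """Verifier. Each challenge nonce is single-use: once consumed, a
    recorded response bound to it is worthless."""

    def __init__(self, name: bytes, device_keys: Dict[bytes, bytes]):
        self.name = name
        self.device_keys = device_keys
        self.pending: Dict[bytes, bytes] = {}

    def challenge(self, device: bytes) -> bytes:                 # message 1
        ns = os.urandom(16)
        self.pending[device] = ns
        return ns

    def verify(self, device: bytes, nd: bytes, tag: bytes) -> Optional[bytes]:
        """Check message 2; on success return message 3 (the server's proof)."""
        ns = self.pending.pop(device, None)                      # consume nonce
        key = self.device_keys.get(device)
        if ns is None or key is None:
            return None
        expected = _mac(key, b"device-proof", device, self.name, ns, nd)
        if not hmac.compare_digest(expected, tag):
            return None
        return _mac(key, b"server-proof", self.name, device, ns, nd)


class Device:
    """Claimant; also verifies the server, which makes the exchange mutual."""

    def __init__(self, name: bytes, key: bytes, server_name: bytes):
        self.name, self.key, self.server_name = name, key, server_name
        self.ns = self.nd = b""

    def respond(self, ns: bytes) -> Tuple[bytes, bytes]:         # message 2
        self.ns, self.nd = ns, os.urandom(16)
        tag = _mac(self.key, b"device-proof", self.name, self.server_name, ns, self.nd)
        return self.nd, tag

    def verify_server(self, tag: Optional[bytes]) -> bool:       # checks message 3
        if tag is None:
            return False
        expected = _mac(self.key, b"server-proof", self.server_name, self.name,
                        self.ns, self.nd)
        return hmac.compare_digest(expected, tag)


def run_handshake(server: Server, device: Device) -> bool:
    ns = server.challenge(device.name)
    nd, tag = device.respond(ns)
    return device.verify_server(server.verify(device.name, nd, tag))


def replayed_response_rejected(server: Server, device: Device) -> bool:
    """An eavesdropper records message 2 from a good session and replays it
    against the next challenge; the recorded tag is bound to the old Ns."""
    ns = server.challenge(device.name)
    nd, tag = device.respond(ns)
    server.verify(device.name, nd, tag)          # legitimate session completes
    server.challenge(device.name)                # new session, fresh Ns
    return server.verify(device.name, nd, tag) is None


def wrong_key_rejected(server: Server, device_name: bytes) -> bool:
    impostor = Device(device_name, os.urandom(32), server.name)
    return run_handshake(server, impostor) is False


def make_parties() -> Tuple[Server, Device]:
    """Constructed demo parties: hypothetical names and a random shared key."""
    key = os.urandom(32)
    server = Server(b"auth.example.test", {b"laptop-0042": key})
    return server, Device(b"laptop-0042", key, b"auth.example.test")
```

The replay resistance comes from freshness, not from the MAC alone: the server binds its proof to the device's nonce and the device binds its proof to the server's nonce, and the server discards each challenge after one use. A real deployment would additionally give pending challenges a short expiry and store per-device keys in a protected store.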

IAC-04.1 | Identification & Authentication | Device Attestation | Weighting: 5 | Function: Protect | X X
Control: Mechanisms exist to ensure device identification and authentication is accurate by centrally-managing the joining of systems to the domain as part of the initial asset configuration management process.
Assessment question: Does the organization ensure device identification and authentication is accurate by centrally-managing the joining of systems to the domain as part of the initial asset configuration management process?

IAC-05 | Identification & Authentication | Identification & Authentication for Third Party Systems & Services | Weighting: 9 | Function: Protect | X X
Control: Mechanisms exist to identify and authenticate third-party systems and services.
Assessment question: Does the organization identify and authenticate third-party systems and services?

IAC-05.1 | Identification & Authentication | Sharing Identification & Authentication Information | Weighting: 5 | Function: Protect | X X
Control: Mechanisms exist to ensure external service providers provide current and accurate information for any third-party user with access to the organization's data or assets.
Assessment question: Does the organization ensure external service providers provide current and accurate information for any third-party user with access to the organization's data or assets?

Mechanisms exist to prohibit privileged access by non-organizational users. Does the organization prohibit privileged access by non-organizational users?

Identification & Privileged Access by Non- IAC-05.2 9 Protect


Authentication Organizational Users

Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for: - Multi-Factor Authentication (MFA) Does the organization use automated mechanisms to enforce Multi-Factor Authentication (MFA)
▪ Remote network access; - Microsoft Active Directory (AD) Certificate Services for:
▪ Third-party systems, applications and/or services; and/ or - Yubico (https://www.yubico.com) ▪ Remote network access;
Identification & Multi-Factor Authentication ▪ Non-console access to critical systems or systems that store, transmit and/or process - Duo (https://www.duo.com) ▪ Third-party systems, applications and/or services; and/ or
Authentication (MFA) IAC-06 9 Protect X X
sensitive/regulated data. ▪ Non-console access to critical systems or systems that store, transmit and/or process
sensitive/regulated data?

Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for - Multi-Factor Authentication (MFA) Does the organization utilize Multi-Factor Authentication (MFA) to authenticate network access for
privileged accounts. - Microsoft Active Directory (AD) Certificate Services privileged accounts?
- Yubico (https://www.yubico.com)
Identification & Network Access to Privileged - Duo (https://www.duo.com)
Authentication Accounts IAC-06.1 9 Protect X X

61 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) 03/12/2024

Identification & Authentication | Network Access to Non-Privileged Accounts | IAC-06.2 | 7 | Protect | X X
Control: Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for non-privileged accounts.
Methods: - Multi-Factor Authentication (MFA)
- Microsoft Active Directory (AD) Certificate Services
- Yubico (https://www.yubico.com)
- Duo (https://www.duo.com)
Question: Does the organization utilize Multi-Factor Authentication (MFA) to authenticate network access for non-privileged accounts?

Identification & Authentication | Local Access to Privileged Accounts | IAC-06.3 | 5 | Protect | X X
Control: Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate local access for privileged accounts.
Methods: - Multi-Factor Authentication (MFA)
- Microsoft Active Directory (AD) Certificate Services
- Yubico (https://www.yubico.com)
- Duo (https://www.duo.com)
Question: Does the organization utilize Multi-Factor Authentication (MFA) to authenticate local access for privileged accounts?

Identification & Authentication | Out-of-Band Multi-Factor Authentication | IAC-06.4 | 5 | Protect | X X
Control: Mechanisms exist to implement Multi-Factor Authentication (MFA) for remote access to privileged and non-privileged accounts such that one of the factors is securely provided by a device separate from the system gaining access.
Question: Does the organization implement Multi-Factor Authentication (MFA) for remote access to privileged and non-privileged accounts such that one of the factors is securely provided by a device separate from the system gaining access?

Identification & Authentication | User Provisioning & De-Provisioning | IAC-07 | E-HRS-12, E-HRS-18, E-HRS-19 | 10 | Protect | X X
Control: Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.
Question: Does the organization utilize a formal user registration and de-registration process that governs the assignment of access rights?

Identification & Authentication | Change of Roles & Duties | IAC-07.1 | E-HRS-12, E-HRS-19 | 10 | Protect | X
Control: Mechanisms exist to revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted.
Question: Does the organization revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted?

Identification & Authentication | Termination of Employment | IAC-07.2 | E-HRS-19 | 10 | Protect | X X
Control: Mechanisms exist to revoke user access rights in a timely manner, upon termination of employment or contract.
Question: Does the organization revoke user access rights in a timely manner, upon termination of employment or contract?

Identification & Authentication | Role-Based Access Control (RBAC) | IAC-08 | E-HRS-12, E-IAM-02 | 9 | Protect | X X
Control: Mechanisms exist to enforce a Role-Based Access Control (RBAC) policy over users and resources that applies need-to-know and fine-grained access control for sensitive/regulated data access.
Methods: - Role-Based Access Control (RBAC)
Question: Does the organization enforce a Role-Based Access Control (RBAC) policy over users and resources that applies need-to-know and fine-grained access control for sensitive/regulated data access?

Identification & Authentication | Identifier Management (User Names) | IAC-09 | 9 | Protect | X X
Control: Mechanisms exist to govern naming standards for usernames and systems.
Question: Does the organization govern naming standards for usernames and systems?

Identification & Authentication | User Identity (ID) Management | IAC-09.1 | 9 | Protect | X X
Control: Mechanisms exist to ensure proper user identification management for non-consumer users and administrators.
Question: Does the organization ensure proper user identification management for non-consumer users and administrators?

Identification & Authentication | Identity User Status | IAC-09.2 | 7 | Protect | X X
Control: Mechanisms exist to identify contractors and other third-party users through unique username characteristics.
Question: Does the organization identify contractors and other third-party users through unique username characteristics?

Identification & Authentication | Dynamic Management | IAC-09.3 | 5 | Protect | X X
Control: Mechanisms exist to dynamically manage usernames and system identifiers.
Methods: - Microsoft Active Directory (AD)
Question: Does the organization dynamically manage usernames and system identifiers?

Identification & Authentication | Cross-Organization Management | IAC-09.4 | 5 | Protect | X X X
Control: Mechanisms exist to coordinate username identifiers with external organizations for cross-organization management of identifiers.
Question: Does the organization coordinate username identifiers with external organizations for cross-organization management of identifiers?

Identification & Authentication | Privileged Account Identifiers | IAC-09.5 | 9 | Protect | X X
Control: Mechanisms exist to uniquely manage privileged accounts to identify the account as a privileged user or service.
Question: Does the organization uniquely manage privileged accounts to identify the account as a privileged user or service?

Identification & Authentication | Pairwise Pseudonymous Identifiers (PPID) | IAC-09.6 | 1 | Protect | X X
Control: Mechanisms exist to generate pairwise pseudonymous identifiers with no identifying information about a data subject to discourage activity tracking and profiling of the data subject.
Question: Does the organization generate pairwise pseudonymous identifiers with no identifying information about a data subject to discourage activity tracking and profiling of the data subject?

Identification & Authentication | Authenticator Management | IAC-10 | 10 | Protect | X X
Control: Mechanisms exist to securely manage authenticators for users and devices.
Question: Does the organization securely manage authenticators for users and devices?

Identification & Authentication | Password-Based Authentication | IAC-10.1 | 9 | Protect | X
Control: Mechanisms exist to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication.
Question: Does the organization enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication?

Identification & Authentication | PKI-Based Authentication | IAC-10.2 | 9 | Protect | X
Control: Automated mechanisms exist to validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information, for PKI-based authentication.
Question: Does the organization use automated mechanisms to validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information, for PKI-based authentication?

Identification & Authentication | In-Person or Trusted Third-Party Registration | IAC-10.3 | 9 | Protect | X
Control: Mechanisms exist to conduct in-person or trusted third-party identity verification before user accounts for third-parties are created.
Question: Does the organization conduct in-person or trusted third-party identity verification before user accounts for third-parties are created?

Identification & Authentication | Automated Support For Password Strength | IAC-10.4 | 5 | Protect | X
Control: Automated mechanisms exist to determine if password authenticators are sufficiently strong to satisfy organization-defined password length and complexity requirements.
Question: Does the organization use automated mechanisms to determine if password authenticators are sufficiently strong to satisfy organization-defined password length and complexity requirements?

Identification & Authentication | Protection of Authenticators | IAC-10.5 | 10 | Protect | X X
Control: Mechanisms exist to protect authenticators commensurate with the sensitivity of the information to which use of the authenticator permits access.
Question: Does the organization protect authenticators commensurate with the sensitivity of the information to which use of the authenticator permits access?

Identification & Authentication | No Embedded Unencrypted Static Authenticators | IAC-10.6 | 10 | Protect | X
Control: Mechanisms exist to ensure that unencrypted, static authenticators are not embedded in applications, scripts or stored on function keys.
Question: Does the organization ensure that unencrypted, static authenticators are not embedded in applications, scripts or stored on function keys?

Identification & Authentication | Hardware Token-Based Authentication | IAC-10.7 | 9 | Protect | X
Control: Automated mechanisms exist to ensure organization-defined token quality requirements are satisfied for hardware token-based authentication.
Methods: - Tokens are sufficiently encrypted or do not reveal credentials or passwords within the token.
Question: Does the organization use automated mechanisms to ensure organization-defined token quality requirements are satisfied for hardware token-based authentication?

Identification & Authentication | Vendor-Supplied Defaults | IAC-10.8 | 10 | Protect | X X
Control: Mechanisms exist to ensure vendor-supplied defaults are changed as part of the installation process.
Methods: - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
- NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization ensure vendor-supplied defaults are changed as part of the installation process?

Identification & Authentication | Multiple Information System Accounts | IAC-10.9 | 5 | Protect | X
Control: Mechanisms exist to implement security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems.
Question: Does the organization implement security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems?

Identification & Authentication | Expiration of Cached Authenticators | IAC-10.10 | 5 | Protect | X
Control: Automated mechanisms exist to prohibit the use of cached authenticators after an organization-defined time period.
Question: Does the organization use automated mechanisms to prohibit the use of cached authenticators after an organization-defined time period?

Identification & Authentication | Password Managers | IAC-10.11 | 8 | Protect | X
Control: Mechanisms exist to protect and store passwords via a password manager tool.
Question: Does the organization protect and store passwords via a password manager tool?

Identification & Authentication | Biometric Authentication | IAC-10.12 | 5 | Protect | X X
Control: Mechanisms exist to ensure biometric-based authentication satisfies organization-defined biometric quality requirements for false positives and false negatives.
Question: Does the organization ensure biometric-based authentication satisfies organization-defined biometric quality requirements for false positives and false negatives?

Identification & Authentication | Authenticator Feedback | IAC-11 | 6 | Protect | X
Control: Mechanisms exist to obscure the feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Question: Does the organization obscure the feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals?

Identification & Authentication | Cryptographic Module Authentication | IAC-12 | 8 | Protect | X
Control: Mechanisms exist to ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength.
Methods: - FIPS 140-2
Question: Does the organization ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength?

Identification & Authentication | Hardware Security Modules (HSM) | IAC-12.1 | 3 | Protect | X
Control: Automated mechanisms exist to utilize Hardware Security Modules (HSM) to protect authenticators on which the component relies.
Question: Does the organization use automated mechanisms to utilize Hardware Security Modules (HSM) to protect authenticators on which the component relies?

Identification & Authentication | Adaptive Identification & Authentication | IAC-13 | 5 | Protect | X
Control: Mechanisms exist to allow individuals to utilize alternative methods of authentication under specific circumstances or situations.
Question: Does the organization allow individuals to utilize alternative methods of authentication under specific circumstances or situations?

Identification & Authentication | Single Sign-On (SSO) | IAC-13.1 | 5 | Protect | X
Control: Mechanisms exist to provide a Single Sign-On (SSO) capability to the organization's systems and services.
Question: Does the organization provide a Single Sign-On (SSO) capability to the organization's systems and services?

Identification & Authentication | Federated Credential Management | IAC-13.2 | 4 | Protect | X
Control: Mechanisms exist to federate credentials to allow cross-organization authentication of individuals and devices.
Question: Does the organization federate credentials to allow cross-organization authentication of individuals and devices?

Identification & Authentication | Re-Authentication | IAC-14 | 8 | Protect | X
Control: Mechanisms exist to force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication.
Question: Does the organization force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication?

Identification & Authentication | Account Management | IAC-15 | 10 | Protect | X X
Control: Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.
Methods: - Service accounts prohibit interactive login - users cannot log into systems with those accounts.
Question: Does the organization proactively govern account management of individual, group, system, service, application, guest and temporary accounts?

Identification & Authentication | Automated System Account Management (Directory Services) | IAC-15.1 | 5 | Protect | X
Control: Automated mechanisms exist to support the management of system accounts (e.g., directory services).
Methods: - Service accounts prohibit interactive login - users cannot log into systems with those accounts.
Question: Does the organization use automated mechanisms to support the management of system accounts?

Identification & Authentication | Removal of Temporary / Emergency Accounts | IAC-15.2 | 9 | Protect | X
Control: Automated mechanisms exist to disable or remove temporary and emergency accounts after an organization-defined time period for each type of account.
Question: Does the organization use automated mechanisms to disable or remove temporary and emergency accounts after an organization-defined time period for each type of account?

Identification & Authentication | Disable Inactive Accounts | IAC-15.3 | 10 | Protect | X
Control: Automated mechanisms exist to disable inactive accounts after an organization-defined time period.
Question: Does the organization use automated mechanisms to disable inactive accounts after an organization-defined time period?

Identification & Authentication | Automated Audit Actions | IAC-15.4 | 5 | Protect | X
Control: Automated mechanisms exist to audit account creation, modification, enabling, disabling and removal actions and notify organization-defined personnel or roles.
Question: Does the organization use automated mechanisms to audit account creation, modification, enabling, disabling and removal actions and notify organization-defined personnel or roles?

Identification & Authentication | Restrictions on Shared Groups / Accounts | IAC-15.5 | 10 | Protect | X X
Control: Mechanisms exist to authorize the use of shared/group accounts only under certain organization-defined conditions.
Question: Does the organization authorize the use of shared/group accounts only under certain organization-defined conditions?

Identification & Authentication | Account Disabling for High Risk Individuals | IAC-15.6 | 10 | Protect | X X
Control: Mechanisms exist to disable accounts immediately upon notification for users posing a significant risk to the organization.
Question: Does the organization disable accounts immediately upon notification for users posing a significant risk to the organization?

Identification & Authentication | System Account Reviews | IAC-15.7 | 10 | Protect | X
Control: Mechanisms exist to review all system accounts and disable any account that cannot be associated with a business process and owner.
Question: Does the organization review all system accounts and disable any account that cannot be associated with a business process and owner?

Identification & Authentication | Usage Conditions | IAC-15.8 | 5 | Protect | X X
Control: Automated mechanisms exist to enforce usage conditions for users and/or roles.
Question: Does the organization use automated mechanisms to enforce usage conditions for users and/or roles?

Identification & Authentication | Emergency Accounts | IAC-15.9 | 5 | Respond | X X
Control: Mechanisms exist to establish and control "emergency access only" accounts.
Question: Does the organization establish and control "emergency access only" accounts?

Identification & Authentication | Privileged Account Management (PAM) | IAC-16 | E-IAM-03 | 10 | Protect | X X
Control: Mechanisms exist to restrict and control privileged access rights for users and services.
Question: Does the organization restrict and control privileged access rights for users and services?

Identification & Authentication | Privileged Account Inventories | IAC-16.1 | E-IAM-03 | 10 | Protect | X
Control: Mechanisms exist to inventory all privileged accounts and validate that each person with elevated privileges is authorized by the appropriate level of organizational management.
Question: Does the organization inventory all privileged accounts and validate that each person with elevated privileges is authorized by the appropriate level of organizational management?

Identification & Authentication | Privileged Account Separation | IAC-16.2 | 4 | Protect | X
Control: Mechanisms exist to separate privileged accounts between infrastructure environments to reduce the risk of a compromise in one infrastructure environment from laterally affecting other infrastructure environments.
Question: Does the organization separate privileged accounts between infrastructure environments to reduce the risk of a compromise in one infrastructure environment from laterally affecting other infrastructure environments?

Identification & Authentication | Periodic Review of Account Privileges | IAC-17 | E-HRS-12, E-HRS-14, E-IAM-01 | 10 | Detect | X X
Control: Mechanisms exist to periodically review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.
Question: Does the organization periodically review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary?

Identification & Authentication | User Responsibilities for Account Management | IAC-18 | 10 | Protect | X
Control: Mechanisms exist to compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.).
Methods: - Employment contract
- Rules of Behavior
- Formalized password policy
Question: Does the organization compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.)?

Identification & Authentication | Credential Sharing | IAC-19 | 10 | Protect | X
Control: Mechanisms exist to prevent the sharing of generic IDs, passwords or other generic authentication methods.
Question: Does the organization prevent the sharing of generic IDs, passwords or other generic authentication methods?

Identification & Authentication | Access Enforcement | IAC-20 | 10 | Protect | X X
Control: Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of "least privilege."
Question: Does the organization enforce Logical Access Control (LAC) permissions that conform to the principle of "least privilege"?

Identification & Authentication | Access To Sensitive / Regulated Data | IAC-20.1 | 10 | Protect | X X
Control: Mechanisms exist to limit access to sensitive/regulated data to only those individuals whose job requires such access.
Question: Does the organization limit access to sensitive/regulated data to only those individuals whose job requires such access?
Does the organization explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data?

Identification & Authentication | Database Access | IAC-20.2 | 10 | Protect | X
Control: Mechanisms exist to restrict access to databases containing sensitive/regulated data to only necessary services or those individuals whose job requires such access.
Question: Does the organization restrict access to databases containing sensitive/regulated data to only necessary services or those individuals whose job requires such access?

Identification & Authentication | Use of Privileged Utility Programs | IAC-20.3 | 9 | Protect | X
Control: Mechanisms exist to restrict and tightly control utility programs that are capable of overriding system and application controls.
Question: Does the organization restrict and tightly control utility programs that are capable of overriding system and application controls?

Identification & Authentication | Dedicated Administrative Machines | IAC-20.4 | 8 | Protect | X X
Control: Mechanisms exist to restrict executing administrative tasks or tasks requiring elevated access to a dedicated machine.
Methods: - Jump hosts
Question: Does the organization restrict executing administrative tasks or tasks requiring elevated access to a dedicated machine?

Identification & Authentication | Dual Authorization for Privileged Commands | IAC-20.5 | 5 | Protect | X
Control: Automated mechanisms exist to enforce dual authorization for privileged commands.
Question: Does the organization use automated mechanisms to enforce dual authorization for privileged commands?

Identification & Authentication | Revocation of Access Authorizations | IAC-20.6 | 9 | Protect | X X
Control: Mechanisms exist to revoke logical and physical access authorizations.
Question: Does the organization revoke logical and physical access authorizations?

Identification & Authentication | Authorized System Accounts | IAC-20.7 | 9 | Protect | X X
Control: Mechanisms exist to define and document the types of accounts allowed and prohibited on systems, applications and services.
Question: Does the organization define and document the types of accounts allowed and prohibited on systems, applications and services?

Identification & Authentication | Least Privilege | IAC-21 | 10 | Protect | X
Control: Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.
Question: Does the organization utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions?

Identification & Authentication | Authorize Access to Security Functions | IAC-21.1 | 9 | Protect | X
Control: Mechanisms exist to limit access to security functions to explicitly-authorized privileged users.
Question: Does the organization limit access to security functions to explicitly-authorized privileged users?

Identification & Authentication | Non-Privileged Access for Non-Security Functions | IAC-21.2 | 9 | Protect | X
Control: Mechanisms exist to prohibit privileged users from using privileged accounts while performing non-security functions.
Question: Does the organization prohibit privileged users from using privileged accounts while performing non-security functions?

Identification & Authentication | Privileged Accounts | IAC-21.3 | 10 | Protect | X X
Control: Mechanisms exist to restrict the assignment of privileged accounts to organization-defined personnel or roles without management approval.
Question: Does the organization restrict the assignment of privileged accounts to organization-defined personnel or roles without management approval?

Identification & Authentication | Auditing Use of Privileged Functions | IAC-21.4 | 9 | Detect | X
Control: Mechanisms exist to audit the execution of privileged functions.
Question: Does the organization audit the execution of privileged functions?

Identification & Authentication | Prohibit Non-Privileged Users from Executing Privileged Functions | IAC-21.5 | 9 | Protect | X
Control: Mechanisms exist to prevent non-privileged users from executing privileged functions to include disabling, circumventing or altering implemented security safeguards / countermeasures.
Question: Does the organization prevent non-privileged users from executing privileged functions to include disabling, circumventing or altering implemented security safeguards / countermeasures?

Identification & Authentication | Network Access to Privileged Commands | IAC-21.6 | 5 | Protect | X X
Control: Mechanisms exist to authorize remote access to perform privileged commands on critical systems or where sensitive/regulated data is stored, transmitted and/or processed only for compelling operational needs.
Question: Does the organization authorize remote access to perform privileged commands on critical systems or where sensitive/regulated data is stored, transmitted and/or processed only for compelling operational needs?

Identification & Authentication | Privilege Levels for Code Execution | IAC-21.7 | 5 | Protect | X
Control: Automated mechanisms exist to prevent applications from executing at higher privilege levels than the user's privileges.
Question: Does the organization use automated mechanisms to prevent applications from executing at higher privilege levels than the user's privileges?

Identification & Authentication | Account Lockout | IAC-22 | 9 | Protect | X
Control: Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.
Question: Does the organization enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded?

Identification & Authentication | Concurrent Session Control | IAC-23 | 6 | Protect | X
Control: Mechanisms exist to limit the number of concurrent sessions for each system account.
Question: Does the organization limit the number of concurrent sessions for each system account?

Identification & Authentication | Session Lock | IAC-24 | 9 | Protect | X
Control: Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user, and retain the session lock until the user reestablishes access using established identification and authentication methods.
Question: Does the organization initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user, and retain the session lock until the user reestablishes access using established identification and authentication methods?

Identification & Authentication | Pattern-Hiding Displays | IAC-24.1 | 9 | Protect | X
Control: Mechanisms exist to implement pattern-hiding displays to conceal information previously visible on the display during the session lock.
Question: Does the organization implement pattern-hiding displays to conceal information previously visible on the display during the session lock?

Identification & Authentication | Session Termination | IAC-25 | 9 | Protect | X
Control: Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.
Question: Does the organization use automated mechanisms to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity?

Identification & Authentication | User-Initiated Logouts / Message Displays | IAC-25.1 | 5 | Protect | X
Control: Mechanisms exist to provide a logout capability and display an explicit logout message to users indicating the reliable termination of the session.
Question: Does the organization provide a logout capability and display an explicit logout message to users indicating the reliable termination of the session?

Identification & Authentication | Permitted Actions Without Identification or Authorization | IAC-26 | 8 | Protect | X
Control: Mechanisms exist to identify and document the supporting rationale for specific user actions that can be performed on a system without identification or authentication.
Question: Does the organization identify and document the supporting rationale for specific user actions that can be performed on a system without identification or authentication?

Identification & Authentication | Reference Monitor | IAC-27 | 1 | Protect | X
Control: Mechanisms exist to implement a reference monitor that is tamperproof, always-invoked, small enough to be subject to analysis / testing and the completeness of which can be assured.
Question: Does the organization implement a reference monitor that is tamperproof, always-invoked, small enough to be subject to analysis / testing and the completeness of which can be assured?

Identification & Authentication | Identity Proofing (Identity Verification) | IAC-28 | 10 | Protect | X
Control: Mechanisms exist to verify the identity of a user before modifying any permissions or authentication factor.
Methods: - Professional references
- Education / certification transcripts
- Driver's license
- Passport
Question: Does the organization verify the identity of a user before modifying any permissions or authentication factor?

Identification & Authentication | Management Approval For New or Changed Accounts | IAC-28.1 | 10 | Detect | X X X
Control: Mechanisms exist to ensure management approvals are required for new accounts or changes in permissions to existing accounts.
Question: Does the organization ensure management approvals are required for new accounts or changes in permissions to existing accounts?

Identification & Authentication | Identity Evidence | IAC-28.2 | 5 | Protect | X
Control: Mechanisms exist to require evidence of individual identification to be presented to the registration authority.
Methods: - Driver's license
- Passport
Question: Does the organization require evidence of individual identification to be presented to the registration authority?

Identification & Authentication | Identity Evidence Validation & Verification | IAC-28.3 | 5 | Protect | X
Control: Mechanisms exist to require that the presented identity evidence be validated and verified through organization-defined methods of validation and verification.
Methods: - Employment verification
- Credit check
- Criminal history check
- Education verification
Question: Does the organization require that the presented identity evidence be validated and verified through organization-defined methods of validation and verification?
67 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) 03/12/2024

IAC-28.4 | Identification & Authentication | In-Person Validation & Verification
Control: Mechanisms exist to require that the validation and verification of identity evidence be conducted in person before a designated registration authority.
Methods: In-person validation of government-issued photograph identification
Question: Does the organization require that the validation and verification of identity evidence be conducted in person before a designated registration authority?
Weight: 5 | Function: Protect | Flags: X

IAC-28.5 | Identification & Authentication | Address Confirmation
Control: Mechanisms exist to require that a notice of proofing be delivered through an out-of-band channel to verify the user's address (physical or digital).
Question: Does the organization require that a notice of proofing be delivered through an out-of-band channel to verify the user's address (physical or digital)?
Weight: 1 | Function: Protect | Flags: X

IAC-29 | Identification & Authentication | Attribute-Based Access Control (ABAC)
Control: Mechanisms exist to enforce Attribute-Based Access Control (ABAC) for policy-driven, dynamic authorizations that supports the secure sharing of information.
Methods: NIST Special Publication 800-162
Question: Does the organization enforce Attribute-Based Access Control (ABAC) for policy-driven, dynamic authorizations that supports the secure sharing of information?
Weight: 5 | Function: Identify | Flags: X

IRO-01 | Incident Response | Incident Response Operations
Control: Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity & data privacy-related incidents.
Question: Does the organization implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity & data privacy-related incidents?
Weight: 9 | Function: Protect | Flags: X X X

IRO-02 | Incident Response | Incident Handling
Control: Mechanisms exist to cover the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery.
Methods: ITIL Infrastructure Library - Incident and problem management
Question: Does the organization cover the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery?
Evidence: E-IRO-03 | Weight: 10 | Function: Respond | Flags: X X

IRO-02.1 | Incident Response | Automated Incident Handling Processes
Control: Automated mechanisms exist to support the incident handling process.
Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Question: Does the organization use automated mechanisms to support the incident handling process?
Weight: 1 | Function: Respond | Flags: X X

IRO-02.2 | Incident Response | Insider Threat Response Capability
Control: Mechanisms exist to implement and govern an insider threat program.
Question: Does the organization implement and govern an insider threat program?
Weight: 5 | Function: Protect | Flags: X X X

IRO-02.3 | Incident Response | Dynamic Reconfiguration
Control: Automated mechanisms exist to dynamically reconfigure information system components as part of the incident response capability.
Methods: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Question: Does the organization use automated mechanisms to dynamically reconfigure information system components as part of the incident response capability?
Weight: 5 | Function: Respond | Flags: X

IRO-02.4 | Incident Response | Incident Classification & Prioritization
Control: Mechanisms exist to identify classes of incidents and actions to take to ensure the continuation of organizational missions and business functions.
Question: Does the organization identify classes of incidents and actions to take to ensure the continuation of organizational missions and business functions?
Weight: 5 | Function: Respond | Flags: X X

IRO-02.5 | Incident Response | Correlation with External Organizations
Control: Mechanisms exist to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Question: Does the organization coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses?
Weight: 5 | Function: Respond | Flags: X

IRO-02.6 | Incident Response | Automatic Disabling of System
Control: Mechanisms exist to automatically disable systems, upon detection of a possible incident that meets organizational criteria, which allows for forensic analysis to be performed.
Question: Does the organization automatically disable systems, upon detection of a possible incident that meets organizational criteria, which allows for forensic analysis to be performed?
Weight: 6 | Function: Respond | Flags: X X

IRO-03 | Incident Response | Indicators of Compromise (IOC)
Control: Mechanisms exist to define specific Indicators of Compromise (IOC) to identify the signs of potential cybersecurity events.
Methods: Indicators of Compromise (IoC); Incident Response Plan (IRP); Strake (https://9yahds.com/); CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization define specific Indicators of Compromise (IOC) to identify the signs of potential cybersecurity events?
Evidence: E-IRO-02 | Weight: 8 | Function: Respond | Flags: X X

IRO-04 | Incident Response | Incident Response Plan (IRP)
Control: Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.
Methods: Incident Response Plan (IRP); Hard copy of IRP
Question: Does the organization maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders?
Evidence: E-IRO-01 | Weight: 9 | Function: Respond | Flags: X X X

IRO-04.1 | Incident Response | Data Breach
Control: Mechanisms exist to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations.
Question: Does the organization address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations?
Weight: 8 | Function: Respond | Flags: X X X

IRO-04.2 | Incident Response | IRP Update
Control: Mechanisms exist to regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary.
Question: Does the organization regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary?
Evidence: E-IRO-07 | Weight: 8 | Function: Respond | Flags: X X X

IRO-04.3 | Incident Response | Continuous Incident Response Improvements
Control: Mechanisms exist to use qualitative and quantitative data from incident response testing to:
▪ Determine the effectiveness of incident response processes;
▪ Continuously improve incident response processes; and
▪ Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.
Question: Does the organization use qualitative and quantitative data from incident response testing to:
▪ Determine the effectiveness of incident response processes;
▪ Continuously improve incident response processes; and
▪ Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format?
Weight: 3 | Function: Identify | Flags: X

IRO-05 | Incident Response | Incident Response Training
Control: Mechanisms exist to train personnel in their incident response roles and responsibilities.
Methods: ITIL Infrastructure Library - Incident and problem management; Incident Response Plan (IRP); Strake (https://9yahds.com/)
Question: Does the organization train personnel in their incident response roles and responsibilities?
Evidence: E-IRO-05, E-IRO-06 | Weight: 9 | Function: Respond | Flags: X X

IRO-05.1 | Incident Response | Simulated Incidents
Control: Mechanisms exist to incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations.
Question: Does the organization incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations?
Weight: 5 | Function: Respond | Flags: X

IRO-05.2 | Incident Response | Automated Incident Response Training Environments
Control: Automated mechanisms exist to provide a more thorough and realistic incident response training environment.
Question: Does the organization use automated mechanisms to provide a more thorough and realistic incident response training environment?
Weight: 5 | Function: Respond | Flags: X

IRO-06 | Incident Response | Incident Response Testing
Control: Mechanisms exist to formally test incident response capabilities through realistic exercises to determine the operational effectiveness of those capabilities.
Methods: Strake (https://9yahds.com/); "Table Top" incident response exercises (rock drills); "Red team vs blue team" exercises; EICAR test file antimalware detection and response exercises
Question: Does the organization formally test incident response capabilities through realistic exercises to determine the operational effectiveness of those capabilities?
Evidence: E-IRO-04 | Weight: 9 | Function: Respond | Flags: X X

IRO-06.1 | Incident Response | Coordination with Related Plans
Control: Mechanisms exist to coordinate incident response testing with organizational elements responsible for related plans.
Question: Does the organization coordinate incident response testing with organizational elements responsible for related plans?
Weight: 7 | Function: Protect | Flags: X

IRO-07 | Incident Response | Integrated Security Incident Response Team (ISIRT)
Control: Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity & data privacy incident response operations.
Methods: Full-time employees only
Question: Does the organization establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity & data privacy incident response operations?
Weight: 9 | Function: Respond | Flags: X X

IRO-08 | Incident Response | Chain of Custody & Forensics
Control: Mechanisms exist to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.
Methods: Chain of custody procedures; Encase; Forensic Tool Kit (FTK)
Question: Does the organization perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices?
Weight: 9 | Function: Respond | Flags: X X

IRO-09 | Incident Response | Situational Awareness For Incidents
Control: Mechanisms exist to document, monitor and report the status of cybersecurity & data privacy incidents to internal stakeholders all the way through the resolution of the incident.
Methods: Incident Response Plan (IRP); Strake (https://9yahds.com/)
Question: Does the organization document, monitor and report the status of cybersecurity & data privacy incidents to internal stakeholders all the way through the resolution of the incident?
Evidence: E-IRO-03 | Weight: 8 | Function: Detect | Flags: X X

IRO-09.1 | Incident Response | Automated Tracking, Data Collection & Analysis
Control: Automated mechanisms exist to assist in the tracking, collection and analysis of information from actual and potential cybersecurity & data privacy incidents.
Methods: Strake (https://9yahds.com/)
Question: Does the organization use automated mechanisms to assist in the tracking, collection and analysis of information from actual and potential cybersecurity & data privacy incidents?
Weight: 1 | Function: Detect | Flags: X X

IRO-10 | Incident Response | Incident Stakeholder Reporting
Control: Mechanisms exist to timely-report incidents to applicable:
▪ Internal stakeholders;
▪ Affected clients & third-parties; and
▪ Regulatory authorities.
Question: Does the organization timely-report incidents to applicable:
▪ Internal stakeholders;
▪ Affected clients & third-parties; and
▪ Regulatory authorities?
Weight: 9 | Function: Respond | Flags: X X

IRO-10.1 | Incident Response | Automated Reporting
Control: Automated mechanisms exist to assist in the reporting of cybersecurity & data privacy incidents.
Methods: Strake (https://9yahds.com/)
Question: Does the organization use automated mechanisms to assist in the reporting of cybersecurity & data privacy incidents?
Weight: 9 | Function: Detect | Flags: X X

IRO-10.2 | Incident Response | Cyber Incident Reporting for Sensitive Data
Control: Mechanisms exist to report sensitive/regulated data incidents in a timely manner.
Question: Does the organization report sensitive/regulated data incidents in a timely manner?
Weight: 9 | Function: Detect | Flags: X

IRO-10.3 | Incident Response | Vulnerabilities Related To Incidents
Control: Mechanisms exist to report system vulnerabilities associated with reported cybersecurity & data privacy incidents to organization-defined personnel or roles.
Question: Does the organization report system vulnerabilities associated with reported cybersecurity & data privacy incidents to organization-defined personnel or roles?
Weight: 8 | Function: Respond | Flags: X

IRO-10.4 | Incident Response | Supply Chain Coordination
Control: Mechanisms exist to provide cybersecurity & data privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident.
Question: Does the organization provide cybersecurity & data privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident?
Weight: 7 | Function: Respond | Flags: X X

IRO-11 | Incident Response | Incident Reporting Assistance
Control: Mechanisms exist to provide incident response advice and assistance to users of systems for the handling and reporting of actual and potential cybersecurity & data privacy incidents.
Methods: ITIL Infrastructure Library - Incident and problem management
Question: Does the organization provide incident response advice and assistance to users of systems for the handling and reporting of actual and potential cybersecurity & data privacy incidents?
Weight: 5 | Function: Respond | Flags: X

IRO-11.1 | Incident Response | Automation Support of Availability of Information / Support
Control: Automated mechanisms exist to increase the availability of incident response-related information and support.
Question: Does the organization use automated mechanisms to increase the availability of incident response-related information and support?
Weight: 1 | Function: Respond | Flags: X X

IRO-11.2 | Incident Response | Coordination With External Providers
Control: Mechanisms exist to establish a direct, cooperative relationship between the organization's incident response capability and external service providers.
Question: Does the organization establish a direct, cooperative relationship between the organization's incident response capability and external service providers?
Weight: 5 | Function: Respond | Flags: X X

IRO-12 | Incident Response | Information Spillage Response
Control: Mechanisms exist to respond to sensitive information spills.
Question: Does the organization respond to sensitive information spills?
Weight: 8 | Function: Respond | Flags: X X

IRO-12.1 | Incident Response | Responsible Personnel
Control: Mechanisms exist to formally assign personnel or roles with responsibility for responding to sensitive information spills.
Question: Does the organization formally assign personnel or roles with responsibility for responding to sensitive information spills?
Weight: 8 | Function: Respond | Flags: X X

IRO-12.2 | Incident Response | Training
Control: Mechanisms exist to ensure incident response training material provides coverage for sensitive information spillage response.
Question: Does the organization ensure incident response training material provides coverage for sensitive information spillage response?
Weight: 8 | Function: Respond | Flags: X

IRO-12.3 | Incident Response | Post-Spill Operations
Control: Mechanisms exist to ensure that organizational personnel impacted by sensitive information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
Question: Does the organization ensure that organizational personnel impacted by sensitive information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions?
Weight: 8 | Function: Respond | Flags: X X

IRO-12.4 | Incident Response | Exposure to Unauthorized Personnel
Control: Mechanisms exist to address security safeguards for personnel exposed to sensitive information that is not within their assigned access authorizations.
Question: Does the organization address security safeguards for personnel exposed to sensitive information that is not within their assigned access authorizations?
Weight: 8 | Function: Respond | Flags: X

IRO-13 | Incident Response | Root Cause Analysis (RCA) & Lessons Learned
Control: Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity & data privacy incidents to reduce the likelihood or impact of future incidents.
Question: Does the organization incorporate lessons learned from analyzing and resolving cybersecurity & data privacy incidents to reduce the likelihood or impact of future incidents?
Evidence: E-IRO-08 | Weight: 8 | Function: Respond | Flags: X X X

IRO-14 | Incident Response | Regulatory & Law Enforcement Contacts
Control: Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Question: Does the organization maintain incident response contacts with applicable regulatory and law enforcement agencies?
Weight: 9 | Function: Identify | Flags: X

IRO-15 | Incident Response | Detonation Chambers (Sandboxes)
Control: Mechanisms exist to utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments.
Methods: Separate network with "sacrificial" systems where potential malware can be evaluated without impacting the production network.
Question: Does the organization utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments?
Weight: 5 | Function: Respond | Flags: X X

IRO-16 | Incident Response | Public Relations & Reputation Repair
Control: Mechanisms exist to proactively manage public relations associated with incidents and employ appropriate measures to prevent further reputational damage and develop plans to repair any damage to the organization's reputation.
Question: Does the organization proactively manage public relations associated with incidents and employ appropriate measures to prevent further reputational damage and develop plans to repair any damage to the organization's reputation?
Weight: 6 | Function: Recover | Flags: X X

IAO-01 | Information Assurance | Information Assurance (IA) Operations
Control: Mechanisms exist to facilitate the implementation of cybersecurity & data privacy assessment and authorization controls.
Methods: Information Assurance (IA) program; VisibleOps security management
Question: Does the organization facilitate the implementation of cybersecurity & data privacy assessment and authorization controls?
Evidence: E-IAO-01 | Weight: 10 | Function: Protect | Flags: X X X

IAO-01.1 | Information Assurance | Assessment Boundaries
Control: Mechanisms exist to establish the scope of assessments by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the data and systems under review.
Question: Does the organization establish the scope of assessments by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the data and systems under review?
Evidence: E-AST-02 | Weight: 9 | Function: Identify | Flags: X X

IAO-02 | Information Assurance | Assessments
Control: Mechanisms exist to formally assess the cybersecurity & data privacy controls in systems, applications and services through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.
Methods: Information Assurance (IA) program; VisibleOps security management; Information Assurance Program (IAP)
Question: Does the organization formally assess the cybersecurity & data privacy controls in systems, applications and services through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements?
Weight: 10 | Function: Protect | Flags: X X

IAO-02.1 | Information Assurance | Assessor Independence
Control: Mechanisms exist to ensure assessors or assessment teams have the appropriate independence to conduct cybersecurity & data privacy control assessments.
Methods: Information Assurance (IA) program; VisibleOps security management
Question: Does the organization ensure assessors or assessment teams have the appropriate independence to conduct cybersecurity & data privacy control assessments?
Weight: 9 | Function: Protect | Flags: X X

IAO-02.2 | Information Assurance | Specialized Assessments
Control: Mechanisms exist to conduct specialized assessments for:
▪ Statutory, regulatory and contractual compliance obligations;
▪ Monitoring capabilities;
▪ Mobile devices;
▪ Databases;
▪ Application security;
▪ Embedded technologies (e.g., IoT, OT, etc.);
▪ Vulnerability management;
Methods: Information Assurance (IA) program; VisibleOps security management; CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization conduct specialized assessments for:
▪ Statutory, regulatory and contractual compliance obligations;
▪ Monitoring capabilities;
▪ Mobile devices;
▪ Databases;
▪ Application security;
▪ Embedded technologies (e.g., IoT, OT, etc.);
▪ Vulnerability management;
Weight: 9 | Function: Protect | Flags: X

IAO-02.3 | Information Assurance | Third-Party Assessments
Control: Mechanisms exist to accept and respond to the results of external assessments that are performed by impartial, external organizations.
Methods: Audit steering committee; Information Assurance (IA) program; VisibleOps security management
Question: Does the organization accept and respond to the results of external assessments that are performed by impartial, external organizations?
Weight: 9 | Function: Protect | Flags: X

IAO-02.4 | Information Assurance | Security Assessment Report (SAR)
Control: Mechanisms exist to produce a Security Assessment Report (SAR) at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions.
Question: Does the organization produce a Security Assessment Report (SAR) at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions?
Weight: 7 | Function: Identify | Flags: X

IAO-03 | Information Assurance | System Security & Privacy Plan (SSPP)
Control: Mechanisms exist to generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical system, application or service, as well as influence inputs, entities, systems, applications and processes, providing a historical record of the data and its origins.
Methods: Information Assurance (IA) program; VisibleOps security management
Question: Does the organization generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical system, application or service, as well as influence inputs, entities, systems, applications and processes, providing a historical record of the data and its origins?
Evidence: E-TDA-14 | Weight: 7 | Function: Identify | Flags: X

IAO-03.1 | Information Assurance | Plan / Coordinate with Other Organizational Entities
Control: Mechanisms exist to plan and coordinate Information Assurance Program (IAP) activities with affected stakeholders before conducting such activities in order to reduce the potential impact on operations.
Methods: Audit steering committee; Information Assurance (IA) program; VisibleOps security management; Information Assurance Program (IAP)
Question: Does the organization plan and coordinate Information Assurance Program (IAP) activities with affected stakeholders before conducting such activities in order to reduce the potential impact on operations?
Weight: 5 | Function: Protect | Flags: X X

IAO-03.2 | Information Assurance | Adequate Security for Sensitive / Regulated Data In Support of Contracts
Control: Mechanisms exist to protect sensitive / regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract.
Methods: Information Assurance (IA) program; VisibleOps security management
Question: Does the organization protect sensitive / regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract?
Weight: 7 | Function: Protect | Flags: X X X

IAO-04 | Information Assurance | Threat Analysis & Flaw Remediation During Development
Control: Mechanisms exist to require system developers and integrators to create and execute a Security Test and Evaluation (ST&E) plan to identify and remediate flaws during development.
Methods: Information Assurance (IA) program; VisibleOps security management; Security Test & Evaluation (ST&E)
Question: Does the organization require system developers and integrators to create and execute a Security Test and Evaluation (ST&E) plan to identify and remediate flaws during development?
Weight: 10 | Function: Protect | Flags: X X X

IAO-05 | Information Assurance | Plan of Action & Milestones (POA&M)
Control: Mechanisms exist to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.
Methods: Information Assurance (IA) program; VisibleOps security management; Plan of Action & Milestones (POA&M)
Question: Does the organization generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities?
Weight: 9 | Function: Detect | Flags: X X

IAO-05.1 | Information Assurance | Plan of Action & Milestones (POA&M) Automation
Control: Automated mechanisms exist to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available.
Methods: Governance, Risk & Compliance (GRC)
Question: Does the organization use automated mechanisms to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available?
Weight: 2 | Function: Detect | Flags: X

IAO-06 | Information Assurance | Technical Verification
Control: Mechanisms exist to perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical cybersecurity & data privacy controls.
Methods: Information Assurance (IA) program; VisibleOps security management; Information Assurance Program (IAP)
Question: Does the organization perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical cybersecurity & data privacy controls?
Weight: 8 | Function: Protect | Flags: X X

IAO-07 | Information Assurance | Security Authorization
Control: Mechanisms exist to ensure systems, projects and services are officially authorized prior to "go live" in a production environment.
Methods: Information Assurance (IA) program; VisibleOps security management
Question: Does the organization ensure systems, projects and services are officially authorized prior to "go live" in a production environment?
Weight: 10 | Function: Protect | Flags: X X X

MNT-01 | Maintenance | Maintenance Operations
Control: Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.
Question: Does the organization develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise?
Evidence: E-MNT-02, E-MNT-04 | Weight: 9 | Function: Protect | Flags: X X X

MNT-02 | Maintenance | Controlled Maintenance
Control: Mechanisms exist to conduct controlled maintenance activities throughout the lifecycle of the system, application or service.
Methods: VisibleOps security management
Question: Does the organization conduct controlled maintenance activities throughout the lifecycle of the system, application or service?
Evidence: E-MNT-04 | Weight: 10 | Function: Protect | Flags: X X X

MNT-02.1 | Maintenance | Automated Maintenance Activities
Control: Automated mechanisms exist to schedule, conduct and document maintenance and repairs.
Question: Does the organization use automated mechanisms to schedule, conduct and document maintenance and repairs?
Weight: 5 | Function: Protect | Flags: X

MNT-03 | Maintenance | Timely Maintenance
Control: Mechanisms exist to obtain maintenance support and/or spare parts for systems within a defined Recovery Time Objective (RTO).
Question: Does the organization obtain maintenance support and/or spare parts for systems within a defined Recovery Time Objective (RTO)?
Evidence: E-MNT-04 | Weight: 9 | Function: Protect | Flags: X

MNT-03.1 | Maintenance | Preventative Maintenance
Control: Mechanisms exist to perform preventive maintenance on critical systems, applications and services.
Question: Does the organization perform preventive maintenance on critical systems, applications and services?
Evidence: E-MNT-04 | Weight: 5 | Function: Protect | Flags: X X

MNT-03.2 | Maintenance | Predictive Maintenance
Control: Mechanisms exist to perform predictive maintenance on critical systems, applications and services.
Question: Does the organization perform predictive maintenance on critical systems, applications and services?
Weight: 5 | Function: Protect | Flags: X X

MNT-03.3 | Maintenance | Automated Support For Predictive Maintenance
Control: Automated mechanisms exist to transfer predictive maintenance data to a computerized maintenance management system.
Question: Does the organization use automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system?
Weight: 5 | Function: Protect | Flags: X

MNT-04 | Maintenance | Maintenance Tools
Control: Mechanisms exist to control and monitor the use of system maintenance tools.
Methods: VisibleOps security management
Question: Does the organization control and monitor the use of system maintenance tools?
Weight: 5 | Function: Protect | Flags: X X

MNT-04.1 | Maintenance | Inspect Tools
Control: Mechanisms exist to inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Question: Does the organization inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications?
Weight: 5 | Function: Protect | Flags: X

MNT-04.2 | Maintenance | Inspect Media
Control: Mechanisms exist to check media containing diagnostic and test programs for malicious code before the media are used.
Question: Does the organization check media containing diagnostic and test programs for malicious code before the media are used?
Weight: 5 | Function: Protect | Flags: X

MNT-04.3 | Maintenance | Prevent Unauthorized Removal
Control: Mechanisms exist to prevent or control the removal of equipment undergoing maintenance that contains organizational information.
Question: Does the organization prevent or control the removal of equipment undergoing maintenance that contains organizational information?
Weight: 9 | Function: Protect | Flags: X

MNT-04.4 | Maintenance | Restrict Tool Usage
Control: Automated mechanisms exist to restrict the use of maintenance tools to authorized maintenance personnel and/or roles.
Question: Does the organization use automated mechanisms to restrict the use of maintenance tools to authorized maintenance personnel and/or roles?
Weight: 5 | Function: Protect | Flags: X X

MNT-05 | Maintenance | Remote Maintenance
Control: Mechanisms exist to authorize, monitor and control remote, non-local maintenance and diagnostic activities.
Question: Does the organization authorize, monitor and control remote, non-local maintenance and diagnostic activities?
Weight: 9 | Function: Protect | Flags: X X

MNT-05.1 | Maintenance | Auditing Remote Maintenance
Control: Mechanisms exist to audit remote, non-local maintenance and diagnostic sessions, as well as review the maintenance action performed during remote maintenance sessions.
Question: Does the organization audit remote, non-local maintenance and diagnostic sessions, as well as review the maintenance action performed during remote maintenance sessions?
Weight: 9 | Function: Detect | Flags: X X X

MNT-05.2 | Maintenance | Remote Maintenance Notifications
Control: Mechanisms exist to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time).
Question: Does the organization require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time)?
Weight: 9 | Function: Protect | Flags: X X X

MNT-05.3 | Maintenance | Remote Maintenance Cryptographic Protection
Control: Cryptographic mechanisms exist to protect the integrity and confidentiality of remote, non-local maintenance and diagnostic communications.
Question: Are cryptographic mechanisms utilized to protect the integrity and confidentiality of remote, non-local maintenance and diagnostic communications?
Weight: 9 | Function: Protect | Flags: X

MNT-05.4 | Maintenance | Remote Maintenance Disconnect Verification
Control: Mechanisms exist to provide remote disconnect verification to ensure remote, non-local maintenance and diagnostic sessions are properly terminated.
Question: Does the organization provide remote disconnect verification to ensure remote, non-local maintenance and diagnostic sessions are properly terminated?
Weight: 9 | Function: Protect | Flags: X

MNT-05.5 | Maintenance | Remote Maintenance Pre-Approval
Control: Mechanisms exist to require maintenance personnel to obtain pre-approval and scheduling for remote, non-local maintenance sessions.
Methods: VisibleOps security management
Question: Does the organization require maintenance personnel to obtain pre-approval and scheduling for remote, non-local maintenance sessions?
Weight: 7 | Function: Protect | Flags: X X

MNT-05.6 | Maintenance | Remote Maintenance Comparable Security & Sanitization
Control: Mechanisms exist to require systems performing remote, non-local maintenance and / or diagnostic services implement a security capability comparable to the capability implemented on the system being serviced.
Question: Does the organization require systems performing remote, non-local maintenance and / or diagnostic services implement a security capability comparable to the capability implemented on the system being serviced?
Weight: 5 | Function: Protect | Flags: X X

MNT-05.7 | Maintenance | Separation of Maintenance Sessions
Control: Mechanisms exist to protect maintenance sessions through replay-resistant sessions that are physically or logically separated communications paths from other network sessions.
Question: Does the organization protect maintenance sessions through replay-resistant sessions that are physically or logically separated communications paths from other network sessions?
Weight: 1 | Function: Protect | Flags: X

MNT-06 | Maintenance | Authorized Maintenance Personnel
Control: Mechanisms exist to maintain a current list of authorized maintenance organizations or personnel.
Methods: VisibleOps security management
Question: Does the organization maintain a current list of authorized maintenance organizations or personnel?
Weight: 9 | Function: Protect | Flags: X X
73 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) 03/12/2024

MNT-06.1  Maintenance: Maintenance Personnel Without Appropriate Access  [Weighting 7 | Protect | X X]
  Control:  Mechanisms exist to ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.
  Methods to comply: VisibleOps security management
  Evidence request: E-MNT-01
  Question: Does the organization ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated?

MNT-06.2  Maintenance: Non-System Related Maintenance  [Weighting 5 | Protect | X]
  Control:  Mechanisms exist to ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of IT systems have required access authorizations.
  Question: Does the organization ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of IT systems have required access authorizations?

MNT-07  Maintenance: Maintain Configuration Control During Maintenance  [Weighting 8 | Protect | X X]
  Control:  Mechanisms exist to maintain proper physical security and configuration control over technology assets awaiting service or repair.
  Question: Does the organization maintain proper physical security and configuration control over technology assets awaiting service or repair?

MNT-08  Maintenance: Field Maintenance  [Weighting 8 | Protect | X X]
  Control:  Mechanisms exist to securely conduct field maintenance on geographically deployed assets.
  Question: Does the organization securely conduct field maintenance on geographically deployed assets?

MNT-09  Maintenance: Off-Site Maintenance  [Weighting 8 | Protect | X X]
  Control:  Mechanisms exist to ensure off-site maintenance activities are conducted securely and the asset(s) undergoing maintenance actions are secured during physical transfer and storage while off-site.
  Question: Does the organization ensure off-site maintenance activities are conducted securely and the asset(s) undergoing maintenance actions are secured during physical transfer and storage while off-site?

MNT-10  Maintenance: Maintenance Validation  [Weighting 6 | Detect | X X]
  Control:  Mechanisms exist to validate maintenance activities were appropriately performed according to the work order and that security controls are operational.
  Question: Does the organization validate maintenance activities were appropriately performed according to the work order and that security controls are operational?

MNT-11  Maintenance: Maintenance Monitoring  [Weighting 6 | Detect | X]
  Control:  Mechanisms exist to maintain situational awareness of the quality and reliability of systems and components through tracking maintenance activities and component failure rates.
  Question: Does the organization maintain situational awareness of the quality and reliability of systems and components through tracking maintenance activities and component failure rates?

MDM-01  Mobile Device Management: Centralized Management Of Mobile Devices  [Weighting 10 | Protect | X X X]
  Control:  Mechanisms exist to develop, govern & update procedures to facilitate the implementation of mobile device management controls.
  Question: Does the organization develop, govern & update procedures to facilitate the implementation of mobile device management controls?

MDM-02  Mobile Device Management: Access Control For Mobile Devices  [Weighting 9 | Protect | X X]
  Control:  Mechanisms exist to enforce access control requirements for the connection of mobile devices to organizational systems.
  Question: Does the organization enforce access control requirements for the connection of mobile devices to organizational systems?

MDM-03  Mobile Device Management: Full Device & Container-Based Encryption  [Weighting 9 | Protect | X]
  Control:  Cryptographic mechanisms exist to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption.
  Question: Are cryptographic mechanisms utilized to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption?

MDM-04  Mobile Device Management: Mobile Device Tampering  [Weighting 9 | Protect | X X]
  Control:  Mechanisms exist to protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization’s network.
  Question: Does the organization protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization’s network?

MDM-05  Mobile Device Management: Remote Purging  [Weighting 9 | Protect | X X]
  Control:  Mechanisms exist to remotely purge selected information from mobile devices.
  Question: Does the organization remotely purge selected information from mobile devices?

MDM-06  Mobile Device Management: Personally-Owned Mobile Devices  [Weighting 8 | Protect | X X X]
  Control:  Mechanisms exist to restrict the connection of personally-owned mobile devices to organizational systems and networks.
  Question: Does the organization restrict the connection of personally-owned mobile devices to organizational systems and networks?


MDM-07  Mobile Device Management: Organization-Owned Mobile Devices  [Weighting 8 | Protect | X X]
  Control:  Mechanisms exist to prohibit the installation of non-approved applications or approved applications not obtained through the organization-approved application store.
  Question: Does the organization prohibit the installation of non-approved applications or approved applications not obtained through the organization-approved application store?

MDM-08  Mobile Device Management: Mobile Device Data Retention Limitations  [Weighting 7 | Protect | X]
  Control:  Mechanisms exist to limit data retention on mobile devices to the smallest usable dataset and timeframe.
  Question: Does the organization limit data retention on mobile devices to the smallest usable dataset and timeframe?

MDM-09  Mobile Device Management: Mobile Device Geofencing  [Weighting 7 | Protect | X X X]
  Control:  Mechanisms exist to restrict the functionality of mobile devices based on geographic location.
  Question: Does the organization restrict the functionality of mobile devices based on geographic location?

MDM-10  Mobile Device Management: Separate Mobile Device Profiles  [Weighting 7 | Protect | X X X]
  Control:  Mechanisms exist to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.
  Question: Does the organization enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data?

MDM-11  Mobile Device Management: Restricting Access To Authorized Devices  [Weighting 8 | Protect | X X]
  Control:  Mechanisms exist to restrict the connectivity of unauthorized mobile devices from communicating with systems, applications and services.
  Question: Does the organization restrict the connectivity of unauthorized mobile devices from communicating with systems, applications and services?

NET-01  Network Security: Network Security Controls (NSC)  [Weighting 10 | Protect | X X X]
  Control:  Mechanisms exist to develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC).
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC)?

NET-01.1  Network Security: Zero Trust Architecture (ZTA)  [Weighting 8 | Protect | X X X]
  Control:  Mechanisms exist to treat all users and devices as potential threats and prevent access to data and resources until the users can be properly authenticated and their access authorized.
  Question: Does the organization treat all users and devices as potential threats and prevent access to data and resources until the users can be properly authenticated and their access authorized?

NET-02  Network Security: Layered Network Defenses  [Weighting 9 | Protect | X]
  Control:  Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers.
  Evidence request: E-DCH-03, E-DCH-04, E-DCH-05
  Question: Does the organization implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers?

NET-02.1  Network Security: Denial of Service (DoS) Protection  [Weighting 9 | Protect | X X]
  Control:  Automated mechanisms exist to protect against or limit the effects of denial of service attacks.
  Question: Does the organization use automated mechanisms to protect against or limit the effects of denial of service attacks?

NET-02.2  Network Security: Guest Networks  [Weighting 6 | Protect | X]
  Control:  Mechanisms exist to implement and manage a secure guest network.
  Question: Does the organization implement and manage a secure guest network?

NET-02.3  Network Security: Cross Domain Solution (CDS)  [Weighting 6 | Protect | X]
  Control:  Mechanisms exist to implement a Cross Domain Solution (CDS) to mitigate the specific security risks of accessing or transferring information between security domains.
  Question: Does the organization implement a Cross Domain Solution (CDS) to mitigate the specific security risks of accessing or transferring information between security domains?

NET-03  Network Security: Boundary Protection  [Weighting 10 | Protect | X]
  Control:  Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.
  Question: Does the organization monitor and control communications at the external network boundary and at key internal boundaries within the network?

NET-03.1  Network Security: Limit Network Connections  [Weighting 9 | Protect | X]
  Control:  Mechanisms exist to limit the number of concurrent external network connections to its systems.
  Question: Does the organization limit the number of concurrent external network connections to its systems?


NET-03.2  Network Security: External Telecommunications Services  [Weighting 7 | Protect | X X]
  Control:  Mechanisms exist to maintain a managed interface for each external telecommunication service that protects the confidentiality and integrity of the information being transmitted across each interface.
  Methods to comply: Outbound content filtering
  Question: Does the organization maintain a managed interface for each external telecommunication service that protects the confidentiality and integrity of the information being transmitted across each interface?

NET-03.3  Network Security: Prevent Discovery of Internal Information  [Weighting 7 | Protect | X]
  Control:  Mechanisms exist to prevent the public disclosure of internal network information.
  Question: Does the organization prevent the public disclosure of internal network information?

NET-03.4  Network Security: Personal Data (PD)  [Weighting 7 | Protect | X X]
  Control:  Mechanisms exist to apply network-based processing rules to data elements of Personal Data (PD).
  Methods to comply: Data Loss Prevention (DLP)
  Question: Does the organization apply network-based processing rules to data elements of Personal Data (PD)?

NET-03.5  Network Security: Prevent Unauthorized Exfiltration  [Weighting 5 | Protect | X X]
  Control:  Automated mechanisms exist to prevent the unauthorized exfiltration of sensitive/regulated data across managed interfaces.
  Question: Does the organization use automated mechanisms to prevent the unauthorized exfiltration of sensitive/regulated data across managed interfaces?

NET-03.6  Network Security: Dynamic Isolation & Segregation (Sandboxing)  [Weighting 5 | Protect | X]
  Control:  Automated mechanisms exist to dynamically isolate (e.g., sandbox) untrusted components during runtime, where the component is isolated in a fault-contained environment but it can still collaborate with the application.
  Question: Does the organization use automated mechanisms to dynamically isolate (e.g., sandbox) untrusted components during runtime, where the component is isolated in a fault-contained environment but it can still collaborate with the application?

NET-03.7  Network Security: Isolation of Information System Components  [Weighting 5 | Protect | X]
  Control:  Mechanisms exist to employ boundary protections to isolate systems, services and processes that support critical missions and/or business functions.
  Question: Does the organization employ boundary protections to isolate systems, services and processes that support critical missions and/or business functions?

NET-03.8  Network Security: Separate Subnet for Connecting to Different Security Domains  [Weighting 5 | Protect | X]
  Control:  Mechanisms exist to implement separate network addresses (e.g., different subnets) to connect to systems in different security domains.
  Question: Does the organization implement separate network addresses (e.g., different subnets) to connect to systems in different security domains?

NET-04  Network Security: Data Flow Enforcement – Access Control Lists (ACLs)  [Weighting 10 | Protect | X X]
  Control:  Mechanisms exist to design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Evidence request: E-AST-12, E-AST-19
  Question: Does the organization design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems?

NET-04.1  Network Security: Deny Traffic by Default & Allow Traffic by Exception  [Weighting 10 | Protect | X X]
  Control:  Mechanisms exist to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
  Evidence request: E-AST-12, E-AST-19
  Question: Does the organization configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception)?

NET-04.2  Network Security: Object Security Attributes  [Weighting 5 | Protect | X]
  Control:  Mechanisms exist to associate security attributes with information, source and destination objects to enforce defined information flow control configurations as a basis for flow control decisions.
  Methods to comply: NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization associate security attributes with information, source and destination objects to enforce defined information flow control configurations as a basis for flow control decisions?

NET-04.3  Network Security: Content Check for Encrypted Data  [Weighting 4 | Protect | X]
  Control:  Mechanisms exist to prevent encrypted data from bypassing content-checking mechanisms.
  Question: Does the organization prevent encrypted data from bypassing content-checking mechanisms?

NET-04.4  Network Security: Embedded Data Types  [Weighting 2 | Protect | X]
  Control:  Mechanisms exist to enforce limitations on embedding data within other data types.
  Methods to comply: Prevent exfiltration through steganography
  Question: Does the organization enforce limitations on embedding data within other data types?

NET-04.5  Network Security: Metadata  [Weighting 2 | Protect | X X]
  Control:  Mechanisms exist to enforce information flow controls based on metadata.
  Question: Does the organization enforce information flow controls based on metadata?


NET-04.6  Network Security: Human Reviews  [Weighting 9 | Detect | X]
  Control:  Mechanisms exist to enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis.
  Evidence request: E-AST-12
  Question: Does the organization enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis?

NET-04.7  Network Security: Security Policy Filters  [Weighting 5 | Protect | X X]
  Control:  Automated mechanisms exist to enforce information flow control using security policy filters as a basis for flow control decisions.
  Question: Does the organization use automated mechanisms to enforce information flow control using security policy filters as a basis for flow control decisions?

NET-04.8  Network Security: Data Type Identifiers  [Weighting 5 | Protect | X]
  Control:  Automated mechanisms exist to utilize data type identifiers to validate data essential for information flow decisions when transferring information between different security domains.
  Question: Does the organization use automated mechanisms to utilize data type identifiers to validate data essential for information flow decisions when transferring information between different security domains?

NET-04.9  Network Security: Decomposition Into Policy-Related Subcomponents  [Weighting 5 | Protect | X]
  Control:  Automated mechanisms exist to decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms, when transferring information between different security domains.
  Question: Does the organization use automated mechanisms to decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms, when transferring information between different security domains?

NET-04.10  Network Security: Detection of Unsanctioned Information  [Weighting 5 | Detect | X X]
  Control:  Automated mechanisms exist to implement security policy filters requiring fully enumerated formats that restrict data structure and content, when transferring information between different security domains.
  Question: Does the organization use automated mechanisms to implement security policy filters requiring fully enumerated formats that restrict data structure and content, when transferring information between different security domains?

NET-04.11  Network Security: Approved Solutions  [Weighting 5 | Protect | X]
  Control:  Automated mechanisms exist to examine information for the presence of unsanctioned information and prohibit the transfer of such information, when transferring information between different security domains.
  Question: Does the organization use automated mechanisms to examine information for the presence of unsanctioned information and prohibit the transfer of such information, when transferring information between different security domains?

NET-04.12  Network Security: Cross Domain Authentication  [Weighting 5 | Protect]
  Control:  Automated mechanisms exist to uniquely identify and authenticate source and destination points for information transfer.
  Question: Does the organization use automated mechanisms to uniquely identify and authenticate source and destination points for information transfer?

NET-04.13  Network Security: Metadata Validation  [Weighting 2 | Protect]
  Control:  Automated mechanisms exist to apply cybersecurity and/or data privacy filters on metadata.
  Question: Does the organization use automated mechanisms to apply cybersecurity and/or data privacy filters on metadata?

NET-05  Network Security: System Interconnections  [Weighting 9 | Protect | X]
  Control:  Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs) that document, for each interconnection, the interface characteristics, cybersecurity & data privacy requirements and the nature of the information communicated.
  Methods to comply: VisibleOps security management
  Question: Does the organization authorize connections from systems to other systems using Interconnection Security Agreements (ISAs) that document, for each interconnection, the interface characteristics, cybersecurity & data privacy requirements and the nature of the information communicated?

NET-05.1  Network Security: External System Connections  [Weighting 8 | Protect | X]
  Control:  Mechanisms exist to prohibit the direct connection of a sensitive system to an external network without the use of an organization-defined boundary protection device.
  Question: Does the organization prohibit the direct connection of a sensitive system to an external network without the use of an organization-defined boundary protection device?

NET-05.2  Network Security: Internal System Connections  [Weighting 7 | Protect | X]
  Control:  Mechanisms exist to control internal system connections through authorizing internal connections of systems and documenting, for each internal connection, the interface characteristics, security requirements and the nature of the information communicated.
  Question: Does the organization control internal system connections through authorizing internal connections of systems and documenting, for each internal connection, the interface characteristics, security requirements and the nature of the information communicated?

NET-06  Network Security: Network Segmentation  [Weighting 10 | Protect | X]
  Control:  Mechanisms exist to ensure network architecture utilizes network segmentation to isolate systems, applications and services that require protection from other network resources.
  Methods to comply: Subnetting; VLANs
  Question: Does the organization ensure network architecture utilizes network segmentation to isolate systems, applications and services that require protection from other network resources?

NET-06.1  Network Security: Security Management Subnets  [Weighting 9 | Protect | X]
  Control:  Mechanisms exist to implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system.
  Question: Does the organization implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system?


NET-06.2  Network Security: Virtual Local Area Network (VLAN) Separation  [Weighting 9 | Protect | X]
  Control:  Mechanisms exist to enable Virtual Local Area Networks (VLANs) to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems.
  Methods to comply: Virtual Local Area Network (VLAN)
  Question: Does the organization enable Virtual Local Area Networks (VLANs) to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems?

NET-06.3  Network Security: Sensitive / Regulated Data Enclave (Secure Zone)  [Weighting 10 | Protect | X]
  Control:  Mechanisms exist to implement segmentation controls to restrict inbound and outbound connectivity for sensitive / regulated data enclaves (secure zones).
  Question: Does the organization implement segmentation controls to restrict inbound and outbound connectivity for sensitive / regulated data enclaves (secure zones)?

NET-06.4  Network Security: Segregation From Enterprise Services  [Weighting 4 | Protect | X]
  Control:  Mechanisms exist to isolate sensitive / regulated data enclaves (secure zones) from corporate-provided IT resources by providing enclave-specific IT services (e.g., directory services, DNS, NTP, ITAM, antimalware, patch management, etc.) to those isolated network segments.
  Question: Does the organization isolate sensitive / regulated data enclaves (secure zones) from corporate-provided IT resources by providing enclave-specific IT services (e.g., directory services, DNS, NTP, ITAM, antimalware, patch management, etc.) to those isolated network segments?

NET-06.5  Network Security: Direct Internet Access Restrictions  [Weighting 6 | Protect | X]
  Control:  Mechanisms exist to prohibit, or strictly-control, Internet access from sensitive / regulated data enclaves (secure zones).
  Question: Does the organization prohibit, or strictly-control, Internet access from sensitive / regulated data enclaves (secure zones)?

NET-07  Network Security: Remote Session Termination  [Weighting 8 | Protect | X]
  Control:  Mechanisms exist to terminate remote sessions at the end of the session or after an organization-defined time period of inactivity.
  Question: Does the organization terminate remote sessions at the end of the session or after an organization-defined time period of inactivity?

NET-08  Network Security: Network Intrusion Detection / Prevention Systems (NIDS / NIPS)  [Weighting 9 | Protect | X X]
  Control:  Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.
  Question: Does the organization employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network?

NET-08.1  Network Security: DMZ Networks  [Weighting 8 | Protect | X X]
  Control:  Mechanisms exist to monitor De-Militarized Zone (DMZ) network segments to separate untrusted networks from trusted networks.
  Methods to comply: Architectural review board; System Security Plan (SSP)
  Question: Does the organization monitor De-Militarized Zone (DMZ) network segments to separate untrusted networks from trusted networks?

NET-08.2  Network Security: Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS)  [Weighting 8 | Protect | X X]
  Control:  Mechanisms exist to monitor wireless network segments to implement Wireless Intrusion Detection / Prevention Systems (WIDS/WIPS) technologies.
  Question: Does the organization monitor wireless network segments to implement Wireless Intrusion Detection / Prevention Systems (WIDS/WIPS) technologies?

NET-09  Network Security: Session Integrity  [Weighting 8 | Protect | X]
  Control:  Mechanisms exist to protect the authenticity and integrity of communications sessions.
  Methods to comply: PKI for non-repudiation
  Question: Does the organization protect the authenticity and integrity of communications sessions?

NET-09.1  Network Security: Invalidate Session Identifiers at Logout  [Weighting 5 | Protect | X]
  Control:  Automated mechanisms exist to invalidate session identifiers upon user logout or other session termination.
  Question: Does the organization use automated mechanisms to invalidate session identifiers upon user logout or other session termination?

NET-09.2  Network Security: Unique System-Generated Session Identifiers  [Weighting 3 | Protect | X]
  Control:  Automated mechanisms exist to generate and recognize unique session identifiers for each session.
  Question: Does the organization use automated mechanisms to generate and recognize unique session identifiers for each session?

NET-10  Network Security: Domain Name Service (DNS) Resolution  [Weighting 10 | Protect | X X]
  Control:  Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.
  Question: Does the organization ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution?

NET-10.1  Network Security: Architecture & Provisioning for Name / Address Resolution Service  [Weighting 9 | Protect | X]
  Control:  Mechanisms exist to ensure systems that collectively provide Domain Name Service (DNS) resolution service are fault-tolerant and implement internal/external role separation.
  Question: Does the organization ensure systems that collectively provide Domain Name Service (DNS) resolution service are fault-tolerant and implement internal/external role separation?


NET-10.2  Network Security: Secure Name / Address Resolution Service (Recursive or Caching Resolver)  [Weighting 9 | Protect | X]
  Control:  Mechanisms exist to perform data origin authentication and data integrity verification on the Domain Name Service (DNS) resolution responses received from authoritative sources when requested by client systems.
  Question: Does the organization perform data origin authentication and data integrity verification on the Domain Name Service (DNS) resolution responses received from authoritative sources when requested by client systems?

NET-10.3  Network Security: Sender Policy Framework (SPF)  [Weighting 8 | Protect | X X]
  Control:  Mechanisms exist to validate the legitimacy of email communications through configuring a Domain Naming Service (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain.
  Question: Does the organization validate the legitimacy of email communications through configuring a Domain Naming Service (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain?

NET-10.4  Network Security: Domain Registrar Security  [Weighting 9 | Protect | X X X]
  Control:  Mechanisms exist to lock the domain name registrar to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain’s registration details.
  Question: Does the organization lock the domain name registrar to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain’s registration details?

NET-11  Network Security: Out-of-Band Channels  [Weighting 9 | Protect | X X]
  Control:  Mechanisms exist to utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals.
  Methods to comply: Signature delivery (courier service)
  Question: Does the organization utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals?

NET-12  Network Security: Safeguarding Data Over Open Networks  [Weighting 8 | Protect | X X X]
  Control:  Cryptographic mechanisms exist to implement strong cryptography and security protocols to safeguard sensitive/regulated data during transmission over open, public networks.
  Question: Are cryptographic mechanisms utilized to implement strong cryptography and security protocols to safeguard sensitive/regulated data during transmission over open, public networks?

NET-12.1  Network Security: Wireless Link Protection  [Weighting 8 | Protect | X]
  Control:  Mechanisms exist to protect external and internal wireless links from signal parameter attacks through monitoring for unauthorized wireless connections, including scanning for unauthorized wireless access points and taking appropriate action, if an unauthorized connection is discovered.
  Question: Does the organization protect external and internal wireless links from signal parameter attacks through monitoring for unauthorized wireless connections, including scanning for unauthorized wireless access points and taking appropriate action, if an unauthorized connection is discovered?

NET-12.2  Network Security: End-User Messaging Technologies  [Weighting 9 | Protect | X X]
  Control:  Mechanisms exist to prohibit the transmission of unprotected sensitive/regulated data by end-user messaging technologies.
  Methods to comply: Acceptable Use Policy (AUP); Data Loss Prevention (DLP)
  Question: Does the organization prohibit the transmission of unprotected sensitive/regulated data by end-user messaging technologies?

NET-13  Network Security: Electronic Messaging  [Weighting 10 | Protect | X X]
  Control:  Mechanisms exist to protect the confidentiality, integrity and availability of electronic messaging communications.
  Question: Does the organization protect the confidentiality, integrity and availability of electronic messaging communications?

NET-14  Network Security: Remote Access  [Weighting 10 | Protect | X X]
  Control:  Mechanisms exist to define, control and review organization-approved, secure remote access methods.
  Evidence request: E-NET-03
  Question: Does the organization define, control and review organization-approved, secure remote access methods?

NET-14.1  Network Security: Automated Monitoring & Control  [Weighting 1 | Detect | X]
  Control:  Automated mechanisms exist to monitor and control remote access sessions.
  Question: Does the organization use automated mechanisms to monitor and control remote access sessions?

NET-14.2  Network Security: Protection of Confidentiality / Integrity Using Encryption  [Weighting 9 | Protect | X]
  Control:  Cryptographic mechanisms exist to protect the confidentiality and integrity of remote access sessions (e.g., VPN).
  Question: Are cryptographic mechanisms utilized to protect the confidentiality and integrity of remote access sessions (e.g., VPN)?

NET-14.3  Network Security: Managed Access Control Points  [Weighting 9 | Protect | X X]
  Control:  Mechanisms exist to route all remote accesses through managed network access control points (e.g., VPN concentrator).
  Question: Does the organization route all remote accesses through managed network access control points (e.g., VPN concentrator)?

NET-14.4  Network Security: Remote Privileged Commands & Sensitive Data Access  [Weighting 8 | Protect | X X]
  Control:  Mechanisms exist to restrict the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs.
  Question: Does the organization restrict the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs?

79 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) 03/12/2024

NET-14.5 | Network Security | Work From Anywhere (WFA) - Telecommuting Security | ERL: E-NET-03 | Weighting: 10 | Function: Protect | X X X
Control: Mechanisms exist to define secure telecommuting practices and govern remote access to systems and data for remote workers.
Question: Does the organization define secure telecommuting practices and govern remote access to systems and data for remote workers?

NET-14.6 | Network Security | Third-Party Remote Access Governance | Weighting: 8 | Function: Protect | X X
Control: Mechanisms exist to proactively control and monitor third-party accounts used to access, support, or maintain system components via remote access.
Question: Does the organization proactively control and monitor third-party accounts used to access, support, or maintain system components via remote access?

NET-14.7 | Network Security | Endpoint Security Validation | Weighting: 6 | Function: Protect | X X
Control: Mechanisms exist to validate software versions/patch levels and control remote devices connecting to corporate networks or storing and accessing organization information.
Examples:
- CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
- NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization validate software versions/patch levels and control remote devices connecting to corporate networks or storing and accessing organization information?

NET-14.8 | Network Security | Expeditious Disconnect / Disable Capability | Weighting: 8 | Function: Protect | X X
Control: Mechanisms exist to provide the capability to expeditiously disconnect or disable a user's remote access session.
Question: Does the organization provide the capability to expeditiously disconnect or disable a user's remote access session?

NET-15 | Network Security | Wireless Networking | Weighting: 9 | Function: Protect | X X X
Control: Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.
Question: Does the organization control authorized wireless usage and monitor for unauthorized wireless access?

NET-15.1 | Network Security | Authentication & Encryption | Weighting: 9 | Function: Protect | X
Control: Mechanisms exist to protect wireless access through authentication and strong encryption.
Question: Does the organization protect wireless access through authentication and strong encryption?

NET-15.2 | Network Security | Disable Wireless Networking | Weighting: 5 | Function: Protect | X
Control: Mechanisms exist to disable unnecessary wireless networking capabilities that are internally embedded within system components prior to issuance to end users.
Question: Does the organization disable unnecessary wireless networking capabilities that are internally embedded within system components prior to issuance to end users?

NET-15.3 | Network Security | Restrict Configuration By Users | Weighting: 8 | Function: Protect | X
Control: Mechanisms exist to identify and explicitly authorize users who are allowed to independently configure wireless networking capabilities.
Question: Does the organization identify and explicitly authorize users who are allowed to independently configure wireless networking capabilities?

NET-15.4 | Network Security | Wireless Boundaries | Weighting: 5 | Function: Protect | X X
Control: Mechanisms exist to confine wireless communications to organization-controlled boundaries.
Question: Does the organization confine wireless communications to organization-controlled boundaries?

NET-15.5 | Network Security | Rogue Wireless Detection | ERL: E-NET-02 | Weighting: 8 | Function: Detect | X X
Control: Mechanisms exist to test for the presence of Wireless Access Points (WAPs) and identify all authorized and unauthorized WAPs within the facility(ies).
Question: Does the organization test for the presence of Wireless Access Points (WAPs) and identify all authorized and unauthorized WAPs within the facility(ies)?

NET-16 | Network Security | Intranets | Weighting: 8 | Function: Protect | X X
Control: Mechanisms exist to establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to:
▪ Access the intranet from external systems; and
▪ Process, store, and/or transmit organization-controlled information using the external systems.
Question: Does the organization establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to:
▪ Access the intranet from external systems; and
▪ Process, store, and/or transmit organization-controlled information using the external systems?

NET-17 | Network Security | Data Loss Prevention (DLP) | Weighting: 8 | Function: Protect | X X
Control: Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.
Examples:
- Data Loss Prevention (DLP)
Question: Does the organization use automated mechanisms to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed?

NET-18 | Network Security | DNS & Content Filtering | ERL: E-NET-01 | Weighting: 9 | Function: Protect | X X
Control: Mechanisms exist to force Internet-bound network traffic through a proxy device for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.
Question: Does the organization force Internet-bound network traffic through a proxy device for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites?

NET-18.1 | Network Security | Route Traffic to Proxy Servers | ERL: E-NET-01 | Weighting: 9 | Function: Protect | X
Control: Mechanisms exist to route internal communications traffic to external networks through organization-approved proxy servers at managed interfaces.
Question: Does the organization route internal communications traffic to external networks through organization-approved proxy servers at managed interfaces?

NET-18.2 | Network Security | Visibility of Encrypted Communications | Weighting: 5 | Function: Detect | X X
Control: Mechanisms exist to configure the proxy to make encrypted communications traffic visible to monitoring tools and mechanisms.
Question: Does the organization configure the proxy to make encrypted communications traffic visible to monitoring tools and mechanisms?

NET-18.3 | Network Security | Route Privileged Network Access | Weighting: 1 | Function: Detect | X
Control: Automated mechanisms exist to route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
Question: Does the organization use automated mechanisms to route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing?

PES-01 | Physical & Environmental Security | Physical & Environmental Protections | ERL: E-PES-01 | Weighting: 9 | Function: Protect | X X X
Control: Mechanisms exist to facilitate the operation of physical and environmental protection controls.
Question: Does the organization facilitate the operation of physical and environmental protection controls?

PES-01.1 | Physical & Environmental Security | Site Security Plan (SitePlan) | ERL: E-PES-04 | Weighting: 4 | Function: Identify | X X
Control: Mechanisms exist to document a Site Security Plan (SitePlan) for each server and communications room to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats.
Question: Does the organization document a Site Security Plan (SitePlan) for each server and communications room to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats?

PES-02 | Physical & Environmental Security | Physical Access Authorizations | ERL: E-PES-03 | Weighting: 7 | Function: Protect | X X
Control: Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).
Question: Does the organization maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible)?

PES-02.1 | Physical & Environmental Security | Role-Based Physical Access | ERL: E-PES-03 | Weighting: 9 | Function: Protect | X X
Control: Physical access control mechanisms exist to authorize physical access to facilities based on the position or role of the individual.
Question: Does the organization authorize physical access to facilities based on the position or role of the individual?

PES-02.2 | Physical & Environmental Security | Dual Authorization for Physical Access | Weighting: 2 | Function: Protect | X
Control: Mechanisms exist to enforce a "two-person rule" for physical access by requiring two authorized individuals with separate access cards, keys or PINs, to access highly-sensitive areas (e.g., safe, high-security cage, etc.).
Question: Does the organization enforce a "two-person rule" for physical access by requiring two authorized individuals with separate access cards, keys or PINs, to access highly-sensitive areas (e.g., safe, high-security cage, etc.)?

PES-03 | Physical & Environmental Security | Physical Access Control | ERL: E-PES-02 | Weighting: 10 | Function: Protect | X X
Control: Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).
Examples:
- Security guards
- Verify individual access authorizations before granting access to the facility.
- Control entry to the facility containing the system using physical access devices and/or guards.
- Control access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk.
Question: Does the organization enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible)?

PES-03.1 | Physical & Environmental Security | Controlled Ingress & Egress Points | Weighting: 9 | Function: Protect | X
Control: Physical access control mechanisms exist to limit and monitor physical access through controlled ingress and egress points.
Question: Does the organization limit and monitor physical access through controlled ingress and egress points?

PES-03.2 | Physical & Environmental Security | Lockable Physical Casings | Weighting: 5 | Function: Protect | X X
Control: Physical access control mechanisms exist to protect system components from unauthorized physical access (e.g., lockable physical casings).
Examples:
- CCTV
- Lockable server/network racks
- Logged access badges to access server rooms
Question: Does the organization protect system components from unauthorized physical access (e.g., lockable physical casings)?

PES-03.3 | Physical & Environmental Security | Physical Access Logs | ERL: E-PES-02 | Weighting: 6 | Function: Protect | X X
Control: Physical access control mechanisms exist to generate a log entry for each access through controlled ingress and egress points.
Examples:
- Visitor logbook
- iLobby (https://goilobby.com/)
- The Receptionist (https://thereceptionist.com/)
- LobbyGuard (http://lobbyguard.com/)
Question: Does the organization generate a log entry for each access through controlled ingress and egress points?

PES-03.4 | Physical & Environmental Security | Access To Information Systems | Weighting: 5 | Function: Protect | X X
Control: Physical access control mechanisms exist to enforce physical access to critical information systems or sensitive/regulated data, in addition to the physical access controls for the facility.
Question: Does the organization enforce physical access to critical information systems or sensitive/regulated data, in addition to the physical access controls for the facility?

PES-04 | Physical & Environmental Security | Physical Security of Offices, Rooms & Facilities | Weighting: 10 | Function: Protect | X
Control: Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.
Examples:
- "clean desk" policy
- Management spot checks
Question: Does the organization identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities?

PES-04.1 | Physical & Environmental Security | Working in Secure Areas | Weighting: 10 | Function: Protect | X
Control: Physical security mechanisms exist to allow only authorized personnel access to secure areas.
Examples:
- Visitor escorts
Question: Does the organization allow only authorized personnel access to secure areas?

PES-04.2 | Physical & Environmental Security | Searches | Weighting: 1 | Function: Detect | X
Control: Physical access control mechanisms exist to inspect personnel and their personal effects (e.g., personal property ordinarily worn or carried by the individual, including vehicles) to prevent the unauthorized exfiltration of data and technology assets.
Question: Does the organization inspect personnel and their personal effects (e.g., personal property ordinarily worn or carried by the individual, including vehicles) to prevent the unauthorized exfiltration of data and technology assets?

PES-04.3 | Physical & Environmental Security | Temporary Storage | Weighting: 2 | Function: Protect | X
Control: Physical access control mechanisms exist to temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards.
Question: Does the organization temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards?

PES-05 | Physical & Environmental Security | Monitoring Physical Access | Weighting: 7 | Function: Detect | X X X
Control: Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.
Question: Does the organization monitor for, detect and respond to physical security incidents?

PES-05.1 | Physical & Environmental Security | Intrusion Alarms / Surveillance Equipment | Weighting: 9 | Function: Detect | X X
Control: Physical access control mechanisms exist to monitor physical intrusion alarms and surveillance equipment.
Examples:
- CCTV
Question: Does the organization monitor physical intrusion alarms and surveillance equipment?

PES-05.2 | Physical & Environmental Security | Monitoring Physical Access To Information Systems | Weighting: 5 | Function: Detect | X X
Control: Facility security mechanisms exist to monitor physical access to critical information systems or sensitive/regulated data, in addition to the physical access monitoring of the facility.
Question: Does the organization monitor physical access to critical information systems or sensitive/regulated data, in addition to the physical access monitoring of the facility?

PES-06 | Physical & Environmental Security | Visitor Control | ERL: E-PES-02 | Weighting: 9 | Function: Protect | X
Control: Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).
Examples:
- Visitor logbook
- iLobby (https://goilobby.com/)
- The Receptionist (https://thereceptionist.com/)
- LobbyGuard (http://lobbyguard.com/)
Question: Does the organization identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible)?

PES-06.1 | Physical & Environmental Security | Distinguish Visitors from On-Site Personnel | Weighting: 8 | Function: Protect | X
Control: Physical access control mechanisms exist to easily distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible.
Examples:
- Visible badges for visitors that are different from organizational personnel
Question: Does the organization easily distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible?

PES-06.2 | Physical & Environmental Security | Identification Requirement | Weighting: 8 | Function: Protect | X
Control: Physical access control mechanisms exist to require at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility.
Question: Does the organization require at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility?

PES-06.3 | Physical & Environmental Security | Restrict Unescorted Access | Weighting: 10 | Function: Protect | X
Control: Physical access control mechanisms exist to restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validate the need for access.
Question: Does the organization restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validate the need for access?

PES-06.4 | Physical & Environmental Security | Automated Records Management & Review | ERL: E-PES-02 | Weighting: 5 | Function: Protect | X X
Control: Automated mechanisms exist to facilitate the maintenance and review of visitor access records.
Question: Does the organization use automated mechanisms to facilitate the maintenance and review of visitor access records?

PES-06.5 | Physical & Environmental Security | Minimize Visitor Personal Data (PD) | Weighting: 3 | Function: Protect | X X
Control: Mechanisms exist to minimize the collection of Personal Data (PD) contained in visitor access records.
Question: Does the organization minimize the collection of Personal Data (PD) contained in visitor access records?

PES-06.6 | Physical & Environmental Security | Visitor Access Revocation | Weighting: 7 | Function: Protect | X X
Control: Mechanisms exist to ensure visitor badges, or other issued identification, are surrendered before visitors leave the facility or are deactivated at a pre-determined time/date of expiration.
Question: Does the organization ensure visitor badges, or other issued identification, are surrendered before visitors leave the facility or are deactivated at a pre-determined time/date of expiration?

PES-07 | Physical & Environmental Security | Supporting Utilities | ERL: E-PES-01 | Weighting: 9 | Function: Protect | X
Control: Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.
Question: Does the organization protect power equipment and power cabling for the system from damage and destruction?

PES-07.1 | Physical & Environmental Security | Automatic Voltage Controls | Weighting: 8 | Function: Protect | X
Control: Facility security mechanisms exist to utilize automatic voltage controls for critical system components.
Question: Does the organization utilize automatic voltage controls for critical system components?

PES-07.2 | Physical & Environmental Security | Emergency Shutoff | Weighting: 8 | Function: Protect | X
Control: Facility security mechanisms exist to shut off power in emergency situations by:
▪ Placing emergency shutoff switches or devices in close proximity to systems or system components to facilitate safe and easy access for personnel; and
▪ Protecting emergency power shutoff capability from unauthorized activation.
Question: Does the organization shut off power in emergency situations by:
▪ Placing emergency shutoff switches or devices in close proximity to systems or system components to facilitate safe and easy access for personnel; and
▪ Protecting emergency power shutoff capability from unauthorized activation?

PES-07.3 | Physical & Environmental Security | Emergency Power | Weighting: 8 | Function: Protect | X
Control: Facility security mechanisms exist to supply alternate power, capable of maintaining minimally-required operational capability, in the event of an extended loss of the primary power source.
Question: Does the organization supply alternate power, capable of maintaining minimally-required operational capability, in the event of an extended loss of the primary power source?

PES-07.4 | Physical & Environmental Security | Emergency Lighting | Weighting: 7 | Function: Protect | X
Control: Facility security mechanisms exist to utilize and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Question: Does the organization utilize and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility?

PES-07.5 | Physical & Environmental Security | Water Damage Protection | Weighting: 8 | Function: Protect | X
Control: Facility security mechanisms exist to protect systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly and known to key personnel.
Examples:
- Water leak sensors
- Humidity sensors
Question: Does the organization protect systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly and known to key personnel?

PES-07.6 | Physical & Environmental Security | Automation Support for Water Damage Protection | Weighting: 5 | Function: Protect | X
Control: Facility security mechanisms exist to detect the presence of water in the vicinity of critical information systems and alert facility maintenance and IT personnel.
Question: Does the organization detect the presence of water in the vicinity of critical information systems and alert facility maintenance and IT personnel?

PES-07.7 | Physical & Environmental Security | Redundant Cabling | Weighting: 2 | Function: Protect | X
Control: Mechanisms exist to employ redundant power cabling paths that are physically separated to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged.
Question: Does the organization employ redundant power cabling paths that are physically separated to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged?

PES-08 | Physical & Environmental Security | Fire Protection | ERL: E-PES-01 | Weighting: 7 | Function: Protect | X
Control: Facility security mechanisms exist to utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source.
Question: Does the organization utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source?

PES-08.1 | Physical & Environmental Security | Fire Detection Devices | Weighting: 9 | Function: Detect | X
Control: Facility security mechanisms exist to utilize and maintain fire detection devices/systems that activate automatically and notify organizational personnel and emergency responders in the event of a fire.
Question: Does the organization utilize and maintain fire detection devices/systems that activate automatically and notify organizational personnel and emergency responders in the event of a fire?

PES-08.2 | Physical & Environmental Security | Fire Suppression Devices | Weighting: 3 | Function: Protect | X
Control: Facility security mechanisms exist to utilize fire suppression devices/systems that provide automatic notification of any activation to organizational personnel and emergency responders.
Question: Does the organization utilize fire suppression devices/systems that provide automatic notification of any activation to organizational personnel and emergency responders?

PES-08.3 | Physical & Environmental Security | Automatic Fire Suppression | Weighting: 5 | Function: Respond | X X
Control: Facility security mechanisms exist to employ an automatic fire suppression capability for critical information systems when the facility is not staffed on a continuous basis.
Question: Does the organization employ an automatic fire suppression capability for critical information systems when the facility is not staffed on a continuous basis?

PES-09 | Physical & Environmental Security | Temperature & Humidity Controls | ERL: E-PES-01 | Weighting: 9 | Function: Protect | X X
Control: Facility security mechanisms exist to maintain and monitor temperature and humidity levels within the facility.
Question: Does the organization maintain and monitor temperature and humidity levels within the facility?

PES-09.1 | Physical & Environmental Security | Monitoring with Alarms / Notifications | Weighting: 8 | Function: Detect | X X
Control: Facility security mechanisms exist to trigger an alarm or notification of temperature and humidity changes that are potentially harmful to personnel or equipment.
Question: Does the organization trigger an alarm or notification of temperature and humidity changes that are potentially harmful to personnel or equipment?

PES-10 | Physical & Environmental Security | Delivery & Removal | Weighting: 8 | Function: Protect | X X
Control: Physical security mechanisms exist to isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access.
Question: Does the organization isolate information processing facilities from points such as delivery and loading areas and other points to avoid unauthorized access?

PES-11 | Physical & Environmental Security | Alternate Work Site | Weighting: 8 | Function: Protect | X X
Control: Physical security mechanisms exist to utilize appropriate management, operational and technical controls at alternate work sites.
Question: Does the organization utilize appropriate management, operational and technical controls at alternate work sites?

PES-12 | Physical & Environmental Security | Equipment Siting & Protection | Weighting: 9 | Function: Protect | X X X
Control: Physical security mechanisms exist to locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Question: Does the organization locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access?

PES-12.1 | Physical & Environmental Security | Transmission Medium Security | Weighting: 9 | Function: Protect | X X
Control: Physical security mechanisms exist to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage.
Question: Does the organization protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage?

PES-12.2 | Physical & Environmental Security | Access Control for Output Devices | Weighting: 8 | Function: Protect | X X
Control: Physical security mechanisms exist to restrict access to printers and other system output devices to prevent unauthorized individuals from obtaining the output.
Examples:
- Printer management (print only when at the printer with proximity card or code)
Question: Does the organization restrict access to printers and other system output devices to prevent unauthorized individuals from obtaining the output?

PES-13 | Physical & Environmental Security | Information Leakage Due To Electromagnetic Signals Emanations | Weighting: 5 | Function: Protect | X
Control: Facility security mechanisms exist to protect the system from information leakage due to electromagnetic signals emanations.
Question: Does the organization protect the system from information leakage due to electromagnetic signals emanations?

PES-14 | Physical & Environmental Security | Asset Monitoring and Tracking | Weighting: 6 | Function: Detect | X X
Control: Physical security mechanisms exist to employ asset location technologies that track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.
Examples:
- RFID tagging
Question: Does the organization employ asset location technologies that track and monitor the location and movement of organization-defined assets within organization-defined controlled areas?

PES-15 | Physical & Environmental Security | Electromagnetic Pulse (EMP) Protection | Weighting: 1 | Function: Protect | X
Control: Physical security mechanisms exist to employ safeguards against Electromagnetic Pulse (EMP) damage for systems and system components.
Examples:
- EMP shielding (Faraday cages)
Question: Does the organization employ safeguards against Electromagnetic Pulse (EMP) damage for systems and system components?

PES-16 | Physical & Environmental Security | Component Marking | Weighting: 3 | Function: Protect | X
Control: Physical security mechanisms exist to mark system hardware components indicating the impact or classification level of the information permitted to be processed, stored or transmitted by the hardware component.
Question: Does the organization mark system hardware components indicating the impact or classification level of the information permitted to be processed, stored or transmitted by the hardware component?

PES-17 | Physical & Environmental Security | Proximity Sensor | Weighting: 9 | Function: Protect | X X
Control: Automated mechanisms exist to monitor physical proximity to robotic or autonomous platforms to reduce applied force or stop the operation when sensors indicate a potentially dangerous scenario.
Question: Does the organization use automated mechanisms to monitor physical proximity to robotic or autonomous platforms to reduce applied force or stop the operation when sensors indicate a potentially dangerous scenario?

PES-18 | Physical & Environmental Security | On-Site Client Segregation | Weighting: 6 | Function: Protect | X X
Control: Mechanisms exist to ensure client-specific Intellectual Property (IP) is isolated from other data when client-specific IP is processed or stored within multi-client workspaces.
Question: Does the organization ensure client-specific Intellectual Property (IP) is isolated from other data when client-specific IP is processed or stored within multi-client workspaces?

PRI-01 | Data Privacy | Data Privacy Program
Control: Mechanisms exist to facilitate the implementation and operation of data privacy controls.
Evidence Request List: E-GOV-02, E-GOV-08
Assessment question: Does the organization facilitate the implementation and operation of data privacy controls?
Weighting: 10 | Function: Identify | X X X

PRI-01.1 | Data Privacy | Chief Privacy Officer (CPO)
Control: Mechanisms exist to appoint a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable data privacy requirements and manage data privacy risks through the organization-wide data privacy program.
Evidence Request List: E-HRS-08
Assessment question: Does the organization appoint a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable data privacy requirements and manage data privacy risks through the organization-wide data privacy program?
Weighting: 3 | Function: Identify | X X

PRI-01.2 | Data Privacy | Privacy Act Statements
Control: Mechanisms exist to provide additional formal notice to individuals from whom the information is being collected that includes:
▪ Notice of the authority of organizations to collect Personal Data (PD);
▪ Whether providing Personal Data (PD) is mandatory or optional;
▪ The principal purpose or purposes for which the Personal Data (PD) is to be used;
▪ The intended disclosures or routine uses of the information; and
▪ The consequences of not providing all or some portion of the information requested.
Assessment question: Does the organization provide additional formal notice to individuals from whom the information is being collected that includes:
▪ Notice of the authority of organizations to collect Personal Data (PD);
▪ Whether providing Personal Data (PD) is mandatory or optional;
▪ The principal purpose or purposes for which the Personal Data (PD) is to be used;
▪ The intended disclosures or routine uses of the information; and
▪ The consequences of not providing all or some portion of the information requested?
Weighting: 2 | Function: Identify | X

PRI-01.3 | Data Privacy | Dissemination of Data Privacy Program Information
Control: Mechanisms exist to:
▪ Ensure that the public has access to information about organizational data privacy activities and can communicate with its Chief Privacy Officer (CPO) or similar role;
▪ Ensure that organizational data privacy practices are publicly available through organizational websites or otherwise; and
▪ Utilize publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to data privacy office(s) regarding data privacy practices.
Assessment question: Does the organization:
▪ Ensure that the public has access to information about organizational data privacy activities and can communicate with its Chief Privacy Officer (CPO) or similar role;
▪ Ensure that organizational data privacy practices are publicly available through organizational websites or otherwise; and
▪ Utilize publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to data privacy office(s) regarding data privacy practices?
Weighting: 5 | Function: Identify | X X

PRI-01.4 | Data Privacy | Data Protection Officer (DPO)
Control: Mechanisms exist to appoint a Data Protection Officer (DPO):
▪ On the basis of professional qualities; and
▪ To be involved in all issues related to the protection of personal data.
Evidence Request List: E-HRS-10
Assessment question: Does the organization appoint a Data Protection Officer (DPO):
▪ On the basis of professional qualities; and
▪ To be involved in all issues related to the protection of personal data?
Weighting: 7 | Function: Identify | X X

PRI-01.5 | Data Privacy | Binding Corporate Rules (BCR)
Control: Mechanisms exist to implement and manage Binding Corporate Rules (BCR) (e.g., data sharing agreement) to legally bind all parties engaged in a joint economic activity that contractually states enforceable rights on data subjects with regard to the processing of their personal data.
Evidence Request List: E-PRI-05
Assessment question: Does the organization implement and manage Binding Corporate Rules (BCR) (e.g., data sharing agreement) to legally bind all parties engaged in a joint economic activity that contractually states enforceable rights on data subjects with regard to the processing of their personal data?
Weighting: 5 | Function: Identify | X X

PRI-01.6 | Data Privacy | Security of Personal Data
Control: Mechanisms exist to ensure Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.
Assessment question: Does the organization ensure Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD?
Weighting: 7 | Function: Protect | X X

PRI-01.7 | Data Privacy | Limiting Personal Data Disclosures
Control: Mechanisms exist to limit the disclosure of Personal Data (PD) to authorized parties for the sole purpose for which the PD was obtained.
Assessment question: Does the organization limit the disclosure of Personal Data (PD) to authorized parties for the sole purpose for which the PD was obtained?
Weighting: 7 | Function: Protect | X

PRI-02 | Data Privacy | Data Privacy Notice
Control: Mechanisms exist to:
▪ Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary;
▪ Ensure that data privacy notices are clear and easy to understand, expressing information about Personal Data (PD) processing in plain language that meets all legal obligations; and
▪ Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice.
Evidence Request List: E-PRI-08
Assessment question: Does the organization:
▪ Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary;
▪ Ensure that data privacy notices are clear and easy to understand, expressing information about Personal Data (PD) processing in plain language that meets all legal obligations; and
▪ Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice?
Weighting: 7 | Function: Identify | X

PRI-02.1 | Data Privacy | Purpose Specification
Control: Mechanisms exist to identify and document the purpose(s) for which Personal Data (PD) is collected, used, maintained and shared in its data privacy notices.
Assessment question: Does the organization identify and document the purpose(s) for which Personal Data (PD) is collected, used, maintained and shared in its data privacy notices?
Weighting: 7 | Function: Identify | X

PRI-02.2 | Data Privacy | Automated Data Management Processes
Control: Automated mechanisms exist to adjust data that is able to be collected, created, used, disseminated, maintained, retained and/or disclosed, based on updated data subject authorization(s).
Guidance: The organization should identify and address obligations, including legal obligations, to the PD principals resulting from decisions made by the organization which are related to the PD principal based solely on automated processing of PD.
Assessment question: Does the organization use automated mechanisms to adjust data that is able to be collected, created, used, disseminated, maintained, retained and/or disclosed, based on updated data subject authorization(s)?
Weighting: 1 | Function: Identify | X X

PRI-02.3 | Data Privacy | Computer Matching Agreements (CMA)
Control: Mechanisms exist to publish Computer Matching Agreements (CMA) on the public website of the organization.
Assessment question: Does the organization publish Computer Matching Agreements (CMA) on the public website of the organization?
Weighting: 1 | Function: Identify | X X

PRI-02.4 | Data Privacy | System of Records Notice (SORN)
Control: Mechanisms exist to draft, publish and keep System of Records Notices (SORN) updated in accordance with regulatory guidance.
Assessment question: Does the organization draft, publish and keep System of Records Notices (SORN) updated in accordance with regulatory guidance?
Weighting: 1 | Function: Identify | X X

Licensed by Creative Commons Attribution-NoDerivatives

PRI-02.5 | Data Privacy | System of Records Notice (SORN) Review Process
Control: Mechanisms exist to review all routine uses of data published in the System of Records Notices (SORN) to ensure continued accuracy and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.
Assessment question: Does the organization review all routine uses of data published in the System of Records Notices (SORN) to ensure continued accuracy and to ensure that routine uses continue to be compatible with the purpose for which the information was collected?
Weighting: 1 | Function: Identify | X

PRI-02.6 | Data Privacy | Privacy Act Exemptions
Control: Mechanisms exist to review all Privacy Act exemptions claimed for the System of Records Notices (SORN) to ensure they remain appropriate and accurate.
Assessment question: Does the organization review all Privacy Act exemptions claimed for the System of Records Notices (SORN) to ensure they remain appropriate and accurate?
Weighting: 1 | Function: Identify | X

PRI-02.7 | Data Privacy | Real-Time or Layered Notice
Control: Mechanisms exist to provide real-time and/or layered notice when Personal Data (PD) is collected that provides data subjects with a summary of key points or more detailed information that is specific to the organization's data privacy notice.
Assessment question: Does the organization provide real-time and/or layered notice when Personal Data (PD) is collected that provides data subjects with a summary of key points or more detailed information that is specific to the organization's data privacy notice?
Weighting: 2 | Function: Identify | X

PRI-03 | Data Privacy | Choice & Consent
Control: Mechanisms exist to authorize the processing of their Personal Data (PD) prior to its collection that:
▪ Uses plain language and provides examples to illustrate the potential data privacy risks of the authorization; and
▪ Provides a means for users to decline the authorization.
Methods to comply: "opt in" vs "opt out" user selections
Assessment question: Does the organization authorize the processing of their Personal Data (PD) prior to its collection that:
▪ Uses plain language and provides examples to illustrate the potential data privacy risks of the authorization; and
▪ Provides a means for users to decline the authorization?
Weighting: 7 | Function: Identify | X

PRI-03.1 | Data Privacy | Tailored Consent
Control: Mechanisms exist to allow data subjects to modify the use permissions to selected attributes of their Personal Data (PD).
Assessment question: Does the organization allow data subjects to modify the use permissions to selected attributes of their Personal Data (PD)?
Weighting: 1 | Function: Identify | X

PRI-03.2 | Data Privacy | Just-In-Time Notice & Updated Consent
Control: Mechanisms exist to present authorizations to process Personal Data (PD) in conjunction with the data action, when:
▪ The original circumstances under which an individual gave consent have changed; or
▪ A significant amount of time has passed since an individual gave consent.
Assessment question: Does the organization present authorizations to process Personal Data (PD) in conjunction with the data action, when:
▪ The original circumstances under which an individual gave consent have changed; or
▪ A significant amount of time has passed since an individual gave consent?
Weighting: 1 | Function: Identify | X

PRI-03.3 | Data Privacy | Prohibition Of Selling or Sharing Personal Data
Control: Mechanisms exist to prevent the sale or sharing of Personal Data (PD) when instructed by the data subject.
Assessment question: Does the organization prevent the sale or sharing of Personal Data (PD) when instructed by the data subject?
Weighting: 5 | Function: Identify | X

PRI-03.4 | Data Privacy | Revoke Consent
Control: Mechanisms exist to allow data subjects to revoke consent to the processing of their Personal Data (PD).
Assessment question: Does the organization allow data subjects to revoke consent to the processing of their Personal Data (PD)?
Weighting: 3 | Function: Respond | X

PRI-03.5 | Data Privacy | Product or Service Delivery Restrictions
Control: Mechanisms exist to prohibit the refusal of products and/or services on the grounds that a data subject does not agree to the processing of Personal Data (PD) or withdraws consent.
Methods to comply: Privacy Program
Assessment question: Does the organization prohibit the refusal of products and/or services on the grounds that a data subject does not agree to the processing of Personal Data (PD) or withdraws consent?
Weighting: 7 | Function: Identify | X X

PRI-03.6 | Data Privacy | Authorized Agent
Control: Mechanisms exist to allow data subjects to authorize another person or entity, acting on the data subject's behalf, to make Personal Data (PD) processing decisions.
Assessment question: Does the organization allow data subjects to authorize another person or entity, acting on the data subject's behalf, to make Personal Data (PD) processing decisions?
Weighting: 6 | Function: Protect | X

PRI-03.7 | Data Privacy | Active Participation By Data Subjects
Control: Mechanisms exist to compel data subjects to select the level of consent deemed appropriate by the data subject for the relevant business purpose (e.g., opt-in, opt-out, accept all cookies, etc.).
Assessment question: Does the organization compel data subjects to select the level of consent deemed appropriate by the data subject for the relevant business purpose (e.g., opt-in, opt-out, accept all cookies, etc.)?
Weighting: 3 | Function: Protect | X

PRI-03.8 | Data Privacy | Global Privacy Control (GPC)
Control: Automated mechanisms exist to provide data subjects with functionality to exercise pre-selected opt-out preferences (e.g., opt-out signal).
Assessment question: Does the organization use automated mechanisms to provide data subjects with functionality to exercise pre-selected opt-out preferences (e.g., opt-out signal)?
Weighting: 5 | Function: Protect | X

PRI-04 | Data Privacy | Restrict Collection To Identified Purpose
Control: Mechanisms exist to collect Personal Data (PD) only for the purposes identified in the data privacy notice and include protections against collecting PD from minors without appropriate parental, or legal guardian, consent.
Evidence Request List: E-PRI-02
Assessment question: Does the organization collect Personal Data (PD) only for the purposes identified in the data privacy notice and include protections against collecting PD from minors without appropriate parental, or legal guardian, consent?
Weighting: 7 | Function: Identify | X


PRI-04.1 | Data Privacy | Authority To Collect, Use, Maintain & Share Personal Data
Control: Mechanisms exist to determine and document the legal authority that permits the collection, use, maintenance and sharing of Personal Data (PD), either generally or in support of a specific program or system need.
Evidence Request List: E-PRI-02
Assessment question: Does the organization determine and document the legal authority that permits the collection, use, maintenance and sharing of Personal Data (PD), either generally or in support of a specific program or system need?
Weighting: 7 | Function: Identify | X

PRI-04.2 | Data Privacy | Primary Sources
Control: Mechanisms exist to ensure information is directly collected from the data subject, whenever possible.
Assessment question: Does the organization ensure information is directly collected from the data subject, whenever possible?
Weighting: 7 | Function: Identify | X

PRI-04.3 | Data Privacy | Identifiable Image Collection
Control: Mechanisms exist to restrict the collection, processing, storage and sharing of photographic and/or video surveillance image collection that can identify individuals to legitimate business needs.
Methods to comply: Privacy Program
Assessment question: Does the organization restrict the collection, processing, storage and sharing of photographic and/or video surveillance image collection that can identify individuals to legitimate business needs?
Weighting: 7 | Function: Identify | X X

PRI-04.4 | Data Privacy | Acquired Personal Data
Control: Mechanisms exist to promptly inform data subjects of the utilization purpose when their Personal Data (PD) is acquired and not received directly from the data subject, except where that utilization purpose was disclosed in advance to the data subject.
Assessment question: Does the organization promptly inform data subjects of the utilization purpose when their Personal Data (PD) is acquired and not received directly from the data subject, except where that utilization purpose was disclosed in advance to the data subject?
Weighting: 6 | Function: Identify | X

PRI-04.5 | Data Privacy | Validate Collected Personal Data
Control: Mechanisms exist to ensure that the data subject, or authorized representative, validates Personal Data (PD) during the collection process.
Assessment question: Does the organization ensure that the data subject, or authorized representative, validates Personal Data (PD) during the collection process?
Weighting: 1 | Function: Identify | X

PRI-04.6 | Data Privacy | Re-Validate Collected Personal Data
Control: Mechanisms exist to ensure that the data subject, or authorized representative, re-validates that Personal Data (PD) acquired during the collection process is still accurate.
Assessment question: Does the organization ensure that the data subject, or authorized representative, re-validates that Personal Data (PD) acquired during the collection process is still accurate?
Weighting: 1 | Function: Identify | X

PRI-05 | Data Privacy | Personal Data Retention & Disposal
Control: Mechanisms exist to:
▪ Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;
▪ Dispose of, destroy, erase and/or anonymize the PD, regardless of the method of storage; and
▪ Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).
Evidence Request List: E-AST-11, E-PRI-02
Assessment question: Does the organization:
▪ Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;
▪ Dispose of, destroy, erase and/or anonymize the PD, regardless of the method of storage; and
▪ Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records)?
Weighting: 8 | Function: Identify | X X

PRI-05.1 | Data Privacy | Internal Use of Personal Data For Testing, Training and Research
Control: Mechanisms exist to address the use of Personal Data (PD) for internal testing, training and research that:
▪ Takes measures to limit or minimize the amount of PD used for internal testing, training and research purposes; and
▪ Authorizes the use of PD when such information is required for internal testing, training and research.
Evidence Request List: E-PRI-02
Assessment question: Does the organization address the use of Personal Data (PD) for internal testing, training and research that:
▪ Takes measures to limit or minimize the amount of PD used for internal testing, training and research purposes; and
▪ Authorizes the use of PD when such information is required for internal testing, training and research?
Weighting: 8 | Function: Identify | X

PRI-05.2 | Data Privacy | Personal Data Accuracy & Integrity
Control: Mechanisms exist to confirm the accuracy and relevance of Personal Data (PD) throughout the information lifecycle.
Assessment question: Does the organization confirm the accuracy and relevance of Personal Data (PD) throughout the information lifecycle?
Weighting: 5 | Function: Identify | X

PRI-05.3 | Data Privacy | Data Masking
Control: Mechanisms exist to mask sensitive information through data anonymization, pseudonymization, redaction or de-identification.
Assessment question: Does the organization mask sensitive information through data anonymization, pseudonymization, redaction or de-identification?
Weighting: 8 | Function: Identify | X X

PRI-05.4 | Data Privacy | Usage Restrictions of Sensitive Personal Data
Control: Mechanisms exist to restrict the use of Personal Data (PD) to only the authorized purpose(s) consistent with applicable laws, regulations and in data privacy notices.
Assessment question: Does the organization restrict the use of Personal Data (PD) to only the authorized purpose(s) consistent with applicable laws, regulations and in data privacy notices?
Weighting: 8 | Function: Identify | X X

PRI-05.5 | Data Privacy | Inventory of Personal Data
Control: Mechanisms exist to establish, maintain and update an inventory that contains a listing of all programs and systems identified as collecting, using, maintaining, or sharing Personal Data (PD).
Evidence Request List: E-AST-08
Assessment question: Does the organization establish, maintain and update an inventory that contains a listing of all programs and systems identified as collecting, using, maintaining, or sharing Personal Data (PD)?
Weighting: 8 | Function: Identify | X

PRI-05.6 | Data Privacy | Personal Data Inventory Automation Support
Control: Automated mechanisms exist to determine if Personal Data (PD) is maintained in electronic form.
Assessment question: Does the organization use automated mechanisms to determine if Personal Data (PD) is maintained in electronic form?
Weighting: 1 | Function: Identify | X X


PRI-05.7 | Data Privacy | Personal Data Categories
Control: Mechanisms exist to define and implement data handling and protection requirements for specific categories of sensitive Personal Data (PD).
Evidence Request List: E-PRI-07
Assessment question: Does the organization define and implement data handling and protection requirements for specific categories of sensitive Personal Data (PD)?
Weighting: 5 | Function: Identify | X

PRI-06 | Data Privacy | Data Subject Access
Control: Mechanisms exist to provide data subjects the ability to access their Personal Data (PD) maintained in organizational systems of records.
Evidence Request List: E-PRI-06
Assessment question: Does the organization provide data subjects the ability to access their Personal Data (PD) maintained in organizational systems of records?
Weighting: 6 | Function: Identify | X

PRI-06.1 | Data Privacy | Correcting Inaccurate Personal Data
Control: Mechanisms exist to establish and implement a process for:
▪ Data subjects to have inaccurate Personal Data (PD) maintained by the organization corrected or amended; and
▪ Disseminating corrections or amendments of PD to other authorized users of the PD.
Methods to comply: Data Protection Impact Assessment (DPIA)
Assessment question: Does the organization establish and implement a process for:
▪ Data subjects to have inaccurate Personal Data (PD) maintained by the organization corrected or amended; and
▪ Disseminating corrections or amendments of PD to other authorized users of the PD?
Weighting: 5 | Function: Respond | X

PRI-06.2 | Data Privacy | Notice of Correction or Processing Change
Control: Mechanisms exist to notify affected data subjects if their Personal Data (PD) has been corrected or amended.
Guidance: The organization should, in the case of having general written authorization, inform the customer of any intended changes concerning the addition or replacement of subcontractors to process PD, thereby giving the customer the opportunity to object to such changes.
Assessment question: Does the organization notify affected data subjects if their Personal Data (PD) has been corrected or amended?
Weighting: 4 | Function: Respond | X

PRI-06.3 | Data Privacy | Appeal Adverse Decision
Control: Mechanisms exist to provide an organization-defined process for data subjects to appeal an adverse decision and have incorrect information amended.
Assessment question: Does the organization provide an organization-defined process for data subjects to appeal an adverse decision and have incorrect information amended?
Weighting: 4 | Function: Respond | X X

PRI-06.4 | Data Privacy | User Feedback Management
Control: Mechanisms exist to implement a process for receiving and responding to complaints, concerns or questions from data subjects about the organizational data privacy practices.
Assessment question: Does the organization implement a process for receiving and responding to complaints, concerns or questions from data subjects about the organizational data privacy practices?
Weighting: 5 | Function: Respond | X X

PRI-06.5 | Data Privacy | Right to Erasure
Control: Mechanisms exist to erase personal data of a data subject, without delay.
Assessment question: Does the organization erase personal data of a data subject, without delay?
Weighting: 5 | Function: Respond | X

PRI-06.6 | Data Privacy | Data Portability
Control: Mechanisms exist to export Personal Data (PD) in a structured, commonly used and machine-readable format that allows the data subject to transmit the data to another controller without hindrance.
Assessment question: Does the organization export Personal Data (PD) in a structured, commonly used and machine-readable format that allows the data subject to transmit the data to another controller without hindrance?
Weighting: 3 | Function: Identify | X X

PRI-06.7 | Data Privacy | Personal Data Exportability
Control: Mechanisms exist to digitally export Personal Data (PD) in a secure manner upon request by the data subject.
Assessment question: Does the organization digitally export Personal Data (PD) in a secure manner upon request by the data subject?
Weighting: 5 | Function: Identify | X

PRI-07 | Data Privacy | Information Sharing With Third Parties
Control: Mechanisms exist to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.
Methods to comply: Veris (incident sharing) (http://veriscommunity.net)
Evidence Request List: E-PRI-05, E-TPM-01
Assessment question: Does the organization disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject?
Weighting: 9 | Function: Identify | X X

PRI-07.1 | Data Privacy | Data Privacy Requirements for Contractors & Service Providers
Control: Mechanisms exist to include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers.
Evidence Request List: E-PRI-05, E-TPM-01
Assessment question: Does the organization include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers?
Weighting: 10 | Function: Identify | X X X

PRI-07.2 | Data Privacy | Joint Processing of Personal Data
Control: Mechanisms exist to clearly define and communicate the organization's role in processing Personal Data (PD) in the data processing ecosystem.
Evidence Request List: E-PRI-05, E-TPM-01
Assessment question: Does the organization clearly define and communicate the organization's role in processing Personal Data (PD) in the data processing ecosystem?
Weighting: 5 | Function: Identify | X

PRI-07.3 | Data Privacy | Obligation To Inform Third-Parties
Control: Mechanisms exist to inform applicable third-parties of any modification, deletion or other change that affects shared Personal Data (PD).
Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Assessment question: Does the organization inform applicable third-parties of any modification, deletion or other change that affects shared Personal Data (PD)?
Weighting: 5 | Function: Identify | X


PRI-07.4 | Data Privacy | Reject Unauthorized Disclosure Requests
Control: Mechanisms exist to reject unauthorized disclosure requests.
Methods to comply: Authorized Agent
Assessment question: Does the organization reject unauthorized disclosure requests?
Weighting: 5 | Function: Identify | X

PRI-08 | Data Privacy | Testing, Training & Monitoring
Control: Mechanisms exist to conduct cybersecurity & data privacy testing, training and monitoring activities.
Assessment question: Does the organization conduct cybersecurity & data privacy testing, training and monitoring activities?
Weighting: 8 | Function: Identify | X X

PRI-09 | Data Privacy | Personal Data Lineage
Control: Mechanisms exist to utilize a record of processing activities to maintain a record of Personal Data (PD) that is stored, transmitted and/or processed under the organization's responsibility.
Guidance: The organization should determine and securely maintain the necessary records in support of its obligations for the processing of PD.
Assessment question: Does the organization utilize a record of processing activities to maintain a record of Personal Data (PD) that is stored, transmitted and/or processed under the organization's responsibility?
Weighting: 5 | Function: Identify | X

PRI-10 | Data Privacy | Data Quality Management
Control: Mechanisms exist to issue guidelines ensuring and maximizing the quality, utility, objectivity, integrity, impact determination and de-identification of Personal Data (PD) across the information lifecycle.
Assessment question: Does the organization issue guidelines ensuring and maximizing the quality, utility, objectivity, integrity, impact determination and de-identification of Personal Data (PD) across the information lifecycle?
Weighting: 5 | Function: Identify | X X

PRI-10.1 | Data Privacy | Automation
Control: Automated mechanisms exist to support the evaluation of data quality across the information lifecycle.
Assessment question: Does the organization use automated mechanisms to support the evaluation of data quality across the information lifecycle?
Weighting: 1 | Function: Identify | X X

PRI-10.2 | Data Privacy | Data Analytics Bias
Control: Mechanisms exist to evaluate its analytical processes for potential bias.
Assessment question: Does the organization evaluate its analytical processes for potential bias?
Weighting: 5 | Function: Identify | X

PRI-11 | Data Privacy | Data Tagging
Control: Mechanisms exist to issue data modeling guidelines to support tagging of sensitive/regulated data.
Assessment question: Does the organization issue data modeling guidelines to support tagging of sensitive/regulated data?
Weighting: 3 | Function: Identify | X X

PRI-12 | Data Privacy | Updating Personal Data (PD)
Control: Mechanisms exist to develop processes to identify and record the method under which Personal Data (PD) is updated and the frequency that such updates occur.
Assessment question: Does the organization develop processes to identify and record the method under which Personal Data (PD) is updated and the frequency that such updates occur?
Weighting: 9 | Function: Identify | X X

PRI-13 | Data Privacy | Data Management Board
Control: Mechanisms exist to establish a written charter for a Data Management Board (DMB) and assign organization-defined roles to the DMB.
Methods to comply: Data Management Board (DMB)
Assessment question: Does the organization establish a written charter for a Data Management Board (DMB) and assign organization-defined roles to the DMB?
Weighting: 3 | Function: Identify | X X

PRI-14 | Data Privacy | Data Privacy Records & Reporting
Control: Mechanisms exist to maintain data privacy-related records and develop, disseminate and update reports to internal senior management, as well as external oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory data privacy program mandates.
Assessment question: Does the organization maintain data privacy-related records and develop, disseminate and update reports to internal senior management, as well as external oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory data privacy program mandates?
Weighting: 8 | Function: Identify | X X

PRI-14.1 | Data Privacy | Accounting of Disclosures
Control: Mechanisms exist to develop and maintain an accounting of disclosures of Personal Data (PD) held by the organization and make the accounting of disclosures available to the person named in the record, upon request.
Evidence Request List: E-PRI-01
Assessment question: Does the organization develop and maintain an accounting of disclosures of Personal Data (PD) held by the organization and make the accounting of disclosures available to the person named in the record, upon request?
Weighting: 8 | Function: Identify | X X

PRI-14.2 | Data Privacy | Notification of Disclosure Request To Data Subject
Control: Mechanisms exist to notify data subjects of applicable legal requests to disclose Personal Data (PD).
Assessment question: Does the organization notify data subjects of applicable legal requests to disclose Personal Data (PD)?
Weighting: 5 | Function: Identify | X

PRI-15 | Data Privacy | Register As A Data Controller and/or Data Processor
Control: Mechanisms exist to register as a data controller and/or data processor, including registering databases containing Personal Data (PD) with the appropriate Data Authority, when necessary.
Evidence Request List: E-PRI-03
Assessment question: Does the organization register as a data controller and/or data processor, including registering databases containing Personal Data (PD) with the appropriate Data Authority, when necessary?
Weighting: 3 | Function: Identify | X


PRI-16 | Data Privacy | Potential Human Rights Abuses
Control: Mechanisms exist to constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations.
Methods to comply: Board of Directors (BoD) Ethics Committee
Assessment question: Does the organization constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations?
Weighting: 10 | Function: Protect | X X

PRI-17 | Data Privacy | Data Subject Communications
Control: Mechanisms exist to craft disclosures and communications to data subjects such that the material is readily accessible and written in a manner that is concise, unambiguous and understandable by a reasonable person.
Assessment question: Does the organization craft disclosures and communications to data subjects such that the material is readily accessible and written in a manner that is concise, unambiguous and understandable by a reasonable person?
Weighting: 6 | Function: Protect | X X

PRI-17.1 | Data Privacy | Conspicuous Link To Data Privacy Notice
Control: Mechanisms exist to include a conspicuous link to the organization's data privacy notice on all consumer-facing websites and mobile applications.
Assessment question: Does the organization include a conspicuous link to the organization's data privacy notice on all consumer-facing websites and mobile applications?
Weighting: 4 | Function: Protect | X X

PRI-17.2 | Data Privacy | Notice of Financial Incentive
Control: Mechanisms exist to provide data subjects with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate.
Assessment question: Does the organization provide data subjects with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate?
Weighting: 2 | Function: Identify | X

PRM-01 | Project & Resource Management | Cybersecurity & Data Privacy Portfolio Management
Control: Mechanisms exist to facilitate the implementation of cybersecurity & data privacy-related resource planning controls that define a viable plan for achieving cybersecurity & data privacy objectives.
Evidence Request List: E-PRM-02
Assessment question: Does the organization facilitate the implementation of cybersecurity & data privacy-related resource planning controls that define a viable plan for achieving cybersecurity & data privacy objectives?
Weighting: 8 | Function: Identify | X X

PRM-01.1 | Project & Resource Management | Strategic Plan & Objectives
Control: Mechanisms exist to establish a strategic cybersecurity & data privacy-specific business plan and set of objectives to achieve that plan.
Evidence Request List: E-PRM-01
Assessment question: Does the organization establish a strategic cybersecurity & data privacy-specific business plan and set of objectives to achieve that plan?
Weighting: 5 | Function: Identify | X

PRM-01.2 | Project & Resource Management | Targeted Capability Maturity Levels
Control: Mechanisms exist to define and identify targeted capability maturity levels.
Evidence Request List: E-PRM-04
Assessment question: Does the organization define and identify targeted capability maturity levels?
Weighting: 5 | Function: Identify | X X

PRM-02 | Project & Resource Management | Cybersecurity & Data Privacy Resource Management
Control: Mechanisms exist to address all capital planning and investment requests, including the resources needed to implement the cybersecurity & data privacy programs and document all exceptions to this requirement.
Evidence Request List: E-PRM-02
Assessment question: Does the organization address all capital planning and investment requests, including the resources needed to implement the cybersecurity & data privacy programs and document all exceptions to this requirement?
Weighting: 8 | Function: Identify | X X X

PRM-03 | Project & Resource Management | Allocation of Resources
Control: Mechanisms exist to identify and allocate resources for management, operational, technical and data privacy requirements within business process planning for projects / initiatives.
Evidence Request List: E-PRM-01, E-PRM-02
Assessment question: Does the organization identify and allocate resources for management, operational, technical and data privacy requirements within business process planning for projects / initiatives?
Weighting: 8 | Function: Identify | X X

PRM-04 | Project & Resource Management | Cybersecurity & Data Privacy In Project Management
Control: Mechanisms exist to assess cybersecurity & data privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements.
Evidence Request List: E-PRM-03
Assessment question: Does the organization assess cybersecurity & data privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements?
Weighting: 10 | Function: Identify | X X

PRM-05 | Project & Resource Management | Cybersecurity & Data Privacy
Control: Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC).
Methods to comply: Secure Development Life Cycle (SDLC)
Evidence Request List: E-PRM-03
Assessment question: Does the organization identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC)?
Weighting: 9 | Function: Identify | X X X
Management Requirements Definition

Mechanisms exist to define business processes with consideration for cybersecurity & data privacy Does the organization define business processes with consideration for cybersecurity & data privacy
that determines: that determines:
▪ The resulting risk to organizational operations, assets, individuals and other organizations; and ▪ The resulting risk to organizational operations, assets, individuals and other organizations; and
Project & Resource ▪ Information protection needs arising from the defined business processes and revises the ▪ Information protection needs arising from the defined business processes and revises the
Management Business Process Definition PRM-06 E-PRM-03 7 Identify X X X
processes as necessary, until an achievable set of protection needs is obtained. processes as necessary, until an achievable set of protection needs is obtained?

Mechanisms exist to ensure changes to systems within the Secure Development Life Cycle (SDLC) - CimTrak Integrity Suite Does the organization ensure changes to systems within the Secure Development Life Cycle (SDLC)
are controlled through formal change control procedures. (https://www.cimcor.com/cimtrak/) are controlled through formal change control procedures?
Project & Resource Secure Development Life Cycle
Management (SDLC) Management PRM-07 E-PRM-03 10 Protect X X X

90 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) 03/12/2024

PRM-08 | Project & Resource Management | Manage Organizational Knowledge
Description: Mechanisms exist to manage the organizational knowledge of the cybersecurity & data privacy staff.
Question: Does the organization manage the organizational knowledge of the cybersecurity & data privacy staff?
Weighting: 5 | Function: Protect | X X

RSK-01 | Risk Management | Risk Management Program
Description: Mechanisms exist to facilitate the implementation of risk management controls.
Methods to comply: Risk Management Program (RMP)
Question: Does the organization facilitate the implementation of risk management controls?
ERL #: E-RSK-01
Weighting: 10 | Function: Identify | X X X

RSK-01.1 | Risk Management | Risk Framing
Description: Mechanisms exist to identify:
▪ Assumptions affecting risk assessments, risk response and risk monitoring;
▪ Constraints affecting risk assessments, risk response and risk monitoring;
▪ The organizational risk tolerance; and
▪ Priorities and trade-offs considered by the organization for managing risk.
Methods to comply: Risk Management Program (RMP)
Question: Does the organization identify:
▪ Assumptions affecting risk assessments, risk response and risk monitoring;
▪ Constraints affecting risk assessments, risk response and risk monitoring;
▪ The organizational risk tolerance; and
▪ Priorities and trade-offs considered by the organization for managing risk?
Weighting: 9 | Function: Identify | X X

RSK-01.2 | Risk Management | Risk Management Resourcing
Description: Mechanisms exist to reduce the magnitude or likelihood of potential impacts by resourcing the capability required to manage technology-related risks.
Question: Does the organization reduce the magnitude or likelihood of potential impacts by resourcing the capability required to manage technology-related risks?
Weighting: 8 | Function: Protect | X X

RSK-01.3 | Risk Management | Risk Tolerance
Description: Mechanisms exist to define organizational risk tolerance, the specified range of acceptable results.
Methods to comply: Defined risk tolerance
Question: Does the organization define organizational risk tolerance, the specified range of acceptable results?
ERL #: E-RSK-06
Weighting: 9 | Function: Identify | X X X

RSK-01.4 | Risk Management | Risk Threshold
Description: Mechanisms exist to define organizational risk threshold, the level of risk exposure above which risks are addressed and below which risks may be accepted.
Methods to comply: Defined risk threshold
Question: Does the organization define organizational risk threshold, the level of risk exposure above which risks are addressed and below which risks may be accepted?
ERL #: E-RSK-07
Weighting: 9 | Function: Identify | X X X

RSK-01.5 | Risk Management | Risk Appetite
Description: Mechanisms exist to define organizational risk appetite, the degree of uncertainty the organization is willing to accept in anticipation of a reward.
Methods to comply: Defined risk tolerance
Question: Does the organization define organizational risk appetite, the degree of uncertainty the organization is willing to accept in anticipation of a reward?
ERL #: E-RSK-08
Weighting: 9 | Function: Identify | X X X

RSK-02 | Risk Management | Risk-Based Security Categorization
Description: Mechanisms exist to categorize systems and data in accordance with applicable local, state and Federal laws that:
▪ Document the security categorization results (including supporting rationale) in the security plan for systems; and
▪ Ensure the security categorization decision is reviewed and approved by the asset owner.
Methods to comply: Risk Management Program (RMP)
Question: Does the organization categorize systems and data in accordance with applicable local, state and Federal laws that:
▪ Document the security categorization results (including supporting rationale) in the security plan for systems; and
▪ Ensure the security categorization decision is reviewed and approved by the asset owner?
Weighting: 9 | Function: Identify | X X X

RSK-02.1 | Risk Management | Impact-Level Prioritization
Description: Mechanisms exist to prioritize the impact level for systems, applications and/or services to prevent potential disruptions.
Question: Does the organization prioritize the impact level for systems, applications and/or services to prevent potential disruptions?
Weighting: 9 | Function: Identify | X X

RSK-03 | Risk Management | Risk Identification
Description: Mechanisms exist to identify and document risks, both internal and external.
Methods to comply: Risk Management Program (RMP)
Question: Does the organization identify and document risks, both internal and external?
Weighting: 9 | Function: Identify | X

RSK-03.1 | Risk Management | Risk Catalog
Description: Mechanisms exist to develop and keep current a catalog of applicable risks associated with the organization's business operations and technologies in use.
Question: Does the organization develop and keep current a catalog of applicable risks associated with the organization's business operations and technologies in use?
Weighting: 5 | Function: Protect | X X X

RSK-04 | Risk Management | Risk Assessment
Description: Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data.
Methods to comply: Risk Management Program (RMP); Risk assessment; Business Impact Analysis (BIA); Data Protection Impact Assessment (DPIA)
Question: Does the organization conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data?
ERL #: E-RSK-04
Weighting: 10 | Function: Identify | X X X

RSK-04.1 | Risk Management | Risk Register
Description: Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks.
Methods to comply: Risk Management Program (RMP); Risk register; Governance, Risk and Compliance (GRC) tool (SCFConnect, SureCloud, Ostendio, ZenGRC, Archer, RSAM, MetricStream, etc.)
Question: Does the organization maintain a risk register that facilitates monitoring and reporting of risks?
ERL #: E-RSK-03
Weighting: 10 | Function: Identify | X


RSK-05 | Risk Management | Risk Ranking
Description: Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices.
Methods to comply: Risk Management Program (RMP)
Question: Does the organization identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices?
Weighting: 9 | Function: Identify | X

RSK-06 | Risk Management | Risk Remediation
Description: Mechanisms exist to remediate risks to an acceptable level.
Methods to comply: Risk Management Program (RMP); CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Question: Does the organization remediate risks to an acceptable level?
Weighting: 10 | Function: Identify | X X X

RSK-06.1 | Risk Management | Risk Response
Description: Mechanisms exist to respond to findings from cybersecurity & data privacy assessments, incidents and audits to ensure proper remediation has been performed.
Methods to comply: Risk Management Program (RMP)
Question: Does the organization respond to findings from cybersecurity & data privacy assessments, incidents and audits to ensure proper remediation has been performed?
Weighting: 9 | Function: Identify | X X X

RSK-06.2 | Risk Management | Compensating Countermeasures
Description: Mechanisms exist to identify and implement compensating countermeasures to reduce risk and exposure to threats.
Question: Does the organization identify and implement compensating countermeasures to reduce risk and exposure to threats?
Weighting: 9 | Function: Respond | X

RSK-07 | Risk Management | Risk Assessment Update
Description: Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information.
Methods to comply: Risk Management Program (RMP)
Question: Does the organization routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information?
Weighting: 9 | Function: Identify | X

RSK-08 | Risk Management | Business Impact Analysis (BIA)
Description: Mechanisms exist to conduct a Business Impact Analysis (BIA) to identify and assess cybersecurity and data protection risks.
Methods to comply: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA); Business Impact Analysis (BIA)
Question: Does the organization conduct a Business Impact Analysis (BIA) to identify and assess cybersecurity and data protection risks?
ERL #: E-CHG-01
Weighting: 8 | Function: Identify | X X

RSK-09 | Risk Management | Supply Chain Risk Management (SCRM) Plan
Description: Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of systems, system components and services, including documenting selected mitigating actions and monitoring performance against those plans.
Methods to comply: Risk Management Program (RMP)
Question: Does the organization develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of systems, system components and services, including documenting selected mitigating actions and monitoring performance against those plans?
ERL #: E-RSK-02
Weighting: 10 | Function: Identify | X X X

RSK-09.1 | Risk Management | Supply Chain Risk Assessment
Description: Mechanisms exist to periodically assess supply chain risks associated with systems, system components and services.
Methods to comply: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA)
Question: Does the organization periodically assess supply chain risks associated with systems, system components and services?
ERL #: E-RSK-05
Weighting: 9 | Function: Identify | X X

RSK-09.2 | Risk Management | AI & Autonomous Technologies Supply Chain Impacts
Description: Mechanisms exist to address Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks and benefits arising from the organization's supply chain, including third-party software and data.
Question: Does the organization address Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks and benefits arising from the organization's supply chain, including third-party software and data?
Weighting: 8 | Function: Protect | X X

RSK-10 | Risk Management | Data Protection Impact Assessment (DPIA)
Description: Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services that store, process and/or transmit Personal Data (PD) to identify and remediate reasonably-expected risks.
Methods to comply: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA); Privacy Impact Assessment (PIA)
Question: Does the organization conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services that store, process and/or transmit Personal Data (PD) to identify and remediate reasonably-expected risks?
ERL #: E-PRI-04
Weighting: 9 | Function: Identify | X X

RSK-11 | Risk Management | Risk Monitoring
Description: Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of cybersecurity & data privacy controls, compliance and change management.
Question: Does the organization ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of cybersecurity & data privacy controls, compliance and change management?
Weighting: 9 | Function: Detect | X

RSK-12 | Risk Management | Risk Culture
Description: Mechanisms exist to ensure teams are committed to a culture that considers and communicates technology-related risk.
Question: Does the organization ensure teams are committed to a culture that considers and communicates technology-related risk?
Weighting: 4 | Function: Identify | X

SEA-01 | Secure Engineering & Architecture | Secure Engineering Principles
Description: Mechanisms exist to facilitate the implementation of industry-recognized cybersecurity & data privacy practices in the specification, design, development, implementation and modification of systems and services.
Question: Does the organization facilitate the implementation of industry-recognized cybersecurity & data privacy practices in the specification, design, development, implementation and modification of systems and services?
ERL #: E-TDA-01; E-TDA-02; E-TDA-04; E-TDA-08; E-TDA-09
Weighting: 10 | Function: Protect | X X X


SEA-01.1 | Secure Engineering & Architecture | Centralized Management of Cybersecurity & Data Privacy Controls
Description: Mechanisms exist to centrally-manage the organization-wide management and implementation of cybersecurity & data privacy controls and related processes.
Question: Does the organization centrally-manage the organization-wide management and implementation of cybersecurity & data privacy controls and related processes?
Weighting: 9 | Function: Protect | X X

SEA-01.2 | Secure Engineering & Architecture | Achieving Resilience Requirements
Description: Mechanisms exist to achieve resilience requirements in normal and adverse situations.
Question: Does the organization achieve resilience requirements in normal and adverse situations?
Weighting: 4 | Function: Protect | X X

SEA-02 | Secure Engineering & Architecture | Alignment With Enterprise Architecture
Description: Mechanisms exist to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity & data privacy principles that addresses risk to organizational operations, assets, individuals, other organizations.
Methods to comply: Administrative controls through corporate policies, standards & procedures; NIST 800-160; Enterprise architecture committee
Question: Does the organization develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity & data privacy principles that addresses risk to organizational operations, assets, individuals, other organizations?
ERL #: E-TDA-04; E-TDA-09
Weighting: 9 | Function: Protect | X X X

SEA-02.1 | Secure Engineering & Architecture | Standardized Terminology
Description: Mechanisms exist to standardize technology and process terminology to reduce confusion amongst groups and departments.
Question: Does the organization standardize technology and process terminology to reduce confusion amongst groups and departments?
Weighting: 3 | Function: Protect | X

SEA-02.2 | Secure Engineering & Architecture | Outsourcing Non-Essential Functions or Services
Description: Mechanisms exist to identify non-essential functions or services that are capable of being outsourced to external service providers and align with the organization's enterprise architecture and security standards.
Question: Does the organization identify non-essential functions or services that are capable of being outsourced to external service providers and align with the organization's enterprise architecture and security standards?
Weighting: 3 | Function: Protect | X

SEA-02.3 | Secure Engineering & Architecture | Technical Debt Reviews
Description: Mechanisms exist to conduct ongoing "technical debt" reviews of hardware and software technologies to remediate outdated and/or unsupported technologies.
Question: Does the organization conduct ongoing "technical debt" reviews of hardware and software technologies to remediate outdated and/or unsupported technologies?
Weighting: 9 | Function: Protect | X X

SEA-03 | Secure Engineering & Architecture | Defense-In-Depth (DiD) Architecture
Description: Mechanisms exist to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
Question: Does the organization implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers?
ERL #: E-TDA-04; E-TDA-09
Weighting: 10 | Function: Protect | X X

SEA-03.1 | Secure Engineering & Architecture | System Partitioning
Description: Mechanisms exist to partition systems so that partitions reside in separate physical domains or environments.
Question: Does the organization partition systems so that partitions reside in separate physical domains or environments?
Weighting: 8 | Function: Protect | X

SEA-03.2 | Secure Engineering & Architecture | Application Partitioning
Description: Mechanisms exist to separate user functionality from system management functionality.
Methods to comply: Separate interface for non-privileged users.
Question: Does the organization separate user functionality from system management functionality?
Weighting: 8 | Function: Protect | X

SEA-04 | Secure Engineering & Architecture | Process Isolation
Description: Mechanisms exist to implement a separate execution domain for each executing process.
Question: Does the organization implement a separate execution domain for each executing process?
Weighting: 7 | Function: Protect | X

SEA-04.1 | Secure Engineering & Architecture | Security Function Isolation
Description: Mechanisms exist to isolate security functions from non-security functions.
Question: Does the organization isolate security functions from non-security functions?
Weighting: 7 | Function: Protect | X

SEA-04.2 | Secure Engineering & Architecture | Hardware Separation
Description: Mechanisms exist to implement underlying hardware separation mechanisms to facilitate process separation.
Question: Does the organization implement underlying hardware separation mechanisms to facilitate process separation?
Weighting: 7 | Function: Protect | X

SEA-04.3 | Secure Engineering & Architecture | Thread Separation
Description: Mechanisms exist to maintain a separate execution domain for each thread in multi-threaded processing.
Question: Does the organization maintain a separate execution domain for each thread in multi-threaded processing?
Weighting: 7 | Function: Protect | X


SEA-05 | Secure Engineering & Architecture | Information In Shared Resources
Description: Mechanisms exist to prevent unauthorized and unintended information transfer via shared system resources.
Question: Does the organization prevent unauthorized and unintended information transfer via shared system resources?
Weighting: 8 | Function: Protect | X X

SEA-06 | Secure Engineering & Architecture | Prevent Program Execution
Description: Automated mechanisms exist to prevent the execution of unauthorized software programs.
Question: Does the organization use automated mechanisms to prevent the execution of unauthorized software programs?
Weighting: 8 | Function: Protect | X

SEA-07 | Secure Engineering & Architecture | Predictable Failure Analysis
Description: Mechanisms exist to determine the Mean Time to Failure (MTTF) for system components in specific environments of operation.
Methods to comply: Mean Time to Failure (MTTF)
Question: Does the organization determine the Mean Time to Failure (MTTF) for system components in specific environments of operation?
Weighting: 5 | Function: Protect | X X

SEA-07.1 | Secure Engineering & Architecture | Technology Lifecycle Management
Description: Mechanisms exist to manage the usable lifecycles of technology assets.
Methods to comply: Computer Lifecycle Program (CLP); Technology Asset Management (TAM)
Question: Does the organization manage the usable lifecycles of technology assets?
ERL #: E-AST-09
Weighting: 7 | Function: Protect | X X X

SEA-07.2 | Secure Engineering & Architecture | Fail Secure
Description: Mechanisms exist to enable systems to fail to an organization-defined known-state for types of failures, preserving system state information in failure.
Question: Does the organization enable systems to fail to an organization-defined known-state for types of failures, preserving system state information in failure?
Weighting: 8 | Function: Protect | X X

SEA-07.3 | Secure Engineering & Architecture | Fail Safe
Description: Mechanisms exist to implement fail-safe procedures when failure conditions occur.
Question: Does the organization implement fail-safe procedures when failure conditions occur?
Weighting: 8 | Function: Protect | X X

SEA-08 | Secure Engineering & Architecture | Non-Persistence
Description: Mechanisms exist to implement non-persistent system components and services that are initiated in a known state and terminated upon the end of the session of use or periodically at an organization-defined frequency.
Question: Does the organization implement non-persistent system components and services that are initiated in a known state and terminated upon the end of the session of use or periodically at an organization-defined frequency?
Weighting: 9 | Function: Protect | X

SEA-08.1 | Secure Engineering & Architecture | Refresh from Trusted Sources
Description: Mechanisms exist to ensure that software and data needed for information system component and service refreshes are obtained from trusted sources.
Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
Question: Does the organization ensure that software and data needed for information system component and service refreshes are obtained from trusted sources?
Weighting: 5 | Function: Protect | X X

SEA-09 | Secure Engineering & Architecture | Information Output Filtering
Description: Mechanisms exist to validate information output from software programs and/or applications to ensure that the information is consistent with the expected content.
Question: Does the organization validate information output from software programs and/or applications to ensure that the information is consistent with the expected content?
Weighting: 8 | Function: Protect | X

SEA-09.1 | Secure Engineering & Architecture | Limit Personal Data (PD) Dissemination
Description: Mechanisms exist to limit the dissemination of Personal Data (PD) to organization-defined elements identified in the Data Protection Impact Assessment (DPIA) and consistent with authorized purposes.
Methods to comply: Data Protection Impact Assessment (DPIA)
Question: Does the organization limit the dissemination of Personal Data (PD) to organization-defined elements identified in the Data Protection Impact Assessment (DPIA) and consistent with authorized purposes?
Weighting: 8 | Function: Protect | X X

SEA-10 | Secure Engineering & Architecture | Memory Protection
Description: Mechanisms exist to implement security safeguards to protect system memory from unauthorized code execution.
Methods to comply: Puppet (https://puppet.com/); Chef (https://www.chef.io/)
Question: Does the organization implement security safeguards to protect system memory from unauthorized code execution?
Weighting: 8 | Function: Protect | X

SEA-11 | Secure Engineering & Architecture | Honeypots
Description: Mechanisms exist to utilize honeypots that are specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting and analyzing such attacks.
Question: Does the organization utilize honeypots that are specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting and analyzing such attacks?
Weighting: 3 | Function: Protect | X X

SEA-12 | Secure Engineering & Architecture | Honeyclients
Description: Mechanisms exist to utilize honeyclients that proactively seek to identify malicious websites and/or web-based malicious code.
Question: Does the organization utilize honeyclients that proactively seek to identify malicious websites and/or web-based malicious code?
Weighting: 3 | Function: Protect | X X


SEA-13 | Secure Engineering & Architecture | Heterogeneity
Description: Mechanisms exist to utilize a diverse set of technologies for system components to reduce the impact of technical vulnerabilities from the same Original Equipment Manufacturer (OEM).
Question: Does the organization utilize a diverse set of technologies for system components to reduce the impact of technical vulnerabilities from the same Original Equipment Manufacturer (OEM)?
Weighting: 3 | Function: Protect | X X

SEA-13.1 | Secure Engineering & Architecture | Virtualization Techniques
Description: Mechanisms exist to utilize virtualization techniques to support the employment of a diversity of operating systems and applications.
Question: Does the organization utilize virtualization techniques to support the employment of a diversity of operating systems and applications?
Weighting: 6 | Function: Protect | X X

SEA-14 | Secure Engineering & Architecture | Concealment & Misdirection
Description: Mechanisms exist to utilize concealment and misdirection techniques for systems to confuse and mislead adversaries.
Question: Does the organization utilize concealment and misdirection techniques for systems to confuse and mislead adversaries?
Weighting: 2 | Function: Protect | X X

SEA-14.1 | Secure Engineering & Architecture | Randomness
Description: Automated mechanisms exist to introduce randomness into organizational operations and assets.
Question: Does the organization use automated mechanisms to introduce randomness into organizational operations and assets?
Weighting: 5 | Function: Protect | X X

SEA-14.2 | Secure Engineering & Architecture | Change Processing & Storage Locations
Description: Automated mechanisms exist to change the location of processing and/or storage at random time intervals.
Question: Does the organization use automated mechanisms to change the location of processing and/or storage at random time intervals?
Weighting: 5 | Function: Protect | X X

SEA-15 | Secure Engineering & Architecture | Distributed Processing & Storage
Description: Mechanisms exist to distribute processing and storage across multiple physical locations.
Question: Does the organization distribute processing and storage across multiple physical locations?
Weighting: 4 | Function: Protect | X X

SEA-16 | Secure Engineering & Architecture | Non-Modifiable Executable Programs
Description: Mechanisms exist to utilize non-modifiable executable programs that load and execute the operating environment and applications from hardware-enforced, read-only media.
Question: Does the organization utilize non-modifiable executable programs that load and execute the operating environment and applications from hardware-enforced, read-only media?
Weighting: 1 | Function: Protect | X

SEA-17 | Secure Engineering & Architecture | Secure Log-On Procedures
Description: Mechanisms exist to utilize a trusted communications path between the user and the security functions of the system.
Methods to comply: Active Directory (AD) Ctrl+Alt+Del login process
Question: Does the organization utilize a trusted communications path between the user and the security functions of the system?
Weighting: 8 | Function: Protect | X X

SEA-18 | Secure Engineering & Architecture | System Use Notification (Logon Banner)
Description: Mechanisms exist to utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to the system that provides cybersecurity & data privacy notices.
Methods to comply: Logon banner; System use notifications; CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to the system that provides cybersecurity & data privacy notices?
Weighting: 9 | Function: Protect | X X

SEA-18.1 | Secure Engineering & Architecture | Standardized Microsoft Windows Banner
Description: Mechanisms exist to configure Microsoft Windows-based systems to display an approved logon banner before granting access to the system that provides cybersecurity & data privacy notices.
Methods to comply: Active Directory (AD) Ctrl+Alt+Del login process; CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization configure Microsoft Windows-based systems to display an approved logon banner before granting access to the system that provides cybersecurity & data privacy notices?
Weighting: 9 | Function: Protect | X X

SEA-18.2 | Secure Engineering & Architecture | Truncated Banner
Description: Mechanisms exist to utilize a truncated system use notification / logon banner on systems not capable of displaying a logon banner from a centralized source, such as Active Directory.
Methods to comply: Logon banner; System use notifications; CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
Question: Does the organization utilize a truncated system use notification / logon banner on systems not capable of displaying a logon banner from a centralized source, such as Active Directory?
Weighting: 9 | Function: Protect | X X

SEA-19 | Secure Engineering & Architecture | Previous Logon Notification
Description: Mechanisms exist to configure systems that process, store or transmit sensitive/regulated data to notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
Methods to comply: Network Time Protocol (NTP)
Question: Does the organization configure systems that process, store or transmit sensitive/regulated data to notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon?
Weighting: 3 | Function: Protect | X

SEA-20 | Secure Engineering & Architecture | Clock Synchronization
Description: Mechanisms exist to utilize time-synchronization technology to synchronize all critical system clocks.
Methods to comply: Network Time Protocol (NTP)
Question: Does the organization utilize time-synchronization technology to synchronize all critical system clocks?
Weighting: 9 | Function: Protect | X
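Worked example for SEA-19: the value a system must show at logon is "unsuccessful attempts since the last successful logon", which is a window over the authentication log bounded by the two most recent successes for that user. The code below is an added illustration written for this page, not SCF material; it computes that window from OpenSSH-style sshd log lines and formats the notice. The log lines are constructed for the example (RFC 5737 documentation addresses, invented hostnames and PIDs), and the function names are assumptions, not an interface of any product named on this page.

```python
"""Unsuccessful logon attempts since the last successful logon (SEA-19),
derived from sshd syslog lines. Added example with constructed sample data;
the regexes match the message formats OpenSSH's sshd writes for password
and public-key authentication."""
import re
from typing import Iterable, List, Optional

FAILED_RE = re.compile(
    r"Failed (?:password|publickey) for (?:invalid user )?(\S+) from (\S+)"
)
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+)")

# Constructed sample log: two successful logons for alice with three failures
# between them (one from a second source), one failure after the last success,
# and a failure for a different, non-existent account that must not count.
SAMPLE_LOG = """\
Mar 12 08:01:10 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Mar 12 08:15:02 host sshd[1290]: Failed password for alice from 203.0.113.9 port 40122 ssh2
Mar 12 08:15:05 host sshd[1290]: Failed password for alice from 203.0.113.9 port 40122 ssh2
Mar 12 08:16:40 host sshd[1301]: Failed password for invalid user admin from 203.0.113.9 port 40130 ssh2
Mar 12 08:20:11 host sshd[1310]: Failed password for alice from 198.51.100.7 port 42000 ssh2
Mar 12 09:02:33 host sshd[1400]: Accepted password for alice from 10.0.0.5 port 51200 ssh2
Mar 12 09:30:00 host sshd[1450]: Failed password for alice from 203.0.113.9 port 40500 ssh2
"""


def failures_since_last_success(lines: Iterable[str], user: str) -> dict:
    """Walk the log in order. Every 'Accepted' line for `user` closes a
    window of preceding failures; the report describes the window closed by
    the LAST successful logon (what that logon should have told the user),
    plus any failures logged after it (what the NEXT logon will report)."""
    failed_since: List[str] = []
    report = {
        "user": user,
        "failed_attempts": 0,
        "sources": [],
        "last_success_line": None,  # type: Optional[str]
    }
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            if m.group(1) == user:          # ignore other accounts
                failed_since.append(m.group(2))
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) == user:
            report = {
                "user": user,
                "failed_attempts": len(failed_since),
                "sources": sorted(set(failed_since)),
                "last_success_line": line.strip(),
            }
            failed_since = []
    report["pending_failures"] = len(failed_since)
    return report


def logon_notice(report: dict) -> str:
    """Text a login program would print for the user described by `report`."""
    n = report["failed_attempts"]
    if report["last_success_line"] is None:
        return "No previous successful logon recorded."
    src = ", ".join(report["sources"]) or "n/a"
    return (
        f"{n} unsuccessful logon attempt(s) since your previous successful logon "
        f"(sources: {src}). Report this if it was not you."
    )


if __name__ == "__main__":
    print(logon_notice(failures_since_last_success(SAMPLE_LOG.splitlines(), "alice")))
```

On Linux hosts the same notice is usually produced by the PAM module pam_lastlog with its showfailed option rather than by log parsing; the script is useful as an audit check that the number a host displays matches what its own log supports, and it depends on correct log ordering, which is one reason SEA-20 clock synchronization sits next to this control.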


Security Operations | Operations Security | OPS-01
  Control: Mechanisms exist to facilitate the implementation of operational security controls.
  Methods to comply: Standardized Operating Procedures (SOP); ITIL v4; COBIT 2019
  Question: Does the organization facilitate the implementation of operational security controls?
  Weighting: 8 | Function: Protect | X X

Security Operations | Standardized Operating Procedures (SOP) | OPS-01.1
  Control: Mechanisms exist to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks.
  Methods to comply: Standardized Operating Procedures (SOP)
  ERL IDs: E-GOV-11
  Question: Does the organization identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks?
  Weighting: 9 | Function: Protect | X

Security Operations | Security Concept Of Operations (CONOPS) | OPS-02
  Control: Mechanisms exist to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders.
  Question: Does the organization develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents management, operational and technical measures implemented to apply defense-in-depth techniques that is communicated to all appropriate stakeholders?
  Weighting: 9 | Function: Protect | X X X

Security Operations | Service Delivery (Business Process Support) | OPS-03
  Control: Mechanisms exist to define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of the organization's technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area.
  Methods to comply: ITIL v4; COBIT 2019
  ERL IDs: E-TPM-04
  Question: Does the organization define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of the organization's technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area?
  Weighting: 7 | Function: Protect | X X

Security Operations | Security Operations Center (SOC) | OPS-04
  Control: Mechanisms exist to establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability.
  Question: Does the organization establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability?
  Weighting: 8 | Function: Protect | X X

Security Operations | Secure Practices Guidelines | OPS-05
  Control: Mechanisms exist to provide guidelines and recommendations for the secure use of products and/or services to assist in the configuration, installation and use of the product and/or service.
  Question: Does the organization provide guidelines and recommendations for the secure use of products and/or services to assist in the configuration, installation and use of the product and/or service?
  Weighting: 7 | Function: Protect | X

Security Awareness & Training | Cybersecurity & Data Privacy-Minded Workforce | SAT-01
  Control: Mechanisms exist to facilitate the implementation of security workforce development and awareness controls.
  Question: Does the organization facilitate the implementation of security workforce development and awareness controls?
  Weighting: 8 | Function: Protect | X X

Security Awareness & Training | Cybersecurity & Data Privacy Awareness Training | SAT-02
  Control: Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.
  ERL IDs: E-SAT-02
  Question: Does the organization provide all employees and contractors appropriate awareness education and training that is relevant for their job function?
  Weighting: 8 | Function: Protect | X X

Security Awareness & Training | Simulated Cyber Attack Scenario Training | SAT-02.1
  Control: Mechanisms exist to include simulated actual cyber-attacks through practical exercises that are aligned with current threat scenarios.
  ERL IDs: E-SAT-03
  Question: Does the organization include simulated actual cyber-attacks through practical exercises that are aligned with current threat scenarios?
  Weighting: 3 | Function: Protect | X

Security Awareness & Training | Social Engineering & Mining | SAT-02.2
  Control: Mechanisms exist to include awareness training on recognizing and reporting potential and actual instances of social engineering and social mining.
  ERL IDs: E-SAT-02
  Question: Does the organization include awareness training on recognizing and reporting potential and actual instances of social engineering and social mining?
  Weighting: 5 | Function: Protect | X

Security Awareness & Training | Role-Based Cybersecurity & Data Privacy Training | SAT-03
  Control: Mechanisms exist to provide role-based cybersecurity & data privacy-related training:
    ▪ Before authorizing access to the system or performing assigned duties;
    ▪ When required by system changes; and
    ▪ Annually thereafter.
  ERL IDs: E-SAT-05
  Question: Does the organization provide role-based cybersecurity & data privacy-related training:
    ▪ Before authorizing access to the system or performing assigned duties;
    ▪ When required by system changes; and
    ▪ Annually thereafter?
  Weighting: 8 | Function: Protect | X

Security Awareness & Training | Practical Exercises | SAT-03.1
  Control: Mechanisms exist to include practical exercises in cybersecurity & data privacy training that reinforce training objectives.
  ERL IDs: E-SAT-03
  Question: Does the organization include practical exercises in cybersecurity & data privacy training that reinforce training objectives?
  Weighting: 3 | Function: Protect | X

Security Awareness & Training | Suspicious Communications & Anomalous System Behavior | SAT-03.2
  Control: Mechanisms exist to provide training to personnel on organization-defined indicators of malware to recognize suspicious communications and anomalous behavior.
  Question: Does the organization provide training to personnel on organization-defined indicators of malware to recognize suspicious communications and anomalous behavior?
  Weighting: 9 | Function: Protect | X


Security Awareness & Training | Sensitive Information Storage, Handling & Processing | SAT-03.3
  Control: Mechanisms exist to ensure that every user accessing a system processing, storing or transmitting sensitive information is formally trained in data handling requirements.
  Question: Does the organization ensure that every user accessing a system processing, storing or transmitting sensitive information is formally trained in data handling requirements?
  Weighting: 9 | Function: Protect | X

Security Awareness & Training | Vendor Cybersecurity & Data Privacy Training | SAT-03.4
  Control: Mechanisms exist to incorporate vendor-specific security training in support of new technology initiatives.
  ERL IDs: E-SAT-04; E-SAT-05
  Question: Does the organization incorporate vendor-specific security training in support of new technology initiatives?
  Weighting: 7 | Function: Protect | X

Security Awareness & Training | Privileged Users | SAT-03.5
  Control: Mechanisms exist to provide specific training for privileged users to ensure privileged users understand their unique roles and responsibilities.
  ERL IDs: E-SAT-05
  Question: Does the organization provide specific training for privileged users to ensure privileged users understand their unique roles and responsibilities?
  Weighting: 9 | Function: Protect | X

Security Awareness & Training | Cyber Threat Environment | SAT-03.6
  Control: Mechanisms exist to provide role-based cybersecurity & data privacy awareness training that is specific to the cyber threats that the user might encounter in the user's specific day-to-day business operations.
  ERL IDs: E-SAT-04
  Question: Does the organization provide role-based cybersecurity & data privacy awareness training that is specific to the cyber threats that the user might encounter in the user's specific day-to-day business operations?
  Weighting: 8 | Function: Identify | X

Security Awareness & Training | Continuing Professional Education (CPE) - Cybersecurity & Data Privacy Personnel | SAT-03.7
  Control: Mechanisms exist to ensure cybersecurity & data privacy personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities.
  ERL IDs: E-SAT-01; E-SAT-04
  Question: Does the organization ensure cybersecurity & data privacy personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities?
  Weighting: 8 | Function: Identify | X

Security Awareness & Training | Continuing Professional Education (CPE) - DevOps Personnel | SAT-03.8
  Control: Mechanisms exist to ensure application development and operations (DevOps) personnel receive Continuing Professional Education (CPE) training on Secure Software Development Practices (SSDP) to appropriately address evolving threats.
  Question: Does the organization ensure application development and operations (DevOps) personnel receive Continuing Professional Education (CPE) training on Secure Software Development Practices (SSDP) to appropriately address evolving threats?
  Weighting: 8 | Function: Identify | X

Security Awareness & Training | Cybersecurity & Data Privacy Training Records | SAT-04
  Control: Mechanisms exist to document, retain and monitor individual training activities, including basic cybersecurity & data privacy awareness training, ongoing awareness training and specific-system training.
  Methods to comply: KnowBe4 (https://www.knowbe4.com/)
  ERL IDs: E-SAT-02; E-SAT-03; E-SAT-04; E-SAT-05
  Question: Does the organization document, retain and monitor individual training activities, including basic cybersecurity & data privacy awareness training, ongoing awareness training and specific-system training?
  Weighting: 9 | Function: Protect | X

Technology Development & Acquisition | Technology Development & Acquisition | TDA-01
  Control: Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs.
  ERL IDs: E-TDA-01; E-TDA-02; E-TDA-08
  Question: Does the organization facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs?
  Weighting: 10 | Function: Protect | X X X

Technology Development & Acquisition | Product Management | TDA-01.1
  Control: Mechanisms exist to design and implement product management processes to update products, including systems, software and services, to improve functionality and correct security deficiencies.
  ERL IDs: E-CPL-06; E-TDA-05; E-TDA-06; E-TDA-07; E-TDA-15
  Question: Does the organization design and implement product management processes to update products, including systems, software and services, to improve functionality and correct security deficiencies?
  Weighting: 10 | Function: Protect | X X

Technology Development & Acquisition | Integrity Mechanisms for Software / Firmware Updates | TDA-01.2
  Control: Mechanisms exist to utilize integrity validation mechanisms for security updates.
  Methods to comply: Checksum comparison; CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  ERL IDs: E-TDA-15
  Question: Does the organization utilize integrity validation mechanisms for security updates?
  Weighting: 5 | Function: Protect | X X

Technology Development & Acquisition | Malware Testing Prior to Release | TDA-01.3
  Control: Mechanisms exist to utilize at least one (1) malware detection tool to identify if any known malware exists in the final binaries of the product or security update.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  Question: Does the organization utilize at least one (1) malware detection tool to identify if any known malware exists in the final binaries of the product or security update?
  Weighting: 9 | Function: Protect | X X

Technology Development & Acquisition | Minimum Viable Product (MVP) Security Requirements | TDA-02
  Control: Mechanisms exist to ensure risk-based technical and functional specifications are established to define a Minimum Viable Product (MVP).
  ERL IDs: E-TDA-06
  Question: Does the organization ensure risk-based technical and functional specifications are established to define a Minimum Viable Product (MVP)?
  Weighting: 9 | Function: Protect | X X X

Technology Development & Acquisition | Ports, Protocols & Services In Use | TDA-02.1
  Control: Mechanisms exist to require the developers of systems, system components or services to identify early in the Secure Development Life Cycle (SDLC), the functions, ports, protocols and services intended for use.
  Methods to comply: Ports, Protocols & Services (PPS)
  ERL IDs: E-CPL-06; E-TDA-07
  Question: Does the organization require the developers of systems, system components or services to identify early in the Secure Development Life Cycle (SDLC), the functions, ports, protocols and services intended for use?
  Weighting: 8 | Function: Protect | X X


Technology Development & Acquisition | Information Assurance Enabled Products | TDA-02.2
  Control: Mechanisms exist to limit the use of commercially-provided Information Assurance (IA) and IA-enabled IT products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile or the cryptographic module is FIPS-validated or NSA-approved.
  Methods to comply: FIPS 201
  Question: Does the organization limit the use of commercially-provided Information Assurance (IA) and IA-enabled IT products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile or the cryptographic module is FIPS-validated or NSA-approved?
  Weighting: 2 | Function: Protect | X X

Technology Development & Acquisition | Development Methods, Techniques & Processes | TDA-02.3
  Control: Mechanisms exist to require software vendors / manufacturers to demonstrate that their software development processes employ industry-recognized secure practices for secure programming, engineering methods, quality control processes and validation techniques to minimize flawed or malformed software.
  ERL IDs: E-TDA-04
  Question: Does the organization require software vendors / manufacturers to demonstrate that their software development processes employ industry-recognized secure practices for secure programming, engineering methods, quality control processes and validation techniques to minimize flawed or malformed software?
  Weighting: 5 | Function: Identify | X X X

Technology Development & Acquisition | Pre-Established Secure Configurations | TDA-02.4
  Control: Mechanisms exist to ensure vendors / manufacturers:
    ▪ Deliver the system, component, or service with a pre-established, secure configuration implemented; and
    ▪ Use the pre-established, secure configuration as the default for any subsequent system, component, or service reinstallation or upgrade.
  Question: Does the organization ensure vendors / manufacturers:
    ▪ Deliver the system, component, or service with a pre-established, secure configuration implemented; and
    ▪ Use the pre-established, secure configuration as the default for any subsequent system, component, or service reinstallation or upgrade?
  Weighting: 8 | Function: Protect | X X

Technology Development & Acquisition | Identification & Justification of Ports, Protocols & Services | TDA-02.5
  Control: Mechanisms exist to require process owners to identify, document and justify the business need for the ports, protocols and other services necessary to operate their technology solutions.
  ERL IDs: E-CPL-06; E-TDA-07
  Question: Does the organization require process owners to identify, document and justify the business need for the ports, protocols and other services necessary to operate their technology solutions?
  Weighting: 8 | Function: Identify | X X

Technology Development & Acquisition | Insecure Ports, Protocols & Services | TDA-02.6
  Control: Mechanisms exist to mitigate the risk associated with the use of insecure ports, protocols and services necessary to operate technology solutions.
  Question: Does the organization mitigate the risk associated with the use of insecure ports, protocols and services necessary to operate technology solutions?
  Weighting: 9 | Function: Protect | X X

Technology Development & Acquisition | Cybersecurity & Data Privacy Representatives For Product Changes | TDA-02.7
  Control: Mechanisms exist to include appropriate cybersecurity & data privacy representatives in the product feature and/or functionality change control review process.
  Question: Does the organization include appropriate cybersecurity & data privacy representatives in the product feature and/or functionality change control review process?
  Weighting: 10 | Function: Identify | X X

Technology Development & Acquisition | Commercial Off-The-Shelf (COTS) Security Solutions | TDA-03
  Control: Mechanisms exist to utilize only Commercial Off-the-Shelf (COTS) security products.
  Question: Does the organization utilize only Commercial Off-the-Shelf (COTS) security products?
  Weighting: 5 | Function: Protect | X X

Technology Development & Acquisition | Supplier Diversity | TDA-03.1
  Control: Mechanisms exist to obtain cybersecurity & data privacy technologies from different suppliers to minimize supply chain risk.
  Methods to comply: Supplier diversity
  Question: Does the organization obtain cybersecurity & data privacy technologies from different suppliers to minimize supply chain risk?
  Weighting: 3 | Function: Protect | X X

Technology Development & Acquisition | Documentation Requirements | TDA-04
  Control: Mechanisms exist to obtain, protect and distribute administrator documentation for systems that describe:
    ▪ Secure configuration, installation and operation of the system;
    ▪ Effective use and maintenance of security features/functions; and
    ▪ Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions.
  ERL IDs: E-CPL-06; E-TDA-06; E-TDA-10
  Question: Does the organization obtain, protect and distribute administrator documentation for systems that describe:
    ▪ Secure configuration, installation and operation of the system;
    ▪ Effective use and maintenance of security features/functions; and
    ▪ Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions?
  Weighting: 8 | Function: Protect | X

Technology Development & Acquisition | Functional Properties | TDA-04.1
  Control: Mechanisms exist to require vendors/contractors to provide information describing the functional properties of the security controls to be utilized within systems, system components or services in sufficient detail to permit analysis and testing of the controls.
  Methods to comply: SSAE-16 SOC2 report
  ERL IDs: E-CPL-06; E-TDA-06; E-TDA-10; E-TDA-15
  Question: Does the organization require vendors/contractors to provide information describing the functional properties of the security controls to be utilized within systems, system components or services in sufficient detail to permit analysis and testing of the controls?
  Weighting: 8 | Function: Protect | X X

Technology Development & Acquisition | Software Bill of Materials (SBOM) | TDA-04.2
  Control: Mechanisms exist to require a Software Bill of Materials (SBOM) for systems, applications and services that lists software packages in use, including versions and applicable licenses.
  ERL IDs: E-TDA-12
  Question: Does the organization require a Software Bill of Materials (SBOM) for systems, applications and services that lists software packages in use, including versions and applicable licenses?
  Weighting: 9 | Function: Identify | X X

Technology Development & Acquisition | Developer Architecture & Design | TDA-05
  Control: Mechanisms exist to require the developers of systems, system components or services to produce a design specification and security architecture that:
    ▪ Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;
    ▪ Accurately and completely describes the required security functionality and the allocation of security controls among physical and logical components; and
    ▪ Expresses how individual security functions, mechanisms and services work together to provide required security capabilities and a unified approach to protection.
  ERL IDs: E-TDA-04
  Question: Does the organization require the developers of systems, system components or services to produce a design specification and security architecture that:
    ▪ Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;
    ▪ Accurately and completely describes the required security functionality and the allocation of security controls among physical and logical components; and
    ▪ Expresses how individual security functions, mechanisms and services work together to provide required security capabilities and a unified approach to protection?
  Weighting: 8 | Function: Protect | X X

Technology Development & Acquisition | Physical Diagnostic & Test Interfaces | TDA-05.1
  Control: Mechanisms exist to secure physical diagnostic and test interfaces to prevent misuse.
  Question: Does the organization secure physical diagnostic and test interfaces to prevent misuse?
  Weighting: 5 | Function: Detect | X


Technology Development & Acquisition | Diagnostic & Test Interface Monitoring | TDA-05.2
  Control: Mechanisms exist to enable endpoint devices to log events and generate alerts for attempts to access diagnostic and test interfaces.
  Question: Does the organization enable endpoint devices to log events and generate alerts for attempts to access diagnostic and test interfaces?
  Weighting: 3 | Function: Detect | X

Technology Development & Acquisition | Secure Coding | TDA-06
  Control: Mechanisms exist to develop applications based on secure coding principles.
  Methods to comply: OWASP's Application Security Verification Standard (ASVS); Mobile Application Security Verification Standard (MASVS)
  ERL IDs: E-TDA-08; E-TDA-11
  Question: Does the organization develop applications based on secure coding principles?
  Weighting: 10 | Function: Protect | X X X

Technology Development & Acquisition | Criticality Analysis | TDA-06.1
  Control: Mechanisms exist to require the developer of the system, system component or service to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC).
  Methods to comply: Secure Development Life Cycle (SDLC)
  Question: Does the organization require the developer of the system, system component or service to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC)?
  Weighting: 9 | Function: Protect | X X

Technology Development & Acquisition | Threat Modeling | TDA-06.2
  Control: Mechanisms exist to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for.
  ERL IDs: E-TDA-03; E-TDA-10; E-THR-05
  Question: Does the organization perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for?
  Weighting: 7 | Function: Identify | X X

Technology Development & Acquisition | Software Assurance Maturity Model (SAMM) | TDA-06.3
  Control: Mechanisms exist to utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of systems, applications and services.
  ERL IDs: E-TDA-04; E-TDA-11
  Question: Does the organization utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of systems, applications and services?
  Weighting: 9 | Function: Identify | X

Technology Development & Acquisition | Supporting Toolchain | TDA-06.4
  Control: Automated mechanisms exist to improve the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle.
  Question: Does the organization use automated mechanisms to improve the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle?
  Weighting: 6 | Function: Identify | X X

Technology Development & Acquisition | Software Design Review | TDA-06.5
  Control: Mechanisms exist to have an independent review of the software design to confirm that all cybersecurity & data privacy requirements are met and that any identified risks are satisfactorily addressed.
  ERL IDs: E-TDA-05
  Question: Does the organization have an independent review of the software design to confirm that all cybersecurity & data privacy requirements are met and that any identified risks are satisfactorily addressed?
  Weighting: 10 | Function: Detect | X X

Technology Development & Acquisition | Secure Development Environments | TDA-07
  Control: Mechanisms exist to maintain a segmented development network to ensure a secure development environment.
  Question: Does the organization maintain a segmented development network to ensure a secure development environment?
  Weighting: 9 | Function: Protect | X X X

Technology Development & Acquisition | Separation of Development, Testing and Operational Environments | TDA-08
  Control: Mechanisms exist to manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production systems.
  Question: Does the organization manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production systems?
  Weighting: 10 | Function: Protect | X X

Technology Development & Acquisition | Secure Migration Practices | TDA-08.1
  Control: Mechanisms exist to ensure secure migration practices purge systems, applications and services of test/development/staging data and accounts before it is migrated into a production environment.
  Question: Does the organization ensure secure migration practices purge systems, applications and services of test/development/staging data and accounts before it is migrated into a production environment?
  Weighting: 8 | Function: Protect | X X

Technology Development & Acquisition | Cybersecurity & Data Privacy Testing Throughout Development | TDA-09
  Control: Mechanisms exist to require system developers/integrators consult with cybersecurity & data privacy personnel to:
    ▪ Create and implement a Security Test and Evaluation (ST&E) plan;
    ▪ Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
    ▪ Document the results of the security testing/evaluation and flaw remediation processes.
  Methods to comply: Security Test & Evaluation (ST&E)
  ERL IDs: E-TDA-03; E-TDA-05
  Question: Does the organization require system developers/integrators consult with cybersecurity & data privacy personnel to:
    ▪ Create and implement a Security Test and Evaluation (ST&E) plan;
    ▪ Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
    ▪ Document the results of the security testing/evaluation and flaw remediation processes?
  Weighting: 9 | Function: Protect | X X X

Technology Development & Acquisition | Continuous Monitoring Plan | TDA-09.1
  Control: Mechanisms exist to require the developers of systems, system components or services to produce a plan for the continuous monitoring of cybersecurity & data privacy control effectiveness.
  ERL IDs: E-TDA-03
  Question: Does the organization require the developers of systems, system components or services to produce a plan for the continuous monitoring of cybersecurity & data privacy control effectiveness?
  Weighting: 9 | Function: Detect | X X

Technology Development & Acquisition | Static Code Analysis | TDA-09.2
  Control: Mechanisms exist to require the developers of systems, system components or services to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis.
  ERL IDs: E-TDA-03
  Question: Does the organization require the developers of systems, system components or services to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis?
  Weighting: 9 | Function: Detect | X


Technology Development & Acquisition | Dynamic Code Analysis | TDA-09.3
  Control: Mechanisms exist to require the developers of systems, system components or services to employ dynamic code analysis tools to identify and remediate common flaws and document the results of the analysis.
  ERL IDs: E-TDA-03
  Question: Does the organization require the developers of systems, system components or services to employ dynamic code analysis tools to identify and remediate common flaws and document the results of the analysis?
  Weighting: 9 | Function: Detect | X

Technology Development & Acquisition | Malformed Input Testing | TDA-09.4
  Control: Mechanisms exist to utilize testing methods to ensure systems, services and products continue to operate as intended when subject to invalid or unexpected inputs on its interfaces.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/); NNT Change Tracker (https://www.newnettechnologies.com)
  ERL IDs: E-TDA-03
  Question: Does the organization utilize testing methods to ensure systems, services and products continue to operate as intended when subject to invalid or unexpected inputs on its interfaces?
  Weighting: 7 | Function: Detect | X

Technology Development & Acquisition | Application Penetration Testing | TDA-09.5
  Control: Mechanisms exist to perform application-level penetration testing of custom-made applications and services.
  Methods to comply: NNT Change Tracker (https://www.newnettechnologies.com)
  ERL IDs: E-TDA-03
  Question: Does the organization perform application-level penetration testing of custom-made applications and services?
  Weighting: 9 | Function: Detect | X

Technology Development & Acquisition | Secure Settings By Default | TDA-09.6
  Control: Mechanisms exist to implement secure configuration settings by default to reduce the likelihood of software being deployed with weak security settings that would put the asset at a greater risk of compromise.
  ERL IDs: E-TDA-03
  Question: Does the organization implement secure configuration settings by default to reduce the likelihood of software being deployed with weak security settings that would put the asset at a greater risk of compromise?
  Weighting: 9 | Function: Protect | X X X

Technology Development & Acquisition | Manual Code Review | TDA-09.7
  Control: Mechanisms exist to require the developers of systems, system components or services to employ a manual code review process to identify and remediate unique flaws that require knowledge of the application’s requirements and design.
  Question: Does the organization require the developers of systems, system components or services to employ a manual code review process to identify and remediate unique flaws that require knowledge of the application’s requirements and design?
  Weighting: 5 | Function: Detect | X X

Technology Development & Acquisition | Use of Live Data | TDA-10
  Control: Mechanisms exist to approve, document and control the use of live data in development and test environments.
  Question: Does the organization approve, document and control the use of live data in development and test environments?
  Weighting: 9 | Function: Protect | X X

Technology Development & Acquisition | Test Data Integrity | TDA-10.1
  Control: Mechanisms exist to ensure the integrity of test data through existing cybersecurity & data privacy controls.
  Methods to comply: CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Question: Does the organization ensure the integrity of test data through existing cybersecurity & data privacy controls?
  Weighting: 8 | Function: Protect | X X

Technology Development & Acquisition | Product Tampering and Counterfeiting (PTC) | TDA-11
  Control: Mechanisms exist to maintain awareness of component authenticity by developing and implementing Product Tampering and Counterfeiting (PTC) practices that include the means to detect and prevent counterfeit components.
  Question: Does the organization maintain awareness of component authenticity by developing and implementing Product Tampering and Counterfeiting (PTC) practices that include the means to detect and prevent counterfeit components?
  Weighting: 9 | Function: Protect | X X X

Technology Development & Acquisition | Anti-Counterfeit Training | TDA-11.1
  Control: Mechanisms exist to train personnel to detect counterfeit system components, including hardware, software and firmware.
  Question: Does the organization train personnel to detect counterfeit system components, including hardware, software and firmware?
  Weighting: 6 | Function: Protect | X X

[deprecated - incorporated into AST-09]

Technology Development & Acquisition | Component Disposal | TDA-11.2
  Control: Mechanisms exist to dispose of system components using organization-defined techniques and methods to prevent such components from entering the gray market.
  Question: Does the organization dispose of system components using organization-defined techniques and methods to prevent such components from entering the gray market?
  Weighting: 9 | Function: Protect | X X

Technology Development & Acquisition | Customized Development of Critical Components | TDA-12
  Control: Mechanisms exist to custom-develop critical system components, when Commercial Off The Shelf (COTS) solutions are unavailable.
  Methods to comply: OWASP
  Question: Does the organization custom-develop critical system components, when Commercial Off The Shelf (COTS) solutions are unavailable?
  Weighting: 8 | Function: Protect | X X

Technology Development & Acquisition | Developer Screening | TDA-13
  Control: Mechanisms exist to ensure that the developers of systems, applications and/or services have the requisite skillset and appropriate access authorizations.
  Question: Does the organization ensure that the developers of systems, applications and/or services have the requisite skillset and appropriate access authorizations?
  Weighting: 9 | Function: Protect | X X

Technology Development & Acquisition | Developer Configuration Management | TDA-14
  Control: Mechanisms exist to require system developers and integrators to perform configuration management during system design, development, implementation and operation.
  Question: Does the organization require system developers and integrators to perform configuration management during system design, development, implementation and operation?
  Weighting: 9 | Function: Protect | X X


TDA-14.1 Software / Firmware Integrity Verification (Technology Development & Acquisition)
  Control: Mechanisms exist to require the developers of systems, system components or services to enable integrity verification of software and firmware components.
  Methods to comply: - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Control question: Does the organization require the developers of systems, system components or services to enable integrity verification of software and firmware components?
  Weighting: 8 | Function: Protect | Flags: X X

TDA-14.2 Hardware Integrity Verification (Technology Development & Acquisition)
  Control: Mechanisms exist to require the developers of systems, system components or services to enable integrity verification of hardware components.
  Control question: Does the organization require the developers of systems, system components or services to enable integrity verification of hardware components?
  Weighting: 5 | Function: Protect | Flags: X

TDA-15 Developer Threat Analysis & Flaw Remediation (Technology Development & Acquisition)
  Control: Mechanisms exist to require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party.
  Methods to comply: - Security Test and Evaluation (ST&E) plan
  Control question: Does the organization require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party?
  Weighting: 9 | Function: Protect | Flags: X X

TDA-16 Developer-Provided Training (Technology Development & Acquisition)
  Control: Mechanisms exist to require the developers of systems, system components or services to provide training on the correct use and operation of the system, system component or service.
  Control question: Does the organization require the developers of systems, system components or services to provide training on the correct use and operation of the system, system component or service?
  Weighting: 9 | Function: Protect | Flags: X X

TDA-17 Unsupported Systems (Technology Development & Acquisition)
  Control: Mechanisms exist to prevent unsupported systems by:
    ▪ Replacing systems when support for the components is no longer available from the developer, vendor or manufacturer; and
    ▪ Requiring justification and documented approval for the continued use of unsupported system components required to satisfy mission/business needs.
  ERL #: E-AST-09
  Control question: Does the organization prevent unsupported systems by:
    ▪ Replacing systems when support for the components is no longer available from the developer, vendor or manufacturer; and
    ▪ Requiring justification and documented approval for the continued use of unsupported system components required to satisfy mission/business needs?
  Weighting: 10 | Function: Protect | Flags: X X

TDA-17.1 Alternate Sources for Continued Support (Technology Development & Acquisition)
  Control: Mechanisms exist to provide in-house support or contract external providers for support with unsupported system components.
  Control question: Does the organization provide in-house support or contract external providers for support with unsupported system components?
  Weighting: 8 | Function: Protect | Flags: X X

TDA-18 Input Data Validation (Technology Development & Acquisition)
  Control: Mechanisms exist to check the validity of information inputs.
  Control question: Does the organization check the validity of information inputs?
  Weighting: 9 | Function: Protect | Flags: X X X

TDA-19 Error Handling (Technology Development & Acquisition)
  Control: Mechanisms exist to handle error conditions by:
    ▪ Identifying potentially security-relevant error conditions;
    ▪ Generating error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages that could be exploited; and
    ▪ Revealing error messages only to authorized personnel.
  Control question: Does the organization handle error conditions by:
    ▪ Identifying potentially security-relevant error conditions;
    ▪ Generating error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages that could be exploited; and
    ▪ Revealing error messages only to authorized personnel?
  Weighting: 9 | Function: Protect | Flags: X X

TDA-20 Access to Program Source Code (Technology Development & Acquisition)
  Control: Mechanisms exist to limit privileges to change software resident within software libraries.
  Methods to comply: - Source code escrow
  Control question: Does the organization limit privileges to change software resident within software libraries?
  Weighting: 9 | Function: Protect | Flags: X X

TDA-20.1 Software Release Integrity Verification (Technology Development & Acquisition)
  Control: Mechanisms exist to publish integrity verification information for software releases.
  Control question: Does the organization publish integrity verification information for software releases?
  Weighting: 6 | Function: Protect | Flags: X X

TDA-20.2 Archiving Software Releases (Technology Development & Acquisition)
  Control: Mechanisms exist to archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information.
  Control question: Does the organization archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information?
  Weighting: 8 | Function: Protect | Flags: X X

TDA-20.3 Software Escrow (Technology Development & Acquisition)
  Control: Mechanisms exist to escrow source code and supporting documentation to ensure software availability in the event the software provider goes out of business or is unable to provide support.
  ERL #: E-TDA-13
  Control question: Does the organization escrow source code and supporting documentation to ensure software availability in the event the software provider goes out of business or is unable to provide support?
  Weighting: 7 | Function: Protect | Flags: X X X

TPM-01 Third-Party Management (Third-Party Management)
  Control: Mechanisms exist to facilitate the implementation of third-party management controls.
  Methods to comply:
    - Procurement program
    - Contract reviews
  ERL #: E-TPM-03
  Control question: Does the organization facilitate the implementation of third-party management controls?
  Weighting: 10 | Function: Identify | Flags: X X X

TPM-01.1 Third-Party Inventories (Third-Party Management)
  Control: Mechanisms exist to maintain a current, accurate and complete list of External Service Providers (ESPs) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's systems, applications, services and data.
  ERL #: E-AST-06, E-DCH-06
  Control question: Does the organization maintain a current, accurate and complete list of External Service Providers (ESPs) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's systems, applications, services and data?
  Weighting: 8 | Function: Identify | Flags: X X

TPM-02 Third-Party Criticality Assessments (Third-Party Management)
  Control: Mechanisms exist to identify, prioritize and assess suppliers and partners of critical systems, components and services using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.
  Methods to comply: - Data Protection Impact Assessment (DPIA)
  ERL #: E-TPM-02
  Control question: Does the organization identify, prioritize and assess suppliers and partners of critical systems, components and services using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services?
  Weighting: 9 | Function: Identify | Flags: X X X

TPM-03 Supply Chain Protection (Third-Party Management)
  Control: Mechanisms exist to evaluate security risks associated with the services and product supply chain.
  Methods to comply: - Data Protection Impact Assessment (DPIA)
  ERL #: E-RSK-02
  Control question: Does the organization evaluate security risks associated with the services and product supply chain?
  Weighting: 9 | Function: Identify | Flags: X X X

TPM-03.1 Acquisition Strategies, Tools & Methods (Third-Party Management)
  Control: Mechanisms exist to utilize tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services.
  Methods to comply: - Data Protection Impact Assessment (DPIA)
  Control question: Does the organization utilize tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services?
  Weighting: 9 | Function: Identify | Flags: X X X

TPM-03.2 Limit Potential Harm (Third-Party Management)
  Control: Mechanisms exist to utilize security safeguards to limit harm from potential adversaries who identify and target the organization's supply chain.
  Methods to comply:
    - Data Protection Impact Assessment (DPIA)
    - Liability clause in contracts
  Control question: Does the organization utilize security safeguards to limit harm from potential adversaries who identify and target the organization's supply chain?
  Weighting: 9 | Function: Identify | Flags: X X

TPM-03.3 Processes To Address Weaknesses or Deficiencies (Third-Party Management)
  Control: Mechanisms exist to address identified weaknesses or deficiencies in the security of the supply chain.
  Methods to comply: - Data Protection Impact Assessment (DPIA)
  Control question: Does the organization address identified weaknesses or deficiencies in the security of the supply chain?
  Weighting: 9 | Function: Identify | Flags: X X X

TPM-03.4 Adequate Supply (Third-Party Management)
  Control: Mechanisms exist to develop and implement a spare parts strategy to ensure that an adequate supply of critical components is available to meet operational needs.
  Control question: Does the organization develop and implement a spare parts strategy to ensure that an adequate supply of critical components is available to meet operational needs?
  Weighting: 9 | Function: Protect | Flags: X X

TPM-04 Third-Party Services (Third-Party Management)
  Control: Mechanisms exist to mitigate the risks associated with third-party access to the organization’s systems and data.
  Methods to comply:
    - Conduct an organizational assessment of risk prior to the acquisition or outsourcing of services.
    - Maintain and implement policies and procedures to manage service providers (e.g., Software-as-a-Service (SaaS), web hosting companies, colocation providers, or email providers), through observation, review of policies and procedures and review of supporting documentation.
  ERL #: E-CPL-06
  Control question: Does the organization mitigate the risks associated with third-party access to the organization’s systems and data?
  Weighting: 10 | Function: Identify | Flags: X X

TPM-04.1 Third-Party Risk Assessments & Approvals (Third-Party Management)
  Control: Mechanisms exist to conduct a risk assessment prior to the acquisition or outsourcing of technology-related services.
  Methods to comply:
    - Conduct an organizational assessment of risk prior to the acquisition or outsourcing of services.
    - Maintain a list of service providers.
    - Maintain and implement controls to manage security providers (e.g., backup tape storage facilities or security service providers), through observation, review of policies and procedures and review of supporting documentation.
  Control question: Does the organization conduct a risk assessment prior to the acquisition or outsourcing of technology-related services?
  Weighting: 9 | Function: Identify | Flags: X X

TPM-04.2 External Connectivity Requirements - Identification of Ports, Protocols & Services (Third-Party Management)
  Control: Mechanisms exist to require External Service Providers (ESPs) to identify and document the business need for ports, protocols and other services it requires to operate its processes and technologies.
  ERL #: E-CPL-06, E-TDA-07
  Control question: Does the organization require External Service Providers (ESPs) to identify and document the business need for ports, protocols and other services it requires to operate its processes and technologies?
  Weighting: 7 | Function: Identify | Flags: X X

TPM-04.3 Conflict of Interests (Third-Party Management)
  Control: Mechanisms exist to ensure that the interests of external service providers are consistent with and reflect organizational interests.
  Methods to comply: - Third-party contract requirements for cybersecurity controls
  Control question: Does the organization ensure that the interests of external service providers are consistent with and reflect organizational interests?
  Weighting: 8 | Function: Identify | Flags: X

TPM-04.4 Third-Party Processing, Storage and Service Locations (Third-Party Management)
  Control: Mechanisms exist to restrict the location of information processing/storage based on business requirements.
  ERL #: E-AST-23
  Control question: Does the organization restrict the location of information processing/storage based on business requirements?
  Weighting: 10 | Function: Identify | Flags: X

TPM-05 Third-Party Contract Requirements (Third-Party Management)
  Control: Mechanisms exist to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization’s needs to protect systems and data.
  Methods to comply: - Non-Disclosure Agreements (NDAs)
  ERL #: E-TPM-01, E-TPM-03
  Control question: Does the organization identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization’s needs to protect systems and data?
  Weighting: 10 | Function: Identify | Flags: X X X

TPM-05.1 Security Compromise Notification Agreements (Third-Party Management)
  Control: Mechanisms exist to compel External Service Providers (ESPs) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected systems, applications and/or services that the organization utilizes.
  Control question: Does the organization compel External Service Providers (ESPs) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected systems, applications and/or services that the organization utilizes?
  Weighting: 9 | Function: Detect | Flags: X X

TPM-05.2 Contract Flow-Down Requirements (Third-Party Management)
  Control: Mechanisms exist to ensure cybersecurity & data privacy requirements are included in contracts that flow-down to applicable sub-contractors and suppliers.
  Control question: Does the organization ensure cybersecurity & data privacy requirements are included in contracts that flow-down to applicable sub-contractors and suppliers?
  Weighting: 9 | Function: Protect | Flags: X X

TPM-05.3 Third-Party Authentication Practices (Third-Party Management)
  Control: Mechanisms exist to ensure External Service Providers (ESPs) use unique authentication factors for each of its customers.
  Control question: Does the organization ensure External Service Providers (ESPs) use unique authentication factors for each of its customers?
  Weighting: 8 | Function: Protect | Flags: X X

TPM-05.4 Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix (Third-Party Management)
  Control: Mechanisms exist to document and maintain a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to delineate assignment for cybersecurity & data privacy controls between internal stakeholders and External Service Providers (ESPs).
  Methods to comply:
    - Customer Responsibility Matrix (CRM)
    - Shared Responsibility Matrix (SRM)
    - Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix
  ERL #: E-CPL-03
  Control question: Does the organization document and maintain a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to delineate assignment for cybersecurity & data privacy controls between internal stakeholders and External Service Providers (ESPs)?
  Weighting: 8 | Function: Identify | Flags: X X X

TPM-05.5 Third-Party Scope Review (Third-Party Management)
  Control: Mechanisms exist to perform recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to ensure cybersecurity & data privacy control assignments accurately reflect current business practices, compliance obligations, technologies and stakeholders.
  ERL #: E-TPM-03
  Control question: Does the organization perform recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to ensure cybersecurity & data privacy control assignments accurately reflect current business practices, compliance obligations, technologies and stakeholders?
  Weighting: 10 | Function: Identify | Flags: X X X

TPM-05.6 First-Party Declaration (1PD) (Third-Party Management)
  Control: Mechanisms exist to obtain a First-Party Declaration (1PD) from applicable External Service Providers (ESPs) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity & data privacy controls, including any flow-down requirements to subcontractors.
  Control question: Does the organization obtain a First-Party Declaration (1PD) from applicable External Service Providers (ESPs) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity & data privacy controls, including any flow-down requirements to subcontractors?
  Weighting: 7 | Function: Identify | Flags: X

TPM-05.7 Break Clauses (Third-Party Management)
  Control: Mechanisms exist to include "break clauses" within contracts for failure to meet contract criteria for cybersecurity and/or data privacy controls.
  ERL #: E-TPM-05
  Control question: Does the organization include "break clauses" within contracts for failure to meet contract criteria for cybersecurity and/or data privacy controls?
  Weighting: 9 | Function: Protect | Flags: X X

TPM-06 Third-Party Personnel Security (Third-Party Management)
  Control: Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers.
  Control question: Does the organization control personnel security requirements including security roles and responsibilities for third-party providers?
  Weighting: 9 | Function: Identify | Flags: X

TPM-07 Monitoring for Third-Party Information Disclosure (Third-Party Management)
  Control: Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of organizational information.
  Control question: Does the organization monitor for evidence of unauthorized exfiltration or disclosure of organizational information?
  Weighting: 8 | Function: Identify | Flags: X

TPM-08 Review of Third-Party Services (Third-Party Management)
  Control: Mechanisms exist to monitor, regularly review and audit External Service Providers (ESPs) for compliance with established contractual requirements for cybersecurity & data privacy controls.
  ERL #: E-TPM-03
  Control question: Does the organization monitor, regularly review and audit External Service Providers (ESPs) for compliance with established contractual requirements for cybersecurity & data privacy controls?
  Weighting: 9 | Function: Identify | Flags: X X

TPM-09 Third-Party Deficiency Remediation (Third-Party Management)
  Control: Mechanisms exist to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
  ERL #: E-TPM-03
  Control question: Does the organization address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements?
  Weighting: 9 | Function: Identify | Flags: X X

TPM-10 Managing Changes To Third-Party Services (Third-Party Management)
  Control: Mechanisms exist to control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party.
  Methods to comply:
    - Contract requirement to report changes to service offerings that may impact the contract.
    - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Control question: Does the organization control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party?
  Weighting: 8 | Function: Identify | Flags: X X X

TPM-11 Third-Party Incident Response & Recovery Capabilities (Third-Party Management)
  Control: Mechanisms exist to ensure response/recovery planning and testing are conducted with critical suppliers/providers.
  Control question: Does the organization ensure response/recovery planning and testing are conducted with critical suppliers/providers?
  Weighting: 8 | Function: Identify | Flags: X

THR-01 Threat Intelligence Program (Threat Management)
  Control: Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.
  ERL #: E-THR-04
  Control question: Does the organization implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities?
  Weighting: 8 | Function: Identify | Flags: X X X

THR-02 Indicators of Exposure (IOE) (Threat Management)
  Control: Mechanisms exist to develop Indicators of Exposure (IOE) to understand the potential attack vectors that attackers could use to attack the organization.
  Methods to comply: - Indicators of Exposure (IoE)
  ERL #: E-THR-01
  Control question: Does the organization develop Indicators of Exposure (IOE) to understand the potential attack vectors that attackers could use to attack the organization?
  Weighting: 8 | Function: Identify | Flags: X X X

THR-03 Threat Intelligence Feeds (Threat Management)
  Control: Mechanisms exist to maintain situational awareness of evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.
  Methods to comply:
    - US-CERT mailing lists & feeds
    - InfraGard
    - Internal newsletters
  ERL #: E-THR-03
  Control question: Does the organization maintain situational awareness of evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls?
  Weighting: 8 | Function: Identify | Flags: X X X

THR-04 Insider Threat Program (Threat Management)
  Control: Mechanisms exist to implement an insider threat program that includes a cross-discipline insider threat incident handling team.
  Methods to comply: - Insider threat program
  ERL #: E-THR-04
  Control question: Does the organization implement an insider threat program that includes a cross-discipline insider threat incident handling team?
  Weighting: 8 | Function: Identify | Flags: X X X

THR-05 Insider Threat Awareness (Threat Management)
  Control: Mechanisms exist to utilize security awareness training on recognizing and reporting potential indicators of insider threat.
  Control question: Does the organization utilize security awareness training on recognizing and reporting potential indicators of insider threat?
  Weighting: 8 | Function: Identify | Flags: X

THR-06 Vulnerability Disclosure Program (VDP) (Threat Management)
  Control: Mechanisms exist to establish a Vulnerability Disclosure Program (VDP) to assist with the secure development and maintenance of products and services that receives unsolicited input from the public about vulnerabilities in organizational systems, services and processes.
  Methods to comply: - "bug bounty" program
  ERL #: E-TDA-16
  Control question: Does the organization establish a Vulnerability Disclosure Program (VDP) to assist with the secure development and maintenance of products and services that receives unsolicited input from the public about vulnerabilities in organizational systems, services and processes?
  Weighting: 8 | Function: Detect | Flags: X X X

THR-07 Threat Hunting (Threat Management)
  Control: Mechanisms exist to perform cyber threat hunting that uses Indicators of Compromise (IoC) to detect, track and disrupt threats that evade existing security controls.
  ERL #: E-THR-05
  Control question: Does the organization perform cyber threat hunting that uses Indicators of Compromise (IoC) to detect, track and disrupt threats that evade existing security controls?
  Weighting: 4 | Function: Detect | Flags: X X X

THR-08 Tainting (Threat Management)
  Control: Mechanisms exist to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved.
  Control question: Does the organization embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved?
  Weighting: 1 | Function: Detect | Flags: X X X

THR-09 Threat Catalog (Threat Management)
  Control: Mechanisms exist to develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade.
  Control question: Does the organization develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade?
  Weighting: 5 | Function: Protect | Flags: X X X

THR-10 Threat Analysis (Threat Management)
  Control: Mechanisms exist to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.
  Control question: Does the organization identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats?
  Weighting: 7 | Function: Protect | Flags: X X X

VPM-01 Vulnerability & Patch Management Program (VPMP) (Vulnerability & Patch Management)
  Control: Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.
  Methods to comply: - Vulnerability & Patch Management Program (ComplianceForge)
  ERL #: E-MNT-03, E-THR-05, E-VPM-01
  Control question: Does the organization facilitate the implementation and monitoring of vulnerability management controls?
  Weighting: 9 | Function: Protect | Flags: X X

VPM-01.1 Attack Surface Scope (Vulnerability & Patch Management)
  Control: Mechanisms exist to define and manage the scope for its attack surface management activities.
  Control question: Does the organization define and manage the scope for its attack surface management activities?
  Weighting: 5 | Function: Protect | Flags: X X

VPM-02 Vulnerability Remediation Process (Vulnerability & Patch Management)
  Control: Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.
  Methods to comply:
    - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
    - NNT Change Tracker (https://www.newnettechnologies.com)
  Control question: Does the organization ensure that vulnerabilities are properly identified, tracked and remediated?
  Weighting: 10 | Function: Protect | Flags: X X X

VPM-03 Vulnerability Ranking (Vulnerability & Patch Management)
  Control: Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities using reputable outside sources for security vulnerability information.
  Methods to comply: - US-CERT
  Control question: Does the organization identify and assign a risk ranking to newly discovered security vulnerabilities using reputable outside sources for security vulnerability information?
  Weighting: 8 | Function: Identify | Flags: X

VPM-03.1 Vulnerability Exploitation Analysis (Vulnerability & Patch Management)
  Control: Mechanisms exist to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats exploiting known vulnerabilities.
  Control question: Does the organization identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats exploiting known vulnerabilities?
  Weighting: 5 | Function: Protect | Flags: X X

VPM-04 Continuous Vulnerability Remediation Activities (Vulnerability & Patch Management)
  Control: Mechanisms exist to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks.
  Methods to comply: - NNT Change Tracker (https://www.newnettechnologies.com)
  ERL #: E-MNT-03, E-THR-05
  Control question: Does the organization address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks?
  Weighting: 8 | Function: Protect | Flags: X

VPM-04.1 Stable Versions (Vulnerability & Patch Management)
  Control: Mechanisms exist to install the latest stable version of any software and/or security-related updates on all applicable systems.
  Control question: Does the organization install the latest stable version of any software and/or security-related updates on all applicable systems?
  Weighting: 8 | Function: Identify | Flags: X X

VPM-04.2 Flaw Remediation with Personal Data (PD) (Vulnerability & Patch Management)
  Control: Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD).
  Control question: Does the organization identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD)?
  Weighting: 8 | Function: Identify | Flags: X

VPM-05 Software & Firmware Patching (Vulnerability & Patch Management)
  Control: Mechanisms exist to conduct software patching for all deployed operating systems, applications and firmware.
  Methods to comply: - Patch management tools
  ERL #: E-MNT-03
  Control question: Does the organization conduct software patching for all deployed operating systems, applications and firmware?
  Weighting: 10 | Function: Protect | Flags: X X

VPM-05.1 Centralized Management of Flaw Remediation Processes (Vulnerability & Patch Management)
  Control: Mechanisms exist to centrally-manage the flaw remediation process.
  Methods to comply: - Patch management tools
  Control question: Does the organization centrally-manage the flaw remediation process?
  Weighting: 9 | Function: Protect | Flags: X X X

VPM-05.2 Automated Remediation Status (Vulnerability & Patch Management)
  Control: Automated mechanisms exist to determine the state of system components with regard to flaw remediation.
  Methods to comply:
    - Vulnerability scanning tools
    - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Control question: Does the organization use automated mechanisms to determine the state of system components with regard to flaw remediation?
  Weighting: 9 | Function: Protect | Flags: X

VPM-05.3 Time To Remediate / Benchmarks For Corrective Action (Vulnerability & Patch Management)
  Control: Mechanisms exist to track the effectiveness of remediation operations through metrics reporting.
  Methods to comply:
    - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
    - NNT Change Tracker (https://www.newnettechnologies.com)
  Control question: Does the organization track the effectiveness of remediation operations through metrics reporting?
  Weighting: 6 | Function: Protect | Flags: X X

VPM-05.4 Automated Software & Firmware Updates (Vulnerability & Patch Management)
  Control: Automated mechanisms exist to install the latest stable versions of security-relevant software and firmware updates.
  Control question: Does the organization use automated mechanisms to install the latest stable versions of security-relevant software and firmware updates?
  Weighting: 5 | Function: Protect | Flags: X

VPM-05.5 Removal of Previous Versions (Vulnerability & Patch Management)
  Control: Mechanisms exist to remove old versions of software and firmware components after updated versions have been installed.
  Control question: Does the organization remove old versions of software and firmware components after updated versions have been installed?
  Weighting: 5 | Function: Protect | Flags: X X

VPM-06 Vulnerability Scanning (Vulnerability & Patch Management)
  Control: Mechanisms exist to detect vulnerabilities and configuration errors by recurring vulnerability scanning of systems and web applications.
  Methods to comply:
    - External vulnerability scans (unauthenticated)
    - Internal vulnerability scans (authenticated)
    - Nessus (https://www.tenable.com/products/nessus/nessus-professional)
    - Qualys (https://www.qualys.com/)
    - Rapid7 (https://www.rapid7.com/)
    - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  ERL #: E-VPM-05
  Control question: Does the organization detect vulnerabilities and configuration errors by recurring vulnerability scanning of systems and web applications?
  Weighting: 9 | Function: Detect | Flags: X X

VPM-06.1 Update Tool Capability (Vulnerability & Patch Management)
  Control: Mechanisms exist to update vulnerability scanning tools.
  Control question: Does the organization update vulnerability scanning tools?
  Weighting: 8 | Function: Protect | Flags: X X

VPM-06.2 Breadth / Depth of Coverage (Vulnerability & Patch Management)
  Control: Mechanisms exist to identify the breadth and depth of coverage for vulnerability scanning that defines the system components scanned and types of vulnerabilities that are checked for.
  Methods to comply:
    - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
    - NNT Change Tracker (https://www.newnettechnologies.com)
  Control question: Does the organization identify the breadth and depth of coverage for vulnerability scanning that defines the system components scanned and types of vulnerabilities that are checked for?
  Weighting: 8 | Function: Protect | Flags: X X

VPM-06.3 Privileged Access (Vulnerability & Patch Management)
  Control: Mechanisms exist to implement privileged access authorization for selected vulnerability scanning activities.
  Methods to comply: - Authenticated scans
  Control question: Does the organization implement privileged access authorization for selected vulnerability scanning activities?
  Weighting: 9 | Function: Protect | Flags: X

VPM-06.4 Trend Analysis (Vulnerability & Patch Management)
  Control: Automated mechanisms exist to compare the results of vulnerability scans over time to determine trends in system vulnerabilities.
  Methods to comply: - CimTrak Integrity Suite (https://www.cimcor.com/cimtrak/)
  Control question: Does the organization use automated mechanisms to compare the results of vulnerability scans over time to determine trends in system vulnerabilities?
  Weighting: 9 | Function: Identify | Flags: X X

VPM-06.5 Review Historical Event Logs (Vulnerability & Patch Management)
  Control: Mechanisms exist to review historical event logs to determine if identified vulnerabilities have been previously exploited.
  Control question: Does the organization review historical event logs to determine if identified vulnerabilities have been previously exploited?
  Weighting: 9 | Function: Detect | Flags: X X

VPM-06.6 External Vulnerability Assessment Scans (Vulnerability & Patch Management)
  Control: Mechanisms exist to perform quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).
  ERL #: E-VPM-05
  Control question: Does the organization perform quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)?
  Weighting: 9 | Function: Detect | Flags: X X

VPM-06.7 Internal Vulnerability Assessment Scans (Vulnerability & Patch Management)
  Control: Mechanisms exist to perform quarterly internal vulnerability scans, which includes all segments of the organization's internal network, as well as rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).
  ERL #: E-VPM-05
  Control question: Does the organization perform quarterly internal vulnerability scans, which includes all segments of the organization's internal network, as well as rescans until passing results are obtained or all “high” vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)?
  Weighting: 9 | Function: Detect | Flags: X X

VPM-06.8 Acceptable Discoverable Information (Vulnerability & Patch Management)
  Control: Mechanisms exist to define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant systems.
  Control question: Does the organization define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant systems?
  Weighting: 5 | Function: Protect | Flags: X

VPM-06.9 Correlate Scanning Information (Vulnerability & Patch Management)
  Control: Automated mechanisms exist to correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
  Control question: Does the organization use automated mechanisms to correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors?
  Weighting: 5 | Function: Detect | Flags: X X

VPM-07 Penetration Testing (Vulnerability & Patch Management)
  Control: Mechanisms exist to conduct penetration testing on systems and web applications.
  ERL #: E-VPM-02, E-VPM-03
  Control question: Does the organization conduct penetration testing on systems and web applications?
  Weighting: 9 | Function: Detect | Flags: X

VPM-07.1 Independent Penetration Agent or Team (Vulnerability & Patch Management)
  Control: Mechanisms exist to utilize an independent assessor or penetration team to perform penetration testing.
  ERL #: E-VPM-04
  Control question: Does the organization utilize an independent assessor or penetration team to perform penetration testing?
  Weighting: 6 | Function: Detect | Flags: X

Mechanisms exist to utilize a technical surveillance countermeasures survey. - Facility sweeping for "bugs" or other unauthorized Does the organization utilize a technical surveillance countermeasures survey?
surveillance technologies.
Vulnerability & Patch Technical Surveillance VPM-08 1 Detect X
Management Countermeasures Security

Mechanisms exist to monitor logs associated with scanning activities and associated administrator - Security Incident Event Manager (SIEM) Does the organization monitor logs associated with scanning activities and associated administrator
accounts to ensure that those activities are limited to the timeframes of legitimate scans. accounts to ensure that those activities are limited to the timeframes of legitimate scans?
Vulnerability & Patch Reviewing Vulnerability
Management Scanner Usage VPM-09 3 Detect X X
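Two of the controls above describe automated checks rather than paperwork: VPM-06.4 (compare scan results over time) and VPM-09 (scanner-account activity must stay inside legitimate scan windows), with VPM-06.6/06.7 adding the "all high vulnerabilities resolved" pass criterion. The following is an added example written for this page, not SCF material and not any vendor's code: it diffs two constructed scan result sets and screens constructed SIEM-style log lines against an approved window. Host names, the finding identifiers F-101 through F-402, the service account svc-vulnscan and the window times are placeholders chosen for the example.

```python
"""Added example (not part of the SCF): checks backing VPM-06.4 and VPM-09.

trend()              - new / resolved / persisting findings between two scans
open_high_or_above() - findings that block a passing result (VPM-06.6/06.7)
out_of_window()      - scanner-account activity outside approved windows

Every record and log line below is constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed scan results, one record per (host, finding). Severity uses the
# CVSS qualitative scale referenced by the SCF controls.
SCAN_Q1 = [
    {"host": "web-01", "finding": "F-101", "severity": "high"},
    {"host": "web-01", "finding": "F-205", "severity": "medium"},
    {"host": "db-01", "finding": "F-310", "severity": "critical"},
]
SCAN_Q2 = [
    {"host": "web-01", "finding": "F-205", "severity": "medium"},   # persisting
    {"host": "db-01", "finding": "F-310", "severity": "critical"},  # persisting
    {"host": "app-02", "finding": "F-402", "severity": "high"},     # new
]


def trend(previous, current):
    """Return {'new', 'resolved', 'persisting'} -> Counter of severities.

    Findings are keyed on (host, finding), so the same weakness appearing on a
    second host counts as a new exposure rather than a repeat.
    """
    prev = {(r["host"], r["finding"]): r["severity"] for r in previous}
    curr = {(r["host"], r["finding"]): r["severity"] for r in current}
    return {
        "new": Counter(curr[k] for k in curr.keys() - prev.keys()),
        "resolved": Counter(prev[k] for k in prev.keys() - curr.keys()),
        "persisting": Counter(curr[k] for k in curr.keys() & prev.keys()),
    }


def open_high_or_above(current):
    """Findings that prevent a 'passing' scan: anything rated high or critical
    must be resolved (or rescanned clean) before the quarter can close."""
    return [r for r in current if r["severity"] in ("high", "critical")]


# Approved scan window (UTC) and the service accounts allowed to scan.
# Both are assumptions for the example.
SCAN_WINDOWS = [
    (datetime(2024, 3, 2, 1, 0, tzinfo=timezone.utc),
     datetime(2024, 3, 2, 5, 0, tzinfo=timezone.utc)),
]
SCANNER_ACCOUNTS = {"svc-vulnscan"}

# Constructed SIEM-style lines: "<ISO-8601 timestamp> <account> <event ...>".
LOG_LINES = [
    "2024-03-02T01:15:00Z svc-vulnscan login_success src=10.0.5.20",
    "2024-03-02T03:40:00Z svc-vulnscan auth_scan host=web-01",
    "2024-03-02T22:10:00Z svc-vulnscan login_success src=10.0.9.77",
    "2024-03-02T22:11:00Z svc-vulnscan auth_scan host=db-01",
    "2024-03-02T22:30:00Z alice login_success src=10.0.2.15",
]


def parse_line(line):
    """Split a log line into (aware datetime, account, remainder)."""
    ts, account, event = line.split(" ", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), account, event


def out_of_window(lines, windows=SCAN_WINDOWS, accounts=SCANNER_ACCOUNTS):
    """Return lines where a scanner account acted outside every approved window.

    That is the signal VPM-09 asks for: either the scanner credential is being
    misused or an unscheduled scan is running. Non-scanner accounts are ignored
    here; they are covered by ordinary privileged-access monitoring.
    """
    flagged = []
    for line in lines:
        ts, account, _ = parse_line(line)
        if account not in accounts:
            continue
        if not any(start <= ts <= end for start, end in windows):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print(trend(SCAN_Q1, SCAN_Q2))
    print(open_high_or_above(SCAN_Q2))
    print(out_of_window(LOG_LINES))
```

Keying on (host, finding) rather than on the finding alone is the design choice that matters: a "resolved" count that hides the same weakness resurfacing on a new host would flatter the trend line that VPM-06.4 exists to produce.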

106 of 280
Licensed by Creative Commons Attribution-NoDerivatives
version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

SCF # SCF AO # SCF Assessment Objective (AO) SCF Assessment Objective (AO) Origin
In addition to relevant policies, standards and procedures, the assessor shall examine, interview, and/or test to determine if appropriately scoped evidence exists to support the claim that:

GOV-01 GOV-01_A01 an organization-wide cybersecurity & privacy governance program is developed. 53A_R5_PM-01a.[01]

GOV-01 GOV-01_A02 the cybersecurity & privacy governance program is protected from unauthorized disclosure. 53A_R5_PM-01c.[01]

GOV-01 GOV-01_A03 the cybersecurity & privacy governance program is protected from unauthorized modification. 53A_R5_PM-01c.[02]

GOV-01 GOV-01_A04 the cybersecurity & privacy governance program is disseminated. 53A_R5_PM-01a.[02]

GOV-01 GOV-01_A05 the cybersecurity & privacy governance program provides an overview of the requirements for the security program. 53A_R5_PM-01a.01[01]

GOV-01 GOV-01_A06 the cybersecurity & privacy governance program provides a description of the security program management controls in place or planned for meeting those requirements. 53A_R5_PM-01a.01[02]

GOV-01 GOV-01_A07 the cybersecurity & privacy governance program provides a description of the common controls in place or planned for meeting those requirements. 53A_R5_PM-01a.01[03]

GOV-01 GOV-01_A08 the cybersecurity & privacy governance program includes the identification and assignment of roles. 53A_R5_PM-01a.02[01]

GOV-01 GOV-01_A09 the cybersecurity & privacy governance program includes the identification and assignment of responsibilities. 53A_R5_PM-01a.02[02]

GOV-01 GOV-01_A10 the cybersecurity & privacy governance program addresses management commitment. 53A_R5_PM-01a.02[03]

GOV-01 GOV-01_A11 the cybersecurity & privacy governance program addresses coordination among organizational entities. 53A_R5_PM-01a.02[04]

GOV-01 GOV-01_A12 the cybersecurity & privacy governance program addresses statutory, regulatory and/or contractual compliance obligations. 53A_R5_PM-01a.02[05]

GOV-01 GOV-01_A13 the cybersecurity & privacy governance program reflects the coordination among the organizational entities responsible for cybersecurity & privacy. 53A_R5_PM-01a.03

GOV-01 GOV-01_A14 the cybersecurity & privacy governance program is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations. 53A_R5_PM-01a.04

GOV-01 GOV-01_A15 the frequency at which to review and update the organization-wide cybersecurity & privacy governance program is defined. 53A_R5_PM-01_ODP[01]

GOV-01 GOV-01_A16 events that trigger the review and update of the organization-wide cybersecurity & privacy governance program are defined. 53A_R5_PM-01_ODP[02]

GOV-01 GOV-01_A17 the cybersecurity & privacy governance program is reviewed and updated frequently. 53A_R5_PM-01b.[01]

GOV-01 GOV-01_A18 the cybersecurity & privacy governance program is reviewed and updated following events. 53A_R5_PM-01b.[02]

GOV-01.1 GOV-01.1_A01 an executive steering committee, or advisory board, is formed and is comprised of key cybersecurity, technology, risk, privacy and business executives. SCF Created

GOV-01.1 GOV-01.1_A02 the executive steering committee, or advisory board, coordinates cybersecurity, technology, risk, privacy and business alignment through recurring, formal meetings. SCF Created

GOV-01.2 GOV-01.2_A01 the executive steering committee, or advisory board, makes executive decisions about matters considered material to the organization's cybersecurity and privacy program. SCF Created

GOV-02 GOV-02_A01 an official to manage the governance of cybersecurity & privacy policies and procedures is defined. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01_ODP[04]

GOV-02 GOV-02_A02 security and privacy policies are developed and documented. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01a.[01]; 171A_3.4.9[a]; 171A_3.9.2[a]; 53A_R5_AC-02a.[03]; 53A_R5_AC-04(25)_ODP[02]; 53A_R5_IA-04(05)_ODP; 53A_R5_SR-11a.[03]

GOV-02 GOV-02_A03 the cybersecurity & privacy policies address purpose. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01a.01(a)[01]; 171A_3.4.9[a]; 171A_3.9.2[a]; 53A_R5_AC-02a.[03]; 53A_R5_AC-04(25)_ODP[02]; 53A_R5_IA-04(05)_ODP; 53A_R5_SR-11a.[03]

GOV-02 GOV-02_A04 the cybersecurity & privacy policies address scope. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01a.01(a)[02]

GOV-02 GOV-02_A05 the cybersecurity & privacy policies address roles. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01a.01(a)[03]

GOV-02 GOV-02_A06 the cybersecurity & privacy policies address responsibilities. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01a.01(a)[04]

GOV-02 GOV-02_A07 the cybersecurity & privacy policies address management commitment. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01a.01(a)[05]

GOV-02 GOV-02_A08 the cybersecurity & privacy policies address coordination among organizational entities. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01a.01(a)[06]

GOV-02 GOV-02_A09 the cybersecurity & privacy policies address compliance. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01a.01(a)[07]

GOV-02 GOV-02_A10 the cybersecurity & privacy policies are consistent with applicable laws, regulations and contractual obligations. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01a.01(b)

GOV-02 GOV-02_A11 personnel or roles to whom the cybersecurity & privacy policies are to be disseminated is/are defined. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01_ODP[01]

GOV-02 GOV-02_A12 the cybersecurity & privacy policies are disseminated to personnel or roles. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01a.[02]

GOV-02 GOV-02_A13 the official is designated to manage the development, documentation and dissemination of the cybersecurity & privacy policies and procedures. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01b

GOV-02.1 GOV-02.1_A01 exception requests to standards are formally submitted for review, along with a business justification for the deviation and proposed compensating controls. SCF Created

GOV-02.1 GOV-02.1_A02 the exception request undergoes a risk assessment to evaluate the business justification and proposed compensating controls. SCF Created

GOV-02.1 GOV-02.1_A03 a determination is made to approve or deny the exception request, and the determination is documented. SCF Created

GOV-02.1 GOV-02.1_A04 the requestor of the exception is provided a response on the determination, including required actions, if applicable. SCF Created

GOV-03 GOV-03_A01 the frequency at which the cybersecurity & privacy policies are reviewed and updated is defined. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01_ODP[05]

GOV-03 GOV-03_A02 events that would require the current cybersecurity & privacy policies to be reviewed and updated are defined. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01_ODP[06]

GOV-03 GOV-03_A03 the organization's cybersecurity & privacy policies are reviewed and updated frequently. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01c.01[01]

GOV-03 GOV-03_A04 the cybersecurity & privacy policies are reviewed and updated following events. 53A_R5_{AC,AT,AU,CA,CM,CP,IA,IR,MA,MP,PE,PL,PS,PT,RA,SA,SC,SI,SR}-01c.01[02]

GOV-04 GOV-04_A01 a senior organizational cybersecurity position is appointed. 53A_R5_PM-02[01]

GOV-04 GOV-04_A02 the senior organizational cybersecurity position is provided with the mission and resources to coordinate an organization-wide cybersecurity program. 53A_R5_PM-02[02]

GOV-04 GOV-04_A03 the senior organizational cybersecurity position is provided with the mission and resources to develop an organization-wide cybersecurity program. 53A_R5_PM-02[03]

GOV-04 GOV-04_A04 the senior organizational cybersecurity position is provided with the mission and resources to implement an organization-wide cybersecurity program. 53A_R5_PM-02[04]

GOV-04 GOV-04_A05 the senior organizational cybersecurity position is provided with the mission and resources to maintain an organization-wide cybersecurity program. 53A_R5_PM-02[05]

GOV-04.1 GOV-04.1_A01 the cybersecurity & privacy governance program includes the identification and assignment of roles. 53A_R5_PM-01a.02[01]

GOV-04.1 GOV-04.1_A02 the cybersecurity & privacy governance program includes the identification and assignment of responsibilities. 53A_R5_PM-01a.02[02]

GOV-04.2 GOV-04.2_A01 a formal organization structure is published. SCF Created

GOV-04.2 GOV-04.2_A02 an individual's chain of command is clearly delineated. SCF Created

GOV-05 GOV-05_A01 cybersecurity measures of performance are developed. 53A_R5_PM-06[01]

GOV-05 GOV-05_A02 cybersecurity measures of performance are monitored. 53A_R5_PM-06[02]

GOV-05 GOV-05_A03 the results of cybersecurity measures of performance are reported. 53A_R5_PM-06[03]

GOV-05 GOV-05_A04 privacy measures of performance are developed. 53A_R5_PM-06[04]

GOV-05 GOV-05_A05 privacy measures of performance are monitored. 53A_R5_PM-06[05]

GOV-05 GOV-05_A06 the results of privacy measures of performance are reported. 53A_R5_PM-06[06]

GOV-05.1 GOV-05.1_A01 Key Performance Indicators (KPIs) are developed to assist organizational management in performance monitoring and trend analysis of specific aspects of the organization's cybersecurity & privacy program. SCF Created

GOV-05.2 GOV-05.2_A01 Key Risk Indicators (KRIs) are developed to assist senior management in performance monitoring and trend analysis of specific aspects of the organization's cybersecurity & privacy program. SCF Created

GOV-06 GOV-06_A01 relevant law enforcement and/or regulatory bodies are identified that necessitate communications. SCF Created

GOV-06 GOV-06_A02 contacts with relevant law enforcement and/or regulatory bodies are established and documented. SCF Created

GOV-07 GOV-07_A01 contact is established and institutionalized with selected groups and associations within the cybersecurity & privacy community to facilitate ongoing security education and training for organizational personnel. 53A_R5_PM-15a.[01]; 53A_R5_PM-15a.[02]

GOV-07 GOV-07_A02 contact is established and institutionalized with selected groups and associations within the cybersecurity & privacy community to maintain currency with recommended security practices, techniques and technologies. 53A_R5_PM-15b.[01]; 53A_R5_PM-15b.[02]

GOV-07 GOV-07_A03 contact is established and institutionalized with selected groups and associations within the cybersecurity & privacy community to share current security information, including threats, vulnerabilities and incidents. 53A_R5_PM-15c.[01]; 53A_R5_PM-15c.[02]

GOV-08 GOV-08_A01 the organization's mission is clearly defined and documented. SCF Created

GOV-08 GOV-08_A02 the organization's executive leadership defines and documents a formal business strategy that is used to provide operational guidance to key business leaders across the organization. SCF Created

GOV-09 GOV-09_A01 security and privacy-related control objectives are established as the basis for the selection, implementation and management of the organization’s internal control system. SCF Created

GOV-10 GOV-10_A01 the roles of the organization's data governance body are defined. 53A_R5_PM-23_ODP[01]

GOV-10 GOV-10_A02 the responsibilities of the organization's data governance body are defined. 53A_R5_PM-23_ODP[02]

GOV-10 GOV-10_A03 the organization's data governance body has defined roles with established responsibilities. 53A_R5_PM-23

GOV-10 GOV-10_A04 a data integrity board/function is established. 53A_R5_PM-24

GOV-10 GOV-10_A05 the data integrity board/function reviews proposals to conduct or participate in a matching program. 53A_R5_PM-24a.

GOV-10 GOV-10_A06 the data integrity board/function conducts an annual review of all matching programs in which the organization has participated. 53A_R5_PM-24b.

GOV-11 GOV-11_A01 systems or system components supporting mission-essential services or functions are defined. 53A_R5_PM-32_ODP

GOV-11 GOV-11_A02 systems or system components supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose. 53A_R5_PM-32

GOV-12 GOV-12_A01 an executive steering committee, or advisory board, evaluates business practices for possible forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to a host government for purposes of market access or market management practices. SCF Created

GOV-12 GOV-12_A02 measures exist for the executive steering committee, or advisory board, to proactively identify and evaluate host nation business practices to identify potential instances that exist for forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices. SCF Created

GOV-12 GOV-12_A03 actions are taken to prevent and/or block potential instances that enable the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices. SCF Created

GOV-13 GOV-13_A01 an executive steering committee, or advisory board, evaluates business practices for possible instances where host nation business practices could leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities. SCF Created

GOV-13 GOV-13_A02 measures exist for the executive steering committee, or advisory board, to proactively identify and evaluate host nation business practices that could leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities. SCF Created

GOV-13 GOV-13_A03 actions are taken to prevent and/or block potential instances where host nation business practices could leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities. SCF Created

GOV-14 GOV-14_A01 the executive steering committee, or advisory board, directs organization leadership to incorporate cybersecurity and privacy principles into Business As Usual (BAU) practices. SCF Created

GOV-14 GOV-14_A02 cybersecurity incidents are reviewed to identify incidents that occurred due to cybersecurity and/or privacy principles not being adopted as Business As Usual (BAU) practices. SCF Created

GOV-14 GOV-14_A03 identified deficiencies of cybersecurity and/or privacy principles not being adopted as Business As Usual (BAU) practices are tracked via a Plan of Action and Milestones (POA&M), or risk register, through remediation. SCF Created

GOV-15 GOV-15_A01 roles and responsibilities exist to compel data and/or process owners to operationalize cybersecurity and privacy practices for each system, application and/or service under their control. SCF Created

GOV-15 GOV-15_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners operationalized cybersecurity and privacy practices for each system, application and/or service under their control. SCF Created

GOV-15.1 GOV-15.1_A01 roles and responsibilities exist to compel data and/or process owners to select required cybersecurity and privacy controls for each system, application and/or service under their control. SCF Created

GOV-15.1 GOV-15.1_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners select required cybersecurity and privacy controls for each system, application and/or service under their control. SCF Created

GOV-15.2 GOV-15.2_A01 roles and responsibilities exist to compel data and/or process owners to implement required cybersecurity and privacy controls for each system, application and/or service under their control. SCF Created

GOV-15.2 GOV-15.2_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners implement required cybersecurity and privacy controls for each system, application and/or service under their control. SCF Created

GOV-15.3 GOV-15.3_A01 roles and responsibilities exist to compel data and/or process owners to assess if required cybersecurity and privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended. SCF Created

GOV-15.3 GOV-15.3_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners assess if required cybersecurity and privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended. SCF Created

GOV-15.4 GOV-15.4_A01 roles and responsibilities exist to compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control. SCF Created

GOV-15.4 GOV-15.4_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners obtain authorization for the production use of each system, application and/or service under their control. SCF Created

GOV-15.5 GOV-15.5_A01 roles and responsibilities exist to compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity and privacy controls are operating as intended. SCF Created

GOV-15.5 GOV-15.5_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity and privacy controls are operating as intended. SCF Created

AAT-01 AAT-01_A01 Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific policies, standards and procedures are developed and documented. SCF Created

AAT-01 AAT-01_A02 Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific policies, standards and procedures are implemented effectively. SCF Created

AAT-01.1 AAT-01.1_A01 the organization analyzes its business practices to determine applicable statutory, regulatory and/or contractual obligations for Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-01.2 AAT-01.2_A01 secure engineering principles are defined. 53A_R5_SA-08_ODP[01]

AAT-01.2 AAT-01.2_A02 privacy engineering principles are defined. 53A_R5_SA-08_ODP[02]

AAT-01.3 AAT-01.3_A01 the organization analyzes its business practices for Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-01.3 AAT-01.3_A02 the organization continuously improves its business practices to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-02 AAT-02_A01 an inventory of systems and system components that is at the level of granularity deemed necessary for tracking and reporting is documented. 53A_R5_CM-08a.04

AAT-02.1 AAT-02.1_A01 a risk catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific risks is documented. SCF Created

AAT-02.1 AAT-02.1_A02 a compliance catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific laws, regulations and contractual obligations is documented. SCF Created

AAT-02.1 AAT-02.1_A03 the organization maps its risk catalog to its compliance catalog for Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-02.2 AAT-02.2_A01 roles and responsibilities exist to compel data and/or process owners to select required cybersecurity and privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT) under their control. SCF Created

AAT-02.2 AAT-02.2_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners operationalized cybersecurity and privacy practices for Artificial Intelligence (AI) and Autonomous Technologies (AAT) under their control. SCF Created

AAT-03 AAT-03_A01 the context for the intended purpose(s) for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented. SCF Created

AAT-03 AAT-03_A02 the context for the potentially beneficial use(s) for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented. SCF Created

AAT-03 AAT-03_A03 the context for the legal and regulatory compliance for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented. SCF Created

AAT-03 AAT-03_A04 the context for the norms and expectations for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented. SCF Created

AAT-03 AAT-03_A05 the context for the proposed deployment setting(s) for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented. SCF Created

AAT-03.1 AAT-03.1_A01 the mission for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is clearly documented. SCF Created

AAT-03.1 AAT-03.1_A02 the relevant goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are clearly documented. SCF Created

AAT-04 AAT-04_A01 capabilities for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are benchmarked. SCF Created

AAT-04 AAT-04_A02 targeted usage for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is benchmarked. SCF Created

AAT-04 AAT-04_A03 goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are benchmarked. SCF Created

AAT-04 AAT-04_A04 expected benefits for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are benchmarked. SCF Created

AAT-04 AAT-04_A05 expected costs for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are benchmarked. SCF Created

AAT-04.1 AAT-04.1_A01 documented methods exist to viably assess the potential benefits of Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-04.2 AAT-04.2_A01 documented methods exist to viably assess the potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI)-related errors or system functionality and trustworthiness. SCF Created

AAT-04.3 AAT-04.3_A01 the scope for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is defined. SCF Created

AAT-04.4 AAT-04.4_A01 a risk catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific risks is documented. SCF Created

AAT-04.4 AAT-04.4_A02 a compliance catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific laws, regulations and contractual obligations is documented. SCF Created

AAT-04.4 AAT-04.4_A03 a Third-Party Service Provider (TSP) catalog that includes Software as a Service (SaaS) is documented. SCF Created

AAT-04.4 AAT-04.4_A04 the organization maps its risk catalog across its compliance and Third-Party Service Provider (TSP) catalog for Artificial Intelligence (AI) and Autonomous Technologies (AAT) to determine the scope and potential impact of AAT-related risks. SCF Created

AAT-05 AAT-05_A01 roles and responsibilities for role-based cybersecurity & privacy training are defined for Artificial Intelligence (AI) and Autonomous Technologies (AAT) internal and external stakeholders. SCF Created

AAT-05 AAT-05_A02 the frequency at which to provide role-based cybersecurity & privacy training to Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders after initial training is defined. SCF Created

AAT-05 AAT-05_A03 events that require role-based training content for Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be updated are defined. SCF Created

AAT-05 AAT-05_A04 role-based privacy training is provided to organization-defined roles and responsibilities before authorizing access to Artificial Intelligence (AI) and Autonomous Technologies (AAT) or performing assigned duties. SCF Created

AAT-05 AAT-05_A05 role-based cybersecurity & privacy training for Artificial Intelligence (AI) and Autonomous Technologies (AAT) is provided at an organization-defined frequency thereafter. SCF Created

AAT-06 AAT-06_A01 a documented methodology prioritizes workforce diversity, equity, inclusion and accessibility processes in the mapping, measuring and managing of Artificial Intelligence (AI)-related risks throughout the AAT lifecycle. SCF Created

AAT-07 AAT-07_A01 the organization leverages decision makers from a diversity of demographics for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. SCF Created

AAT-07 AAT-07_A02 the organization leverages decision makers from a diversity of disciplines for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. SCF Created

AAT-07 AAT-07_A03 the organization leverages decision makers from a diversity of experience for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. SCF Created

AAT-07 AAT-07_A04 the organization leverages decision makers from a diversity of expertise for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. SCF Created

AAT-07 AAT-07_A05 the organization leverages decision makers from a diversity of backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. SCF Created

AAT-07.1 AAT-07.1_A01 the organization characterizes the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals. SCF Created

AAT-07.1 AAT-07.1_A02 the organization characterizes the impact of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on groups. SCF Created

AAT-07.1 AAT-07.1_A03 the organization characterizes the impact of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on communities. SCF Created

AAT-07.1 AAT-07.1_A04 the organization characterizes the impact of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on organizations. SCF Created

Licensed by Creative Commons Attribution-NoDerivatives 110 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

AAT-07.1 AAT-07.1_A05 the organization characterizes the impact of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on society. SCF Created

AAT-07.2 AAT-07.2_A01 the potential likelihood is documented for each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts. SCF Created

AAT-07.2 AAT-07.2_A02 the potential impact is documented for each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts. SCF Created

AAT-07.3 AAT-07.3_A01 a documented strategy exists to implement continuous monitoring of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that maximizes benefits, while minimizing negative impacts. SCF Created

AAT-08 AAT-08_A01 cybersecurity & privacy roles and responsibilities are incorporated into organizational position descriptions. 53A_R5_PS-09[01]
53A_R5_PS-09[02]

AAT-08 AAT-08_A02 users are formally made aware of their roles and responsibilities to maintain a safe and secure working environment. SCF Created

AAT-08 AAT-08_A03 acknowledgement of user awareness is maintained by the organization. SCF Created

AAT-08 AAT-08_A04 the frequency at which to review and update position risk designations is defined. 53A_R5_PS-02_ODP

AAT-08 AAT-08_A05 a risk designation is assigned to all organizational positions. 53A_R5_PS-02a.

AAT-09 AAT-09_A01 a risk catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific risks is documented. SCF Created

AAT-09 AAT-09_A02 the organization maps its risk catalog, including potential impacts, to instances where Artificial Intelligence (AI) and Autonomous Technologies (AAT) is designed, developed, deployed, evaluated and used. SCF Created

AAT-10 AAT-10_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability is organization-wide. 53A_R5_CA-01_ODP[03]

AAT-10 AAT-10_A02 a process is implemented for ensuring that organizational plans for conducting security and/or privacy testing, training and monitoring activities associated with organizational systems are developed. 53A_R5_PM-14a.01[01]
53A_R5_PM-14a.01[03]

AAT-10 AAT-10_A03 a process is implemented for ensuring that organizational plans for conducting security and/or privacy testing, training and monitoring activities associated with organizational systems are maintained. 53A_R5_PM-14a.01[02]
53A_R5_PM-14a.01[04]

AAT-10 AAT-10_A04 a process is implemented for ensuring that organizational plans for conducting security and/or privacy testing, training and monitoring activities associated with organizational systems continue to be executed. 53A_R5_PM-14a.02[01]
53A_R5_PM-14a.02[02]

AAT-10 AAT-10_A05 the authorization processes are integrated into an organization-wide risk management program. 53A_R5_PM-10c.

AAT-10.1 AAT-10.1_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability evaluates Artificial Intelligence (AI) and Autonomous Technologies (AAT) for trustworthy characteristics. SCF Created

AAT-10.2 AAT-10.2_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability documents test sets used during AI TEVV. SCF Created

AAT-10.2 AAT-10.2_A02 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability documents metrics used during AI TEVV. SCF Created

AAT-10.2 AAT-10.2_A03 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability documents details about the tools used during AI TEVV. SCF Created

AAT-10.3 AAT-10.3_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes demonstrating the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed is valid and reliable. SCF Created

AAT-10.4 AAT-10.4_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability demonstrates the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed is safe. SCF Created

AAT-10.4 AAT-10.4_A02 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability demonstrates residual, negative risk from Artificial Intelligence (AI) and Autonomous Technologies (AAT) does not exceed the organization's risk tolerance and can fail safely, particularly if made to operate beyond its knowledge limits. SCF Created

AAT-10.4 AAT-10.4_A03 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability demonstrates Artificial Intelligence (AI) and Autonomous Technologies (AAT) can fail safely, particularly if made to operate beyond its knowledge limits. SCF Created

AAT-10.5 AAT-10.5_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability evaluates the security of the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed. SCF Created

AAT-10.5 AAT-10.5_A02 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability evaluates the resilience of the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed. SCF Created

AAT-10.6 AAT-10.6_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability is integrated into an organization-wide risk management program. SCF Created

AAT-10.6 AAT-10.6_A02 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability examines risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed. SCF Created

AAT-10.7 AAT-10.7_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes a Data Protection Impact Assessment (DPIA) to identify and remediate reasonably-expected risks to Personal Data (PD). SCF Created

AAT-10.8 AAT-10.8_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes examining fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed. SCF Created

AAT-10.9 AAT-10.9_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes validating the engineering model used in the design of the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed. SCF Created

AAT-10.10 AAT-10.10_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes a determination on the viability of the proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-10.11 AAT-10.11_A01 After Action Reviews (AARs), or similar lessons learned exercises, are conducted after each Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) cycle to evaluate the effectiveness of the AI TEVV processes. SCF Created

AAT-10.12 AAT-10.12_A01 results from Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) findings are evaluated against Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance demonstrated for conditions similar to deployment settings. SCF Created

AAT-10.12 AAT-10.12_A02 results from Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) findings are evaluated against Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related assurance criteria demonstrated for conditions similar to deployment settings. SCF Created

AAT-10.13 AAT-10.13_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability includes proactive and continuous monitoring of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created


AAT-10.14 AAT-10.14_A01 the organization's Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) capability integrates continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-11 AAT-11_A01 roles and responsibilities exist to compel data and/or process owners to ensure robust, ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts. SCF Created

AAT-11 AAT-11_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners conducted engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts. SCF Created

AAT-11.1 AAT-11.1_A01 roles and responsibilities exist to compel data and/or process owners to regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-11.1 AAT-11.1_A02 Individual Contributor (IC) performance reviews cover how data and/or process owners regularly collected, considered, prioritized and integrated risk-related feedback on Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-11.2 AAT-11.2_A01 independent assessors and/or internal stakeholders, who did not serve as front-line developers, are utilized for regular assessments and updates of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-11.3 AAT-11.3_A01 the organization collects feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics. SCF Created

AAT-11.3 AAT-11.3_A02 evaluation metrics from end users and impacted communities are integrated into Artificial Intelligence (AI) and Autonomous Technologies (AAT) developments. SCF Created

AAT-11.4 AAT-11.4_A01 pertinent information from Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related incidents and/or errors are communicated to relevant stakeholders, including affected communities. SCF Created

AAT-12 AAT-12_A01 an executive steering committee, or advisory board, evaluates business practices that want to or currently use Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-12 AAT-12_A02 measures exist for the executive steering committee, or advisory board, to proactively identify and evaluate third-party Intellectual Property (IP) infringement risks from Artificial Intelligence (AI) and Autonomous Technologies (AAT) usage. SCF Created

AAT-12 AAT-12_A03 actions are taken to prevent and/or block Artificial Intelligence (AI) and Autonomous Technologies (AAT) capabilities that infringe upon another party's Intellectual Property (IP). SCF Created

AAT-13 AAT-13_A01 stakeholder competencies, skills and capacities incorporate demographic diversity. SCF Created

AAT-13 AAT-13_A02 stakeholder competencies, skills and capacities incorporate broad domain expertise. SCF Created

AAT-13 AAT-13_A03 stakeholder competencies, skills and capacities incorporate broad user experience expertise. SCF Created

AAT-13.1 AAT-13.1_A01 roles and responsibilities exist to compel data and/or process owners to be proficient in Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-13.1 AAT-13.1_A02 the organization routinely assesses Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related operator and practitioner proficiency requirements. SCF Created

AAT-13.1 AAT-13.1_A03 roles and responsibilities are updated as Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related operator and practitioner proficiency requirements evolve. SCF Created

AAT-14 AAT-14_A01 the organization takes socio-technical implications into account to address risks associated with Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-14.1 AAT-14.1_A01 Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related stakeholders define the tasks that AAT will support (e.g., classifiers, generative models, recommenders). SCF Created

AAT-14.2 AAT-14.2_A01 the knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) are identified and documented. SCF Created

AAT-14.2 AAT-14.2_A02 stakeholders are provided the knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to assist in decision making. SCF Created

AAT-15 AAT-15_A01 an executive steering committee, or advisory board, defines criteria as to whether Artificial Intelligence (AI) and Autonomous Technologies (AAT) achieved intended purposes and stated objectives. SCF Created

AAT-15 AAT-15_A02 measures exist for the executive steering committee, or advisory board, to determine whether Artificial Intelligence (AI) and Autonomous Technologies (AAT) development or deployment should proceed. SCF Created

AAT-15.1 AAT-15.1_A01 residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers and end users of Artificial Intelligence (AI) and Autonomous Technologies (AAT) are identified. SCF Created

AAT-15.1 AAT-15.1_A02 residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers and end users of Artificial Intelligence (AI) and Autonomous Technologies (AAT) are documented in a Plan of Action & Milestones (POA&M), or similar risk register. SCF Created

AAT-15.2 AAT-15.2_A01 an executive steering committee, or advisory board, defines criteria for superseding, disengaging or deactivating Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-15.2 AAT-15.2_A02 an executive steering committee, or advisory board, assigns responsibility to responsible party(ies) for superseding, disengaging or deactivating Artificial Intelligence (AI) and Autonomous Technologies (AAT) when designated criteria are demonstrated. SCF Created

AAT-16 AAT-16_A01 responsible party(ies) monitor the functionality and behavior of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT) for anomalous performance or outcomes inconsistent with intended use. SCF Created

AAT-16.1 AAT-16.1_A01 a risk catalog of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-specific risks is documented. SCF Created

AAT-16.1 AAT-16.1_A02 Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are identified through consultation with domain experts and other end users. SCF Created

AAT-16.2 AAT-16.2_A01 cybersecurity & privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are regularly assessed for errors and potential impacts on affected communities. SCF Created

AAT-16.3 AAT-16.3_A01 responsible party(ies) that monitor the functionality and behavior of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT) are trained on identifying unmeasurable risks or trustworthiness characteristics. SCF Created

AAT-16.3 AAT-16.3_A02 unmeasurable risks or trustworthiness characteristics are reported in accordance with the organization's Incident Response Plan (IRP). SCF Created

AAT-16.4 AAT-16.4_A01 responsible party(ies) gather feedback about efficacy of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related measurements. SCF Created

AAT-16.4 AAT-16.4_A02 an executive steering committee, or advisory board, assesses the efficacy of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related measurements. SCF Created


AAT-16.5 AAT-16.5_A01 input from domain experts and relevant stakeholders is utilized to validate whether the Artificial Intelligence (AI) and Autonomous Technologies (AAT) perform consistently, as intended. SCF Created

AAT-16.6 AAT-16.6_A01 an executive steering committee, or advisory board, evaluates performance improvements or declines with domain experts and relevant stakeholders to define context-relevant risks and trustworthiness issues. SCF Created

AAT-16.7 AAT-16.7_A01 the organization utilizes pre-trained models for Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related monitoring and maintenance. SCF Created

AAT-17 AAT-17_A01 the organization proactively identifies unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. SCF Created

AAT-17 AAT-17_A02 the organization tracks existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks in a Plan of Action & Milestones (POA&M), or similar risk register. SCF Created

AAT-17.1 AAT-17.1_A01 an executive steering committee, or advisory board, evaluates business practices that could pose harm to human subjects from Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-17.1 AAT-17.1_A02 measures exist for the executive steering committee, or advisory board, to implement safeguards to protect human subjects from harm due to Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-17.2 AAT-17.2_A01 an executive steering committee, or advisory board, evaluates the environmental impacts of Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-17.2 AAT-17.2_A02 an executive steering committee, or advisory board, evaluates the sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT). SCF Created

AAT-17.3 AAT-17.3_A01 an incident response capability exists to appropriately respond to previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified. SCF Created

AAT-18 AAT-18_A01 an executive steering committee, or advisory board, tracks Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks that are difficult to assess using currently available measurement techniques or where metrics are not yet available. SCF Created

AAT-18.1 AAT-18.1_A01 responsible party(ies) prioritize, respond to and remediate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks based on assessments and other analytical output. SCF Created

AST-01 AST-01_A01 an authoritative source and repository are established to provide a trusted source and accountability for approved and implemented systems and system components. 172A_3.4.1e[c]
172A_3.4.1e[d]

AST-01 AST-01_A02 the frequency at which to review and update the system and system component inventory is defined. 53A_R5_CM-08_ODP[02]

AST-01 AST-01_A04 an inventory of systems and system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented. 53A_R5_CM-08a.04

AST-01.1 AST-01.1_A01 asset-service dependencies are identified and documented. SCF Created

AST-01.1 AST-01.1_A02 asset-service dependencies are assessed to evaluate cybersecurity & privacy concerns for technology assets that support more than one critical business function. SCF Created

AST-01.2 AST-01.2_A01 pertinent stakeholders of critical systems, applications and services are identified and documented. SCF Created

AST-01.2 AST-01.2_A02 pertinent stakeholders of critical systems, applications and services are involved in supporting the ongoing secure management of those assets. SCF Created

AST-01.3 AST-01.3_A01 a scalable, standardized naming convention exists for systems, applications and services that avoids asset naming conflicts. SCF Created

AST-02 AST-02_A01 a documented, up-to-date, complete, accurate and readily available inventory of systems and system components exists. 172A_3.4.3e[b]
171A_3.4.1[d]
172A_3.4.1e[b]
53A_R5_CM-08a.01
53A_R5_CM-08a.02
53A_R5_CM-08a.05
53A_R5_PM-05[01]

AST-02 AST-02_A02 the system inventory includes hardware, software, firmware and documentation. 171A_3.4.1[e]

AST-02 AST-02_A03 the inventory is maintained (reviewed and updated) throughout the system development life cycle. 171A_3.4.1[f]
53A_R5_CM-08b.

AST-02 AST-02_A04 approved systems and system components are identified. 172A_3.4.1e[a]

AST-02 AST-02_A05 information deemed necessary to achieve effective systems and system component accountability is defined. 53A_R5_CM-08_ODP[01]

AST-02 AST-02_A06 the frequency at which to update the inventory of systems and system components is defined. 53A_R5_PM-05_ODP

AST-02 AST-02_A07 the inventory of systems and system components is updated per an organization-defined frequency. 53A_R5_PM-05[02]

AST-02.1 AST-02.1_A01 the inventory of systems and system components is updated as part of component installations. 53A_R5_CM-08(01)[01]

AST-02.1 AST-02.1_A02 the inventory of systems and system components is updated as part of component removals. 53A_R5_CM-08(01)[02]

AST-02.1 AST-02.1_A03 the inventory of systems and system components is updated as part of system updates. 53A_R5_CM-08(01)[03]

AST-02.2 AST-02.2_A01 automated mechanisms used to detect the presence of unauthorized hardware within the system are defined. 53A_R5_CM-08(03)_ODP[01]
53A_R5_CM-08(03)(a)[01]

AST-02.2 AST-02.2_A02 automated mechanisms used to detect the presence of unauthorized software within the system are defined. 53A_R5_CM-08(03)_ODP[02]
53A_R5_CM-08(03)(a)[02]

AST-02.2 AST-02.2_A03 automated mechanisms used to detect the presence of unauthorized firmware within the system are defined. 53A_R5_CM-08(03)_ODP[03]
53A_R5_CM-08(03)(a)[03]

AST-02.2 AST-02.2_A04 the frequency at which automated mechanisms are used to detect the presence of unauthorized hardware, software and/or firmware within the system is defined. 53A_R5_CM-08(03)_ODP[04]

AST-02.2 AST-02.2_A05 automated mechanisms disable network access by unauthorized components, isolate unauthorized components and/or notify organization-defined personnel or roles. 53A_R5_CM-08(03)_ODP[05]

AST-02.2 AST-02.2_A06 personnel or roles to be notified when unauthorized components are detected is/are defined. 53A_R5_CM-08(03)_ODP[06]


AST-02.2 AST-02.2_A07 organization-defined actions are taken when unauthorized hardware, software and/or firmware is/are detected. 53A_R5_CM-08(03)(b)[01]
53A_R5_CM-08(03)(b)[02]
53A_R5_CM-08(03)(b)[03]

AST-02.3 AST-02.3_A01 an inventory of system components that accurately reflects the system is developed and documented. 53A_R5_CM-08a.01

AST-02.3 AST-02.3_A02 an inventory of system components that includes all components within the system is developed and documented. 53A_R5_CM-08a.02

AST-02.3 AST-02.3_A03 an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented. 53A_R5_CM-08a.03

AST-02.3 AST-02.3_A04 an inventory of system components that includes organization-defined information is developed and documented. 53A_R5_CM-08a.05

AST-02.3 AST-02.3_A05 the system component inventory is reviewed and updated frequently. 53A_R5_CM-08b.

AST-02.4 AST-02.4_A01 assessed component configurations are included in the system component inventory. 53A_R5_CM-08(06)[01]

AST-02.4 AST-02.4_A02 any approved deviations to current deployed configurations are included in the system component inventory. 53A_R5_CM-08(06)[02]

AST-02.5 AST-02.5_A01 system components that are known, authenticated, in a properly configured state or in a trust profile are identified. 172A_3.5.3e[a]

AST-02.5 AST-02.5_A02 automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems are identified. 172A_3.5.3e[b]

AST-02.5 AST-02.5_A03 automated or manual/procedural mechanisms are employed to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state or in a trust profile. 172A_3.5.3e[c]

AST-02.5 AST-02.5_A04 the configuration management process to be employed to handle device identification and authentication based on attestation is defined. 53A_R5_IA-03(04)_ODP

AST-02.5 AST-02.5_A05 device identification and authentication are handled based on attestation by the configuration management process. 53A_R5_IA-03(04)

AST-02.6 AST-02.6_A01 Dynamic Host Configuration Protocol (DHCP) server logging is implemented. SCF Created

AST-02.6 AST-02.6_A02 DHCP server logging is utilized to detect unknown systems. SCF Created

AST-02.7 AST-02.7_A01 administrative practices identify software licensing restrictions to ensure compliance with End User Licensing Agreements (EULA). SCF Created

AST-02.7 AST-02.7_A02 software inventories are automatically or manually reviewed for software licensing compliance. SCF Created

AST-02.8 AST-02.8_A01 a map of system data actions is developed and documented. 53A_R5_CM-13

AST-02.9 AST-02.9_A01 a centralized repository for the system and system component inventory is provided. 53A_R5_CM-08(07)

AST-02.9 AST-02.9_A02 automated mechanisms used to maintain the currency of the system component inventory are defined. 53A_R5_CM-08(02)_ODP[01]
53A_R5_CM-08(02)[01]

AST-02.9 AST-02.9_A03 automated mechanisms used to maintain the completeness of the system component inventory are defined. 53A_R5_CM-08(02)_ODP[02]
53A_R5_CM-08(02)[02]

AST-02.9 AST-02.9_A04 automated mechanisms used to maintain the accuracy of the system component inventory are defined. 53A_R5_CM-08(02)_ODP[03]
53A_R5_CM-08(02)[03]

AST-02.9 AST-02.9_A05 automated mechanisms used to maintain the availability of the system component inventory are defined. 53A_R5_CM-08(02)_ODP[04]
53A_R5_CM-08(02)[04]

AST-02.10 AST-02.10_A01 automated mechanisms for tracking components are defined. 53A_R5_CM-08(08)_ODP

AST-02.10 AST-02.10_A02 organization-defined automated mechanisms are used to support the tracking of system components by geographic location. 53A_R5_CM-08(08)

AST-02.11 AST-02.11_A01 personnel or roles from which to receive an acknowledgement is/are defined. 53A_R5_CM-08(09)_ODP

AST-02.11 AST-02.11_A02 system components are assigned to a system. 53A_R5_CM-08(09)(a)

AST-02.11 AST-02.11_A03 an acknowledgement of the component assignment is received from organization-defined personnel or roles. 53A_R5_CM-08(09)(b)

AST-03 AST-03_A01 name, position and/or role of data ownership is documented. 53A_R5_CM-08(04)_ODP

AST-03.1 AST-03.1_A01 individuals responsible and accountable for administering system components are identified by organization-defined criteria in the system component inventory. 53A_R5_CM-08(04)

AST-03.2 AST-03.2_A01 systems, system components and associated data that require valid provenance are defined. 53A_R5_SR-04_ODP

AST-03.2 AST-03.2_A02 valid provenance is documented for systems, system components and associated data. 53A_R5_SR-04[01]

AST-03.2 AST-03.2_A03 valid provenance is monitored for systems, system components and associated data. 53A_R5_SR-04[02]

AST-03.2 AST-03.2_A04 valid provenance is maintained for systems, system components and associated data. 53A_R5_SR-04[03]

AST-03.2 AST-03.2_A05 supply chain elements, processes and personnel associated with systems and critical system components that require unique identification are defined. 53A_R5_SR-04(01)_ODP

AST-03.2 AST-03.2_A06 unique identification of supply chain elements, processes and personnel is established. 53A_R5_SR-04(01)[01]


AST-03.2 AST-03.2_A07 unique identification of supply chain elements, processes and personnel is maintained. 53A_R5_SR-04(01)[02]

AST-03.2 AST-03.2_A08 systems and critical system components that require unique identification for tracking through the supply chain are defined. 53A_R5_SR-04(02)_ODP

AST-03.2 AST-03.2_A09 the unique identification of systems and critical system components is established for tracking through the supply chain. 53A_R5_SR-04(02)[01]

AST-03.2 AST-03.2_A10 the unique identification of systems and critical system components is maintained for tracking through the supply chain. 53A_R5_SR-04(02)[02]

AST-04 AST-04_A01 sensitive data flows are identified and documented. SCF Created

AST-04 AST-04_A02 a Data Flow Diagram (DFD) exists for each type of sensitive/regulated data that is stored, processed and/or transmitted. SCF Created

AST-04 AST-04_A03 a process exists to review DFDs for accuracy. SCF Created

AST-04 AST-04_A04 a process exists to update DFDs upon technology or business practice changes that affect where sensitive/regulated data is stored, processed and/or transmitted. SCF Created

AST-04 AST-04_A05 one or more high-level network diagrams exist as a schematic to identify the logical placement of systems, applications and services at a conceptual level. SCF Created

AST-04 AST-04_A06 one or more low-level network diagrams exist as a schematic to identify the detailed logical and physical placement of systems, applications and services. SCF Created

AST-04 AST-04_A07 a process exists to review network diagrams for accuracy. SCF Created

AST-04 AST-04_A08 a process exists to update network diagrams upon technology changes. SCF Created

AST-04.1 AST-04.1_A01 system hardware components to be marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component are defined. 53A_R5_PE-22_ODP

AST-04.1 AST-04.1_A02 system hardware components are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component. 53A_R5_PE-22

AST-04.2 AST-04.2_A01 one or more diagrams graphically depict control applicability boundaries for systems, applications, services and third parties to clarify "in-scope versus out-of-scope" determinations. SCF Created

AST-04.3 AST-04.3_A01 an inventory of systems, applications and services exists for each specific statutory, regulatory and/or contractual compliance obligation, with sufficient detail to determine control applicability based on asset scope categorization. SCF Created

AST-04.3 AST-04.3_A02 inventories of systems, applications and services are kept current for each specific statutory, regulatory and/or contractual compliance obligation, with sufficient detail to determine control applicability based on asset scope categorization. SCF Created

AST-05 AST-05_A01 strict control is maintained over the internal or external distribution of any kind of sensitive/regulated media. SCF Created

AST-05.1 AST-05.1_A01 written management approval is obtained prior to the transfer of any sensitive / regulated media outside of the organization's facilities. SCF Created

AST-06 AST-06_A01 enhanced protection measures for unattended systems are implemented to protect against tampering and unauthorized access. SCF Created

AST-06.1 AST-06.1_A01 users are educated on the need to physically secure laptops and other mobile devices out of sight when traveling, preferably in the trunk of a vehicle. SCF Created

AST-07 AST-07_A01 devices that capture sensitive/regulated data via direct physical interaction are appropriately protected from tampering and substitution. SCF Created

AST-08 AST-08_A01 mobile devices are inspected for evidence of tampering upon return from geographic regions of concern or other known hostile environments that could lead to device compromise. SCF Created

AST-08 AST-08_A02 mobile devices that show signs of tampering are confiscated for forensic examination. SCF Created

AST-09 AST-09_A01 data, documentation, tools or system components to be disposed of are defined. 53A_R5_SR-12_ODP[01]; 53A_R5_MP-06_ODP[01]; 53A_R5_MP-06_ODP[02]; 53A_R5_MP-06_ODP[03]

AST-09 AST-09_A02 techniques and methods for disposing of data, documentation, tools or system components are defined. 53A_R5_SR-12_ODP[02]; 53A_R5_MP-06_ODP[04]; 53A_R5_MP-06_ODP[05]; 53A_R5_MP-06_ODP[06]

AST-09 AST-09_A03 data, documentation, tools or system components are disposed of using techniques and methods. 53A_R5_SR-12

AST-09 AST-09_A04 system media is sanitized using sanitization techniques and procedures prior to disposal. 53A_R5_MP-06a.[01]

AST-09 AST-09_A05 system media is sanitized using sanitization techniques and procedures prior to release from organizational control. 53A_R5_MP-06a.[02]

AST-09 AST-09_A06 system media is sanitized using sanitization techniques and procedures prior to release for reuse. 53A_R5_MP-06a.[03]

AST-09 AST-09_A07 sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed. 53A_R5_MP-06b.

AST-10 AST-10_A01 the organization governs a process to ensure that employees return all organizational assets in their possession upon termination of employment. SCF Created

AST-10 AST-10_A02 the organization governs a process to ensure that third-party users return all organizational assets in their possession upon termination of contract or agreement. SCF Created

AST-11 AST-11_A01 facility egress points are controlled by physical security measures. SCF Created

AST-11 AST-11_A02 prior management authorization is required for the removal of technology assets from organizational facilities. SCF Created

AST-11 AST-11_A03 the organization controls and tracks technology assets entering and exiting organizational facilities. SCF Created


AST-12 AST-12_A01 the possession of personally-owned technology devices is restricted within organization-controlled facilities. SCF Created

AST-12 AST-12_A02 the usage of personally-owned technology devices is restricted within organization-controlled facilities. SCF Created

AST-13 AST-13_A01 technology configurations prohibit third-party technology assets from connecting to the organization's internal network(s). SCF Created

AST-14 AST-14_A01 the components for which usage restrictions and implementation guidance are to be established are defined. 53A_R5_SC-43_ODP

AST-14 AST-14_A02 usage restrictions and implementation guidelines are established for components. 53A_R5_SC-43a.

AST-14 AST-14_A03 the use of components is authorized within the system. 53A_R5_SC-43b.[01]

AST-14 AST-14_A04 the use of components is monitored within the system. 53A_R5_SC-43b.[02]

AST-14 AST-14_A05 the use of components is controlled within the system. 53A_R5_SC-43b.[03]

AST-14.1 AST-14.1_A01 the possession of unauthorized Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) is prohibited in sensitive areas. SCF Created

AST-14.1 AST-14.1_A02 the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) is prohibited in sensitive areas, unless use is in a Radio Frequency (RF)-screened building. SCF Created

AST-14.2 AST-14.2_A01 the possession of unauthorized Infrared (IR) communications devices is prohibited in sensitive areas. SCF Created

AST-14.2 AST-14.2_A02 Infrared (IR) communications are configured to prevent line of sight and reflected use in unsecured spaces. SCF Created

AST-15 AST-15_A01 a tamper protection program is implemented for the system, system component or system service. 53A_R5_SR-09

AST-15 AST-15_A02 anti-tamper technologies, tools and techniques are employed throughout the system development life cycle. 53A_R5_SR-09(01)

AST-15.1 AST-15.1_A01 systems or system components that require inspection are defined. 53A_R5_SR-10_ODP[01]

AST-15.1 AST-15.1_A02 the frequency at which to inspect systems or system components is defined. 53A_R5_SR-10_ODP[02]; 53A_R5_SR-10_ODP[03]

AST-15.1 AST-15.1_A03 indications of the need for an inspection of systems or system components are defined. 53A_R5_SR-10_ODP[04]

AST-15.1 AST-15.1_A04 systems or system components are inspected to detect tampering. 53A_R5_SR-10

AST-16 AST-16_A01 a Bring Your Own Device (BYOD) program is implemented and governed to reduce risk associated with personally-owned devices in the workplace. SCF Created

AST-17 AST-17_A01 Supply Chain Risk Management (SCRM) practices require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body. SCF Created

AST-18 AST-18_A01 security-critical or essential software is defined. 172A_3.14.1e_ODP[1]

AST-18 AST-18_A02 root of trust mechanisms or cryptographic signatures are identified. 172A_3.14.1e[a]

AST-18 AST-18_A03 the integrity of security-critical or essential software is verified using root of trust mechanisms or cryptographic signatures. 172A_3.14.1e[b]

AST-19 AST-19_A01 implementation guidance for telecommunication equipment is established to prevent damage, unauthorized modification and potential eavesdropping. SCF Created

AST-20 AST-20_A01 Video Teleconference (VTC) capabilities are secured in designated conference rooms to prevent potential eavesdropping. SCF Created

AST-20 AST-20_A02 personnel are trained to use Video Teleconference (VTC) capabilities on endpoint devices outside of conference rooms in a secure manner that prevents eavesdropping. SCF Created

AST-21 AST-21_A01 Internet Protocol Telephony (IPT) is securely implemented so that Voice Over Internet Protocol (VoIP) traffic is logically or physically separated from data networks. SCF Created

AST-22 AST-22_A01 assets are configured to prohibit the use of endpoint-based microphones and/or web cameras in secure areas or where sensitive information is discussed. SCF Created

AST-23 AST-23_A01 Multi-Function Devices (MFD) are securely configured according to industry-recognized secure practices for the type of device. SCF Created

AST-24 AST-24_A01 the organization maintains a pool of temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices). SCF Created

AST-24 AST-24_A02 personnel travelling overseas request and are issued a temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than-average risk for Intellectual Property (IP) theft or espionage against individuals and private companies. SCF Created

AST-25 AST-25_A01 upon return from travel to authoritarian countries, the issued temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) is wiped / re-imaged before being re-issued. SCF Created

AST-26 AST-26_A01 system administration processes, with corresponding Standardized Operating Procedures (SOP), are developed, implemented and governed for operating and maintaining systems, applications and services. SCF Created

AST-27 AST-27_A01 a "jump box" or "jump server" is established in secure enclaves that are in a separate network zone to user workstations. SCF Created

AST-27 AST-27_A02 non-console system administrative functions are restricted to connect to secure enclaves via a "jump box" or "jump server" that is located in a separate network zone to user workstations. SCF Created

AST-28 AST-28_A01 database management processes, with corresponding Standardized Operating Procedures (SOP), are developed, implemented and governed for operating and maintaining databases. SCF Created


AST-28.1 AST-28.1_A01 Database Management Systems (DBMSs) are implemented and maintained. SCF Created

AST-29 AST-29_A01 secure baseline configurations exist for Radio Frequency Identification (RFID) devices to protect the confidentiality and integrity of data being stored, processed and/or transmitted. SCF Created

AST-29 AST-29_A02 Radio Frequency Identification (RFID) devices are secured according to defined secure baseline configurations. SCF Created

AST-29.1 AST-29.1_A01 secure baseline configurations exist for contactless access control systems to protect the confidentiality and integrity of data being stored, processed and/or transmitted. SCF Created

AST-29.1 AST-29.1_A02 contactless access control systems are secured according to defined secure baseline configurations. SCF Created

AST-30 AST-30_A01 systems, applications and services are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations. SCF Created

AST-31 AST-31_A01 the organization utilizes a defined methodology to categorize its technology assets based on data sensitivity and criticality. SCF Created

AST-31.1 AST-31.1_A01 the organization utilizes a defined methodology to categorize Artificial Intelligence (AI) and Autonomous Technologies (AAT) based on data sensitivity and criticality. SCF Created

BCD-01 BCD-01_A26 cybersecurity issues are addressed in the development of a critical infrastructure and key resources protection plan. 53A_R5_PM-08[01]

BCD-01 BCD-01_A27 cybersecurity issues are addressed in the documentation of a critical infrastructure and key resources protection plan. 53A_R5_PM-08[02]

BCD-01 BCD-01_A28 cybersecurity issues are addressed in the update of a critical infrastructure and key resources protection plan. 53A_R5_PM-08[03]

BCD-01 BCD-01_A29 privacy issues are addressed in the development of a critical infrastructure and key resources protection plan. 53A_R5_PM-08[04]

BCD-01 BCD-01_A30 privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan. 53A_R5_PM-08[05]

BCD-01 BCD-01_A31 privacy issues are addressed in the update of a critical infrastructure and key resources protection plan. 53A_R5_PM-08[06]

BCD-01.1 BCD-01.1_A01 contingency plan development is coordinated with organizational elements responsible for related plans. 53A_R5_CP-02(01)

BCD-01.2 BCD-01.2_A01 the contingency plan is coordinated with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. 53A_R5_CP-02(07)

BCD-01.3 BCD-01.3_A01 the transfer of organization-defined criteria mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity is planned for. 53A_R5_CP-02(06)[01]

BCD-01.3 BCD-01.3_A02 operational continuity is sustained until full system restoration at primary processing and/or storage sites. 53A_R5_CP-02(06)[02]

BCD-01.4 BCD-01.4_A01 time period consistent with recovery time and recovery point objectives for the recovery of the system is determined. 53A_R5_CP-10_ODP[01]

BCD-01.4 BCD-01.4_A02 time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined. 53A_R5_CP-10_ODP[02]

BCD-01.4 BCD-01.4_A03 the recovery of the system to a known state is provided within a specified time period after a disruption, compromise or failure. 53A_R5_CP-10[01]

BCD-01.4 BCD-01.4_A04 a reconstitution of the system to a known state is provided within an organization-defined time period after a disruption, compromise or failure. 53A_R5_CP-10[02]

BCD-01.4 BCD-01.4_A05 the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives. 53A_R5_CP-06(02)[01]

BCD-01.4 BCD-01.4_A06 the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives. 53A_R5_CP-06(02)[02]

BCD-02 BCD-02_A01 systems, applications and services that support essential missions and business functions are identified. 53A_R5_CP-02(03)_ODP[01]; 53A_R5_CP-02(05)_ODP; 53A_R5_CP-02(06)_ODP; 53A_R5_CP-02(08)_ODP

BCD-02 BCD-02_A02 critical system assets supporting organization-defined criteria mission and business functions are identified. 53A_R5_CP-02(08)

BCD-02.1 BCD-02.1_A02 the contingency plan activation time period within which to resume all mission and business functions is defined. 53A_R5_CP-02(03)_ODP[02]

BCD-02.1 BCD-02.1_A03 the resumption of all mission and business functions is planned for within an organization-defined time period of contingency plan activation. 53A_R5_CP-02(03)

BCD-02.2 BCD-02.2_A02 the continuance of organization-defined criteria mission and business functions with minimal or no loss of operational continuity is planned for. 53A_R5_CP-02(05)[01]

BCD-02.2 BCD-02.2_A03 continuity is sustained until full system restoration at primary processing and/or storage sites. 53A_R5_CP-02(05)[02]

BCD-02.3 BCD-02.3_A02 the contingency plan activation time period within which to resume essential mission and business functions is defined. 53A_R5_CP-02(03)_ODP[02]

BCD-02.3 BCD-02.3_A03 the resumption of essential mission and business functions is planned for within an organization-defined time period of contingency plan activation. 53A_R5_CP-02(03)

BCD-02.4 BCD-02.4_A01 periodic security reviews of storage locations that contain sensitive / regulated data are performed. SCF Created

BCD-02.4 BCD-02.4_A02 deficiencies identified during reviews of storage locations are tracked via a Plan of Action and Milestones (POA&M), or risk register, through remediation. SCF Created

BCD-03 BCD-03_A01 the time period within which to provide contingency training after assuming a contingency role or responsibility is defined. 53A_R5_CP-03_ODP[01]

BCD-03 BCD-03_A02 the frequency at which to provide training to system users with a contingency role or responsibility is defined. 53A_R5_CP-03_ODP[02]


BCD-03 BCD-03_A03 the frequency at which to review and update contingency training content is defined. 53A_R5_CP-03_ODP[03]

BCD-03 BCD-03_A04 events necessitating review and update of contingency training are defined. 53A_R5_CP-03_ODP[04]

BCD-03 BCD-03_A05 contingency training is provided to system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming a contingency role or responsibility. 53A_R5_CP-03a.01

BCD-03 BCD-03_A06 contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes. 53A_R5_CP-03a.02

BCD-03 BCD-03_A07 contingency training is provided to system users consistent with assigned roles and responsibilities, and at the defined frequency thereafter. 53A_R5_CP-03a.03

BCD-03 BCD-03_A08 the contingency plan training content is reviewed and updated frequently. 53A_R5_CP-03b.[01]

BCD-03 BCD-03_A09 the contingency plan training content is reviewed and updated following events. 53A_R5_CP-03b.[02]

BCD-03.1 BCD-03.1_A01 simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations. 53A_R5_CP-03(01)

BCD-03.2 BCD-03.2_A01 mechanisms used in operations are employed to provide a more thorough and realistic contingency training environment. 53A_R5_CP-03(02)

BCD-04 BCD-04_A01 the frequency of testing the contingency plan for the system is defined. 53A_R5_CP-04_ODP[01]

BCD-04 BCD-04_A02 tests for determining the effectiveness of the contingency plan are defined. 53A_R5_CP-04_ODP[02]

BCD-04 BCD-04_A03 tests for determining readiness to execute the contingency plan are defined. 53A_R5_CP-04_ODP[03]

BCD-04 BCD-04_A04 the contingency plan for the system is tested frequently. 53A_R5_CP-04a.[01]

BCD-04 BCD-04_A05 tests are used to determine the effectiveness of the plan. 53A_R5_CP-04a.[02]

BCD-04 BCD-04_A06 tests are used to determine the readiness to execute the plan. 53A_R5_CP-04a.[03]

BCD-04.1 BCD-04.1_A01 contingency plan testing is coordinated with organizational elements responsible for related plans. 53A_R5_CP-04(01)

BCD-04.2 BCD-04.2_A01 the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources. 53A_R5_CP-04(02)(a)

BCD-04.2 BCD-04.2_A02 the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations. 53A_R5_CP-04(02)(b)

BCD-05 BCD-05_A01 the contingency plan test results are reviewed. 53A_R5_CP-04b.

BCD-05 BCD-05_A02 corrective actions to remediate contingency plan deficiencies are initiated, if needed. 53A_R5_CP-04c.

BCD-06 BCD-06_A01 personnel or roles to review a contingency plan is/are defined. 53A_R5_CP-02_ODP[01]

BCD-06 BCD-06_A02 personnel or roles to approve a contingency plan is/are defined. 53A_R5_CP-02_ODP[02]

BCD-06 BCD-06_A03 key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined. 53A_R5_CP-02_ODP[03]

BCD-06 BCD-06_A04 key contingency organizational elements to which copies of the contingency plan are distributed are defined. 53A_R5_CP-02_ODP[04]

BCD-06 BCD-06_A05 the frequency of contingency plan review is defined. 53A_R5_CP-02_ODP[05]

BCD-06 BCD-06_A06 key contingency personnel (identified by name and/or by role) to communicate changes to are defined. 53A_R5_CP-02_ODP[06]

BCD-06 BCD-06_A07 key contingency organizational elements to communicate changes to are defined. 53A_R5_CP-02_ODP[07]

BCD-06 BCD-06_A08 a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements. 53A_R5_CP-02a.01

BCD-06 BCD-06_A09 a contingency plan for the system is developed that provides recovery objectives. 53A_R5_CP-02a.02[01]

BCD-06 BCD-06_A10 a contingency plan for the system is developed that provides restoration priorities. 53A_R5_CP-02a.02[02]

BCD-06 BCD-06_A11 a contingency plan for the system is developed that provides metrics. 53A_R5_CP-02a.02[03]

BCD-06 BCD-06_A12 a contingency plan for the system is developed that addresses contingency roles. 53A_R5_CP-02a.03[01]

BCD-06 BCD-06_A13 a contingency plan for the system is developed that addresses contingency responsibilities. 53A_R5_CP-02a.03[02]

BCD-06 BCD-06_A14 a contingency plan for the system is developed that addresses assigned individuals with contact information. 53A_R5_CP-02a.03[03]

BCD-06 BCD-06_A15 a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise or failure. 53A_R5_CP-02a.04

BCD-06 BCD-06_A16 a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented. 53A_R5_CP-02a.05


BCD-06 BCD-06_A17 a contingency plan for the system is developed that addresses the sharing of contingency information. 53A_R5_CP-02a.06

BCD-06 BCD-06_A18 a contingency plan for the system is developed that is reviewed by personnel or roles. 53A_R5_CP-02a.07[01]

BCD-06 BCD-06_A19 a contingency plan for the system is developed that is approved by personnel or roles. 53A_R5_CP-02a.07[02]

BCD-06 BCD-06_A20 copies of the contingency plan are distributed to key contingency personnel. 53A_R5_CP-02b.[01]

BCD-06 BCD-06_A21 copies of the contingency plan are distributed to organizational elements. 53A_R5_CP-02b.[02]

BCD-06 BCD-06_A22 contingency planning activities are coordinated with incident handling activities. 53A_R5_CP-02c.

BCD-06 BCD-06_A23 the contingency plan for the system is reviewed frequently. 53A_R5_CP-02d.

BCD-06 BCD-06_A24 the contingency plan is updated to address changes to the organization, system or environment of operation. 53A_R5_CP-02e.[01]

BCD-06 BCD-06_A25 the contingency plan is updated to address problems encountered during contingency plan implementation, execution or testing. 53A_R5_CP-02e.[02]

BCD-06 BCD-06_A26 contingency plan changes are communicated to key contingency personnel. 53A_R5_CP-02f.[01]

BCD-06 BCD-06_A27 contingency plan changes are communicated to organizational elements. 53A_R5_CP-02f.[02]

BCD-06 BCD-06_A28 lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing. 53A_R5_CP-02g.[01]

BCD-06 BCD-06_A29 lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training. 53A_R5_CP-02g.[02]

BCD-06 BCD-06_A30 the contingency plan is protected from unauthorized disclosure. 53A_R5_CP-02h.[01]

BCD-06 BCD-06_A31 the contingency plan is protected from unauthorized modification. 53A_R5_CP-02h.[02]

BCD-07 BCD-07_A01 alternative or supplemental security mechanisms are defined. 53A_R5_CP-13_ODP[01]

BCD-07 BCD-07_A02 security functions are defined. 53A_R5_CP-13_ODP[02]

BCD-07 BCD-07_A03 alternative or supplemental security mechanisms are employed for satisfying security functions when the primary means of implementing the security function is unavailable or compromised. 53A_R5_CP-13

BCD-08 BCD-08_A01 an alternate storage site is established. 53A_R5_CP-06a.[01]

BCD-08 BCD-08_A02 establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information. 53A_R5_CP-06a.[02]

BCD-08 BCD-08_A03 the alternate storage site provides controls equivalent to that of the primary site. 53A_R5_CP-06b.

BCD-08 BCD-08_A04 the location or site of the facility where the system resides is planned considering physical and environmental hazards. 53A_R5_PE-23a.

BCD-08.1 BCD-08.1_A01 an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats. 53A_R5_CP-06(01)

BCD-08.2 BCD-08.2_A01 potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified. 53A_R5_CP-06(03)[01]

BCD-08.2 BCD-08.2_A02 explicit mitigation actions to address identified accessibility problems are outlined. 53A_R5_CP-06(03)[02]

BCD-09 BCD-09_A01 system operations for essential mission and business functions are defined. 53A_R5_CP-07_ODP[01]

BCD-09 BCD-09_A02 time period consistent with recovery time and recovery point objectives is defined. 53A_R5_CP-07_ODP[02]

BCD-09 BCD-09_A03 an alternate processing site, including necessary agreements to permit the transfer and resumption of system operations for essential mission and business functions, is established within an organization-defined time period when the primary processing capabilities are unavailable. 53A_R5_CP-07a.

BCD-09 BCD-09_A04 the equipment and supplies required to transfer operations are made available at the alternate processing site, or contracts are in place to support delivery to the site within an organization-specified time period for transfer. 53A_R5_CP-07b.[01]

BCD-09 BCD-09_A05 the equipment and supplies required to resume operations are made available at the alternate processing site, or contracts are in place to support delivery to the site within an organization-defined time period for resumption. 53A_R5_CP-07b.[02]

BCD-09 BCD-09_A06 controls provided at the alternate processing site are equivalent to those at the primary site. 53A_R5_CP-07c.

BCD-09 BCD-09_A07 the location or site of the facility where the system resides is planned considering physical and environmental hazards. 53A_R5_PE-23a.

BCD-09.1 BCD-09.1_A01 an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified. 53A_R5_CP-07(01)

BCD-09.2 BCD-09.2_A01 potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified. 53A_R5_CP-07(02)[01]

BCD-09.2 BCD-09.2_A02 explicit mitigation actions to address identified accessibility problems are outlined. 53A_R5_CP-07(02)[02]

BCD-09.3 BCD-09.3_A01 alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed. 53A_R5_CP-07(03)


BCD-09.4 BCD-09.4_A01 the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions. 53A_R5_CP-07(04)

BCD-09.5 BCD-09.5_A01 circumstances that preclude returning to the primary processing site are planned for. 53A_R5_CP-07(06)[01]

BCD-09.5 BCD-09.5_A02 circumstances that preclude returning to the primary processing site are prepared for. 53A_R5_CP-07(06)[02]

BCD-10 BCD-10_A01 alternative communications protocols in support of maintaining continuity of operations are defined. 53A_R5_CP-11_ODP

BCD-10 BCD-10_A02 the capability to employ alternative communications protocols is provided in support of maintaining continuity of operations. 53A_R5_CP-11

BCD-10 BCD-10_A03 system operations to be resumed for essential mission and business functions are defined. 53A_R5_CP-08_ODP[01]

BCD-10 BCD-10_A04 time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined. 53A_R5_CP-08_ODP[02]

BCD-10 BCD-10_A05 alternate telecommunications services, including necessary agreements to permit the resumption of system operations, are established for essential mission and business functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. 53A_R5_CP-08

BCD-10 BCD-10_A06 alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained. 53A_R5_CP-08(02)

BCD-10.1 BCD-10.1_A01 primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed. 53A_R5_CP-08(01)(a)[01]

BCD-10.1 BCD-10.1_A02 alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed. 53A_R5_CP-08(01)(a)[02]

BCD-10.1 BCD-10.1_A03 Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier. 53A_R5_CP-08(01)(b)

BCD-10.2 BCD-10.2_A01 alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats. 53A_R5_CP-08(03)

BCD-10.3 BCD-10.3_A01 the frequency at which to obtain evidence of contingency testing by providers is defined. 53A_R5_CP-08(04)_ODP[01]

BCD-10.3 BCD-10.3_A02 the frequency at which to obtain evidence of contingency training by providers is defined. 53A_R5_CP-08(04)_ODP[02]

BCD-10.3 BCD-10.3_A03 primary telecommunications service providers are required to have contingency plans. 53A_R5_CP-08(04)(a)[01]

BCD-10.3 BCD-10.3_A04 alternate telecommunications service providers are required to have contingency plans. 53A_R5_CP-08(04)(a)[02]

BCD-10.3 BCD-10.3_A05 provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements. 53A_R5_CP-08(04)(b)

BCD-10.3 BCD-10.3_A06 evidence of contingency testing by providers is obtained at the defined frequency. 53A_R5_CP-08(04)(c)[01]

BCD-10.3 BCD-10.3_A07 evidence of contingency training by providers is obtained frequency. 53A_R5_CP-08(04)(c)[02]

BCD-10.4 BCD-10.4_A01 alternate communication paths for system operations and operational command and control are defined. 53A_R5_SC-47_ODP

BCD-10.4 BCD-10.4_A02 alternate communication paths are established for system operations and operational command and control. 53A_R5_SC-47

BCD-11 BCD-11_A01 the confidentiality of backup sensitive / regulated data is protected at storage locations. 171A_3.8.9

BCD-11 BCD-11_A02 system components for which to conduct backups of user-level information are defined. 53A_R5_CP-09_ODP[01]

BCD-11 BCD-11_A03 the frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined. 53A_R5_CP-09_ODP[02]

BCD-11 BCD-11_A04 the frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined. 53A_R5_CP-09_ODP[03]

BCD-11 BCD-11_A05 the frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined. 53A_R5_CP-09_ODP[04]

BCD-11 BCD-11_A06 backups of user-level information contained in system components are conducted frequently. 53A_R5_CP-09a.

BCD-11 BCD-11_A07 backups of system-level information contained in the system are conducted frequently. 53A_R5_CP-09b.

BCD-11 BCD-11_A08 backups of system documentation, including security- and privacy-related documentation are conducted frequently. 53A_R5_CP-09c.

BCD-11 BCD-11_A09 the confidentiality of backup information is protected. 53A_R5_CP-09d.[01]

BCD-11 BCD-11_A10 the integrity of backup information is protected. 53A_R5_CP-09d.[02]

BCD-11 BCD-11_A11 the availability of backup information is protected. 53A_R5_CP-09d.[03]

BCD-11.1 BCD-11.1_A01 the frequency at which to test backup information for media reliability is defined. 53A_R5_CP-09(01)_ODP[01]

BCD-11.1 BCD-11.1_A02 the frequency at which to test backup information for information integrity is defined. 53A_R5_CP-09(01)_ODP[02]

BCD-11.1 BCD-11.1_A03 backup information is tested frequently to verify media reliability. 53A_R5_CP-09(01)[01]

Licensed by Creative Commons Attribution-NoDerivatives 120 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

BCD-11.1 BCD-11.1_A04 backup information is tested frequently to verify information integrity. 53A_R5_CP-09(01)[02]

BCD-11.2 BCD-11.2_A01 critical system software and other security-related information backups to be stored in a separate facility are defined. 53A_R5_CP-09(03)_ODP

BCD-11.2 BCD-11.2_A02 backup copies of critical system software and other security-related information are stored in a separate facility or in a fire rated container that is not collocated with the operational system. 53A_R5_CP-09(03)

BCD-11.3 BCD-11.3_A01 assets are reimaged from configuration-controlled images. SCF Created

BCD-11.3 BCD-11.3_A02 images that represent a secure, operational state are integrity-protected. SCF Created

BCD-11.4 BCD-11.4_A01 the confidentiality of backup sensitive / regulated data is protected at storage locations. 171A_3.8.9

BCD-11.4 BCD-11.4_A02 backup information to protect against unauthorized disclosure and modification is defined. 53A_R5_CP-09(08)_ODP

BCD-11.4 BCD-11.4_A03 cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of backup information. 53A_R5_CP-09(08)

BCD-11.5 BCD-11.5_A01 a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing. 53A_R5_CP-09(02)

BCD-11.6 BCD-11.6_A01 time period consistent with recovery time and recovery point objectives is defined. 53A_R5_CP-09(05)_ODP[01]

BCD-11.6 BCD-11.6_A02 transfer rate consistent with recovery time and recovery point objectives is defined. 53A_R5_CP-09(05)_ODP[02]

BCD-11.6 BCD-11.6_A03 system backup information is transferred to the alternate storage site for an organization-defined time period. 53A_R5_CP-09(05)[01]

BCD-11.6 BCD-11.6_A04 system backup information is transferred to the alternate storage site at the organization-defined transfer rate. 53A_R5_CP-09(05)[02]

BCD-11.7 BCD-11.7_A01 system backup is conducted by maintaining a redundant secondary system that is not collocated with the primary system. 53A_R5_CP-09(06)[01]

BCD-11.7 BCD-11.7_A02 system backup is conducted by maintaining a redundant secondary system that can be activated without loss of information or disruption to operations. 53A_R5_CP-09(06)[02]

BCD-11.8 BCD-11.8_A01 critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified. 172A_3.1.1e[a]

BCD-11.8 BCD-11.8_A02 dual authorization is employed to execute critical or sensitive system and organizational operations. 172A_3.1.1e[b]

BCD-11.8 BCD-11.8_A03 backup information for which to enforce dual authorization in order to delete or destroy is defined. 53A_R5_CP-09(07)_ODP

BCD-11.8 BCD-11.8_A04 dual authorization for the deletion or destruction of backup information is enforced. 53A_R5_CP-09(07)

BCD-11.9 BCD-11.9_A01 Role Based Access Controls (RBAC) are utilized to logically restrict access to backups to privileged users with assigned roles for data backup and recovery operations. SCF Created

BCD-11.9 BCD-11.9_A02 Physical Access Controls (PAC) are utilized to physically restrict access to backups to privileged users with assigned roles for data backup and recovery operations. SCF Created

BCD-11.10 BCD-11.10_A01 Role Based Access Controls (RBAC) are utilized to logically restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles. SCF Created

BCD-12 BCD-12_A01 secure baseline configurations exist for systems, applications and/or services to protect the confidentiality and integrity of data being stored, processed and/or transmitted. SCF Created

BCD-12 BCD-12_A02 systems, applications and/or services are securely recovered / reconstituted to a known, trusted state after a disruption, compromise or failure. SCF Created

BCD-12.1 BCD-12.1_A01 transaction recovery is implemented for systems that are transaction-based. 53A_R5_CP-10(02)

BCD-12.2 BCD-12.2_A01 system components for which Mean Time to Failure (MTTF) should be determined are defined. 53A_R5_SI-13_ODP[01]

BCD-12.2 BCD-12.2_A02 Mean Time to Failure (MTTF) substitution criteria to be used as a means to exchange active and standby components are defined. 53A_R5_SI-13_ODP[02]

BCD-12.2 BCD-12.2_A03 Mean Time to Failure (MTTF) is determined for system components in specific environments of operation. 53A_R5_SI-13a.

BCD-12.2 BCD-12.2_A04 substitute system components and a means to exchange active and standby components are provided in accordance with Mean Time to Failure (MTTF) substitution criteria. 53A_R5_SI-13b.

BCD-12.3 BCD-12.3_A01 electronic discovery (eDiscovery) capabilities cover current and archived communication transactions. SCF Created

BCD-12.4 BCD-12.4_A01 restoration time period within which to restore system components to a known, operational state is defined. 53A_R5_CP-10(04)_ODP

BCD-12.4 BCD-12.4_A02 the capability to restore system components within organization-defined restoration time periods from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided. 53A_R5_CP-10(04)

BCD-13 BCD-13_A01 system components used for recovery and reconstitution are protected. 53A_R5_CP-10(06)

BCD-14 BCD-14_A01 the organization utilizes an isolated, non-production environment to perform data backups via offline, cloud or off-site capabilities. SCF Created

BCD-14 BCD-14_A02 the organization utilizes an isolated, non-production environment to perform recovery operations through offline, cloud or off-site capabilities. SCF Created

BCD-15 BCD-15_A01 an inventory of systems and system components that are required for critical business functions to operate exists. SCF Created


BCD-15 BCD-15_A02 Mean Time Between Failure (MTBF) is defined for systems and system components that are required for critical business functions. SCF Created

BCD-15 BCD-15_A03 Recovery Time Objectives (RTOs) are defined for systems and system components that are required for critical business functions. SCF Created

BCD-15 BCD-15_A04 Recovery Point Objectives (RPOs) are defined for systems and system components that are required for critical business functions. SCF Created

BCD-15 BCD-15_A05 systems and system components that are or may be hard to replace in a supply chain disruption are identified. SCF Created

BCD-15 BCD-15_A06 resources are allocated to obtain identified hard-to-replace systems and system components for critical business functions. SCF Created

BCD-15 BCD-15_A07 a pool of identified hard-to-replace systems and system components for critical business functions is maintained. SCF Created

BCD-16 BCD-16_A01 an incident handling capability for incidents involving Artificial Intelligence (AI) and Autonomous Technologies (AAT) exists. SCF Created

BCD-16 BCD-16_A02 processes are in place to handle failures or incidents in third-party data or Artificial Intelligence (AI) and Autonomous Technologies (AAT) deemed to be high-risk. SCF Created

CAP-01 CAP-01_A01 resources to be allocated to protect the availability of resources are defined. 53A_R5_SC-06_ODP[01]

CAP-01 CAP-01_A02 controls to protect the availability of resources are defined. 53A_R5_SC-06_ODP[02]; 53A_R5_SC-06_ODP[03]

CAP-01 CAP-01_A03 the availability of resources is protected by allocating resources per organization-defined criteria. 53A_R5_SC-06

CAP-02 CAP-02_A01 types of denial-of-service events to be protected against or limited are defined. 53A_R5_SC-05_ODP[01]

CAP-02 CAP-02_A02 resource prioritization is designed to limit negative effects of denial-of-service events. 53A_R5_SC-05_ODP[02]

CAP-02 CAP-02_A03 controls to achieve the denial-of-service objective by type of denial-of-service event are defined. 53A_R5_SC-05_ODP[03]

CAP-02 CAP-02_A04 the effects of types of denial-of-service events are organizationally-defined. 53A_R5_SC-05a.

CAP-02 CAP-02_A05 controls by type of denial-of-service event are employed to achieve the denial-of-service protection objective. 53A_R5_SC-05b.

CAP-03 CAP-03_A01 capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing. 53A_R5_CP-02(02)[01]

CAP-03 CAP-03_A02 capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications. 53A_R5_CP-02(02)[02]

CAP-03 CAP-03_A03 capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support. 53A_R5_CP-02(02)[03]

CAP-04 CAP-04_A01 the operating state and health status of critical systems is centrally-monitored. SCF Created

CAP-04 CAP-04_A02 the operating state and health status of critical applications is centrally-monitored. SCF Created

CAP-04 CAP-04_A03 the operating state and health status of services is centrally-monitored. SCF Created

CHG-01 CHG-01_A01 the time period to retain records of configuration-controlled changes is defined. 53A_R5_CM-03_ODP[01]

CHG-01 CHG-01_A02 the configuration change control element responsible for coordinating and overseeing change control activities is defined. 53A_R5_CM-03_ODP[02]

CHG-01 CHG-01_A03 the frequency at which the configuration control element convenes is defined. 53A_R5_CM-03_ODP[03]; 53A_R5_CM-03_ODP[04]

CHG-01 CHG-01_A04 configuration change conditions that prompt the configuration control element to convene are defined. 53A_R5_CM-03_ODP[05]

CHG-01 CHG-01_A05 the types of changes to the system that are configuration-controlled are determined and documented. 53A_R5_CM-03a.

CHG-01 CHG-01_A06 proposed configuration-controlled changes to the system are reviewed. 53A_R5_CM-03b.[01]

CHG-01 CHG-01_A07 proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for cybersecurity & privacy impact analyses. 53A_R5_CM-03b.[02]

CHG-01 CHG-01_A08 configuration change decisions associated with the system are documented. 53A_R5_CM-03c.

CHG-01 CHG-01_A09 approved configuration-controlled changes to the system are implemented. 53A_R5_CM-03d.

CHG-01 CHG-01_A10 records of configuration-controlled changes to the system are retained for organization-defined time period. 53A_R5_CM-03e.

CHG-01 CHG-01_A11 activities associated with configuration-controlled changes to the system are monitored. 53A_R5_CM-03f.[01]

CHG-01 CHG-01_A12 activities associated with configuration-controlled changes to the system are reviewed. 53A_R5_CM-03f.[02]

CHG-01 CHG-01_A13 configuration change control activities are coordinated and overseen by organization-defined configuration change control element. 53A_R5_CM-03g.[01]

CHG-01 CHG-01_A14 the configuration control element convenes according to organization-defined criteria. 53A_R5_CM-03g.[02]


CHG-02 CHG-02_A01 changes to the system are tracked. 171A_3.4.3[a]

CHG-02 CHG-02_A02 changes to the system are reviewed. 171A_3.4.3[b]

CHG-02 CHG-02_A03 changes to the system are approved or disapproved. 171A_3.4.3[c]

CHG-02 CHG-02_A04 changes to the system are logged. 171A_3.4.3[d]

CHG-02.1 CHG-02.1_A01 mechanisms used to automate configuration change control are defined. 53A_R5_CM-03(01)_ODP[01]

CHG-02.1 CHG-02.1_A02 approval authorities to be notified of and request approval for proposed changes to the system are defined. 53A_R5_CM-03(01)_ODP[02]

CHG-02.1 CHG-02.1_A03 the time period after which to highlight changes that have not been approved or disapproved is defined. 53A_R5_CM-03(01)_ODP[03]

CHG-02.1 CHG-02.1_A04 personnel to be notified when approved changes are complete is/are defined. 53A_R5_CM-03(01)_ODP[04]

CHG-02.1 CHG-02.1_A05 organization-defined automated mechanisms are used to document proposed changes to the system. 53A_R5_CM-03(01)(a)

CHG-02.1 CHG-02.1_A06 organization-defined automated mechanisms are used to notify organization-defined approval authorities of proposed changes to the system and request change approval. 53A_R5_CM-03(01)(b)

CHG-02.1 CHG-02.1_A07 organization-defined time period. 53A_R5_CM-03(01)(c)

CHG-02.1 CHG-02.1_A08 organization-defined automated mechanisms are used to prohibit changes to the system until designated approvals are received. 53A_R5_CM-03(01)(d)

CHG-02.1 CHG-02.1_A09 organization-defined automated mechanisms are used to document all changes to the system. 53A_R5_CM-03(01)(e)

CHG-02.1 CHG-02.1_A10 organization-defined automated mechanisms are used to notify organization-defined personnel when approved changes to the system are completed. 53A_R5_CM-03(01)(f)

CHG-02.2 CHG-02.2_A01 changes to the system are tested before finalizing the implementation of the changes. 53A_R5_CM-03(02)[01]

CHG-02.2 CHG-02.2_A02 changes to the system are validated before finalizing the implementation of the changes. 53A_R5_CM-03(02)[02]

CHG-02.2 CHG-02.2_A03 changes to the system are documented before finalizing the implementation of the changes. 53A_R5_CM-03(02)[03]

CHG-02.2 CHG-02.2_A04 the frequency at which changes are to be reviewed is defined. 53A_R5_CM-03(07)_ODP[01]

CHG-02.2 CHG-02.2_A05 the circumstances under which changes are to be reviewed are defined. 53A_R5_CM-03(07)_ODP[02]

CHG-02.2 CHG-02.2_A06 changes to the system are reviewed at the organization-defined frequency or under organization-defined circumstances to determine whether unauthorized changes have occurred. 53A_R5_CM-03(07)

CHG-02.2 CHG-02.2_A07 systems or system components that implement the security design principle of secure system modification are defined. 53A_R5_SA-08(31)_ODP

CHG-02.2 CHG-02.2_A08 systems or system components implement the security design principle of secure system modification. 53A_R5_SA-08(31)

CHG-02.3 CHG-02.3_A01 security representatives required to be members of the change control element are defined. 53A_R5_CM-03(04)_ODP[01]

CHG-02.3 CHG-02.3_A02 privacy representatives required to be members of the change control element are defined. 53A_R5_CM-03(04)_ODP[02]

CHG-02.3 CHG-02.3_A03 the configuration change control element of which the cybersecurity & privacy representatives are to be members is defined. 53A_R5_CM-03(04)_ODP[03]

CHG-02.3 CHG-02.3_A04 organization-defined security representatives are required to be members of the organization-defined configuration change control element. 53A_R5_CM-03(04)[01]

CHG-02.3 CHG-02.3_A05 organization-defined privacy representatives are required to be members of the organization-defined configuration change control element. 53A_R5_CM-03(04)[02]

CHG-02.4 CHG-02.4_A01 security responses to be automatically implemented are defined. 53A_R5_CM-03(05)_ODP

CHG-02.4 CHG-02.4_A02 organization-defined security responses are automatically implemented if baseline configurations are changed in an unauthorized manner. 53A_R5_CM-03(05)

CHG-02.4 CHG-02.4_A03 automated mechanisms place misconfigured or unauthorized system components in a quarantine or remediation network. 172A_3.4.2e_ODP[1]

CHG-02.4 CHG-02.4_A04 automated mechanisms to detect misconfigured or unauthorized system components are identified. 172A_3.4.2e[a]

CHG-02.4 CHG-02.4_A05 automated mechanisms are employed to detect misconfigured or unauthorized system components. 172A_3.4.2e[b]

CHG-02.4 CHG-02.4_A06 misconfigured or unauthorized system components are detected. 172A_3.4.2e[c]

CHG-02.4 CHG-02.4_A07 after detection, system components are removed and/or placed in a quarantine or remediation network to facilitate patching, re-configuration or other mitigations. 172A_3.4.2e[d]

CHG-02.5 CHG-02.5_A01 controls provided by cryptographic mechanisms that are to be under configuration management are defined. 53A_R5_CM-03(06)_ODP

CHG-02.5 CHG-02.5_A02 cryptographic mechanisms used to provide organization-defined controls are under configuration management. 53A_R5_CM-03(06)


CHG-03 CHG-03_A01 the security impact of changes to the system is analyzed prior to implementation. 171A_3.4.4

CHG-03 CHG-03_A02 changes to the system are analyzed to determine potential security impacts prior to change implementation. 53A_R5_CM-04[01]

CHG-03 CHG-03_A03 changes to the system are analyzed to determine potential privacy impacts prior to change implementation. 53A_R5_CM-04[02]

CHG-04 CHG-04_A01 logical access restrictions associated with changes to the system are defined and documented. 171A_3.4.5[e]; 171A_3.4.5[f]; 53A_R5_CM-05[04]

CHG-04 CHG-04_A02 logical access restrictions associated with changes to the system are approved. 171A_3.4.5[g]; 53A_R5_CM-05[05]

CHG-04 CHG-04_A03 logical access restrictions associated with changes to the system are enforced. 171A_3.4.5[h]; 53A_R5_CM-05[06]

CHG-04 CHG-04_A04 physical access restrictions associated with changes to the system are defined and documented. 171A_3.4.5[a]; 171A_3.4.5[b]; 53A_R5_CM-05[01]

CHG-04 CHG-04_A05 physical access restrictions associated with changes to the system are approved. 171A_3.4.5[c]; 53A_R5_CM-05[02]

CHG-04 CHG-04_A06 physical access restrictions associated with changes to the system are enforced. 171A_3.4.5[d]; 53A_R5_CM-05[03]

CHG-04.1 CHG-04.1_A01 mechanisms used to automate the enforcement of access restrictions are defined. 53A_R5_CM-05(01)_ODP

CHG-04.1 CHG-04.1_A02 access restrictions for change are enforced using organization-defined automated mechanisms. 53A_R5_CM-05(01)(a)

CHG-04.1 CHG-04.1_A03 audit records of enforcement actions are automatically generated. 53A_R5_CM-05(01)(b)

CHG-04.2 CHG-04.2_A01 software components requiring verification of a digitally signed certificate before installation are defined. 53A_R5_CM-14_ODP[01]

CHG-04.2 CHG-04.2_A02 firmware components requiring verification of a digitally signed certificate before installation are defined. 53A_R5_CM-14_ODP[02]

CHG-04.2 CHG-04.2_A03 the installation of software components is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization. 53A_R5_CM-14[01]

CHG-04.2 CHG-04.2_A04 the installation of firmware components is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization. 53A_R5_CM-14[02]

CHG-04.2 CHG-04.2_A05 software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined. 53A_R5_SI-07(15)_ODP

CHG-04.2 CHG-04.2_A06 cryptographic mechanisms are implemented to authenticate software or firmware components prior to installation. 53A_R5_SI-07(15)

CHG-04.3 CHG-04.3_A01 critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified. 172A_3.1.1e[a]; 53A_R5_CM-05(04)_ODP[01]; 53A_R5_CM-05(04)_ODP[02]

CHG-04.3 CHG-04.3_A02 dual authorization is employed to execute critical or sensitive system and organizational operations. 172A_3.1.1e[b]; 53A_R5_CM-05(04)[01]; 53A_R5_CM-05(04)[02]

CHG-04.4 CHG-04.4_A01 frequency at which to review privileges is defined. 53A_R5_CM-05(05)_ODP[01]

CHG-04.4 CHG-04.4_A02 frequency at which to reevaluate privileges is defined. 53A_R5_CM-05(05)_ODP[02]

CHG-04.4 CHG-04.4_A03 privileges to change system components within a production or operational environment are limited. 53A_R5_CM-05(05)(a)[01]

CHG-04.4 CHG-04.4_A04 privileges to change system-related information within a production or operational environment are limited. 53A_R5_CM-05(05)(a)[02]

CHG-04.4 CHG-04.4_A05 privileges are reviewed at the organization-defined frequency. 53A_R5_CM-05(05)(b)[01]

CHG-04.4 CHG-04.4_A06 privileges are reevaluated at the organization-defined frequency. 53A_R5_CM-05(05)(b)[02]

CHG-04.5 CHG-04.5_A01 privileges to change software resident within software libraries are limited. 53A_R5_CM-05(06)

CHG-05 CHG-05_A01 as part of the organization's change management processes, stakeholders are alerted to spread awareness of the potential impact(s) from proposed changes. SCF Created

CHG-06 CHG-06_A01 security functions to be verified for correct operation are defined. 53A_R5_SI-06_ODP[01]

CHG-06 CHG-06_A02 privacy functions to be verified for correct operation are defined. 53A_R5_SI-06_ODP[02]

CHG-06 CHG-06_A03 system transitional states requiring the verification of cybersecurity & privacy functions are defined. 53A_R5_SI-06_ODP[04]

CHG-06 CHG-06_A04 frequency at which to verify the correct operation of cybersecurity & privacy functions is defined. 53A_R5_SI-06_ODP[05]

CHG-06 CHG-06_A05 alternative action(s) to be performed when anomalies are discovered are defined. 53A_R5_SI-06_ODP[08]

CHG-06 CHG-06_A06 security and/or privacy functions are verified to be operating correctly. 53A_R5_SI-06a.[01]; 53A_R5_SI-06b.[01]; 53A_R5_CM-03(02)[01]; 53A_R5_CM-03(02)[02]

CHG-06 CHG-06_A07 personnel or roles to be alerted of failed cybersecurity & privacy verification tests is/are defined. 53A_R5_SI-06_ODP[06]

CHG-06 CHG-06_A08 pertinent personnel or roles is/are alerted to failed security and/or privacy verification tests. 53A_R5_SI-06c.[01]; 53A_R5_SI-06c.[02]


CHG-06 CHG-06_A09 organization-defined activities are initiated when anomalies are discovered. 53A_R5_SI-06d.; 53A_R5_SI-06_ODP[07]

CHG-06.1 CHG-06.1_A01 personnel or roles designated to receive the results of security and/or privacy function verification is/are defined. 53A_R5_SI-06(03)_ODP

CHG-06.1 CHG-06.1_A02 the results of security and/or privacy function verification are reported to pertinent personnel or roles. 53A_R5_SI-06(03)[01]; 53A_R5_SI-06(03)[02]

CLD-01 CLD-01_A01 secure baseline configurations exist for cloud-based systems, applications and services to protect the confidentiality, integrity and availability of data being stored, processed and/or transmitted. SCF Created

CLD-01 CLD-01_A02 the organization facilitates the implementation of cloud management controls to ensure cloud instances are securely configured and maintained. SCF Created

CLD-01.1 CLD-01.1_A01 the design and configuration process for cloud services is formally governed so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations. SCF Created

CLD-01.2 CLD-01.2_A01 the decommission process for cloud services is formally governed so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations. SCF Created

CLD-02 CLD-02_A01 a cloud security architecture is defined to address cloud employments that support the organization's mission. SCF Created

CLD-02 CLD-02_A02 the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud employments. SCF Created

CLD-03 CLD-03_A01 cloud security management subnets are logically isolated. 53A_R5_SC-07(29)_ODP[01]

CLD-03 CLD-03_A02 cloud security management subnet system components and functions to be isolated are defined. 53A_R5_SC-07(29)_ODP[02]

CLD-03 CLD-03_A03 organization-defined criteria are used to isolate cloud security management subnets. 53A_R5_SC-07(29)

CLD-04 CLD-04_A01 information processing interoperability is supported. SCF Created

CLD-04 CLD-04_A02 information/data exchange supports secure data portability. SCF Created

CLD-05 CLD-05_A01 virtual machine images are protected to ensure continued integrity. SCF Created

CLD-05 CLD-05_A02 virtual machine images are governed according to the organization's established change control processes. SCF Created

CLD-06 CLD-06_A01 multi-tenant owned / managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users. SCF Created

CLD-06.1 CLD-06.1_A01 a documented Customer Responsibility Matrix (CRM) delineates assigned responsibilities for controls between the Cloud Service Provider (CSP) and its customers. SCF Created

CLD-06.2 CLD-06.2_A01 for Multi-Tenant Service Providers (MTSP), established security event logging capabilities for its customers are consistent with the customer's applicable statutory, regulatory and/or contractual obligations. SCF Created

CLD-06.3 CLD-06.3_A01 for Multi-Tenant Service Providers (MTSP), there is a capability to conduct prompt forensic investigations in the event of a suspected or confirmed security incident. SCF Created

CLD-06.4 CLD-06.4_A01 for Multi-Tenant Service Providers (MTSP), there is a capability to conduct prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers. SCF Created

CLD-07 CLD-07_A01 cloud providers use secure protocols for information/data exchange to support secure data portability. SCF Created

CLD-08 CLD-08_A01 cloud providers use industry-recognized formats to support secure interoperability. SCF Created

CLD-08 CLD-08_A02 cloud providers provide documentation of custom changes to virtualization formats for review by affected stakeholders. SCF Created

CLD-09 CLD-09_A01 locations where information processing and data storage is/are to be restricted are defined. 53A_R5_SA-09(05)_ODP[01]; 53A_R5_SA-09(05)_ODP[02]

CLD-09 CLD-09_A02 requirements or conditions for restricting the location of information processing, information storage or information services are defined. 53A_R5_SA-09(05)_ODP[03]

CLD-09 CLD-09_A03 based on requirements, information processing, information storage or information services is/are restricted to locations. 53A_R5_SA-09(05)

CLD-09 CLD-09_A04 the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States. 53A_R5_SA-09(08)

CLD-10 CLD-10_A01 sensitive/regulated data in public cloud providers is identified and documented. SCF Created

CLD-10 CLD-10_A02 the storage of sensitive/regulated data in public cloud providers is controlled. SCF Created

CLD-11 CLD-11_A01 Cloud Access Points (CAPs) are utilized to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from the cloud. SCF Created

CLD-12 CLD-12_A01 Content Delivery Networks (CDNs) are configured to prevent side channel attacks by restricting access from the origin server's IP address to the CDN and authorized management networks. SCF Created

CLD-13 CLD-13_A01 applicable cybersecurity & data protection controls are specified that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services. SCF Created

CLD-13.1 CLD-13.1_A01 specified individuals are authorized to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services. SCF Created

CLD-13.2 CLD-13.2_A01 formal processes are defined to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations. SCF Created

CLD-14 CLD-14_A01 access to, or usage of, hosted systems, applications and/or services is prohibited until applicable cybersecurity & data protection control implementation is verified. SCF Created


CPL-01 CPL-01_A01 the organization analyzes its business practices to determine applicable statutory, regulatory and/or contractual obligations. SCF Created

CPL-02 CPL-01_A02 a compliance catalog of applicable laws, regulations and contractual obligations is documented. SCF Created

CPL-01.1 CPL-01.1_A01 instances of non-compliance with statutory, regulatory and/or contractual obligations are documented, including the reason(s) for non-compliance. SCF Created

CPL-01.1 CPL-01.1_A02 instances of non-compliance with statutory, regulatory and/or contractual obligations are formally-reviewed. SCF Created

CPL-01.1 CPL-01.1_A03 instances of non-compliance with statutory, regulatory and/or contractual obligations are centrally-governed to maintain appropriate situational awareness. SCF Created

CPL-01.1 CPL-01.1_A04 instances of non-compliance with statutory, regulatory and/or contractual obligations are assigned to individuals or teams for remediation. SCF Created

CPL-01.1 CPL-01.1_A05 remediation plans for instances of non-compliance with statutory, regulatory and/or contractual obligations are documented. SCF Created

CPL-01.2 CPL-01.2_A01 the organization's applicable cybersecurity and privacy controls are determined through the analysis of business practices to determine required statutory, regulatory and/or contractual compliance obligations. SCF Created

CPL-01.2 CPL-01.2_A02 a recurring process exists to validate the scope of cybersecurity and privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations. SCF Created

CPL-02 CPL-02_A01 a continuous monitoring strategy is developed for cybersecurity & privacy controls. 53A_R5_CA-07[01]

CPL-02 CPL-02_A02 continuous control monitoring is implemented in accordance with the organization's continuous monitoring strategy. 53A_R5_CA-07[02]

CPL-02 CPL-02_A03 the frequency of security and/or privacy control assessments is defined. 171A_3.12.1[a]; 53A_R5_CA-07_ODP[02]; 53A_R5_CA-07_ODP[03]; 53A_R5_CA-07b.[01]; 53A_R5_CA-07b.[02]

CPL-02 CPL-02_A04 security and/or privacy controls are assessed with the defined frequency to determine if the controls are effective in their application. 171A_3.12.1[b]; 53A_R5_CA-07c.

CPL-02 CPL-02_A05 security and/or privacy controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. 171A_3.12.3

CPL-02 CPL-02_A06 personnel or roles to whom the security and/or privacy status of the system is reported are defined. 53A_R5_CA-07_ODP[04]; 53A_R5_CA-07_ODP[06]

CPL-02 CPL-02_A07 the frequency at which the security and/or privacy status of the system is reported is defined. 53A_R5_CA-07_ODP[05]; 53A_R5_CA-07_ODP[07]

CPL-02 CPL-02_A08 system-level continuous monitoring includes reporting the cybersecurity & privacy status of the system to pertinent personnel or roles according to an organization-defined frequency. 53A_R5_CA-07g.[01]; 53A_R5_CA-07g.[02]

CPL-02 CPL-02_A09 control monitoring metrics are defined. 53A_R5_CA-07_ODP[01]; 53A_R5_CA-07a.

CPL-02 CPL-02_A10 system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy. 53A_R5_CA-07d.

CPL-02 CPL-02_A11 system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring. 53A_R5_CA-07e.

CPL-02 CPL-02_A12 system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information. 53A_R5_CA-07f.

CPL-02 CPL-02_A13 the personnel or roles to whom the security status of organizational systems is reported are defined. 53A_R5_PM-31_ODP[04]

CPL-02 CPL-02_A14 the personnel or roles to whom the privacy status of organizational systems is reported are defined. 53A_R5_PM-31_ODP[05]

CPL-02 CPL-02_A15 the frequency at which to report the security status of organizational systems is defined. 53A_R5_PM-31_ODP[06]

CPL-02 CPL-02_A16 the frequency at which to report the privacy status of organizational systems is defined. 53A_R5_PM-31_ODP[07]

CPL-02 CPL-02_A17 an organization-wide continuous monitoring strategy is developed. 53A_R5_PM-31; 53A_R5_PM-31_ODP[01]

CPL-02 CPL-02_A18 continuous monitoring programs are implemented that include establishing metrics to be monitored. 53A_R5_PM-31a.

CPL-02 CPL-02_A19 continuous monitoring programs are implemented that establish the frequency for monitoring. 53A_R5_PM-31b.[01]; 53A_R5_PM-31_ODP[02]

CPL-02 CPL-02_A20 continuous monitoring programs are implemented that establish the frequency for assessment of control effectiveness. 53A_R5_PM-31b.[02]; 53A_R5_PM-31_ODP[03]

CPL-02 CPL-02_A21 continuous monitoring programs are implemented that include monitoring metrics on an ongoing basis in accordance with the continuous monitoring strategy. 53A_R5_PM-31c.

CPL-02 CPL-02_A22 continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring. 53A_R5_PM-31d.[01]

CPL-02 CPL-02_A23 continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring. 53A_R5_PM-31d.[02]

CPL-02 CPL-02_A24 continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information. 53A_R5_PM-31e.[01]

CPL-02 CPL-02_A25 continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information. 53A_R5_PM-31e.[02]

CPL-02 CPL-02_A26 continuous monitoring programs are implemented that include reporting the security status of organizational systems to organization-defined personnel or roles at an organization-defined frequency. 53A_R5_PM-31f.[01]

CPL-02 CPL-02_A27 continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to organization-defined personnel or roles at an organization-defined frequency. 53A_R5_PM-31f.[02]


CPL-02.1 CPL-02.1_A01 an internal audit function exists that is comprised of stakeholders who have the subject matter expertise to serve in an advisory capability on audit-related matters. SCF Created

CPL-02.1 CPL-02.1_A02 an internal audit function formally defines audit-related priorities for the organization. SCF Created

CPL-02.1 CPL-02.1_A03 an internal audit function tracks audit findings that require remediation efforts. SCF Created

CPL-02.1 CPL-02.1_A04 an internal audit function provides the organization's executive leadership with insights into the appropriateness of the organization's technology and information governance processes. SCF Created

CPL-03 CPL-03_A01 the frequency at which to assess controls in the system and its environment of operation is defined. 53A_R5_CA-02_ODP[01]

CPL-03 CPL-03_A02 individuals or roles to whom control assessment results are to be provided are defined. 53A_R5_CA-02_ODP[02]

CPL-03 CPL-03_A03 an appropriate assessor or assessment team is selected for the type of assessment to be conducted. 53A_R5_CA-02a.

CPL-03 CPL-03_A04 a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment. 53A_R5_CA-02b.01

CPL-03 CPL-03_A05 a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness. 53A_R5_CA-02b.02

CPL-03 CPL-03_A06 a control assessment plan is developed that describes the scope of the assessment, including the assessment environment. 53A_R5_CA-02b.03[01]

CPL-03 CPL-03_A07 a control assessment plan is developed that describes the scope of the assessment, including the assessment team. 53A_R5_CA-02b.03[02]

CPL-03 CPL-03_A08 a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities. 53A_R5_CA-02b.03[03]

CPL-03 CPL-03_A09 the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment. 53A_R5_CA-02c.

CPL-03.1 CPL-03.1_A01 independent assessors or assessment teams are employed to monitor in-scope controls on an ongoing basis. 53A_R5_CA-07(01)

CPL-03.2 CPL-03.2_A01 controls in the system and its environment of operation are assessed at the organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established security requirements. 53A_R5_CA-02d.[01]

CPL-03.2 CPL-03.2_A02 controls in the system and its environment of operation are assessed at the organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established privacy requirements. 53A_R5_CA-02d.[02]

CPL-03.2 CPL-03.2_A03 a control assessment report is produced that documents the results of the assessment. 53A_R5_CA-02e.

CPL-03.2 CPL-03.2_A04 the results of the control assessment are provided to organization-defined individuals or roles. 53A_R5_CA-02f.

CPL-04 CPL-04_A01 an internal audit function formally defines audit-related priorities for the organization. SCF Created

CPL-04 CPL-04_A02 audits are thoughtfully planned to minimize the impact of audit-related activities on business operations. SCF Created

CPL-05 CPL-05_A01 a formal process exists to intake requests, document the request and determine whether a government agency has an applicable and valid legal basis to request data from the organization. SCF Created

CPL-05 CPL-05_A02 based on an applicable and valid legal basis for a data request by a government agency, data request fulfillment actions are formally assigned to an individual or group with explicitly-specified criteria to minimize inappropriate data sharing. SCF Created

CPL-05.1 CPL-05.1_A01 a formal process exists to intake and document government investigation requests. SCF Created

CPL-05.1 CPL-05.1_A02 a formal process exists to evaluate government investigation requests for legal requirements the organization must comply with. SCF Created

CPL-05.1 CPL-05.1_A03 processes exist to notify affected customer(s) about investigation requests, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution). SCF Created

CPL-05.2 CPL-05.2_A01 a formal process exists to intake and document government access requests. SCF Created

CPL-05.2 CPL-05.2_A02 a formal process exists to evaluate government access requests for legal requirements the organization must comply with. SCF Created

CPL-05.2 CPL-05.2_A03 the organization supports official investigations by provisioning government investigators with "least privileges" and "least functionality" to ensure that government investigators only have access to the data and systems needed to perform the investigation. SCF Created

CPL-06 CPL-06_A01 a formal process exists to intake and document access requests from host governments for unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations. SCF Created

CPL-06 CPL-06_A02 executive leadership, along with legal counsel, formally identifies risks associated with non-compliance (e.g., fines, operational impacts, etc.). SCF Created

CPL-06 CPL-06_A03 executive leadership, along with legal counsel, formally identifies primary risks associated with compliance (e.g., loss of confidentiality and/or integrity considerations with data governance). SCF Created

CPL-06 CPL-06_A04 executive leadership, along with legal counsel, formally identifies secondary risks associated with compliance (e.g., non-compliance with other laws, regulations and contractual agreements). SCF Created

CPL-06 CPL-06_A05 executive leadership, along with legal counsel, formally identifies tertiary risks associated with compliance (e.g., human rights abuses, theft of intellectual property, espionage, etc.). SCF Created

CPL-06 CPL-06_A06 executive leadership, along with legal counsel, formally adopts an action plan to respond to host government requests for unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations. SCF Created

CFG-01 CFG-01_A01 the scope for the configuration management plan is organization-wide. 53A_R5_CM-01_ODP[03]

CFG-01 CFG-01_A02 the current configuration management policy is reviewed and updated at an organization-defined frequency. 53A_R5_CM-01c.01[01]


CFG-01 CFG-01_A03 the current configuration management policy is reviewed and updated following organization-defined events. 53A_R5_CM-01c.01[02]

CFG-01 CFG-01_A04 personnel or roles to review and approve the configuration management plan is/are defined. 53A_R5_CM-09_ODP

CFG-01 CFG-01_A05 a configuration management plan for the system is developed and documented. 53A_R5_CM-09[01]

CFG-01 CFG-01_A06 a configuration management plan for the system is implemented. 53A_R5_CM-09[02]

CFG-01 CFG-01_A07 the configuration management plan addresses roles. 53A_R5_CM-09a.[01]

CFG-01 CFG-01_A08 the configuration management plan addresses responsibilities. 53A_R5_CM-09a.[02]

CFG-01 CFG-01_A09 the configuration management plan addresses configuration management processes and procedures. 53A_R5_CM-09a.[03]

CFG-01 CFG-01_A10 the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle. 53A_R5_CM-09b.[01]

CFG-01 CFG-01_A11 the configuration management plan establishes a process for managing the configuration of the configuration items. 53A_R5_CM-09b.[02]

CFG-01 CFG-01_A12 the configuration management plan defines the configuration items for the system. 53A_R5_CM-09c.[01]

CFG-01 CFG-01_A13 the configuration management plan places the configuration items under configuration management. 53A_R5_CM-09c.[02]

CFG-01 CFG-01_A14 the configuration management plan is reviewed and approved by organization-defined personnel or roles. 53A_R5_CM-09d.

CFG-01 CFG-01_A15 the configuration management plan is protected from unauthorized disclosure. 53A_R5_CM-09e.[01]

CFG-01 CFG-01_A16 the configuration management plan is protected from unauthorized modification. 53A_R5_CM-09e.[02]

CFG-01.1 CFG-01.1_A01 the responsibility for developing the configuration management process is assigned to organizational personnel who are not directly involved in system development. 53A_R5_CM-09(01)

CFG-02 CFG-02_A01 security configuration settings for information technology products employed in the system are established and included in the baseline configuration. 171A_3.4.2[a]

CFG-02 CFG-02_A02 a current baseline configuration of the system, application or service is developed and documented. 171A_3.4.1[a]; 53A_R5_CM-02a.[01]

CFG-02 CFG-02_A03 the baseline configuration includes hardware, software, firmware and documentation. 171A_3.4.1[b]

CFG-02 CFG-02_A04 the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle under configuration control. 171A_3.4.1[c]; 53A_R5_CM-02a.[02]

CFG-02 CFG-02_A05 security configuration settings for information technology products employed in the system are enforced. 171A_3.4.2[b]; 53A_R5_CM-06b.

CFG-02 CFG-02_A06 configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using organization-defined common secure configurations. 53A_R5_CM-06a.

CFG-02 CFG-02_A07 a control baseline for the system is selected. 53A_R5_PL-10

CFG-02 CFG-02_A08 thresholds to which attack surfaces are to be reduced are defined. 53A_R5_SA-15(05)_ODP

CFG-02 CFG-02_A09 the developer of the system, system component or system service is required to reduce attack surfaces to organization-defined thresholds. 53A_R5_SA-15(05)

CFG-02.1 CFG-02.1_A01 the frequency of baseline configuration review and update is defined. 53A_R5_CM-02_ODP[01]

CFG-02.1 CFG-02.1_A02 the circumstances requiring baseline configuration review and update are defined. 53A_R5_CM-02_ODP[02]

CFG-02.1 CFG-02.1_A03 the baseline configuration of the system is reviewed and updated at an organization-defined frequency. 53A_R5_CM-02b.01

CFG-02.1 CFG-02.1_A04 the baseline configuration of the system is reviewed and updated when required due to organization-defined circumstances. 53A_R5_CM-02b.02

CFG-02.1 CFG-02.1_A05 the baseline configuration of the system is reviewed and updated when system components are installed or upgraded. 53A_R5_CM-02b.03

CFG-02.2 CFG-02.2_A01 system components for which to manage, apply and verify configuration settings are defined. 53A_R5_CM-06(01)_ODP[01]; 53A_R5_CM-06(01)_ODP[03]; 53A_R5_CM-06(01)_ODP[04]

CFG-02.2 CFG-02.2_A02 automated discovery and management tools for the inventory of system components are identified. 172A_3.4.3e[a]; 53A_R5_CM-02(02)_ODP; 53A_R5_CM-06(01)_ODP[02]

CFG-02.2 CFG-02.2_A03 an up-to-date, complete, accurate and readily available inventory of system components exists. 172A_3.4.3e[b]; 53A_R5_CM-02(02)[01]; 53A_R5_CM-02(02)[02]

CFG-02.2 CFG-02.2_A04 automated discovery and management tools are employed to maintain an up-to-date, complete, accurate and readily available inventory of system components. 172A_3.4.3e[c]; 53A_R5_CM-02(02)[03]; 53A_R5_CM-02(02)[04]; 53A_R5_CM-06(01)[01]; 53A_R5_CM-06(01)[02]; 53A_R5_CM-06(01)[03]

CFG-02.3 CFG-02.3_A01 the number of previous baseline configuration versions to be retained is defined. 53A_R5_CM-02(03)_ODP

CFG-02.3 CFG-02.3_A02 the organization-defined number of previous baseline configuration version(s) of the system is retained to support rollback. 53A_R5_CM-02(03)

CFG-02.4 CFG-02.4_A01 a baseline configuration for system development environments that is managed separately from the operational baseline configuration is maintained. 53A_R5_CM-02(06)[01]


CFG-02.4 CFG-02.4_A02 a baseline configuration for test environments that is managed separately from the operational baseline configuration is maintained. 53A_R5_CM-02(06)[02]

CFG-02.5 CFG-02.5_A01 the systems or system components to be issued when individuals travel to high-risk areas are defined. 53A_R5_CM-02(07)_ODP[01]

CFG-02.5 CFG-02.5_A02 configurations for systems or system components to be issued when individuals travel to high-risk areas are defined. 53A_R5_CM-02(07)_ODP[02]; 172A_3.14.3e_ODP[1]; 172A_3.14.3e[a]; 172A_3.14.3e[b]

CFG-02.5 CFG-02.5_A03 organization-defined systems or system components with organization-defined configurations are issued to individuals traveling to locations that the organization deems to be of significant risk. 53A_R5_CM-02(07)(a); 53A_R5_CM-02(07)_ODP[03]

CFG-02.5 CFG-02.5_A04 organization-defined controls are applied to the systems or system components when the individuals return from travel. 53A_R5_CM-02(07)(b)

CFG-02.6 CFG-02.6_A01 network devices are configured to synchronize startup and running configuration files. SCF Created

CFG-02.7 CFG-02.7_A01 common secure configurations to establish and document configuration settings for components employed within the system are defined. 53A_R5_CM-06_ODP[01]

CFG-02.7 CFG-02.7_A02 system components for which approval of deviations is needed are defined. 53A_R5_CM-06_ODP[02]

CFG-02.7 CFG-02.7_A03 operational requirements necessitating approval of deviations are defined. 53A_R5_CM-06_ODP[03]

CFG-02.7 CFG-02.7_A04 configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using common secure configurations. 53A_R5_CM-06a.

CFG-02.7 CFG-02.7_A05 any deviations from established configuration settings for system components are identified and documented based on operational requirements. 53A_R5_CM-06c.[01]

CFG-02.7 CFG-02.7_A06 any deviations from established configuration settings for system components are approved. 53A_R5_CM-06c.[02]

CFG-02.7 CFG-02.7_A07 changes to the configuration settings are monitored in accordance with organizational policies and procedures. 53A_R5_CM-06d.[01]

CFG-02.7 CFG-02.7_A08 changes to the configuration settings are controlled in accordance with organizational policies and procedures. 53A_R5_CM-06d.[02]; 53A_R5_CM-06b.

CFG-02.8 CFG-02.8_A01 actions to be taken upon an unauthorized change are defined. 53A_R5_CM-06(02)_ODP[01]

CFG-02.8 CFG-02.8_A02 configuration settings requiring action upon an unauthorized change are defined. 53A_R5_CM-06(02)_ODP[02]

CFG-02.8 CFG-02.8_A03 organization-defined actions are taken in response to unauthorized changes to organization-defined configuration settings. 53A_R5_CM-06(02)

CFG-02.9 CFG-02.9_A01 the selected control baseline is tailored by applying specified tailoring actions. 53A_R5_PL-11

CFG-03 CFG-03_A01 essential system capabilities are defined based on the principle of least functionality. 171A_3.4.6[a]; 53A_R5_CM-07_ODP[01]

CFG-03 CFG-03_A02 the system is configured to provide only the defined essential capabilities. 171A_3.4.6[b]; 53A_R5_CM-07a.

CFG-03 CFG-03_A03 functions to be prohibited or restricted are defined. 53A_R5_CM-07_ODP[02]

CFG-03 CFG-03_A04 ports to be prohibited or restricted are defined. 53A_R5_CM-07_ODP[03]

CFG-03 CFG-03_A05 protocols to be prohibited or restricted are defined. 53A_R5_CM-07_ODP[04]

CFG-03 CFG-03_A06 software to be prohibited or restricted is defined. 53A_R5_CM-07_ODP[05]

CFG-03 CFG-03_A07 services to be prohibited or restricted are defined. 53A_R5_CM-07_ODP[06]

CFG-03 CFG-03_A08 the use of organization-defined functions is prohibited or restricted. 53A_R5_CM-07b.[01]

CFG-03 CFG-03_A09 the use of organization-defined ports is prohibited or restricted. 53A_R5_CM-07b.[02]

CFG-03 CFG-03_A10 the use of organization-defined protocols is prohibited or restricted. 53A_R5_CM-07b.[03]

CFG-03 CFG-03_A11 the use of organization-defined software is prohibited or restricted. 53A_R5_CM-07b.[04]

CFG-03 CFG-03_A12 the use of organization-defined services is prohibited or restricted. 53A_R5_CM-07b.[05]

CFG-03.1 CFG-03.1_A01 the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined. 53A_R5_CM-07(01)(a); 53A_R5_CM-07(01)_ODP[01]

CFG-03.1 CFG-03.1_A02 essential programs are defined. 171A_3.4.7[a]

CFG-03.1 CFG-03.1_A03 essential functions are defined. 171A_3.4.7[d]

CFG-03.1 CFG-03.1_A04 essential ports are defined. 171A_3.4.7[g]

CFG-03.1 CFG-03.1_A05 essential protocols are defined. 171A_3.4.7[j]

CFG-03.1 CFG-03.1_A06 essential services are defined. 171A_3.4.7[m]


CFG-03.1 CFG-03.1_A07 the use of nonessential programs is defined. 171A_3.4.7[b]

CFG-03.1 CFG-03.1_A08 the use of nonessential programs is restricted, disabled or prevented as defined. 171A_3.4.7[c]

CFG-03.1 CFG-03.1_A09 the use of nonessential functions is defined. 171A_3.4.7[e]

CFG-03.1 CFG-03.1_A10 the use of nonessential functions is restricted, disabled or prevented as defined. 171A_3.4.7[f]

CFG-03.1 CFG-03.1_A11 the use of nonessential ports is defined. 171A_3.4.7[h]

CFG-03.1 CFG-03.1_A12 the use of nonessential protocols is defined. 171A_3.4.7[k]

CFG-03.1 CFG-03.1_A13 the use of nonessential ports is restricted, disabled or prevented as defined. 171A_3.4.7[i]

CFG-03.1 CFG-03.1_A14 the use of nonessential protocols is restricted, disabled or prevented as defined. 171A_3.4.7[l]

CFG-03.1 CFG-03.1_A15 the use of nonessential services is defined. 171A_3.4.7[n]

CFG-03.1 CFG-03.1_A16 the use of nonessential services is restricted, disabled or prevented as defined. 171A_3.4.7[o]

CFG-03.1 CFG-03.1_A17 functions to be disabled or removed when deemed unnecessary or non-secure are defined. 53A_R5_CM-07(01)_ODP[02]

CFG-03.1 CFG-03.1_A18 ports to be disabled or removed when deemed unnecessary or non-secure are defined. 53A_R5_CM-07(01)_ODP[03]

CFG-03.1 CFG-03.1_A19 protocols to be disabled or removed when deemed unnecessary or non-secure are defined. 53A_R5_CM-07(01)_ODP[04]

CFG-03.1 CFG-03.1_A20 software to be disabled or removed when deemed unnecessary or non-secure is defined. 53A_R5_CM-07(01)_ODP[05]

CFG-03.1 CFG-03.1_A21 services to be disabled or removed when deemed unnecessary or non-secure are defined. 53A_R5_CM-07(01)_ODP[06]

CFG-03.1 CFG-03.1_A22 organization-defined functions deemed to be unnecessary and/or non-secure are disabled or removed. 53A_R5_CM-07(01)(b)[01]

CFG-03.1 CFG-03.1_A23 organization-defined ports deemed to be unnecessary and/or non-secure are disabled or removed. 53A_R5_CM-07(01)(b)[02]

CFG-03.1 CFG-03.1_A24 organization-defined protocols deemed to be unnecessary and/or non-secure are disabled or removed. 53A_R5_CM-07(01)(b)[03]

CFG-03.1 CFG-03.1_A25 organization-defined software deemed to be unnecessary and/or non-secure is disabled or removed. 53A_R5_CM-07(01)(b)[04]

CFG-03.1 CFG-03.1_A26 organization-defined services deemed to be unnecessary and/or non-secure are disabled or removed. 53A_R5_CM-07(01)(b)[05]

CFG-03.2 CFG-03.2_A01 policies, rules of behavior, and/or access agreements regarding unauthorized software program usage and restrictions are defined. 53A_R5_CM-07(02)_ODP[01]; 53A_R5_CM-07(02)_ODP[02]

CFG-03.2 CFG-03.2_A02 program execution is prevented in accordance with organization-defined criteria (e.g., policies, rules of behavior, and/or access agreements). 53A_R5_CM-07(02); 53A_R5_CM-07(02)_ODP[01]

CFG-03.3 CFG-03.3_A01 a policy specifying whether whitelisting or blacklisting is to be implemented is specified. 171A_3.4.8[a]

CFG-03.3 CFG-03.3_A02 the software allowed to execute under whitelisting or denied use under blacklisting is specified. 171A_3.4.8[b]

CFG-03.3 CFG-03.3_A03 whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified. 171A_3.4.8[c]

CFG-03.3 CFG-03.3_A04 registration requirements for functions, ports, protocols and services are defined. 53A_R5_CM-07(03)_ODP

CFG-03.3 CFG-03.3_A05 organization-defined registration requirements are complied with. 53A_R5_CM-07(03)

CFG-03.3 CFG-03.3_A06 software programs not authorized to execute on the system are defined. 53A_R5_CM-07(04)_ODP[01]

CFG-03.3 CFG-03.3_A07 frequency at which to review and update the list of unauthorized software programs is defined. 53A_R5_CM-07(04)_ODP[02]

CFG-03.3 CFG-03.3_A08 organization-defined software programs are identified. 53A_R5_CM-07(04)(a); 53A_R5_CM-07(05)(a)

CFG-03.3 CFG-03.3_A09 an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system. 53A_R5_CM-07(04)(b)

CFG-03.3 CFG-03.3_A10 the list of unauthorized software programs is reviewed and updated at an organization-defined frequency. 53A_R5_CM-07(04)(c)

CFG-03.3 CFG-03.3_A11 software programs authorized to execute on the system are defined. 53A_R5_CM-07(05)_ODP[01]

CFG-03.3 CFG-03.3_A12 frequency at which to review and update the list of authorized software programs is defined. 53A_R5_CM-07(05)_ODP[02]

CFG-03.3 CFG-03.3_A13 a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed. 53A_R5_CM-07(05)(b)

CFG-03.3 CFG-03.3_A14 the list of authorized software programs is reviewed and updated at an organization-defined frequency. 53A_R5_CM-07(05)(c)


CFG-03.3 CFG-03.3_A15 the automatic execution of mobile code in organization-defined software applications is prevented. 53A_R5_SC-18(04)[01]

CFG-03.3 CFG-03.3_A16 organization-defined actions are enforced prior to executing mobile code. 53A_R5_SC-18(04)[02]

CFG-03.4 CFG-03.4_A01 safeguards to securely provision split tunneling are defined. 53A_R5_SC-07(07)_ODP

CFG-03.4 CFG-03.4_A02 remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (e.g., split tunneling). 171A_3.13.7; 53A_R5_SC-07(07)

CFG-04 CFG-04_A01 software and associated documentation are used in accordance with contract agreements and copyright laws. 53A_R5_CM-10a.

CFG-04 CFG-04_A02 the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution. 53A_R5_CM-10b.

CFG-04 CFG-04_A03 the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance or reproduction of copyrighted work. 53A_R5_CM-10c.

CFG-04.1 CFG-04.1_A01 restrictions on the use of open-source software are defined. 53A_R5_CM-10(01)_ODP

CFG-04.1 CFG-04.1_A02 organization-defined restrictions are established for the use of open-source software. 53A_R5_CM-10(01)

CFG-04.2 CFG-04.2_A01 security configuration settings for authorized Internet browsers are established. SCF Created

CFG-04.2 CFG-04.2_A02 security configuration settings for authorized email clients are established. SCF Created

CFG-04.2 CFG-04.2_A03 users are prevented from installing unauthorized Internet browsers and/or email clients through technical and/or administrative mechanisms. SCF Created

CFG-04.2 CFG-04.2_A04 unauthorized Internet browsers and/or email clients are responded to as a security incident, per established incident response procedures. SCF Created

CFG-05 CFG-05_A01 policies governing the installation of software by users are defined. 171A_3.4.9[b]; 53A_R5_CM-11_ODP[01]; 53A_R5_CM-11a.

CFG-05 CFG-05_A02 methods used to enforce software installation policies are defined. 53A_R5_CM-11_ODP[02]

CFG-05 CFG-05_A03 software installation policies are enforced through organization-defined methods. 53A_R5_CM-11b.

CFG-05 CFG-05_A04 installation of software by users is monitored. 171A_3.4.9[c]; 53A_R5_CM-11_ODP[03]; 53A_R5_CM-11c.

CFG-05.1 CFG-05.1_A01 compliance with software installation policies is enforced using organization-defined automated mechanisms. 53A_R5_CM-11(03)[01]

CFG-05.1 CFG-05.1_A02 frequency at which automated mechanisms are used to detect the presence of unauthorized hardware, software and/or firmware within the system is defined. 53A_R5_CM-08(03)_ODP[04]

CFG-05.1 CFG-05.1_A03 automated mechanisms used to monitor compliance are defined. 53A_R5_CM-11(03)_ODP[02]

CFG-05.2 CFG-05.2_A01 user installation of software is allowed only with explicit privileged status. 53A_R5_CM-11(02)

CFG-06 CFG-06_A01 the circumstances under which changes are to be prevented or restricted are defined. 53A_R5_CM-03(08)_ODP

CFG-06 CFG-06_A02 changes to the configuration of the system are prevented or restricted under organization-defined circumstances. 53A_R5_CM-03(08)

CFG-06 CFG-06_A03 automated mechanisms used to enforce configuration enforcement are defined. 53A_R5_CM-11(03)_ODP[01]

CFG-06 CFG-06_A04 automated mechanisms used to monitor configuration enforcement are defined. 53A_R5_CM-11(03)_ODP[02]

CFG-06 CFG-06_A05 compliance with software installation policies is enforced using automated mechanisms. 53A_R5_CM-11(03)[01]

CFG-06 CFG-06_A06 compliance with software installation policies is monitored using automated mechanisms. 53A_R5_CM-11(03)[02]

CFG-07 CFG-07_A01 automated mechanisms used to perform Zero-Touch Provisioning (ZTP) are defined. SCF Created

CFG-07 CFG-07_A02 an automated mechanism performs Zero-Touch Provisioning (ZTP) to deploy secure baseline configurations upon devices being added to a network. SCF Created

CFG-08 CFG-08_A01 information types requiring restricted access to data repositories are defined. 53A_R5_AC-03(11)_ODP

CFG-08 CFG-08_A02 access to data repositories containing organization-defined information types is restricted. 53A_R5_AC-03(11)

CFG-08.1 CFG-08.1_A01 an automated mechanism generates event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived. SCF Created

MON-01 MON-01_A01 the continuous monitoring program is organization-wide. 53A_R5_AU-01_ODP[03]

MON-01 MON-01_A02 monitoring objectives to detect attacks and indicators of potential attacks on the system are defined. 53A_R5_SI-04_ODP[01]

MON-01 MON-01_A03 techniques and methods used to identify unauthorized use of the system are defined. 53A_R5_SI-04_ODP[02]

MON-01 MON-01_A04 system monitoring information to be provided to personnel or roles is defined. 53A_R5_SI-04_ODP[03]; 53A_R5_SI-04g.


MON-01 MON-01_A05 personnel or roles to whom system monitoring information is to be provided is/are defined. 53A_R5_SI-04_ODP[04]

MON-01 MON-01_A06 a frequency for providing system monitoring information to personnel or roles is defined. 53A_R5_SI-04_ODP[05]; 53A_R5_SI-04_ODP[06]

MON-01 MON-01_A07 the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations or the Nation. 53A_R5_SI-04e.

MON-01 MON-01_A08 a legal opinion regarding system monitoring activities is obtained. 53A_R5_SI-04f.

MON-01.1 MON-01.1_A01 individual intrusion detection tools are connected to a system-wide intrusion detection system. 53A_R5_SI-04(01)[01]

MON-01.1 MON-01.1_A02 individual intrusion detection tools are configured into a system-wide intrusion detection system. 53A_R5_SI-04(01)[02]

MON-01.1 MON-01.1_A03 visibility into network traffic at external system interfaces is provided to optimize the effectiveness of monitoring devices. 53A_R5_SI-04(25)[01]

MON-01.1 MON-01.1_A04 visibility into network traffic at key internal system interfaces is provided to optimize the effectiveness of monitoring devices. 53A_R5_SI-04(25)[02]

MON-01.2 MON-01.2_A01 automated tools and mechanisms are employed to support a near real-time analysis of events. 53A_R5_SI-04(02)

MON-01.3 MON-01.3_A01 anomalous or suspicious behavior is defined. 172A_3.14.2e[a]

MON-01.3 MON-01.3_A02 the system is monitored to detect attacks and indicators of potential attacks. 171A_3.14.6[a]

MON-01.3 MON-01.3_A03 criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined. 53A_R5_SI-04(04)(a)[01]

MON-01.3 MON-01.3_A04 criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined. 53A_R5_SI-04(04)(a)[02]

MON-01.3 MON-01.3_A05 unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined. 53A_R5_SI-04(04)_ODP[04]

MON-01.3 MON-01.3_A06 inbound communications traffic is monitored to detect attacks and indicators of potential attacks. 171A_3.14.6[b]; 53A_R5_SI-04(04)(b)[01]; 53A_R5_SI-04(04)_ODP[02]

MON-01.3 MON-01.3_A07 outbound communications traffic is monitored to detect attacks and indicators of potential attacks. 171A_3.14.6[c]; 53A_R5_SI-04(04)(b)[02]; 53A_R5_SI-04(04)_ODP[03]

MON-01.3 MON-01.3_A08 the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined. 53A_R5_SI-04(04)_ODP[01]

MON-01.4 MON-01.4_A01 personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined. 53A_R5_SI-04(05)_ODP[01]

MON-01.4 MON-01.4_A02 compromise indicators are defined. 53A_R5_SI-04(05)_ODP[02]

MON-01.4 MON-01.4_A03 personnel or roles are alerted when system-generated compromise indicators occur. 53A_R5_SI-04(05)

MON-01.5 MON-01.5_A01 a wireless intrusion detection system is employed to identify rogue wireless devices. 53A_R5_SI-04(14)[01]

MON-01.5 MON-01.5_A02 a wireless intrusion detection system is employed to detect attack attempts on the system. 53A_R5_SI-04(14)[02]

MON-01.5 MON-01.5_A03 a wireless intrusion detection system is employed to detect potential compromises or breaches to the system. 53A_R5_SI-04(14)[03]

MON-01.5 MON-01.5_A04 an intrusion detection system is employed to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. 53A_R5_SI-04(15)

MON-01.6 MON-01.6_A01 host-based monitoring mechanisms to be implemented on system components are defined. 53A_R5_SI-04(23)_ODP[01]

MON-01.6 MON-01.6_A02 system components where host-based monitoring is to be implemented are defined. 53A_R5_SI-04(23)_ODP[02]

MON-01.6 MON-01.6_A03 host-based monitoring mechanisms are implemented on system components. 53A_R5_SI-04(23)

MON-01.7 MON-01.7_A01 sources that provide Indicators of Compromise (IOC) are defined. 53A_R5_SI-04(24)_ODP[01]

MON-01.7 MON-01.7_A02 personnel or roles to whom Indicators of Compromise (IOC) are to be distributed is/are defined. 53A_R5_SI-04(24)_ODP[02]

MON-01.7 MON-01.7_A03 Indicators of Compromise (IOC) provided by sources are discovered. 53A_R5_SI-04(24)[01]

MON-01.7 MON-01.7_A04 Indicators of Compromise (IOC) provided by sources are collected. 53A_R5_SI-04(24)[02]

MON-01.7 MON-01.7_A05 Indicators of Compromise (IOC) provided by sources are distributed to personnel or roles. 53A_R5_SI-04(24)[03]

MON-01.8 MON-01.8_A01 a process for determining when to review logged events is defined. 171A_3.3.3[a]

MON-01.8 MON-01.8_A02 event types being logged are reviewed in accordance with the defined review process. 171A_3.3.3[b]

MON-01.8 MON-01.8_A03 event types being logged are updated based on the review. 171A_3.3.3[c]

MON-01.8 MON-01.8_A04 response actions to system security alerts and advisories are identified. 171A_3.14.3[a]

MON-01.8 MON-01.8_A05 system security alerts and advisories are monitored. 171A_3.14.3[b]

MON-01.8 MON-01.8_A06 actions in response to system security alerts and advisories are taken. 171A_3.14.3[c]

MON-01.9 MON-01.9_A01 all external-bound requests are logged in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems. SCF Created

MON-01.10 MON-01.10_A01 directory services are configured to generate a log for attempted usage of deactivated accounts. SCF Created

MON-01.10 MON-01.10_A02 personnel or roles are alerted when system-generated alerts from attempted usage of deactivated accounts occur. SCF Created
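What MON-01.10_A01 and _A02 look like once the directory is logging and someone has to act on the log, as an added example that is not part of the SCF text: detection logic run over constructed log lines, flagging logon attempts against deactivated accounts and producing an alert addressed to a defined role. The key=value line format, the deactivated-account list, the alert structure and the sample lines are assumptions made for this example; Windows Security event ID 4625 (failed logon) and sub-status 0xC0000072 (account disabled) are real values from the Windows security audit log.

```python
"""Added example (not SCF text): detect logon attempts against deactivated accounts
and raise an alert for a defined role (MON-01.10). Line format, deactivated list,
alert sink and sample data are assumptions; 4625 / 0xC0000072 are real Windows values."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed: exported from the directory service; in practice this is queried live
# (e.g. the ACCOUNTDISABLE bit of userAccountControl in Active Directory).
DEACTIVATED = {"jdoe", "svc_legacy"}
DISABLED_SUBSTATUS = "0xc0000072"  # STATUS_ACCOUNT_DISABLED

LINE_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line):
    """Parse key=value pairs (values optionally double-quoted) into a dict."""
    out = {}
    for m in LINE_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        out[key] = quoted if quoted is not None else raw
    return out


def is_deactivated_attempt(ev):
    """A failed logon (4625) is an attempt on a deactivated account when either the
    directory says so (sub-status 0xC0000072) or the target is on our own deactivated
    list. The second test catches accounts that should be disabled but are not yet."""
    if ev.get("EventID") != "4625":
        return False
    user = ev.get("TargetUserName", "").lower()
    return ev.get("SubStatus", "").lower() == DISABLED_SUBSTATUS or user in DEACTIVATED


@dataclass
class Alert:
    role: str        # personnel/role to be alerted (MON-01.10_A02)
    account: str
    source_ip: str
    count: int
    first_seen: str
    last_seen: str


def detect(lines, notify_role="soc-analyst"):
    """Return one Alert per (account, source IP) pair that attempted a deactivated
    account, aggregated so a brute-force burst becomes one alert, not hundreds."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_kv(line)
        if is_deactivated_attempt(ev):
            key = (ev["TargetUserName"].lower(), ev.get("IpAddress", "-"))
            buckets[key].append(ev["Time"])
    return [
        Alert(notify_role, acct, ip, len(times), times[0], times[-1])
        for (acct, ip), times in sorted(buckets.items())
    ]


# Constructed sample log lines (not real data), one event per line.
SAMPLE_LOG = [
    'Time=2024-03-12T09:00:01Z EventID=4624 TargetUserName=alice IpAddress=10.1.1.20 Status=0x0',
    'Time=2024-03-12T09:00:05Z EventID=4625 TargetUserName=jdoe IpAddress=10.1.1.44 Status=0xc000006d SubStatus=0xc0000072',
    'Time=2024-03-12T09:00:09Z EventID=4625 TargetUserName=jdoe IpAddress=10.1.1.44 Status=0xc000006d SubStatus=0xc0000072',
    'Time=2024-03-12T09:01:00Z EventID=4625 TargetUserName=bob IpAddress=10.1.1.50 Status=0xc000006d SubStatus=0xc000006a',
    'Time=2024-03-12T09:02:00Z EventID=4625 TargetUserName=svc_legacy IpAddress=10.1.1.61 Status=0xc000006d SubStatus=0xc000006a',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The bob line is a plain wrong-password failure and is deliberately not alerted; the svc_legacy line is alerted even though the directory reported only a bad password, which is exactly the discrepancy (account on the deactivation list but still enabled in the directory) an assessor checking A01 would want surfaced.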

MON-01.11 MON-01.11_A01 security violations that automatically disable a system are defined. 53A_R5_IR-04(05)_ODP

MON-01.11 MON-01.11_A02 least-disruptive actions to terminate suspicious events are defined. 53A_R5_SI-04(07)_ODP[02]

MON-01.11 MON-01.11_A03 a configurable capability is implemented to automatically disable the system if security violations are detected. 53A_R5_IR-04(05)

MON-01.11 MON-01.11_A04 least-disruptive actions are taken upon the detection of suspicious events. 53A_R5_SI-04(07)(b)

MON-01.11 MON-01.11_A05 incident response personnel (identified by name and/or by role) to be notified of detected suspicious events is/are defined. 53A_R5_SI-04(07)_ODP[01]

MON-01.11 MON-01.11_A06 incident response personnel are notified of detected suspicious events. 53A_R5_SI-04(07)(a)

MON-01.12 MON-01.12_A01 personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is/are defined. 53A_R5_SI-04(12)_ODP[01]

MON-01.12 MON-01.12_A02 automated mechanisms used to alert personnel or roles are defined. 53A_R5_SI-04(12)_ODP[02]

MON-01.12 MON-01.12_A03 activities that trigger alerts to personnel or roles are defined. 53A_R5_SI-04(12)_ODP[03]

MON-01.12 MON-01.12_A04 personnel or roles is/are alerted using automated mechanisms when activities that trigger alerts indicate inappropriate or unusual activities with security or privacy implications. 53A_R5_SI-04(12)

MON-01.13 MON-01.13_A01 communications traffic for the system is analyzed. 53A_R5_SI-04(13)(a)[01]

MON-01.13 MON-01.13_A02 event patterns for the system are analyzed. 53A_R5_SI-04(13)(a)[02]

MON-01.13 MON-01.13_A03 profiles representing common traffic are developed. 53A_R5_SI-04(13)(b)[01]

MON-01.13 MON-01.13_A04 profiles representing event patterns are developed. 53A_R5_SI-04(13)(b)[02]

MON-01.13 MON-01.13_A05 traffic profiles are used in tuning system-monitoring devices. 53A_R5_SI-04(13)(c)[01]

MON-01.13 MON-01.13_A06 event profiles are used in tuning system-monitoring devices. 53A_R5_SI-04(13)(c)[02]

MON-01.14 MON-01.14_A01 additional monitoring of individuals who have been identified as posing an increased level of risk is defined. 53A_R5_SI-04(19)_ODP[01]

MON-01.14 MON-01.14_A02 sources that identify individuals who pose an increased level of risk are defined. 53A_R5_SI-04(19)_ODP[02]

MON-01.14 MON-01.14_A03 additional monitoring is implemented on individuals who have been identified by sources as posing an increased level of risk. 53A_R5_SI-04(19)

MON-01.15 MON-01.15_A01 additional monitoring of privileged users is defined. 53A_R5_SI-04(20)_ODP

MON-01.15 MON-01.15_A02 additional monitoring of privileged users is implemented. 53A_R5_SI-04(20)

MON-01.16 MON-01.16_A01 the organization formally identifies its needs for monitoring. SCF Created

MON-01.16 MON-01.16_A02 monitoring needs are prioritized by asset, based on (1) asset criticality and (2) the sensitivity of the data it stores, transmits and processes. SCF Created

MON-01.17 MON-01.17_A01 the capability for authorized users to remotely view and hear content related to an established user session in real time is provided. 53A_R5_AU-14(03)[01]

MON-01.17 MON-01.17_A02 the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented. 53A_R5_AU-14(03)[02]

MON-02 MON-02_A01 automated mechanisms used for integrating audit record review, analysis and reporting processes are defined. 53A_R5_AU-06(01)_ODP

MON-02 MON-02_A02 audit record review, analysis and reporting processes are integrated using organization-defined automated mechanisms. 53A_R5_AU-06(01)

MON-02 MON-02_A03 the frequency or situation requiring logging for each specified event type is defined. 53A_R5_AU-06_ODP[01]; 53A_R5_AU-02_ODP[03]

MON-02 MON-02_A04 the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged. 53A_R5_AU-02b.

MON-02 MON-02_A05 the event types selected for logging are reviewed and updated at an organization-defined frequency. 53A_R5_AU-02e.

MON-02 MON-02_A06 a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents. 53A_R5_AU-02d.

MON-02 MON-02_A07 system audit records are reviewed and analyzed per an organization-defined frequency for indications of organization-defined inappropriate or unusual activity and the potential impact of the inappropriate or unusual activity. 53A_R5_AU-06a.

MON-02 MON-02_A08 findings are reported to organization-defined personnel or roles. 53A_R5_AU-06b.

MON-02 MON-02_A09 the level of audit record review, analysis and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information or other credible sources of information. 53A_R5_AU-06c.

MON-02.1 MON-02.1_A01 audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity are defined. 171A_3.3.5[a]

MON-02.1 MON-02.1_A02 defined audit record review, analysis and reporting processes are correlated. 171A_3.3.5[b]

MON-02.1 MON-02.1_A03 authorized use of the system is defined. 171A_3.14.7[a]

MON-02.1 MON-02.1_A04 unauthorized use of the system is identified. 171A_3.14.7[b]

MON-02.1 MON-02.1_A05 incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response. 53A_R5_IR-04(04)

MON-02.1 MON-02.1_A06 audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness. 53A_R5_AU-06(03); 53A_R5_IR-04(04); 53A_R5_SI-04(16)

MON-02.2 MON-02.2_A01 the capability to centrally review and analyze audit records from multiple components within the system is provided. 53A_R5_AU-06(04)[01]

MON-02.2 MON-02.2_A02 the capability to centrally review and analyze audit records from multiple components within the system is implemented. 53A_R5_AU-06(04)[02]

MON-02.3 MON-02.3_A01 data/information collected from other sources to be analyzed is defined. 53A_R5_AU-06(05)_ODP[02]

MON-02.3 MON-02.3_A02 information from monitoring physical, cyber and supply chain activities is correlated to achieve integrated, organization-wide situational awareness. 53A_R5_SI-04(17); 53A_R5_AU-06(05)_ODP[01]

MON-02.3 MON-02.3_A03 analysis of audit records is integrated with analysis of organization-specific criteria to further enhance the ability to identify inappropriate or unusual activity. 53A_R5_AU-06(05)

MON-02.4 MON-02.4_A01 information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity. 53A_R5_AU-06(06)

MON-02.5 MON-02.5_A01 the permitted actions for each organization-defined criteria (e.g., system process, role or user) associated with the review, analysis and reporting of audit record information are specified. 53A_R5_AU-06(07); 53A_R5_AU-06(07)_ODP

MON-02.6 MON-02.6_A01 frequency at which system audit records are reviewed and analyzed is defined. 53A_R5_AU-06_ODP[01]

MON-02.6 MON-02.6_A02 inappropriate or unusual activity is defined. 53A_R5_AU-06_ODP[02]

MON-02.6 MON-02.6_A03 personnel or roles to receive findings from reviews and analyses of system records is/are defined. 53A_R5_AU-06_ODP[03]

MON-02.6 MON-02.6_A04 system audit records are reviewed and analyzed per an organization-defined frequency for indications of organization-defined inappropriate or unusual activity and the potential impact of the inappropriate or unusual activity. 53A_R5_AU-06a.

MON-02.6 MON-02.6_A05 findings are reported to organization-defined personnel or roles. 53A_R5_AU-06b.

MON-02.6 MON-02.6_A06 the level of audit record review, analysis and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information or other credible sources of information. 53A_R5_AU-06c.

MON-02.7 MON-02.7_A01 system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined. 53A_R5_AU-12(01)_ODP[01]

MON-02.7 MON-02.7_A02 level of tolerance for the relationship between timestamps of individual records in the audit trail is defined. 53A_R5_AU-12(01)_ODP[02]

MON-02.7 MON-02.7_A03 audit records from organization-defined system components are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance. 53A_R5_AU-12(01)

MON-02.8 MON-02.8_A01 individuals or roles authorized to change the logging on system components are defined. 53A_R5_AU-12(03)_ODP[01]

MON-02.8 MON-02.8_A02 system components on which logging is to be performed are defined. 53A_R5_AU-12(03)_ODP[02]

MON-02.8 MON-02.8_A03 selectable event criteria with which change logging is to be performed are defined. 53A_R5_AU-12(03)_ODP[03]

MON-02.8 MON-02.8_A04 the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds is provided. 53A_R5_AU-12(03)[01]; 53A_R5_AU-12(03)_ODP[04]

MON-02.8 MON-02.8_A05 the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds is implemented. 53A_R5_AU-12(03)[02]

MON-03 MON-03_A01 a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents. 53A_R5_AU-02d.

MON-03 MON-03_A02 event logs needed (e.g., event types to be logged) to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity are specified. 171A_3.3.1[a]

MON-03 MON-03_A03 the content of audit records needed to support monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity is defined. 171A_3.3.1[b]; 171A_3.3.2[a]; 53A_R5_AU-02_ODP[01]; 53A_R5_AU-02_ODP[02]; 53A_R5_AU-02a.; 53A_R5_AU-02c.[01]

MON-03 MON-03_A04 audit records, once created, contain the defined content. 171A_3.3.1[d]; 171A_3.3.2[b]

MON-03 MON-03_A05 audit records contain information that establishes what type of event occurred. 53A_R5_AU-03a.; 53A_R5_AU-02c.[02]

MON-03 MON-03_A06 audit records contain information that establishes when the event occurred. 53A_R5_AU-03b.; 53A_R5_AU-02c.[02]

MON-03 MON-03_A07 audit records contain information that establishes where the event occurred. 53A_R5_AU-03c.; 53A_R5_AU-02c.[02]

MON-03 MON-03_A08 audit records contain information that establishes the source of the event. 53A_R5_AU-03d.; 53A_R5_AU-02c.[02]

MON-03 MON-03_A09 audit records contain information that establishes the outcome of the event. 53A_R5_AU-03e.; 53A_R5_AU-02c.[02]

MON-03 MON-03_A10 audit records contain information that establishes the identity of any individuals, subjects or objects/entities associated with the event. 53A_R5_AU-03f.

MON-03 MON-03_A11 the frequency at which the event types selected for logging are reviewed and updated is defined. 53A_R5_AU-02_ODP[04]

MON-03.1 MON-03.1_A01 additional information to be included in audit records is defined. 53A_R5_AU-03(01)_ODP

MON-03.1 MON-03.1_A02 generated audit records contain the organization-defined additional information. 53A_R5_AU-03(01)

MON-03.2 MON-03.2_A01 the content of the audit records needed to support the ability to uniquely trace users to their actions is defined. 171A_3.3.2[a]; 53A_R5_AU-02_ODP[01]; 53A_R5_AU-02_ODP[02]; 53A_R5_AU-02a.; 53A_R5_AU-02c.[01]

MON-03.2 MON-03.2_A02 audit records are created (generated). 171A_3.3.1[c]

MON-03.2 MON-03.2_A03 audit records contain information that establishes the identity of any individuals, subjects or objects/entities associated with the event. 53A_R5_AU-03f.

MON-03.3 MON-03.3_A01 a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed. 53A_R5_AU-06(08)

MON-03.4 MON-03.4_A01 the level of verbosity for information to be included in audit records is defined. 53A_R5_AU-03(01)_ODP

MON-03.4 MON-03.4_A02 generated audit records contain the specified level of verbosity. 53A_R5_AU-03(01)

MON-03.5 MON-03.5_A01 elements identified in the privacy risk assessment are defined. 53A_R5_AU-03(03)_ODP

MON-03.5 MON-03.5_A02 personal data contained in audit records is limited to organization-defined elements identified in the privacy risk assessment. 53A_R5_AU-03(03)

MON-03.6 MON-03.6_A01 cybersecurity and privacy controls and related processes to be centrally managed are defined. 53A_R5_PL-09_ODP

MON-03.6 MON-03.6_A02 cybersecurity and privacy controls and related processes are centrally managed. 53A_R5_PL-09

MON-03.7 MON-03.7_A01 the content of database audit records needed to support the ability to uniquely trace account actions is defined. 171A_3.3.2[a]; 53A_R5_AU-02_ODP[01]; 53A_R5_AU-02_ODP[02]; 53A_R5_AU-02a.; 53A_R5_AU-02c.[01]

MON-03.7 MON-03.7_A02 database audit records contain information that establishes the identity of any individuals, subjects or objects/entities associated with the event. 53A_R5_AU-03f.

MON-04 MON-04_A01 event log retention requirements are defined. 53A_R5_AU-04_ODP

MON-04 MON-04_A02 event log storage capacity is allocated to accommodate organization-defined event log retention requirements. 53A_R5_AU-04

MON-05 MON-05_A01 personnel or roles to be alerted in the event of an event logging process failure are identified. 171A_3.3.4[a]; 53A_R5_AU-05_ODP[01]; 53A_R5_AU-05a.

MON-05 MON-05_A02 types of event logging process failures for which an alert will be generated are defined. 171A_3.3.4[b]

MON-05 MON-05_A03 identified personnel or roles are alerted in the event of an event logging process failure. 171A_3.3.4[c]

MON-05 MON-05_A04 time period for personnel or roles receiving event logging process failure alerts is defined. 53A_R5_AU-05_ODP[02]

MON-05 MON-05_A05 additional actions to be taken in the event of an event logging process failure are defined. 53A_R5_AU-05_ODP[03]; 53A_R5_AU-05b.

MON-05.1 MON-05.1_A01 real-time period requiring alerts when event log failure events occur is defined. 53A_R5_AU-05(02)_ODP[01]

MON-05.1 MON-05.1_A02 personnel, roles, and/or locations to be alerted in real time when event log failure events occur is/are defined. 53A_R5_AU-05(02)_ODP[02]; 53A_R5_SI-04(12)_ODP[01]

MON-05.1 MON-05.1_A03 event logging failure events requiring real-time alerts are defined. 53A_R5_AU-05(02)_ODP[03]; 53A_R5_SI-04(12)_ODP[03]

MON-05.1 MON-05.1_A04 an alert is provided within the organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined event logging failure events requiring real-time alerts occur. 53A_R5_AU-05(02); 53A_R5_SI-04(12)_ODP[02]; 53A_R5_SI-04(12)

MON-05.2 MON-05.2_A01 personnel, roles, and/or locations to be warned when allocated event log storage volume reaches a percentage of repository maximum event log storage capacity are defined. 53A_R5_AU-05(01)_ODP[01]

MON-05.2 MON-05.2_A02 time period for defined personnel, roles, and/or locations to be warned when allocated event log storage volume reaches a percentage of repository maximum event log storage capacity is defined. 53A_R5_AU-05(01)_ODP[02]

MON-05.2 MON-05.2_A03 percentage of repository maximum event log storage capacity is defined. 53A_R5_AU-05(01)_ODP[03]

MON-05.2 MON-05.2_A04 a warning is provided per an organization-defined time period when allocated event log storage volume reaches organization-defined percentage of repository maximum event log storage capacity. 53A_R5_AU-05(01)

MON-06 MON-06_A01 system components that provide an audit record generation capability for the event types are defined. 53A_R5_AU-12_ODP[01]

MON-06 MON-06_A02 audit records include organization-defined audit record content requirements. 53A_R5_AU-12c.

MON-06 MON-06_A03 personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined. 53A_R5_AU-12_ODP[02]

MON-06 MON-06_A04 an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis and reporting requirements and after-the-fact investigations of incidents, and that does not alter the original content or time ordering of audit records. 171A_3.3.6[a]; 53A_R5_AU-07a.[01]; 53A_R5_AU-07b.[01]

MON-06 MON-06_A05 an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis and reporting requirements and after-the-fact investigations of incidents, and that does not alter the original content or time ordering of audit records. 171A_3.3.6[b]; 53A_R5_AU-07a.[02]; 53A_R5_AU-07b.[02]; 53A_R5_AU-07(01)[01]; 53A_R5_AU-07(01)[02]; 53A_R5_AU-12a.; 53A_R5_AU-12b.

MON-06 MON-06_A06 fields within audit records that can be processed, sorted or searched are defined. 53A_R5_AU-07(01)_ODP

MON-06.1 MON-06.1_A01 the capability to audit the parameters of user query events for data sets containing personal data is provided. 53A_R5_AU-12(04)[01]

MON-06.1 MON-06.1_A02 the capability to audit the parameters of user query events for data sets containing personal data is implemented. 53A_R5_AU-12(04)[02]

MON-06.2 MON-06.2_A01 trend analysis is employed to determine if control implementations used in the continuous monitoring process need to be modified based on empirical data. 53A_R5_CA-07(03)[01]

MON-06.2 MON-06.2_A02 trend analysis is employed to determine if the frequency of continuous monitoring activities used in the continuous monitoring process needs to be modified based on empirical data. 53A_R5_CA-07(03)[02]

MON-06.2 MON-06.2_A03 trend analysis is employed to determine if the types of activities used in the continuous monitoring process need to be modified based on empirical data. 53A_R5_CA-07(03)[03]

MON-07 MON-07_A01 timestamps are recorded for audit records that meet organization-defined granularity of time measurement and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time or include the local time offset as part of the timestamp. 53A_R5_AU-08b.; 171A_3.3.7[b]

MON-07 MON-07_A02 internal system clocks are used to generate time stamps for audit records. 171A_3.3.7[a]

MON-07.1 MON-07.1_A01 an authoritative source with which to compare and synchronize internal system clocks is specified. 171A_3.3.7[b]; 53A_R5_SC-45(01)_ODP[02]

MON-07.1 MON-07.1_A02 internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source. 171A_3.3.7[c]; 53A_R5_SC-45(01)(a); 53A_R5_SC-45(01)_ODP[03]

MON-07.1 MON-07.1_A03 system clocks are synchronized within and between systems and system components. 53A_R5_SC-45

MON-07.1 MON-07.1_A04 the frequency at which to compare the internal system clocks with the authoritative time source is defined. 53A_R5_SC-45(01)_ODP[01]

MON-07.1 MON-07.1_A05 the internal system clocks are synchronized with the authoritative time source when the time difference is greater than an organization-defined time period. 53A_R5_SC-45(01)(b)

MON-08 MON-08_A01 audit information is protected from unauthorized access. 171A_3.3.8[a]; 53A_R5_AU-09a.

MON-08 MON-08_A02 audit information is protected from unauthorized modification. 171A_3.3.8[b]; 53A_R5_AU-09a.

MON-08 MON-08_A03 audit information is protected from unauthorized deletion. 171A_3.3.8[c]; 53A_R5_AU-09a.

MON-08 MON-08_A04 event logging tools are protected from unauthorized access. 171A_3.3.8[d]; 53A_R5_AU-09a.

MON-08 MON-08_A05 event logging tools are protected from unauthorized modification. 171A_3.3.8[e]; 53A_R5_AU-09a.

MON-08 MON-08_A06 event logging tools are protected from unauthorized deletion. 171A_3.3.8[f]; 53A_R5_AU-09a.

MON-08 MON-08_A07 personnel or roles to be alerted upon detection of unauthorized access, modification or deletion of audit information is/are defined. 53A_R5_AU-09_ODP

MON-08 MON-08_A08 organization-defined personnel or roles are alerted upon detection of unauthorized access, modification or deletion of audit information. 53A_R5_AU-09b.

MON-08.1 MON-08.1_A01 the frequency at which event logs are transferred to a different system, system component or media other than the system or system component conducting the logging is defined. 53A_R5_AU-04(01)_ODP; 53A_R5_AU-09(02)_ODP

MON-08.1 MON-08.1_A02 event logs are transferred per an organization-defined frequency to a different system, system component or media other than the system or system component conducting the logging. 53A_R5_AU-04(01)

MON-08.1 MON-08.1_A03 audit records are stored per an organization-defined frequency in a repository that is part of a physically different system or system component than the system or component being audited. 53A_R5_AU-09(02)

MON-08.2 MON-08.2_A01 a subset of privileged users or roles authorized to access management of event logging functionality is defined. 171A_3.3.9[a]; 53A_R5_AU-09(04)_ODP

MON-08.2 MON-08.2_A02 access to management of event logging functionality is authorized only to the organization-defined subset of privileged users or roles. 171A_3.3.9[b]; 53A_R5_AU-09(04)

MON-08.3 MON-08.3_A01 cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented. 53A_R5_AU-09(03)
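MON-03 (records carry what, when, where, source, outcome and identity), MON-07 (timestamps in UTC at a defined granularity) and MON-08.3 (cryptographic protection of audit integrity) describe three parts of one mechanism, and an assessor checks them together. The following is an added example, not SCF or NIST text, showing one way to generate records that satisfy those objectives and to verify that none have been altered or removed: each record is canonicalized and keyed with an HMAC that also covers the previous record's MAC, so a modified field breaks that record's MAC and a deleted or reordered record breaks the chain. The key, field names, event types and sample events are assumptions made for this example.

```python
"""Added example (not SCF text): audit records with the AU-03 content fields,
UTC ISO-8601 timestamps (MON-07) and an HMAC hash chain so that unauthorized
modification or deletion can be detected (MON-08.3). Key, field names and sample
events are assumptions for the demonstration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed: in production the key lives in a KMS/HSM and is not readable by the
# hosts that write the records; a host that can compute the MAC can forge it.
AUDIT_KEY = b"demo-audit-integrity-key"
GENESIS = "0" * 64  # prev_mac of the first record in the trail

# AU-03a..f: what, when, where, source, outcome, identity.
REQUIRED_FIELDS = ("event_type", "timestamp", "where", "source", "outcome", "subject")


def _mac(rec):
    """HMAC-SHA256 over the canonical JSON of every field except the MAC itself."""
    body = {k: v for k, v in rec.items() if k != "mac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, canonical, hashlib.sha256).hexdigest()


def make_record(event_type, where, source, outcome, subject, prev_mac, when=None):
    """Build one record. The timestamp is normalized to UTC with millisecond
    granularity; naive datetimes are rejected so the offset is never ambiguous."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    rec = {
        "event_type": event_type,
        "timestamp": when.astimezone(timezone.utc).isoformat(timespec="milliseconds"),
        "where": where,
        "source": source,
        "outcome": outcome,
        "subject": subject,
        "prev_mac": prev_mac,  # links this record to its predecessor
    }
    rec["mac"] = _mac(rec)
    return rec


def verify_chain(records):
    """Return (ok, index_of_first_bad_record_or_None). Catches a record missing
    AU-03 content, a field edited after the fact (MAC mismatch), and a record
    deleted or reordered (prev_mac no longer matches the preceding MAC)."""
    expected_prev = GENESIS
    for i, rec in enumerate(records):
        if any(f not in rec for f in REQUIRED_FIELDS):
            return False, i
        if rec.get("prev_mac") != expected_prev:
            return False, i
        if not hmac.compare_digest(rec.get("mac", ""), _mac(rec)):
            return False, i
        expected_prev = rec["mac"]
    return True, None


def build_sample_trail():
    """Constructed sample events (not real data), one second apart."""
    t0 = datetime(2024, 3, 12, 14, 5, 0, tzinfo=timezone.utc)
    events = [
        ("LOGON", "host=app01", "10.0.0.5", "success", "user=alice"),
        ("PRIV_CMD", "host=app01", "10.0.0.5", "success", "user=alice cmd=sudo -i"),
        ("FILE_DELETE", "host=db01", "10.0.0.7", "failure", "user=bob obj=/var/log/auth.log"),
    ]
    trail, prev = [], GENESIS
    for n, (et, where, src, outcome, subj) in enumerate(events):
        rec = make_record(et, where, src, outcome, subj, prev, when=t0.replace(second=n))
        trail.append(rec)
        prev = rec["mac"]
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_chain(trail))
    tampered = [dict(r) for r in trail]
    tampered[1]["outcome"] = "failure"          # edit one field
    print("edited record:", verify_chain(tampered))
    print("deleted record:", verify_chain(trail[:1] + trail[2:]))
```

The chain only proves integrity relative to the key holder; it does not stop a privileged user on the logging host from rewriting the trail if that host also holds AUDIT_KEY. That is why MON-08.1 (ship records to a separate system) and MON-08.2 (restrict who can manage logging) sit next to MON-08.3 rather than being replaced by it.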

MON-08.4 MON-08.4_A01 critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified. 172A_3.1.1e[a]; 53A_R5_CM-05(04)_ODP[01]; 53A_R5_AU-09(05)_ODP[01]; 53A_R5_AU-09(05)_ODP[02]

MON-08.4 MON-08.4_A02 dual authorization is employed to execute critical or sensitive system and organizational operations. 172A_3.1.1e[b]; 53A_R5_AU-09(05); 53A_R5_CM-05(04)[01]; 53A_R5_CM-05(04)[02]

MON-09 MON-09_A01 actions to be covered by non-repudiation are defined. 53A_R5_AU-10_ODP

MON-09 MON-09_A02 irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed organization-defined actions. 53A_R5_AU-10

MON-09.1 MON-09.1_A01 the strength of binding between the identity of the information producer and the information is defined. 53A_R5_AU-10(01)_ODP

MON-09.1 MON-09.1_A02 the identity of the information producer is bound with the information to organization-defined strength of binding. 53A_R5_AU-10(01)(a)

MON-09.1 MON-09.1_A03 the means for authorized individuals to determine the identity of the producer of the information is provided. 53A_R5_AU-10(01)(b)

MON-09.1 MON-09.1_A04 the frequency at which to validate the binding of the information producer identity to the information is defined. 53A_R5_AU-10(02)_ODP[01]

MON-09.1 MON-09.1_A05 the actions to be performed in the event of a validation error are defined. 53A_R5_AU-10(02)_ODP[02]

MON-09.1 MON-09.1_A06 the binding of the information producer identity to the information is validated at organization-defined frequency. 53A_R5_AU-10(02)(a)

MON-09.1 MON-09.1_A07 organization-defined actions in the event of a validation error are performed. 53A_R5_AU-10(02)(b)

MON-10 MON-10_A01 a time period to retain audit records that is consistent with the records retention policy is defined. 171A_3.3.1[e]; 53A_R5_AU-11_ODP

MON-10 MON-10_A02 audit records are retained for the organization-defined time period to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. 171A_3.3.1[f]; 53A_R5_AU-11

MON-11 MON-11_A01 open-source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information is/are defined. 53A_R5_AU-13_ODP[01]

MON-11 MON-11_A02 the frequency with which open-source information and/or information sites are monitored for evidence of unauthorized disclosure of organizational information is defined. 53A_R5_AU-13_ODP[02]; 53A_R5_AU-13a.

MON-11 MON-11_A03 personnel or roles to be notified if an information disclosure is discovered is/are defined. 53A_R5_AU-13_ODP[03]

MON-11 MON-11_A04 additional actions to be taken if an information disclosure is discovered are defined. 53A_R5_AU-13_ODP[04]

MON-11 MON-11_A05 personnel or roles are notified if an information disclosure is discovered. 53A_R5_AU-13b.01

MON-11 MON-11_A06 additional actions are taken if an information disclosure is discovered. 53A_R5_AU-13b.02

MON-11.1 MON-11.1_A01 anomalous or suspicious behavior is defined. 172A_3.14.2e[a]

MON-11.1 MON-11.1_A02 organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior. 172A_3.14.2e[b]

MON-11.1 MON-11.1_A03 outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information. 53A_R5_SI-04(18)[01]

MON-11.1 MON-11.1_A04 interior points of the network are monitored to detect covert exfiltration of information. 53A_R5_SI-04(18)_ODP; 53A_R5_SI-04(18)[02]

MON-11.2 MON-11.2_A01 authorization or approval processes for network services are defined. 53A_R5_SI-04(22)_ODP[01]

MON-11.2 MON-11.2_A02 anomalous or suspicious behavior is defined. 172A_3.14.2e[a]

MON-11.2 MON-11.2_A03 organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior. 172A_3.14.2e[b]

MON-11.2 MON-11.2_A04 personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is/are defined. 53A_R5_SI-04(22)_ODP[02]; 53A_R5_SI-04(22)_ODP[03]

MON-11.2 MON-11.2_A05 network services that have not been authorized or approved by authorization or approval processes are detected. 53A_R5_SI-04(22)(a)

MON-11.2 MON-11.2_A06 organization-defined actions are initiated when network services that have not been authorized or approved by authorization or approval processes are detected. 53A_R5_SI-04(22)(b)

MON-11.3 MON-11.3_A01 threat indicator information and effective mitigations obtained from external organizations are used to guide and inform intrusion detection and threat hunting. 172A_3.14.6e[e]; 172A_3.14.6e_ODP[1]

MON-11.3 MON-11.3_A02 Indicators of Compromise (IOC) are defined. 172A_3.11.2e[a]; 172A_3.14.6e[a]

MON-11.3 MON-11.3_A03 sources that provide Indicators of Compromise (IOC) are defined. 53A_R5_SI-04(24)_ODP[01]; 53A_R5_SI-04(24)[01]

MON-11.3 MON-11.3_A04 Indicators of Compromise (IOC) provided by sources are collected. 53A_R5_SI-04(24)[02]

MON-11.3 MON-11.3_A05 personnel or roles to whom Indicators of Compromise (IOC) are to be distributed is/are defined. 53A_R5_SI-04(24)_ODP[02]

MON-11.3 MON-11.3_A06 Indicators of Compromise (IOC) provided by sources are distributed to personnel or roles. 53A_R5_SI-04(24)[03]

MON-11.3 MON-11.3_A07 organizational systems to search for Indicators of Compromise (IOC) are defined. 172A_3.11.2e_ODP[4]

MON-11.3 MON-11.3_A08 effective mitigations are identified. 172A_3.14.6e[b]

MON-11.3 MON-11.3_A09 intrusion detection approaches are identified. 172A_3.14.6e[c]

MON-11.3 MON-11.3_A10 threat hunting activities are identified. 172A_3.14.6e[d]

MON-11.3 MON-11.3_A11 unauthorized use of the system is identified through techniques and methods. 53A_R5_SI-04b.

MON-11.3 MON-11.3_A12 internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information. 53A_R5_SI-04c.01

MON-11.3 MON-11.3_A13 internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization. 53A_R5_SI-04c.02

Licensed by Creative Commons Attribution-NoDerivatives 137 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

MON-11.3 MON-11.3_A14 advanced automation and analytics capabilities used to predict and identify risks to organizations, systems and system components are identified. 172A_3.11.3e[a]

MON-11.3 MON-11.3_A15 analysts used to predict and identify risks to organizations, systems and system components are identified. 172A_3.11.3e[b]

MON-11.3 MON-11.3_A16 advanced automation and analytics capabilities are employed in support of analysts to predict and identify risks to organizations, systems and system components. 172A_3.11.3e[c]

MON-12 MON-12_A01 user session auditing practices are defined (e.g., record, view, hear or log). 53A_R5_AU-14_ODP[02]

MON-12 MON-12_A02 users or roles who can audit the content of a user session are defined. 53A_R5_AU-14_ODP[01]

MON-12 MON-12_A03 circumstances under which the content of a user session can be audited are defined. 53A_R5_AU-14_ODP[03]

MON-12 MON-12_A04 designated users or roles are provided with the capability to audit the content of a user session under organization-defined circumstances. 53A_R5_AU-14a.[01]

MON-12 MON-12_A05 the capability for designated users or roles to audit the content of a user session under organization-defined circumstances is implemented. 53A_R5_AU-14a.[02]

MON-12 MON-12_A06 session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards and guidelines. 53A_R5_AU-14b.[01]

MON-12 MON-12_A07 session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards and guidelines. 53A_R5_AU-14b.[02]

MON-12 MON-12_A08 session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards and guidelines. 53A_R5_AU-14b.[03]

MON-13 MON-13_A01 an alternate event logging functionality in the event of a failure in primary event logging capability is defined. 53A_R5_AU-05(05)_ODP

MON-13 MON-13_A02 an alternate event logging capability is provided in the event of a failure in primary event logging capability that implements organization-defined alternate event logging functionality. 53A_R5_AU-05(05)

MON-14 MON-14_A01 methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are defined. 53A_R5_AU-16_ODP[01]

MON-14 MON-14_A02 audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries is defined. 53A_R5_AU-16_ODP[02]

MON-14 MON-14_A03 organization-defined methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are employed. 53A_R5_AU-16

MON-14.1 MON-14.1_A01 organizations with which cross-organizational audit information is to be shared are defined. 53A_R5_AU-16(02)_ODP[01]

MON-14.1 MON-14.1_A02 cross-organizational sharing agreements to be used when providing cross-organizational audit information to organizations are defined. 53A_R5_AU-16(02)_ODP[02]

MON-14.1 MON-14.1_A03 cross-organizational audit information is provided to organization-defined organizations based on organization-defined cross-organizational sharing agreements. 53A_R5_AU-16(02)

MON-15 MON-15_A01 a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert channels (e.g., storage and/or timing). 53A_R5_SC-31a.; 53A_R5_SC-31_ODP

MON-15 MON-15_A02 the maximum bandwidth of those channels is estimated. 53A_R5_SC-31b.

MON-16 MON-16_A01 anomalous or suspicious behavior is defined. 172A_3.14.2e[a]; 53A_R5_AC-02(12)_ODP[01]

MON-16 MON-16_A02 environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined. 53A_R5_SI-04(11)_ODP; 53A_R5_IR-04(13)_ODP

MON-16 MON-16_A03 personnel or roles to report atypical usage is/are defined. 53A_R5_AC-02(12)_ODP[02]

MON-16 MON-16_A04 organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior. 172A_3.14.2e[b]; 53A_R5_AC-02(12)(a); 53A_R5_SI-04a.01

MON-16 MON-16_A05 systems are monitored to detect unauthorized local connections. 53A_R5_SI-04a.02[01]

MON-16 MON-16_A06 systems are monitored to detect unauthorized network connections. 53A_R5_SI-04a.02[02]

MON-16 MON-16_A07 systems are monitored to detect unauthorized remote connections. 53A_R5_SI-04a.02[03]

MON-16 MON-16_A08 outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies. 53A_R5_SI-04(11)[01]

MON-16 MON-16_A09 outbound communications traffic at interior points is analyzed to discover anomalies. 53A_R5_SI-04(11)[02]

MON-16 MON-16_A10 atypical usage of system accounts is reported to organization-defined personnel or roles. 53A_R5_AC-02(12)(b); 53A_R5_SI-04g.

MON-16 MON-16_A11 anomalous or suspected adversarial behavior in or related to organization-defined environments or resources is analyzed. 53A_R5_IR-04(13); 53A_R5_SI-04d.[01]; 53A_R5_SI-04d.[02]

MON-16.1 MON-16.1_A01 a legal opinion regarding insider threat monitoring is obtained. SCF Created

MON-16.1 MON-16.1_A02 monitoring activities for insider threats are defined. SCF Created

MON-16.1 MON-16.1_A03 organization-defined mechanisms are employed to monitor internal personnel activity for potential security incidents. SCF Created

MON-16.2 MON-16.2_A01 a legal opinion regarding third-party threat monitoring is obtained. SCF Created

MON-16.2 MON-16.2_A02 monitoring activities for third-party threats are defined. SCF Created

MON-16.2 MON-16.2_A03 organization-defined mechanisms are employed to monitor third-party activities for potential security incidents. SCF Created

MON-16.3 MON-16.3_A01 unauthorized activities are defined. SCF Created

MON-16.3 MON-16.3_A02 personnel or roles to be notified when unauthorized activities are detected is/are defined. SCF Created

MON-16.3 MON-16.3_A03 methods to detect unauthorized activities are identified. SCF Created

MON-16.3 MON-16.3_A04 monitoring mechanisms are configured to detect unauthorized activities. SCF Created

MON-16.3 MON-16.3_A05 personnel or roles are notified when unauthorized activities are detected. SCF Created

MON-16.4 MON-16.4_A01 an automated mechanism generates event logs for permissions changes to privileged accounts and/or groups. SCF Created

CRY-01 CRY-01_A01 cryptographic uses are identified / defined. 53A_R5_SC-08(02)_ODP; 53A_R5_SC-13_ODP[01]; 53A_R5_SC-13a.

CRY-01 CRY-01_A02 types of cryptography for each specified cryptographic use are defined. 53A_R5_SC-13_ODP[02]; 171A_3.13.8[a]

CRY-01 CRY-01_A03 types of cryptography for each specified cryptographic use are implemented. 53A_R5_SC-13b.

CRY-01 CRY-01_A04 as necessary for compliance requirements, FIPS-validated cryptography is employed to protect the confidentiality of sensitive / regulated data. 171A_3.13.11

CRY-01.1 CRY-01.1_A01 either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of sensitive / regulated data during transmission. 171A_3.13.8[c]; 53A_R5_SC-08(04)

CRY-01.1 CRY-01.1_A02 alternative physical controls to protect against unauthorized disclosure of communication patterns are defined. 53A_R5_SC-08(04)_ODP; 171A_3.13.8[b]

CRY-01 CRY-01.1_A03 security critical or essential software is defined. 172A_3.14.1e_ODP[1]

CRY-01 CRY-01.1_A04 root of trust mechanisms or cryptographic signatures are identified. 172A_3.14.1e[a]

CRY-01 CRY-01.1_A05 the integrity of security critical or essential software is verified using root of trust mechanisms or cryptographic signatures. 172A_3.14.1e[b]

CRY-01 CRY-01.1_A06 cryptographic mechanisms are implemented to detect unauthorized changes to software. 53A_R5_SI-07(06)[01]

CRY-01 CRY-01.1_A07 cryptographic mechanisms are implemented to detect unauthorized changes to firmware. 53A_R5_SI-07(06)[02]

CRY-01 CRY-01.1_A08 cryptographic mechanisms are implemented to detect unauthorized changes to information. 53A_R5_SI-07(06)[03]

CRY-01.2 CRY-01.2_A01 a legal opinion regarding exporting cryptographic technologies is obtained. SCF Created

CRY-01.2 CRY-01.2_A02 cryptographic uses are defined. 53A_R5_SC-13_ODP[01]; 53A_R5_SC-13a.

CRY-01.2 CRY-01.2_A03 types of cryptography for each specified cryptographic use are defined. 53A_R5_SC-13_ODP[02]

CRY-01.3 CRY-01.3_A01 the confidentiality of information is maintained during preparation for transmission. 53A_R5_SC-08(02)[01]; 53A_R5_SC-08(02)_ODP

CRY-01.3 CRY-01.3_A02 the integrity of information is maintained during preparation for transmission. 53A_R5_SC-08(02)[01]; 53A_R5_SC-08(02)_ODP

CRY-01.3 CRY-01.3_A03 the confidentiality of information is maintained during reception. 53A_R5_SC-08(02)[02]; 53A_R5_SC-08(02)_ODP

CRY-01.3 CRY-01.3_A04 the integrity of information is maintained during reception. 53A_R5_SC-08(02)[02]; 53A_R5_SC-08(02)_ODP

CRY-01.4 CRY-01.4_A01 technical and procedural means to confuse and mislead adversaries are defined. 172A_3.13.3e_ODP[1]

CRY-01.4 CRY-01.4_A02 technical and procedural means are employed to confuse and mislead adversaries. 172A_3.13.3e[a]

CRY-01.5 CRY-01.5_A01 an inventory of cryptographic cipher suites and protocols is maintained. SCF Created

CRY-01.5 CRY-01.5_A02 cryptographic uses are defined. 53A_R5_SC-13_ODP[01]; 53A_R5_SC-13a.

CRY-01.5 CRY-01.5_A03 types of cryptography for each specified cryptographic use are defined. 53A_R5_SC-13_ODP[02]

CRY-01.5 CRY-01.5_A04 deployed cryptographic cipher suites and protocols are periodically reviewed to identify industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols. SCF Created

CRY-01.5 CRY-01.5_A05 proactive measures are taken to respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols. SCF Created

CRY-02 CRY-02_A01 mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards and guidelines for such authentication. 53A_R5_IA-07

CRY-03 CRY-03_A01 the confidentiality of transmitted information is protected. 53A_R5_SC-08; 53A_R5_SC-08_ODP; 53A_R5_SC-08(01); 53A_R5_SC-08(01)_ODP

CRY-04 CRY-04_A01 cryptographic uses are defined. 53A_R5_SC-13_ODP[01]

CRY-04 CRY-04_A02 information requiring cryptographic protection is defined. 53A_R5_SC-28(01)_ODP[01]

CRY-04 CRY-04_A03 system components or media requiring cryptographic protection is/are defined. 53A_R5_SC-28(01)_ODP[02]

CRY-04 CRY-04_A04 types of cryptography for each specified cryptographic use are defined. 53A_R5_SC-13_ODP[02]

CRY-04 CRY-04_A05 the integrity of transmitted information is protected. 53A_R5_SC-08; 53A_R5_SC-08_ODP

CRY-04 CRY-04_A06 the integrity of transmitted security / privacy attributes is verified. 53A_R5_SC-16(01)[01]; 53A_R5_SC-16(01)[02]

CRY-04 CRY-04_A07 cryptographic mechanisms are implemented to prevent unauthorized disclosure of information at rest on system components or media. 53A_R5_SC-28(01)[01]

CRY-04 CRY-04_A08 cryptographic mechanisms are implemented to prevent unauthorized modification of information at rest on system components or media. 53A_R5_SC-28(01)[02]

CRY-05 CRY-05_A01 cryptographic uses are defined. 53A_R5_SC-13_ODP[01]; 53A_R5_SC-13a.

CRY-05 CRY-05_A02 information requiring cryptographic protection is defined. 53A_R5_SC-28(01)_ODP[01]

CRY-05 CRY-05_A03 system components or media requiring cryptographic protection is/are defined. 53A_R5_SC-28(01)_ODP[02]

CRY-05 CRY-05_A04 types of cryptography for each specified cryptographic use are defined. 53A_R5_SC-13_ODP[02]

CRY-05 CRY-05_A05 the confidentiality of sensitive / regulated data stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards. 171A_3.8.6; 53A_R5_SC-13b.

CRY-05.1 CRY-05.1_A01 storage media types are defined. SCF Created

CRY-05.1 CRY-05.1_A02 cryptographic mechanisms protect the confidentiality and integrity of the sensitive data residing on storage media. SCF Created

CRY-05.2 CRY-05.2_A01 persistent organizational storage locations are identified. 172A_3.14.5e[a]

CRY-05.2 CRY-05.2_A02 the frequency with which to conduct reviews of persistent organizational storage locations is defined. 172A_3.14.5e_ODP[1]

CRY-05.2 CRY-05.2_A03 recurring reviews of persistent organizational storage locations are conducted to identify sensitive / regulated data that is no longer needed. 172A_3.14.5e[b]

CRY-05.2 CRY-05.2_A04 information to be removed from online storage and stored offline in a secure location is defined. 53A_R5_SC-28(02)_ODP

CRY-05.2 CRY-05.2_A05 information is removed from online storage. 53A_R5_SC-28(02)[01]

CRY-05.2 CRY-05.2_A06 information is stored offline in a secure location. 53A_R5_SC-28(02)[02]

CRY-05.3 CRY-05.3_A01 secure baseline configurations require database servers to utilize cryptographic mechanisms that are appropriate to protect the confidentiality of sensitive data within its databases. SCF Created

CRY-06 CRY-06_A01 cryptographic mechanisms are utilized to protect the confidentiality and integrity of non-console administrative access. SCF Created

CRY-07 CRY-07_A01 configuration requirements are established for each type of wireless access. 53A_R5_AC-18a.[01]

CRY-07 CRY-07_A02 connection requirements are established for each type of wireless access. 53A_R5_AC-18a.[02]

CRY-07 CRY-07_A03 implementation guidance is established for each type of wireless access. 53A_R5_AC-18a.[03]

CRY-08 CRY-08_A01 requirements for key generation, distribution, storage, access and destruction are defined. 53A_R5_SC-12_ODP

CRY-08 CRY-08_A02 a certificate policy for issuing public key certificates is defined. 53A_R5_SC-17_ODP

CRY-08 CRY-08_A03 public key certificates are issued under an organization-defined certificate policy or public key certificates are obtained from an approved service provider. 53A_R5_SC-17a.

CRY-08 CRY-08_A04 only approved trust anchors are included in trust stores or certificate stores managed by the organization. 53A_R5_SC-17b.

CRY-08 CRY-08_A05 cryptographic keys are established when cryptography is employed within the system in accordance with organization-defined requirements. 53A_R5_SC-12[01]; 171A_3.13.10[a]

CRY-08 CRY-08_A06 cryptographic keys are managed when cryptography is employed within the system in accordance with organization-defined requirements. 53A_R5_SC-12[02]; 171A_3.13.10[b]

CRY-08.1 CRY-08.1_A01 resiliency mechanisms ensure the availability of data in the event of the loss of cryptographic keys when utilizing a centrally-managed cryptographic key management solution. SCF Created

CRY-09 CRY-09_A01 safeguards for protecting the storage of cryptographic keys are defined. 53A_R5_SC-28(03)_ODP[02]

CRY-09 CRY-09_A02 protected storage for cryptographic keys is provided using organization-defined criteria. 53A_R5_SC-28(03); 53A_R5_SC-28(03)_ODP[01]

CRY-09.1 CRY-09.1_A01 symmetric cryptographic keys are produced using organization-defined values for key management technology and processes. 53A_R5_SC-12(02)[01]

CRY-09.1 CRY-09.1_A02 symmetric cryptographic keys are controlled using organization-defined values for key management technology and processes. 53A_R5_SC-12(02)[02]; 53A_R5_SC-12(02)_ODP

CRY-09.1 CRY-09.1_A03 symmetric cryptographic keys are distributed using organization-defined values for key management technology and processes. 53A_R5_SC-12(02)[03]

CRY-09.2 CRY-09.2_A01 one of the following organization-defined values is selected: (1) NSA-approved key management technology and processes; (2) prepositioned keying material; (3) DoD-approved or DoD-issued Medium Assurance PKI certificates; (4) DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; or (5) certificates issued in accordance with organization-defined requirements. 53A_R5_SC-12(03)_ODP

CRY-09.2 CRY-09.2_A02 asymmetric cryptographic keys are produced using organization-defined criteria. 53A_R5_SC-12(03)[01]

CRY-09.2 CRY-09.2_A03 asymmetric cryptographic keys are controlled using organization-defined criteria. 53A_R5_SC-12(03)[02]

CRY-09.2 CRY-09.2_A04 asymmetric cryptographic keys are distributed using organization-defined criteria. 53A_R5_SC-12(03)[03]

CRY-09.3 CRY-09.3_A01 information availability is maintained in the event of the loss of cryptographic keys by users. 53A_R5_SC-12(01)

CRY-09.4 CRY-09.4_A01 a centrally-managed cryptographic key management solution facilitates the secure distribution of symmetric and asymmetric cryptographic keys. SCF Created

CRY-09.5 CRY-09.5_A01 secure baseline configurations ensure cryptographic keys are bound to individual identities. SCF Created

CRY-09.6 CRY-09.6_A01 Mechanisms exist to ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared. SCF Created

CRY-09.7 CRY-09.7_A01 exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system. 53A_R5_SA-09(06)

CRY-10 CRY-10_A01 security / privacy attributes associated with information exchanged are defined. 53A_R5_SC-16_ODP[01]; 53A_R5_SC-16_ODP[02]

CRY-10 CRY-10_A02 security / privacy attributes are associated with information exchanged between systems. 53A_R5_SC-16[01]; 53A_R5_SC-16[03]

CRY-10 CRY-10_A03 security / privacy attributes are associated with information exchanged between system components. 53A_R5_SC-16[02]; 53A_R5_SC-16[04]

CRY-10 CRY-10_A04 the integrity of transmitted security / privacy attributes is verified. 53A_R5_SC-16(01)[01]; 53A_R5_SC-16(01)[02]

CRY-11 CRY-11_A01 certificate authorities to be allowed for verification of the establishment of protected sessions are defined. 53A_R5_SC-23(05)_ODP

CRY-11 CRY-11_A02 only the use of organization-defined certificate authorities for verification of the establishment of protected sessions is allowed. 53A_R5_SC-23(05)

DCH-01 DCH-01_A01 paper media containing sensitive / regulated data is physically controlled. 171A_3.8.1[a]

DCH-01 DCH-01_A02 digital media containing sensitive / regulated data is physically controlled. 171A_3.8.1[b]

DCH-01 DCH-01_A03 paper media containing sensitive / regulated data is securely stored. 171A_3.8.1[c]

DCH-01 DCH-01_A04 digital media containing sensitive / regulated data is securely stored. 171A_3.8.1[d]

DCH-01.1 DCH-01.1_A01 organizational data ownership requirements are defined. SCF Created

DCH-01.1 DCH-01.1_A02 data ownership is formally assigned to an individual through defined roles and responsibilities. SCF Created

DCH-01.2 DCH-01.2_A01 sensitive/regulated data inventories exist. SCF Created

DCH-01.2 DCH-01.2_A02 protection mechanisms are defined for each type of sensitive/regulated data. SCF Created

DCH-01.2 DCH-01.2_A03 organization-defined mechanisms protect sensitive/regulated data wherever it is stored. SCF Created

DCH-01.3 DCH-01.3_A01 data stewards document the potential impact in the event of a data loss incident. SCF Created

DCH-02 DCH-02_A01 a data classification scheme is defined that covers reasonable data types to address the organization's operational needs. SCF Created

DCH-02 DCH-02_A02 data and assets are categorized in accordance with the data classification scheme that addresses applicable statutory, regulatory and contractual requirements. SCF Created

DCH-02.1 DCH-02.1_A01 data stewards formally categorize systems, applications and services in a System Cybersecurity & Privacy Plan (SSPP) or similar documentation, according to the highest level of data sensitivity that is stored, transmitted and/or processed. SCF Created

DCH-02.1 DCH-02.1_A02 a validation process exists to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed. SCF Created

DCH-03 DCH-03_A01 types of digital media to which access is restricted are defined. 53A_R5_MP-02_ODP[01]

DCH-03 DCH-03_A02 personnel or roles authorized to access digital media is/are defined. 53A_R5_MP-02_ODP[02]

DCH-03 DCH-03_A03 types of non-digital media to which access is restricted are defined. 53A_R5_MP-02_ODP[03]

DCH-03 DCH-03_A04 personnel or roles authorized to access non-digital media is/are defined. 53A_R5_MP-02_ODP[04]

DCH-03 DCH-03_A05 access to types of digital media is restricted to personnel or roles. 53A_R5_MP-02[01]; 171A_3.8.2

DCH-03 DCH-03_A06 access to types of non-digital media is restricted to personnel or roles. 53A_R5_MP-02[02]; 171A_3.8.2

DCH-03.1 DCH-03.1_A01 a documented data classification scheme exists that covers data protection controls associated with sharing information with third-parties. SCF Created

DCH-03.1 DCH-03.1_A02 data stewards establish formalized business process-specific procedures to limit the disclosure of data to authorized parties. SCF Created

DCH-03.2 DCH-03.2_A01 automated mechanisms apply data masking to sensitive information that is displayed or printed, where technically feasible. SCF Created

DCH-03.3 DCH-03.3_A01 the external system or system component to which to release information is/are defined. 53A_R5_AC-03(09)_ODP[01]

DCH-03.3 DCH-03.3_A02 controls to be provided by the external system or system component are defined. 53A_R5_AC-03(09)_ODP[02]

DCH-03.3 DCH-03.3_A03 controls used to validate appropriateness of information to be released are defined. 53A_R5_AC-03(09)_ODP[03]

DCH-03.3 DCH-03.3_A04 information is released outside of the system only if the receiving system or system component provides organization-defined controls. 53A_R5_AC-03(09)(a)

DCH-03.3 DCH-03.3_A05 information is released outside of the system only if organization-defined controls are used to validate the appropriateness of the information designated for release. 53A_R5_AC-03(09)(b)

DCH-04 DCH-04_A01 media is marked with applicable sensitive / regulated data markings. 171A_3.8.4[a]

DCH-04 DCH-04_A02 media is marked to indicate distribution limitations, handling caveats and applicable security markings (if any) of the information. 171A_3.8.4[b]; 53A_R5_MP-03a.

DCH-04 DCH-04_A03 types of media exempt from marking when remaining in controlled areas are defined. 53A_R5_MP-03_ODP[01]

DCH-04 DCH-04_A04 controlled areas where media is exempt from marking are defined. 53A_R5_MP-03_ODP[02]

DCH-04 DCH-04_A05 types of media exempted from marking remain within controlled areas. 53A_R5_MP-03b.

DCH-04.1 DCH-04.1_A01 automated mechanisms mark media and system output to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to enable the use of Data Loss Prevention (DLP) and similar automated data protection technologies. SCF Created

DCH-05 DCH-05_A01 types of security attributes associated with cybersecurity attribute values for information in storage, in process, and/or in transmission are defined. 53A_R5_AC-16_ODP[01]; 53A_R5_AC-16_ODP[03]; 53A_R5_AC-16_ODP[05]; 53A_R5_AC-16_ODP[07]; 53A_R5_AC-16_ODP[09]; 53A_R5_AC-16c.[01]; 53A_R5_AC-16d.

DCH-05 DCH-05_A02 types of privacy attributes associated with privacy attribute values for information in storage, in process, and/or in transmission are defined. 53A_R5_AC-16_ODP[02]; 53A_R5_AC-16_ODP[04]; 53A_R5_AC-16_ODP[06]; 53A_R5_AC-16_ODP[08]; 53A_R5_AC-16_ODP[09]; 53A_R5_AC-16c.[02]; 53A_R5_AC-16d.

DCH-05 DCH-05_A03 the frequency at which to review security and/or privacy attributes for applicability is defined. 53A_R5_AC-16_ODP[10]; 53A_R5_AC-16_ODP[11]

DCH-05 DCH-05_A04 the means to associate organization-defined types of security attributes with organization-defined security attribute values for information in storage, in process, and/or in transmission are provided. 53A_R5_AC-16a.[01]

DCH-05 DCH-05_A05 the means to associate organization-defined types of privacy attributes with organization-defined privacy attribute values for information in storage, in process, and/or in transmission are provided. 53A_R5_AC-16a.[02]

DCH-05 DCH-05_A06 attribute associations are made. 53A_R5_AC-16b.[01]

DCH-05 DCH-05_A07 attribute associations are retained with the information. 53A_R5_AC-16b.[02]

DCH-05 DCH-05_A08 changes to attributes are audited. 53A_R5_AC-16e.

DCH-05 DCH-05_A09 attributes are reviewed according to an organization-defined frequency. 53A_R5_AC-16f.[01]; 53A_R5_AC-16f.[02]

DCH-05.1 DCH-05.1_A01 subjects with which security attributes are to be dynamically associated as information is created and combined are defined. 53A_R5_AC-16(01)_ODP[01]

DCH-05.1 DCH-05.1_A02 objects with which security attributes are to be dynamically associated as information is created and combined are defined. 53A_R5_AC-16(01)_ODP[02]

DCH-05.1 DCH-05.1_A03 subjects with which privacy attributes are to be dynamically associated as information is created and combined are defined. 53A_R5_AC-16(01)_ODP[03]

DCH-05.1 DCH-05.1_A04 objects with which privacy attributes are to be dynamically associated as information is created and combined are defined. 53A_R5_AC-16(01)_ODP[04]

DCH-05.1 DCH-05.1_A05 security policies requiring dynamic association of security attributes with subjects and objects are defined. 53A_R5_AC-16(01)_ODP[05]

DCH-05.1 DCH-05.1_A06 privacy policies requiring dynamic association of privacy attributes with subjects and objects are defined. 53A_R5_AC-16(01)_ODP[06]

DCH-05.1 DCH-05.1_A07 security attributes are dynamically associated with organization-defined subjects as information is created or combined. 53A_R5_AC-16(01)[01]

DCH-05.1 DCH-05.1_A08 security attributes are dynamically associated with organization-defined objects as information is created or combined. 53A_R5_AC-16(01)[02]

DCH-05.1 DCH-05.1_A09 privacy attributes are dynamically associated with organization-defined subjects as information is created or combined. 53A_R5_AC-16(01)[03]

DCH-05.1 DCH-05.1_A10 privacy attributes are dynamically associated with organization-defined objects as information is created or combined. 53A_R5_AC-16(01)[04]

DCH-05.2 DCH-05.2_A01 authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes. 53A_R5_AC-16(02)[01]

DCH-05.2 DCH-05.2_A02 authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes. 53A_R5_AC-16(02)[02]

DCH-05.3 DCH-05.3_A01 security attributes that require association and integrity maintenance are defined. 53A_R5_AC-16(03)_ODP[01]

DCH-05.3 DCH-05.3_A02 privacy attributes that require association and integrity maintenance are defined. 53A_R5_AC-16(03)_ODP[02]

DCH-05.3 DCH-05.3_A03 subjects requiring the association and integrity of security attributes to such subjects to be maintained are defined. 53A_R5_AC-16(03)_ODP[03]

DCH-05.3 DCH-05.3_A04 objects requiring the association and integrity of security attributes to such objects to be maintained are defined. 53A_R5_AC-16(03)_ODP[04]

DCH-05.3 DCH-05.3_A05 subjects requiring the association and integrity of privacy attributes to such subjects to be maintained are defined. 53A_R5_AC-16(03)_ODP[05]

DCH-05.3 DCH-05.3_A06 objects requiring the association and integrity of privacy attributes to such objects to be maintained are defined. 53A_R5_AC-16(03)_ODP[06]

DCH-05.3 DCH-05.3_A07 the association and integrity of organization-defined security attributes to organization-defined subjects is maintained. 53A_R5_AC-16(03)[01]

DCH-05.3 DCH-05.3_A08 the association and integrity of organization-defined security attributes to organization-defined objects is maintained. 53A_R5_AC-16(03)[02]

DCH-05.3 DCH-05.3_A09 the association and integrity of organization-defined privacy attributes to organization-defined subjects is maintained. 53A_R5_AC-16(03)[03]

DCH-05.3 DCH-05.3_A10 the association and integrity of organization-defined privacy attributes to organization-defined objects is maintained. 53A_R5_AC-16(03)[04]

DCH-05.4 DCH-05.4_A01 security attributes associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined. 53A_R5_AC-16(04)_ODP[01]

DCH-05.4 DCH-05.4_A02 security attributes associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined. 53A_R5_AC-16(04)_ODP[02]

DCH-05.4 DCH-05.4_A03 privacy attributes associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined. 53A_R5_AC-16(04)_ODP[03]

DCH-05.4 DCH-05.4_A04 privacy attributes associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined. 53A_R5_AC-16(04)_ODP[04]

DCH-05.4 DCH-05.4_A05 subjects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined. 53A_R5_AC-16(04)_ODP[05]

DCH-05.4 DCH-05.4_A06 subjects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined. 53A_R5_AC-16(04)_ODP[07]

DCH-05.4 DCH-05.4_A07 objects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined. 53A_R5_AC-16(04)_ODP[06]

DCH-05.4 DCH-05.4_A08 objects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined. 53A_R5_AC-16(04)_ODP[08]

DCH-05.4 DCH-05.4_A09 authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate organization-defined security attributes with organization-defined subjects. 53A_R5_AC-16(04)[01]

DCH-05.4 DCH-05.4_A10 authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate organization-defined security attributes with organization-defined objects. 53A_R5_AC-16(04)[02]

DCH-05.4 DCH-05.4_A11 authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate organization-defined privacy attributes with organization-defined subjects. 53A_R5_AC-16(04)[03]

DCH-05.4 DCH-05.4_A12 authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate organization-defined privacy attributes with organization-defined objects. 53A_R5_AC-16(04)[04]

DCH-05.5 DCH-05.5_A01 special dissemination, handling or distribution instructions to be used for each object that the system transmits to output devices are defined. 53A_R5_AC-16(05)_ODP[01]

DCH-05.5 DCH-05.5_A02 human-readable, standard naming conventions for the cybersecurity & privacy attributes to be displayed in human-readable form on each object that the system transmits to output devices are defined. 53A_R5_AC-16(05)_ODP[02]

DCH-05.5 DCH-05.5_A03 security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify organization-defined instructions using organization-defined naming conventions. 53A_R5_AC-16(05)[01]

DCH-05.5 DCH-05.5_A04 privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify organization-defined instructions using organization-defined naming conventions. 53A_R5_AC-16(05)[02]

DCH-05.6 DCH-05.6_A01 security attributes associated with subjects are defined. 53A_R5_AC-16(06)_ODP[01]

DCH-05.6 DCH-05.6_A02 security attributes associated with objects are defined. 53A_R5_AC-16(06)_ODP[02]

DCH-05.6 DCH-05.6_A03 privacy attributes associated with subjects are defined. 53A_R5_AC-16(06)_ODP[03]

DCH-05.6 DCH-05.6_A04 privacy attributes associated with objects are defined. 53A_R5_AC-16(06)_ODP[04]

DCH-05.6 DCH-05.6_A05 subjects to be associated with cybersecurity attributes are defined. 53A_R5_AC-16(06)_ODP[05]

DCH-05.6 DCH-05.6_A06 objects to be associated with cybersecurity attributes are defined. 53A_R5_AC-16(06)_ODP[06]

DCH-05.6 DCH-05.6_A07 subjects to be associated with privacy attributes are defined. 53A_R5_AC-16(06)_ODP[07]

DCH-05.6 DCH-05.6_A08 objects to be associated with privacy attributes are defined. 53A_R5_AC-16(06)_ODP[08]

DCH-05.6 DCH-05.6_A09 security policies that require personnel to associate and maintain the association of cybersecurity & privacy attributes with subjects and objects are defined. 53A_R5_AC-16(06)_ODP[09]

DCH-05.6 DCH-05.6_A10 privacy policies that require personnel to associate and maintain the association of cybersecurity & privacy attributes with subjects and objects are defined. 53A_R5_AC-16(06)_ODP[10]

Licensed by Creative Commons Attribution-NoDerivatives 143 of 280



DCH-05.6 DCH-05.6_A11 personnel are required to associate and maintain the association of organization-defined security attributes with organization-defined subjects in accordance with organization-defined security policies. 53A_R5_AC-16(06)[01]

DCH-05.6 DCH-05.6_A12 personnel are required to associate and maintain the association of organization-defined security attributes with organization-defined objects in accordance with organization-defined security policies. 53A_R5_AC-16(06)[02]

DCH-05.6 DCH-05.6_A13 personnel are required to associate and maintain the association of organization-defined privacy attributes with organization-defined subjects in accordance with organization-defined privacy policies. 53A_R5_AC-16(06)[03]

DCH-05.6 DCH-05.6_A14 personnel are required to associate and maintain the association of organization-defined privacy attributes with organization-defined objects in accordance with organization-defined privacy policies. 53A_R5_AC-16(06)[04]

DCH-05.7 DCH-05.7_A01 a consistent interpretation of security attributes transmitted between distributed system components is provided. 53A_R5_AC-16(07)[01]

DCH-05.7 DCH-05.7_A02 a consistent interpretation of privacy attributes transmitted between distributed system components is provided. 53A_R5_AC-16(07)[02]

DCH-05.8 DCH-05.8_A01 techniques and technologies to be implemented in associating security attributes to information are defined. 53A_R5_AC-16(08)_ODP[01]

DCH-05.8 DCH-05.8_A02 techniques and technologies to be implemented in associating privacy attributes to information are defined. 53A_R5_AC-16(08)_ODP[02]

DCH-05.8 DCH-05.8_A03 organization-defined techniques and technologies are implemented in associating security attributes to information. 53A_R5_AC-16(08)[01]

DCH-05.8 DCH-05.8_A04 organization-defined techniques and technologies are implemented in associating privacy attributes to information. 53A_R5_AC-16(08)[02]

DCH-05.9 DCH-05.9_A01 techniques or procedures used to validate regrading mechanisms for security attributes are defined. 53A_R5_AC-16(09)_ODP[01]

DCH-05.9 DCH-05.9_A02 techniques or procedures used to validate regrading mechanisms for privacy attributes are defined. 53A_R5_AC-16(09)_ODP[02]

DCH-05.9 DCH-05.9_A03 security attributes associated with information are changed only via regrading mechanisms validated using organization-defined techniques or procedures. 53A_R5_AC-16(09)[01]

DCH-05.9 DCH-05.9_A04 privacy attributes associated with information are changed only via regrading mechanisms validated using organization-defined techniques or procedures. 53A_R5_AC-16(09)[02]

DCH-05.10 DCH-05.10_A01 authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects. 53A_R5_AC-16(10)[01]

DCH-05.10 DCH-05.10_A02 authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects. 53A_R5_AC-16(10)[02]

DCH-05.11 DCH-05.11_A01 documented procedures exist to perform reviews of changes to cybersecurity & privacy attributes. SCF Created

DCH-05.11 DCH-05.11_A02 actions taken to respond to unauthorized changes are per the organization's Incident Response Plan (IRP) or similar documented procedures. SCF Created

DCH-06 DCH-06_A01 types of digital media to be securely stored are defined. 53A_R5_MP-04_ODP[03]

DCH-06 DCH-06_A02 types of non-digital media to be securely stored are defined. 53A_R5_MP-04_ODP[04]

DCH-06 DCH-06_A03 controlled areas within which to securely store digital media are defined. 53A_R5_MP-04_ODP[05]

DCH-06 DCH-06_A04 controlled areas within which to securely store non-digital media are defined. 53A_R5_MP-04_ODP[06]

DCH-06 DCH-06_A05 types of digital media are securely stored within controlled areas. 53A_R5_MP-04a.[03]

DCH-06 DCH-06_A06 types of non-digital media are securely stored within controlled areas. 53A_R5_MP-04a.[04]

DCH-06 DCH-06_A07 system media types are protected until the media are destroyed or sanitized using approved equipment, techniques and procedures. 53A_R5_MP-04b.

DCH-06.1 DCH-06.1_A01 types of digital media to be physically controlled are defined. 53A_R5_MP-04_ODP[01]

DCH-06.1 DCH-06.1_A02 types of non-digital media to be physically controlled are defined. 53A_R5_MP-04_ODP[02]

DCH-06.1 DCH-06.1_A03 types of digital media are physically controlled. 53A_R5_MP-04a.[01]

DCH-06.1 DCH-06.1_A04 types of non-digital media are physically controlled. 53A_R5_MP-04a.[02]

DCH-06.1 DCH-06.1_A05 system media types are protected until the media are destroyed or sanitized using approved equipment, techniques and procedures. 53A_R5_MP-04b.

DCH-06.2 DCH-06.2_A01 an inventory is maintained for all sensitive/regulated data. SCF Created

DCH-06.2 DCH-06.2_A02 recurring inventories keep sensitive/regulated data inventories current and accurate. SCF Created

DCH-06.3 DCH-06.3_A01 periodic scans of unstructured data sources are used to identify sensitive/regulated data or data requiring special protection measures per statutory, regulatory or contractual obligations. SCF Created

DCH-06.3 DCH-06.3_A02 actions taken to respond to the discovery of unauthorized sensitive/regulated data repositories are per the organization's Incident Response Plan (IRP) or similar documented procedures. SCF Created

DCH-06.4 DCH-06.4_A01 the organization only uses current and supported technologies that are capable of implementing secure configurations. SCF Created

DCH-06.4 DCH-06.4_A02 secure baseline configurations ensure sensitive/regulated data is rendered human unreadable anywhere that data is stored. SCF Created


DCH-06.5 DCH-06.5_A01 the storage of sensitive authentication data after authorization is prohibited. SCF Created

DCH-06.5 DCH-06.5_A02 secure baseline configurations ensure authentication data is not stored after authorization. SCF Created

DCH-07 DCH-07_A01 access to media containing sensitive / regulated data is controlled. 171A_3.8.5[a]

DCH-07 DCH-07_A02 accountability for media containing sensitive / regulated data is maintained during transport outside of controlled areas. 171A_3.8.5[b]

DCH-07 DCH-07_A03 types of system media to protect and control during transport outside of controlled areas are defined. 53A_R5_MP-05_ODP[01]

DCH-07 DCH-07_A04 controls used to protect system media outside of controlled areas are defined. 53A_R5_MP-05_ODP[02]

DCH-07 DCH-07_A05 controls used to control system media outside of controlled areas are defined. 53A_R5_MP-05_ODP[03]

DCH-07 DCH-07_A06 types of system media are protected during transport outside of controlled areas using controls. 53A_R5_MP-05a.[01]

DCH-07 DCH-07_A07 types of system media are controlled during transport outside of controlled areas using controls. 53A_R5_MP-05a.[02]

DCH-07 DCH-07_A08 accountability for system media is maintained during transport outside of controlled areas. 53A_R5_MP-05b.

DCH-07 DCH-07_A09 activities associated with the transport of system media are documented. 53A_R5_MP-05c.

DCH-07 DCH-07_A10 personnel authorized to conduct media transport activities is/are identified. 53A_R5_MP-05d.[01]

DCH-07 DCH-07_A11 activities associated with the transport of system media are restricted to identified authorized personnel. 53A_R5_MP-05d.[02]

DCH-07.1 DCH-07.1_A01 a custodian to transport system media outside of controlled areas is identified. 53A_R5_MP-05(03)[01]

DCH-07.1 DCH-07.1_A02 the identified custodian is employed during the transport of system media outside of controlled areas. 53A_R5_MP-05(03)[02]

DCH-07.2 DCH-07.2_A01 information requiring cryptographic protection is defined. 53A_R5_SC-28(01)_ODP[01]

DCH-07.2 DCH-07.2_A02 system components or media requiring cryptographic protection is/are defined. 53A_R5_SC-28(01)_ODP[02]

DCH-07.2 DCH-07.2_A03 cryptographic mechanisms are implemented to prevent unauthorized disclosure and/or modification of information at rest on organization-defined system components or media. 53A_R5_SC-28(01)[01] 53A_R5_SC-28(01)[02]

DCH-08 DCH-08_A01 system media to be sanitized prior to disposal is defined. 53A_R5_MP-06_ODP[01]

DCH-08 DCH-08_A02 system media to be sanitized prior to release from organizational control is defined. 53A_R5_MP-06_ODP[02]

DCH-08 DCH-08_A03 system media to be sanitized prior to release for reuse is defined. 53A_R5_MP-06_ODP[03]

DCH-08 DCH-08_A04 sanitization techniques and procedures to be used for sanitization prior to disposal are defined. 53A_R5_MP-06_ODP[04]

DCH-08 DCH-08_A05 sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined. 53A_R5_MP-06_ODP[05]

DCH-08 DCH-08_A06 sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined. 53A_R5_MP-06_ODP[06]

DCH-08 DCH-08_A07 system media is sanitized using sanitization techniques and procedures prior to disposal. 53A_R5_MP-06a.[01]

DCH-08 DCH-08_A08 system media is sanitized using sanitization techniques and procedures prior to release from organizational control. 53A_R5_MP-06a.[02]

DCH-08 DCH-08_A09 system media is sanitized using sanitization techniques and procedures prior to release for reuse. 53A_R5_MP-06a.[03]

DCH-08 DCH-08_A10 sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed. 53A_R5_MP-06b.

DCH-09 DCH-09_A01 system media to be sanitized prior to disposal is defined. 53A_R5_MP-06_ODP[01]

DCH-09 DCH-09_A02 system media to be sanitized prior to release from organizational control is defined. 53A_R5_MP-06_ODP[02]

DCH-09 DCH-09_A03 system media to be sanitized prior to release for reuse is defined. 53A_R5_MP-06_ODP[03]

DCH-09 DCH-09_A04 sanitization techniques and procedures to be used for sanitization prior to disposal are defined. 53A_R5_MP-06_ODP[04]

DCH-09 DCH-09_A05 sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined. 53A_R5_MP-06_ODP[05]

DCH-09 DCH-09_A06 sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined. 53A_R5_MP-06_ODP[06]

DCH-09 DCH-09_A07 system media is sanitized using sanitization techniques and procedures prior to disposal. 53A_R5_MP-06a.[01]

DCH-09 DCH-09_A08 system media is sanitized using sanitization techniques and procedures prior to release from organizational control. 53A_R5_MP-06a.[02] 171A_3.7.3


DCH-09 DCH-09_A09 system media is sanitized using sanitization techniques and procedures prior to release for reuse. 53A_R5_MP-06a.[03]

DCH-09 DCH-09_A10 sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed. 53A_R5_MP-06b.

DCH-09 DCH-09_A11 circumstances requiring sanitization of portable storage devices are defined. 53A_R5_MP-06(03)_ODP

DCH-09 DCH-09_A12 non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under organization-defined circumstances. 53A_R5_MP-06(03)

DCH-09 DCH-09_A13 system media containing sensitive / regulated data is sanitized or destroyed before disposal. 171A_3.8.3[a]

DCH-09 DCH-09_A14 system media containing sensitive / regulated data is sanitized before it is released for reuse. 171A_3.8.3[b]

DCH-09.1 DCH-09.1_A01 media sanitization and disposal actions are reviewed. 53A_R5_MP-06(01)[01]

DCH-09.1 DCH-09.1_A02 media sanitization and disposal actions are approved. 53A_R5_MP-06(01)[02]

DCH-09.1 DCH-09.1_A03 media sanitization and disposal actions are tracked. 53A_R5_MP-06(01)[03]

DCH-09.1 DCH-09.1_A04 media sanitization and disposal actions are documented. 53A_R5_MP-06(01)[04]

DCH-09.1 DCH-09.1_A05 media sanitization and disposal actions are verified. 53A_R5_MP-06(01)[05]

DCH-09.2 DCH-09.2_A01 frequency with which to test sanitization equipment is defined. 53A_R5_MP-06(02)_ODP[01]

DCH-09.2 DCH-09.2_A02 frequency with which to test sanitization procedures is defined. 53A_R5_MP-06(02)_ODP[02]

DCH-09.2 DCH-09.2_A03 sanitization equipment is tested at the defined frequency to ensure that the intended sanitization is achieved. 53A_R5_MP-06(02)[01]

DCH-09.2 DCH-09.2_A04 sanitization procedures are tested at the defined frequency to ensure that the intended sanitization is achieved. 53A_R5_MP-06(02)[02]

DCH-09.3 DCH-09.3_A01 system media to be sanitized prior to disposal is defined. 53A_R5_MP-06_ODP[01]

DCH-09.3 DCH-09.3_A02 types of personal data to be sanitized prior to disposal are defined. SCF Created

DCH-09.3 DCH-09.3_A03 sanitization techniques and procedures to be used for sanitization of Personal Data are defined. SCF Created

DCH-09.3 DCH-09.3_A04 sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed for the sanitization of Personal Data. SCF Created

DCH-09.3 DCH-09.3_A05 circumstances requiring sanitization of portable storage devices are defined. 53A_R5_MP-06(03)_ODP

DCH-09.3 DCH-09.3_A06 non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under organization-defined circumstances. 53A_R5_MP-06(03)

DCH-09.4 DCH-09.4_A01 circumstances requiring sanitization of portable storage devices are defined. 53A_R5_MP-06(03)_ODP

DCH-09.4 DCH-09.4_A02 non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under organization-defined circumstances. 53A_R5_MP-06(03)

DCH-09.5 DCH-09.5_A01 system media to be sanitized using dual authorization is defined. 53A_R5_MP-06(07)_ODP

DCH-09.5 DCH-09.5_A02 dual authorization for sanitization of system media is enforced. 53A_R5_MP-06(07)

DCH-10 DCH-10_A01 the use of removable media on system components is controlled. 171A_3.8.7 53A_R5_MP-07_ODP[02]

DCH-10 DCH-10_A02 types of system media to be restricted or prohibited from use on systems or system components are defined. 53A_R5_MP-07_ODP[01]

DCH-10 DCH-10_A03 systems or system components on which the use of specific types of system media to be restricted or prohibited are defined. 53A_R5_MP-07_ODP[03]

DCH-10 DCH-10_A04 controls to restrict or prohibit the use of specific types of system media on systems or system components are defined. 53A_R5_MP-07_ODP[04] 53A_R5_MP-07_ODP[02]

DCH-10 DCH-10_A05 the use of organization-defined types of system media is restricted or prohibited on organization-defined systems or system components using organization-defined controls. 53A_R5_MP-07a.

DCH-10 DCH-10_A06 the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner. 53A_R5_MP-07b.

DCH-10.1 DCH-10.1_A01 the use of sensitive/regulated data is restricted to approved business practices. SCF Created

DCH-10.1 DCH-10.1_A02 the distribution of sensitive/regulated data is restricted to authorized personnel. SCF Created

DCH-10.2 DCH-10.2_A01 the use of portable storage devices is prohibited when such devices have no identifiable owner. 171A_3.8.8

DCH-11 DCH-11_A01 a system media downgrading process is defined. 53A_R5_MP-08_ODP[01]

DCH-11 DCH-11_A02 system media requiring downgrading is defined. 53A_R5_MP-08_ODP[02]


DCH-11 DCH-11_A03 a system media downgrading process is established. 53A_R5_MP-08a.[01]

DCH-11 DCH-11_A04 the system media downgrading process includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information. 53A_R5_MP-08a.[02]

DCH-11 DCH-11_A05 there is verification that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed. 53A_R5_MP-08b.[01]

DCH-11 DCH-11_A06 there is verification that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information. 53A_R5_MP-08b.[02]

DCH-11 DCH-11_A07 system media requiring downgrading is identified. 53A_R5_MP-08c.

DCH-11 DCH-11_A08 the identified system media is downgraded using the system media downgrading process. 53A_R5_MP-08d.

DCH-11 DCH-11_A09 system media containing sensitive and/or regulated information is identified. 53A_R5_MP-08(03)[01]

DCH-11 DCH-11_A10 system media containing sensitive and/or regulated information is downgraded prior to public release. 53A_R5_MP-08(03)[02]

DCH-12 DCH-12_A01 removable media restrictions are in accordance with data handling and acceptable usage requirements. SCF Created

DCH-13 DCH-13_A01 connections to external systems are identified. 171A_3.1.20[a]

DCH-13 DCH-13_A02 the use of external systems is identified. 171A_3.1.20[b]

DCH-13 DCH-13_A03 connections to external systems are verified. 171A_3.1.20[c]

DCH-13 DCH-13_A04 the use of external systems is verified. 171A_3.1.20[d]

DCH-13 DCH-13_A05 connections to external systems are controlled/limited. 171A_3.1.20[e]

DCH-13 DCH-13_A06 the use of external systems is controlled/limited. 171A_3.1.20[f]

DCH-13 DCH-13_A07 terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined. 53A_R5_AC-20_ODP[01] 53A_R5_AC-20_ODP[02]

DCH-13 DCH-13_A08 controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined. 53A_R5_AC-20_ODP[03]

DCH-13 DCH-13_A09 types of external systems prohibited from use are defined. 53A_R5_AC-20_ODP[04]

DCH-13 DCH-13_A10 organization-defined criteria, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, are established to allow authorized individuals to access the system from external systems (if applicable). 53A_R5_AC-20a.01

DCH-13 DCH-13_A11 organization-defined criteria, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, are established to allow authorized individuals to process, store or transmit organization-controlled information using external systems (if applicable). 53A_R5_AC-20a.02

DCH-13 DCH-13_A12 the use of organization-defined prohibited types of external systems is prohibited (if applicable). 53A_R5_AC-20b.

DCH-13.1 DCH-13.1_A01 authorized individuals are permitted to use an external system to access the system or to process, store or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s cybersecurity & privacy policies and cybersecurity & privacy plans (if applicable). 53A_R5_AC-20(01)(a)

DCH-13.1 DCH-13.1_A02 authorized individuals are permitted to use an external system to access the system or to process, store or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable). 53A_R5_AC-20(01)(b)

DCH-13.2 DCH-13.2_A01 the use of portable storage devices containing sensitive / regulated data on external systems is identified and documented. 171A_3.1.21[a]

DCH-13.2 DCH-13.2_A02 limits on the use of portable storage devices containing sensitive / regulated data on external systems are defined. 171A_3.1.21[b]

DCH-13.2 DCH-13.2_A03 the use of portable storage devices containing sensitive / regulated data on external systems is limited as defined. 171A_3.1.21[c]

DCH-13.2 DCH-13.2_A04 restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined. 53A_R5_AC-20(02)_ODP

DCH-13.2 DCH-13.2_A05 the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using organization-defined restrictions. 53A_R5_AC-20(02)

DCH-13.3 DCH-13.3_A02 the frequency at which to review and update the procedures is defined. 53A_R5_PM-17_ODP[02]

DCH-13.3 DCH-13.3_A03 organizational controls ensure that requirements for the protection of sensitive and/or regulated information that is processed, stored or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations and standards. 53A_R5_PM-17a.[01]

DCH-13.3 DCH-13.3_A04 procedures are established to ensure that requirements for the protection of sensitive and/or regulated information that is processed, stored or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations and standards. 53A_R5_PM-17a.[02]

DCH-13.3 DCH-13.3_A06 procedures are reviewed and updated at the defined frequency. 53A_R5_PM-17b.[02]

DCH-13.4 DCH-13.4_A01 information resources that are owned, provisioned or issued by the organization are identified. 172A_3.1.2e[a]

DCH-13.4 DCH-13.4_A02 access to systems and system components is restricted to only those information resources that are owned, provisioned or issued by the organization. 172A_3.1.2e[b]

DCH-13.4 DCH-13.4_A03 restrictions on the use of non-organizationally owned systems or system components to process, store or transmit organizational information are defined. 53A_R5_AC-20(03)_ODP

DCH-13.4 DCH-13.4_A04 the use of non-organizationally owned systems or system components to process, store or transmit organizational information is restricted using organization-defined restrictions. 53A_R5_AC-20(03)


DCH-14 DCH-14_A01 information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined. 53A_R5_AC-21_ODP[01]

DCH-14 DCH-14_A02 automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined. 53A_R5_AC-21_ODP[02] 53A_R5_AC-21b.

DCH-14 DCH-14_A03 authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for organization-defined information-sharing circumstances. 53A_R5_AC-21a.

DCH-14.1 DCH-14.1_A01 information-sharing restrictions to be enforced by information search and retrieval services are defined. 53A_R5_AC-21(02)_ODP

DCH-14.1 DCH-14.1_A02 information search and retrieval services that enforce organization-defined information-sharing restrictions are implemented. 53A_R5_AC-21(02)

DCH-14.2 DCH-14.2_A01 individuals or systems transferring data between interconnecting systems have the requisite authorizations (e.g., write permissions or privileges) prior to accepting such data. 53A_R5_CA-03(06)

DCH-14.3 DCH-14.3_A01 a data-specific Access Control List (ACL) or Data Information Sharing Agreement (DISA) is documented to determine the personnel with whom sensitive/regulated data is shared. SCF Created

DCH-15 DCH-15_A01 individuals authorized to post or process information on publicly accessible systems are identified. 171A_3.1.22[a] 53A_R5_AC-22a.

DCH-15 DCH-15_A02 procedures to ensure sensitive / regulated data is not posted or processed on publicly accessible systems are identified. 171A_3.1.22[b]

DCH-15 DCH-15_A03 the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included. 171A_3.1.22[c] 53A_R5_AC-22c.

DCH-15 DCH-15_A04 content on publicly accessible systems is reviewed to ensure that it does not include sensitive / regulated data. 171A_3.1.22[d]

DCH-15 DCH-15_A05 mechanisms are in place to remove and address improper posting of sensitive / regulated data. 171A_3.1.22[e]

DCH-15 DCH-15_A06 the frequency at which to review the content on the publicly accessible system for non-public information is defined. 53A_R5_AC-22_ODP

DCH-15 DCH-15_A07 authorized individuals are trained to ensure that publicly accessible information does not contain non-public information. 53A_R5_AC-22b.

DCH-16 DCH-16_A01 data mining prevention and detection techniques are defined. 53A_R5_AC-23_ODP[01]

DCH-16 DCH-16_A02 data storage objects to be protected against unauthorized data mining are defined. 53A_R5_AC-23_ODP[02]

DCH-16 DCH-16_A03 mechanisms are employed for organization-defined data storage objects to detect and protect against unauthorized data mining. 53A_R5_AC-23

DCH-17 DCH-17_A01 ad-hoc exchanges of large digital files with internal or external parties are secured according to organization-defined protection criteria. SCF Created

DCH-18 DCH-18_A01 the frequency with which to conduct reviews of persistent organizational storage locations is defined. 172A_3.14.5e_ODP[1]

DCH-18 DCH-18_A02 persistent organizational storage locations are identified. 172A_3.14.5e[a]

DCH-18 DCH-18_A03 reviews of persistent organizational storage locations are conducted per an organization-defined frequency to identify sensitive / regulated data that is no longer needed. 172A_3.14.5e[b]

DCH-18 DCH-18_A04 sensitive / regulated data that is no longer needed is removed. 172A_3.14.5e[c]

DCH-18 DCH-18_A05 information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements. 53A_R5_SI-12[01]

DCH-18 DCH-18_A06 information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements. 53A_R5_SI-12[02]

DCH-18 DCH-18_A07 information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements. 53A_R5_SI-12[03]

DCH-18 DCH-18_A08 information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements. 53A_R5_SI-12[04]

DCH-18.1 DCH-18.1_A01 elements of personal data being processed in the information life cycle are defined. 53A_R5_SI-12(01)_ODP

DCH-18.1 DCH-18.1_A02 personal data being processed in the information life cycle is limited to organization-defined elements of personal data. 53A_R5_SI-12(01)

DCH-18.2 DCH-18.2_A01 the developer of the system or system component is required to minimize the use of personal data in development and test environments. 53A_R5_SA-15(12)

DCH-18.2 DCH-18.2_A02 processes that implement the privacy principle of minimization are defined. 53A_R5_SA-08(33)_ODP

DCH-18.2 DCH-18.2_A03 the privacy principle of minimization is implemented using organization-defined processes. 53A_R5_SA-08(33)

DCH-18.2 DCH-18.2_A04 techniques used to minimize the use of personal data for research are defined. 53A_R5_SI-12(02)_ODP[01]

DCH-18.2 DCH-18.2_A05 techniques used to minimize the use of personal data for testing are defined. 53A_R5_SI-12(02)_ODP[02]

DCH-18.2 DCH-18.2_A06 techniques used to minimize the use of personal data for training are defined. 53A_R5_SI-12(02)_ODP[03]

DCH-18.2 DCH-18.2_A07 organization-defined techniques are used to minimize the use of personal data for research. 53A_R5_SI-12(02)[01]

DCH-18.2 DCH-18.2_A08 organization-defined techniques are used to minimize the use of personal data for testing. 53A_R5_SI-12(02)[02]

Licensed by Creative Commons Attribution-NoDerivatives 148 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

DCH-18.2 DCH-18.2_A09 organization-defined techniques are used to minimize the use of personal data for training. 53A_R5_SI-12(02)[03]

DCH-18.3 DCH-18.3_A01 periodic checks of temporary files for the existence of Personal Data (PD) are performed. SCF Created

DCH-19 DCH-19_A01 locations where information processing and data storage is/are to be restricted are defined. 53A_R5_SA-09(05)_ODP[01] 53A_R5_SA-09(05)_ODP[02]

DCH-19 DCH-19_A02 requirements or conditions for restricting the location of information processing, information storage or information services are defined. 53A_R5_SA-09(05)_ODP[03]

DCH-19 DCH-19_A03 based on requirements, information processing, information storage or information services is/are restricted to locations. 53A_R5_SA-09(05)

DCH-19 DCH-19_A04 the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States. 53A_R5_SA-09(08)

DCH-20 DCH-20_A01 archived data is protected in accordance with applicable statutory, regulatory and contractual obligations. SCF Created

DCH-21 DCH-21_A01 techniques used to dispose of information following the retention period are defined. 53A_R5_SI-12(03)_ODP[01]

DCH-21 DCH-21_A02 techniques used to destroy information following the retention period are defined. 53A_R5_SI-12(03)_ODP[02]

DCH-21 DCH-21_A03 techniques used to erase information following the retention period are defined. 53A_R5_SI-12(03)_ODP[03]

DCH-21 DCH-21_A04 organization-defined techniques are used to dispose of information following the retention period. 53A_R5_SI-12(03)[01]

DCH-21 DCH-21_A05 organization-defined techniques are used to destroy information following the retention period. 53A_R5_SI-12(03)[02]

DCH-21 DCH-21_A06 organization-defined techniques are used to erase information following the retention period. 53A_R5_SI-12(03)[03]

DCH-22 DCH-22_A01 organization-wide policies for personal data quality management are developed and documented. 53A_R5_PM-22[01]

DCH-22 DCH-22_A02 organization-wide procedures for personal data quality management are developed and documented. 53A_R5_PM-22[02]

DCH-22 DCH-22_A03 the policies address reviewing the accuracy of personal data across the information life cycle. 53A_R5_PM-22a.[01]

DCH-22 DCH-22_A04 the policies address reviewing the relevance of personal data across the information life cycle. 53A_R5_PM-22a.[02]

DCH-22 DCH-22_A05 the policies address reviewing the timeliness of personal data across the information life cycle. 53A_R5_PM-22a.[03]

DCH-22 DCH-22_A06 the policies address reviewing the completeness of personal data across the information life cycle. 53A_R5_PM-22a.[04]

DCH-22 DCH-22_A07 the procedures address reviewing the accuracy of personal data across the information life cycle. 53A_R5_PM-22a.[05]

DCH-22 DCH-22_A08 the procedures address reviewing the relevance of personal data across the information life cycle. 53A_R5_PM-22a.[06]

DCH-22 DCH-22_A09 the procedures address reviewing the timeliness of personal data across the information life cycle. 53A_R5_PM-22a.[07]

DCH-22 DCH-22_A10 the procedures address reviewing the completeness of personal data across the information life cycle. 53A_R5_PM-22a.[08]

DCH-22 DCH-22_A11 the policies address correcting or deleting inaccurate or outdated personal data. 53A_R5_PM-22b.[01]

DCH-22 DCH-22_A12 the procedures address correcting or deleting inaccurate or outdated personal data. 53A_R5_PM-22b.[02]

DCH-22 DCH-22_A13 the policies address disseminating notice of corrected or deleted personal data to individuals or other appropriate entities. 53A_R5_PM-22c.[01]

DCH-22 DCH-22_A14 the procedures address disseminating notice of corrected or deleted personal data to individuals or other appropriate entities. 53A_R5_PM-22c.[02]

DCH-22 DCH-22_A15 the policies address appeals of adverse decisions on correction or deletion requests. 53A_R5_PM-22d.[01]

DCH-22 DCH-22_A16 the procedures address appeals of adverse decisions on correction or deletion requests. 53A_R5_PM-22d.[02]

DCH-22 DCH-22_A17 the frequency at which to check the accuracy of personal data across the information life cycle is defined. 53A_R5_SI-18_ODP[01]

DCH-22 DCH-22_A18 the frequency at which to check the relevance of personal data across the information life cycle is defined. 53A_R5_SI-18_ODP[02]

DCH-22 DCH-22_A19 the frequency at which to check the timeliness of personal data across the information life cycle is defined. 53A_R5_SI-18_ODP[03]

DCH-22 DCH-22_A20 the frequency at which to check the completeness of personal data across the information life cycle is defined. 53A_R5_SI-18_ODP[04]

DCH-22 DCH-22_A21 the accuracy of personal data across the information life cycle is checked at the organization-defined frequency. 53A_R5_SI-18a.[01]

DCH-22 DCH-22_A22 the relevance of personal data across the information life cycle is checked at the organization-defined frequency. 53A_R5_SI-18a.[02]

DCH-22 DCH-22_A23 the timeliness of personal data across the information life cycle is checked at the organization-defined frequency. 53A_R5_SI-18a.[03]




DCH-22 DCH-22_A24 the completeness of personal data across the information life cycle is checked at the organization-defined frequency. 53A_R5_SI-18a.[04]

DCH-22 DCH-22_A25 inaccurate or outdated personal data is corrected or deleted. 53A_R5_SI-18b.

DCH-22 DCH-22_A26 automated mechanisms used to correct or delete personal data that is inaccurate, outdated, incorrectly determined regarding impact or incorrectly de-identified are defined. 53A_R5_SI-18(01)_ODP

DCH-22 DCH-22_A27 automated mechanisms are used to correct or delete personal data that is inaccurate, outdated, incorrectly determined regarding impact or incorrectly de-identified. 53A_R5_SI-18(01)

DCH-22.1 DCH-22.1_A01 personal data is corrected or deleted upon request by individuals or their designated representatives. 53A_R5_SI-18(04) 53A_R5_SI-18b.

DCH-22.1 DCH-22.1_A02 recipients of personal data to be notified when their personal data has been corrected or deleted are defined. 53A_R5_SI-18(05)_ODP

DCH-22.1 DCH-22.1_A03 recipients and individuals are notified when their personal data has been corrected or deleted. 53A_R5_SI-18(05)

DCH-22.1 DCH-22.1_A04 automated mechanisms used to correct or delete personal data that is inaccurate, outdated, incorrectly determined regarding impact or incorrectly de-identified are defined. 53A_R5_SI-18(01)_ODP

DCH-22.1 DCH-22.1_A05 automated mechanisms are used to correct or delete personal data that is inaccurate, outdated, incorrectly determined regarding impact or incorrectly de-identified. 53A_R5_SI-18(01)

DCH-22.2 DCH-22.2_A01 data tags are employed to automate the correction or deletion of personal data across the information life cycle within organizational systems. 53A_R5_SI-18(02)

DCH-22.2 DCH-22.2_A02 the authorized processing of personal data is defined. 53A_R5_PT-02(01)_ODP[01]

DCH-22.2 DCH-22.2_A03 elements of personal data to be tagged are defined. 53A_R5_PT-02(01)_ODP[02] 53A_R5_PT-03(01)_ODP[02]

DCH-22.2 DCH-22.2_A04 data tags containing authorized processing are attached to elements of personal data. 53A_R5_PT-02(01)

DCH-22.2 DCH-22.2_A05 processing purposes to be contained in data tags are defined. 53A_R5_PT-03(01)_ODP[01]

DCH-22.2 DCH-22.2_A06 data tags containing processing purposes are attached to elements of personal data. 53A_R5_PT-03(01)

DCH-22.3 DCH-22.3_A01 personal data is collected directly from the individual. 53A_R5_SI-18(03)

DCH-23 DCH-23_A01 elements of personal data to be removed from datasets are defined. 53A_R5_SI-19_ODP[01]

DCH-23 DCH-23_A02 the frequency at which to evaluate the effectiveness of de-identification is defined. 53A_R5_SI-19_ODP[02]

DCH-23 DCH-23_A03 organization-defined elements of personal data are removed from datasets. 53A_R5_SI-19a.

DCH-23 DCH-23_A04 the effectiveness of de-identification is evaluated at the organization-defined frequency. 53A_R5_SI-19b.

DCH-23.1 DCH-23.1_A01 the dataset is de-identified upon collection by not collecting personal data. 53A_R5_SI-19(01)

DCH-23.2 DCH-23.2_A01 the archiving of personal data elements is prohibited if those elements in a dataset will not be needed after the dataset is archived. 53A_R5_SI-19(02)

DCH-23.3 DCH-23.3_A01 personal data elements are removed from a dataset prior to its release if those elements in the dataset do not need to be part of the data release. 53A_R5_SI-19(03)

DCH-23.4 DCH-23.4_A01 direct identifiers in a dataset are removed, masked, encrypted, hashed or replaced. 53A_R5_SI-19(04)

DCH-23.5 DCH-23.5_A01 numerical data is manipulated so that no individual or organization is identifiable in the results of the analysis. 53A_R5_SI-19(05)[01]

DCH-23.5 DCH-23.5_A02 contingency tables are manipulated so that no individual or organization is identifiable in the results of the analysis. 53A_R5_SI-19(05)[02]

DCH-23.5 DCH-23.5_A03 statistical findings are manipulated so that no individual or organization is identifiable in the results of the analysis. 53A_R5_SI-19(05)[03]

DCH-23.6 DCH-23.6_A01 the disclosure of personal data is prevented by adding non-deterministic noise to the results of mathematical operations before the results are reported. 53A_R5_SI-19(06)

DCH-23.7 DCH-23.7_A01 de-identification is performed using validated algorithms. 53A_R5_SI-19(07)[01]

DCH-23.7 DCH-23.7_A02 de-identification is performed using software that is validated to implement the algorithms. 53A_R5_SI-19(07)[02]

DCH-23.8 DCH-23.8_A01 a motivated intruder test is performed on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified. 53A_R5_SI-19(08)
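The de-identification techniques named in DCH-23.4 through DCH-23.8 (replacing direct identifiers, manipulating contingency tables, adding non-deterministic noise, and checking whether identifiers survive) are easier to assess when you have seen them in code. The following is an added example written for this page, not SCF or NIST material: the records, the HMAC key, the epsilon value and every function name are assumptions. It pseudonymizes direct identifiers with a keyed HMAC, releases a diagnosis-by-zip contingency table with Laplace noise, and runs a minimal leak check of the kind a motivated intruder test would start from.

```python
"""Added example: de-identification of a constructed dataset before release.
Illustrative code, not SCF or NIST material; the records, the HMAC key,
the epsilon value and the function names are assumptions."""
import hashlib
import hmac
import math
import random
import secrets

# Constructed sample records: two direct identifiers plus two analysis fields.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "zip": "90210", "diagnosis": "flu"},
    {"name": "Bob Example", "email": "bob@example.com", "zip": "90210", "diagnosis": "flu"},
    {"name": "Carol Example", "email": "carol@example.com", "zip": "10001", "diagnosis": "asthma"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def make_rng(seed=None):
    """Seeded generator for reproducible tests; an OS-backed CSPRNG otherwise."""
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


def pseudonymize(record, key, fields=DIRECT_IDENTIFIERS):
    """Replace each direct identifier with a keyed HMAC-SHA256 token (DCH-23.4).
    A keyed MAC rather than a plain hash: names and e-mail addresses are
    guessable, so an unkeyed digest could be reversed by dictionary attack."""
    out = dict(record)
    for field in fields:
        out[field] = hmac.new(key, record[field].encode(), hashlib.sha256).hexdigest()
    return out


def laplace_noise(scale, rng):
    """Draw from Laplace(0, scale) by inverting the CDF on u in (-0.5, 0.5)."""
    u = rng.random() - 0.5
    while abs(u) >= 0.5:  # exclude the endpoint, where log(0) would fail
        u = rng.random() - 0.5
    sign = 1.0 if u >= 0 else -1.0
    return -scale * sign * math.log(1.0 - 2.0 * abs(u))


def noisy_count(records, predicate, epsilon, rng):
    """Count matching records and add Laplace(1/epsilon) noise (DCH-23.6).
    Adding or removing one record changes a count by at most 1 (sensitivity 1),
    so this is the standard epsilon-differentially-private counting query."""
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def release(records, key, epsilon, rng):
    """Return what an analyst may receive: pseudonymized rows and a noisy
    diagnosis-by-zip contingency table (DCH-23.5). Each record falls in exactly
    one cell, so under the add/remove-one-record neighbour definition the whole
    table is covered by a single epsilon budget."""
    rows = [pseudonymize(r, key) for r in records]
    table = {}
    for zip_code in sorted({r["zip"] for r in records}):
        for dx in sorted({r["diagnosis"] for r in records}):
            # default arguments bind the current loop values into the lambda
            predicate = lambda r, z=zip_code, d=dx: r["zip"] == z and r["diagnosis"] == d
            table[(zip_code, dx)] = noisy_count(records, predicate, epsilon, rng)
    return rows, table


def leaks_direct_identifier(released_rows, original_records):
    """Minimal re-identification check (a starting point for a DCH-23.8
    motivated intruder test): no original identifier value may survive."""
    originals = {r[f] for r in original_records for f in DIRECT_IDENTIFIERS}
    return any(v in originals for row in released_rows for v in row.values())
```

The noise must come from a non-deterministic source in production (the `make_rng()` default), and the zip code is left intact here only because the table is what is released; if the pseudonymized rows themselves leave the organization, quasi-identifiers such as zip need the same treatment as the direct identifiers.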

DCH-23.9 DCH-23.9_A01 aliases used to name assets that are mission-critical and/or contain highly-sensitive/regulated data are unique and not readily associated with a product, project or type of data. SCF Created

DCH-24 DCH-24_A01 information for which the location is to be identified and documented is defined. 53A_R5_CM-12_ODP

DCH-24 DCH-24_A02 the location of organization-defined information is identified and documented. 53A_R5_CM-12a.[01]

DCH-24 DCH-24_A03 the specific system components on which organization-defined information is processed are identified and documented. 53A_R5_CM-12a.[02]

DCH-24 DCH-24_A04 the specific system components on which organization-defined information is stored are identified and documented. 53A_R5_CM-12a.[03]




DCH-24 DCH-24_A05 the users who have access to the system and system components where organization-defined information is processed are identified and documented. 53A_R5_CM-12b.[01]

DCH-24 DCH-24_A06 the users who have access to the system and system components where organization-defined information is stored are identified and documented. 53A_R5_CM-12b.[02]

DCH-24 DCH-24_A07 changes to the location (e.g., system or system components) where organization-defined information is processed are documented. 53A_R5_CM-12c.[01]

DCH-24 DCH-24_A08 changes to the location (e.g., system or system components) where organization-defined information is stored are documented. 53A_R5_CM-12c.[02]

DCH-24.1 DCH-24.1_A01 information to be protected is defined by information type. 53A_R5_CM-12(01)_ODP[01]

DCH-24.1 DCH-24.1_A02 system components where the information is located are defined. 53A_R5_CM-12(01)_ODP[02]

DCH-24.1 DCH-24.1_A03 automated tools are used to identify information by information type on system components to ensure that controls are in place to protect organizational information and individual privacy. 53A_R5_CM-12(01)
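DCH-18.3 (periodic checks of temporary files for personal data) and DCH-24.1 (automated tools that identify information by information type on system components) both presuppose a discovery scanner. The following is an added example, not SCF or NIST code: the information types, the regular expressions, the plausibility checks and the constructed scratch directory are all assumptions. The point it shows beyond the rows themselves is that a bare pattern hit is not a finding; each type carries a validator (SSA area-number rules for SSNs, a Luhn check for card numbers), and files that could not be examined are reported rather than silently treated as clean.

```python
"""Added example: scan a directory for regulated data, classified by
information type. Not SCF code; patterns, validators, file names and the
sample contents are constructed for illustration."""
import re
import shutil
import tempfile
from pathlib import Path

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def valid_ssn(m):
    """SSA never issues area 000, 666 or 900-999, nor all-zero group/serial."""
    area, group, serial = m.groups()
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def luhn_ok(digits):
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def valid_pan(m):
    digits = re.sub(r"[ -]", "", m.group(0))
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


# information type -> (pattern, validator); extend per the organization's data inventory
INFORMATION_TYPES = {
    "SSN": (SSN_RE, valid_ssn),
    "PAN": (PAN_RE, valid_pan),
    "EMAIL": (EMAIL_RE, lambda m: True),
}


def classify(text):
    """Return {information_type: validated_hit_count} for one document."""
    found = {}
    for name, (pattern, validator) in INFORMATION_TYPES.items():
        hits = sum(1 for m in pattern.finditer(text) if validator(m))
        if hits:
            found[name] = hits
    return found


def scan_tree(root, max_bytes=1_000_000):
    """Walk root; return (report, skipped). report maps relative path ->
    {type: count}; skipped lists files not examined (binary or oversized)
    so the review accounts for them instead of assuming they are clean."""
    root = Path(root)
    report, skipped = {}, []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        data = path.read_bytes() if path.stat().st_size <= max_bytes else None
        if data is None or b"\x00" in data:
            skipped.append(rel)
            continue
        found = classify(data.decode("utf-8", errors="replace"))
        if found:
            report[rel] = found
    return report, skipped


def demo():
    """Constructed scratch directory standing in for a temp or export share."""
    root = Path(tempfile.mkdtemp(prefix="pdscan-"))
    try:
        (root / "export.csv").write_text(
            "id,email,ssn\n1,jane@example.org,123-45-6789\n2,joe@example.org,000-12-3456\n")
        (root / "cache.log").write_text(
            "card 4111 1111 1111 1111 approved; card 4111 1111 1111 1112 declined\n")
        (root / "notes.txt").write_text("nothing sensitive here\n")
        (root / "blob.bin").write_bytes(b"\x00\x01\x02")
        return scan_tree(root)
    finally:
        shutil.rmtree(root)
```

Run `demo()` to see the shape of the report; in a real deployment `scan_tree()` would be pointed at the temporary-file locations of each system component and its output fed to the data inventory that DCH-24 requires.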

DCH-25 DCH-25_A01 the statutory, regulatory and/or contractual basis that restricts the transfer of sensitive and/or regulated data to third countries or international organizations is identified. SCF Created

DCH-25 DCH-25_A02 mechanisms to restrict the transfer of sensitive and/or regulated data to third-countries or international organizations are defined. SCF Created

DCH-25 DCH-25_A03 mechanisms to restrict the transfer of sensitive and/or regulated data to third-countries or international organizations are implemented. SCF Created

DCH-25.1 DCH-25.1_A01 organization-specific "normal business activities" are defined. SCF Created

DCH-25.1 DCH-25.1_A02 mechanisms are implemented to identify anomalous transaction activity, reducing the opportunity for fraudulent outbound (sending) and/or inbound (receiving) transactions. SCF Created

DCH-26 DCH-26_A01 executive leadership, along with legal counsel, formally identifies primary risks associated with compliance (e.g., loss of confidentiality and/or integrity considerations with data governance). SCF Created

DCH-26 DCH-26_A02 executive leadership, along with legal counsel, formally identifies secondary risks associated with compliance (e.g., non-compliance with other laws, regulations and contractual agreements). SCF Created

DCH-26 DCH-26_A03 executive leadership, along with legal counsel, formally identifies tertiary risks associated with compliance (e.g., human rights abuses, theft of intellectual property, espionage, etc.). SCF Created

DCH-26 DCH-26_A04 data localization is designed with defense-in-depth architecture to prevent host nations (where data is localized) from accessing other organizational assets not in the same geographic location as the host nation. SCF Created

EMB-01 EMB-01_A01 embedded technology controls are implemented to protect the confidentiality of Operational Technology (OT) and/or Internet of Things (IoT) technologies. SCF Created

EMB-01 EMB-01_A02 embedded technology controls are implemented to protect the integrity of Operational Technology (OT) and/or Internet of Things (IoT) technologies. SCF Created

EMB-01 EMB-01_A03 embedded technology controls are implemented to protect the availability of Operational Technology (OT) and/or Internet of Things (IoT) technologies. SCF Created

EMB-01 EMB-01_A04 embedded technology controls are implemented to protect the safety of Operational Technology (OT) and/or Internet of Things (IoT) technologies. SCF Created

EMB-02 EMB-02_A01 security and privacy risks associated with Internet of Things (IoT) are proactively managed. SCF Created

EMB-03 EMB-03_A01 security and privacy risks associated with Operational Technology (OT) are proactively managed. SCF Created

EMB-04 EMB-04_A01 embedded devices are protected against unauthorized use of the physical factory diagnostic and test interface(s). SCF Created

EMB-05 EMB-05_A01 embedded devices generate log entries when configuration changes or attempts to access interfaces are detected. SCF Created

EMB-06 EMB-06_A01 embedded devices are protected by preventing the unauthorized installation and execution of software. SCF Created

EMB-07 EMB-07_A01 embedded devices are capable of securely receiving software updates and upgraded functionality. SCF Created

EMB-08 EMB-08_A01 embedded technologies are configured to be resilient to data network and power outages. SCF Created

EMB-09 EMB-09_A01 power levels of embedded technologies are monitored for decreased or excessive power usage, including battery drainage. SCF Created

EMB-09 EMB-09_A02 incidents of decreased or excessive power usage, including battery drainage, are investigated for device tampering. SCF Created

EMB-10 EMB-10_A01 deployed embedded technologies are evaluated per an organization-defined interval (no less than annually) to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented. SCF Created

EMB-11 EMB-11_A01 configurations enforce the security of Message Queuing Telemetry Transport (MQTT) traffic. SCF Created

EMB-12 EMB-12_A01 configurations for embedded technologies require the embedded technology to initiate all communications and to drop new, inbound communication attempts. SCF Created

EMB-13 EMB-13_A01 configurations for embedded technologies restrict communications to authorized peers and service endpoints. SCF Created

EMB-14 EMB-14_A01 embedded technologies certifications are verified for use in the proposed operating environment. SCF Created

EMB-15 EMB-15_A01 the safety aspects of embedded technologies are evaluated via a fault tree analysis or similar method, to determine possible consequences of misuse, misconfiguration and/or failure. SCF Created

EMB-16 EMB-16_A01 certificate-based authentication is enforced for embedded technologies (e.g., IoT, OT, etc.) and their supporting services. SCF Created




EMB-17 EMB-17_A01 embedded technologies utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP). SCF Created

EMB-18 EMB-18_A01 embedded technologies utilize a securely configured Real-Time Operating System (RTOS). SCF Created

EMB-19 EMB-19_A01 autonomous systems are continuously validated to trigger an automatic state change when safe operation is no longer assured. SCF Created

END-01 END-01_A01 security configuration settings for information technology products employed in the system are established and included in the baseline configuration. 171A_3.4.2[a]

END-01 END-01_A02 a current baseline configuration of the system, application or service is developed and documented. 171A_3.4.1[a] 53A_R5_CM-02a.[01]

END-01 END-01_A03 the baseline configuration includes hardware, software, firmware and documentation. 171A_3.4.1[b]

END-01 END-01_A04 the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle under configuration control. 171A_3.4.1[c] 53A_R5_CM-02a.[02]

END-01 END-01_A05 security configuration settings for information technology products employed in the system are enforced. 171A_3.4.2[b] 53A_R5_CM-06b.

END-01 END-01_A06 configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using organization-defined common secure configurations. 53A_R5_CM-06a.

END-01 END-01_A07 a control baseline for the system is selected. 53A_R5_PL-10

END-01 END-01_A08 thresholds to which attack surfaces are to be reduced are defined. 53A_R5_SA-15(05)_ODP

END-01 END-01_A09 the developer of the system, system component or system service is required to reduce attack surfaces to organization-defined thresholds. 53A_R5_SA-15(05)

END-02 END-02_A01 the confidentiality of sensitive / regulated data at rest is protected. 171A_3.13.16

END-02 END-02_A03 information at rest requiring protection is defined. 53A_R5_SC-28_ODP[01] 53A_R5_SC-28_ODP[02]

END-02 END-02_A04 the confidentiality and/or integrity of organization-defined information at rest is/are protected. 53A_R5_SC-28_ODP[01] 53A_R5_SC-28

END-03 END-03_A01 policies governing the installation of software by users are established. 53A_R5_CM-11_ODP[01]
53A_R5_CM-11a.

END-03 END-03_A02 user installation of software is allowed only with explicit privileged status. 53A_R5_CM-11(02)

END-03 END-03_A03 methods used to enforce software installation policies are defined. 53A_R5_CM-11_ODP[02]

END-03 END-03_A04 frequency with which to monitor compliance is defined. 53A_R5_CM-11_ODP[03]

END-03 END-03_A05 software installation policies are enforced through organization-defined methods. 53A_R5_CM-11b.

END-03 END-03_A06 compliance with software installation policies is monitored at the organization-defined frequency. 53A_R5_CM-11c.

END-03.1 END-03.1_A01 compliance with software installation policies is monitored using organization-defined automated mechanisms. 53A_R5_CM-11(03)[02]

END-03.1 END-03.1_A02 automated mechanisms used to detect the presence of unauthorized hardware within the system are defined. 53A_R5_CM-08(03)_ODP[01]

END-03.1 END-03.1_A03 automated mechanisms used to detect the presence of unauthorized software within the system are defined. 53A_R5_CM-08(03)_ODP[02]

END-03.1 END-03.1_A04 automated mechanisms used to detect the presence of unauthorized firmware within the system are defined. 53A_R5_CM-08(03)_ODP[03]

END-03.1 END-03.1_A05 frequency at which automated mechanisms are used to detect the presence of unauthorized hardware, software and/or firmware within the system is defined. 53A_R5_CM-08(03)_ODP[04]

END-03.1 END-03.1_A06 automated mechanisms disable network access by unauthorized components, isolate unauthorized components and/or notify organization-defined personnel or roles. 53A_R5_CM-08(03)_ODP[05]

END-03.1 END-03.1_A07 personnel or roles to be notified when unauthorized components are detected is/are defined. 53A_R5_CM-08(03)_ODP[06]

END-03.1 END-03.1_A08 the presence of unauthorized hardware within the system is detected using automated mechanisms at the organization-defined frequency. 53A_R5_CM-08(03)(a)[01]

END-03.1 END-03.1_A09 the presence of unauthorized software within the system is detected using automated mechanisms at the organization-defined frequency. 53A_R5_CM-08(03)(a)[02]

END-03.1 END-03.1_A10 the presence of unauthorized firmware within the system is detected using automated mechanisms at the organization-defined frequency. 53A_R5_CM-08(03)(a)[03]

END-03.1 END-03.1_A11 organization-defined actions are taken when unauthorized hardware is detected. 53A_R5_CM-08(03)(b)[01]

END-03.1 END-03.1_A12 organization-defined actions are taken when unauthorized software is detected. 53A_R5_CM-08(03)(b)[02]

END-03.1 END-03.1_A13 organization-defined actions are taken when unauthorized firmware is detected. 53A_R5_CM-08(03)(b)[03]

END-03.2 END-03.2_A01 physical access restrictions associated with changes to the system are defined and documented. 171A_3.4.5[a] 171A_3.4.5[b] 53A_R5_CM-05[01]

END-03.2 END-03.2_A02 physical access restrictions associated with changes to the system are approved. 171A_3.4.5[c] 53A_R5_CM-05[02]




END-03.2 END-03.2_A03 physical access restrictions associated with changes to the system are enforced. 171A_3.4.5[d]
53A_R5_CM-05[03]

END-03.2 END-03.2_A04 logical access restrictions associated with changes to the system are defined and documented. 171A_3.4.5[e] 171A_3.4.5[f] 53A_R5_CM-05[04]

END-03.2 END-03.2_A05 logical access restrictions associated with changes to the system are approved. 171A_3.4.5[g]
53A_R5_CM-05[05]

END-03.2 END-03.2_A06 logical access restrictions associated with changes to the system are enforced. 171A_3.4.5[h]
53A_R5_CM-05[06]

END-04 END-04_A01 the frequency for malicious code scans is defined. 171A_3.14.5[a] 53A_R5_SI-03_ODP[01] 53A_R5_SI-03_ODP[02]

END-04 END-04_A02 malicious code scans are performed with the defined frequency. 171A_3.14.5[b]

END-04 END-04_A03 real-time malicious code scans of files from external sources as files are downloaded, opened or executed are performed. 171A_3.14.5[c]

END-04 END-04_A04 designated locations for malicious code protection are identified. 171A_3.14.2[a]

END-04 END-04_A05 protection from malicious code at designated locations is provided. 171A_3.14.2[b]

END-04 END-04_A06 actions to be taken in response to malicious code detection are defined. 53A_R5_SI-03_ODP[04]
53A_R5_SI-03_ODP[05]

END-04 END-04_A07 personnel or roles to be alerted when malicious code is detected is/are defined. 53A_R5_SI-03_ODP[06]

END-04 END-04_A08 malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code. 53A_R5_SI-03_ODP[01]
53A_R5_SI-03a.[01]

END-04 END-04_A09 malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code. 53A_R5_SI-03_ODP[04]
53A_R5_SI-03a.[02]

END-04 END-04_A10 malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures. 53A_R5_SI-03b.

END-04 END-04_A11 malicious code protection mechanisms are configured to perform periodic scans of the system at the organization-defined frequency. 53A_R5_SI-03c.01[01]

END-04 END-04_A12 malicious code protection mechanisms are configured to perform real-time scans of files from external sources as the files are downloaded, opened or executed in accordance with organizational policy. 53A_R5_SI-03c.01[02]

END-04 END-04_A13 malicious code protection mechanisms are configured to take organization-defined actions in response to malicious code detection. 53A_R5_SI-03c.02[01] 53A_R5_SI-03_ODP[04]

END-04 END-04_A14 malicious code protection mechanisms are configured to send alerts to personnel or roles in response to malicious code detection. 53A_R5_SI-03c.02[02]

END-04 END-04_A15 the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed. 53A_R5_SI-03d.

END-04 END-04_A16 malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code. 53A_R5_SI-03a.[02]

END-04 END-04_A17 malicious code protection mechanisms are configured to take organization-defined actions in response to malicious code detection. 53A_R5_SI-03c.02[01]

END-04.1 END-04.1_A01 malicious code protection mechanisms are updated when new releases are available. 171A_3.14.4

END-04.2 END-04.2_A01 antimalware technologies are documented. SCF Created

END-04.3 END-04.3_A01 antimalware controls and related processes to be centrally managed are defined. SCF Created 53A_R5_PL-09_ODP

END-04.3 END-04.3_A02 antimalware controls and related processes are centrally managed. SCF Created 53A_R5_PL-09

END-04.4 END-04.4_A01 malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code. 53A_R5_SI-03a.[01]

END-04.4 END-04.4_A02 malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures. 53A_R5_SI-03b.

END-04.4 END-04.4_A03 malicious code protection mechanisms are configured to perform periodic scans of the system at the organization-defined frequency. 53A_R5_SI-03c.01[01]

END-04.4 END-04.4_A04 malicious code protection mechanisms are configured to perform real-time scans of files from external sources as the files are downloaded, opened or executed in accordance with organizational policy. 53A_R5_SI-03c.01[02]

END-04.5 END-04.5_A01 the frequency at which to test malicious code protection mechanisms is defined. 53A_R5_SI-03(06)_ODP

END-04.5 END-04.5_A02 malicious code protection mechanisms are tested at the organization-defined frequency by introducing known benign code into the system. 53A_R5_SI-03(06)(a)

END-04.5 END-04.5_A03 detection of the benign test code occurs. 53A_R5_SI-03(06)(b)[01]

END-04.5 END-04.5_A04 the associated incident reporting occurs. 53A_R5_SI-03(06)(b)[02]

END-04.6 END-04.6_A01 system components that require diversity are defined. 172A_3.13.1e_ODP[1]

END-04.6 END-04.6_A02 diversity in system components is created to reduce the extent of malicious code propagation. 172A_3.13.1e[a]

END-04.7 END-04.7_A01 malicious code protection mechanisms are configured to perform real-time scans of files from external sources as the files are downloaded, opened or executed in accordance with organizational policy. 53A_R5_SI-03c.01[02] 171A_3.14.5[c]




END-05 END-05_A01 host-based firewall software, or similar technologies, are used on all systems, where technically feasible. SCF Created

END-06 END-06_A01 software requiring integrity verification tools to be employed to detect unauthorized changes is defined. 53A_R5_SI-07_ODP[01]

END-06 END-06_A02 firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined. 53A_R5_SI-07_ODP[02]

END-06 END-06_A03 information requiring integrity verification tools to be employed to detect unauthorized changes is defined. 53A_R5_SI-07_ODP[03]

END-06 END-06_A04 actions to be taken when unauthorized changes to software are detected are defined. 53A_R5_SI-07_ODP[04]

END-06 END-06_A05 actions to be taken when unauthorized changes to firmware are detected are defined. 53A_R5_SI-07_ODP[05]

END-06 END-06_A06 actions to be taken when unauthorized changes to information are detected are defined. 53A_R5_SI-07_ODP[06]

END-06 END-06_A07 integrity verification tools are employed to detect unauthorized changes to software. 53A_R5_SI-07a.[01]

END-06 END-06_A08 integrity verification tools are employed to detect unauthorized changes to firmware. 53A_R5_SI-07a.[02]

END-06 END-06_A09 integrity verification tools are employed to detect unauthorized changes to information. 53A_R5_SI-07a.[03]

END-06 END-06_A10 actions are taken when unauthorized changes to the software are detected. 53A_R5_SI-07b.[01]

END-06 END-06_A11 actions are taken when unauthorized changes to the firmware are detected. 53A_R5_SI-07b.[02]

END-06 END-06_A12 actions are taken when unauthorized changes to the information are detected. 53A_R5_SI-07b.[03]

END-06.1 END-06.1_A01 software on which an integrity check is to be performed is defined. 53A_R5_SI-07(01)_ODP[01]

END-06.1 END-06.1_A02 transitional states or security-relevant events requiring integrity checks (on software) are defined. 53A_R5_SI-07(01)_ODP[02]
53A_R5_SI-07(01)_ODP[03]

END-06.1 END-06.1_A03 frequency with which to perform an integrity check (on software) is defined. 53A_R5_SI-07(01)_ODP[04]

END-06.1 END-06.1_A04 firmware on which an integrity check is to be performed is defined. 53A_R5_SI-07(01)_ODP[05]

END-06.1 END-06.1_A05 transitional states or security-relevant events requiring integrity checks (on firmware) are defined. 53A_R5_SI-07(01)_ODP[06]
53A_R5_SI-07(01)_ODP[07]

END-06.1 END-06.1_A06 frequency with which to perform an integrity check (on firmware) is defined. 53A_R5_SI-07(01)_ODP[08]

END-06.1 END-06.1_A07 information on which an integrity check is to be performed is defined. 53A_R5_SI-07(01)_ODP[09]

END-06.1 END-06.1_A08 transitional states or security-relevant events requiring integrity checks (of information) are defined. 53A_R5_SI-07(01)_ODP[10]
53A_R5_SI-07(01)_ODP[11]

END-06.1 END-06.1_A09 frequency with which to perform an integrity check (of information) is defined. 53A_R5_SI-07(01)_ODP[12]

END-06.1 END-06.1_A10 an integrity check of software is performed per an organization-defined time period. 53A_R5_SI-07(01)[01]

END-06.1 END-06.1_A11 an integrity check of firmware is performed per an organization-defined time period. 53A_R5_SI-07(01)[02]

END-06.1 END-06.1_A12 an integrity check of information is performed per an organization-defined time period. 53A_R5_SI-07(01)[03]

END-06.2 END-06.2_A01 security-relevant changes to the system are defined. 53A_R5_SI-07(07)_ODP

END-06.2 END-06.2_A02 the detection of organization-defined security-relevant changes to the system is incorporated into the organizational incident response capability. 53A_R5_SI-07(07)

END-06.3 END-06.3_A01 personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is/are defined. 53A_R5_SI-07(02)_ODP

END-06.3 END-06.3_A02 automated tools that provide notification to personnel or roles upon discovering discrepancies during integrity verification are employed. 53A_R5_SI-07(02)

END-06.4 END-06.4_A01 controls to be implemented automatically when integrity violations are discovered are defined. 53A_R5_SI-07(05)_ODP[01] 53A_R5_SI-07(05)_ODP[02]

END-06.4 END-06.4_A02 organization-defined actions are automatically performed when integrity violations are discovered. 53A_R5_SI-07(05)

END-06.5 END-06.5_A01 system components requiring integrity verification of the boot process are defined. 53A_R5_SI-07(09)_ODP

END-06.5 END-06.5_A02 the integrity of the boot process of system components is verified. 53A_R5_SI-07(09)

END-06.6 END-06.6_A01 mechanisms to be implemented to protect the integrity of boot firmware in system components are defined. 53A_R5_SI-07(10)_ODP[01]

END-06.6 END-06.6_A02 system components requiring mechanisms to protect the integrity of boot firmware are defined. 53A_R5_SI-07(10)_ODP[02]

END-06.6 END-06.6_A03 mechanisms are implemented to protect the integrity of boot firmware in system components. 53A_R5_SI-07(10)

Licensed by Creative Commons Attribution-NoDerivatives 154 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

END-06.7 END-06.7_A01 the use of binary or machine-executable code is prohibited when it originates from sources with limited or no warranty or without the provision of source code. 53A_R5_CM-07(08)(a)

END-06.7 END-06.7_A02 exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only for compelling mission or operational requirements. 53A_R5_CM-07(08)(b)[01]

END-06.7 END-06.7_A03 exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only with the approval of the authorizing official. 53A_R5_CM-07(08)(b)[02]

END-07 END-07_A01 host-based Intrusion Detection / Prevention Systems (HIDS / HIPS), or a similar technology, is deployed on business-critical systems. SCF Created

END-07 END-07_A02 host-based Intrusion Detection / Prevention Systems (HIDS / HIPS), or a similar technology, is deployed on systems that store, process and/or transmit sensitive/regulated data. SCF Created

END-08 END-08_A01 spam protection mechanisms are employed at system entry points to detect unsolicited messages. 53A_R5_SI-08a.[01]

END-08 END-08_A02 spam protection mechanisms are employed at system exit points to detect unsolicited messages. 53A_R5_SI-08a.[02]

END-08 END-08_A03 spam protection mechanisms are employed at system entry points to act on unsolicited messages. 53A_R5_SI-08a.[03]

END-08 END-08_A04 spam protection mechanisms are employed at system exit points to act on unsolicited messages. 53A_R5_SI-08a.[04]

END-08.1 END-08.1_A01 endpoint security controls and related processes to be centrally managed are defined. 53A_R5_PL-09_ODP

END-08.1 END-08.1_A02 endpoint security controls and related processes are centrally managed. 53A_R5_PL-09

END-08.2 END-08.2_A01 the frequency at which to automatically update spam protection mechanisms is defined. 53A_R5_SI-08(02)_ODP

END-08.2 END-08.2_A02 spam protection mechanisms are automatically updated frequently. 53A_R5_SI-08b. 53A_R5_SI-08(02)

END-09 END-09_A01 logical security functions of the system are defined. 53A_R5_SC-11_ODP[01] 53A_R5_SC-11_ODP[02]

END-09 END-09_A02 an organization-defined isolated trusted communication path is provided for communications between the user and the trusted components of the system. 53A_R5_SC-11a.

END-09 END-09_A03 users are permitted to invoke the trusted communication path for communications between the user and the security functions of the system, including authentication and re-authentication, at a minimum. 53A_R5_SC-11b.

END-10 END-10_A01 acceptable mobile code is defined. 53A_R5_SC-18a.[01]

END-10 END-10_A02 unacceptable mobile code is defined. 53A_R5_SC-18a.[02]

END-10 END-10_A03 acceptable mobile code technologies are defined. 53A_R5_SC-18a.[03]

END-10 END-10_A04 unacceptable mobile code technologies are defined. 53A_R5_SC-18a.[04] 53A_R5_SC-18(01)[01] 53A_R5_SC-18(01)_ODP[01]

END-10 END-10_A05 the use of mobile code is authorized. 53A_R5_SC-18b.[01]

END-10 END-10_A06 the use of mobile code is monitored. 53A_R5_SC-18b.[02] 171A_3.13.13[b]

END-10 END-10_A07 the use of mobile code is controlled. 53A_R5_SC-18b.[03] 171A_3.13.13[a]

END-10 END-10_A08 corrective actions to be taken when unacceptable mobile code is identified are defined. 53A_R5_SC-18(01)_ODP[02]

END-10 END-10_A09 corrective actions are taken if unacceptable mobile code is identified. 53A_R5_SC-18(01)[02]

END-10 END-10_A10 mobile code requirements for the acquisition, development and use of mobile code to be deployed in the system are defined. 53A_R5_SC-18(02)_ODP

END-10 END-10_A11 the acquisition of mobile code to be deployed in the system meets mobile code requirements. 53A_R5_SC-18(02)[01]

END-10 END-10_A12 the development of mobile code to be deployed in the system meets mobile code requirements. 53A_R5_SC-18(02)[02]

END-10 END-10_A13 the use of mobile code to be deployed in the system meets mobile code requirements. 53A_R5_SC-18(02)[03]

END-10 END-10_A14 unacceptable mobile code to be prevented from downloading and executing is defined. 53A_R5_SC-18(03)_ODP

END-10 END-10_A15 the download of unacceptable mobile code is prevented. 53A_R5_SC-18(03)[01]

END-10 END-10_A16 the execution of unacceptable mobile code is prevented. 53A_R5_SC-18(03)[02]

END-10 END-10_A17 software applications in which the automatic execution of mobile code is to be prevented are defined. 53A_R5_SC-18(04)_ODP[01]

END-10 END-10_A18 actions to be enforced by the system prior to executing mobile code are defined. 53A_R5_SC-18(04)_ODP[02]

END-10 END-10_A19 the automatic execution of mobile code in software applications is prevented. 53A_R5_SC-18(04)[01] 53A_R5_SC-18(04)[02]

END-10 END-10_A20 platform-independent applications to be included within organizational systems are defined. 53A_R5_SC-27_ODP


END-10 END-10_A21 platform-independent applications are included within organizational systems. 53A_R5_SC-27

END-11 END-11_A01 system components to be employed with minimal functionality and information storage are defined. 53A_R5_SC-25_ODP

END-11 END-11_A02 minimal functionality for system components is employed. 53A_R5_SC-25[01]

END-11 END-11_A03 minimal information storage on system components is allocated. 53A_R5_SC-25[02]

END-11 END-11_A04 physical isolation techniques are defined. 172A_3.13.4e_ODP[1] 172A_3.13.4e_ODP[2]

END-11 END-11_A05 logical isolation techniques are defined. 172A_3.13.4e_ODP[1] 172A_3.13.4e_ODP[3]

END-11 END-11_A06 physical isolation techniques and/or logical isolation techniques are employed in organizational systems and system components. 172A_3.13.4e[a]

END-12 END-12_A01 connection ports or input/output devices to be disabled or removed are defined. 53A_R5_SC-41_ODP[01] 53A_R5_SC-41_ODP[02]

END-12 END-12_A02 systems or system components with connection ports or input/output devices to be disabled or removed are defined. 53A_R5_SC-41_ODP[03]

END-12 END-12_A03 connection ports or input/output devices are disabled or removed on systems or system components per organization-defined criteria. 53A_R5_SC-41

END-13 END-13_A01 environmental sensing capabilities in devices are defined. 53A_R5_SC-42_ODP[01] 53A_R5_SC-42_ODP[02]

END-13 END-13_A02 facilities, areas or systems where the use of devices possessing environmental sensing capabilities is prohibited are defined. 53A_R5_SC-42_ODP[03]

END-13 END-13_A03 exceptions where remote activation of sensors is allowed are defined. 53A_R5_SC-42_ODP[04]

END-13 END-13_A04 group of users to whom an explicit indication of sensor use is to be provided is defined. 53A_R5_SC-42_ODP[05]

END-13 END-13_A05 organization-defined parameters are prohibited. 53A_R5_SC-42a.

END-13 END-13_A06 an explicit indication of sensor use is provided to a group of users. 53A_R5_SC-42b.

END-13.1 END-13.1_A01 measures to be employed so that data or information collected by sensors is only used for authorized purposes are defined. 53A_R5_SC-42(02)_ODP

END-13.1 END-13.1_A02 organization-defined measures are employed so that data or information collected by sensors is only used for authorized purposes. 53A_R5_SC-42(02)

END-13.2 END-13.2_A01 measures to facilitate an individual’s awareness that personal data is being collected are defined. 53A_R5_SC-42(04)_ODP[01]

END-13.2 END-13.2_A02 sensors that collect personal data are defined. 53A_R5_SC-42(04)_ODP[02]

END-13.2 END-13.2_A03 organization-defined measures are employed to facilitate an individual’s awareness that personal data is being collected by sensors. 53A_R5_SC-42(04)

END-13.3 END-13.3_A01 the frequency for reviewing policies that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[01]

END-13.3 END-13.3_A02 the frequency for updating policies that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[02]

END-13.3 END-13.3_A03 the frequency for reviewing procedures that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[03]

END-13.3 END-13.3_A04 the frequency for updating procedures that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[04]

END-13.3 END-13.3_A05 policies that address the use of personal data for internal testing are developed and documented. 53A_R5_PM-25a.[01]

END-13.3 END-13.3_A06 policies that address the use of personal data for internal training are developed and documented. 53A_R5_PM-25a.[02]

END-13.3 END-13.3_A07 policies that address the use of personal data for internal research are developed and documented. 53A_R5_PM-25a.[03]

END-13.3 END-13.3_A08 procedures that address the use of personal data for internal testing are developed and documented. 53A_R5_PM-25a.[04]

END-13.3 END-13.3_A09 procedures that address the use of personal data for internal training are developed and documented. 53A_R5_PM-25a.[05]

END-13.3 END-13.3_A10 procedures that address the use of personal data for internal research are developed and documented. 53A_R5_PM-25a.[06]

END-13.3 END-13.3_A11 policies that address the use of personal data for internal testing are implemented. 53A_R5_PM-25a.[07]

END-13.3 END-13.3_A12 policies that address the use of personal data for training are implemented. 53A_R5_PM-25a.[08]

END-13.3 END-13.3_A13 policies that address the use of personal data for research are implemented. 53A_R5_PM-25a.[09]

END-13.3 END-13.3_A14 procedures that address the use of personal data for internal testing are implemented. 53A_R5_PM-25a.[10]

END-13.3 END-13.3_A15 procedures that address the use of personal data for training are implemented. 53A_R5_PM-25a.[11]


END-13.3 END-13.3_A16 procedures that address the use of personal data for research are implemented. 53A_R5_PM-25a.[12]

END-13.3 END-13.3_A17 the amount of personal data used for internal testing purposes is limited or minimized. 53A_R5_PM-25b.[01]

END-13.3 END-13.3_A18 the amount of personal data used for internal training purposes is limited or minimized. 53A_R5_PM-25b.[02]

END-13.3 END-13.3_A19 the amount of personal data used for internal research purposes is limited or minimized. 53A_R5_PM-25b.[03]

END-13.3 END-13.3_A20 the required use of personal data for internal testing is authorized. 53A_R5_PM-25c.[01]

END-13.3 END-13.3_A21 the required use of personal data for internal training is authorized. 53A_R5_PM-25c.[02]

END-13.3 END-13.3_A22 the required use of personal data for internal research is authorized. 53A_R5_PM-25c.[03]

END-13.3 END-13.3_A23 policies are reviewed frequently. 53A_R5_PM-25d.[01]

END-13.3 END-13.3_A24 policies are updated frequently. 53A_R5_PM-25d.[02]

END-13.3 END-13.3_A25 procedures are reviewed frequently. 53A_R5_PM-25d.[03]

END-13.3 END-13.3_A26 procedures are updated frequently. 53A_R5_PM-25d.[04]

END-13.3 END-13.3_A27 processes that implement the privacy principle of minimization are defined. 53A_R5_SA-08(33)_ODP

END-13.3 END-13.3_A28 the privacy principle of minimization is implemented using organization-defined processes. 53A_R5_SA-08(33)

END-13.3 END-13.3_A29 the sensors that are configured to minimize the collection of unneeded information about individuals are defined. 53A_R5_SC-42(05)_ODP

END-13.3 END-13.3_A30 sensors configured to minimize the collection of information about individuals that is not needed are employed. 53A_R5_SC-42(05)

END-13.4 END-13.4_A01 sensors to be used to collect data or information are defined. 53A_R5_SC-42(01)_ODP

END-13.4 END-13.4_A02 systems are configured so that data or information collected by the sensors is only reported to authorized individuals or roles. 53A_R5_SC-42(01)

END-14 END-14_A01 collaborative computing devices are identified. 171A_3.13.12[a]

END-14 END-14_A02 collaborative computing devices provide indication to users of devices in use. 171A_3.13.12[b]

END-14 END-14_A03 remote activation of collaborative computing devices is prohibited. 171A_3.13.12[c]

END-14 END-14_A04 exceptions where remote activation is to be allowed are defined. 53A_R5_SC-15_ODP

END-14 END-14_A05 remote activation of collaborative computing devices and applications is prohibited except by organization-defined exceptions where remote activation is to be allowed. 53A_R5_SC-15a.

END-14 END-14_A06 an explicit indication of use is provided to users physically present at the devices. 53A_R5_SC-15b.

END-14 END-14_A07 collaborative computing devices are logically or physically disconnected. 53A_R5_SC-15(01)_ODP

END-14 END-14_A08 disconnect of collaborative computing devices is provided in a manner that supports ease of use. 53A_R5_SC-15(01)

END-14.1 END-14.1_A01 systems or system components from which collaborative computing devices are to be disabled or removed are defined. 53A_R5_SC-15(03)_ODP[01]

END-14.1 END-14.1_A02 secure work areas where collaborative computing devices are to be disabled or removed from systems or system components are defined. 53A_R5_SC-15(03)_ODP[02]

END-14.1 END-14.1_A03 collaborative computing devices and applications are disabled or removed from systems or system components in secure work areas. 53A_R5_SC-15(03)

END-14.2 END-14.2_A01 online meetings and teleconferences for which an explicit indication of current participants is to be provided are defined. 53A_R5_SC-15(04)_ODP

END-14.2 END-14.2_A02 an explicit indication of current participants in online meetings and teleconferences is provided. 53A_R5_SC-15(04)

END-15 END-15_A01 access to hypervisor management functions or administrative consoles for systems hosting virtualized systems is restricted. SCF Created

END-16 END-16_A01 system configurations isolate security functions from non-security functions. SCF Created

END-16.1 END-16.1_A01 host-based boundary protection mechanisms to be implemented are defined. 53A_R5_SC-07(12)_ODP[01]

END-16.1 END-16.1_A02 system components where host-based boundary protection mechanisms are to be implemented are defined. 53A_R5_SC-07(12)_ODP[02]

END-16.1 END-16.1_A03 host-based boundary protection mechanisms are implemented at system components. 53A_R5_SC-07(12)

HRS-01 HRS-01_A01 personnel or roles to whom the personnel security policy is to be disseminated is/are defined. 53A_R5_PS-01_ODP[01]


HRS-01 HRS-01_A02 personnel or roles to whom the personnel security procedures are to be disseminated is/are defined. 53A_R5_PS-01_ODP[02]

HRS-01 HRS-01_A03 an official to manage the personnel security policy and procedures is defined. 53A_R5_PS-01_ODP[03] 53A_R5_PS-01_ODP[04]

HRS-01 HRS-01_A04 the frequency at which the current personnel security policy is reviewed and updated is defined. 53A_R5_PS-01_ODP[05]

HRS-01 HRS-01_A05 events that would require the current personnel security policy to be reviewed and updated are defined. 53A_R5_PS-01_ODP[06]

HRS-01 HRS-01_A06 the frequency at which the current personnel security procedures are reviewed and updated is defined. 53A_R5_PS-01_ODP[07]

HRS-01 HRS-01_A07 events that would require the personnel security procedures to be reviewed and updated are defined. 53A_R5_PS-01_ODP[08]

HRS-01 HRS-01_A08 a personnel security policy is developed and documented. 53A_R5_PS-01a.[01]

HRS-01 HRS-01_A09 the personnel security policy is disseminated to organization-defined personnel or roles. 53A_R5_PS-01a.[02]

HRS-01 HRS-01_A10 personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented. 53A_R5_PS-01a.[03]

HRS-01 HRS-01_A11 the personnel security procedures are disseminated to organization-defined personnel or roles. 53A_R5_PS-01a.[04]

HRS-01 HRS-01_A12 the organization's personnel security policy addresses purpose. 53A_R5_PS-01a.01(a)[01]

HRS-01 HRS-01_A13 the organization's personnel security policy addresses scope. 53A_R5_PS-01a.01(a)[02]

HRS-01 HRS-01_A14 the organization's personnel security policy addresses roles. 53A_R5_PS-01a.01(a)[03]

HRS-01 HRS-01_A15 the organization's personnel security policy addresses responsibilities. 53A_R5_PS-01a.01(a)[04]

HRS-01 HRS-01_A16 the organization's personnel security policy addresses management commitment. 53A_R5_PS-01a.01(a)[05]

HRS-01 HRS-01_A17 the organization's personnel security policy addresses coordination among organizational entities. 53A_R5_PS-01a.01(a)[06]

HRS-01 HRS-01_A18 the organization's personnel security policy addresses compliance. 53A_R5_PS-01a.01(a)[07] 171A_3.9.2[a]

HRS-01 HRS-01_A19 the organization's personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. 53A_R5_PS-01a.01(b) 171A_3.9.2[a]

HRS-01 HRS-01_A20 an organization-defined official is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures. 53A_R5_PS-01b.

HRS-01 HRS-01_A21 the current personnel security policy is reviewed and updated at an organization-defined frequency. 53A_R5_PS-01c.01[01]

HRS-01 HRS-01_A22 the current personnel security policy is reviewed and updated following organization-defined events. 53A_R5_PS-01c.01[02]

HRS-01 HRS-01_A23 the current personnel security procedures are reviewed and updated at an organization-defined frequency. 53A_R5_PS-01c.02[01]

HRS-01 HRS-01_A24 the current personnel security procedures are reviewed and updated following organization-defined events. 53A_R5_PS-01c.02[02]

HRS-01 HRS-01_A25 information security-related duties, roles, and responsibilities are defined. 171A_3.2.2[a]

HRS-01 HRS-01_A26 information security-related duties, roles, and responsibilities are assigned to designated personnel. 171A_3.2.2[b]

HRS-01 HRS-01_A27 personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. 171A_3.2.2[c]

HRS-01 HRS-01_A28 a policy and/or process for terminating system access and any credentials coincident with personnel actions is established. 171A_3.9.2[a]

HRS-02 HRS-02_A01 the frequency at which to review and update position risk designations is defined. 53A_R5_PS-02_ODP

HRS-02 HRS-02_A02 a risk designation is assigned to all organizational positions. 53A_R5_PS-02a.

HRS-02 HRS-02_A03 screening criteria are established for individuals filling organizational positions. 53A_R5_PS-02b.

HRS-02 HRS-02_A04 position risk designations are reviewed and updated per an organization-defined frequency. 53A_R5_PS-02c.

HRS-02.1 HRS-02.1_A01 every user accessing a system that processes, stores or transmits sensitive/regulated information is cleared and regularly trained to handle the information in question. SCF Created

HRS-02.2 HRS-02.2_A01 additional monitoring to be implemented on individuals during probationary periods is defined. 53A_R5_SI-04(21)_ODP[01]

HRS-02.2 HRS-02.2_A02 the probationary period of individuals is defined. 53A_R5_SI-04(21)_ODP[02]

HRS-02.2 HRS-02.2_A03 additional monitoring of individuals is implemented during the probationary period. 53A_R5_SI-04(21)

HRS-03 HRS-03_A01 cybersecurity roles and responsibilities are incorporated into organizational position descriptions. 53A_R5_PS-09[01]


HRS-03 HRS-03_A02 privacy roles and responsibilities are incorporated into organizational position descriptions. 53A_R5_PS-09[02]

HRS-03.1 HRS-03.1_A01 users are formally made aware of their roles and responsibilities to maintain a safe and secure working environment. SCF Created

HRS-03.1 HRS-03.1_A02 acknowledgement of user awareness is maintained by the organization. SCF Created

HRS-03.2 HRS-03.2_A01 the frequency at which to review and update position risk designations is defined. 53A_R5_PS-02_ODP

HRS-03.2 HRS-03.2_A02 a risk designation is assigned to all organizational positions. 53A_R5_PS-02a.

HRS-03.2 HRS-03.2_A03 screening criteria are established for individuals filling organizational positions. 53A_R5_PS-02b.

HRS-03.2 HRS-03.2_A04 position risk designations are reviewed and updated per an organization-defined frequency. 53A_R5_PS-02c.

HRS-04 HRS-04_A01 conditions requiring rescreening of individuals are defined. 53A_R5_PS-03_ODP[01]

HRS-04 HRS-04_A02 the frequency of rescreening individuals where it is so indicated is defined. 53A_R5_PS-03_ODP[02]

HRS-04 HRS-04_A03 individuals are screened prior to authorizing access to the system. 53A_R5_PS-03a.

HRS-04 HRS-04_A04 individuals are screened prior to authorizing access to systems containing sensitive / regulated data. 171A_3.9.1

HRS-04 HRS-04_A05 individuals are rescreened in accordance with conditions requiring rescreening. 53A_R5_PS-03b.[01]

HRS-04 HRS-04_A06 where rescreening is so indicated, individuals are rescreened at an organization-defined frequency. 53A_R5_PS-03b.[02]

HRS-04.1 HRS-04.1_A01 enhanced personnel screening for individuals is defined. 172A_3.9.1e_ODP[1]

HRS-04.1 HRS-04.1_A02 the frequency with which to reassess individual positions and access to sensitive / regulated data is defined. 172A_3.9.1e_ODP[2]

HRS-04.1 HRS-04.1_A03 individuals that require enhanced personnel screening are identified. 172A_3.9.1e[a]

HRS-04.1 HRS-04.1_A04 positions that require access to sensitive / regulated data are identified. 172A_3.9.1e[b]

HRS-04.1 HRS-04.1_A05 enhanced personnel screening is conducted for individuals. 172A_3.9.1e[c]

HRS-04.1 HRS-04.1_A06 individual positions and access to sensitive / regulated data are reassessed at an organization-defined frequency. 172A_3.9.1e[d]

HRS-04.1 HRS-04.1_A07 individuals with access to sensitive / regulated data are identified. 172A_3.9.2e[a]

HRS-04.1 HRS-04.1_A08 adverse information about individuals with access to sensitive / regulated data is defined. 172A_3.9.2e[b]

HRS-04.1 HRS-04.1_A09 organizational systems to which individuals have access are identified. 172A_3.9.2e[c]

HRS-04.1 HRS-04.1_A10 mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to sensitive / regulated data. 172A_3.9.2e[d]

HRS-04.1 HRS-04.1_A11 individuals accessing a system processing, storing or transmitting classified information are cleared. 53A_R5_PS-03(01)[01]

HRS-04.1 HRS-04.1_A12 individuals accessing a system processing, storing or transmitting classified information are indoctrinated to the highest classification level of the information to which they have access on the system. 53A_R5_PS-03(01)[02]

HRS-04.1 HRS-04.1_A13 additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing or transmitting information requiring special protection are defined. 53A_R5_PS-03(03)_ODP

HRS-04.1 HRS-04.1_A14 individuals accessing a system processing, storing or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned duties. 53A_R5_PS-03(03)(a)

HRS-04.1 HRS-04.1_A15 individuals accessing a system processing, storing or transmitting information requiring special protection satisfy additional personnel screening criteria. 53A_R5_PS-03(03)(b)

HRS-04.2 HRS-04.2_A01 individuals accessing a system processing, storing or transmitting types of classified information that require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system. 53A_R5_PS-03(02)

HRS-04.3 HRS-04.3_A01 information types that are processed, stored or transmitted by a system that requires individuals accessing the system to meet citizenship requirements are defined. 53A_R5_PS-03(04)_ODP[01]

HRS-04.3 HRS-04.3_A02 citizenship requirements to be met by individuals to access a system processing, storing or transmitting information are defined. 53A_R5_PS-03(04)_ODP[02]

HRS-04.3 HRS-04.3_A03 individuals accessing a system processing, storing or transmitting information types meet citizenship requirements. 53A_R5_PS-03(04)

HRS-04.4 HRS-04.4_A01 foreign nationals, including by their specific citizenship, are identified. SCF Created

HRS-04.4 HRS-04.4_A02 foreign citizenship identification is made conspicuous to other users in environments that contain export-controlled data. SCF Created

HRS-05 HRS-05_A01 through terms of employment, all employees and contractors are required to apply cybersecurity & privacy principles in their daily work. SCF Created

HRS-05.1 HRS-05.1_A01 frequency for reviewing and updating the rules of behavior is defined. 53A_R5_PL-04_ODP[01] 53A_R5_PL-04_ODP[02]


HRS-05.1 HRS-05.1_A02 frequency for individuals to read and re-acknowledge the rules of behavior is defined. 53A_R5_PL-04_ODP[03]

HRS-05.1 HRS-05.1_A03 rules that describe responsibilities and expected behavior for information and system usage, cybersecurity & privacy are established for individuals requiring access to the system. 53A_R5_PL-04a.[01] 53A_R5_PL-04a.[02]

HRS-05.1 HRS-05.1_A04 before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand and agree to abide by the rules of behavior is received. 53A_R5_PL-04b.

HRS-05.1 HRS-05.1_A05 rules of behavior are reviewed and updated frequently. 53A_R5_PL-04c.

HRS-05.1 HRS-05.1_A06 individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge the organization's current rules of behavior. 53A_R5_PL-04d.

HRS-05.2 HRS-05.2_A01 the rules of behavior include restrictions on the use of social media, social networking sites and external sites/applications. 53A_R5_PL-04(01)(a)

HRS-05.2 HRS-05.2_A02 the rules of behavior include restrictions on posting organizational information on public websites. 53A_R5_PL-04(01)(b)

HRS-05.2 HRS-05.2_A03 the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. 53A_R5_PL-04(01)(c)

HRS-05.3 HRS-05.3_A01 rules that describe responsibilities and expected behavior for information and system usage, cybersecurity & privacy are established for individuals requiring access to the system. 53A_R5_PL-04a.[01] 53A_R5_PL-04a.[02]

HRS-05.3 HRS-05.3_A02 before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand and agree to abide by the rules of behavior is received. 53A_R5_PL-04b.

HRS-05.4 HRS-05.4_A01 rules that describe responsibilities and expected behavior for information and system usage, cybersecurity & privacy are established for individuals requiring access to the system. 53A_R5_PL-04a.[01] 53A_R5_PL-04a.[02]

HRS-05.4 HRS-05.4_A02 before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand and agree to abide by the rules of behavior is received. 53A_R5_PL-04b.

HRS-05.5 HRS-05.5_A01 rules that describe responsibilities and expected behavior for information and system usage, cybersecurity & privacy are established for individuals requiring access to the system. 53A_R5_PL-04a.[01] 53A_R5_PL-04a.[02]

HRS-05.5 HRS-05.5_A02 before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand and agree to abide by the rules of behavior is received. 53A_R5_PL-04b.

HRS-05.6 HRS-05.6_A01 the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) is prohibited to prevent the unauthorized exfiltration of data and technology assets. SCF Created

HRS-05.7 HRS-05.7_A01 personnel receive recurring familiarization with the organization’s cybersecurity and privacy policies. SCF Created

HRS-05.7 HRS-05.7_A02 individuals who have acknowledged a previous version of the organization's cybersecurity and privacy policies are required to read and reacknowledge the organization's current cybersecurity and privacy policies. SCF Created

HRS-06 HRS-06_A01 the frequency at which to review and update access agreements is defined. 53A_R5_PS-06_ODP[01]

HRS-06 HRS-06_A02 the frequency at which to re-sign access agreements to maintain access to organizational information is defined. 53A_R5_PS-06_ODP[02]

HRS-06 HRS-06_A03 access agreements are developed and documented for organizational systems. 53A_R5_PS-06a.

HRS-06 HRS-06_A04 the access agreements are reviewed and updated frequently. 53A_R5_PS-06b.

HRS-06 HRS-06_A05 individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access. 53A_R5_PS-06c.01

HRS-06 HRS-06_A06 individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or at an organization-defined frequency. 53A_R5_PS-06c.02

HRS-06.1 HRS-06.1_A01 the frequency at which to review and update access agreements is defined. 53A_R5_PS-06_ODP[01]

HRS-06.1 HRS-06.1_A02 the frequency at which to re-sign access agreements to maintain access to organizational information is defined. 53A_R5_PS-06_ODP[02]

HRS-06.1 HRS-06.1_A03 access agreements are developed and documented for organizational systems. 53A_R5_PS-06a.

HRS-06.1 HRS-06.1_A04 the access agreements are reviewed and updated frequently. 53A_R5_PS-06b.

HRS-06.1 HRS-06.1_A05 individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access. 53A_R5_PS-06c.01

HRS-06.1 HRS-06.1_A06 individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or at an organization-defined frequency. 53A_R5_PS-06c.02

HRS-06.1 HRS-06.1_A07 access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned duties. 53A_R5_PS-06(02)(a)

HRS-06.1 HRS-06.1_A08 access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria. 53A_R5_PS-06(02)(b)

HRS-06.1 HRS-06.1_A09 access to classified information requiring special protection is granted only to individuals who have read, understood and signed a non-disclosure agreement. 53A_R5_PS-06(02)(c)

HRS-06.2 HRS-06.2_A01 individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information. 53A_R5_PS-06(03)(a)

HRS-06.2 HRS-06.2_A02 individuals are required to sign an acknowledgement of applicable, legally binding post-employment requirements as part of being granted initial access to covered information. 53A_R5_PS-06(03)(b)

HRS-07 HRS-07_A01 a policy and/or process for terminating system access and any credentials coincident with personnel actions is established. 171A_3.9.2[a]

HRS-07 HRS-07_A02 a formal sanctions process is employed for individuals failing to comply with established cybersecurity & privacy policies and procedures. 53A_R5_PS-08a.

Licensed by Creative Commons Attribution-NoDerivatives 160 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

HRS-07 HRS-07_A03 personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined. 53A_R5_PS-08_ODP[01]

HRS-07 HRS-07_A04 the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined. 53A_R5_PS-08_ODP[02]

HRS-07 HRS-07_A05 personnel or roles is/are notified within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. 53A_R5_PS-08b.

HRS-07 HRS-07_A06 system access and credentials are terminated consistent with personnel actions such as termination or transfer. 171A_3.9.2[b]

HRS-07 HRS-07_A07 the system is protected during and after personnel transfer actions. 171A_3.9.2[c]

HRS-07 HRS-07_A08 individuals with access to sensitive / regulated data are identified. 172A_3.9.2e[a]

HRS-07 HRS-07_A09 adverse information about individuals with access to sensitive / regulated data is defined. 172A_3.9.2e[b]

HRS-07 HRS-07_A10 organizational systems to which individuals have access are identified. 172A_3.9.2e[c]

HRS-07 HRS-07_A11 mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to sensitive / regulated data. 172A_3.9.2e[d]

HRS-07.1 HRS-07.1_A01 individuals with access to sensitive / regulated data are identified. 172A_3.9.2e[a]

HRS-07.1 HRS-07.1_A02 adverse information about individuals with access to sensitive / regulated data is defined. 172A_3.9.2e[b]

HRS-07.1 HRS-07.1_A03 organizational systems to which individuals have access are identified. 172A_3.9.2e[c]

HRS-07.1 HRS-07.1_A04 mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to sensitive / regulated data. 172A_3.9.2e[d]

HRS-08 HRS-08_A01 criteria and/or process for terminating system access and any credentials coincident with personnel actions is established. 171A_3.9.2[a]

HRS-08 HRS-08_A02 system access and credentials are terminated consistent with personnel actions such as termination or transfer. 171A_3.9.2[b]

HRS-08 HRS-08_A03 the system is protected during and after personnel transfer actions. 171A_3.9.2[c]

HRS-08 HRS-08_A04 transfer or reassignment actions to be initiated following transfer or reassignment are defined. 53A_R5_PS-05_ODP[01]

HRS-08 HRS-08_A05 the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined. 53A_R5_PS-05_ODP[02]

HRS-08 HRS-08_A06 personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined. 53A_R5_PS-05_ODP[03]

HRS-08 HRS-08_A07 time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined. 53A_R5_PS-05_ODP[04]

HRS-08 HRS-08_A08 the ongoing operational need for current logical and physical access authorizations to systems and facilities is reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization. 53A_R5_PS-05a.

HRS-08 HRS-08_A09 transfer or reassignment actions are initiated within an organization-defined time period following the formal transfer action. 53A_R5_PS-05b.

HRS-08 HRS-08_A10 access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer. 53A_R5_PS-05c.

HRS-08 HRS-08_A11 personnel or roles are notified within an organization-defined time period. 53A_R5_PS-05d.

HRS-09 HRS-09_A01 criteria and/or process for terminating system access and any credentials coincident with personnel actions is established. 171A_3.9.2[a]

HRS-09 HRS-09_A02 system access and credentials are terminated consistent with personnel actions such as termination or transfer. 171A_3.9.2[b]

HRS-09 HRS-09_A03 the system is protected during and after personnel transfer actions. 171A_3.9.2[c]

HRS-09 HRS-09_A04 a time period within which to disable system access is defined. 53A_R5_PS-04_ODP[01]

HRS-09 HRS-09_A05 cybersecurity topics to be discussed when conducting exit interviews are defined. 53A_R5_PS-04_ODP[02]

HRS-09 HRS-09_A06 upon termination of individual employment, system access is disabled within an organization-defined time period. 53A_R5_PS-04a.

HRS-09 HRS-09_A07 upon termination of individual employment, any authenticators and credentials are terminated or revoked. 53A_R5_PS-04b.

HRS-09 HRS-09_A08 upon termination of individual employment, exit interviews that include a discussion of cybersecurity topics are conducted. 53A_R5_PS-04c.

HRS-09 HRS-09_A09 upon termination of individual employment, all security-related organizational system-related property is retrieved. 53A_R5_PS-04d.

HRS-09 HRS-09_A10 upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual is retained. 53A_R5_PS-04e.

HRS-09.1 HRS-09.1_A01 organization-owned assets are retrieved upon termination of an individual's employment. SCF Created

HRS-09.2 HRS-09.2_A01 time period within which to disable accounts of individuals who are discovered to pose significant risk is defined. 53A_R5_AC-02(13)_ODP[01]

HRS-09.2 HRS-09.2_A02 significant risks leading to disabling accounts are defined. 53A_R5_AC-02(13)_ODP[02]

HRS-09.2 HRS-09.2_A03 accounts of individuals are disabled within organization-defined time period of discovery of organization-defined significant risks. 53A_R5_AC-02(13)

HRS-09.2 HRS-09.2_A04 individuals with access to sensitive / regulated data are identified. 172A_3.9.2e[a]

HRS-09.2 HRS-09.2_A05 adverse information about individuals with access to sensitive / regulated data is defined. 172A_3.9.2e[b]

HRS-09.2 HRS-09.2_A06 organizational systems to which individuals have access are identified. 172A_3.9.2e[c]

HRS-09.2 HRS-09.2_A07 mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to sensitive / regulated data. 172A_3.9.2e[d]

HRS-09.3 HRS-09.3_A01 terminated individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information. 53A_R5_PS-04(01)(a)

HRS-09.3 HRS-09.3_A02 terminated individuals are required to sign an acknowledgement of post-employment requirements as part of the organizational termination process. 53A_R5_PS-04(01)(b)

HRS-09.4 HRS-09.4_A01 automated mechanisms to notify personnel or roles of individual termination actions and/or to disable access to system resources are defined. 53A_R5_PS-04(02)_ODP[01]

HRS-09.4 HRS-09.4_A02 personnel or roles to be notified upon termination of an individual is/are defined. 53A_R5_PS-04(02)_ODP[03]

HRS-09.4 HRS-09.4_A03 automated mechanisms are used to notify personnel or roles of individual termination actions and/or disable access to system resources. 53A_R5_PS-04(02); 53A_R5_PS-04(02)_ODP[02]

HRS-10 HRS-10_A01 personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined. 53A_R5_PS-07_ODP[01]

HRS-10 HRS-10_A02 time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined. 53A_R5_PS-07_ODP[02]

HRS-10 HRS-10_A03 personnel security requirements are established, including security roles and responsibilities for external providers. 53A_R5_PS-07a.

HRS-10 HRS-10_A04 external providers are required to comply with personnel security policies and procedures established by the organization. 53A_R5_PS-07b.

HRS-10 HRS-10_A05 personnel security requirements are documented. 53A_R5_PS-07c.

HRS-10 HRS-10_A06 external providers are required to notify personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within an organization-defined time period. 53A_R5_PS-07d.

HRS-10 HRS-10_A07 provider compliance with personnel security requirements is monitored. 53A_R5_PS-07e.

HRS-11 HRS-11_A01 the duties of individuals requiring separation are defined. 171A_3.1.4[a]; 53A_R5_AC-05_ODP

HRS-11 HRS-11_A02 responsibilities for duties that require separation are assigned to separate individuals. 171A_3.1.4[b]; 53A_R5_AC-05a.

HRS-11 HRS-11_A03 access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. 171A_3.1.4[c]; 53A_R5_AC-05b.

HRS-12 HRS-12_A01 incompatible development-specific roles are prevented through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment. SCF Created

HRS-12.1 HRS-12.1_A01 privileged commands and/or other actions requiring dual authorization are defined. 53A_R5_AC-03(02)_ODP

HRS-12.1 HRS-12.1_A02 dual authorization is enforced for organization-defined privileged commands and/or other actions. 53A_R5_AC-03(02)

HRS-12.1 HRS-12.1_A03 critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified. 172A_3.1.1e[a]; 53A_R5_CM-05(04)_ODP[01]

HRS-12.1 HRS-12.1_A04 dual authorization is employed to execute critical or sensitive system and organizational operations. 172A_3.1.1e[b]; 53A_R5_CM-05(04)[01]; 53A_R5_CM-05(04)[02]

HRS-13 HRS-13_A01 critical cybersecurity & privacy skills needed to support the organization’s mission are defined. SCF Created

HRS-13 HRS-13_A02 gaps / shortfalls in identified critical cybersecurity & privacy skills needed to support the organization’s mission are identified. SCF Created

HRS-13.1 HRS-13.1_A01 a plan to remediate critical skills deficiencies necessary to support the organization’s mission and business functions is defined. SCF Created

HRS-13.1 HRS-13.1_A02 a plan to remediate critical skills deficiencies necessary to support the organization’s mission and business functions is implemented. SCF Created

HRS-13.2 HRS-13.2_A01 vital cybersecurity & privacy staff are identified. SCF Created

HRS-13.3 HRS-13.3_A01 redundancy for vital cybersecurity & privacy staff is defined. SCF Created

HRS-13.3 HRS-13.3_A02 redundancy for vital cybersecurity & privacy staff is implemented. SCF Created

HRS-13.4 HRS-13.4_A01 succession planning for vital cybersecurity & privacy roles is performed. SCF Created

IAC-01 IAC-01_A01 the Identity & Access Management (IAM) program is organization-wide. 53A_R5_AC-01_ODP[03]

IAC-01.1 IAC-01.1_A01 a record of personnel accountability is retained to ensure there is a record of all access granted to an individual (system and application-wise). SCF Created

IAC-01.1 IAC-01.1_A02 a record of personnel accountability is retained to ensure there is a record of who provided the authorization. SCF Created

IAC-01.1 IAC-01.1_A03 a record of personnel accountability is retained to ensure there is a record of when the authorization was granted and when the access was last reviewed. SCF Created

IAC-01.1 IAC-01.1_A04 a record of personnel accountability is retained to ensure there is a record of when the access was last reviewed. SCF Created

IAC-01.2 IAC-01.2_A01 an inventory of Authenticate, Authorize and Audit (AAA) solutions exists, including instances on-premises and hosted by an External Service Provider (ESP). SCF Created

IAC-01.2 IAC-01.2_A02 procedures exist to govern on-premises AAA solutions by assigned stakeholders. SCF Created

IAC-01.2 IAC-01.2_A03 controls with ESPs contain explicit governance requirements for ESP-controlled AAA solutions. SCF Created

IAC-02 IAC-02_A01 system users are identified. 171A_3.5.1[a]; 53A_R5_IA-02[01]

IAC-02 IAC-02_A02 processes acting on behalf of users are identified. 171A_3.5.1[b]

IAC-02 IAC-02_A03 devices accessing the system are identified. 171A_3.5.1[c]

IAC-02 IAC-02_A04 the identity of each user is authenticated or verified as a prerequisite to system access. 171A_3.5.2[a]; 53A_R5_IA-02[01]

IAC-02 IAC-02_A05 the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access. 171A_3.5.2[b]

IAC-02 IAC-02_A06 the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. 171A_3.5.2[c]

IAC-02 IAC-02_A07 the unique identification of authenticated organizational users is associated with processes acting on behalf of those users. 53A_R5_IA-02[02]

IAC-02.1 IAC-02.1_A01 users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed. 53A_R5_IA-02(05)

IAC-02.2 IAC-02.2_A01 replay-resistant authentication mechanisms for access to both privileged accounts and non-privileged accounts are implemented. 171A_3.5.4; 53A_R5_IA-02[01]; 53A_R5_IA-02(08)_ODP

IAC-02.2 IAC-02.2_A02 systems and system components to identify and authenticate are defined. 172A_3.5.1e_ODP[1]

IAC-02.2 IAC-02.2_A03 bidirectional authentication that is cryptographically-based is implemented. 172A_3.5.1e[a]

IAC-02.2 IAC-02.2_A04 bidirectional authentication that is replay-resistant is implemented. 172A_3.5.1e[b]

IAC-02.2 IAC-02.2_A05 systems and system components are identified and authenticated before establishing a network connection using bidirectional authentication that is cryptographically-based and replay-resistant. 172A_3.5.1e[c]

IAC-02.3 IAC-02.3_A01 Personal Identity Verification (PIV)-compliant credentials are accepted and electronically verified. 53A_R5_IA-02(12)

IAC-02.3 IAC-02.3_A02 organizational controls for using federated or PKI credentials are defined. 53A_R5_IA-08(05)_ODP

IAC-02.3 IAC-02.3_A03 federated or PKI credentials that meet policy are accepted. 53A_R5_IA-08(05)[01]

IAC-02.3 IAC-02.3_A04 federated or PKI credentials that meet policy are verified. 53A_R5_IA-08(05)[02]

IAC-02.4 IAC-02.4_A01 out-of-band authentication mechanisms to be implemented are defined. 53A_R5_IA-02(13)_ODP[01]

IAC-02.4 IAC-02.4_A02 conditions under which out-of-band authentication is to be implemented are defined. 53A_R5_IA-02(13)_ODP[02]

IAC-02.4 IAC-02.4_A03 out-of-band authentication mechanisms are implemented under organization-defined conditions. 53A_R5_IA-02(13)

IAC-03 IAC-03_A01 non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated. 53A_R5_IA-08

IAC-03.1 IAC-03.1_A01 Personal Identity Verification (PIV)-compliant credentials from other federal agencies are accepted. 53A_R5_IA-08(01)[01]

IAC-03.1 IAC-03.1_A02 Personal Identity Verification (PIV)-compliant credentials from other federal agencies are electronically verified. 53A_R5_IA-08(01)[02]

IAC-03.2 IAC-03.2_A01 only external authenticators that are NIST-compliant are accepted. 53A_R5_IA-08(02)(a)

IAC-03.2 IAC-03.2_A02 a list of accepted external authenticators is documented. 53A_R5_IA-08(02)(b)[01]

IAC-03.2 IAC-03.2_A03 a list of accepted external authenticators is maintained. 53A_R5_IA-08(02)(b)[02]

IAC-03.3 IAC-03.3_A01 identity management profiles are defined. 53A_R5_IA-08(04)_ODP

IAC-03.3 IAC-03.3_A02 there is conformance with identity management profiles for identity management. 53A_R5_IA-08(04)

IAC-03.4 IAC-03.4_A01 disassociability measures are defined. 53A_R5_IA-08(06)_ODP

IAC-03.4 IAC-03.4_A02 measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers and relying parties are implemented. 53A_R5_IA-08(06)

IAC-03.5 IAC-03.5_A01 the use of external authenticators is restricted to those that are National Institute of Standards and Technology (NIST)-compliant, and a list of accepted external authenticators is maintained. SCF Created

IAC-04 IAC-04_A01 devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined. 53A_R5_IA-03_ODP[01]

IAC-04 IAC-04_A02 devices and/or types of devices are uniquely identified and authenticated before establishing a local connection. 53A_R5_IA-03; 53A_R5_IA-03_ODP[02]

IAC-04 IAC-04_A03 devices and/or types of devices are uniquely identified and authenticated before establishing a remote connection. 53A_R5_IA-03; 53A_R5_IA-03_ODP[02]

IAC-04 IAC-04_A04 devices and/or types of devices are uniquely identified and authenticated before establishing a network connection. 53A_R5_IA-03; 53A_R5_IA-03_ODP[02]

IAC-04 IAC-04_A05 devices and/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticate before establishing one or more connections are defined. 53A_R5_IA-03(01)_ODP[01]

IAC-04 IAC-04_A06 devices and/or types of devices are authenticated before establishing a local connection using bidirectional authentication that is cryptographically based. 53A_R5_IA-03(01); 53A_R5_IA-03(01)_ODP[02]

IAC-04 IAC-04_A07 devices and/or types of devices are authenticated before establishing a remote connection using bidirectional authentication that is cryptographically based. 53A_R5_IA-03(01); 53A_R5_IA-03(01)_ODP[02]

IAC-04 IAC-04_A08 devices and/or types of devices are authenticated before establishing a network connection using bidirectional authentication that is cryptographically based. 53A_R5_IA-03(01); 53A_R5_IA-03(01)_ODP[02]

IAC-04 IAC-04_A09 device identification and authentication are handled based on attestation by configuration management process. 53A_R5_IA-03(04)

IAC-04.1 IAC-04.1_A01 configuration management process to be employed to handle device identification and authentication based on attestation is defined. 53A_R5_IA-03(04)_ODP

IAC-05 IAC-05_A01 system services and applications to be uniquely identified and authenticated are defined. 53A_R5_IA-09_ODP

IAC-05 IAC-05_A02 system services and applications are uniquely identified and authenticated before establishing communications with devices, users or other services or applications. 53A_R5_IA-09

IAC-05.1 IAC-05.1_A01 third-party service providers provide the organization with current and accurate information for any third-party user with access to the organization's data or assets. SCF Created

IAC-05.2 IAC-05.2_A01 privileged access by non-organizational users is prohibited. SCF Created

IAC-06 IAC-06_A01 multi-factor authentication is implemented for access to privileged accounts. 53A_R5_IA-02(01)

IAC-06 IAC-06_A02 multi-factor authentication for access to non-privileged accounts is implemented. 53A_R5_IA-02(02)

IAC-06 IAC-06_A03 system components that are known, authenticated, in a properly configured state or in a trust profile are identified. 172A_3.5.3e[a]

IAC-06 IAC-06_A04 automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems are identified. 172A_3.5.3e[b]

IAC-06 IAC-06_A05 automated or manual/procedural mechanisms are employed to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state or in a trust profile. 172A_3.5.3e[c]

IAC-06.1 IAC-06.1_A01 privileged accounts are identified. 171A_3.5.3[a]

IAC-06.1 IAC-06.1_A02 multifactor authentication is implemented for network access to privileged accounts. 171A_3.5.3[c]; 53A_R5_IA-02(01)

IAC-06.2 IAC-06.2_A01 multifactor authentication is implemented for network access to non-privileged accounts. 171A_3.5.3[d]; 53A_R5_IA-02(02)

IAC-06.3 IAC-06.3_A01 privileged accounts are identified. 171A_3.5.3[a]

IAC-06.3 IAC-06.3_A02 multifactor authentication is implemented for local access to privileged accounts. 171A_3.5.3[b]

IAC-06.4 IAC-06.4_A01 multi-factor authentication is implemented for access to privileged accounts. 53A_R5_IA-02(01)

IAC-06.4 IAC-06.4_A02 multi-factor authentication for access to non-privileged accounts is implemented. 53A_R5_IA-02(02)

IAC-07 IAC-07_A01 the validation and verification of identity evidence is conducted in person before a designated registration authority. 53A_R5_IA-12(04)

IAC-07.1 IAC-07.1_A01 user access rights are revoked following changes in personnel roles and duties, if no longer necessary or permitted. SCF Created

IAC-07.2 IAC-07.2_A01 prerequisites and criteria for group and role membership are defined. 53A_R5_AC-02_ODP[01]

IAC-07.2 IAC-07.2_A02 attributes (as required) for each account are defined. 53A_R5_AC-02_ODP[02]

IAC-07.2 IAC-07.2_A03 personnel or roles required to approve requests to create accounts is/are defined. 53A_R5_AC-02_ODP[03]

IAC-07.2 IAC-07.2_A04 criteria for account creation, enabling, modification, disabling and removal are defined. 53A_R5_AC-02_ODP[04]

IAC-07.2 IAC-07.2_A05 personnel or roles to be notified is/are defined. 53A_R5_AC-02_ODP[05]

IAC-07.2 IAC-07.2_A06 time period within which to notify account managers when accounts are no longer required is defined. 53A_R5_AC-02_ODP[06]

IAC-07.2 IAC-07.2_A07 time period within which to notify account managers when users are terminated or transferred is defined. 53A_R5_AC-02_ODP[07]

IAC-07.2 IAC-07.2_A08 time period within which to notify account managers when system usage or the need to know changes for an individual is defined. 53A_R5_AC-02_ODP[08]

IAC-07.2 IAC-07.2_A09 attributes needed to authorize system access (as required) are defined. 53A_R5_AC-02_ODP[09]

IAC-07.2 IAC-07.2_A10 the frequency of account review is defined. 53A_R5_AC-02_ODP[10]

IAC-07.2 IAC-07.2_A11 account types allowed for use within the system are defined and documented. 53A_R5_AC-02a.[01]

IAC-07.2 IAC-07.2_A12 account types specifically prohibited for use within the system are defined and documented. 53A_R5_AC-02a.[02]

IAC-07.2 IAC-07.2_A13 account managers are assigned. 53A_R5_AC-02b.

IAC-07.2 IAC-07.2_A14 prerequisites and criteria for group and role membership are required. 53A_R5_AC-02c.

IAC-07.2 IAC-07.2_A15 authorized users of the system are specified. 53A_R5_AC-02d.01

IAC-07.2 IAC-07.2_A16 group and role membership are specified. 53A_R5_AC-02d.02

IAC-07.2 IAC-07.2_A17 access authorizations (e.g., privileges) are specified for each account. 53A_R5_AC-02d.03[01]

IAC-07.2 IAC-07.2_A18 attributes (as required) are specified for each account. 53A_R5_AC-02d.03[02]

IAC-07.2 IAC-07.2_A19 approvals are required by personnel or roles for requests to create accounts. 53A_R5_AC-02e.

IAC-07.2 IAC-07.2_A20 accounts are created in accordance with policy, procedures, prerequisites and criteria. 53A_R5_AC-02f.[01]

IAC-07.2 IAC-07.2_A21 accounts are enabled in accordance with policy, procedures, prerequisites and criteria. 53A_R5_AC-02f.[02]

IAC-07.2 IAC-07.2_A22 accounts are modified in accordance with policy, procedures, prerequisites and criteria. 53A_R5_AC-02f.[03]

IAC-07.2 IAC-07.2_A23 accounts are disabled in accordance with policy, procedures, prerequisites and criteria. 53A_R5_AC-02f.[04]

IAC-07.2 IAC-07.2_A24 accounts are removed in accordance with policy, procedures, prerequisites and criteria. 53A_R5_AC-02f.[05]

IAC-07.2 IAC-07.2_A25 the use of accounts is monitored. 53A_R5_AC-02g.

IAC-07.2 IAC-07.2_A26 account managers and personnel or roles are notified within an organization-defined time period when accounts are no longer required. 53A_R5_AC-02h.01

IAC-07.2 IAC-07.2_A27 account managers and personnel or roles are notified within an organization-defined time period when users are terminated or transferred. 53A_R5_AC-02h.02

IAC-07.2 IAC-07.2_A28 account managers and personnel or roles are notified within an organization-defined time period when system usage or the need to know changes for an individual. 53A_R5_AC-02h.03

IAC-07.2 IAC-07.2_A29 access to the system is authorized based on a valid access authorization. 53A_R5_AC-02i.01

IAC-07.2 IAC-07.2_A30 access to the system is authorized based on intended system usage. 53A_R5_AC-02i.02

IAC-07.2 IAC-07.2_A31 access to the system is authorized based on attributes (as required). 53A_R5_AC-02i.03

IAC-07.2 IAC-07.2_A32 accounts are reviewed for compliance with account management requirements at the organization-defined frequency. 53A_R5_AC-02j.

IAC-07.2 IAC-07.2_A33 a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group. 53A_R5_AC-02k.[01]

IAC-07.2 IAC-07.2_A34 a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group. 53A_R5_AC-02k.[02]

IAC-07.2 IAC-07.2_A35 account management processes are aligned with personnel termination processes. 53A_R5_AC-02l.[01]

IAC-07.2 IAC-07.2_A36 account management processes are aligned with personnel transfer processes. 53A_R5_AC-02l.[02]

IAC-07.2 IAC-07.2_A37 privileged user accounts are established and administered in accordance with organization-defined criteria. 53A_R5_AC-02(07)_ODP; 53A_R5_AC-02(07)(a)

IAC-07.2 IAC-07.2_A38 privileged role or attribute assignments are monitored. 53A_R5_AC-02(07)(b)

IAC-07.2 IAC-07.2_A39 changes to roles or attributes are monitored. 53A_R5_AC-02(07)(c)

IAC-07.2 IAC-07.2_A40 access is revoked when privileged role or attribute assignments are no longer appropriate. 53A_R5_AC-02(07)(d)

IAC-08 IAC-08_A01 the organization implements a role-based access scheme or an attribute-based access scheme. 53A_R5_AC-02(07)_ODP

IAC-08 IAC-08_A02 privileged user accounts are established and administered in accordance with organization-defined parameters. 53A_R5_AC-02(07)(a)

IAC-08 IAC-08_A03 privileged role or attribute assignments are monitored. 53A_R5_AC-02(07)(b)

IAC-08 IAC-08_A04 changes to roles or attributes are monitored. 53A_R5_AC-02(07)(c)

IAC-08 IAC-08_A05 access is revoked when privileged role or attribute assignments are no longer appropriate. 53A_R5_AC-02(07)(d)

IAC-08 IAC-08_A06 access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned duties. 53A_R5_PS-06(02)(a)

IAC-08 IAC-08_A07 access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria. 53A_R5_PS-06(02)(b)

IAC-08 IAC-08_A08 access to classified information requiring special protection is granted only to individuals who have read, understood and signed a non-disclosure agreement. 53A_R5_PS-06(02)(c)

IAC-09 IAC-09_A01 personnel or roles from whom authorization must be received to assign an identifier are defined. 53A_R5_IA-04_ODP[01]

IAC-09 IAC-09_A02 a time period for preventing reuse of identifiers is defined. 53A_R5_IA-04_ODP[02]; 171A_3.5.5[a]

IAC-09 IAC-09_A03 system identifiers are managed by receiving authorization from personnel or roles to assign to an individual, group, role or device identifier. 53A_R5_IA-04a.

IAC-09 IAC-09_A04 system identifiers are managed by selecting an identifier that identifies an individual, group, role, service or device. 53A_R5_IA-04b.

IAC-09 IAC-09_A05 system identifiers are managed by assigning the identifier to the intended individual, group, role, service or device. 53A_R5_IA-04c.

IAC-09 IAC-09_A06 system identifiers are managed by preventing reuse of identifiers for the organization-defined time period. 53A_R5_IA-04d.; 171A_3.5.5[b]

IAC-09.1 IAC-09.1_A01 characteristics used to identify individual status are defined. 53A_R5_IA-04(04)_ODP

IAC-09.1 IAC-09.1_A02 individual identifiers are managed by uniquely identifying each individual by the organization-defined characteristics that identify individual status. 53A_R5_IA-04(04)

IAC-09.2 IAC-09.2_A01 characteristics used to identify individual status are defined. 53A_R5_IA-04(04)_ODP

IAC-09.2 IAC-09.2_A02 individual identifiers are managed by uniquely identifying each individual by the organization-defined characteristics that identify individual status. 53A_R5_IA-04(04)

IAC-09.3 IAC-09.3_A01 individual identifiers are dynamically managed in accordance with dynamic identifier policy. 53A_R5_IA-04(05)

IAC-09.3 IAC-09.3_A02 rules for dynamically binding identities and authenticators are defined. 53A_R5_IA-05(10)_ODP

IAC-09.3 IAC-09.3_A03 identities and authenticators are dynamically bound using organization-defined binding rules. 53A_R5_IA-05(10)

IAC-09.4 IAC-09.4_A01 external organizations with whom to coordinate the cross-organization management of identifiers are defined. 53A_R5_IA-04(06)_ODP

IAC-09.4 IAC-09.4_A02 cross-organization management of identifiers is coordinated with external organizations. 53A_R5_IA-04(06)

IAC-09.5 IAC-09.5_A01 security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined. 53A_R5_IA-05(08)_ODP

IAC-09.5 IAC-09.5_A02 security controls are implemented to manage the risk of compromise due to individuals having accounts on multiple systems. 53A_R5_IA-05(08)

IAC-09.6 IAC-09.6_A01 pairwise pseudonymous identifiers are generated. 53A_R5_IA-04(08)

IAC-10 IAC-10_A01 the number of generations during which a password cannot be reused is specified. 171A_3.5.8[a]

IAC-10 IAC-10_A02 reuse of passwords is prohibited during the specified number of generations. 171A_3.5.8[b]

IAC-10 IAC-10_A03 an immediate change to a permanent password is required when a temporary password is used for system logon. 171A_3.5.9

IAC-10 IAC-10_A04 a time period for changing or refreshing authenticators by authenticator type is defined. 53A_R5_IA-05_ODP[01]

IAC-10 IAC-10_A05 events that trigger the change or refreshment of authenticators are defined. 53A_R5_IA-05_ODP[02]

IAC-10 IAC-10_A06 system authenticators are managed through the verification of the identity of the individual, group, role, service or device receiving the authenticator as part of the initial authenticator distribution. 53A_R5_IA-05a.

IAC-10 IAC-10_A07 system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization. 53A_R5_IA-05b.

IAC-10 IAC-10_A08 system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use. 53A_R5_IA-05c.

IAC-10 IAC-10_A09 system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; for lost, compromised or damaged authenticators; and for the revocation of authenticators. 53A_R5_IA-05d.

IAC-10 IAC-10_A10 system authenticators are managed through the change of default authenticators prior to first use. 53A_R5_IA-05e.

IAC-10 IAC-10_A11 system authenticators are managed through the change or refreshment of authenticators at the organization-defined time period by authenticator type or when organization-defined events occur. 53A_R5_IA-05f.

IAC-10 IAC-10_A12 system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification. 53A_R5_IA-05g.

IAC-10 IAC-10_A13 system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators. 53A_R5_IA-05h.[01]

Licensed by Creative Commons Attribution-NoDerivatives 166 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

IAC-10 IAC-10_A14 system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators. 53A_R5_IA-05h.[02]

IAC-10 IAC-10_A15 system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes. 53A_R5_IA-05i.

IAC-10 IAC-10_A16 the frequency at which to update the list of commonly used, expected or compromised passwords is defined. 53A_R5_IA-05(01)_ODP[01]

IAC-10 IAC-10_A17 authenticator composition and complexity rules are defined. 53A_R5_IA-05(01)_ODP[02]

IAC-10.1 IAC-10.1_A01 for password-based authentication, a list of commonly used, expected or compromised passwords is maintained and updated frequently and when organizational passwords are suspected to have been compromised directly or indirectly. 53A_R5_IA-05(01)(a)

IAC-10.1 IAC-10.1_A02 for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected or compromised passwords. 53A_R5_IA-05(01)(b)

IAC-10.1 IAC-10.1_A03 for password-based authentication, passwords are only transmitted over cryptographically protected channels. 53A_R5_IA-05(01)(c)

IAC-10.1 IAC-10.1_A04 for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash. 53A_R5_IA-05(01)(d)

IAC-10.1 IAC-10.1_A05 for password-based authentication, immediate selection of a new password is required upon account recovery. 53A_R5_IA-05(01)(e)

IAC-10.1 IAC-10.1_A06 for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters. 53A_R5_IA-05(01)(f)

IAC-10.1 IAC-10.1_A07 for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators. 53A_R5_IA-05(01)(g)

IAC-10.1 IAC-10.1_A08 for password-based authentication, composition and complexity rules are enforced. 53A_R5_IA-05(01)(h); 171A_3.5.7[c]

IAC-10.1 IAC-10.1_A09 password complexity requirements are defined. 171A_3.5.7[a]

IAC-10.1 IAC-10.1_A10 password change of character requirements are defined. 171A_3.5.7[b]

IAC-10.1 IAC-10.1_A11 minimum password complexity requirements, as defined, are enforced when new passwords are created. 171A_3.5.7[c]

IAC-10.1 IAC-10.1_A12 minimum password change of character requirements as defined are enforced when new passwords are created. 171A_3.5.7[d]
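The IAC-10 and IAC-10.1 objectives above describe concrete mechanisms an assessor can test: screening new passwords against a compromised-password list, allowing long passphrases with spaces and any printable character, prohibiting reuse for a number of generations, and storing passwords with an approved salted key derivation function, preferably keyed. The following Python block is an added example written for this page; it is not SCF or NIST code. The denylist, the pepper value, the minimum length, the five-generation history and the PBKDF2 iteration count are all constructed or assumed policy values, and the pepper would in practice come from a KMS or HSM rather than a literal.

```python
"""Password authenticator handling mapped to IAC-10 / IAC-10.1: denylist screening,
length and printable-character rules, reuse prevention across N generations, and
salted KDF storage keyed with a server-side secret. Added example, not SCF text."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed denylist (IAC-10.1_A01). Real deployments load a large, regularly
# refreshed list of breached and commonly used passwords.
COMPROMISED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1",
    "correct horse battery staple",
}

# Server-side secret that keys the stored hash (IAC-10.1_A04, "preferably using a
# keyed hash"). Assumption: loaded from a KMS/HSM at start-up and never stored with
# the user records, so a dump of the record store alone is not crackable offline.
PEPPER = b"constructed-demo-pepper-replace-me"

MIN_LENGTH = 12              # assumed policy; long passphrases allowed (IAC-10.1_A06)
HISTORY_GENERATIONS = 5      # assumed policy; reuse prohibited this many generations (IAC-10_A01/_A02)
PBKDF2_ITERATIONS = 100_000  # kept low for the demo; raise for production hardware
SALT_BYTES = 16


def check_password_policy(password: str) -> Optional[str]:
    """Return None if the candidate is acceptable, otherwise the rejection reason."""
    if len(password) < MIN_LENGTH:
        return "too short"
    # Spaces and every printable character are allowed; control characters are not.
    if not all(ch.isprintable() for ch in password):
        return "non-printable character"
    if password.lower() in COMPROMISED_PASSWORDS:
        return "commonly used or compromised"
    return None


def derive(password: str, salt: bytes) -> bytes:
    """Salted KDF (PBKDF2-HMAC-SHA256), then keyed with PEPPER via HMAC."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.new(PEPPER, dk, hashlib.sha256).digest()


class PasswordStore:
    """Per-user list of (salt, digest) pairs, newest first; only index 0 is live."""

    def __init__(self) -> None:
        self._records: Dict[str, List[Tuple[bytes, bytes]]] = {}

    def set_password(self, username: str, password: str) -> Optional[str]:
        """Enforce policy and generation history, then store a freshly salted digest."""
        reason = check_password_policy(password)
        if reason is not None:
            return reason
        history = self._records.get(username, [])
        # Reuse check: re-derive with each generation's own salt (IAC-10_A02).
        for salt, digest in history[:HISTORY_GENERATIONS]:
            if hmac.compare_digest(derive(password, salt), digest):
                return f"reused within last {HISTORY_GENERATIONS} generations"
        salt = os.urandom(SALT_BYTES)
        new_record = (salt, derive(password, salt))
        self._records[username] = ([new_record] + history)[:HISTORY_GENERATIONS]
        return None

    def verify(self, username: str, password: str) -> bool:
        """Constant-time compare against the live digest only."""
        history = self._records.get(username)
        if not history:
            # Burn a derivation so unknown users cost the same as wrong passwords.
            derive(password, bytes(SALT_BYTES))
            return False
        salt, digest = history[0]
        return hmac.compare_digest(derive(password, salt), digest)
```

Two points an assessor checking IAC-10_A02 and IAC-10.1_A04 should look for in a real implementation: the reuse check must re-derive the candidate under each historical salt (a plain digest comparison across generations only works if salts are reused, which defeats the salt), and the keyed step must use a secret that is not stored beside the records, otherwise it adds nothing over an unkeyed salted hash.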

IAC-10.2 IAC-10.2_A01 authorized access to the corresponding private key is enforced for public key-based authentication. 53A_R5_IA-05(02)(a)(01)

IAC-10.2 IAC-10.2_A02 the authenticated identity is mapped to the account of the individual or group for public key-based authentication. 53A_R5_IA-05(02)(a)(02)

IAC-10.2 IAC-10.2_A03 when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information. 53A_R5_IA-05(02)(b)(01)

IAC-10.2 IAC-10.2_A04 when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation. 53A_R5_IA-05(02)(b)(02)

IAC-10.3 IAC-10.3_A01 the validation and verification of identity evidence is conducted in person before a designated registration authority. 53A_R5_IA-12(04)

IAC-10.4 IAC-10.4_A01 authenticator composition and complexity rules are defined. 53A_R5_IA-05(01)_ODP[02]

IAC-10.4 IAC-10.4_A02 for password-based authentication, composition and complexity rules are enforced. 53A_R5_IA-05(01)(h)

IAC-10.4 IAC-10.4_A03 automated mechanisms for the generation, protection, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management are identified. 172A_3.5.2e[b]

IAC-10.4 IAC-10.4_A04 automated mechanisms for the generation, protection, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management are employed. 172A_3.5.2e[c]

IAC-10.5 IAC-10.5_A01 authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access. 53A_R5_IA-05(06)

IAC-10.5 IAC-10.5_A02 passwords are cryptographically protected in storage. 171A_3.5.10[a]

IAC-10.5 IAC-10.5_A03 passwords are cryptographically protected in transit. 171A_3.5.10[b]

IAC-10.6 IAC-10.6_A01 unencrypted static authenticators are not embedded in applications or other forms of static storage. 53A_R5_IA-05(07)

IAC-10.7 IAC-10.7_A01 organization-defined token quality requirements are satisfied for hardware token-based authentication. SCF Created

IAC-10.8 IAC-10.8_A01 developers and installers of system components are required to provide unique authenticators or change default authenticators prior to delivery and installation. 53A_R5_IA-05(05)

IAC-10.9 IAC-10.9_A01 security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined. 53A_R5_IA-05(08)_ODP

IAC-10.9 IAC-10.9_A02 security controls are implemented to manage the risk of compromise due to individuals having accounts on multiple systems. 53A_R5_IA-05(08)

IAC-10.10 IAC-10.10_A01 the time period after which the use of cached authenticators is prohibited is defined. 53A_R5_IA-05(13)_ODP

IAC-10.10 IAC-10.10_A02 the use of cached authenticators is prohibited after an organization-defined time period. 53A_R5_IA-05(13)

IAC-10.11 IAC-10.11_A01 systems and system components that do not support multifactor authentication or complex account management are identified. 172A_3.5.2e[a]

IAC-10.11 IAC-10.11_A02 automated mechanisms for the generation, protection, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management are identified. 172A_3.5.2e[b]

IAC-10.11 IAC-10.11_A03 automated mechanisms for the generation, protection, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management are employed. 172A_3.5.2e[c]

IAC-10.11 IAC-10.11_A04 password managers employed for generating and managing passwords are defined. 53A_R5_IA-05(18)_ODP[01]

IAC-10.11 IAC-10.11_A05 controls for protecting passwords are defined. 53A_R5_IA-05(18)_ODP[02]

IAC-10.11 IAC-10.11_A06 password managers are employed to generate and manage passwords. 53A_R5_IA-05(18)(a)

IAC-10.11 IAC-10.11_A07 passwords are protected using the organization-defined controls. 53A_R5_IA-05(18)(b)

IAC-10.12 IAC-10.12_A01 biometric quality requirements for biometric-based authentication are defined. 53A_R5_IA-05(12)_ODP

IAC-10.12 IAC-10.12_A02 mechanisms that satisfy organization-defined biometric quality requirements are employed for biometric-based authentication. 53A_R5_IA-05(12)

IAC-11 IAC-11_A01 authentication information is obscured during the authentication process. 171A_3.5.11

IAC-11 IAC-11_A02 the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. 53A_R5_IA-06

IAC-12 IAC-12_A01 mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards and guidelines for such authentication. 53A_R5_IA-07

IAC-12.1 IAC-12.1_A01 Hardware Security Modules (HSM) protect authenticators on which the component relies. SCF Created

IAC-13 IAC-13_A01 supplemental authentication techniques or mechanisms to be employed when accessing the system under specific circumstances or situations are defined. 53A_R5_IA-10_ODP[01]

IAC-13 IAC-13_A02 circumstances or situations that require individuals accessing the system to employ supplemental authentication techniques or mechanisms are defined. 53A_R5_IA-10_ODP[02]

IAC-13 IAC-13_A03 individuals accessing the system are required to employ supplemental authentication techniques or mechanisms under specific circumstances or situations. 53A_R5_IA-10

IAC-13.1 IAC-13.1_A01 system accounts and services for which a single sign-on capability must be provided are defined. 53A_R5_IA-02(10)_ODP

IAC-13.1 IAC-13.1_A02 a single sign-on capability is provided for organization-defined system accounts and services. 53A_R5_IA-02(10)

IAC-13.2 IAC-13.2_A01 external organizations to be used for federating credentials are defined. 53A_R5_IA-05(09)_ODP

IAC-13.2 IAC-13.2_A02 external organizations are used to federate credentials. 53A_R5_IA-05(09)

IAC-14 IAC-14_A01 circumstances or situations requiring re-authentication are defined. 53A_R5_IA-11_ODP

IAC-14 IAC-14_A02 users are required to re-authenticate when organization-defined circumstances or situations requiring re-authentication occur. 53A_R5_IA-11

IAC-15 IAC-15_A01 the types of transactions and functions that authorized users are permitted to execute are defined. 171A_3.1.2[a]

IAC-15 IAC-15_A02 system access is limited to the defined types of transactions and functions for authorized users. 171A_3.1.2[b]

IAC-15 IAC-15_A03 prerequisites and criteria for group and role membership are defined. 53A_R5_AC-02_ODP[01]

IAC-15 IAC-15_A04 attributes (as required) for each account are defined. 53A_R5_AC-02_ODP[02]

IAC-15 IAC-15_A05 personnel or roles required to approve requests to create accounts is/are defined. 53A_R5_AC-02_ODP[03]

IAC-15 IAC-15_A06 criteria for account creation, enabling, modification, disabling and removal are defined. 53A_R5_AC-02_ODP[04]

IAC-15 IAC-15_A07 personnel or roles to be notified is/are defined. 53A_R5_AC-02_ODP[05]

IAC-15 IAC-15_A08 time period within which to notify account managers when accounts are no longer required is defined. 53A_R5_AC-02_ODP[06]

IAC-15 IAC-15_A09 time period within which to notify account managers when users are terminated or transferred is defined. 53A_R5_AC-02_ODP[07]

IAC-15 IAC-15_A10 time period within which to notify account managers when system usage or the need to know changes for an individual is defined. 53A_R5_AC-02_ODP[08]

IAC-15 IAC-15_A11 attributes needed to authorize system access (as required) are defined. 53A_R5_AC-02_ODP[09]

IAC-15 IAC-15_A12 the frequency of account review is defined. 53A_R5_AC-02_ODP[10]

IAC-15 IAC-15_A13 account types allowed for use within the system are defined and documented. 53A_R5_AC-02a.[01]

IAC-15 IAC-15_A14 account types specifically prohibited for use within the system are defined and documented. 53A_R5_AC-02a.[02]

IAC-15 IAC-15_A15 account managers are assigned. 53A_R5_AC-02b.

IAC-15 IAC-15_A16 organization-defined prerequisites and criteria for group and role membership are required. 53A_R5_AC-02c.

IAC-15 IAC-15_A17 authorized users of the system are specified. 53A_R5_AC-02d.01

IAC-15 IAC-15_A18 group and role membership are specified. 53A_R5_AC-02d.02

IAC-15 IAC-15_A19 access authorizations (e.g., privileges) are specified for each account. 53A_R5_AC-02d.03[01]

IAC-15 IAC-15_A20 organization-defined attributes (as required) are specified for each account. 53A_R5_AC-02d.03[02]

IAC-15 IAC-15_A21 approvals are required by organization-defined personnel or roles for requests to create accounts. 53A_R5_AC-02e.

IAC-15 IAC-15_A22 accounts are created in accordance with organization-defined policy, procedures, prerequisites and criteria. 53A_R5_AC-02f.[01]

IAC-15 IAC-15_A23 accounts are enabled in accordance with organization-defined policy, procedures, prerequisites and criteria. 53A_R5_AC-02f.[02]

IAC-15 IAC-15_A24 accounts are modified in accordance with organization-defined policy, procedures, prerequisites and criteria. 53A_R5_AC-02f.[03]

IAC-15 IAC-15_A25 accounts are disabled in accordance with organization-defined policy, procedures, prerequisites and criteria. 53A_R5_AC-02f.[04]

IAC-15 IAC-15_A26 accounts are removed in accordance with organization-defined policy, procedures, prerequisites and criteria. 53A_R5_AC-02f.[05]

IAC-15 IAC-15_A27 the use of accounts is monitored. 53A_R5_AC-02g.

IAC-15 IAC-15_A28 account managers and organization-defined personnel or roles are notified within organization-defined time period when accounts are no longer required. 53A_R5_AC-02h.01

IAC-15 IAC-15_A29 account managers and organization-defined personnel or roles are notified within organization-defined time period when users are terminated or transferred. 53A_R5_AC-02h.02

IAC-15 IAC-15_A30 account managers and organization-defined personnel or roles are notified within organization-defined time period when system usage or the need to know changes for an individual. 53A_R5_AC-02h.03

IAC-15 IAC-15_A31 access to the system is authorized based on a valid access authorization. 53A_R5_AC-02i.01

IAC-15 IAC-15_A32 access to the system is authorized based on intended system usage. 53A_R5_AC-02i.02

IAC-15 IAC-15_A33 access to the system is authorized based on organization-defined attributes (as required). 53A_R5_AC-02i.03

IAC-15 IAC-15_A34 accounts are reviewed for compliance with account management requirements at the organization-defined frequency. 53A_R5_AC-02j.

IAC-15 IAC-15_A35 a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group. 53A_R5_AC-02k.[01]

IAC-15 IAC-15_A36 a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group. 53A_R5_AC-02k.[02]

IAC-15 IAC-15_A37 account management processes are aligned with personnel termination processes. 53A_R5_AC-02l.[01]

IAC-15 IAC-15_A38 account management processes are aligned with personnel transfer processes. 53A_R5_AC-02l.[02]

IAC-15.1 IAC-15.1_A01 automated mechanisms used to support the management of system accounts are defined. 53A_R5_AC-02(01)_ODP

IAC-15.1 IAC-15.1_A02 the management of system accounts is supported using organization-defined automated mechanisms. 53A_R5_AC-02(01)

IAC-15.2 IAC-15.2_A01 the time period after which to automatically remove or disable temporary or emergency accounts is defined. 53A_R5_AC-02(02)_ODP[01]; 53A_R5_AC-02(02)_ODP[02]

IAC-15.2 IAC-15.2_A02 temporary and emergency accounts are automatically removed or disabled after the organization-defined time period. 53A_R5_AC-02(02)

IAC-15.3 IAC-15.3_A01 a period of inactivity after which an identifier is disabled is defined. 171A_3.5.6[a]

IAC-15.3 IAC-15.3_A02 identifiers are disabled after the defined period of inactivity. 171A_3.5.6[b]

IAC-15.3 IAC-15.3_A03 time period within which to disable accounts is defined. 53A_R5_AC-02(03)_ODP[01]

IAC-15.3 IAC-15.3_A04 time period for account inactivity before disabling is defined. 53A_R5_AC-02(03)_ODP[02]

IAC-15.3 IAC-15.3_A05 accounts are disabled within organization-defined time period when the accounts have expired. 53A_R5_AC-02(03)(a)

IAC-15.3 IAC-15.3_A06 accounts are disabled within organization-defined time period when the accounts are no longer associated with a user or individual. 53A_R5_AC-02(03)(b)

IAC-15.3 IAC-15.3_A07 accounts are disabled within organization-defined time period when the accounts are in violation of organizational policy. 53A_R5_AC-02(03)(c)

IAC-15.3 IAC-15.3_A08 accounts are disabled within organization-defined time period when the accounts have been inactive for organization-defined time period. 53A_R5_AC-02(03)(d)

IAC-15.4 IAC-15.4_A01 account creation is automatically audited. 53A_R5_AC-02(04)[01]

IAC-15.4 IAC-15.4_A02 account modification is automatically audited. 53A_R5_AC-02(04)[02]

IAC-15.4 IAC-15.4_A03 account enabling is automatically audited. 53A_R5_AC-02(04)[03]

IAC-15.4 IAC-15.4_A04 account disabling is automatically audited. 53A_R5_AC-02(04)[04]

IAC-15.4 IAC-15.4_A05 account removal actions are automatically audited. 53A_R5_AC-02(04)[05]

IAC-15.5 IAC-15.5_A01 conditions for establishing shared and group accounts are defined. 53A_R5_AC-02(09)_ODP

IAC-15.5 IAC-15.5_A02 the use of shared and group accounts is only permitted if organization-defined conditions are met. 53A_R5_AC-02(09)

IAC-15.6 IAC-15.6_A01 time period within which to disable accounts of individuals who are discovered to pose significant risk is defined. 53A_R5_AC-02(13)_ODP[01]

IAC-15.6 IAC-15.6_A02 significant risks leading to disabling accounts are defined. 53A_R5_AC-02(13)_ODP[02]

IAC-15.6 IAC-15.6_A03 accounts of individuals are disabled within an organization-defined time period of discovery of significant risks. 53A_R5_AC-02(13)

IAC-15.7 IAC-15.7_A01 a process exists to associate all system accounts with a business process and owner. SCF Created

IAC-15.7 IAC-15.7_A02 system accounts that cannot be associated with a business process and owner are disabled. SCF Created
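IAC-15.3 lists the four conditions under which accounts are disabled within a defined time period (expired, no longer associated with an individual, in violation of policy, inactive beyond a threshold), IAC-15.7 adds accounts that cannot be tied to a business owner, and IAC-15.4 requires each disable action to be automatically audited. The sweep below is an added example for this page, not SCF code: the account records, the 90-day inactivity period and the clock are constructed. It also handles the case assessors most often find missed in automation, the account that was created but never logged in, by ageing it from its creation date so that a never-used account is still caught by the inactivity rule.

```python
"""Automated account-disablement sweep for IAC-15.3 (AC-02(03)(a)-(d), 3.5.6),
IAC-15.7 (no business owner) and IAC-15.4 (audit of disable actions).
Added example; records, thresholds and clock are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Account:
    name: str
    created_at: datetime
    last_login: Optional[datetime]   # None: never used
    expires_at: Optional[datetime]   # None: no expiry set
    owner: Optional[str]             # business owner; None means orphaned (IAC-15.7)
    policy_violation: bool = False
    enabled: bool = True


INACTIVITY_PERIOD = timedelta(days=90)  # AC-02(03)_ODP[02] / 3.5.6[a], assumed value


def disable_reason(acct: Account, now: datetime) -> Optional[str]:
    """Return the first AC-02(03) condition that applies to an enabled account, or None."""
    if not acct.enabled:
        return None
    if acct.expires_at is not None and acct.expires_at <= now:
        return "expired"                                      # (a)
    if acct.owner is None:
        return "not associated with an owner or individual"   # (b), IAC-15.7
    if acct.policy_violation:
        return "violation of organizational policy"           # (c)
    # Never-used accounts age from creation; otherwise they would never trip (d).
    last_activity = acct.last_login or acct.created_at
    idle = now - last_activity
    if idle >= INACTIVITY_PERIOD:
        return f"inactive for {idle.days} days"               # (d)
    return None


def sweep(accounts: List[Account], now: datetime, actor: str = "account-hygiene-job") -> List[dict]:
    """Disable qualifying accounts and return one audit record per action (IAC-15.4)."""
    audit: List[dict] = []
    for acct in accounts:
        reason = disable_reason(acct, now)
        if reason is None:
            continue
        acct.enabled = False
        audit.append({
            "timestamp": now.isoformat(),
            "event": "account_disabled",
            "account": acct.name,
            "reason": reason,
            "actor": actor,
        })
    return audit


def sample_accounts(now: datetime) -> List[Account]:
    """Constructed records covering each condition plus one healthy account."""
    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)
    return [
        Account("svc-legacy", days_ago(400), days_ago(120), None, "ops-team"),          # inactive
        Account("contractor7", days_ago(200), days_ago(5), days_ago(1), "hr-team"),     # expired
        Account("orphan-app", days_ago(30), days_ago(2), None, None),                   # no owner
        Account("j.doe", days_ago(60), days_ago(1), None, "eng-team", policy_violation=True),
        Account("never-used", days_ago(100), None, None, "eng-team"),                   # never logged in
        Account("a.smith", days_ago(60), days_ago(3), None, "eng-team"),                # healthy
    ]


if __name__ == "__main__":
    clock = datetime.now(timezone.utc)
    for record in sweep(sample_accounts(clock), clock):
        print(record)
```

Timestamps are timezone-aware throughout; mixing naive and aware datetimes raises in the subtraction, which is preferable to silently comparing wall-clock values from different zones. Running the sweep a second time yields no audit records, so the job can be scheduled at whatever cadence the organization-defined time period for disabling requires.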

IAC-15.8 IAC-15.8_A01 circumstances and/or usage conditions to be enforced for system accounts are defined. 53A_R5_AC-02(11)_ODP[01]

IAC-15.8 IAC-15.8_A02 system accounts subject to enforcement of circumstances and/or usage conditions are defined. 53A_R5_AC-02(11)_ODP[02]

IAC-15.8 IAC-15.8_A03 organization-defined circumstances and/or usage conditions are enforced for organization-defined system accounts. 53A_R5_AC-02(11)

IAC-15.9 IAC-15.9_A01 a process exists to establish "emergency access only" accounts. SCF Created

IAC-15.9 IAC-15.9_A02 "emergency access only" accounts are controlled. SCF Created

IAC-16 IAC-16_A01 privileged access rights for users and services are restricted based on roles. SCF Created

IAC-16 IAC-16_A02 privileged access rights for users and services are controlled. SCF Created

IAC-16.1 IAC-16.1_A01 all privileged accounts are inventoried. SCF Created

IAC-16.1 IAC-16.1_A02 validation is performed for each person with elevated privileges for authorization by the appropriate level of organizational management. SCF Created

IAC-16.2 IAC-16.2_A01 separate privileged accounts exist between infrastructure environments to reduce the risk of a compromise in one infrastructure environment from laterally affecting other infrastructure environments. SCF Created

IAC-17 IAC-17_A01 the frequency at which to review the privileges assigned to roles or classes of users is defined. 53A_R5_AC-06(07)_ODP[01]

IAC-17 IAC-17_A02 roles or classes of users to which privileges are assigned are defined. 53A_R5_AC-06(07)_ODP[02]

IAC-17 IAC-17_A03 privileges assigned to organization-defined roles or classes of users are reviewed at the organization-defined frequency to validate the need for such privileges. 53A_R5_AC-06(07)(a)

IAC-17 IAC-17_A04 privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs. 53A_R5_AC-06(07)(b)

IAC-18 IAC-18_A01 authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access. 53A_R5_IA-05(06)

IAC-19 IAC-19_A01 the sharing of generic IDs, passwords or other generic authentication methods is prevented. SCF Created

IAC-20 IAC-20_A01 authorized users are identified. 171A_3.1.1[a]

IAC-20 IAC-20_A02 processes acting on behalf of authorized users are identified. 171A_3.1.1[b]

IAC-20 IAC-20_A03 devices (and other systems) authorized to connect to the system are identified. 171A_3.1.1[c]

IAC-20 IAC-20_A04 system access is limited to authorized users. 171A_3.1.1[d]

IAC-20 IAC-20_A05 system access is limited to processes acting on behalf of authorized users. 171A_3.1.1[e]

IAC-20 IAC-20_A06 system access is limited to authorized devices (including other systems). 171A_3.1.1[f]

IAC-20 IAC-20_A07 approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies. 53A_R5_AC-03

IAC-20 IAC-20_A08 the principle of least privilege is employed, allowing only authorized access for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. 53A_R5_AC-06

IAC-20 IAC-20_A09 systems and system components included in the scope of the specified enhanced security requirements are identified. 172A_3.14.3e_ODP[1]

IAC-20 IAC-20_A10 systems and system components are included in the scope of the specified enhanced security requirements. 172A_3.14.3e[a]

IAC-20 IAC-20_A11 systems and system components that are not included in the scope of the specified enhanced security requirements are segregated in purpose-specific networks. 172A_3.14.3e[b]

IAC-20.1 IAC-20.1_A01 access to sensitive/regulated data is restricted to only those individuals whose job requires such access. SCF Created

IAC-20.2 IAC-20.2_A01 access to databases containing sensitive/regulated data is restricted to only necessary services or those individuals whose job requires such access. SCF Created

IAC-20.3 IAC-20.3_A01 access to utility programs that are capable of overriding system and application controls is restricted. SCF Created

IAC-20.4 IAC-20.4_A01 executing administrative tasks or tasks requiring elevated access is restricted to a dedicated machine. SCF Created

IAC-20.5 IAC-20.5_A01 privileged commands and/or other actions requiring dual authorization are defined. 53A_R5_AC-03(02)_ODP

IAC-20.5 IAC-20.5_A02 dual authorization is enforced for organization-defined privileged commands and/or other actions. 53A_R5_AC-03(02)

IAC-20.5 IAC-20.5_A03 critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified. 172A_3.1.1e[a]; 53A_R5_CM-05(04)_ODP[01]

IAC-20.5 IAC-20.5_A04 dual authorization is employed to execute critical or sensitive system and organizational operations. 172A_3.1.1e[b]; 53A_R5_CM-05(04)[01]; 53A_R5_CM-05(04)[02]

IAC-20.6 IAC-20.6_A01 rules governing the timing of revocations of access authorizations are defined. 53A_R5_AC-03(08)_ODP

IAC-20.6 IAC-20.6_A02 revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on organization-defined rules. 53A_R5_AC-03(08)[01]

IAC-20.6 IAC-20.6_A03 revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on organization-defined rules. 53A_R5_AC-03(08)[02]

IAC-20.7 IAC-20.7_A01 the types of accounts allowed on systems, applications and services is/are defined and documented. SCF Created

IAC-20.7 IAC-20.7_A02 the types of accounts prohibited on systems, applications and services is/are defined and documented. SCF Created

IAC-21 IAC-21_A01 privileged accounts are identified. 171A_3.1.5[a]

IAC-21 IAC-21_A02 access to privileged accounts is authorized in accordance with the principle of least privilege. 171A_3.1.5[b]

IAC-21 IAC-21_A03 security functions are identified. 171A_3.1.5[c]

IAC-21 IAC-21_A04 access to security functions is authorized in accordance with the principle of least privilege. 171A_3.1.5[d]

IAC-21 IAC-21_A05 the principle of least privilege is employed, allowing only authorized access for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. 53A_R5_AC-06

IAC-21 IAC-21_A06 systems or system components that implement the security design principle of least privilege are defined. 53A_R5_SA-08(14)_ODP

IAC-21 IAC-21_A07 organization-defined systems or system components implement the security design principle of least privilege. 53A_R5_SA-08(14)

IAC-21.1 IAC-21.1_A01 individuals and roles with authorized access to security functions and security-relevant information are defined. 53A_R5_AC-06(01)_ODP[01]

IAC-21.1 IAC-21.1_A02 security functions (deployed in hardware) for authorized access are defined. 53A_R5_AC-06(01)_ODP[02]

IAC-21.1 IAC-21.1_A03 security functions (deployed in software) for authorized access are defined. 53A_R5_AC-06(01)_ODP[03]

IAC-21.1 IAC-21.1_A04 security functions (deployed in firmware) for authorized access are defined. 53A_R5_AC-06(01)_ODP[04]

IAC-21.1 IAC-21.1_A05 security-relevant information for authorized access is defined. 53A_R5_AC-06(01)_ODP[05]

IAC-21.1 IAC-21.1_A06 access is authorized for organization-defined individuals and roles to organization-defined security functions (deployed in hardware). 53A_R5_AC-06(01)(a)[01]

IAC-21.1 IAC-21.1_A07 access is authorized for organization-defined individuals and roles to organization-defined security functions (deployed in software). 53A_R5_AC-06(01)(a)[02]

IAC-21.1 IAC-21.1_A08 access is authorized for organization-defined individuals and roles to organization-defined security functions (deployed in firmware). 53A_R5_AC-06(01)(a)[03]

IAC-21.1 IAC-21.1_A09 access is authorized for organization-defined individuals and roles to organization-defined security-relevant information. 53A_R5_AC-06(01)(b)

IAC-21.2 IAC-21.2_A01 non-security functions are identified. 171A_3.1.6[a]

IAC-21.2 IAC-21.2_A02 users are required to use non-privileged accounts or roles when accessing non-security functions. 171A_3.1.6[b]

IAC-21.2 IAC-21.2_A03 security functions or security-relevant information whose users are required to use non-privileged accounts or roles when accessing non-security functions are defined. 53A_R5_AC-06(02)_ODP

IAC-21.2 IAC-21.2_A04 users of system accounts (or roles) with access to organization-defined security functions or security-relevant information are required to use non-privileged accounts or roles when accessing non-security functions. 53A_R5_AC-06(02)

IAC-21.3 IAC-21.3_A01 personnel or roles to which privileged accounts on the system are to be restricted is/are defined. 53A_R5_AC-06(05)_ODP

IAC-21.3 IAC-21.3_A02 privileged accounts on the system are restricted to organization-defined personnel or roles. 53A_R5_AC-06(05)

IAC-21.4 IAC-21.4_A01 the execution of privileged functions is logged. 53A_R5_AC-06(09)

IAC-21.5 IAC-21.5_A01 privileged functions are defined. 171A_3.1.7[a]

IAC-21.5 IAC-21.5_A02 non-privileged users are defined. 171A_3.1.7[b]

IAC-21.5 IAC-21.5_A03 non-privileged users are prevented from executing privileged functions. 171A_3.1.7[c]; 53A_R5_AC-06(10)

IAC-21.5 IAC-21.5_A04 the execution of privileged functions is captured in event logs. 171A_3.1.7[d]

IAC-21.6 IAC-21.6_A01 privileged commands to which network access is to be authorized only for compelling operational needs are defined. 53A_R5_AC-06(03)_ODP[01]

IAC-21.6 IAC-21.6_A02 compelling operational needs necessitating network access to privileged commands are defined. 53A_R5_AC-06(03)_ODP[02]

IAC-21.6 IAC-21.6_A03 network access to organization-defined privileged commands is authorized only for organization-defined compelling operational needs. 53A_R5_AC-06(03)[01]

IAC-21.6 IAC-21.6_A04 the rationale for authorizing network access to privileged commands is documented in the security plan for the system. 53A_R5_AC-06(03)[02]

IAC-21.7 IAC-21.7_A01 software to be prevented from executing at higher privilege levels than users executing the software is defined. 53A_R5_AC-06(08)_ODP

IAC-21.7 IAC-21.7_A02 organization-defined software is prevented from executing at higher privilege levels than users executing the software. 53A_R5_AC-06(08)

IAC-22 IAC-22_A01 the means of limiting unsuccessful logon attempts is defined. 171A_3.1.8[a]

IAC-22 IAC-22_A02 the defined means of limiting unsuccessful logon attempts is implemented. 171A_3.1.8[b]

IAC-22 IAC-22_A03 the number of consecutive invalid logon attempts by a user allowed during a time period is defined. 53A_R5_AC-07_ODP[01]

IAC-22 IAC-22_A04 the time period to which the number of consecutive invalid logon attempts by a user is limited is defined. 53A_R5_AC-07_ODP[02]

IAC-22 IAC-22_A05 time period for an account or node to be locked is defined. 53A_R5_AC-07_ODP[04]

IAC-22 IAC-22_A06 delay algorithm for the next logon prompt is defined. 53A_R5_AC-07_ODP[05]

IAC-22 IAC-22_A07 other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined. 53A_R5_AC-07_ODP[03]
53A_R5_AC-07_ODP[06]

IAC-22 IAC-22_A08 a limit of the organization-defined number of consecutive invalid logon attempts by a user during the organization-defined time period is enforced. 53A_R5_AC-07a.

IAC-22 IAC-22_A09 the account or node is automatically locked for the organization-defined time period, the next logon prompt is delayed per the organization-defined delay algorithm, or the other organization-defined action is taken when the maximum number of unsuccessful attempts is exceeded. 53A_R5_AC-07b.
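The IAC-22 objectives define five parameters (attempt count, counting window, lock period, delay algorithm, other action) and then require that the limit be enforced and the lock or delay applied automatically. The block below is an added example for this page, not SCF code, showing the state machine those parameters drive. The policy values, the credential map and the timestamps are constructed; the clock is passed in so the window and lock expiry can be exercised deterministically, and the exponential back-off is one assumed delay algorithm, not one the SCF prescribes.

```python
"""Unsuccessful-logon limiting mapped to IAC-22 (AC-07a/b, 3.1.8): consecutive
invalid attempts are counted inside a time window, the account is locked for a
fixed period once the maximum is exceeded, and a delay algorithm governs the next
prompt. Added example; policy values, credentials and timestamps are constructed."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 5          # AC-07_ODP[01], assumed value
    window_seconds: float = 900.0  # AC-07_ODP[02], assumed value
    lock_seconds: float = 1800.0   # AC-07_ODP[04], assumed value
    base_delay: float = 1.0        # AC-07_ODP[05]: exponential back-off, capped

    def next_prompt_delay(self, consecutive_failures: int) -> float:
        """Delay algorithm: 1s, 2s, 4s, ... capped at 60s."""
        return min(self.base_delay * 2 ** max(consecutive_failures - 1, 0), 60.0)


@dataclass
class _State:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Tracks state per submitted username, whether or not that user exists, so that
    probing an unknown account behaves exactly like a wrong password."""

    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]) -> None:
        self.policy = policy
        self._credentials = credentials  # constructed plaintext; a real system verifies hashes
        self._state: Dict[str, _State] = {}

    def _password_ok(self, username: str, password: str) -> bool:
        stored = self._credentials.get(username)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

    def attempt(self, username: str, password: str, now: float) -> dict:
        st = self._state.setdefault(username, _State())
        p = self.policy
        if now < st.locked_until:
            # Locked: reject without evaluating the password or extending the lock,
            # so a correct password submitted during the lock is still refused.
            return {"result": "locked", "retry_after": st.locked_until - now}
        # Only failures inside the window count as "consecutive".
        st.failures = [t for t in st.failures if now - t < p.window_seconds]
        if self._password_ok(username, password):
            st.failures.clear()
            return {"result": "ok"}
        st.failures.append(now)
        if len(st.failures) >= p.max_attempts:
            st.locked_until = now + p.lock_seconds
            st.failures.clear()
            return {"result": "locked", "retry_after": p.lock_seconds}
        return {"result": "denied", "next_prompt_delay": p.next_prompt_delay(len(st.failures))}
```

The caveat a practitioner should carry into the ODP choices: a per-username lock that anyone can trigger is also a denial-of-service primitive against a known account, which is why the window and lock period are bounded and why the delay algorithm is worth having even before the lock engages. The state here is in memory; a clustered deployment needs it in a shared store or the limit is effectively multiplied by the number of nodes.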

IAC-23 IAC-23_A01 accounts and/or account types for which to limit the number of concurrent sessions is defined. 53A_R5_AC-10_ODP[01]

IAC-23 IAC-23_A02 the number of concurrent sessions to be allowed for each account and/or account type is defined. 53A_R5_AC-10_ODP[02]

IAC-23 IAC-23_A03 the number of concurrent sessions for each organization-defined account and/or account type is limited to the organization-defined number. 53A_R5_AC-10

IAC-24 IAC-24_A01 the period of inactivity after which the system initiates a session lock is defined. 171A_3.1.10[a]

IAC-24 IAC-24_A02 access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity. 171A_3.1.10[b]

IAC-24 IAC-24_A03 previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. 171A_3.1.10[c]

IAC-24 IAC-24_A04 the time period of expected inactivity or description of when to log out is defined. 53A_R5_AC-02(05)_ODP

IAC-24 IAC-24_A05 users are required to log out after the organization-defined time period of expected inactivity or under the organization-defined conditions for logging out. 53A_R5_AC-02(05)

IAC-24 IAC-24_A06 time period of inactivity after which a device lock is initiated is defined. 53A_R5_AC-11_ODP[01]; 53A_R5_AC-11_ODP[02]

IAC-24 IAC-24_A07 further access to the system is prevented by initiating a device lock after the organization-defined time period of inactivity or by requiring the user to initiate a device lock before leaving the system unattended. 53A_R5_AC-11a.

IAC-24 IAC-24_A08 device lock is retained until the user re-establishes access using established identification and authentication procedures. 53A_R5_AC-11b.

IAC-24.1 IAC-24.1_A01 information previously visible on the display is concealed, via device lock, with a publicly viewable image. 53A_R5_AC-11(01)

IAC-25 IAC-25_A01 conditions requiring a user session to terminate are defined. 171A_3.1.11[a]

IAC-25 IAC-25_A02 conditions or trigger events requiring session disconnect are defined. 171A_3.1.11[b]; 53A_R5_AC-12_ODP

IAC-25 IAC-25_A03 a user session is automatically terminated after organization-defined conditions or trigger events. 53A_R5_AC-12

Licensed by Creative Commons Attribution-NoDerivatives 172 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

IAC-25.1 IAC-25.1_A01 information resources for which a logout capability for user-initiated communications sessions is required are defined. 53A_R5_AC-12(01)_ODP

IAC-25.1 IAC-25.1_A02 a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources. 53A_R5_AC-12(01)

IAC-26 IAC-26_A01 user actions that can be performed on the system without identification or authentication are defined. 53A_R5_AC-14_ODP

IAC-26 IAC-26_A02 organization-defined user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified. 53A_R5_AC-14a.

IAC-26 IAC-26_A03_A01 user actions not requiring identification or authentication are documented in the security plan for the system. 53A_R5_AC-14b.[01]

IAC-26 IAC-26_A03_A02 a rationale for user actions not requiring identification or authentication is provided in the security plan for the system. 53A_R5_AC-14b.[02]

IAC-27 IAC-27_A01 access control policies for which a reference monitor is implemented are defined. 53A_R5_AC-25_ODP

IAC-27 IAC-27_A02 a reference monitor is implemented for organization-defined access control policies that is tamper-proof, always invoked and small enough to be subject to analysis and testing, the completeness of which can be assured. 53A_R5_AC-25

IAC-28 IAC-28_A01 users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed. 53A_R5_IA-12a.

IAC-28 IAC-28_A02 user identities are resolved to a unique individual. 53A_R5_IA-12b.

IAC-28 IAC-28_A03 identity evidence is collected. 53A_R5_IA-12c.[01]

IAC-28 IAC-28_A04 identity evidence is validated. 53A_R5_IA-12c.[02]

IAC-28 IAC-28_A05 identity evidence is verified. 53A_R5_IA-12c.[03]

IAC-28.1 IAC-28.1_A01 the registration process to receive an account for logical access includes supervisor or sponsor authorization. 53A_R5_IA-12(01)

IAC-28.1 IAC-28.1_A02 access control decisions applied to each access request prior to access enforcement are defined. 53A_R5_AC-24_ODP[01]
53A_R5_AC-24_ODP[02]

IAC-28.1 IAC-28.1_A03 organization-defined criteria are taken into account to ensure that access control decisions are applied to each access request prior to access enforcement. 53A_R5_AC-24

IAC-28.2 IAC-28.2_A01 evidence of individual identification is presented to the registration authority. 53A_R5_IA-12(02)

IAC-28.3 IAC-28.3_A01 methods of validation and verification of identity evidence are defined. 53A_R5_IA-12(03)_ODP

IAC-28.3 IAC-28.3_A02 the presented identity evidence is validated and verified through organization-defined methods of validation and verification. 53A_R5_IA-12(03)

IAC-28.4 IAC-28.4_A01 the validation and verification of identity evidence is conducted in person before a designated registration authority. 53A_R5_IA-12(04)

IAC-28.5 IAC-28.5_A01 organization-defined criteria are delivered through an out-of-band channel to verify the user’s address (physical or digital) of record. 53A_R5_IA-12(05)_ODP
53A_R5_IA-12(05)

IAC-29 IAC-29_A01 Attribute-Based Access Control (ABAC) is enforced for policy-driven, dynamic authorizations that support the secure sharing of information. SCF Created

IRO-01 IRO-01_A01 an incident handling capability for incidents is implemented that is consistent with the incident response plan. 53A_R5_IR-04a.[01]
171A_3.6.1[a]

IRO-01 IRO-01_A02 incident handling activities are coordinated with contingency planning activities. 53A_R5_IR-04b.

IRO-01 IRO-01_A03 the incident handling capability for incidents includes preparation. 53A_R5_IR-04a.[02]
171A_3.6.1[b]

IRO-01 IRO-01_A04 the incident handling capability for incidents includes detection and analysis. 53A_R5_IR-04a.[03]
171A_3.6.1[c]
171A_3.6.1[d]

IRO-01 IRO-01_A05 the incident handling capability for incidents includes containment. 53A_R5_IR-04a.[04]
171A_3.6.1[e]

IRO-01 IRO-01_A06 the incident handling capability for incidents includes eradication. 53A_R5_IR-04a.[05]

IRO-01 IRO-01_A07 the incident handling capability for incidents includes recovery. 53A_R5_IR-04a.[06]
171A_3.6.1[f]

IRO-01 IRO-01_A08 lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing. 53A_R5_IR-04c.[01]

IRO-01 IRO-01_A09 the changes resulting from the incorporated lessons learned are implemented accordingly. 53A_R5_IR-04c.[02]

IRO-01 IRO-01_A10 the rigor of incident handling activities is comparable and predictable across the organization. 53A_R5_IR-04d.[01]

IRO-01 IRO-01_A11 the intensity of incident handling activities is comparable and predictable across the organization. 53A_R5_IR-04d.[02]

IRO-01 IRO-01_A12 the scope of incident handling activities is comparable and predictable across the organization. 53A_R5_IR-04d.[03]

IRO-01 IRO-01_A13 the results of incident handling activities are comparable and predictable across the organization. 53A_R5_IR-04d.[04]

IRO-02 IRO-02_A01 authorities to whom incidents are to be reported are identified. 171A_3.6.2[c]


IRO-02 IRO-02_A02 organizational officials to whom incidents are to be reported are identified. 171A_3.6.2[d]

IRO-02 IRO-02_A03 identified authorities are notified of incidents. 171A_3.6.2[e]

IRO-02 IRO-02_A04 identified organizational officials are notified of incidents. 171A_3.6.2[f]

IRO-02 IRO-02_A05 an incident handling capability for incidents is implemented that is consistent with the incident response plan. 53A_R5_IR-04a.[01]
171A_3.6.1[a]

IRO-02 IRO-02_A06 the incident handling capability for incidents includes preparation. 53A_R5_IR-04a.[02]
171A_3.6.1[b]

IRO-02 IRO-02_A07 the incident handling capability for incidents includes detection and analysis. 53A_R5_IR-04a.[03]
171A_3.6.1[c]
171A_3.6.1[d]

IRO-02 IRO-02_A08 the incident handling capability for incidents includes containment. 53A_R5_IR-04a.[04]
171A_3.6.1[e]

IRO-02 IRO-02_A09 the incident handling capability for incidents includes eradication. 53A_R5_IR-04a.[05]

IRO-02 IRO-02_A10 the incident handling capability for incidents includes recovery. 53A_R5_IR-04a.[06]
171A_3.6.1[f]

IRO-02 IRO-02_A11 incident handling activities are coordinated with contingency planning activities. 53A_R5_IR-04b.

IRO-02 IRO-02_A12 the operational incident-handling capability includes user response activities. 171A_3.6.1[g]

IRO-02 IRO-02_A13 incidents are tracked. 171A_3.6.2[a]

IRO-02 IRO-02_A14 incidents are documented. 171A_3.6.2[b]

IRO-02 IRO-02_A15 lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training and testing. 53A_R5_IR-04c.[01]

IRO-02 IRO-02_A16 the changes resulting from the incorporated lessons learned are implemented accordingly. 53A_R5_IR-04c.[02]

IRO-02 IRO-02_A17 the rigor of incident handling activities is comparable and predictable across the organization. 53A_R5_IR-04d.[01]

IRO-02 IRO-02_A18 the intensity of incident handling activities is comparable and predictable across the organization. 53A_R5_IR-04d.[02]

IRO-02 IRO-02_A19 the scope of incident handling activities is comparable and predictable across the organization. 53A_R5_IR-04d.[03]

IRO-02 IRO-02_A20 the results of incident handling activities are comparable and predictable across the organization. 53A_R5_IR-04d.[04]

IRO-02.1 IRO-02.1_A01 automated mechanisms used to support the incident handling process are defined. 53A_R5_IR-04(01)_ODP

IRO-02.1 IRO-02.1_A02 the incident handling process is supported using automated mechanisms. 53A_R5_IR-04(01)

IRO-02.1 IRO-02.1_A03 incident response personnel (identified by name and/or by role) to be notified of detected suspicious events is/are defined. 53A_R5_SI-04(07)_ODP[01]

IRO-02.1 IRO-02.1_A04 least-disruptive actions to terminate suspicious events are defined. 53A_R5_SI-04(07)_ODP[02]

IRO-02.1 IRO-02.1_A05 incident response personnel are notified of detected suspicious events. 53A_R5_SI-04(07)(a)

IRO-02.1 IRO-02.1_A06 least-disruptive actions are taken upon the detection of suspicious events. 53A_R5_SI-04(07)(b)

IRO-02.1 IRO-02.1_A07 anomalous or suspicious behavior is defined. 172A_3.14.2e[a]

IRO-02.1 IRO-02.1_A08 organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior. 172A_3.14.2e[b]

IRO-02.2 IRO-02.2_A01 an incident handling capability is implemented for incidents involving insider threats. 53A_R5_IR-04(06)

IRO-02.3 IRO-02.3_A01 types of dynamic reconfiguration for system components are defined. 53A_R5_IR-04(02)_ODP[01]

IRO-02.3 IRO-02.3_A02 system components that require dynamic reconfiguration are defined. 53A_R5_IR-04(02)_ODP[02]

IRO-02.3 IRO-02.3_A03 types of dynamic reconfiguration for system components are included as part of the incident response capability. 53A_R5_IR-04(02)

IRO-02.4 IRO-02.4_A01 classes of incidents requiring an organization-defined action to be taken are defined. 53A_R5_IR-04(03)_ODP[01]

IRO-02.4 IRO-02.4_A02 actions to be taken in response to organization-defined classes of incidents are defined. 53A_R5_IR-04(03)_ODP[02]

IRO-02.4 IRO-02.4_A03 classes of incidents are identified. 53A_R5_IR-04(03)[01]

IRO-02.4 IRO-02.4_A04 actions are taken in response to those incidents to ensure the continuation of organizational mission and business functions. 53A_R5_IR-04(03)[02]

IRO-02.5 IRO-02.5_A01 external organizations with whom organizational incident information is to be coordinated and shared are defined. 53A_R5_IR-04(08)_ODP[01]


IRO-02.5 IRO-02.5_A02 incident information to be correlated and shared with organization-defined external organizations is defined. 53A_R5_IR-04(08)_ODP[02]

IRO-02.5 IRO-02.5_A03 there is coordination with external organizations to correlate and share incident information to achieve a cross-organization perspective on incident awareness and more effective incident responses. 53A_R5_IR-04(08)

IRO-02.6 IRO-02.6_A01 a configurable capability is implemented to automatically disable the system if security violations are detected. 53A_R5_IR-04(05)

IRO-03 IRO-03_A01 environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined. 53A_R5_IR-04(13)_ODP

IRO-03 IRO-03_A02 anomalous or suspected adversarial behavior in or related to organization-defined environments or resources is analyzed. 53A_R5_IR-04(13)

IRO-03 IRO-03_A03 anomalous or suspicious behavior is defined. 172A_3.14.2e[a]

IRO-03 IRO-03_A04 organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior. 172A_3.14.2e[b]

IRO-04 IRO-04_A01 personnel or roles that review and approve the incident response plan is/are identified. 53A_R5_IR-08_ODP[01]

IRO-04 IRO-04_A02 the frequency at which to review and approve the incident response plan is defined. 53A_R5_IR-08_ODP[02]

IRO-04 IRO-04_A03 entities, personnel or roles with designated responsibility for incident response are defined. 53A_R5_IR-08_ODP[03]

IRO-04 IRO-04_A04 incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined. 53A_R5_IR-08_ODP[04]

IRO-04 IRO-04_A05 organizational elements to which copies of the incident response plan are to be distributed are defined. 53A_R5_IR-08_ODP[05]

IRO-04 IRO-04_A06 incident response personnel (identified by name and/or by role) to whom changes to the incident response plan are communicated is/are defined. 53A_R5_IR-08_ODP[06]

IRO-04 IRO-04_A07 organizational elements to which changes to the incident response plan are communicated are defined. 53A_R5_IR-08_ODP[07]

IRO-04 IRO-04_A08 an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability. 53A_R5_IR-08a.01

IRO-04 IRO-04_A09 an incident response plan is developed that describes the structure and organization of the incident response capability. 53A_R5_IR-08a.02

IRO-04 IRO-04_A10 an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization. 53A_R5_IR-08a.03

IRO-04 IRO-04_A11 an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure and functions. 53A_R5_IR-08a.04

IRO-04 IRO-04_A12 an incident response plan is developed that defines reportable incidents. 53A_R5_IR-08a.05

IRO-04 IRO-04_A13 an incident response plan is developed that provides metrics for measuring the incident response capability within the organization. 53A_R5_IR-08a.06

IRO-04 IRO-04_A14 an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability. 53A_R5_IR-08a.07

IRO-04 IRO-04_A15 an incident response plan is developed that addresses the sharing of incident information. 53A_R5_IR-08a.08

IRO-04 IRO-04_A16 an incident response plan is developed that is reviewed and approved by organization-defined personnel or roles at the organization-defined frequency. 53A_R5_IR-08a.09

IRO-04 IRO-04_A17 an incident response plan is developed that explicitly designates responsibility for incident response to entities, personnel or roles. 53A_R5_IR-08a.10

IRO-04 IRO-04_A18 copies of the incident response plan are distributed to incident response personnel. 53A_R5_IR-08b.[01]

IRO-04 IRO-04_A19 copies of the incident response plan are distributed to organizational elements. 53A_R5_IR-08b.[02]

IRO-04 IRO-04_A20 the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution or testing. 53A_R5_IR-08c.

IRO-04 IRO-04_A21 incident response plan changes are communicated to incident response personnel. 53A_R5_IR-08d.[01]

IRO-04 IRO-04_A22 incident response plan changes are communicated to organizational elements. 53A_R5_IR-08d.[02]

IRO-04 IRO-04_A23 the incident response plan is protected from unauthorized disclosure. 53A_R5_IR-08e.[01]

IRO-04 IRO-04_A24 the incident response plan is protected from unauthorized modification. 53A_R5_IR-08e.[02]

IRO-04.1 IRO-04.1_A01 the incident response plan for breaches involving personal data includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed. 53A_R5_IR-08(01)(a)

IRO-04.1 IRO-04.1_A02 the incident response plan for breaches involving personal data includes an assessment process to determine the extent of the harm, embarrassment, inconvenience or unfairness to affected individuals and any mechanisms to mitigate such harms. 53A_R5_IR-08(01)(b)

IRO-04.1 IRO-04.1_A03 the incident response plan for breaches involving personal data includes the identification of applicable privacy requirements. 53A_R5_IR-08(01)(c)

IRO-04.2 IRO-04.2_A01 personnel or roles to whom the incident response policy is to be disseminated is/are defined. 53A_R5_IR-01_ODP[01]

IRO-04.2 IRO-04.2_A02 personnel or roles to whom the incident response procedures are to be disseminated is/are defined. 53A_R5_IR-01_ODP[02]


IRO-04.2 IRO-04.2_A03 an official to manage the incident response policy and procedures is defined. 53A_R5_IR-01_ODP[03]
53A_R5_IR-01_ODP[04]

IRO-04.2 IRO-04.2_A04 the frequency at which the current incident response policy is reviewed and updated is defined. 53A_R5_IR-01_ODP[05]

IRO-04.2 IRO-04.2_A05 events that would require the current incident response policy to be reviewed and updated are defined. 53A_R5_IR-01_ODP[06]

IRO-04.2 IRO-04.2_A06 the frequency at which the current incident response procedures are reviewed and updated is defined. 53A_R5_IR-01_ODP[07]

IRO-04.2 IRO-04.2_A07 events that would require the incident response procedures to be reviewed and updated are defined. 53A_R5_IR-01_ODP[08]

IRO-04.2 IRO-04.2_A08 an incident response policy is developed and documented. 53A_R5_IR-01a.[01]

IRO-04.2 IRO-04.2_A09 the incident response policy is disseminated to organization-defined personnel or roles. 53A_R5_IR-01a.[02]

IRO-04.2 IRO-04.2_A10 incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented. 53A_R5_IR-01a.[03]

IRO-04.2 IRO-04.2_A11 the incident response procedures are disseminated to organization-defined personnel or roles. 53A_R5_IR-01a.[04]

IRO-04.2 IRO-04.2_A12 the organization's incident response policy addresses purpose. 53A_R5_IR-01a.01(a)[01]

IRO-04.2 IRO-04.2_A13 the organization's incident response policy addresses scope. 53A_R5_IR-01a.01(a)[02]

IRO-04.2 IRO-04.2_A14 the organization's incident response policy addresses roles. 53A_R5_IR-01a.01(a)[03]

IRO-04.2 IRO-04.2_A15 the organization's incident response policy addresses responsibilities. 53A_R5_IR-01a.01(a)[04]

IRO-04.2 IRO-04.2_A16 the organization's incident response policy addresses management commitment. 53A_R5_IR-01a.01(a)[05]

IRO-04.2 IRO-04.2_A17 the organization's incident response policy addresses coordination among organizational entities. 53A_R5_IR-01a.01(a)[06]

IRO-04.2 IRO-04.2_A18 the organization's incident response policy addresses compliance. 53A_R5_IR-01a.01(a)[07]

IRO-04.2 IRO-04.2_A19 the organization's incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. 53A_R5_IR-01a.01(b)

IRO-04.2 IRO-04.2_A20 the organization-defined official is designated to manage the development, documentation, and dissemination of the incident response policy and procedures. 53A_R5_IR-01b.

IRO-04.2 IRO-04.2_A21 the current incident response policy is reviewed and updated at the organization-defined frequency. 53A_R5_IR-01c.01[01]

IRO-04.2 IRO-04.2_A22 the current incident response policy is reviewed and updated following organization-defined events. 53A_R5_IR-01c.01[02]

IRO-04.2 IRO-04.2_A23 the current incident response procedures are reviewed and updated at the organization-defined frequency. 53A_R5_IR-01c.02[01]

IRO-04.2 IRO-04.2_A24 the current incident response procedures are reviewed and updated following organization-defined events. 53A_R5_IR-01c.02[02]

IRO-04.3 IRO-04.3_A01 qualitative data from testing are used to determine the effectiveness of incident response processes. 53A_R5_IR-03(03)(a)[01]

IRO-04.3 IRO-04.3_A02 quantitative data from testing are used to determine the effectiveness of incident response processes. 53A_R5_IR-03(03)(a)[02]

IRO-04.3 IRO-04.3_A03 qualitative data from testing are used to continuously improve incident response processes. 53A_R5_IR-03(03)(b)[01]

IRO-04.3 IRO-04.3_A04 quantitative data from testing are used to continuously improve incident response processes. 53A_R5_IR-03(03)(b)[02]

IRO-04.3 IRO-04.3_A05 qualitative data from testing are used to provide incident response measures and metrics that are accurate. 53A_R5_IR-03(03)(c)[01]

IRO-04.3 IRO-04.3_A06 quantitative data from testing are used to provide incident response measures and metrics that are accurate. 53A_R5_IR-03(03)(c)[02]

IRO-04.3 IRO-04.3_A07 qualitative data from testing are used to provide incident response measures and metrics that are consistent. 53A_R5_IR-03(03)(c)[03]

IRO-04.3 IRO-04.3_A08 quantitative data from testing are used to provide incident response measures and metrics that are consistent. 53A_R5_IR-03(03)(c)[04]

IRO-04.3 IRO-04.3_A09 qualitative data from testing are used to provide incident response measures and metrics in a reproducible format. 53A_R5_IR-03(03)(c)[05]

IRO-04.3 IRO-04.3_A10 quantitative data from testing are used to provide incident response measures and metrics in a reproducible format. 53A_R5_IR-03(03)(c)[06]

IRO-05 IRO-05_A01 a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined. 53A_R5_IR-02_ODP[01]

IRO-05 IRO-05_A02 frequency at which to provide incident response training to users is defined. 53A_R5_IR-02_ODP[02]

IRO-05 IRO-05_A03 frequency at which to review and update incident response training content is defined. 53A_R5_IR-02_ODP[03]

IRO-05 IRO-05_A04 events that initiate a review of the incident response training content are defined. 53A_R5_IR-02_ODP[04]


IRO-05 IRO-05_A05 incident response training is provided to system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming an incident response role or responsibility or acquiring system access. 53A_R5_IR-02a.01

IRO-05 IRO-05_A06 incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes. 53A_R5_IR-02a.02

IRO-05 IRO-05_A07 incident response training is provided to system users consistent with assigned roles and responsibilities at the organization-defined frequency thereafter. 53A_R5_IR-02a.03

IRO-05 IRO-05_A08 incident response training content is reviewed and updated at the organization-defined frequency. 53A_R5_IR-02b.[01]

IRO-05 IRO-05_A09 incident response training content is reviewed and updated following events. 53A_R5_IR-02b.[02]

IRO-05 IRO-05_A10 incident response training on how to identify and respond to a breach is provided. 53A_R5_IR-02(03)[01]

IRO-05 IRO-05_A11 incident response training on the organization’s process for reporting a breach is provided. 53A_R5_IR-02(03)[02]

IRO-05.1 IRO-05.1_A01 simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations. 53A_R5_IR-02(01)

IRO-05.2 IRO-05.2_A01 automated mechanisms used in an incident response training environment are defined. 53A_R5_IR-02(02)_ODP

IRO-05.2 IRO-05.2_A02 an incident response training environment is provided using automated mechanisms. 53A_R5_IR-02(02)

IRO-06 IRO-06_A01 the incident response capability is tested. 171A_3.6.3

IRO-06 IRO-06_A02 frequency at which to test the effectiveness of the incident response capability for the system is defined. 53A_R5_IR-03_ODP[01]

IRO-06 IRO-06_A03 tests used to test the effectiveness of the incident response capability for the system are defined. 53A_R5_IR-03_ODP[02]

IRO-06 IRO-06_A04 the effectiveness of the incident response capability for the system is tested at the organization-defined frequency using the organization-defined tests. 53A_R5_IR-03

IRO-06 IRO-06_A05 a frequency at which to test intrusion-monitoring tools and mechanisms is defined. 53A_R5_SI-04(09)_ODP

IRO-06 IRO-06_A06 intrusion-monitoring tools and mechanisms are tested at the organization-defined frequency. 53A_R5_SI-04(09)

IRO-06.1 IRO-06.1_A01 incident response testing is coordinated with organizational elements responsible for related plans. 53A_R5_IR-03(02)

IRO-07 IRO-07_A01 the time period within which an integrated incident response team can be deployed is defined. 53A_R5_IR-04(11)_ODP
172A_3.6.2e_ODP[1]

IRO-07 IRO-07_A02 an integrated incident response team is established and maintained. 53A_R5_IR-04(11)[01]
172A_3.6.2e[a]
172A_3.6.2e[c]

IRO-07 IRO-07_A03 the cyber incident response team can be deployed by the organization within an organization-defined time period. 53A_R5_IR-04(11)[02]
172A_3.6.2e[b]

IRO-08 IRO-08_A01 reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released. 53A_R5_AU-10(03)

IRO-09 IRO-09_A01 incidents are tracked. 53A_R5_IR-05[01]

IRO-09 IRO-09_A02 incidents are documented. 53A_R5_IR-05[02]

IRO-09.1 IRO-09.1_A01 automated mechanisms used to track incidents are defined. 53A_R5_IR-05(01)_ODP[01]

IRO-09.1 IRO-09.1_A02 automated mechanisms used to collect incident information are defined. 53A_R5_IR-05(01)_ODP[02]

IRO-09.1 IRO-09.1_A03 automated mechanisms used to analyze incident information are defined. 53A_R5_IR-05(01)_ODP[03]

IRO-09.1 IRO-09.1_A04 incidents are tracked using automated mechanisms. 53A_R5_IR-05(01)[01]

IRO-09.1 IRO-09.1_A05 incident information is collected using automated mechanisms. 53A_R5_IR-05(01)[02]

IRO-09.1 IRO-09.1_A06 incident information is analyzed using automated mechanisms. 53A_R5_IR-05(01)[03]

IRO-10 IRO-10_A01 time period for personnel to report suspected incidents to the organizational incident response capability is defined. 53A_R5_IR-06_ODP[01]

IRO-10 IRO-10_A02 authorities to whom incident information is to be reported are defined. 53A_R5_IR-06_ODP[02]

IRO-10 IRO-10_A03 personnel is/are required to report suspected incidents to the organizational incident response capability within an organization-defined time period. 53A_R5_IR-06a.

IRO-10 IRO-10_A04 incident information is reported to authorities. 53A_R5_IR-06b.

IRO-10.1 IRO-10.1_A01 automated mechanisms used for reporting incidents are defined. 53A_R5_IR-06(01)_ODP

IRO-10.1 IRO-10.1_A02 incidents are reported using automated mechanisms. 53A_R5_IR-06(01)

IRO-10.2 IRO-10.2_A01 sensitive/regulated data incidents are reported in a timely manner. SCF Created


IRO-10.3 IRO-10.3_A01 personnel or roles to whom system vulnerabilities associated with reported incidents are reported is/are defined. 53A_R5_IR-06(02)_ODP

IRO-10.3 IRO-10.3_A02 system vulnerabilities associated with reported incidents are reported to personnel or roles. 53A_R5_IR-06(02)

IRO-10.4 IRO-10.4_A01 incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain. 53A_R5_IR-04(10)

IRO-10.4 IRO-10.4_A02 incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident. 53A_R5_IR-06(03)

IRO-11 IRO-11_A01 an incident response support resource, integral to the organizational incident response capability, is provided. 53A_R5_IR-07[01]

IRO-11 IRO-11_A02 the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents. 53A_R5_IR-07[02]

IRO-11 IRO-11_A03 a time period for deploying a cyber incident response team is defined. 172A_3.6.2e_ODP[1]

IRO-11 IRO-11_A04 a cyber incident response team is established. 172A_3.6.2e[a]

IRO-11 IRO-11_A05 the cyber incident response team can be deployed by the organization within an organization-defined time period. 172A_3.6.2e[b]

IRO-11 IRO-11_A06 the cyber incident response team is maintained. 172A_3.6.2e[c]

IRO-11.1 IRO-11.1_A01 automated mechanisms used to increase the availability of incident response information and support are defined. 53A_R5_IR-07(01)_ODP

IRO-11.1 IRO-11.1_A02 the availability of incident response information and support is increased using automated mechanisms. 53A_R5_IR-07(01)

IRO-11.2 IRO-11.2_A01 a direct, cooperative relationship is established between its incident response capability and external providers of the system protection capability. 53A_R5_IR-07(02)(a)

IRO-11.2 IRO-11.2_A02 organizational incident response team members are identified to the external providers. 53A_R5_IR-07(02)(b)

IRO-12 IRO-12_A01 actions to be performed are defined. 53A_R5_IR-09_ODP[03]

IRO-12 IRO-12_A02 the specific information involved in the system contamination is identified in response to information spills. 53A_R5_IR-09b.

IRO-12 IRO-12_A03 personnel or roles is/are alerted of the information spill using a method of communication not associated with the spill. 53A_R5_IR-09c.

IRO-12 IRO-12_A04 the contaminated system or system component is isolated in response to information spills. 53A_R5_IR-09d.

IRO-12 IRO-12_A05 the information is eradicated from the contaminated system or component in response to information spills. 53A_R5_IR-09e.

IRO-12 IRO-12_A06 other systems or system components that may have been subsequently contaminated are identified in response to information spills. 53A_R5_IR-09f.

IRO-12 IRO-12_A07 actions are performed in response to information spills. 53A_R5_IR-09g.

IRO-12.1 IRO-12.1_A01 personnel or roles assigned the responsibility for responding to information spills is/are defined. 53A_R5_IR-09_ODP[01]

IRO-12.1 IRO-12.1_A02 personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined. 53A_R5_IR-09_ODP[02]

IRO-12.1 IRO-12.1_A03 personnel or roles is/are assigned the responsibility to respond to information spills. 53A_R5_IR-09a.

IRO-12.2 IRO-12.2_A01 frequency at which to provide information spillage response training is defined. 53A_R5_IR-09(02)_ODP

IRO-12.2 IRO-12.2_A02 information spillage response training is provided at the organization-defined frequency. 53A_R5_IR-09(02)

IRO-12.3 IRO-12.3_A01 procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems undergo corrective actions are defined. 53A_R5_IR-09(03)_ODP

IRO-12.3 IRO-12.3_A02 procedures are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. 53A_R5_IR-09(03)

IRO-12.4 IRO-12.4_A01 controls employed for personnel exposed to information not within assigned access authorizations are defined. 53A_R5_IR-09(04)_ODP

IRO-12.4 IRO-12.4_A02 controls are employed for personnel exposed to information not within assigned access authorizations. 53A_R5_IR-09(04)

IRO-13 IRO-13_A08 malicious code remaining in the system is analyzed after the incident. 53A_R5_IR-04(12)[01]

IRO-13 IRO-13_A09 other residual artifacts remaining in the system (if any) are analyzed after the incident. 53A_R5_IR-04(12)[02]

IRO-14 IRO-14_A01 time period for personnel to report suspected incidents to the organizational incident response capability is defined. 53A_R5_IR-06_ODP[01]

IRO-14 IRO-14_A02 authorities to whom incident information is to be reported are defined. 53A_R5_IR-06_ODP[02]

IRO-14 IRO-14_A03 personnel is/are required to report suspected incidents to the organizational incident response capability within an organization-defined time period. 53A_R5_IR-06a.

IRO-14 IRO-14_A04 incident information is reported to authorities. 53A_R5_IR-06b.


IRO-15 IRO-15_A01 the system, system component or location where a detonation chamber capability is to be employed is defined. 53A_R5_SC-44_ODP

IRO-15 IRO-15_A02 a detonation chamber capability is employed within the organization-defined system, system component or location. 53A_R5_SC-44

IRO-16 IRO-16_A01 public relations associated with an incident are managed. 53A_R5_IR-04(15)(a)

IRO-16 IRO-16_A02 measures are employed to repair the reputation of the organization. 53A_R5_IR-04(15)(b)

IAO-01 IAO-01_A01 the Information Assurance (IA) program is organization-wide. 53A_R5_CA-01_ODP[03]

IAO-01 IAO-01_A02 a process is implemented for ensuring that organizational plans for conducting security and/or privacy testing, training and monitoring activities associated with organizational systems are developed. 53A_R5_PM-14a.01[01] 53A_R5_PM-14a.01[03]

IAO-01 IAO-01_A03 a process is implemented for ensuring that organizational plans for conducting security and/or privacy testing, training and monitoring activities associated with organizational systems are maintained. 53A_R5_PM-14a.01[02] 53A_R5_PM-14a.01[04]

IAO-01 IAO-01_A04 a process is implemented for ensuring that organizational plans for conducting security and/or privacy testing, training and monitoring activities associated with organizational systems continue to be executed. 53A_R5_PM-14a.02[01] 53A_R5_PM-14a.02[02]

IAO-01 IAO-01_A05 the security state of organizational systems and the environments in which those systems operate are managed through authorization processes. 53A_R5_PM-10a.[01]

IAO-01 IAO-01_A06 the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes. 53A_R5_PM-10a.[02]

IAO-01 IAO-01_A07 individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process. 53A_R5_PM-10b.

IAO-01 IAO-01_A08 the authorization processes are integrated into an organization-wide risk management program. 53A_R5_PM-10c.

IAO-01.1 IAO-01.1_A01 assessments are defined as (1) organization-level; (2) mission/business process-level; or (3) system/application/service-level. 53A_R5_AC-01_ODP[03] 53A_R5_AT-01_ODP[03] 53A_R5_AU-01_ODP[03] 53A_R5_CA-01_ODP[03] 53A_R5_CM-01_ODP[03] 53A_R5_CP-01_ODP[03] 53A_R5_IA-01_ODP[03] 53A_R5_IR-01_ODP[03] 53A_R5_MA-01_ODP[03] 53A_R5_MP-01_ODP[03] 53A_R5_PE-01_ODP[03] 53A_R5_PL-01_ODP[03] 53A_R5_PS-01_ODP[03] 53A_R5_PT-01_ODP[03] 53A_R5_RA-01_ODP[03] 53A_R5_SA-01_ODP[03] 53A_R5_SC-01_ODP[03] 53A_R5_SI-01_ODP[03] 53A_R5_SR-01_ODP[03]

IAO-01.1 IAO-01.1_A02 the scope of assessments is established by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the data and systems under review. 172A_3.14.3e_ODP[1]

IAO-02 IAO-02_A01 security critical or essential software components for which to verify correctness are defined. 172A_3.14.7e_ODP[1]

IAO-02 IAO-02_A02 security critical or essential firmware components for which to verify correctness are defined. 172A_3.14.7e_ODP[2]

IAO-02 IAO-02_A03 security critical or essential hardware components for which to verify correctness are defined. 172A_3.14.7e_ODP[3]

IAO-02 IAO-02_A04 verification methods or techniques are defined. 172A_3.14.7e_ODP[4]

IAO-02 IAO-02_A05 the correctness of security critical or essential software components is verified using verification methods or techniques. 172A_3.14.7e[a]

IAO-02 IAO-02_A06 the correctness of security critical or essential firmware components is verified using verification methods or techniques. 172A_3.14.7e[b]

IAO-02 IAO-02_A07 the correctness of security critical or essential hardware components is verified using verification methods or techniques. 172A_3.14.7e[c]

IAO-02 IAO-02_A08 the frequency at which to assess controls in the system and its environment of operation is defined. 53A_R5_CA-02_ODP[01]

IAO-02 IAO-02_A09 individuals or roles to whom control assessment results are to be provided are defined. 53A_R5_CA-02_ODP[02]

IAO-02 IAO-02_A10 an appropriate assessor or assessment team is selected for the type of assessment to be conducted. 53A_R5_CA-02a.

IAO-02 IAO-02_A11 a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment. 53A_R5_CA-02b.01

IAO-02 IAO-02_A12 a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness. 53A_R5_CA-02b.02

IAO-02 IAO-02_A13 a control assessment plan is developed that describes the scope of the assessment, including the assessment environment. 53A_R5_CA-02b.03[01]

IAO-02 IAO-02_A14 a control assessment plan is developed that describes the scope of the assessment, including the assessment team. 53A_R5_CA-02b.03[02]

IAO-02 IAO-02_A15 a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities. 53A_R5_CA-02b.03[03]

IAO-02 IAO-02_A16 the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment. 53A_R5_CA-02c.

IAO-02 IAO-02_A17 controls are assessed in the system and its environment of operation at the organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established security requirements. 53A_R5_CA-02d.[01]

IAO-02 IAO-02_A18 controls are assessed in the system and its environment of operation at the organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established privacy requirements. 53A_R5_CA-02d.[02]

IAO-02 IAO-02_A19 a control assessment report is produced that documents the results of the assessment. 53A_R5_CA-02e.

IAO-02 IAO-02_A20 the results of the control assessment are provided to individuals or roles. 53A_R5_CA-02f.

IAO-02.1 IAO-02.1_A01 independent assessors or assessment teams are employed to conduct control assessments. 53A_R5_CA-02(01)

IAO-02.2 IAO-02.2_A01 frequency at which to include specialized assessments as part of the control assessment is defined. 53A_R5_CA-02(02)_ODP[01]


IAO-02.2 IAO-02.2_A02 other forms of announced or unannounced assessment are defined. 53A_R5_CA-02(02)_ODP[02] 53A_R5_CA-02(02)_ODP[03] 53A_R5_CA-02(02)_ODP[04]

IAO-02.2 IAO-02.2_A03 organization-defined specialized assessment frequencies are included as part of control assessments. 53A_R5_CA-02(02)

IAO-02.3 IAO-02.3_A01 external organizations from which the results of control assessments are leveraged are defined. 53A_R5_CA-02(03)_ODP[01]

IAO-02.3 IAO-02.3_A02 system on which a control assessment was performed by an external organization is defined. 53A_R5_CA-02(03)_ODP[02]

IAO-02.3 IAO-02.3_A03 requirements to be met by the control assessment performed by an external organization on the system are defined. 53A_R5_CA-02(03)_ODP[03]

IAO-02.3 IAO-02.3_A04 the results of control assessments performed by organization-defined external organizations on organization-defined system are leveraged when the assessment meets organization-defined requirements. 53A_R5_CA-02(03)

IAO-02.4 IAO-02.4_A01 produce a Security Assessment Report (SAR) at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions. SCF Created

IAO-03 IAO-03_A01 the system boundary is described and documented in the system security plan. 171A_3.12.4[b]

IAO-03 IAO-03_A02 the security requirements identified and approved by the designated authority as non-applicable are identified. 171A_3.12.4[d]

IAO-03 IAO-03_A03 the method of security requirement implementation is described and documented in the system security plan. 171A_3.12.4[e]

IAO-03 IAO-03_A04 the relationship with or connection to other systems is described and documented in the system security plan. 171A_3.12.4[f]

IAO-03 IAO-03_A05 the system security plan documents or references the security solution selected. 172A_3.11.4e[a]

IAO-03 IAO-03_A06 the system security plan documents or references the rationale for the security solution. 172A_3.11.4e[b]

IAO-03 IAO-03_A07 the system security plan documents or references the risk determination. 172A_3.11.4e[c]

IAO-03 IAO-03_A08 individuals or groups with whom cybersecurity & privacy-related activities affecting the system that require planning and coordination is/are assigned. 53A_R5_PL-02_ODP[01]

IAO-03 IAO-03_A09 personnel or roles to receive distributed copies of the system cybersecurity & privacy plans is/are assigned. 53A_R5_PL-02_ODP[02]

IAO-03 IAO-03_A10 frequency to review system cybersecurity & privacy plans is defined. 53A_R5_PL-02_ODP[03] 171A_3.12.4[g]

IAO-03 IAO-03_A11 system security plan is updated with the defined frequency. 171A_3.12.4[h]

IAO-03 IAO-03_A12 a security plan for the system is developed that is consistent with the organization’s enterprise architecture. 53A_R5_PL-02a.01[01]

IAO-03 IAO-03_A13 a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture. 53A_R5_PL-02a.01[02]

IAO-03 IAO-03_A14 a security plan for the system is developed that explicitly defines the constituent system components. 53A_R5_PL-02a.02[01]

IAO-03 IAO-03_A15 a privacy plan for the system is developed that explicitly defines the constituent system components. 53A_R5_PL-02a.02[02]

IAO-03 IAO-03_A16 a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes. 53A_R5_PL-02a.03[01]

IAO-03 IAO-03_A17 a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes. 53A_R5_PL-02a.03[02]

IAO-03 IAO-03_A18 a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities. 53A_R5_PL-02a.04[01]

IAO-03 IAO-03_A19 a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities. 53A_R5_PL-02a.04[02]

IAO-03 IAO-03_A20 a security plan for the system is developed that identifies the information types processed, stored and transmitted by the system. 53A_R5_PL-02a.05[01]

IAO-03 IAO-03_A21 a privacy plan for the system is developed that identifies the information types processed, stored and transmitted by the system. 53A_R5_PL-02a.05[02]

IAO-03 IAO-03_A22 a security plan for the system is developed that provides the security categorization of the system, including supporting rationale. 53A_R5_PL-02a.06[01]

IAO-03 IAO-03_A23 a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale. 53A_R5_PL-02a.06[02]

IAO-03 IAO-03_A24 a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization. 53A_R5_PL-02a.07[01]

IAO-03 IAO-03_A25 a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization. 53A_R5_PL-02a.07[02]

IAO-03 IAO-03_A26 a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personal data. 53A_R5_PL-02a.08[01]

IAO-03 IAO-03_A27 a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personal data. 53A_R5_PL-02a.08[02]

IAO-03 IAO-03_A28 a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components. 53A_R5_PL-02a.09[01] 171A_3.12.4[c]

IAO-03 IAO-03_A29 a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components. 53A_R5_PL-02a.09[02]


IAO-03 IAO-03_A30 a security plan for the system is developed that provides an overview of the security requirements for the system. 53A_R5_PL-02a.10[01] 171A_3.12.4[a]

IAO-03 IAO-03_A31 a privacy plan for the system is developed that provides an overview of the privacy requirements for the system. 53A_R5_PL-02a.10[02]

IAO-03 IAO-03_A32 a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable. 53A_R5_PL-02a.11[01]

IAO-03 IAO-03_A33 a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable. 53A_R5_PL-02a.11[02]

IAO-03 IAO-03_A34 a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions. 53A_R5_PL-02a.12[01]

IAO-03 IAO-03_A35 a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions. 53A_R5_PL-02a.12[02]

IAO-03 IAO-03_A36 a security plan for the system is developed that includes risk determinations for security architecture and design decisions. 53A_R5_PL-02a.13[01]

IAO-03 IAO-03_A37 a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions. 53A_R5_PL-02a.13[02]

IAO-03 IAO-03_A38 a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with individuals or groups. 53A_R5_PL-02a.14[01]

IAO-03 IAO-03_A39 a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with individuals or groups. 53A_R5_PL-02a.14[02]

IAO-03 IAO-03_A40 a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation. 53A_R5_PL-02a.15[01]

IAO-03 IAO-03_A41 a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation. 53A_R5_PL-02a.15[02]

IAO-03 IAO-03_A42 copies of the plans are distributed to personnel or roles. 53A_R5_PL-02b.[01]

IAO-03 IAO-03_A43 subsequent changes to the plans are communicated to personnel or roles. 53A_R5_PL-02b.[02]

IAO-03 IAO-03_A44 plans are reviewed frequently. 53A_R5_PL-02c.

IAO-03 IAO-03_A45 plans are updated to address changes to the system and environment of operations. 53A_R5_PL-02d.[01]

IAO-03 IAO-03_A46 plans are updated to address problems identified during the plan implementation. 53A_R5_PL-02d.[02]

IAO-03 IAO-03_A47 plans are updated to address problems identified during control assessments. 53A_R5_PL-02d.[03]

IAO-03 IAO-03_A48 plans are protected from unauthorized disclosure. 53A_R5_PL-02e.[01]

IAO-03 IAO-03_A49 plans are protected from unauthorized modification. 53A_R5_PL-02e.[02]

IAO-03.1 IAO-03.1_A01 a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components. 53A_R5_PL-02a.09[01]

IAO-03.1 IAO-03.1_A02 a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components. 53A_R5_PL-02a.09[02]

IAO-03.2 IAO-03.2_A01 sensitive/regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract is protected. SCF Created

IAO-04 IAO-04_A01 the breadth of penetration testing is defined. 53A_R5_SA-11(05)_ODP[01]

IAO-04 IAO-04_A02 the depth of penetration testing is defined. 53A_R5_SA-11(05)_ODP[02]

IAO-04 IAO-04_A03 constraints of penetration testing are defined. 53A_R5_SA-11(05)_ODP[03]

IAO-04 IAO-04_A04 the developer of the system, system component, or system service is required to perform penetration testing at an organization-defined breadth. 53A_R5_SA-11(05)(a)[01]

IAO-04 IAO-04_A05 the developer of the system, system component, or system service is required to perform penetration testing at an organization-defined level of rigor. 53A_R5_SA-11(05)(a)[02]

IAO-04 IAO-04_A06 the developer of the system, system component, or system service is required to perform penetration testing under organization-defined constraints. 53A_R5_SA-11(05)(b)

IAO-05 IAO-05_A01 deficiencies and vulnerabilities to be addressed by the plan of action are identified. 171A_3.12.2[a]

IAO-05 IAO-05_A02 the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews and continuous monitoring activities is defined. 53A_R5_CA-05_ODP

IAO-05 IAO-05_A03 a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system. 53A_R5_CA-05a. 171A_3.12.2[b]

IAO-05 IAO-05_A04 existing plan of action and milestones are updated at an organization-defined frequency based on the findings from control assessments, independent audits or reviews and continuous monitoring activities. 53A_R5_CA-05b.

IAO-05 IAO-05_A05 a process is implemented to ensure that plans of action and milestones for the cybersecurity program and associated organizational systems are developed. 53A_R5_PM-04a.01[01]

IAO-05 IAO-05_A06 a process is implemented to ensure that plans of action and milestones for the cybersecurity program and associated organizational systems are maintained. 53A_R5_PM-04a.01[02]

IAO-05 IAO-05_A07 a process is implemented to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed. 53A_R5_PM-04a.01[03]


IAO-05 IAO-05_A08 a process is implemented to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained. 53A_R5_PM-04a.01[04]

IAO-05 IAO-05_A09 a process is implemented to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed. 53A_R5_PM-04a.01[05]

IAO-05 IAO-05_A10 a process is implemented to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained. 53A_R5_PM-04a.01[06]

IAO-05 IAO-05_A11 a process is implemented to ensure that plans of action and milestones for the cybersecurity program and associated organizational systems document remedial cybersecurity risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations and the Nation. 53A_R5_PM-04a.02[01] 171A_3.12.2[c]

IAO-05 IAO-05_A12 a process is implemented to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations and the Nation. 53A_R5_PM-04a.02[02] 171A_3.12.2[c]

IAO-05 IAO-05_A13 a process is implemented to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations and the Nation. 53A_R5_PM-04a.02[03] 171A_3.12.2[c]

IAO-05 IAO-05_A14 a process is implemented to ensure that plans of action and milestones for the cybersecurity risk management programs and associated organizational systems are reported in accordance with established reporting requirements. 53A_R5_PM-04a.03[01] 171A_3.12.2[c]

IAO-05 IAO-05_A15 a process is implemented to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements. 53A_R5_PM-04a.03[02] 171A_3.12.2[c]

IAO-05 IAO-05_A16 a process is implemented to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements. 53A_R5_PM-04a.03[03] 171A_3.12.2[c]

IAO-05 IAO-05_A17 plans of action and milestones are reviewed for consistency with the organizational risk management strategy. 53A_R5_PM-04b.[01]

IAO-05 IAO-05_A18 plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions. 53A_R5_PM-04b.[02]

IAO-05 IAO-05_A19 the developer of the system, system component or system service is required to select and employ security tracking tools for use during the development process. 53A_R5_SA-15(02)[01]

IAO-05 IAO-05_A20 the developer of the system, system component or system service is required to select and employ privacy tracking tools for use during the development process. 53A_R5_SA-15(02)[02]

IAO-05 IAO-05_A21 the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews and continuous monitoring activities is defined. 53A_R5_CA-05_ODP

IAO-05 IAO-05_A22 a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system. 53A_R5_CA-05a.

IAO-05 IAO-05_A23 existing plan of action and milestones are updated per an organization-defined frequency based on the findings from control assessments, independent audits or reviews and continuous monitoring activities. 53A_R5_CA-05b.

IAO-05.1 IAO-05.1_A01 automated mechanisms used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system are defined. 53A_R5_CA-05(01)_ODP

IAO-05.1 IAO-05.1_A02 organization-defined automated mechanisms are used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system. 53A_R5_CA-05(01)

IAO-06 IAO-06_A01 the frequency at which to assess controls in the system and its environment of operation is defined. 53A_R5_CA-02_ODP[01]

IAO-06 IAO-06_A02 individuals or roles to whom control assessment results are to be provided are defined. 53A_R5_CA-02_ODP[02]

IAO-06 IAO-06_A03 an appropriate assessor or assessment team is selected for the type of assessment to be conducted. 53A_R5_CA-02a.

IAO-06 IAO-06_A04 a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment. 53A_R5_CA-02b.01

IAO-06 IAO-06_A05 a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness. 53A_R5_CA-02b.02

IAO-06 IAO-06_A06 a control assessment plan is developed that describes the scope of the assessment, including the assessment environment. 53A_R5_CA-02b.03[01]

IAO-06 IAO-06_A07 a control assessment plan is developed that describes the scope of the assessment, including the assessment team. 53A_R5_CA-02b.03[02]

IAO-06 IAO-06_A08 a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities. 53A_R5_CA-02b.03[03]

IAO-06 IAO-06_A09 the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment. 53A_R5_CA-02c.

IAO-06 IAO-06_A10 controls are assessed in the system and its environment of operation at the organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established security requirements. 53A_R5_CA-02d.[01]

IAO-06 IAO-06_A11 controls are assessed in the system and its environment of operation at the organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established privacy requirements. 53A_R5_CA-02d.[02]

IAO-06 IAO-06_A12 a control assessment report is produced that documents the results of the assessment. 53A_R5_CA-02e.

IAO-06 IAO-06_A13 the results of the control assessment are provided to individuals or roles. 53A_R5_CA-02f.

IAO-06 IAO-06_A14 the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes. 53A_R5_CM-04(02)[01]

IAO-06 IAO-06_A15 the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes. 53A_R5_CM-04(02)[02]

IAO-06 IAO-06_A16 the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes. 53A_R5_CM-04(02)[03]

IAO-06 IAO-06_A17 the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes. 53A_R5_CM-04(02)[04]

IAO-06 IAO-06_A18 the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes. 53A_R5_CM-04(02)[05]


IAO-06 IAO-06_A19 the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes. 53A_R5_CM-04(02)[06]

IAO-07 IAO-07_A01 frequency at which to update the authorizations is defined. 53A_R5_CA-06_ODP

IAO-07 IAO-07_A02 a senior official is assigned as the authorizing official for the system. 53A_R5_CA-06a.

IAO-07 IAO-07_A03 a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems. 53A_R5_CA-06b.

IAO-07 IAO-07_A04 before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system. 53A_R5_CA-06c.01

IAO-07 IAO-07_A05 before commencing operations, the authorizing official for the system authorizes the system to operate. 53A_R5_CA-06c.02

IAO-07 IAO-07_A06 the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems. 53A_R5_CA-06d.

IAO-07 IAO-07_A07 the authorizations are updated at an organization-defined frequency. 53A_R5_CA-06e.

MNT-01 MNT-01_A01 personnel or roles to whom the maintenance policy is to be disseminated is/are defined. 53A_R5_MA-01_ODP[01]

MNT-01 MNT-01_A02 personnel or roles to whom the maintenance procedures are to be disseminated is/are defined. 53A_R5_MA-01_ODP[02]

MNT-01 MNT-01_A03 one or more of the following organization-defined criteria is/are selected: {organization-level; mission/business process-level; system-level}. 53A_R5_MA-01_ODP[03]

MNT-01 MNT-01_A04 an official to manage the maintenance policy and procedures is defined. 53A_R5_MA-01_ODP[04]

MNT-01 MNT-01_A05 the frequency with which the current maintenance policy is reviewed and updated is defined. 53A_R5_MA-01_ODP[05]

MNT-01 MNT-01_A06 events that would require the current maintenance policy to be reviewed and updated are defined. 53A_R5_MA-01_ODP[06]

MNT-01 MNT-01_A07 the frequency with which the current maintenance procedures are reviewed and updated is defined. 53A_R5_MA-01_ODP[07]

MNT-01 MNT-01_A08 events that would require the maintenance procedures to be reviewed and updated are defined. 53A_R5_MA-01_ODP[08]

MNT-01 MNT-01_A09 a maintenance policy is developed and documented. 53A_R5_MA-01a.[01]

MNT-01 MNT-01_A10 the maintenance policy is disseminated to organization-defined personnel or roles. 53A_R5_MA-01a.[02]

MNT-01 MNT-01_A11 maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented. 53A_R5_MA-01a.[03]

MNT-01 MNT-01_A12 the maintenance procedures are disseminated to organization-defined personnel or roles. 53A_R5_MA-01a.[04]

MNT-01 MNT-01_A13 the organization's maintenance policy addresses purpose. 53A_R5_MA-01a.01(a)[01]

MNT-01 MNT-01_A14 the organization's maintenance policy addresses scope. 53A_R5_MA-01a.01(a)[02]

MNT-01 MNT-01_A15 the organization's maintenance policy addresses roles. 53A_R5_MA-01a.01(a)[03]

MNT-01 MNT-01_A16 the organization's maintenance policy addresses responsibilities. 53A_R5_MA-01a.01(a)[04]

MNT-01 MNT-01_A17 the organization's maintenance policy addresses management commitment. 53A_R5_MA-01a.01(a)[05]

MNT-01 MNT-01_A18 the organization's maintenance policy addresses coordination among organizational entities. 53A_R5_MA-01a.01(a)[06]

MNT-01 MNT-01_A19 the organization's maintenance policy addresses compliance. 53A_R5_MA-01a.01(a)[07]

MNT-01 MNT-01_A20 the organization's maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. 53A_R5_MA-01a.01(b)

MNT-01 MNT-01_A21 the organization-defined official is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures. 53A_R5_MA-01b.

MNT-01 MNT-01_A22 the current maintenance policy is reviewed and updated at an organization-defined frequency. 53A_R5_MA-01c.01[01]

MNT-01 MNT-01_A23 the current maintenance policy is reviewed and updated following organization-defined events. 53A_R5_MA-01c.01[02]

MNT-01 MNT-01_A24 the current maintenance procedures are reviewed and updated at an organization-defined frequency. 53A_R5_MA-01c.02[01]

MNT-01 MNT-01_A25 the current maintenance procedures are reviewed and updated following organization-defined events. 53A_R5_MA-01c.02[02]

MNT-02 MNT-02_A01 system maintenance is performed. 171A_3.7.1

MNT-02 MNT-02_A02 personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined. 53A_R5_MA-02_ODP[01]

MNT-02 MNT-02_A03 information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair or replacement is defined. 53A_R5_MA-02_ODP[02]


MNT-02 MNT-02_A04 information to be included in organizational maintenance records is defined. 53A_R5_MA-02_ODP[03]

MNT-02 MNT-02_A05 maintenance, repair and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements. 53A_R5_MA-02a.[01]

MNT-02 MNT-02_A06 maintenance, repair and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements. 53A_R5_MA-02a.[02]

MNT-02 MNT-02_A07 records of maintenance, repair and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements. 53A_R5_MA-02a.[03]

MNT-02 MNT-02_A08 all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved. 53A_R5_MA-02b.[01]

MNT-02 MNT-02_A09 all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored. 53A_R5_MA-02b.[02]

MNT-02 MNT-02_A10 personnel or roles is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair or replacement. 53A_R5_MA-02c.

MNT-02 MNT-02_A11 equipment is sanitized to remove information from associated media prior to removal from organizational facilities for off-site maintenance, repair or replacement. 53A_R5_MA-02d.

MNT-02 MNT-02_A12 all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair or replacement actions. 53A_R5_MA-02e.

MNT-02 MNT-02_A13 information is included in organizational maintenance records. 53A_R5_MA-02f.

MNT-02.1 MNT-02.1_A01 automated mechanisms used to schedule maintenance, repair and replacement actions for the system are defined. 53A_R5_MA-02(02)_ODP[01]

MNT-02.1 MNT-02.1_A02 automated mechanisms used to conduct maintenance, repair and replacement actions for the system are defined. 53A_R5_MA-02(02)_ODP[02]

MNT-02.1 MNT-02.1_A03 automated mechanisms used to document maintenance, repair and replacement actions for the system are defined. 53A_R5_MA-02(02)_ODP[03]

MNT-02.1 MNT-02.1_A04 automated mechanisms are used to schedule maintenance, repair and replacement actions for the system. 53A_R5_MA-02(02)(a)[01]

MNT-02.1 MNT-02.1_A05 automated mechanisms are used to conduct maintenance, repair and replacement actions for the system. 53A_R5_MA-02(02)(a)[02]

MNT-02.1 MNT-02.1_A06 automated mechanisms are used to document maintenance, repair and replacement actions for the system. 53A_R5_MA-02(02)(a)[03]

MNT-02.1 MNT-02.1_A07 up-to-date, accurate and complete records of all maintenance actions requested, scheduled, in process and completed are produced. 53A_R5_MA-02(02)(b)[01]

MNT-02.1 MNT-02.1_A08 up-to-date, accurate and complete records of all repair actions requested, scheduled, in process and completed are produced. 53A_R5_MA-02(02)(b)[02]

MNT-02.1 MNT-02.1_A09 up-to-date, accurate and complete records of all replacement actions requested, scheduled, in process and completed are produced. 53A_R5_MA-02(02)(b)[03]

MNT-03 MNT-03_A01 system components for which maintenance support and/or spare parts are obtained are defined. 53A_R5_MA-06_ODP[01]

MNT-03 MNT-03_A02 time period within which maintenance support and/or spare parts are to be obtained after a failure is defined. 53A_R5_MA-06_ODP[02]

MNT-03 MNT-03_A03 maintenance support and/or spare parts are obtained for system components within an organization-defined time period of failure. 53A_R5_MA-06

MNT-03.1 MNT-03.1_A01 system components on which preventive maintenance is to be performed are defined. 53A_R5_MA-06(01)_ODP[01]

MNT-03.1 MNT-03.1_A02 time intervals within which preventive maintenance is to be performed on system components are defined. 53A_R5_MA-06(01)_ODP[02]

MNT-03.1 MNT-03.1_A03 preventive maintenance is performed on system components at organization-defined time intervals. 53A_R5_MA-06(01)

MNT-03.2 MNT-03.2_A01 system components on which predictive maintenance is to be performed are defined. 53A_R5_MA-06(02)_ODP[01]

MNT-03.2 MNT-03.2_A02 time intervals within which predictive maintenance is to be performed are defined. 53A_R5_MA-06(02)_ODP[02]

MNT-03.2 MNT-03.2_A03 predictive maintenance is performed on system components at organization-defined time intervals. 53A_R5_MA-06(02)

MNT-03.3 MNT-03.3_A01 automated mechanisms used to transfer predictive maintenance data to a maintenance management system are defined. 53A_R5_MA-06(03)_ODP

MNT-03.3 MNT-03.3_A02 predictive maintenance data is transferred to a maintenance management system using automated mechanisms. 53A_R5_MA-06(03)

MNT-04 MNT-04_A01 tools used to conduct system maintenance are controlled. 171A_3.7.2[a]; 53A_R5_MA-03a.[02]

MNT-04 MNT-04_A02 techniques used to conduct system maintenance are controlled. 171A_3.7.2[b]

MNT-04 MNT-04_A03 mechanisms used to conduct system maintenance are controlled. 171A_3.7.2[c]

MNT-04 MNT-04_A04 personnel used to conduct system maintenance are controlled. 171A_3.7.2[d]

MNT-04 MNT-04_A05 frequency at which to review previously approved system maintenance tools is defined. 53A_R5_MA-03_ODP

MNT-04 MNT-04_A06 the use of system maintenance tools is approved. 53A_R5_MA-03a.[01]


MNT-04 MNT-04_A07 the use of system maintenance tools is monitored. 53A_R5_MA-03a.[03]

MNT-04 MNT-04_A08 previously approved system maintenance tools are reviewed per an organization-defined frequency. 53A_R5_MA-03b.

MNT-04 MNT-04_A09 the use of maintenance tools that execute with increased privilege is monitored. 53A_R5_MA-03(05)

MNT-04 MNT-04_A10 maintenance tools are inspected to ensure that the latest software updates and patches are installed. 53A_R5_MA-03(06)

MNT-04.1 MNT-04.1_A01 maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications. 53A_R5_MA-03(01)

MNT-04.2 MNT-04.2_A01 media containing diagnostic and test programs are checked for malicious code before the media are used in the system. 53A_R5_MA-03(02); 171A_3.7.4

MNT-04.3 MNT-04.3_A01 personnel or roles who can authorize removal of equipment from the facility is/are defined. 53A_R5_MA-03(03)_ODP

MNT-04.3 MNT-04.3_A02 the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment. 53A_R5_MA-03(03)(a)

MNT-04.3 MNT-04.3_A03 the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment. 53A_R5_MA-03(03)(b)

MNT-04.3 MNT-04.3_A04 the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility. 53A_R5_MA-03(03)(c)

MNT-04.3 MNT-04.3_A05 the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from personnel or roles explicitly authorizing removal of the equipment from the facility. 53A_R5_MA-03(03)(d)

MNT-04.4 MNT-04.4_A01 the use of maintenance tools is restricted to authorized personnel only. 53A_R5_MA-03(04)

MNT-05 MNT-05_A01 nonlocal maintenance and diagnostic activities are approved. 53A_R5_MA-04a.[01]

MNT-05 MNT-05_A02 nonlocal maintenance and diagnostic activities are monitored. 53A_R5_MA-04a.[02]

MNT-05 MNT-05_A03 the use of nonlocal maintenance and diagnostic tools is allowed only as consistent with organizational policy. 53A_R5_MA-04b.[01]

MNT-05 MNT-05_A04 the use of nonlocal maintenance and diagnostic tools is documented in the security plan for the system. 53A_R5_MA-04b.[02]

MNT-05 MNT-05_A05 strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions. 53A_R5_MA-04c.

MNT-05 MNT-05_A06 records for nonlocal maintenance and diagnostic activities are maintained. 53A_R5_MA-04d.

MNT-05 MNT-05_A07 session connections are terminated when nonlocal maintenance is completed. 53A_R5_MA-04e.[01]

MNT-05 MNT-05_A08 network connections are terminated when nonlocal maintenance is completed. 53A_R5_MA-04e.[02]

MNT-05 MNT-05_A09 multifactor authentication is used to establish nonlocal maintenance sessions via external network connections. 171A_3.7.5[a]

MNT-05 MNT-05_A10 nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete. 171A_3.7.5[b]

MNT-05.1 MNT-05.1_A01 audit events to be logged for nonlocal maintenance are defined. 53A_R5_MA-04(01)_ODP[01]

MNT-05.1 MNT-05.1_A02 audit events to be logged for diagnostic sessions are defined. 53A_R5_MA-04(01)_ODP[02]

MNT-05.1 MNT-05.1_A03 audit events are logged for nonlocal maintenance sessions. 53A_R5_MA-04(01)(a)[01]

MNT-05.1 MNT-05.1_A04 audit events are logged for nonlocal diagnostic sessions. 53A_R5_MA-04(01)(a)[02]

MNT-05.1 MNT-05.1_A05 the audit records of the maintenance sessions are reviewed to detect anomalous behavior. 53A_R5_MA-04(01)(b)[01]

MNT-05.1 MNT-05.1_A06 the audit records of the diagnostic sessions are reviewed to detect anomalous behavior. 53A_R5_MA-04(01)(b)[02]

MNT-05.2 MNT-05.2_A01 nonlocal maintenance and diagnostic activities are monitored. 53A_R5_MA-04a.[02]

MNT-05.3 MNT-05.3_A01 cryptographic mechanisms to be implemented to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications are defined. 53A_R5_MA-04(06)_ODP

MNT-05.3 MNT-05.3_A02 cryptographic mechanisms are implemented to protect the integrity of nonlocal maintenance and diagnostic communications. 53A_R5_MA-04(06)[01]

MNT-05.3 MNT-05.3_A03 cryptographic mechanisms are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications. 53A_R5_MA-04(06)[02]

MNT-05.4 MNT-05.4_A01 session connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions. 53A_R5_MA-04(07)[01]

MNT-05.4 MNT-05.4_A02 network connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions. 53A_R5_MA-04(07)[02]

MNT-05.5 MNT-05.5_A01 personnel or roles required to approve each nonlocal maintenance session is/are defined. 53A_R5_MA-04(05)_ODP[01]

MNT-05.5 MNT-05.5_A02 personnel and roles to be notified of the date and time of planned nonlocal maintenance is/are defined. 53A_R5_MA-04(05)_ODP[02]


MNT-05.5 MNT-05.5_A03 the approval of each nonlocal maintenance session is required by personnel or roles. 53A_R5_MA-04(05)(a)

MNT-05.5 MNT-05.5_A04 personnel and roles is/are notified of the date and time of planned nonlocal maintenance. 53A_R5_MA-04(05)(b)

MNT-05.6 MNT-05.6_A01 nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced. 53A_R5_MA-04(03)(a)[01]

MNT-05.6 MNT-05.6_A02 nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced. 53A_R5_MA-04(03)(a)[02]

MNT-05.6 MNT-05.6_A03 the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services. 53A_R5_MA-04(03)(b)[01]

MNT-05.6 MNT-05.6_A04 the component to be serviced is sanitized (for organizational information). 53A_R5_MA-04(03)(b)[02]

MNT-05.6 MNT-05.6_A05 the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system. 53A_R5_MA-04(03)(b)[03]

MNT-05.7 MNT-05.7_A01 authenticators that are replay resistant are defined. 53A_R5_MA-04(04)_ODP

MNT-05.7 MNT-05.7_A02 nonlocal maintenance sessions are protected by employing organization-defined authenticators that are replay resistant. 53A_R5_MA-04(04)(a)

MNT-05.7 MNT-05.7_A03 nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system via physically separated communication paths. 53A_R5_MA-04(04)(b)(01)

MNT-05.7 MNT-05.7_A04 nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system via logically separated communication paths. 53A_R5_MA-04(04)(b)(02)

MNT-06 MNT-06_A01 maintenance personnel without required access authorization are supervised during maintenance activities. 171A_3.7.6

MNT-06 MNT-06_A02 a process for maintenance personnel authorization is established. 53A_R5_MA-05a.[01]

MNT-06 MNT-06_A03 a list of authorized maintenance organizations or personnel is maintained. 53A_R5_MA-05a.[02]

MNT-06 MNT-06_A04 non-escorted personnel performing maintenance on the system possess the required access authorizations. 53A_R5_MA-05b.

MNT-06 MNT-06_A05 organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations. 53A_R5_MA-05c.

MNT-06.1 MNT-06.1_A01 alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed or disconnected from the system are defined. 53A_R5_MA-05(01)_ODP

MNT-06.1 MNT-06.1_A02 procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities. 53A_R5_MA-05(01)(a)(01)

MNT-06.1 MNT-06.1_A03 procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities. 53A_R5_MA-05(01)(a)(02)

MNT-06.1 MNT-06.1_A04 alternate controls are developed and implemented in the event that a system component cannot be sanitized, removed or disconnected from the system. 53A_R5_MA-05(01)(b)

MNT-06.1 MNT-06.1_A05 personnel performing maintenance and diagnostic activities on a system processing, storing or transmitting classified information possess security clearances for at least the highest classification level and for compartments of information on the system. 53A_R5_MA-05(02)[01]

MNT-06.1 MNT-06.1_A06 personnel performing maintenance and diagnostic activities on a system processing, storing or transmitting classified information possess formal access approvals for at least the highest classification level and for compartments of information on the system. 53A_R5_MA-05(02)[02]

MNT-06.1 MNT-06.1_A07 personnel performing maintenance and diagnostic activities on a system processing, storing or transmitting classified information are U.S. citizens. 53A_R5_MA-05(03)

MNT-06.1 MNT-06.1_A08 foreign nationals are used to conduct maintenance and diagnostic activities on systems only when approved and authorized. 53A_R5_MA-05(04)(a)

MNT-06.1 MNT-06.1_A09 approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements. 53A_R5_MA-05(04)(b)[01]

MNT-06.1 MNT-06.1_A10 consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements. 53A_R5_MA-05(04)(b)[02]

MNT-06.1 MNT-06.1_A11 detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements. 53A_R5_MA-05(04)(b)[03]

MNT-06.2 MNT-06.2_A01 non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations. 53A_R5_MA-05(05)

MNT-07 MNT-07_A01 system components requiring configuration control are defined. 53A_R5_SR-11(02)_ODP

MNT-07 MNT-07_A02 configuration control over organization-defined system components awaiting service or repair is maintained. 53A_R5_SR-11(02)[01]

MNT-07 MNT-07_A03 configuration control over serviced or repaired organization-defined system components awaiting return to service is maintained. 53A_R5_SR-11(02)[02]

MNT-08 MNT-08_A01 systems or system components on which field maintenance is restricted or prohibited to trusted maintenance facilities are defined. 53A_R5_MA-07_ODP[01]

MNT-08 MNT-08_A02 trusted maintenance facilities that are not restricted or prohibited from conducting field maintenance are defined. 53A_R5_MA-07_ODP[02]

MNT-08 MNT-08_A03 field maintenance on systems or system components is restricted or prohibited to trusted maintenance facilities. 53A_R5_MA-07

MNT-09 MNT-09_A01 off-site maintenance activities are conducted securely and the asset(s) undergoing maintenance actions are secured during physical transfer and storage while off-site. SCF Created

MNT-10 MNT-10_A01 maintenance activities are validated to ensure they were appropriately performed according to the work order and that security controls are operational. SCF Created


MNT-11 MNT-11_A01 situational awareness is maintained of the quality and reliability of systems and components through tracking maintenance activities and component failure rates. SCF Created

MDM-01 MDM-01_A01 policies and standards facilitate the implementation of mobile device management controls. SCF Created

MDM-02 MDM-02_A01 configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area. 53A_R5_AC-19a.[01]

MDM-02 MDM-02_A02 connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area. 53A_R5_AC-19a.[02]

MDM-02 MDM-02_A03 implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area. 53A_R5_AC-19a.[03]

MDM-02 MDM-02_A04 the connection of mobile devices to organizational systems is authorized. 53A_R5_AC-19b.; 171A_3.1.18[b]

MDM-02 MDM-02_A05 mobile devices that process, store or transmit sensitive / regulated data are identified. 171A_3.1.18[a]

MDM-02 MDM-02_A06 mobile device connections are monitored and logged. 171A_3.1.18[c]

MDM-03 MDM-03_A01 mobile devices and mobile computing platforms that process, store or transmit sensitive / regulated data are identified. 171A_3.1.19[a]

MDM-03 MDM-03_A02 encryption is employed to protect sensitive / regulated data on identified mobile devices and mobile computing platforms. 171A_3.1.19[b]

MDM-03 MDM-03_A03 mobile devices on which to employ encryption are defined. 53A_R5_AC-19(05)_ODP[02]

MDM-03 MDM-03_A04 full-device encryption or container-based encryption is employed to protect the confidentiality and integrity of information on organization-defined mobile devices. 53A_R5_AC-19(05)_ODP[01]; 53A_R5_AC-19(05)

MDM-04 MDM-04_A01 anti-tamper technologies to be employed are defined. 53A_R5_PE-03(05)_ODP[01]

MDM-04 MDM-04_A02 hardware components to be protected from physical tampering or alteration are defined. 53A_R5_PE-03(05)_ODP[03]

MDM-04 MDM-04_A03 anti-tamper technologies are employed to detect and/or prevent physical tampering or alteration of hardware components within the system. 53A_R5_PE-03(05); 53A_R5_PE-03(05)_ODP[02]

MDM-05 MDM-05_A01 mobile devices to be purged or wiped of information are defined. 53A_R5_AC-07(02)_ODP[01]

MDM-05 MDM-05_A02 purging or wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined. 53A_R5_AC-07(02)_ODP[02]

MDM-05 MDM-05_A03 the number of consecutive, unsuccessful logon attempts before the information is purged or wiped from mobile devices is defined. 53A_R5_AC-07(02)_ODP[03]

MDM-05 MDM-05_A04 information is purged or wiped from organization-defined mobile devices based on organization-defined purging or wiping requirements or techniques after an organization-defined number of consecutive, unsuccessful device logon attempts. 53A_R5_AC-07(02)

MDM-05 MDM-05_A05 systems or system components to purge or wipe information either remotely or under specific conditions are defined. 53A_R5_MP-06(08)_ODP[01]

MDM-05 MDM-05_A06 conditions under which information is to be purged or wiped are defined. 53A_R5_MP-06(08)_ODP[02]; 53A_R5_MP-06(08)_ODP[03]

MDM-05 MDM-05_A07 the capability to purge or wipe information from systems or system components according to organization-defined criteria is provided. 53A_R5_MP-06(08)

MDM-06 MDM-06_A01 the connection of personally-owned, mobile devices to organizational systems and networks is restricted. SCF Created

MDM-07 MDM-07_A01 the installation of non-approved applications or approved applications not obtained through the organization-approved application store is prohibited. SCF Created

MDM-08 MDM-08_A01 data retention on mobile devices is limited to the smallest usable dataset and timeframe. SCF Created

MDM-09 MDM-09_A01 the functionality of mobile devices is restricted based on geographic location. SCF Created

MDM-10 MDM-10_A01 a separate device workspace is enforced on applicable mobile devices to separate work-related and personal-related applications and data. SCF Created

MDM-11 MDM-11_A01 the connectivity of unauthorized mobile devices is restricted from communicating with systems, applications and services. SCF Created

NET-01 NET-01_A01 personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined. 53A_R5_SC-01_ODP[01]

NET-01 NET-01_A02 personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined. 53A_R5_SC-01_ODP[02]

NET-01 NET-01_A03 an official to manage the system and communications protection policy and procedures is defined. 53A_R5_SC-01_ODP[03]; 53A_R5_SC-01_ODP[04]

NET-01 NET-01_A04 the frequency at which the current system and communications protection policy is reviewed and updated is defined. 53A_R5_SC-01_ODP[05]

NET-01 NET-01_A05 events that would require the current system and communications protection policy to be reviewed and updated are defined. 53A_R5_SC-01_ODP[06]

NET-01 NET-01_A06 the frequency at which the current system and communications protection procedures are reviewed and updated is defined. 53A_R5_SC-01_ODP[07]

NET-01 NET-01_A07 events that would require the system and communications protection procedures to be reviewed and updated are defined. 53A_R5_SC-01_ODP[08]

NET-01 NET-01_A08 a system and communications protection policy is developed and documented. 53A_R5_SC-01a.[01]


NET-01 NET-01_A09 the system and communications protection policy is disseminated to organization-defined personnel or roles. 53A_R5_SC-01a.[02]

NET-01 NET-01_A10 system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented. 53A_R5_SC-01a.[03]

NET-01 NET-01_A11 the system and communications protection procedures are disseminated to organization-defined personnel or roles. 53A_R5_SC-01a.[04]

NET-01 NET-01_A12 the organization's system and communications protection policy addresses purpose. 53A_R5_SC-01a.01(a)[01]

NET-01 NET-01_A13 the organization's system and communications protection policy addresses scope. 53A_R5_SC-01a.01(a)[02]

NET-01 NET-01_A14 the organization's system and communications protection policy addresses roles. 53A_R5_SC-01a.01(a)[03]

NET-01 NET-01_A15 the organization's system and communications protection policy addresses responsibilities. 53A_R5_SC-01a.01(a)[04]

NET-01 NET-01_A16 the organization's system and communications protection policy addresses management commitment. 53A_R5_SC-01a.01(a)[05]

NET-01 NET-01_A17 the organization's system and communications protection policy addresses coordination among organizational entities. 53A_R5_SC-01a.01(a)[06]

NET-01 NET-01_A18 the organization's system and communications protection policy addresses compliance. 53A_R5_SC-01a.01(a)[07]

NET-01 NET-01_A19 the organization's system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. 53A_R5_SC-01a.01(b)

NET-01 NET-01_A20 the organization-defined official is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures. 53A_R5_SC-01b.

NET-01 NET-01_A21 the current system and communications protection policy is reviewed and updated at an organization-defined frequency. 53A_R5_SC-01c.01[01]

NET-01 NET-01_A22 the current system and communications protection policy is reviewed and updated following organization-defined events. 53A_R5_SC-01c.01[02]

NET-01 NET-01_A23 the current system and communications protection procedures are reviewed and updated at an organization-defined frequency. 53A_R5_SC-01c.02[01]

NET-01 NET-01_A24 the current system and communications protection procedures are reviewed and updated following organization-defined events. 53A_R5_SC-01c.02[02]

NET-01.1 NET-01.1_A01 all users are treated as potential threats and access to data and resources is prevented until the user can be properly authenticated and their access authorized. SCF Created

NET-01.1 NET-01.1_A02 all devices are treated as potential threats and access to data and resources is prevented until the device can be properly authenticated and its access authorized. SCF Created

NET-02 NET-02_A01 security functions are implemented as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers. SCF Created

NET-02.1 NET-02.1_A01 types of denial-of-service events to be protected against or limited are defined. 53A_R5_SC-05_ODP[01]; 53A_R5_SC-05(01)_ODP

NET-02.1 NET-02.1_A02 resource prioritization is designed to limit negative effects of denial-of-service events. 53A_R5_SC-05_ODP[02]

NET-02.1 NET-02.1_A03 controls to achieve the denial-of-service objective by type of denial-of-service event are defined. 53A_R5_SC-05_ODP[03]

NET-02.1 NET-02.1_A04 the effects of organization-defined types of denial-of-service events are protected against or limited. 53A_R5_SC-05a.

NET-02.1 NET-02.1_A05 controls by type of denial-of-service event are employed to achieve the denial-of-service protection objective. 53A_R5_SC-05b.

NET-02.1 NET-02.1_A06 the ability of individuals to launch denial-of-service attacks against other systems is restricted. 53A_R5_SC-05(01)

NET-02.1 NET-02.1_A07 capacity, bandwidth or other redundancies to limit the effects of information flooding denial-of-service attacks are managed. 53A_R5_SC-05(02)

NET-02.1 NET-02.1_A08 monitoring tools for detecting indicators of denial-of-service attacks are defined. 53A_R5_SC-05(03)_ODP[01]

NET-02.1 NET-02.1_A09 system resources to be monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks are defined. 53A_R5_SC-05(03)_ODP[02]

NET-02.1 NET-02.1_A10 monitoring tools are employed to detect indicators of denial-of-service attacks against or launched from the system. 53A_R5_SC-05(03)(a)

NET-02.1 NET-02.1_A11 system resources are monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks. 53A_R5_SC-05(03)(b)

NET-02.2 NET-02.2_A01 a secure guest network is defined. SCF Created

NET-02.2 NET-02.2_A02 a secure guest network is implemented. SCF Created

NET-02.3 NET-02.3_A01 a Cross Domain Solution (CDS) is implemented to mitigate the specific security risks of accessing or transferring information between security domains. SCF Created

NET-03 NET-03_A01 the external system boundary is defined. 171A_3.13.1[a]

NET-03 NET-03_A02 key internal system boundaries are defined. 171A_3.13.1[b]

NET-03 NET-03_A03 communications are protected at the external system boundary. 171A_3.13.1[g]


NET-03 NET-03_A04 communications are protected at key internal boundaries. 171A_3.13.1[h]

NET-03 NET-03_A05 communications at external managed interfaces to the system are monitored. 53A_R5_SC-07_ODP; 53A_R5_SC-07a.[01]; 171A_3.13.1[c]

NET-03 NET-03_A06 communications at external managed interfaces to the system are controlled. 53A_R5_SC-07_ODP; 53A_R5_SC-07a.[02]; 171A_3.13.1[e]

NET-03 NET-03_A07 communications at key internal managed interfaces within the system are monitored. 53A_R5_SC-07a.[03]; 171A_3.13.1[d]

NET-03 NET-03_A08 communications at key internal managed interfaces within the system are controlled. 53A_R5_SC-07a.[04]; 171A_3.13.1[f]

NET-03 NET-03_A09 subnetworks for publicly accessible system components are separated from internal organizational networks in accordance with organization-defined selections. 53A_R5_SC-07b.

NET-03 NET-03_A10 external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational cybersecurity & privacy architecture. 53A_R5_SC-07c.

NET-03 NET-03_A11 outgoing communications traffic posing a threat to external systems is detected. 53A_R5_SC-07(09)(a)[01]

NET-03 NET-03_A12 outgoing communications traffic posing a threat to external systems is denied. 53A_R5_SC-07(09)(a)[02]

NET-03 NET-03_A13 the identity of internal users associated with denied communications is audited. 53A_R5_SC-07(09)(b)

NET-03 NET-03_A14 authorized sources of incoming communications to be routed are defined. 53A_R5_SC-07(11)_ODP[01]

NET-03 NET-03_A15 authorized destinations to which incoming communications from authorized sources may be routed are defined. 53A_R5_SC-07(11)_ODP[02]

NET-03 NET-03_A16 only incoming communications from authorized sources are allowed to be routed to authorized destinations. 53A_R5_SC-07(11)

NET-03 NET-03_A17 one or more of the following is/are selected: physical isolation techniques; logical isolation techniques. 172A_3.13.4e_ODP[1]

NET-03 NET-03_A18 physical isolation techniques are defined. 172A_3.13.4e_ODP[2]

NET-03 NET-03_A19 logical isolation techniques are defined. 172A_3.13.4e_ODP[3]

NET-03 NET-03_A20 organization-defined physical isolation techniques and/or organization-defined logical isolation techniques are employed in organizational systems and system components. 172A_3.13.4e[a]

NET-03.1 NET-03.1_A01 the number of external network connections to the system is limited. 53A_R5_SC-07(03)

NET-03.2 NET-03.2_A01 the frequency at which to review exceptions to traffic flow policy is defined. 53A_R5_SC-07(04)_ODP

NET-03.2 NET-03.2_A02 a managed interface is implemented for each external telecommunication service. 53A_R5_SC-07(04)(a)

NET-03.2 NET-03.2_A03 a traffic flow policy is established for each managed interface. 53A_R5_SC-07(04)(b)

NET-03.2 NET-03.2_A04 the confidentiality of the information being transmitted across each interface is protected. 53A_R5_SC-07(04)(c)[01]

NET-03.2 NET-03.2_A05 the integrity of the information being transmitted across each interface is protected. 53A_R5_SC-07(04)(c)[02]

NET-03.2 NET-03.2_A06 each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need. 53A_R5_SC-07(04)(d)

NET-03.2 NET-03.2_A07 exceptions to the traffic flow policy are reviewed per an organization-defined frequency. 53A_R5_SC-07(04)(e)[01]

NET-03.2 NET-03.2_A08 exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed. 53A_R5_SC-07(04)(e)[02]

NET-03.2 NET-03.2_A09 unauthorized exchanges of control plane traffic with external networks are prevented. 53A_R5_SC-07(04)(f)

NET-03.2 NET-03.2_A10 information is published to enable remote networks to detect unauthorized control plane traffic from internal networks. 53A_R5_SC-07(04)(g)

NET-03.2 NET-03.2_A11 unauthorized control plane traffic is filtered from external networks. 53A_R5_SC-07(04)(h)

NET-03.2 NET-03.2_A12 outgoing communications traffic posing a threat to external systems is detected. 53A_R5_SC-07(09)(a)[01]

NET-03.2 NET-03.2_A13 outgoing communications traffic posing a threat to external systems is denied. 53A_R5_SC-07(09)(a)[02]

NET-03.2 NET-03.2_A14 the identity of internal users associated with denied communications is audited. 53A_R5_SC-07(09)(b)

NET-03.3 NET-03.3_A01 the discovery of specific system components that represent a managed interface is prevented. 53A_R5_SC-07(16)

NET-03.4 NET-03.4_A01 processing rules for systems that process personal data are defined. 53A_R5_SC-07(24)_ODP

NET-03.4 NET-03.4_A02 processing rules are applied to data elements of personal data on systems that process personal data. 53A_R5_SC-07(24)(a)

NET-03.4 NET-03.4_A03 permitted processing is monitored at the external interfaces to the systems that process personal data. 53A_R5_SC-07(24)(b)[01]

Licensed by Creative Commons Attribution-NoDerivatives 189 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

NET-03.4 NET-03.4_A04 permitted processing is monitored at key internal boundaries within the systems that process personal data. 53A_R5_SC-07(24)(b)[02]

NET-03.4 NET-03.4_A05 each processing exception is documented for systems that process personal data. 53A_R5_SC-07(24)(c)

NET-03.4 NET-03.4_A06 exceptions for systems that process personal data are reviewed. 53A_R5_SC-07(24)(d)[01]

NET-03.4 NET-03.4_A07 exceptions for systems that process personal data that are no longer supported are removed. 53A_R5_SC-07(24)(d)[02]

NET-03.5 NET-03.5_A01 the frequency for conducting exfiltration tests is defined. 53A_R5_SC-07(10)_ODP

NET-03.5 NET-03.5_A02 the exfiltration of information is prevented. 53A_R5_SC-07(10)(a)

NET-03.5 NET-03.5_A03 exfiltration tests are conducted per an organization-defined frequency. 53A_R5_SC-07(10)(b)

NET-03.6 NET-03.6_A01 system components to be dynamically isolated from other system components are defined. 53A_R5_SC-07(20)_ODP

NET-03.6 NET-03.6_A02 the capability to dynamically isolate organization-defined system components from other system components is provided. 53A_R5_SC-07(20)

NET-03.7 NET-03.7_A01 system components to be isolated by boundary protection mechanisms are defined. 53A_R5_SC-07(21)_ODP[01]

NET-03.7 NET-03.7_A02 missions and/or business functions to be supported by system components isolated by boundary protection mechanisms are defined. 53A_R5_SC-07(21)_ODP[02]

NET-03.7 NET-03.7_A03 boundary protection mechanisms are employed to isolate system components supporting missions and/or business functions. 53A_R5_SC-07(21)

NET-03.7 NET-03.7_A04 physical isolation techniques are defined. 172A_3.13.4e_ODP[1]; 172A_3.13.4e_ODP[2]

NET-03.7 NET-03.7_A05 logical isolation techniques are defined. 172A_3.13.4e_ODP[1]; 172A_3.13.4e_ODP[3]

NET-03.7 NET-03.7_A06 physical isolation techniques and/or organization-defined logical isolation techniques are employed in organizational systems and system components. 172A_3.13.4e[a]

NET-03.8 NET-03.8_A01 separate network addresses are implemented to connect to systems in different security domains. 53A_R5_SC-07(22)

NET-03.8 NET-03.8_A02 critical system components and functions are logically isolated. 53A_R5_SC-07(29)_ODP[01]

NET-03.8 NET-03.8_A03 critical system components and functions to be isolated are defined. 53A_R5_SC-07(29)_ODP[02]

NET-03.8 NET-03.8_A04 subnetworks are separated using organization-defined criteria to isolate critical system components and functions. 53A_R5_SC-07(29)

NET-03.8 NET-03.8_A05 physical isolation techniques are defined. 172A_3.13.4e_ODP[1]; 172A_3.13.4e_ODP[2]

NET-03.8 NET-03.8_A06 logical isolation techniques are defined. 172A_3.13.4e_ODP[1]; 172A_3.13.4e_ODP[3]

NET-03.8 NET-03.8_A07 physical isolation techniques and/or organization-defined logical isolation techniques are employed in organizational systems and system components. 172A_3.13.4e[a]

NET-04 NET-04_A01 information flow control policies are defined. 171A_3.1.3[a]; 53A_R5_AC-04_ODP

NET-04 NET-04_A02 methods and enforcement mechanisms for controlling the flow of sensitive / regulated data are defined. 171A_3.1.3[b]

NET-04 NET-04_A03 designated sources and destinations (e.g., networks, individuals and devices) for sensitive / regulated data within the system and between interconnected systems are identified. 171A_3.1.3[c]

NET-04 NET-04_A04 authorizations for controlling the flow of sensitive / regulated data are defined. 171A_3.1.3[d]

NET-04 NET-04_A05 approved authorizations for controlling the flow of sensitive / regulated data are enforced. 171A_3.1.3[e]

NET-04 NET-04_A06 secure information transfer solutions are defined. 172A_3.1.3e_ODP[1]

NET-04 NET-04_A07 information flows between security domains on connected systems are identified. 172A_3.1.3e[a]

NET-04 NET-04_A08 solutions are employed to control information flows between security domains on connected systems. 172A_3.1.3e[b]

NET-04 NET-04_A09 systems and system components included in the scope of the specified enhanced security requirements are identified. 172A_3.14.3e_ODP[1]

NET-04 NET-04_A10 systems and system components are included in the scope of the specified enhanced security requirements. 172A_3.14.3e[a]

NET-04 NET-04_A11 systems and system components that are not included in the scope of the specified enhanced security requirements are segregated in purpose-specific networks. 172A_3.14.3e[b]

NET-04 NET-04_A12 approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on organization-defined information flow control policies. 53A_R5_AC-04

NET-04.1 NET-04.1_A01 network communications traffic is denied by default. 171A_3.13.6[a]; 53A_R5_SC-07(05)[01]

NET-04.1 NET-04.1_A02 network communications traffic is allowed by exception. 171A_3.13.6[b]; 53A_R5_SC-07(05)[02]


NET-04.1 NET-04.1_A03 systems for which network communications traffic is denied by default and allowed by exception are defined. 53A_R5_SC-07(05)_ODP[01]; 53A_R5_SC-07(05)_ODP[02]

NET-04.1 NET-04.1_A04 authorized sources of incoming communications to be routed are defined. 53A_R5_SC-07(11)_ODP[01]

NET-04.1 NET-04.1_A05 authorized destinations to which incoming communications from authorized sources may be routed are defined. 53A_R5_SC-07(11)_ODP[02]

NET-04.1 NET-04.1_A06 only incoming communications from authorized sources are allowed to be routed to authorized destinations. 53A_R5_SC-07(11)
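The deny-by-default / allow-by-exception requirement in NET-04.1 and the documented, time-bound exceptions of NET-03.2 (each exception carries a business need and a duration, and is removed once that need lapses) can be checked mechanically rather than by reading rule comments. The following Python is an added example, not SCF text or tooling: it models one managed interface's traffic flow policy with a default deny, exception rules that must carry a justification and an expiry date, and a review routine that drops lapsed exceptions. The interface name, rule names, addresses (RFC 5737 documentation ranges) and dates are constructed for illustration.

```python
"""Deny-by-default traffic flow policy with documented, time-bound exceptions.

Added example, not SCF text: models NET-04.1 (deny by default, allow by
exception) together with NET-03.2's rule that every exception records a
business need and its duration and is removed once that need lapses.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FlowException:
    """One allow-by-exception rule on a managed interface.

    Dates are ISO "YYYY-MM-DD" strings, which compare correctly as text.
    """
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    dport: int
    proto: str          # "tcp" or "udp"
    justification: str  # the documented mission/business need (NET-03.2_A06)
    expires: str        # last day on which the need is valid

    def matches(self, src_ip, dst_ip, dport, proto, on):
        return (
            self.expires >= on
            and proto == self.proto
            and dport == self.dport
            and ip_address(src_ip) in ip_network(self.src)
            and ip_address(dst_ip) in ip_network(self.dst)
        )


class TrafficFlowPolicy:
    """Traffic flow policy for one managed interface (NET-03.2_A03)."""

    def __init__(self, interface):
        self.interface = interface
        self.exceptions = []

    def add_exception(self, exc):
        # An exception with no recorded business need is not accepted at all.
        if not exc.justification.strip():
            raise ValueError(f"{exc.name}: exception needs a documented business need")
        self.exceptions.append(exc)

    def decide(self, src_ip, dst_ip, dport, proto, on=None):
        """'allow:<rule>' if a still-valid exception matches, else 'deny' (the default)."""
        on = on or date.today().isoformat()
        for exc in self.exceptions:
            if exc.matches(src_ip, dst_ip, dport, proto, on):
                return f"allow:{exc.name}"
        return "deny"

    def review(self, on=None):
        """Drop exceptions whose documented need has lapsed; return their names (NET-03.2_A08)."""
        on = on or date.today().isoformat()
        expired = [e.name for e in self.exceptions if e.expires < on]
        self.exceptions = [e for e in self.exceptions if e.expires >= on]
        return expired


def build_sample_policy():
    """Constructed sample policy; addresses are RFC 5737 documentation ranges."""
    policy = TrafficFlowPolicy("internet-edge-fw")
    policy.add_exception(FlowException(
        "vpn-inbound", "0.0.0.0/0", "203.0.113.10/32", 443, "tcp",
        "Remote-access VPN concentrator; managed access control point",
        "2025-12-31"))
    policy.add_exception(FlowException(
        "vendor-sftp", "198.51.100.0/24", "203.0.113.20/32", 22, "tcp",
        "Vendor data exchange for the migration project",
        "2024-03-31"))
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.decide("198.51.100.7", "203.0.113.20", 22, "tcp", "2024-01-15"))  # allow:vendor-sftp
    print(p.decide("198.51.100.7", "203.0.113.20", 22, "tcp", "2024-06-01"))  # deny (need lapsed)
    print("removed:", p.review("2024-06-01"))                                 # ['vendor-sftp']
```

Anything not matched by a current exception is denied, including traffic that matches an exception whose expiry has passed; the periodic `review` call is the NET-03.2_A07/_A08 step and should run on the organization-defined frequency, with its output fed back into the firewall configuration.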

NET-04.2 NET-04.2_A01 security attributes associated with information, source and destination objects are defined. 53A_R5_AC-04(01)_ODP[01]

NET-04.2 NET-04.2_A02 privacy attributes associated with information, source and destination objects are defined. 53A_R5_AC-04(01)_ODP[02]

NET-04.2 NET-04.2_A03 information objects to be associated with cybersecurity attributes are defined. 53A_R5_AC-04(01)_ODP[03]

NET-04.2 NET-04.2_A04 information objects to be associated with privacy attributes are defined. 53A_R5_AC-04(01)_ODP[04]

NET-04.2 NET-04.2_A05 source objects to be associated with cybersecurity attributes are defined. 53A_R5_AC-04(01)_ODP[05]

NET-04.2 NET-04.2_A06 source objects to be associated with privacy attributes are defined. 53A_R5_AC-04(01)_ODP[06]

NET-04.2 NET-04.2_A07 destination objects to be associated with cybersecurity attributes are defined. 53A_R5_AC-04(01)_ODP[07]

NET-04.2 NET-04.2_A08 destination objects to be associated with privacy attributes are defined. 53A_R5_AC-04(01)_ODP[08]

NET-04.2 NET-04.2_A09 information flow control policies as a basis for enforcement of flow control decisions are defined. 53A_R5_AC-04(01)_ODP[09]

NET-04.2 NET-04.2_A10 organization-defined security attributes associated with organization-defined information objects, organization-defined source objects and organization-defined destination objects are used to enforce organization-defined information flow control policies as a basis for flow control decisions. 53A_R5_AC-04(01)[01]

NET-04.2 NET-04.2_A11 organization-defined privacy attributes associated with organization-defined information objects, organization-defined source objects and organization-defined destination objects are used to enforce organization-defined information flow control policies as a basis for flow control decisions. 53A_R5_AC-04(01)[02]

NET-04.2 NET-04.2_A12 secure information transfer solutions are defined. 172A_3.1.3e_ODP[1]

NET-04.2 NET-04.2_A13 information flows between security domains on connected systems are identified. 172A_3.1.3e[a]

NET-04.2 NET-04.2_A14 solutions are employed to control information flows between security domains on connected systems. 172A_3.1.3e[b]

NET-04.3 NET-04.3_A01 information flow control mechanisms that encrypted information is prevented from bypassing are defined. 53A_R5_AC-04(04)_ODP[01]

NET-04.3 NET-04.3_A02 the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined. 53A_R5_AC-04(04)_ODP[02]; 53A_R5_AC-04(04)_ODP[03]

NET-04.3 NET-04.3_A03 encrypted information is prevented from bypassing the organization's information flow control mechanisms. 53A_R5_AC-04(04)

NET-04.4 NET-04.4_A01 limitations on embedding data types within other data types are defined. 53A_R5_AC-04(05)_ODP

NET-04.4 NET-04.4_A02 organization-defined limitations are enforced on embedding data types within other data types. 53A_R5_AC-04(05)

NET-04.5 NET-04.5_A01 metadata on which to base enforcement of information flow control is defined. 53A_R5_AC-04(06)_ODP

NET-04.5 NET-04.5_A02 information flow control enforcement is based on organization-defined metadata. 53A_R5_AC-04(06)

NET-04.5 NET-04.5_A03 secure information transfer solutions are defined. 172A_3.1.3e_ODP[1]

NET-04.5 NET-04.5_A04 information flows between security domains on connected systems are identified. 172A_3.1.3e[a]

NET-04.5 NET-04.5_A05 solutions are employed to control information flows between security domains on connected systems. 172A_3.1.3e[b]

NET-04.6 NET-04.6_A01 information flows requiring the use of human reviews are defined. 53A_R5_AC-04(09)_ODP[01]

NET-04.6 NET-04.6_A02 conditions under which the use of human reviews for information flows are to be enforced are defined. 53A_R5_AC-04(09)_ODP[02]

NET-04.6 NET-04.6_A03 human reviews are used for organization-defined information flows under organization-defined conditions. 53A_R5_AC-04(09)

NET-04.7 NET-04.7_A01 security policy filters to be used as a basis for enforcing information flow control are defined. 53A_R5_AC-04(08)_ODP[01]

NET-04.7 NET-04.7_A02 privacy policy filters to be used as a basis for enforcing information flow control are defined. 53A_R5_AC-04(08)_ODP[02]

NET-04.7 NET-04.7_A03 information flows for which information flow control is enforced by security filters are defined. 53A_R5_AC-04(08)_ODP[03]; 172A_3.1.3e_ODP[1]

NET-04.7 NET-04.7_A04 information flows for which information flow control is enforced by privacy filters are defined. 53A_R5_AC-04(08)_ODP[04]

NET-04.7 NET-04.7_A05 security policy identifying actions to be taken after a filter processing failure (e.g., block, strip, modify or quarantine) is defined. 53A_R5_AC-04(08)_ODP[05]; 53A_R5_AC-04(08)_ODP[06]


NET-04.7 NET-04.7_A06 privacy policy identifying actions to be taken after a filter processing failure is defined. 53A_R5_AC-04(08)_ODP[07]

NET-04.7 NET-04.7_A07 information flow control is enforced using organization-defined security policy filter as a basis for flow control decisions for organization-defined information flows. 53A_R5_AC-04(08)(a)[01]

NET-04.7 NET-04.7_A08 information flow control is enforced using organization-defined privacy policy filter as a basis for flow control decisions for organization-defined information flows. 53A_R5_AC-04(08)(a)[02]

NET-04.7 NET-04.7_A09 organization-defined actions (e.g., block, strip, modify or quarantine) are taken on data after a filter processing failure in accordance with organization-defined security policy and organization-defined privacy policy. 53A_R5_AC-04(08)(b)

NET-04.7 NET-04.7_A10 information flows between security domains on connected systems are identified. 172A_3.1.3e[a]

NET-04.7 NET-04.7_A11 solutions are employed to control information flows between security domains on connected systems. 172A_3.1.3e[b]

NET-04.7 NET-04.7_A12 when transferring information between different security domains, data is sanitized to minimize organization-defined risks (e.g., delivery of malicious content or spillage of sensitive information) in accordance with organization-defined policy. 53A_R5_AC-04(25)_ODP[01]; 53A_R5_AC-04(25)

NET-04.8 NET-04.8_A01 data type identifiers to be used to validate data essential for information flow decisions are defined. 53A_R5_AC-04(12)_ODP

NET-04.8 NET-04.8_A02 when transferring information between different security domains, organization-defined data type identifiers are used to validate data essential for information flow decisions. 53A_R5_AC-04(12)

NET-04.9 NET-04.9_A01 policy-relevant subcomponents into which to decompose information for submission to policy enforcement mechanisms are defined. 53A_R5_AC-04(13)_ODP

NET-04.9 NET-04.9_A02 when transferring information between different security domains, information is decomposed into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms. 53A_R5_AC-04(13)

NET-04.10 NET-04.10_A01 unsanctioned information to be detected is defined. 53A_R5_AC-04(15)_ODP[01]

NET-04.10 NET-04.10_A02 security policy that requires the transfer of unsanctioned information between different security domains to be prohibited is defined. 53A_R5_AC-04(15)_ODP[02]

NET-04.10 NET-04.10_A03 privacy policy that requires the transfer of organization-defined unsanctioned information between different security domains to be prohibited is defined. 53A_R5_AC-04(15)_ODP[03]

NET-04.10 NET-04.10_A04 when transferring information between different security domains, information is examined for the presence of organization-defined unsanctioned information. 53A_R5_AC-04(15)[01]

NET-04.10 NET-04.10_A05 when transferring information between different security domains, transfer of organization-defined unsanctioned information is prohibited in accordance with the organization-defined security policy. 53A_R5_AC-04(15)[02]

NET-04.10 NET-04.10_A06 when transferring information between different security domains, transfer of organization-defined unsanctioned information is prohibited in accordance with the organization-defined privacy policy. 53A_R5_AC-04(15)[03]

NET-04.11 NET-04.11_A01 solutions in approved configurations to control the flow of information across security domains are defined. 53A_R5_AC-04(20)_ODP[01]

NET-04.11 NET-04.11_A02 information to be controlled when it flows across security domains is defined. 53A_R5_AC-04(20)_ODP[02]

NET-04.11 NET-04.11_A03 organization-defined solutions in approved configurations are employed to control the flow of organization-defined information across security domains. 53A_R5_AC-04(20)

NET-04.12 NET-04.12_A01 source and destination points are uniquely identified and authenticated by organization-defined criteria for information transfer (e.g., organization, system, application, service or individual). 53A_R5_AC-04(17)_ODP; 53A_R5_AC-04(17)

NET-04.13 NET-04.13_A01 security policy filters to be implemented on metadata are defined (if selected). 53A_R5_AC-04(19)_ODP[01]

NET-04.13 NET-04.13_A02 privacy policy filters to be implemented on metadata are defined (if selected). 53A_R5_AC-04(19)_ODP[02]

NET-04.13 NET-04.13_A03 when transferring information between different security domains, organization-defined security policy filters are implemented on metadata. 53A_R5_AC-04(19)[01]

NET-04.13 NET-04.13_A04 when transferring information between different security domains, organization-defined privacy policy filters are implemented on metadata. 53A_R5_AC-04(19)[02]

NET-05 NET-05_A01 the type of agreement used to approve and manage the exchange of information is defined (e.g., interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, non-disclosure agreements or organization-defined type of agreements). 53A_R5_CA-03_ODP[01]; 53A_R5_CA-03_ODP[02]

NET-05 NET-05_A02 the frequency at which to review and update agreements is defined. 53A_R5_CA-03_ODP[03]

NET-05 NET-05_A03 the exchange of information between the system and other systems is approved and managed using organization-defined types of agreements. 53A_R5_CA-03a.

NET-05 NET-05_A04 the interface characteristics are documented as part of each exchange agreement. 53A_R5_CA-03b.[01]

NET-05 NET-05_A05 security requirements are documented as part of each exchange agreement. 53A_R5_CA-03b.[02]

NET-05 NET-05_A06 privacy requirements are documented as part of each exchange agreement. 53A_R5_CA-03b.[03]

NET-05 NET-05_A07 controls are documented as part of each exchange agreement. 53A_R5_CA-03b.[04]

NET-05 NET-05_A08 responsibilities for each system are documented as part of each exchange agreement. 53A_R5_CA-03b.[05]

NET-05 NET-05_A09 the impact level of the information communicated is documented as part of each exchange agreement. 53A_R5_CA-03b.[06]

NET-05 NET-05_A10 agreements are reviewed and updated at an organization-defined frequency. 53A_R5_CA-03c.

NET-05 NET-05_A11 systems that are prohibited from directly connecting to an external network are defined. 53A_R5_SC-07(25)_ODP[01]


NET-05 NET-05_A12 the boundary protection device required for a direct connection to an external network is defined. 53A_R5_SC-07(25)_ODP[02]; 53A_R5_SC-07(26)_ODP

NET-05 NET-05_A13 the direct connection of systems to an external network without the use of a boundary protection device is prohibited. 53A_R5_SC-07(25)

NET-05 NET-05_A14 the direct connection of classified national security systems to an external network without the use of an organization-defined boundary protection device is prohibited. 53A_R5_SC-07(26)

NET-05.1 NET-05.1_A01 systems that are prohibited from directly connecting to an external network are defined. 53A_R5_SC-07(27)_ODP[01]

NET-05.1 NET-05.1_A02 the boundary protection device required for a direct connection of a system to an external network is defined. 53A_R5_SC-07(27)_ODP[02]

NET-05.1 NET-05.1_A03 the direct connection of a system to an external network without the use of a boundary protection device is prohibited. 53A_R5_SC-07(27)

NET-05.2 NET-05.2_A01 system components or classes of components requiring internal connections to the system are defined. 53A_R5_CA-09_ODP[01]

NET-05.2 NET-05.2_A02 conditions requiring termination of internal connections are defined. 53A_R5_CA-09_ODP[02]

NET-05.2 NET-05.2_A03 the frequency at which to review the continued need for each internal connection is defined. 53A_R5_CA-09_ODP[03]

NET-05.2 NET-05.2_A04 internal connections of organization-defined system components to the system are authorized. 53A_R5_CA-09a.

NET-05.2 NET-05.2_A05 for each internal connection, the interface characteristics are documented. 53A_R5_CA-09b.[01]

NET-05.2 NET-05.2_A06 for each internal connection, the security requirements are documented. 53A_R5_CA-09b.[02]

NET-05.2 NET-05.2_A07 for each internal connection, the privacy requirements are documented. 53A_R5_CA-09b.[03]

NET-05.2 NET-05.2_A08 for each internal connection, the nature of the information communicated is documented. 53A_R5_CA-09b.[04]

NET-05.2 NET-05.2_A09 internal system connections are terminated after organization-defined conditions. 53A_R5_CA-09c.

NET-05.2 NET-05.2_A10 the continued need for each internal connection is reviewed at an organization-defined frequency. 53A_R5_CA-09d.

NET-06 NET-06_A01 publicly accessible system components are identified. 171A_3.13.5[a]

NET-06 NET-06_A02 subnetworks for publicly accessible system components are physically or logically separated from internal networks. 171A_3.13.5[b]

NET-06 NET-06_A03 logical isolation techniques are defined. 172A_3.13.4e_ODP[1]; 172A_3.13.4e_ODP[3]

NET-06 NET-06_A04 physical isolation techniques and/or organization-defined logical isolation techniques are employed in organizational systems and system components. 172A_3.13.4e[a]

NET-06 NET-06_A05 mechanisms and/or techniques used to logically separate information flows are defined. 53A_R5_AC-04(21)_ODP[01]

NET-06 NET-06_A06 mechanisms and/or techniques used to physically separate information flows are defined. 53A_R5_AC-04(21)_ODP[02]

NET-06 NET-06_A07 required separations by types of information are defined. 53A_R5_AC-04(21)_ODP[03]

NET-06 NET-06_A08 information flows are separated logically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations. 53A_R5_AC-04(21)[01]

NET-06 NET-06_A09 information flows are separated physically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations. 53A_R5_AC-04(21)[02]

NET-06.1 NET-06.1_A01 cybersecurity tools, mechanisms and support components to be isolated from other internal system components are defined. 53A_R5_SC-07(13)_ODP

NET-06.1 NET-06.1_A02 cybersecurity tools, mechanisms and support components are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system. 53A_R5_SC-07(13)

NET-06.1 NET-06.1_A03 security management subnets are logically isolated. 53A_R5_SC-07(29)_ODP[01]

NET-06.1 NET-06.1_A04 security management subnet system components and functions to be isolated are defined. 53A_R5_SC-07(29)_ODP[02]

NET-06.1 NET-06.1_A05 organization-defined criteria are used to isolate security management subnets. 53A_R5_SC-07(29)

NET-06.1 NET-06.1_A06 physical isolation techniques are defined. 172A_3.13.4e_ODP[1]; 172A_3.13.4e_ODP[2]

NET-06.1 NET-06.1_A07 logical isolation techniques are defined. 172A_3.13.4e_ODP[1]; 172A_3.13.4e_ODP[3]

NET-06.1 NET-06.1_A08 physical isolation techniques and/or organization-defined logical isolation techniques are employed in organizational systems and system components. 172A_3.13.4e[a]

NET-06.2 NET-06.2_A01 Virtual Local Area Networks (VLANs) are enabled to limit the ability of devices on a network to directly communicate with other devices on the subnet and to limit an attacker's ability to move laterally and compromise neighboring systems. SCF Created

NET-06.3 NET-06.3_A01 segmentation controls restrict inbound and outbound connectivity for sensitive / regulated data enclaves (secure zones). SCF Created

NET-06.4 NET-06.4_A01 sensitive / regulated data enclaves (secure zones) are isolated from corporate-provided IT resources by providing enclave-specific IT services (e.g., directory services, DNS, NTP, ITAM, antimalware, patch management, etc.) to those isolated network segments. SCF Created


NET-06.5 NET-06.5_A01 Internet access from sensitive / regulated data enclaves (secure zones) is prohibited or strictly-controlled. SCF Created

NET-07 NET-07_A01 a period of inactivity after which to terminate network connections associated with communications sessions is defined. 171A_3.13.9[a]; 53A_R5_SC-10_ODP

NET-07 NET-07_A02 network connections associated with communications sessions are terminated at the end of the sessions. 171A_3.13.9[b]; 53A_R5_SC-10

NET-07 NET-07_A03 network connections associated with communications sessions are terminated after the defined period of inactivity. 171A_3.13.9[c]; 53A_R5_SC-10

NET-08 NET-08_A01 Network Intrusion Detection / Prevention Systems (NIDS/NIPS) are utilized to detect and/or prevent intrusions into the network. SCF Created

NET-08.1 NET-08.1_A01 De-Militarized Zone (DMZ) network segments exist to separate untrusted networks from trusted networks. SCF Created

NET-08.2 NET-08.2_A01 wireless network segments implement Wireless Intrusion Detection / Prevention Systems (WIDS/WIPS) technologies. SCF Created

NET-09 NET-09_A01 the authenticity of communications sessions is protected. 171A_3.13.15; 53A_R5_SC-23

NET-09 NET-09_A02 the confidentiality and/or integrity of information is/are maintained during preparation for transmission. 53A_R5_SC-08(02)[01]; 53A_R5_SC-08(02)_ODP

NET-09 NET-09_A03 the confidentiality and/or integrity of information is/are maintained during reception. 53A_R5_SC-08(02)[02]; 53A_R5_SC-08(02)_ODP

NET-09.1 NET-09.1_A01 session identifiers are invalidated upon user logout or other session termination. 53A_R5_SC-23(01)

NET-09.2 NET-09.2_A01 randomness requirements for generating a unique session identifier for each session are defined. 53A_R5_SC-23(03)_ODP

NET-09.2 NET-09.2_A02 a unique session identifier is generated for each session with organization-defined randomness requirements. 53A_R5_SC-23(03)[01]

NET-09.2 NET-09.2_A03 only system-generated session identifiers are recognized. 53A_R5_SC-23(03)[02]
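NET-09.1 and NET-09.2 together describe the server side of session handling: an identifier is minted per session from a source that meets the organization's randomness requirement, only identifiers the system itself issued are honoured, and the identifier stops working at logout. The Python below is an added example, not SCF text or any project's code. The in-memory dict stands in for a real session backend, the 256-bit identifier length is an assumed randomness requirement, and the rotation on login is the standard defence against session fixation (an attacker planting an identifier before the victim authenticates).

```python
"""Server-side sessions that recognise only system-generated identifiers.

Added example, not SCF text. Shows NET-09.2 (a unique identifier per session,
drawn from a CSPRNG; only system-generated identifiers are recognised) and
NET-09.1 (the identifier is invalidated on logout). The dict-backed store
stands in for a real application's session backend.
"""
import hashlib
import secrets

# Assumed randomness requirement (NET-09.2_A01): 256 bits from the OS CSPRNG.
SESSION_ID_BYTES = 32


def _key(session_id):
    """Index sessions by a digest so a dump of the store yields no usable identifiers."""
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user):
        """Issue a fresh identifier; it is never derived from anything the client sent."""
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[_key(session_id)] = {"user": user}
        return session_id

    def lookup(self, presented):
        """Return session data only if `presented` was issued by this store.

        An identifier the client invented is simply unknown here, so a
        fixation attempt never yields a valid session (NET-09.2_A03).
        """
        return self._sessions.get(_key(presented))

    def login(self, user, presented=None):
        """Authenticate and rotate: whatever identifier the client held before
        login is discarded, so a planted pre-auth identifier is never upgraded."""
        if presented is not None:
            self._sessions.pop(_key(presented), None)
        return self.create(user)

    def logout(self, presented):
        """Invalidate server-side (NET-09.1); clearing the cookie alone is not enough."""
        return self._sessions.pop(_key(presented), None) is not None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(len(sid), store.lookup(sid))              # 43 {'user': 'alice'}
    print(store.lookup("id-the-attacker-chose"))   # None
    store.logout(sid)
    print(store.lookup(sid))                        # None
```

The two properties an assessor can test directly against a running application follow the same shape: present a made-up identifier and confirm it is treated as no session, and present a real one after logout and confirm the same.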

NET-10 NET-10_A01 additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries. 53A_R5_SC-20a.[01]

NET-10 NET-10_A02 integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries. 53A_R5_SC-20a.[02]

NET-10 NET-10_A03 the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace. 53A_R5_SC-20b.[01]

NET-10 NET-10_A04 the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided. 53A_R5_SC-20b.[02]

NET-10.1 NET-10.1_A01 the systems that collectively provide name/address resolution services for an organization are fault-tolerant. 53A_R5_SC-22[01]

NET-10.1 NET-10.1_A02 the systems that collectively provide name/address resolution services for an organization implement internal role separation. 53A_R5_SC-22[02]

NET-10.1 NET-10.1_A03 the systems that collectively provide name/address resolution services for an organization implement external role separation. 53A_R5_SC-22[03]

NET-10.2 NET-10.2_A01 data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources. 53A_R5_SC-21[01]

NET-10.2 NET-10.2_A02 data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources. 53A_R5_SC-21[02]

NET-10.2 NET-10.2_A03 data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources. 53A_R5_SC-21[03]

NET-10.2 NET-10.2_A04 data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources. 53A_R5_SC-21[04]

NET-10.3 NET-10.3_A01 the legitimacy of email communications is validated through configuring a Domain Name System (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain. SCF Created
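NET-10.3 states the SPF control in one line; what an assessor can actually check is whether a given sending address evaluates to pass against the domain's published record, and whether the record's policy for everything else is fail or only softfail. The following Python is an added example, not SCF text or any project's code: it evaluates the ip4, ip6, include and all mechanisms of RFC 7208 against a constructed in-memory TXT table (example.com, _spf.mailhost.example and loop.example are documentation names standing in for live DNS). The a, mx, ptr and exists mechanisms and the redirect modifier are deliberately not implemented and return permerror, and the ten-lookup limit from RFC 7208 is enforced so a self-including record terminates.

```python
"""Offline SPF evaluation: is a sending IP authorised by a domain's SPF record?

Added example, not SCF text. Implements the ip4 / ip6 / include / all
mechanisms of RFC 7208 over a constructed in-memory DNS table instead of
live DNS, so it runs offline. The a, mx, ptr and exists mechanisms and the
redirect modifier are not implemented and yield 'permerror'.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-in for DNS TXT lookups; the names are documentation names.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # broken: includes itself
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms


def check_host(ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Return pass / fail / softfail / neutral / none / permerror for (ip, domain)."""
    lookups = _lookups if _lookups is not None else [0]
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    sender = ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if sender.version == net.version and sender in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_host(ip, arg, dns, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"
            # fail / softfail / neutral from an include: keep evaluating (RFC 7208 5.2)
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, ptr, exists, redirect= are not handled here
    return "neutral"  # no mechanism matched and the record has no 'all' term


if __name__ == "__main__":
    for sender_ip in ("192.0.2.55", "198.51.100.10", "203.0.113.9"):
        print(sender_ip, check_host(sender_ip, "example.com"))
```

A receiving mail system performs the same evaluation with real DNS; for the assessor, a record whose own "all" term is "~all" or "?all" still lets unauthorized senders through, so the qualifier on that final term matters as much as the list of addresses.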

NET-10.4 NET-10.4_A01 the domain name registrar is locked to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain’s registration details. SCF Created

NET-11 NET-11_A01 out-of-band channels to be employed for the physical delivery or electronic transmission of information, system components or devices to individuals or the system are defined. 53A_R5_SC-37_ODP[01]

NET-11 NET-11_A02 information, system components or devices to employ out-of-band-channels for physical delivery or electronic transmission are defined. 53A_R5_SC-37_ODP[02]

NET-11 NET-11_A03 individuals or systems to which physical delivery or electronic transmission of information, system components or devices is to be achieved via the employment of out-of-band channels are defined. 53A_R5_SC-37_ODP[03]

NET-11 NET-11_A04 out-of-band channels are employed for the physical delivery or electronic transmission of information, system components or devices to individuals or systems. 53A_R5_SC-37

NET-11 NET-11_A05 controls to be employed to ensure that only designated individuals or systems receive specific information, system components or devices are defined. 53A_R5_SC-37(01)_ODP[01]

NET-11 NET-11_A06 individuals or systems designated to receive specific information, system components or devices are defined. 53A_R5_SC-37(01)_ODP[02]

NET-11 NET-11_A07 information, system components or devices that only individuals or systems are designated to receive are defined. 53A_R5_SC-37(01)_ODP[03]

NET-11 NET-11_A08 organization-defined controls are employed to ensure that only authorized individuals or systems receive information, system components or devices. 53A_R5_SC-37(01)

NET-12 NET-12_A01 approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies. 53A_R5_AC-03


NET-12.1 NET-12.1_A01 external wireless links to be protected from particular types of signal parameter attacks are defined. 53A_R5_SC-40_ODP[01]

NET-12.1 NET-12.1_A02 types of signal parameter attacks or references to sources for such attacks from which to protect external wireless links are defined. 53A_R5_SC-40_ODP[02]

NET-12.1 NET-12.1_A03 internal wireless links to be protected from particular types of signal parameter attacks are defined. 53A_R5_SC-40_ODP[03]

NET-12.1 NET-12.1_A04 types of signal parameter attacks or references to sources for such attacks from which to protect internal wireless links are defined. 53A_R5_SC-40_ODP[04]

NET-12.1 NET-12.1_A05 external wireless links are protected from organization-defined types of signal parameter attacks (or the attacks described in organization-defined reference sources). 53A_R5_SC-40[01]

NET-12.1 NET-12.1_A06 internal wireless links are protected from organization-defined types of signal parameter attacks (or the attacks described in organization-defined reference sources). 53A_R5_SC-40[02]

NET-12.2 NET-12.2_A01 the transmission of unprotected sensitive/regulated data by end-user messaging technologies is prohibited through administrative and/or technical means. SCF Created

NET-13 NET-13_A01 use of Voice over Internet Protocol (VoIP) technologies is controlled. 171A_3.13.14[a]

NET-13 NET-13_A02 use of Voice over Internet Protocol (VoIP) technologies is monitored. 171A_3.13.14[b]

NET-13 NET-13_A03 alternative physical controls to protect message externals are defined. 53A_R5_SC-08(03)_ODP

NET-13 NET-13_A04 cryptographic mechanisms are implemented to protect message externals unless otherwise protected by alternative physical controls. 53A_R5_SC-08(03)

NET-14 NET-14_A01 usage restrictions are established and documented for each type of remote access allowed. 53A_R5_AC-17a.[01]

NET-14 NET-14_A02 configuration/connection requirements are established and documented for each type of remote access allowed. 53A_R5_AC-17a.[02]

NET-14 NET-14_A03 implementation guidance is established and documented for each type of remote access allowed. 53A_R5_AC-17a.[03]

NET-14 NET-14_A04 each type of remote access to the system is authorized prior to allowing such connections. 53A_R5_AC-17b.

NET-14 NET-14_A05 information about remote access mechanisms is protected from unauthorized use and disclosure. 53A_R5_AC-17(06)

NET-14.1 NET-14.1_A01 remote access sessions are permitted. 171A_3.1.12[a]

NET-14.1 NET-14.1_A02 the types of permitted remote access are identified. 171A_3.1.12[b]

NET-14.1 NET-14.1_A03 remote access sessions are controlled. 171A_3.1.12[c]; 53A_R5_AC-17(01)[02]

NET-14.1 NET-14.1_A04 remote access sessions are monitored. 171A_3.1.12[d]; 53A_R5_AC-17(01)[01]

NET-14.2 NET-14.2_A01 cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. 171A_3.1.13[a]

NET-14.2 NET-14.2_A02 cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. 171A_3.1.13[b]; 53A_R5_AC-17(02)

NET-14.3 NET-14.3_A01 managed access control points are identified and implemented. 171A_3.1.14[a]

NET-14.3 NET-14.3_A02 remote access is routed through managed network access control points. 171A_3.1.14[b]; 53A_R5_AC-17(03)

NET-14.4 NET-14.4_A01 privileged commands authorized for remote execution are identified. 171A_3.1.15[a]; 53A_R5_AC-17(04)_ODP[01]

NET-14.4 NET-14.4_A02 security-relevant information authorized to be accessed remotely is identified. 171A_3.1.15[b]; 53A_R5_AC-17(04)_ODP[02]

NET-14.4 NET-14.4_A03 the execution of the identified privileged commands via remote access is authorized. 171A_3.1.15[c]; 53A_R5_AC-17(04)(a)[01]

NET-14.4 NET-14.4_A04 access to the identified security-relevant information via remote access is authorized. 171A_3.1.15[d]; 53A_R5_AC-17(04)(a)[02]; 53A_R5_AC-17(04)(a)[04]

NET-14.4 NET-14.4_A05 the rationale for remote access is documented in the security plan for the system. 53A_R5_AC-17(04)(b)

NET-14.5 NET-14.5_A01 secure telecommuting practices are defined. SCF Created

NET-14.5 NET-14.5_A02 technical measures govern remote access to systems and data for remote workers. SCF Created

NET-14.5 NET-14.5_A03 administrative measures govern rules of behavior for telecommuting practices. SCF Created

NET-14.6 NET-14.6_A01 proactively control and monitor third-party accounts used to access, support or maintain system components via remote access. SCF Created

NET-14.7 NET-14.7_A01 security compliance checks are performed on constituent system components prior to the establishment of the internal connection. 53A_R5_CA-09(01)[01]

NET-14.7 NET-14.7_A02 privacy compliance checks are performed on constituent system components prior to the establishment of the internal connection. 53A_R5_CA-09(01)[02]

NET-14.8 NET-14.8_A01 the time period within which to disconnect or disable remote access to the system is defined. 53A_R5_AC-17(09)_ODP

Licensed by Creative Commons Attribution-NoDerivatives 195 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

NET-14.8 NET-14.8_A02 the capability to disconnect or disable remote access to the system within organization-defined time period is provided. 53A_R5_AC-17(09)

NET-15 NET-15_A01 wireless access points are identified. 171A_3.1.16[a]

NET-15 NET-15_A02 wireless access is authorized prior to allowing such connections. 171A_3.1.16[b]; 53A_R5_AC-18b.

NET-15 NET-15_A03 configuration requirements are established for each type of wireless access. 53A_R5_AC-18a.[01]

NET-15 NET-15_A04 connection requirements are established for each type of wireless access. 53A_R5_AC-18a.[02]

NET-15 NET-15_A05 implementation guidance is established for each type of wireless access. 53A_R5_AC-18a.[03]

NET-15.1 NET-15.1_A01 wireless access to the system is protected using authentication. 171A_3.1.17[a]; 53A_R5_AC-18(01)_ODP; 53A_R5_AC-18(01)[01]

NET-15.1 NET-15.1_A02 wireless access to the system is protected using encryption. 171A_3.1.17[b]; 53A_R5_AC-18(01)[02]

NET-15.1 NET-15.1_A05 information is/are maintained during preparation for transmission. 53A_R5_SC-08(02)[01]; 53A_R5_SC-08(02)_ODP

NET-15.1 NET-15.1_A06 information is/are maintained during reception. 53A_R5_SC-08(02)[02]; 53A_R5_SC-08(02)_ODP

NET-15.2 NET-15.2_A01 when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment. 53A_R5_AC-18(03)

NET-15.3 NET-15.3_A01 users allowed to independently configure wireless networking capabilities are identified. 53A_R5_AC-18(04)[01]

NET-15.3 NET-15.3_A02 users allowed to independently configure wireless networking capabilities are explicitly authorized. 53A_R5_AC-18(04)[02]

NET-15.3 NET-15.3_A03 radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries. 53A_R5_AC-18(05)[01]

NET-15.4 NET-15.4_A01 transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries. 53A_R5_AC-18(05)[02]

NET-15.5 NET-15.5_A01 all authorized and unauthorized Wireless Access Points (WAPs) are identified within the facility(ies). SCF Created

NET-15.5 NET-15.5_A02 rogue WAPs are responded to in accordance with published incident response plans. SCF Created

NET-16 NET-16_A01 trust relationships are established with other organizations owning, operating, and/or maintaining intranet systems. SCF Created

NET-16 NET-16_A02 trust relationships with other organizations allow authorized individuals to: ▪ Access the intranet from external systems; and/or ▪ Process, store, and/or transmit organization-controlled information using the external systems. SCF Created

NET-17 NET-17_A01 interior points within the system where communications traffic is to be analyzed are defined. 53A_R5_SI-04(18)_ODP

NET-17 NET-17_A02 outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information. 53A_R5_SI-04(18)[01]

NET-17 NET-17_A03 outbound communications traffic is analyzed at interfaces internal to the system to detect covert exfiltration of information. 53A_R5_SI-04(18)[02]

NET-18 NET-18_A01 Internet-bound network traffic is routed through a proxy device or service for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites. SCF Created

NET-18.1 NET-18.1_A01 internal communications traffic to be routed to external networks is defined. 53A_R5_SC-07(08)_ODP[01]

NET-18.1 NET-18.1_A02 external networks to which internal communications traffic is to be routed are defined. 53A_R5_SC-07(08)_ODP[02]

NET-18.1 NET-18.1_A03 internal communications traffic is routed to external networks through authenticated proxy servers at managed interfaces. 53A_R5_SC-07(08)

NET-18.2 NET-18.2_A01 encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined. 53A_R5_SI-04(10)_ODP[01]

NET-18.2 NET-18.2_A02 system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined. 53A_R5_SI-04(10)_ODP[02]

NET-18.2 NET-18.2_A03 provisions are made so that encrypted communications traffic is visible to system monitoring tools and mechanisms. 53A_R5_SI-04(10)

NET-18.3 NET-18.3_A01 networked, privileged accesses are routed through a dedicated, managed interface for purposes of access control. 53A_R5_SC-07(15)[01]

NET-18.3 NET-18.3_A02 networked, privileged accesses are routed through a dedicated, managed interface for purposes of auditing. 53A_R5_SC-07(15)[02]

PES-01 PES-01_A01 the physical facility where organizational systems reside is protected. 171A_3.10.2[a]

PES-01 PES-01_A02 the support infrastructure for organizational systems is protected. 171A_3.10.2[b]

PES-01 PES-01_A03 the physical facility where organizational systems reside is monitored. 171A_3.10.2[c]

PES-01 PES-01_A04 the support infrastructure for organizational systems is monitored. 171A_3.10.2[d]

PES-01 PES-01_A30 the location or site of the facility where the system resides is planned considering physical and environmental hazards. 53A_R5_PE-23a.

PES-01 PES-01_A31 for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy. 53A_R5_PE-23b.

PES-01.1 PES-01.1_A01 a Site Security Plan (SitePlan) is documented for each server and communications room to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats. SCF Created

PES-02 PES-02_A01 authorized individuals allowed physical access are identified. 171A_3.10.1[a]; 53A_R5_PE-02a.[01]

PES-02 PES-02_A02 physical access to organizational systems is limited to authorized individuals. 171A_3.10.1[b]

PES-02 PES-02_A03 physical access to equipment is limited to authorized individuals. 171A_3.10.1[c]

PES-02 PES-02_A04 physical access to operating environments is limited to authorized individuals. 171A_3.10.1[d]

PES-02 PES-02_A05 frequency at which to review the access list detailing authorized facility access by individuals is defined. 53A_R5_PE-02_ODP

PES-02 PES-02_A06 the list of individuals with authorized access to the facility where the system resides has been approved. 53A_R5_PE-02a.[02]

PES-02 PES-02_A07 the list of individuals with authorized access to the facility where the system resides has been maintained. 53A_R5_PE-02a.[03]

PES-02 PES-02_A08 authorization credentials are issued for facility access. 53A_R5_PE-02b.

PES-02 PES-02_A09 the access list detailing authorized facility access by individuals is reviewed per an organization-defined frequency. 53A_R5_PE-02c.

PES-02 PES-02_A10 individuals are removed from the facility access list when access is no longer required. 53A_R5_PE-02d.

PES-02.1 PES-02.1_A01 physical access to the facility where the system resides is authorized based on position or role. 53A_R5_PE-02(01)

PES-02.2 PES-02.2_A01 a "two-person rule" is enforced for physical access by requiring two authorized individuals with separate access cards, keys or PINs to access highly-sensitive areas (e.g., safe, high-security cage, etc.). SCF Created

PES-03 PES-03_A01 physical access devices are identified. 171A_3.10.5[a]; 53A_R5_PE-03_ODP[02]; 53A_R5_PE-03_ODP[03]

PES-03 PES-03_A02 physical access devices are controlled. 171A_3.10.5[b]

PES-03 PES-03_A03 physical access devices are managed. 171A_3.10.5[c]

PES-03 PES-03_A04 entry and exit points to the facility in which the system resides are defined. 53A_R5_PE-03_ODP[01]

PES-03 PES-03_A05 entry or exit points for which physical access logs are maintained are defined. 53A_R5_PE-03_ODP[04]

PES-03 PES-03_A06 physical access controls to control access to areas within the facility designated as publicly accessible are defined. 53A_R5_PE-03_ODP[05]

PES-03 PES-03_A07 circumstances requiring visitor escorts and control of visitor activity are defined. 53A_R5_PE-03_ODP[06]

PES-03 PES-03_A08 physical access devices to be inventoried are defined. 53A_R5_PE-03_ODP[07]

PES-03 PES-03_A09 frequency at which to inventory physical access devices is defined. 53A_R5_PE-03_ODP[08]

PES-03 PES-03_A10 frequency at which to change combinations is defined. 53A_R5_PE-03_ODP[09]

PES-03 PES-03_A11 frequency at which to change keys is defined. 53A_R5_PE-03_ODP[10]

PES-03 PES-03_A12 physical access authorizations are enforced at entry and exit points by verifying individual access authorizations before granting access to the facility. 53A_R5_PE-03a.01

PES-03 PES-03_A13 physical access authorizations are enforced at entry and exit points by controlling ingress and egress to the facility. 53A_R5_PE-03a.02

PES-03 PES-03_A14 physical access event logs are maintained for entry or exit points. 53A_R5_PE-03b.

PES-03 PES-03_A15 access to areas within the facility designated as publicly accessible are maintained by implementing physical access controls. 53A_R5_PE-03c.

PES-03 PES-03_A16 visitors are escorted. 53A_R5_PE-03d.[01]

PES-03 PES-03_A17 visitor activity is controlled under organization-defined circumstances. 53A_R5_PE-03d.[02]

PES-03 PES-03_A18 keys are secured. 53A_R5_PE-03e.[01]

PES-03 PES-03_A19 combinations are secured. 53A_R5_PE-03e.[02]

PES-03 PES-03_A20 other physical access devices are secured. 53A_R5_PE-03e.[03]

PES-03 PES-03_A21 physical access devices are inventoried at an organization-defined frequency. 53A_R5_PE-03f.

PES-03 PES-03_A22 combinations are changed at an organization-defined frequency, when combinations are compromised or when individuals possessing the combinations are transferred or terminated. 53A_R5_PE-03g.[01]

PES-03 PES-03_A23 keys are changed at an organization-defined frequency, when keys are lost or when individuals possessing the keys are transferred or terminated. 53A_R5_PE-03g.[02]

PES-03 PES-03_A24 the frequency at which to perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components is defined. 53A_R5_PE-03(02)_ODP

PES-03 PES-03_A25 security checks are performed at an organization-defined frequency at the physical perimeter of the facility or system for exfiltration of information or removal of system components. 53A_R5_PE-03(02)

PES-03 PES-03_A26 physical access points to the facility where the system resides are defined. 53A_R5_PE-03(03)_ODP

PES-03 PES-03_A27 guards are employed to control physical access points to the facility where the system resides 24 hours per day, 7 days per week. 53A_R5_PE-03(03)

PES-03.1 PES-03.1_A01 physical access control mechanisms limit physical access through controlled ingress and egress points. SCF Created

PES-03.1 PES-03.1_A02 physical access control mechanisms monitor physical access through controlled ingress and egress points. SCF Created

PES-03.2 PES-03.2_A01 system components to be protected from unauthorized physical access are defined. 53A_R5_PE-03(04)_ODP

PES-03.2 PES-03.2_A02 lockable physical casings are used to protect system components from unauthorized access. 53A_R5_PE-03(04)

PES-03.3 PES-03.3_A01 event logs of physical access are maintained. 171A_3.10.4

PES-03.3 PES-03.3_A02 time period for which to maintain visitor access records for the facility where the system resides is defined. 53A_R5_PE-08_ODP[01]

PES-03.3 PES-03.3_A03 the frequency at which to review visitor access records is defined. 53A_R5_PE-08_ODP[02]

PES-03.3 PES-03.3_A04 personnel to whom visitor access records anomalies are reported is/are defined. 53A_R5_PE-08_ODP[03]

PES-03.3 PES-03.3_A05 visitor access records for the facility where the system resides are maintained for an organization-defined time period. 53A_R5_PE-08a.

PES-03.3 PES-03.3_A06 visitor access records are reviewed at an organization-defined frequency. 53A_R5_PE-08b.

PES-03.3 PES-03.3_A07 visitor access records anomalies are reported to personnel. 53A_R5_PE-08c.

PES-03.4 PES-03.4_A01 physical spaces containing one or more components of the system are defined. 53A_R5_PE-03(01)_ODP

PES-03.4 PES-03.4_A02 physical access authorizations to the system are enforced. 53A_R5_PE-03(01)[01]

PES-03.4 PES-03.4_A03 physical access controls are enforced for the facility at physical spaces. 53A_R5_PE-03(01)[02]

PES-04 PES-04_A01 identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities. SCF Created

PES-04.1 PES-04.1_A01 Physical security mechanisms exist to allow only authorized personnel access to secure areas. SCF Created

PES-04.2 PES-04.2_A01 Physical access control mechanisms exist to inspect personnel and their personal effects (e.g., personal property ordinarily worn or carried by the individual, including vehicles) to prevent the unauthorized exfiltration of data and technology assets. SCF Created

PES-04.3 PES-04.3_A01 Physical access control mechanisms exist to temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards. SCF Created

PES-05 PES-05_A01 the frequency at which to review physical access logs is defined. 53A_R5_PE-06_ODP[01]

PES-05 PES-05_A02 events or potential indication of events requiring physical access logs to be reviewed are defined. 53A_R5_PE-06_ODP[02]

PES-05 PES-05_A03 physical access to the facility where the system resides is monitored to detect and respond to physical security incidents. 53A_R5_PE-06a.

PES-05 PES-05_A04 physical access logs are reviewed at an organization-defined frequency. 53A_R5_PE-06b.[01]

PES-05 PES-05_A05 physical access logs are reviewed upon occurrence of events. 53A_R5_PE-06b.[02]

PES-05 PES-05_A06 results of reviews are coordinated with organizational incident response capabilities. 53A_R5_PE-06c.[01]

PES-05 PES-05_A07 results of investigations are coordinated with organizational incident response capabilities. 53A_R5_PE-06c.[02]

PES-05.1 PES-05.1_A01 physical access to the facility where the system resides is monitored using physical intrusion alarms. 53A_R5_PE-06(01)[01]

PES-05.1 PES-05.1_A02 physical access to the facility where the system resides is monitored using physical surveillance equipment. 53A_R5_PE-06(01)[02]

PES-05.2 PES-05.2_A01 physical spaces containing one or more components of the system are defined. 53A_R5_PE-06(04)_ODP

PES-05.2 PES-05.2_A02 physical access to the system is monitored in addition to the physical access monitoring of the facility at physical spaces. 53A_R5_PE-06(04)

PES-06 PES-06_A01 visitors are escorted. 171A_3.10.3[a]

PES-06 PES-06_A02 visitor activity is monitored. 171A_3.10.3[b]

PES-06.1 PES-06.1_A01 physical access control mechanisms distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible. SCF Created

PES-06.2 PES-06.2_A01 a list of acceptable forms of identification for visitor access to the facility where the system resides is defined. 53A_R5_PE-02(02)_ODP

PES-06.2 PES-06.2_A02 two forms of identification are required from list of acceptable forms of identification for visitor access to the facility where the system resides. 53A_R5_PE-02(02)

PES-06.3 PES-06.3_A01 visitors are escorted. 171A_3.10.3[a]

PES-06.3 PES-06.3_A02 visitor activity is monitored. 171A_3.10.3[b]

PES-06.3 PES-06.3_A03 physical access authorizations for unescorted access to the facility where the system resides are defined. 53A_R5_PE-02(03)_ODP[01]; 53A_R5_PE-02(03)_ODP[02]

PES-06.3 PES-06.3_A04 unescorted access to the facility where the system resides is restricted. 53A_R5_PE-02(03)

PES-06.4 PES-06.4_A01 automated mechanisms used to maintain visitor access records are defined. 53A_R5_PE-08(01)_ODP[01]

PES-06.4 PES-06.4_A02 automated mechanisms used to review visitor access records are defined. 53A_R5_PE-08(01)_ODP[02]

PES-06.4 PES-06.4_A03 visitor access records are maintained using automated mechanisms. 53A_R5_PE-08(01)[01]

PES-06.4 PES-06.4_A04 visitor access records are reviewed using automated mechanisms. 53A_R5_PE-08(01)[02]

PES-06.5 PES-06.5_A01 processes that implement the privacy principle of minimization are defined. 53A_R5_SA-08(33)_ODP

PES-06.5 PES-06.5_A02 the privacy principle of minimization is implemented using organization-defined processes. 53A_R5_SA-08(33)

PES-06.5 PES-06.5_A03 elements identified in the privacy risk assessment to limit personal data contained in visitor access logs are defined. 53A_R5_PE-08(03)_ODP

PES-06.5 PES-06.5_A04 personal data contained in visitor access records is limited to elements identified in the privacy risk assessment. 53A_R5_PE-08(03)

PES-06.6 PES-06.6_A01 visitor badges, or other issued identification, are surrendered before visitors leave the facility or are deactivated at a pre-determined time/date of expiration. SCF Created

PES-07.7 PES-07.7_A01 distance by which redundant power cabling paths are to be physically separated is defined. 53A_R5_PE-09(01)_ODP

PES-07.7 PES-07.7_A02 redundant power cabling paths that are physically separated by organization-defined distance are employed. 53A_R5_PE-09(01)

PES-07 PES-07_A01 power equipment for the system is protected from damage and destruction. 53A_R5_PE-09[01]

PES-07 PES-07_A02 power cabling for the system is protected from damage and destruction. 53A_R5_PE-09[02]

PES-07.1 PES-07.1_A01 the critical system components that require automatic voltage controls are defined. 53A_R5_PE-09(02)_ODP

PES-07.1 PES-07.1_A02 automatic voltage controls for critical system components are employed. 53A_R5_PE-09(02)

PES-07.2 PES-07.2_A01 system or individual system components that require the capability to shut off power in emergency situations is/are defined. 53A_R5_PE-10_ODP[01]

PES-07.2 PES-07.2_A02 location of emergency shutoff switches or devices by system or system component is defined. 53A_R5_PE-10_ODP[02]

PES-07.2 PES-07.2_A03 the capability to shut off power to system or individual system components in emergency situations is provided. 53A_R5_PE-10a.

PES-07.2 PES-07.2_A04 emergency shutoff switches or devices are placed in location to facilitate access for authorized personnel. 53A_R5_PE-10b.

PES-07.2 PES-07.2_A05 the emergency power shutoff capability is protected from unauthorized activation. 53A_R5_PE-10c.

PES-07.3 PES-07.3_A01 an uninterruptible power supply is provided to facilitate selected organization-defined values in the event of a primary power source loss. 53A_R5_PE-11_ODP; 53A_R5_PE-11

PES-07.3 PES-07.3_A02 an alternate power supply provided for the system is activated upon organization-defined criteria. 53A_R5_PE-11(01)_ODP; 53A_R5_PE-11(01)[01]

PES-07.3 PES-07.3_A03 the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source. 53A_R5_PE-11(01)[02]

PES-07.4 PES-07.4_A01 automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system. 53A_R5_PE-12[01]

PES-07.4 PES-07.4_A02 automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system. 53A_R5_PE-12[02]

PES-07.4 PES-07.4_A03 automatic emergency lighting for the system covers emergency exits within the facility. 53A_R5_PE-12[03]

PES-07.4 PES-07.4_A04 automatic emergency lighting for the system covers evacuation routes within the facility. 53A_R5_PE-12[04]

PES-07.5 PES-07.5_A01 the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves. 53A_R5_PE-15[01]

PES-07.5 PES-07.5_A02 the master shutoff or isolation valves are accessible. 53A_R5_PE-15[02]

PES-07.5 PES-07.5_A03 the master shutoff or isolation valves are working properly. 53A_R5_PE-15[03]

PES-07.5 PES-07.5_A04 the master shutoff or isolation valves are known to key personnel. 53A_R5_PE-15[04]

PES-07.6 PES-07.6_A01 personnel or roles to be alerted when the presence of water is detected near the system is/are defined. 53A_R5_PE-15(01)_ODP[01]

PES-07.6 PES-07.6_A02 automated mechanisms used to detect the presence of water near the system are defined. 53A_R5_PE-15(01)_ODP[02]

PES-07.6 PES-07.6_A03 the presence of water near the system can be detected automatically. 53A_R5_PE-15(01)[01]

PES-07.6 PES-07.6_A04 organization-defined personnel or roles is/are alerted using organization-defined automated mechanisms. 53A_R5_PE-15(01)[02]

PES-08 PES-08_A01 fire detection systems are employed. 53A_R5_PE-13[01]

PES-08 PES-08_A02 employed fire detection systems are supported by an independent energy source. 53A_R5_PE-13[02]

PES-08 PES-08_A03 employed fire detection systems are maintained. 53A_R5_PE-13[03]

PES-08 PES-08_A04 fire suppression systems are employed. 53A_R5_PE-13[04]

PES-08 PES-08_A05 employed fire suppression systems are supported by an independent energy source. 53A_R5_PE-13[05]

PES-08 PES-08_A06 employed fire suppression systems are maintained. 53A_R5_PE-13[06]

PES-08.1 PES-08.1_A01 personnel or roles to be notified in the event of a fire is/are defined. 53A_R5_PE-13(01)_ODP[01]

PES-08.1 PES-08.1_A02 emergency responders to be notified in the event of a fire are defined. 53A_R5_PE-13(01)_ODP[02]

PES-08.1 PES-08.1_A03 fire detection systems that activate automatically are employed in the event of a fire. 53A_R5_PE-13(01)[01]

PES-08.1 PES-08.1_A04 fire detection systems that notify organization-defined personnel or roles automatically are employed in the event of a fire. 53A_R5_PE-13(01)[02]

PES-08.1 PES-08.1_A05 fire detection systems that notify organization-defined emergency responders automatically are employed in the event of a fire. 53A_R5_PE-13(01)[03]

PES-08.2 PES-08.2_A01 personnel or roles to be notified in the event of a fire is/are defined. 53A_R5_PE-13(02)_ODP[01]

PES-08.2 PES-08.2_A02 emergency responders to be notified in the event of a fire are defined. 53A_R5_PE-13(02)_ODP[02]

PES-08.2 PES-08.2_A03 fire suppression systems that activate automatically are employed. 53A_R5_PE-13(02)(a)[01]

PES-08.2 PES-08.2_A04 fire suppression systems that notify organization-defined personnel or roles automatically are employed. 53A_R5_PE-13(02)(a)[02]

PES-08.2 PES-08.2_A05 fire suppression systems that notify organization-defined emergency responders automatically are employed. 53A_R5_PE-13(02)(a)[03]

PES-08.3 PES-08.3_A01 an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis. 53A_R5_PE-13(02)(b)

PES-09 PES-09_A01 environmental control(s) for which to maintain a specified level in the facility where the system resides are defined. 53A_R5_PE-14_ODP[01]; 53A_R5_PE-14_ODP[02]

PES-09 PES-09_A02 acceptable levels for environmental controls are defined. 53A_R5_PE-14_ODP[03]

PES-09 PES-09_A03 frequency at which to monitor environmental control levels is defined. 53A_R5_PE-14_ODP[04]

PES-09 PES-09_A04 environmental control levels are maintained at acceptable levels within the facility where the system resides. 53A_R5_PE-14a.

PES-09 PES-09_A05 environmental control levels are monitored at an organization-defined frequency. 53A_R5_PE-14b.

PES-09.1 PES-09.1_A01 personnel or roles to be notified by environmental control monitoring when environmental changes are potentially harmful to personnel or equipment is/are defined. 53A_R5_PE-14(02)_ODP

PES-09.1 PES-09.1_A02 environmental control monitoring is employed. 53A_R5_PE-14(02)[01]

PES-09.1 PES-09.1_A03 personnel or roles are notified when changes are potentially harmful to personnel or equipment. 53A_R5_PE-14(02)[02]

PES-10 PES-10_A01 types of system components to be authorized and controlled when entering the facility are defined. 53A_R5_PE-16_ODP[01]

PES-10 PES-10_A02 types of system components to be authorized and controlled when exiting the facility are defined. 53A_R5_PE-16_ODP[02]

PES-10 PES-10_A03 types of system components are authorized when entering the facility. 53A_R5_PE-16a.[01]

PES-10 PES-10_A04 types of system components are controlled when entering the facility. 53A_R5_PE-16a.[02]

PES-10 PES-10_A05 types of system components are authorized when exiting the facility. 53A_R5_PE-16a.[03]

PES-10 PES-10_A06 types of system components are controlled when exiting the facility. 53A_R5_PE-16a.[04]

PES-10 PES-10_A07 records of the system components are maintained. 53A_R5_PE-16b.

PES-11 PES-11_A01 alternate work sites allowed for use by employees are defined. 53A_R5_PE-17_ODP[01]

PES-11 PES-11_A02 controls to be employed at alternate work sites are defined. 53A_R5_PE-17_ODP[02]

PES-11 PES-11_A03 alternate work sites are determined and documented. 53A_R5_PE-17a.

PES-11 PES-11_A04 controls are employed at alternate work sites. 53A_R5_PE-17b.

PES-11 PES-11_A05 the effectiveness of controls at alternate work sites is assessed. 53A_R5_PE-17c.

PES-11 PES-11_A06 a means for employees to communicate with cybersecurity & privacy personnel in case of incidents is provided. 53A_R5_PE-17d.

PES-11 PES-11_A07 safeguarding measures for sensitive / regulated data are defined for alternate work sites. 171A_3.10.6[a]

PES-11 PES-11_A08 safeguarding measures for sensitive / regulated data are enforced for alternate work sites. 171A_3.10.6[b]

PES-12 PES-12_A01 physical and environmental hazards that could result in potential damage to system components within the facility are defined. 53A_R5_PE-18_ODP

PES-12 PES-12_A02 system components within the facility are positioned to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. 53A_R5_PE-18

PES-12 PES-12_A03 the location or site of the facility where the system resides is planned considering physical and environmental hazards. 53A_R5_PE-23a.

PES-12 PES-12_A04 for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy. 53A_R5_PE-23b.

PES-12 PES-12_A05 managed interfaces to be protected against unauthorized physical connections are defined. 53A_R5_SC-07(14)_ODP

PES-12 PES-12_A06 managed interfaces are protected against unauthorized physical connections. 53A_R5_SC-07(14)

PES-12.1 PES-12.1_A01 system distribution and transmission lines requiring physical access controls are defined. 53A_R5_PE-04_ODP[01]

PES-12.1 PES-12.1_A02 security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined. 53A_R5_PE-04_ODP[02]

PES-12.1 PES-12.1_A03 physical access to system distribution and transmission lines within organizational facilities is controlled using security controls. 53A_R5_PE-04

PES-12.1 PES-12.1_A04 managed interfaces to be protected against unauthorized physical connections are defined. 53A_R5_SC-07(14)_ODP

PES-12.1 PES-12.1_A05 managed interfaces are protected against unauthorized physical connections. 53A_R5_SC-07(14)

PES-12.2 PES-12.2_A01 output devices that require physical access control to output are defined. 53A_R5_PE-05_ODP

PES-12.2 PES-12.2_A02 physical access to output from output devices is controlled to prevent unauthorized individuals from obtaining the output. 53A_R5_PE-05

PES-13 PES-13_A01 the system is protected from information leakage due to electromagnetic signal emanations. 53A_R5_PE-19

PES-14 PES-14_A01 asset location technologies to be employed to track and monitor the location and movement of assets is defined. 53A_R5_PE-20_ODP[01]

PES-14 PES-14_A02 assets whose location and movement are to be tracked and monitored are defined. 53A_R5_PE-20_ODP[02]

PES-14 PES-14_A03 controlled areas within which asset location and movement are to be tracked and monitored are defined. 53A_R5_PE-20_ODP[03]

PES-14 PES-14_A04 asset location technologies are employed to track and monitor the location and movement of assets within controlled areas. 53A_R5_PE-20

PES-15 PES-15_A01 protective measures to be employed against electromagnetic pulse damage are defined. 53A_R5_PE-21_ODP[01]

PES-15 PES-15_A02 system and system components requiring protection against electromagnetic pulse damage are defined. 53A_R5_PE-21_ODP[02]

PES-15 PES-15_A03 protective measures are employed against electromagnetic pulse damage for system and system components. 53A_R5_PE-21

PES-16 PES-16_A01 system hardware components to be marked indicating the impact level or classification level of the information permitted to be processed, stored or transmitted by the hardware component are defined. 53A_R5_PE-22_ODP

PES-16 PES-16_A02 system hardware components are marked indicating the impact level or classification level of the information permitted to be processed, stored or transmitted by the hardware component. 53A_R5_PE-22

PES-17 PES-17_A01 physical proximity to robotic or autonomous platforms is monitored to reduce applied force or stop the operation when sensors indicate a potentially dangerous scenario. SCF Created

PES-18 PES-18_A01 client-specific Intellectual Property (IP) is isolated from other data when client-specific IP is processed or stored within multi-client workspaces. SCF Created

PRI-01 PRI-01_A01 the frequency of updates to the privacy program plan is defined. 53A_R5_PM-18_ODP

Licensed by Creative Commons Attribution-NoDerivatives 201 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

PRI-01 PRI-01_A02 an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed. 53A_R5_PM-18a.[01]

PRI-01 PRI-01_A03 the privacy program plan includes a description of the structure of the privacy program. 53A_R5_PM-18a.01[01]

PRI-01 PRI-01_A04 the privacy program plan includes a description of the resources dedicated to the privacy program. 53A_R5_PM-18a.01[02]

PRI-01 PRI-01_A05 the privacy program plan provides an overview of the requirements for the privacy program. 53A_R5_PM-18a.02[01]

PRI-01 PRI-01_A06 the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program. 53A_R5_PM-18a.02[02]

PRI-01 PRI-01_A07 the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program. 53A_R5_PM-18a.02[03]

PRI-01 PRI-01_A08 the privacy program plan includes the role of the senior organization official for privacy. 53A_R5_PM-18a.03[01]

PRI-01 PRI-01_A09 the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities. 53A_R5_PM-18a.03[02]

PRI-01 PRI-01_A10 the privacy program plan describes management commitment. 53A_R5_PM-18a.04[01]

PRI-01 PRI-01_A11 the privacy program plan describes compliance. 53A_R5_PM-18a.04[02]

PRI-01 PRI-01_A12 the privacy program plan describes the strategic goals and objectives of the privacy program. 53A_R5_PM-18a.04[03]

PRI-01 PRI-01_A13 the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy. 53A_R5_PM-18a.05

PRI-01 PRI-01_A14 the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including mission, functions, image and reputation), organizational assets, individuals, other organizations and the Nation. 53A_R5_PM-18a.06

PRI-01 PRI-01_A15 the privacy program plan is disseminated. 53A_R5_PM-18a.[02]

PRI-01 PRI-01_A16 the privacy program plan is updated per an organization-defined frequency. 53A_R5_PM-18b.[01]

PRI-01 PRI-01_A17 the privacy program plan is updated to address changes in federal privacy laws and policies. 53A_R5_PM-18b.[02]

PRI-01 PRI-01_A18 the privacy program plan is updated to address organizational changes. 53A_R5_PM-18b.[03]

PRI-01 PRI-01_A19 the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments. 53A_R5_PM-18b.[04]

PRI-01.1 PRI-01.1_A01 a senior organization official for privacy with authority, mission, accountability and resources is appointed. 53A_R5_PM-19[01]

PRI-01.1 PRI-01.1_A02 the senior organization official for privacy coordinates applicable privacy requirements. 53A_R5_PM-19[02]

PRI-01.1 PRI-01.1_A03 the senior organization official for privacy develops applicable privacy requirements. 53A_R5_PM-19[03]

PRI-01.1 PRI-01.1_A04 the senior organization official for privacy implements applicable privacy requirements. 53A_R5_PM-19[04]

PRI-01.1 PRI-01.1_A05 the senior organization official for privacy manages privacy risks through the organization-wide privacy program. 53A_R5_PM-19[05]

PRI-01.2 PRI-01.2_A01 Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records or Privacy Act statements are provided on separate forms that can be retained by individuals. 53A_R5_PT-05(02)

PRI-01.3 PRI-01.3_A01 a central resource webpage is maintained on the organization’s principal public website. 53A_R5_PM-20[01]

PRI-01.3 PRI-01.3_A02 the webpage serves as a central source of information about the organization’s privacy program. 53A_R5_PM-20[02]

PRI-01.3 PRI-01.3_A03 the webpage ensures that the public has access to information about organizational privacy activities. 53A_R5_PM-20a.[01]

PRI-01.3 PRI-01.3_A04 the webpage ensures that the public can communicate with its senior organization official for privacy. 53A_R5_PM-20a.[02]

PRI-01.3 PRI-01.3_A05 the webpage ensures that organizational privacy practices are publicly available. 53A_R5_PM-20b.[01]

PRI-01.3 PRI-01.3_A06 the webpage ensures that organizational privacy reports are publicly available. 53A_R5_PM-20b.[02]

PRI-01.3 PRI-01.3_A07 the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. 53A_R5_PM-20c.

PRI-01.4 PRI-01.4_A01 a Data Protection Officer (DPO) is appointed on the basis of professional qualities. SCF Created

PRI-01.4 PRI-01.4_A02 the role of the Data Protection Officer (DPO) is involved in all issues related to the protection of personal data. SCF Created

PRI-01.5 PRI-01.5_A01 Binding Corporate Rules (BCR) are used to legally bind all parties engaged in a joint economic activity that contractually states enforceable rights on data subjects with regard to the processing of their personal data. SCF Created

PRI-01.6 PRI-01.6_A01 Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD. SCF Created

PRI-01.7 PRI-01.7_A01 the disclosure of Personal Data (PD) is restricted to authorized parties for the sole purpose for which the PD was obtained. SCF Created


PRI-02 PRI-02_A01 privacy policies are developed and posted on all external-facing websites. 53A_R5_PM-20(01)[01]

PRI-02 PRI-02_A02 privacy policies are developed and posted on all mobile applications. 53A_R5_PM-20(01)[02]

PRI-02 PRI-02_A03 privacy policies are developed and posted on all other digital services. 53A_R5_PM-20(01)[03]

PRI-02 PRI-02_A04 the privacy policies are written in plain language. 53A_R5_PM-20(01)(a)[01]

PRI-02 PRI-02_A05 the privacy policies are organized in a way that is easy to understand and navigate. 53A_R5_PM-20(01)(a)[02]

PRI-02 PRI-02_A06 the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization. 53A_R5_PM-20(01)(b)[01]

PRI-02 PRI-02_A07 the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization. 53A_R5_PM-20(01)(b)[02]

PRI-02 PRI-02_A08 the privacy policies are updated whenever the organization makes a substantive change to the practices it describes. 53A_R5_PM-20(01)(c)[01]

PRI-02 PRI-02_A09 the privacy policies include a time/date stamp to inform the public of the date of the most recent changes. 53A_R5_PM-20(01)(c)[02]

PRI-02 PRI-02_A10 the frequency at which a notice is provided to individuals after initial interaction with an organization is defined. 53A_R5_PT-05_ODP[01]

PRI-02 PRI-02_A11 information to be included with the notice about the processing of personal data is defined. 53A_R5_PT-05_ODP[02]

PRI-02 PRI-02_A12 a notice to individuals about the processing of personal data is provided such that the notice is available to individuals upon first interacting with an organization. 53A_R5_PT-05a.[01]

PRI-02 PRI-02_A13 a notice to individuals about the processing of personal data is provided such that the notice is subsequently available to individuals at the organization-defined frequency. 53A_R5_PT-05a.[02]

PRI-02 PRI-02_A14 a notice to individuals about the processing of personal data is provided that is clear, easy-to-understand and expresses information about personal data processing in plain language. 53A_R5_PT-05b.

PRI-02 PRI-02_A15 a notice to individuals about the processing of personal data that identifies the authority that authorizes the processing of personal data is provided. 53A_R5_PT-05c.

PRI-02 PRI-02_A16 a notice to individuals about the processing of personal data that identifies the purpose for which personal data is to be processed is provided. 53A_R5_PT-05d.

PRI-02 PRI-02_A17 a notice to individuals about the processing of personal data which includes the organization-defined information is provided. 53A_R5_PT-05e.

PRI-02.1 PRI-02.1_A01 the purpose(s) for processing personal data is/are defined. 53A_R5_PT-03_ODP[01]

PRI-02.1 PRI-02.1_A02 the processing of personal data to be restricted is defined. 53A_R5_PT-03_ODP[02]

PRI-02.1 PRI-02.1_A03 mechanisms to be implemented for ensuring any changes in the processing of personal data are made in accordance with requirements are defined. 53A_R5_PT-03_ODP[03]

PRI-02.1 PRI-02.1_A04 requirements for changing the processing of personal data are defined. 53A_R5_PT-03_ODP[04]

PRI-02.1 PRI-02.1_A05 the purpose(s) for processing personal data is/are identified and documented. 53A_R5_PT-03a.

PRI-02.1 PRI-02.1_A06 the purpose(s) is/are described in the public privacy notices of the organization. 53A_R5_PT-03b.[01]

PRI-02.1 PRI-02.1_A07 the purpose(s) is/are described in the policies of the organization. 53A_R5_PT-03b.[02]

PRI-02.1 PRI-02.1_A08 the processing of personal data is restricted to only that which is compatible with the identified purpose(s). 53A_R5_PT-03c.

PRI-02.1 PRI-02.1_A09 changes in the processing of personal data are monitored. 53A_R5_PT-03d.[01]

PRI-02.1 PRI-02.1_A10 mechanisms are implemented to ensure that any changes are made in accordance with requirements. 53A_R5_PT-03d.[02]

PRI-02.2 PRI-02.2_A01 automated mechanisms used to manage enforcement of the authorized processing of personal data are defined. 53A_R5_PT-02(02)_ODP

PRI-02.2 PRI-02.2_A02 enforcement of the authorized processing of personal data is managed using automated mechanisms. 53A_R5_PT-02(02)

PRI-02.3 PRI-02.3_A01 approval to conduct the matching program is obtained from the data integrity board/function when a system or organization processes information for the purpose of conducting a matching program. 53A_R5_PT-08a.

PRI-02.3 PRI-02.3_A02 a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program. 53A_R5_PT-08b.[01]

PRI-02.3 PRI-02.3_A03 a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program. 53A_R5_PT-08b.[02]

PRI-02.3 PRI-02.3_A04 a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program. 53A_R5_PT-08c.

PRI-02.3 PRI-02.3_A05 the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program. 53A_R5_PT-08d.

PRI-02.3 PRI-02.3_A06 individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program. 53A_R5_PT-08e.[01]

PRI-02.3 PRI-02.3_A07 individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program. 53A_R5_PT-08e.[02]


PRI-02.4 PRI-02.4_A01 system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records. 53A_R5_PT-06a.[01]

PRI-02.4 PRI-02.4_A02 new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records. 53A_R5_PT-06a.[02]

PRI-02.4 PRI-02.4_A03 system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records. 53A_R5_PT-06b.

PRI-02.4 PRI-02.4_A04 system of records notices are kept accurate, up-to-date and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records. 53A_R5_PT-06c.

PRI-02.5 PRI-02.5_A01 the frequency at which to review all routine uses published in the system of records notice is defined. 53A_R5_PT-06(01)_ODP

PRI-02.5 PRI-02.5_A02 all routine uses published in the system of records notice are reviewed frequently to ensure continued accuracy and to ensure that routine uses continue to be compatible with the purpose for which the information was collected. 53A_R5_PT-06(01)

PRI-02.6 PRI-02.6_A01 the frequency at which to review all Privacy Act exemptions claimed for the system of records is defined. 53A_R5_PT-06(02)_ODP

PRI-02.6 PRI-02.6_A02 all Privacy Act exemptions claimed for the system of records are reviewed frequently to ensure that they remain appropriate and necessary in accordance with law. 53A_R5_PT-06(02)[01]

PRI-02.6 PRI-02.6_A03 all Privacy Act exemptions claimed for the system of records are reviewed frequently to ensure that they have been promulgated as regulations. 53A_R5_PT-06(02)[02]

PRI-02.6 PRI-02.6_A04 all Privacy Act exemptions claimed for the system of records are reviewed frequently to ensure that they are accurately described in the system of records notice. 53A_R5_PT-06(02)[03]

PRI-02.7 PRI-02.7_A01 real-time and/or layered notices are generated to provide data subjects with a summary of key points or more detailed information that is specific to the organization's privacy notice. SCF Created

PRI-03 PRI-03_A01 the tools or mechanisms to be implemented for individuals to consent to the processing of their Personal Data (PD) are defined. 53A_R5_PT-04_ODP

PRI-03 PRI-03_A02 tools or mechanisms are implemented for individuals to consent to the processing of their personal data prior to its collection that facilitate individuals’ informed decision-making. 53A_R5_PT-04

PRI-03.1 PRI-03.1_A01 tailoring mechanisms for processing selected elements of personal data permissions are defined. 53A_R5_PT-04(01)_ODP

PRI-03.1 PRI-03.1_A02 mechanisms are provided to allow individuals to tailor processing permissions to selected elements of personal data. 53A_R5_PT-04(01)

PRI-03.2 PRI-03.2_A01 consent mechanisms to be presented to individuals are defined. 53A_R5_PT-04(02)_ODP[01]

PRI-03.2 PRI-03.2_A02 the frequency at which to present consent mechanisms to individuals is defined. 53A_R5_PT-04(02)_ODP[02]

PRI-03.2 PRI-03.2_A03 Personal Data (PD) processing to be presented in conjunction with organization-defined consent mechanisms is defined. 53A_R5_PT-04(02)_ODP[03]

PRI-03.2 PRI-03.2_A04 consent mechanisms are presented to individuals at the organization-defined frequency and in conjunction with Personal Data (PD) processing. 53A_R5_PT-04(02)

PRI-03.3 PRI-03.3_A01 Personal Data (PD) identified as "do not sell" by the data subject is identified. SCF Created

PRI-03.3 PRI-03.3_A02 the sale of Personal Data (PD) identified as "do not sell" is prevented anywhere the PD is stored and/or processed. SCF Created

PRI-03.4 PRI-03.4_A01 the tools or mechanisms to be implemented for revoking consent to the processing of personal data are defined. 53A_R5_PT-04(03)_ODP

PRI-03.4 PRI-03.4_A02 the tools or mechanisms are implemented for individuals to revoke consent to the processing of their personal data. 53A_R5_PT-04(03)

PRI-03.5 PRI-03.5_A01 processes exist to prevent the refusal of products and/or services on the grounds that a data subject does not agree to the processing of Personal Data (PD) or withdraws consent. SCF Created

PRI-03.6 PRI-03.6_A01 data subjects are empowered to authorize another person or entity, acting on the data subject's behalf, to make Personal Data (PD) processing decisions. SCF Created

PRI-03.7 PRI-03.7_A01 data subjects are compelled to select the level of consent deemed appropriate by the data subject for the relevant business purpose (e.g., opt-in, opt-out, accept all cookies, etc.). SCF Created

PRI-03.8 PRI-03.8_A01 consumer-facing technologies are configured to empower data subjects with functionality to exercise pre-selected opt-out preferences (e.g., opt-out signal). SCF Created

PRI-04 PRI-04_A01 the type of processing of personal data is defined. 53A_R5_PT-02_ODP[02]

PRI-04 PRI-04_A02 the type of processing of personal data to be restricted is defined. 53A_R5_PT-02_ODP[03]

PRI-04.1 PRI-04.1_A01 the authority to permit the processing of personal data is defined. 53A_R5_PT-02_ODP[01]

PRI-04.1 PRI-04.1_A02 the authority that permits the processing of personal data is determined and documented. 53A_R5_PT-02a.

PRI-04.1 PRI-04.1_A03 the processing of personal data is restricted to only that which is authorized. 53A_R5_PT-02b.

PRI-04.2 PRI-04.2_A01 processes exist to ensure that whenever possible, personal data is directly collected from the data subject. SCF Created

PRI-04.3 PRI-04.3_A01 the business case(s) is defined for the collection, processing, storage and sharing of photographic and/or video surveillance image collection that can identify individuals. SCF Created

PRI-04.3 PRI-04.3_A02 the collection, processing, storage and sharing of photographic and/or video surveillance image collection that can identify individuals is restricted to legitimate business needs. SCF Created

PRI-04.4 PRI-04.4_A01 data subjects are promptly informed of the utilization purpose when their Personal Data (PD) is acquired and not received directly from the data subject, except where that utilization purpose was disclosed in advance to the data subject. SCF Created


PRI-04.5 PRI-04.5_A01 data subjects, or authorized representatives, are prompted to validate Personal Data (PD) during the collection process. SCF Created

PRI-04.6 PRI-04.6_A01 data subjects, or authorized representatives, are prompted to re-validate that Personal Data (PD) acquired during the collection process is still accurate. SCF Created

PRI-05 PRI-05_A01 information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements. 53A_R5_SI-12[01]

PRI-05 PRI-05_A02 information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements. 53A_R5_SI-12[02]

PRI-05 PRI-05_A03 information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements. 53A_R5_SI-12[03]

PRI-05 PRI-05_A04 information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines and operational requirements. 53A_R5_SI-12[04]

PRI-05 PRI-05_A05 techniques used to dispose of information following the retention period are defined. 53A_R5_SI-12(03)_ODP[01]

PRI-05 PRI-05_A06 techniques used to destroy information following the retention period are defined. 53A_R5_SI-12(03)_ODP[02]

PRI-05 PRI-05_A07 techniques used to erase information following the retention period are defined. 53A_R5_SI-12(03)_ODP[03]

PRI-05 PRI-05_A08 organization-defined techniques are used to dispose of information following the retention period. 53A_R5_SI-12(03)[01]

PRI-05 PRI-05_A09 organization-defined techniques are used to destroy information following the retention period. 53A_R5_SI-12(03)[02]

PRI-05 PRI-05_A10 organization-defined techniques are used to erase information following the retention period. 53A_R5_SI-12(03)[03]

PRI-05.1 PRI-05.1_A01 elements of personal data being processed in the information life cycle are defined. 53A_R5_SI-12(01)_ODP

PRI-05.1 PRI-05.1_A02 personal data being processed in the information life cycle is limited to organization-defined elements of personal data. 53A_R5_SI-12(01)

PRI-05.1 PRI-05.1_A03 techniques used to minimize the use of personal data for research are defined. 53A_R5_SI-12(02)_ODP[01]

PRI-05.1 PRI-05.1_A04 techniques used to minimize the use of personal data for testing are defined. 53A_R5_SI-12(02)_ODP[02]

PRI-05.1 PRI-05.1_A05 techniques used to minimize the use of personal data for training are defined. 53A_R5_SI-12(02)_ODP[03]

PRI-05.1 PRI-05.1_A06 organization-defined techniques are used to minimize the use of personal data for research. 53A_R5_SI-12(02)[01]

PRI-05.1 PRI-05.1_A07 organization-defined techniques are used to minimize the use of personal data for testing. 53A_R5_SI-12(02)[02]

PRI-05.1 PRI-05.1_A08 organization-defined techniques are used to minimize the use of personal data for training. 53A_R5_SI-12(02)[03]

PRI-05.1 PRI-05.1_A09 the frequency for reviewing policies that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[01]

PRI-05.1 PRI-05.1_A10 the frequency for updating policies that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[02]

PRI-05.1 PRI-05.1_A11 the frequency for reviewing procedures that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[03]

PRI-05.1 PRI-05.1_A12 the frequency for updating procedures that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[04]

PRI-05.1 PRI-05.1_A13 policies that address the use of personal data for internal testing are developed and documented. 53A_R5_PM-25a.[01]

PRI-05.1 PRI-05.1_A14 policies that address the use of personal data for internal training are developed and documented. 53A_R5_PM-25a.[02]

PRI-05.1 PRI-05.1_A15 policies that address the use of personal data for internal research are developed and documented. 53A_R5_PM-25a.[03]

PRI-05.1 PRI-05.1_A16 procedures that address the use of personal data for internal testing are developed and documented. 53A_R5_PM-25a.[04]

PRI-05.1 PRI-05.1_A17 procedures that address the use of personal data for internal training are developed and documented. 53A_R5_PM-25a.[05]

PRI-05.1 PRI-05.1_A18 procedures that address the use of personal data for internal research are developed and documented. 53A_R5_PM-25a.[06]

PRI-05.1 PRI-05.1_A19 policies that address the use of personal data for internal testing are implemented. 53A_R5_PM-25a.[07]

PRI-05.1 PRI-05.1_A20 policies that address the use of personal data for training are implemented. 53A_R5_PM-25a.[08]

PRI-05.1 PRI-05.1_A21 policies that address the use of personal data for research are implemented. 53A_R5_PM-25a.[09]

PRI-05.1 PRI-05.1_A22 procedures that address the use of personal data for internal testing are implemented. 53A_R5_PM-25a.[10]

PRI-05.1 PRI-05.1_A23 procedures that address the use of personal data for training are implemented. 53A_R5_PM-25a.[11]

PRI-05.1 PRI-05.1_A24 procedures that address the use of personal data for research are implemented. 53A_R5_PM-25a.[12]


PRI-05.1 PRI-05.1_A25 the amount of personal data used for internal testing purposes is limited or minimized. 53A_R5_PM-25b.[01]

PRI-05.1 PRI-05.1_A26 the amount of personal data used for internal training purposes is limited or minimized. 53A_R5_PM-25b.[02]

PRI-05.1 PRI-05.1_A27 the amount of personal data used for internal research purposes is limited or minimized. 53A_R5_PM-25b.[03]

PRI-05.1 PRI-05.1_A28 the required use of personal data for internal testing is authorized. 53A_R5_PM-25c.[01]

PRI-05.1 PRI-05.1_A29 the required use of personal data for internal training is authorized. 53A_R5_PM-25c.[02]

PRI-05.1 PRI-05.1_A30 the required use of personal data for internal research is authorized. 53A_R5_PM-25c.[03]

PRI-05.1 PRI-05.1_A31 policies are reviewed frequently. 53A_R5_PM-25d.[01]

PRI-05.1 PRI-05.1_A32 policies are updated frequently. 53A_R5_PM-25d.[02]

PRI-05.1 PRI-05.1_A33 procedures are reviewed frequently. 53A_R5_PM-25d.[03]

PRI-05.1 PRI-05.1_A34 procedures are updated frequently. 53A_R5_PM-25d.[04]

PRI-05.1 PRI-05.1_A35 the authority to permit the processing of personal data is defined. 53A_R5_PT-02_ODP[01]

PRI-05.1 PRI-05.1_A36 the type of processing of personal data is defined. 53A_R5_PT-02_ODP[02]

PRI-05.1 PRI-05.1_A37 the type of processing of personal data to be restricted is defined. 53A_R5_PT-02_ODP[03]

PRI-05.1 PRI-05.1_A38 the authority that permits the processing of personal data is determined and documented. 53A_R5_PT-02a.

PRI-05.1 PRI-05.1_A39 the processing of personal data is restricted to only that which is authorized. 53A_R5_PT-02b.

PRI-05.1 PRI-05.1_A40 the purpose(s) for processing personal data is/are defined. 53A_R5_PT-03_ODP[01]

PRI-05.1 PRI-05.1_A41 the processing of personal data to be restricted is defined. 53A_R5_PT-03_ODP[02]

PRI-05.1 PRI-05.1_A42 mechanisms to be implemented for ensuring any changes in the processing of personal data are made in accordance with requirements are defined. 53A_R5_PT-03_ODP[03]

PRI-05.1 PRI-05.1_A43 requirements for changing the processing of personal data are defined. 53A_R5_PT-03_ODP[04]

PRI-05.1 PRI-05.1_A44 the purpose(s) for processing personal data is/are identified and documented. 53A_R5_PT-03a.

PRI-05.1 PRI-05.1_A45 the purpose(s) is/are described in the public privacy notices of the organization. 53A_R5_PT-03b.[01]

PRI-05.1 PRI-05.1_A46 the purpose(s) is/are described in the policies of the organization. 53A_R5_PT-03b.[02]

PRI-05.1 PRI-05.1_A47 the processing of personal data is restricted to only that which is compatible with the identified purpose(s). 53A_R5_PT-03c.

PRI-05.1 PRI-05.1_A48 changes in the processing of personal data are monitored. 53A_R5_PT-03d.[01]

PRI-05.1 PRI-05.1_A49 mechanisms are implemented to ensure that any changes are made in accordance with requirements. 53A_R5_PT-03d.[02]

PRI-05.2 PRI-05.2_A01 a data integrity board/function is established. 53A_R5_PM-24

PRI-05.2 PRI-05.2_A02 the data integrity board/function reviews proposals to conduct or participate in a matching program. 53A_R5_PM-24a.

PRI-05.2 PRI-05.2_A03 the data integrity board/function conducts an annual review of all matching programs in which the agency has participated. 53A_R5_PM-24b.

PRI-05.3 PRI-05.3_A01 direct identifiers in a dataset are removed, masked, encrypted, hashed or replaced. 53A_R5_SI-19(04)

PRI-05.4 PRI-05.4_A01 data mining prevention and detection techniques are defined. 53A_R5_AC-23_ODP[01]

PRI-05.4 PRI-05.4_A02 data storage objects to be protected against unauthorized data mining are defined. 53A_R5_AC-23_ODP[02]

PRI-05.4 PRI-05.4_A03 organization-defined techniques are employed for organization-defined data storage objects to detect and protect against unauthorized data mining. 53A_R5_AC-23

PRI-05.4 PRI-05.4_A04 the frequency for reviewing policies that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[01]

PRI-05.4 PRI-05.4_A05 the frequency for updating policies that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[02]

PRI-05.4 PRI-05.4_A06 the frequency for reviewing procedures that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[03]

PRI-05.4 PRI-05.4_A07 the frequency for updating procedures that address the use of personal data for internal testing, training and research is defined. 53A_R5_PM-25_ODP[04]


PRI-05.4 PRI-05.4_A08 policies that address the use of personal data for internal testing are developed and documented. 53A_R5_PM-25a.[01]

PRI-05.4 PRI-05.4_A09 policies that address the use of personal data for internal training are developed and documented. 53A_R5_PM-25a.[02]

PRI-05.4 PRI-05.4_A10 policies that address the use of personal data for internal research are developed and documented. 53A_R5_PM-25a.[03]

PRI-05.4 PRI-05.4_A11 procedures that address the use of personal data for internal testing are developed and documented. 53A_R5_PM-25a.[04]

PRI-05.4 PRI-05.4_A12 procedures that address the use of personal data for internal training are developed and documented. 53A_R5_PM-25a.[05]

PRI-05.4 PRI-05.4_A13 procedures that address the use of personal data for internal research are developed and documented. 53A_R5_PM-25a.[06]

PRI-05.4 PRI-05.4_A14 policies that address the use of personal data for internal testing are implemented. 53A_R5_PM-25a.[07]

PRI-05.4 PRI-05.4_A15 policies that address the use of personal data for training are implemented. 53A_R5_PM-25a.[08]

PRI-05.4 PRI-05.4_A16 policies that address the use of personal data for research are implemented. 53A_R5_PM-25a.[09]

PRI-05.4 PRI-05.4_A17 procedures that address the use of personal data for internal testing are implemented. 53A_R5_PM-25a.[10]

PRI-05.4 PRI-05.4_A18 procedures that address the use of personal data for training are implemented. 53A_R5_PM-25a.[11]

PRI-05.4 PRI-05.4_A19 procedures that address the use of personal data for research are implemented. 53A_R5_PM-25a.[12]

PRI-05.4 PRI-05.4_A20 the amount of personal data used for internal testing purposes is limited or minimized. 53A_R5_PM-25b.[01]

PRI-05.4 PRI-05.4_A21 the amount of personal data used for internal training purposes is limited or minimized. 53A_R5_PM-25b.[02]

PRI-05.4 PRI-05.4_A22 the amount of personal data used for internal research purposes is limited or minimized. 53A_R5_PM-25b.[03]

PRI-05.4 PRI-05.4_A23 the required use of personal data for internal testing is authorized. 53A_R5_PM-25c.[01]

PRI-05.4 PRI-05.4_A24 the required use of personal data for internal training is authorized. 53A_R5_PM-25c.[02]

PRI-05.4 PRI-05.4_A25 the required use of personal data for internal research is authorized. 53A_R5_PM-25c.[03]

PRI-05.4 PRI-05.4_A26 policies are reviewed frequently. 53A_R5_PM-25d.[01]

PRI-05.4 PRI-05.4_A27 policies are updated frequently. 53A_R5_PM-25d.[02]

PRI-05.4 PRI-05.4_A28 procedures are reviewed frequently. 53A_R5_PM-25d.[03]

PRI-05.4 PRI-05.4_A29 procedures are updated frequently. 53A_R5_PM-25d.[04]

PRI-05.4 PRI-05.4_A30 the authority to permit the processing of personal data is defined. 53A_R5_PT-02_ODP[01]

PRI-05.4 PRI-05.4_A31 the type of processing of personal data is defined. 53A_R5_PT-02_ODP[02]

PRI-05.4 PRI-05.4_A32 the type of processing of personal data to be restricted is defined. 53A_R5_PT-02_ODP[03]

PRI-05.4 PRI-05.4_A33 the authority that permits the processing of personal data is determined and documented. 53A_R5_PT-02a.

PRI-05.4 PRI-05.4_A34 the processing of personal data is restricted to only that which is authorized. 53A_R5_PT-02b.

PRI-05.4 PRI-05.4_A35 processing conditions to be applied for specific categories of personal data are defined. 53A_R5_PT-07_ODP

PRI-05.4 PRI-05.4_A36 processing conditions are applied for specific categories of personal data. 53A_R5_PT-07

PRI-05.5 PRI-05.5_A01 the frequency at which to update the inventory of systems, applications and projects that process personal data is defined. 53A_R5_PM-05(01)_ODP

PRI-05.5 PRI-05.5_A02 an inventory of all systems, applications and projects that process personal data is established. 53A_R5_PM-05(01)[01]

PRI-05.5 PRI-05.5_A03 an inventory of all systems, applications and projects that process personal data is maintained. 53A_R5_PM-05(01)[02]

PRI-05.5 PRI-05.5_A04 an inventory of all systems, applications and projects that process personal data is updated frequently. 53A_R5_PM-05(01)[03]

PRI-05.6 PRI-05.6_A01 the frequency at which to update the inventory of systems, applications and projects that process personal data is defined. 53A_R5_PM-05(01)_ODP

PRI-05.6 PRI-05.6_A02 an inventory of all systems, applications and projects that process personal data is established. 53A_R5_PM-05(01)[01]

PRI-05.6 PRI-05.6_A03 an inventory of all systems, applications and projects that process personal data is maintained. 53A_R5_PM-05(01)[02]

Licensed by Creative Commons Attribution-NoDerivatives 207 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

PRI-05.6 PRI-05.6_A04 an inventory of all systems, applications and projects that process personal data is updated frequently. 53A_R5_PM-05(01)[03]

PRI-05.7 PRI-05.7_A01 processing conditions to be applied for specific categories of personal data are defined. 53A_R5_PT-07_ODP

PRI-05.7 PRI-05.7_A02 processing conditions are applied for specific categories of personal data. 53A_R5_PT-07

PRI-05.7 PRI-05.7_A03 when a system processes Social Security numbers, the unnecessary collection, maintenance and use of Social Security numbers are eliminated. 53A_R5_PT-07(01)(a)[01]

PRI-05.7 PRI-05.7_A04 when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored. 53A_R5_PT-07(01)(a)[02]

PRI-05.7 PRI-05.7_A05 when a system processes Social Security numbers, individual rights, benefits or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number. 53A_R5_PT-07(01)(b)

PRI-05.7 PRI-05.7_A06 when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited and what uses will be made of it. 53A_R5_PT-07(01)(c)[01]

PRI-05.7 PRI-05.7_A07 when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited. 53A_R5_PT-07(01)(c)[02]

PRI-05.7 PRI-05.7_A08 when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it. 53A_R5_PT-07(01)(c)[03]

PRI-05.7 PRI-05.7_A09 the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity. 53A_R5_PT-07(02)

PRI-06 PRI-06_A01 personal data is corrected or deleted upon request by individuals or their designated representatives. 53A_R5_SI-18(04)

PRI-06 PRI-06_A02 mechanisms enabling individuals to have access to elements of their personal data are defined. 53A_R5_AC-03(14)_ODP[01]

PRI-06 PRI-06_A03 elements of personal data to which individuals have access are defined. 53A_R5_AC-03(14)_ODP[02]

PRI-06 PRI-06_A04 organization-defined mechanisms are provided to enable individuals to have access to organization-defined elements of their personal data. 53A_R5_AC-03(14)

PRI-06.1 PRI-06.1_A01 recipients of personal data to be notified when the personal data has been corrected or deleted are defined. 53A_R5_SI-18(05)_ODP

PRI-06.1 PRI-06.1_A02 recipients and individuals are notified when the personal data has been corrected or deleted. 53A_R5_SI-18(05)

PRI-06.2 PRI-06.2_A01 recipients of personal data to be notified when the personal data has been corrected or deleted are defined. 53A_R5_SI-18(05)_ODP

PRI-06.2 PRI-06.2_A02 recipients and individuals are notified when the personal data has been corrected or deleted. 53A_R5_SI-18(05)

PRI-06.3 PRI-06.3_A01 the time period in which complaints (including concerns or questions) from individuals are to be reviewed is defined. 53A_R5_PM-26_ODP[01]

PRI-06.3 PRI-06.3_A02 the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined. 53A_R5_PM-26_ODP[02]

PRI-06.3 PRI-06.3_A03 the time period for acknowledging the receipt of complaints is defined. 53A_R5_PM-26_ODP[03]

PRI-06.3 PRI-06.3_A04 the time period for responding to complaints is defined. 53A_R5_PM-26_ODP[04]

PRI-06.3 PRI-06.3_A05 a process for receiving complaints, concerns or questions from individuals about organizational cybersecurity & privacy practices is implemented. 53A_R5_PM-26[01]

PRI-06.3 PRI-06.3_A06 a process for responding to complaints, concerns or questions from individuals about organizational cybersecurity & privacy practices is implemented. 53A_R5_PM-26[02]

PRI-06.3 PRI-06.3_A07 the complaint management process includes mechanisms that are easy to use by the public. 53A_R5_PM-26a.[01]

PRI-06.3 PRI-06.3_A08 the complaint management process includes mechanisms that are readily accessible by the public. 53A_R5_PM-26a.[02]

PRI-06.3 PRI-06.3_A09 the complaint management process includes all information necessary for successfully filing complaints. 53A_R5_PM-26b.

PRI-06.3 PRI-06.3_A10 the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within an organization-defined time period. 53A_R5_PM-26c.[01]

PRI-06.3 PRI-06.3_A11 the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within an organization-defined time period. 53A_R5_PM-26c.[02]

PRI-06.3 PRI-06.3_A12 the complaint management process includes acknowledging the receipt of complaints, concerns or questions from individuals within an organization-defined time period. 53A_R5_PM-26d.

PRI-06.3 PRI-06.3_A13 the complaint management process includes responding to complaints, concerns or questions from individuals within an organization-defined time period. 53A_R5_PM-26e.

PRI-06.4 PRI-06.4_A01 the time period in which complaints (including concerns or questions) from individuals are to be reviewed is defined. 53A_R5_PM-26_ODP[01]

PRI-06.4 PRI-06.4_A02 the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined. 53A_R5_PM-26_ODP[02]

PRI-06.4 PRI-06.4_A03 the time period for acknowledging the receipt of complaints is defined. 53A_R5_PM-26_ODP[03]

PRI-06.4 PRI-06.4_A04 the time period for responding to complaints is defined. 53A_R5_PM-26_ODP[04]

PRI-06.4 PRI-06.4_A05 a process for receiving complaints, concerns or questions from individuals about organizational cybersecurity & privacy practices is implemented. 53A_R5_PM-26[01]

PRI-06.4 PRI-06.4_A06 a process for responding to complaints, concerns or questions from individuals about organizational cybersecurity & privacy practices is implemented. 53A_R5_PM-26[02]

PRI-06.4 PRI-06.4_A07 the complaint management process includes mechanisms that are easy to use by the public. 53A_R5_PM-26a.[01]

PRI-06.4 PRI-06.4_A08 the complaint management process includes mechanisms that are readily accessible by the public. 53A_R5_PM-26a.[02]

PRI-06.4 PRI-06.4_A09 the complaint management process includes all information necessary for successfully filing complaints. 53A_R5_PM-26b.

PRI-06.4 PRI-06.4_A10 the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within an organization-defined time period. 53A_R5_PM-26c.[01]

PRI-06.4 PRI-06.4_A11 the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within an organization-defined time period. 53A_R5_PM-26c.[02]

PRI-06.4 PRI-06.4_A12 the complaint management process includes acknowledging the receipt of complaints, concerns or questions from individuals within an organization-defined time period. 53A_R5_PM-26d.

PRI-06.4 PRI-06.4_A13 the complaint management process includes responding to complaints, concerns or questions from individuals within an organization-defined time period. 53A_R5_PM-26e.

PRI-06.5 PRI-06.5_A01 administrative processes exist to intake data subject requests to erase Personal Data (PD). SCF Created

PRI-06.5 PRI-06.5_A02 technical processes exist to securely erase Personal Data (PD) without delay, once a legitimate data subject request for erasure is received. SCF Created

PRI-06.6 PRI-06.6_A01 Personal Data (PD) is exported in a structured, commonly used and machine-readable format that allows the data subject to transmit the data to another controller without hindrance. SCF Created

PRI-06.7 PRI-06.7_A01 Personal Data (PD) is capable of being digitally exported in a secure manner upon request by the data subject. SCF Created

PRI-07 PRI-07_A01 information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined. 53A_R5_AC-21_ODP[01]

PRI-07 PRI-07_A02 automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined. 53A_R5_AC-21_ODP[02]

PRI-07 PRI-07_A03 authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for information-sharing circumstances. 53A_R5_AC-21a.

PRI-07 PRI-07_A04 automated mechanisms are employed to assist users in making information-sharing and collaboration decisions. 53A_R5_AC-21b.

PRI-07.1 PRI-07.1_A01 privacy requirements that establish privacy roles and responsibilities for contractors and service providers are included in contracts and other acquisition-related documents. SCF Created

PRI-07.2 PRI-07.2_A01 the organization's role in processing Personal Data (PD) within the data processing ecosystem is clearly defined and communicated. SCF Created

PRI-07.3 PRI-07.3_A01 applicable third-parties are informed of any modification, deletion or other change that affects shared Personal Data (PD). SCF Created

PRI-07.4 PRI-07.4_A01 unauthorized disclosure requests are rejected. SCF Created

PRI-08 PRI-08_A01 a process is implemented for ensuring that organizational plans for conducting security testing, training and monitoring activities associated with organizational systems are developed. 53A_R5_PM-14a.01[01]

PRI-08 PRI-08_A02 a process is implemented for ensuring that organizational plans for conducting security testing, training and monitoring activities associated with organizational systems are maintained. 53A_R5_PM-14a.01[02]

PRI-08 PRI-08_A03 a process is implemented for ensuring that organizational plans for conducting privacy testing, training and monitoring activities associated with organizational systems are developed. 53A_R5_PM-14a.01[03]

PRI-08 PRI-08_A04 a process is implemented for ensuring that organizational plans for conducting privacy testing, training and monitoring activities associated with organizational systems are maintained. 53A_R5_PM-14a.01[04]

PRI-08 PRI-08_A05 a process is implemented for ensuring that organizational plans for conducting security testing, training and monitoring activities associated with organizational systems continue to be executed. 53A_R5_PM-14a.02[01]

PRI-08 PRI-08_A06 a process is implemented for ensuring that organizational plans for conducting privacy testing, training and monitoring activities associated with organizational systems continue to be executed. 53A_R5_PM-14a.02[02]

PRI-08 PRI-08_A07 testing plans are reviewed for consistency with the organizational risk management strategy. 53A_R5_PM-14b.[01]

PRI-08 PRI-08_A08 training plans are reviewed for consistency with the organizational risk management strategy. 53A_R5_PM-14b.[02]

PRI-08 PRI-08_A09 monitoring plans are reviewed for consistency with the organizational risk management strategy. 53A_R5_PM-14b.[03]

PRI-08 PRI-08_A10 testing plans are reviewed for consistency with organization-wide priorities for risk response actions. 53A_R5_PM-14b.[04]

PRI-08 PRI-08_A11 training plans are reviewed for consistency with organization-wide priorities for risk response actions. 53A_R5_PM-14b.[05]

PRI-08 PRI-08_A12 monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions. 53A_R5_PM-14b.[06]

PRI-09 PRI-09_A01 records of data disclosures and sharing are maintained. SCF Created

PRI-09 PRI-09_A02 records of data disclosures and sharing can be accessed for review or transmission/disclosure. SCF Created

PRI-09 PRI-09_A03 records of data provenance and lineage are maintained. SCF Created

PRI-09 PRI-09_A04 records of data provenance and lineage can be accessed for review or transmission/disclosure. SCF Created

PRI-10 PRI-10_A01 organization-wide policies for personal data quality management are developed and documented. 53A_R5_PM-22[01]

PRI-10 PRI-10_A02 organization-wide procedures for personal data quality management are developed and documented. 53A_R5_PM-22[02]

PRI-10 PRI-10_A03 the policies address reviewing the accuracy of personal data across the information life cycle. 53A_R5_PM-22a.[01]

PRI-10 PRI-10_A04 the policies address reviewing the relevance of personal data across the information life cycle. 53A_R5_PM-22a.[02]

PRI-10 PRI-10_A05 the policies address reviewing the timeliness of personal data across the information life cycle. 53A_R5_PM-22a.[03]

PRI-10 PRI-10_A06 the policies address reviewing the completeness of personal data across the information life cycle. 53A_R5_PM-22a.[04]

PRI-10 PRI-10_A07 the procedures address reviewing the accuracy of personal data across the information life cycle. 53A_R5_PM-22a.[05]

PRI-10 PRI-10_A08 the procedures address reviewing the relevance of personal data across the information life cycle. 53A_R5_PM-22a.[06]

PRI-10 PRI-10_A09 the procedures address reviewing the timeliness of personal data across the information life cycle. 53A_R5_PM-22a.[07]

PRI-10 PRI-10_A10 the procedures address reviewing the completeness of personal data across the information life cycle. 53A_R5_PM-22a.[08]

PRI-10 PRI-10_A11 the policies address correcting or deleting inaccurate or outdated personal data. 53A_R5_PM-22b.[01]

PRI-10 PRI-10_A12 the procedures address correcting or deleting inaccurate or outdated personal data. 53A_R5_PM-22b.[02]

PRI-10 PRI-10_A13 the policies address disseminating notice of corrected or deleted personal data to individuals or other appropriate entities. 53A_R5_PM-22c.[01]

PRI-10 PRI-10_A14 the procedures address disseminating notice of corrected or deleted personal data to individuals or other appropriate entities. 53A_R5_PM-22c.[02]

PRI-10 PRI-10_A15 the policies address appeals of adverse decisions on correction or deletion requests. 53A_R5_PM-22d.[01]

PRI-10 PRI-10_A16 the procedures address appeals of adverse decisions on correction or deletion requests. 53A_R5_PM-22d.[02]

PRI-10 PRI-10_A17 the roles of the organization's data governance body are defined. 53A_R5_PM-23_ODP[01]

PRI-10 PRI-10_A18 the responsibilities of the organization's data governance body are defined. 53A_R5_PM-23_ODP[02]

PRI-10 PRI-10_A19 the organization's data governance body, consisting of roles with defined responsibilities, is established. 53A_R5_PM-23

PRI-10 PRI-10_A20 a data integrity board/function is established. 53A_R5_PM-24

PRI-10 PRI-10_A21 the data integrity board/function reviews proposals to conduct or participate in a matching program. 53A_R5_PM-24a.

PRI-10 PRI-10_A22 the data integrity board/function conducts an annual review of all matching programs in which the agency has participated. 53A_R5_PM-24b.

PRI-10.1 PRI-10.1_A01 automated mechanisms for tracking the processing purposes of personal data are defined. 53A_R5_PT-03(02)_ODP

PRI-10.1 PRI-10.1_A02 the processing purposes of personal data are tracked using automated mechanisms. 53A_R5_PT-03(02)

PRI-10.2 PRI-10.2_A01 potential data analytics biases are defined. SCF Created

PRI-10.2 PRI-10.2_A02 the organization evaluates its analytical processes for potential data analytics bias. SCF Created

PRI-11 PRI-11_A01 processing purposes to be contained in data tags are defined. 53A_R5_PT-03(01)_ODP[01]

PRI-11 PRI-11_A02 elements of personal data to be tagged are defined. 53A_R5_PT-03(01)_ODP[02]

PRI-11 PRI-11_A03 data tags containing processing purposes are attached to elements of personal data. 53A_R5_PT-03(01)

PRI-12 PRI-12_A01 processes to identify and record the method under which Personal Data (PD) is updated and the frequency that such updates occur are defined. SCF Created

PRI-12 PRI-12_A02 processes to identify and record the method under which Personal Data (PD) is updated and the frequency that such updates occur are implemented. SCF Created

PRI-13 PRI-13_A01 the roles of the organization's data governance body are defined. 53A_R5_PM-23_ODP[01]

PRI-13 PRI-13_A02 the responsibilities of the organization's data governance body are defined. 53A_R5_PM-23_ODP[02]

PRI-13 PRI-13_A03 the organization's data governance body, consisting of roles with defined responsibilities, is established. 53A_R5_PM-23

PRI-13 PRI-13_A04 a data integrity board/function is established. 53A_R5_PM-24

PRI-13 PRI-13_A05 the data integrity board/function reviews proposals to conduct or participate in a matching program. 53A_R5_PM-24a.

PRI-13 PRI-13_A06 the data integrity board/function conducts an annual review of all matching programs in which the agency has participated. 53A_R5_PM-24b.

PRI-14 PRI-14_A01 privacy reports are defined. 53A_R5_PM-27_ODP[01]

PRI-14 PRI-14_A02 privacy oversight bodies are defined. 53A_R5_PM-27_ODP[02]

PRI-14 PRI-14_A03 officials responsible for monitoring privacy program compliance are defined. 53A_R5_PM-27_ODP[03]

PRI-14 PRI-14_A04 the frequency for reviewing and updating privacy reports is defined. 53A_R5_PM-27_ODP[04]

PRI-14 PRI-14_A05 privacy reports are developed. 53A_R5_PM-27a.

PRI-14 PRI-14_A06 privacy reports are disseminated to oversight bodies to demonstrate accountability with statutory, regulatory and policy privacy mandates. 53A_R5_PM-27a.01

PRI-14 PRI-14_A07 privacy reports are disseminated to officials. 53A_R5_PM-27a.02[01]

PRI-14 PRI-14_A08 privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance. 53A_R5_PM-27a.02[02]

PRI-14 PRI-14_A09 privacy reports are reviewed and updated frequently. 53A_R5_PM-27b.

PRI-14.1 PRI-14.1_A01 an accurate accounting of disclosures of personal data is developed and maintained. 53A_R5_PM-21a.

PRI-14.1 PRI-14.1_A02 the accounting includes the date of each disclosure. 53A_R5_PM-21a.01[01]

PRI-14.1 PRI-14.1_A03 the accounting includes the nature of each disclosure. 53A_R5_PM-21a.01[02]

PRI-14.1 PRI-14.1_A04 the accounting includes the purpose of each disclosure. 53A_R5_PM-21a.01[03]

PRI-14.1 PRI-14.1_A05 the accounting includes the name of the individual or organization to whom the disclosure was made. 53A_R5_PM-21a.02[01]

PRI-14.1 PRI-14.1_A06 the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made. 53A_R5_PM-21a.02[02]

PRI-14.1 PRI-14.1_A07 the accounting of disclosures is retained for the length of time that the personal data is maintained or five years after the disclosure is made, whichever is longer. 53A_R5_PM-21b.

PRI-14.1 PRI-14.1_A08 the accounting of disclosures is made available to the individual to whom the personal data relates upon request. 53A_R5_PM-21c.

PRI-14.2 PRI-14.2_A01 data subjects are provided notice of applicable legal requests to disclose their Personal Data (PD). SCF Created

PRI-15 PRI-15_A01 a list of Data Authorities that require database registration is created and maintained. SCF Created

PRI-15 PRI-15_A02 as required by a law or regulation, databases containing Personal Data (PD) are registered with the appropriate Data Authority. SCF Created

PRI-16 PRI-16_A01 executive leadership, along with legal counsel, formally identifies risks associated with non-compliance (e.g., fines, operational impacts, etc.). SCF Created

PRI-16 PRI-16_A02 executive leadership, along with legal counsel, formally identifies primary risks associated with compliance (e.g., loss of confidentiality and/or integrity considerations with data governance). SCF Created

PRI-16 PRI-16_A03 executive leadership, along with legal counsel, formally identifies secondary risks associated with compliance (e.g., non-compliance with other laws, regulations and contractual agreements). SCF Created

PRI-16 PRI-16_A04 executive leadership, along with legal counsel, formally identifies tertiary risks associated with compliance (e.g., human rights abuses, theft of intellectual property, espionage, etc.). SCF Created

PRI-17 PRI-17_A01 disclosures and communications to data subjects are made easily accessible. SCF Created

PRI-17 PRI-17_A02 disclosures and communications to data subjects are written in a manner that is concise, unambiguous and understandable by a reasonable person. SCF Created

PRI-17.1 PRI-17.1_A01 a conspicuous link to the organization's privacy notice exists on all consumer-facing websites. SCF Created

PRI-17.1 PRI-17.1_A02 a conspicuous link to the organization's privacy notice exists on all consumer-facing mobile applications. SCF Created

PRI-17.2 PRI-17.2_A01 data subjects are provided with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate. SCF Created

PRM-01 PRM-01_A01 personnel or roles to whom the planning policy is to be disseminated is/are defined. 53A_R5_PL-01_ODP[01]

PRM-01 PRM-01_A02 personnel or roles to whom the planning procedures are to be disseminated is/are defined. 53A_R5_PL-01_ODP[02]

PRM-01 PRM-01_A03 one or more of the following organization-defined criteria is/are selected: {organization-level; mission/business process-level; system-level}. 53A_R5_PL-01_ODP[03]

PRM-01 PRM-01_A04 an official to manage the planning policy and procedures is defined. 53A_R5_PL-01_ODP[04]

PRM-01 PRM-01_A05 the frequency with which the current planning policy is reviewed and updated is defined. 53A_R5_PL-01_ODP[05]

PRM-01 PRM-01_A06 events that would require the current planning policy to be reviewed and updated are defined. 53A_R5_PL-01_ODP[06]

PRM-01 PRM-01_A07 the frequency with which the current planning procedures are reviewed and updated is defined. 53A_R5_PL-01_ODP[07]

PRM-01 PRM-01_A08 events that would require procedures to be reviewed and updated are defined. 53A_R5_PL-01_ODP[08]

PRM-01 PRM-01_A09 a planning policy is developed and documented. 53A_R5_PL-01a.[01]

PRM-01 PRM-01_A10 the planning policy is disseminated to organization-defined personnel or roles. 53A_R5_PL-01a.[02]

PRM-01 PRM-01_A11 planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented. 53A_R5_PL-01a.[03]

PRM-01 PRM-01_A12 the planning procedures are disseminated to organization-defined personnel or roles. 53A_R5_PL-01a.[04]

PRM-01 PRM-01_A13 the organization's planning policy addresses purpose. 53A_R5_PL-01a.01(a)[01]

PRM-01 PRM-01_A14 the organization's planning policy addresses scope. 53A_R5_PL-01a.01(a)[02]

PRM-01 PRM-01_A15 the organization's planning policy addresses roles. 53A_R5_PL-01a.01(a)[03]

PRM-01 PRM-01_A16 the organization's planning policy addresses responsibilities. 53A_R5_PL-01a.01(a)[04]

PRM-01 PRM-01_A17 the organization's planning policy addresses management commitment. 53A_R5_PL-01a.01(a)[05]

PRM-01 PRM-01_A18 the organization's planning policy addresses coordination among organizational entities. 53A_R5_PL-01a.01(a)[06]

PRM-01 PRM-01_A19 the organization's planning policy addresses compliance. 53A_R5_PL-01a.01(a)[07]

PRM-01 PRM-01_A20 the organization's planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. 53A_R5_PL-01a.01(b)

PRM-01 PRM-01_A21 the organization-defined official is designated to manage the development, documentation, and dissemination of the planning policy and procedures. 53A_R5_PL-01b.

PRM-01 PRM-01_A22 the current planning policy is reviewed and updated per an organization-defined frequency. 53A_R5_PL-01c.01[01]

PRM-01 PRM-01_A23 the current planning policy is reviewed and updated following organization-defined events. 53A_R5_PL-01c.01[02]

PRM-01 PRM-01_A24 the current planning procedures are reviewed and updated per an organization-defined frequency. 53A_R5_PL-01c.02[01]

PRM-01 PRM-01_A25 the current planning procedures are reviewed and updated following organization-defined events. 53A_R5_PL-01c.02[02]

PRM-01.1 PRM-01.1_A01 a documented strategic cybersecurity & privacy-specific business plan exists. SCF Created

PRM-01.1 PRM-01.1_A02 a documented set of objectives to achieve that cybersecurity and privacy-specific business plan exists. SCF Created

PRM-01.2 PRM-01.2_A01 the organization defines a Capability Maturity Model (CMM) it will use to benchmark maturity. SCF Created

PRM-01.2 PRM-01.2_A02 targeted capability maturity levels are defined at the domain and/or control level. SCF Created

PRM-02 PRM-02_A01 the resources needed to implement the cybersecurity program are included in capital planning and investment requests and all exceptions are documented. 53A_R5_PM-03a.[01]

PRM-02 PRM-02_A02 the resources needed to implement the privacy program are included in capital planning and investment requests and all exceptions are documented. 53A_R5_PM-03a.[02]

PRM-02 PRM-02_A03 the documentation required for addressing the cybersecurity program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations and standards. 53A_R5_PM-03b.[01]

PRM-02 PRM-02_A04 the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations and standards. 53A_R5_PM-03b.[02]

PRM-02 PRM-02_A05 cybersecurity resources are made available for expenditure as planned. 53A_R5_PM-03c.[01]

PRM-02 PRM-02_A06 privacy resources are made available for expenditure as planned. 53A_R5_PM-03c.[02]

PRM-03 PRM-03_A01 the high-level cybersecurity requirements for the system or system service are determined in mission and business process planning. 53A_R5_SA-02a.[01]

PRM-03 PRM-03_A02 the high-level privacy requirements for the system or system service are determined in mission and business process planning. 53A_R5_SA-02a.[02]

PRM-03 PRM-03_A03 the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process. 53A_R5_SA-02b.[01]

PRM-03 PRM-03_A04 the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process. 53A_R5_SA-02b.[02]

PRM-03 PRM-03_A05 a discrete line item for cybersecurity is established in organizational programming and budgeting documentation. 53A_R5_SA-02c.[01]

PRM-03 PRM-03_A06 a discrete line item for privacy is established in organizational programming and budgeting documentation. 53A_R5_SA-02c.[02]

PRM-04 PRM-04_A01 the frequency at which to assess controls in the system and its environment of operation is defined. 53A_R5_CA-02_ODP[01]

PRM-04 PRM-04_A02 individuals or roles to whom control assessment results are to be provided are defined. 53A_R5_CA-02_ODP[02]

PRM-04 PRM-04_A03 an appropriate assessor or assessment team is selected for the type of assessment to be conducted. 53A_R5_CA-02a.

PRM-04 PRM-04_A04 a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment. 53A_R5_CA-02b.01

PRM-04 PRM-04_A05 a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness. 53A_R5_CA-02b.02

PRM-04 PRM-04_A06 a control assessment plan is developed that describes the scope of the assessment, including the assessment environment. 53A_R5_CA-02b.03[01]

PRM-04 PRM-04_A07 a control assessment plan is developed that describes the scope of the assessment, including the assessment team. 53A_R5_CA-02b.03[02]

PRM-04 PRM-04_A08 a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities. 53A_R5_CA-02b.03[03]

PRM-04 PRM-04_A09 the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment. 53A_R5_CA-02c.

PRM-04 PRM-04_A10 controls are assessed in the system and its environment of operation at the organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established security requirements. 53A_R5_CA-02d.[01]

PRM-04 PRM-04_A11 controls are assessed in the system and its environment of operation at the organization-defined assessment frequency to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting established privacy requirements. 53A_R5_CA-02d.[02]

PRM-04 PRM-04_A12 a control assessment report is produced that documents the results of the assessment. 53A_R5_CA-02e.

PRM-04 PRM-04_A13 the results of the control assessment are provided to the organization-defined individuals or roles. 53A_R5_CA-02f.

PRM-05 PRM-05_A01 systems, system components or system services to be analyzed for criticality are defined. 53A_R5_RA-09_ODP[01]

PRM-05 PRM-05_A02 decision points in the system development life cycle when a criticality analysis is to be performed are defined. 53A_R5_RA-09_ODP[02]

PRM-05 PRM-05_A03 critical system components and functions are identified by performing a criticality analysis for systems, system components or system services at decision points in the system development life cycle. 53A_R5_RA-09

PRM-06 PRM-06_A01 the frequency at which to review and revise the mission and business processes is defined. 53A_R5_PM-11_ODP

PRM-06 PRM-06_A02 organizational mission and business processes are defined with consideration for cybersecurity. 53A_R5_PM-11a.[01]

PRM-06 PRM-06_A03 organizational mission and business processes are defined with consideration for privacy. 53A_R5_PM-11a.[02]

PRM-06 PRM-06_A04 organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations and the Nation. 53A_R5_PM-11a.[03]

PRM-06 PRM-06_A05 information protection needs arising from the defined mission and business processes are determined. 53A_R5_PM-11b.[01]

PRM-06 PRM-06_A06 personal data processing needs arising from the defined mission and business processes are determined. 53A_R5_PM-11b.[02]

PRM-06 PRM-06_A07 the mission and business processes are reviewed and revised per an organization-defined frequency. 53A_R5_PM-11c.

PRM-07 PRM-07_A01 the system development life cycle is defined. 53A_R5_SA-03_ODP

PRM-07 PRM-07_A02 the system is acquired, developed and managed using an organization-defined system development life cycle that incorporates information security considerations. 53A_R5_SA-03a.[01]

PRM-07 PRM-07_A03 the system is acquired, developed and managed using an organization-defined system development life cycle that incorporates privacy considerations. 53A_R5_SA-03a.[02]

PRM-07 PRM-07_A04 cybersecurity roles and responsibilities are defined and documented throughout the system development life cycle. 53A_R5_SA-03b.[01]

PRM-07 PRM-07_A05 privacy roles and responsibilities are defined and documented throughout the system development life cycle. 53A_R5_SA-03b.[02]

PRM-07 PRM-07_A06 individuals with cybersecurity roles and responsibilities are identified. 53A_R5_SA-03c.[01]

PRM-07 PRM-07_A07 individuals with privacy roles and responsibilities are identified. 53A_R5_SA-03c.[02]

PRM-07 PRM-07_A08 organizational cybersecurity risk management processes are integrated into system development life cycle activities. 53A_R5_SA-03d.[01]

PRM-07 PRM-07_A09 organizational privacy risk management processes are integrated into system development life cycle activities. 53A_R5_SA-03d.[02]

PRM-07 PRM-07_A10 system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component or system service. 53A_R5_SA-03(01)

PRM-07 PRM-07_A11 systems or system components that implement the security design principle of procedural rigor are defined. 53A_R5_SA-08(30)_ODP

PRM-07 PRM-07_A12 systems or system components implement the security design principle of procedural rigor. 53A_R5_SA-08(30)

PRM-08 PRM-08_A01 critical organizational knowledge is defined. SCF Created

PRM-08 PRM-08_A02 organizational knowledge of the cybersecurity & privacy staff is documented. SCF Created

Licensed by Creative Commons Attribution-NoDerivatives 213 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

PRM-08 PRM-08_A03 cross-training is performed to maintain organizational knowledge. SCF Created

RSK-01 RSK-01_A01 for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy. 53A_R5_PE-23b.

RSK-01 RSK-01_A02 the frequency at which to review and update the risk management strategy is defined. 53A_R5_PM-09_ODP

RSK-01 RSK-01_A03 a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations and the Nation associated with the operation and use of organizational systems. 53A_R5_PM-09a.01

RSK-01 RSK-01_A04 a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personal data. 53A_R5_PM-09a.02

RSK-01 RSK-01_A05 the risk management strategy is implemented consistently across the organization. 53A_R5_PM-09b.

RSK-01 RSK-01_A06 the risk management strategy is reviewed and updated per an organization-defined frequency or as required to address organizational changes. 53A_R5_PM-09c.

RSK-01 RSK-01_A07 a senior organizational position for Risk Management is appointed. 53A_R5_PM-29a.[01]

RSK-01 RSK-01_A08 a senior organizational position for Risk Management aligns cybersecurity & privacy management processes with strategic, operational and budgetary planning processes. 53A_R5_PM-29a.[02]

RSK-01 RSK-01_A09 a risk executive function is established. 53A_R5_PM-29b.[01]

RSK-01 RSK-01_A10 a risk executive function views and analyzes risk from an organization-wide perspective. 53A_R5_PM-29b.[02]

RSK-01 RSK-01_A11 a risk executive function ensures that the management of risk is consistent across the organization. 53A_R5_PM-29b.[03]

RSK-01.1 RSK-01.1_A01 the personnel to receive the results of risk framing activities is/are defined. 53A_R5_PM-28_ODP[01]

RSK-01.1 RSK-01.1_A02 the frequency for reviewing and updating risk framing considerations is defined. 53A_R5_PM-28_ODP[02]

RSK-01.1 RSK-01.1_A03 assumptions affecting risk assessments are identified and documented. 53A_R5_PM-28a.01[01]

RSK-01.1 RSK-01.1_A04 assumptions affecting risk responses are identified and documented. 53A_R5_PM-28a.01[02]

RSK-01.1 RSK-01.1_A05 assumptions affecting risk monitoring are identified and documented. 53A_R5_PM-28a.01[03]

RSK-01.1 RSK-01.1_A06 constraints affecting risk assessments are identified and documented. 53A_R5_PM-28a.02[01]

RSK-01.1 RSK-01.1_A07 constraints affecting risk responses are identified and documented. 53A_R5_PM-28a.02[02]

RSK-01.1 RSK-01.1_A08 constraints affecting risk monitoring are identified and documented. 53A_R5_PM-28a.02[03]

RSK-01.1 RSK-01.1_A09 priorities considered by the organization for managing risk are identified and documented. 53A_R5_PM-28a.03[01]

RSK-01.1 RSK-01.1_A10 trade-offs considered by the organization for managing risk are identified and documented. 53A_R5_PM-28a.03[02]

RSK-01.1 RSK-01.1_A11 organizational risk tolerance is identified and documented. 53A_R5_PM-28a.04

RSK-01.1 RSK-01.1_A12 the results of risk framing activities are distributed to personnel. 53A_R5_PM-28b.

RSK-01.1 RSK-01.1_A13 risk framing considerations are reviewed and updated frequently. 53A_R5_PM-28c.

RSK-01.2 RSK-01.2_A01 an executive steering committee, or advisory board, identifies necessary resourcing for the capability required to manage technology-related risks. SCF Created

RSK-01.2 RSK-01.2_A02 the organization's incident response capability is resourced accordingly so it can reduce the magnitude or likelihood of potential impacts from technology-related risks. SCF Created

RSK-01.2 RSK-01.2_A03 recurring reviews of incident response operations are used to benchmark resourcing requirements for incident response operations. SCF Created

RSK-01.3 RSK-01.3_A01 an executive steering committee, or advisory board, defines the organization's risk tolerance. SCF Created

RSK-01.4 RSK-01.4_A01 an executive steering committee, or advisory board, defines the organization's risk threshold. SCF Created

RSK-01.5 RSK-01.5_A01 an executive steering committee, or advisory board, defines the organization's risk appetite. SCF Created

RSK-02 RSK-02_A01 the system and the information it processes, stores and transmits are categorized. 53A_R5_RA-02a.

RSK-02 RSK-02_A02 the security categorization results, including supporting rationale, are documented in the security plan for the system. 53A_R5_RA-02b.

RSK-02 RSK-02_A03 the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. 53A_R5_RA-02c.

RSK-02.1 RSK-02.1_A01 an impact-level prioritization of organizational systems is conducted to obtain additional granularity on system impact levels. 53A_R5_RA-02(01)

RSK-03 RSK-03_A01 a process exists to identify applicable internal and external risks. SCF Created

RSK-03 RSK-03_A02 applicable internal and external risks are documented. SCF Created

RSK-03.1 RSK-03.1_A01 a risk catalog, or similar solution, exists that keeps current a catalog of applicable risks associated with the organization's business operations and technologies in use. SCF Created

RSK-04 RSK-04_A01 the frequency to assess risk to organizational operations, organizational assets and individuals is defined. 171A_3.11.1[a] 172A_3.11.5e_ODP[1]

RSK-04 RSK-04_A02 security solutions are identified. 172A_3.11.5e[a]

RSK-04 RSK-04_A03 current and accumulated threat intelligence is identified. 172A_3.11.5e[b]

RSK-04 RSK-04_A04 anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence is identified. 172A_3.11.5e[c]

RSK-04 RSK-04_A05 the effectiveness of security solutions is assessed per an organization-defined frequency to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence. 172A_3.11.5e[d]

RSK-04 RSK-04_A06 a document in which risk assessment results are to be documented (if not documented in the cybersecurity & privacy plans or risk assessment report) is defined. 53A_R5_RA-03_ODP[01] 53A_R5_RA-03_ODP[02]

RSK-04 RSK-04_A07 the frequency to review risk assessment results is defined. 53A_R5_RA-03_ODP[03]

RSK-04 RSK-04_A08 personnel or roles to whom risk assessment results are to be disseminated is/are defined. 53A_R5_RA-03_ODP[04]

RSK-04 RSK-04_A09 the frequency to update the risk assessment is defined. 53A_R5_RA-03_ODP[05]

RSK-04 RSK-04_A10 a risk assessment is conducted to identify threats to and vulnerabilities in the system. 53A_R5_RA-03a.01

RSK-04 RSK-04_A11 a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the system, the information it processes, stores or transmits, and any related information. 53A_R5_RA-03a.02

RSK-04 RSK-04_A12 a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personal data. 53A_R5_RA-03a.03

RSK-04 RSK-04_A13 risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments. 53A_R5_RA-03b.

RSK-04 RSK-04_A14 risk assessment results are documented per organization-defined criteria. 53A_R5_RA-03c.

RSK-04 RSK-04_A15 risk assessment results are reviewed frequently. 53A_R5_RA-03d.

RSK-04 RSK-04_A16 risk assessment results are disseminated to personnel or roles. 53A_R5_RA-03e.

RSK-04 RSK-04_A17 the risk assessment is updated frequently or when there are significant changes to the system, its environment of operation or other conditions that may impact the security or privacy state of the system. 53A_R5_RA-03f.

RSK-04 RSK-04_A18 risk to organizational operations, organizational assets and individuals resulting from the operation of an organizational system that processes, stores or transmits sensitive / regulated data is assessed with the defined frequency. 171A_3.11.1[b]

RSK-04.1 RSK-04.1_A01 a risk register is maintained to facilitate the monitoring and reporting of risks. SCF Created

RSK-05 RSK-05_A01 newly discovered risks are ranked based on industry-recognized practices. SCF Created

RSK-06 RSK-06_A01 a defined risk threshold exists to determine what risk is and is not acceptable. SCF Created

RSK-06 RSK-06_A02 data / process owners are held accountable to remediate risks to an acceptable level. SCF Created

RSK-06 RSK-06_A03 the organization utilizes compensating controls to remediate control deficiencies to an acceptable level. SCF Created

RSK-06.1 RSK-06.1_A01 findings from security assessments are responded to in accordance with organizational risk tolerance. 53A_R5_RA-07[01]

RSK-06.1 RSK-06.1_A02 findings from privacy assessments are responded to in accordance with organizational risk tolerance. 53A_R5_RA-07[02]

RSK-06.1 RSK-06.1_A03 findings from monitoring are responded to in accordance with organizational risk tolerance. 53A_R5_RA-07[03]

RSK-06.1 RSK-06.1_A04 findings from audits are responded to in accordance with organizational risk tolerance. 53A_R5_RA-07[04]

RSK-06.2 RSK-06.2_A01 identify and implement compensating countermeasures to reduce risk and exposure to threats. SCF Created

RSK-07 RSK-07_A01 routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information. SCF Created

RSK-08 RSK-08_A01 conduct a Business Impact Analysis (BIA). SCF Created

RSK-09 RSK-09_A01 systems, system components or system services for which a supply chain risk management plan is developed are defined. 53A_R5_SR-02_ODP[01] 172A_3.11.7e[b]

RSK-09 RSK-09_A02 supply chain risks associated with organizational systems and system components are identified. 172A_3.11.7e[a]

RSK-09 RSK-09_A03 an organization-wide strategy for managing supply chain risks is developed. 53A_R5_PM-30a.[01]

RSK-09 RSK-09_A04 the supply chain risk management strategy is implemented consistently across the organization. 53A_R5_PM-30b.

RSK-09 RSK-09_A05 the supply chain risk management strategy is reviewed and updated per an organization-defined frequency or as required to address organizational changes. 53A_R5_PM-30c.

RSK-09 RSK-09_A06 a plan for managing supply chain risks associated with organizational systems and system components is developed. 172A_3.11.7e[c] 53A_R5_SR-02a.[01]

RSK-09 RSK-09_A07 the frequency for reviewing and updating the supply chain risk management strategy is defined. 53A_R5_PM-30_ODP 53A_R5_SR-02_ODP[02] 172A_3.11.7e_ODP[1]

RSK-09 RSK-09_A08 the plan for managing supply chain risks is updated frequently. 172A_3.11.7e[d]

RSK-09 RSK-09_A09 the supply chain risk management plan addresses risks associated with the research and development of systems, system components or system services. 53A_R5_SR-02a.[02] 53A_R5_PM-30a.[02] 53A_R5_PM-30a.[03] 53A_R5_PM-30a.[04]

RSK-09 RSK-09_A10 the supply chain risk management plan addresses risks associated with the design of systems, system components or system services. 53A_R5_SR-02a.[03]

RSK-09 RSK-09_A11 the supply chain risk management plan addresses risks associated with the manufacturing of systems, system components or system services. 53A_R5_SR-02a.[04]

RSK-09 RSK-09_A12 the supply chain risk management plan addresses risks associated with the acquisition of systems, system components or system services. 53A_R5_PM-30a.[05] 53A_R5_PM-30a.[06] 53A_R5_PM-30a.[07] 53A_R5_SR-02a.[05]

RSK-09 RSK-09_A13 the supply chain risk management plan addresses risks associated with the delivery of systems, system components or system services. 53A_R5_SR-02a.[06]

RSK-09 RSK-09_A14 the supply chain risk management plan addresses risks associated with the integration of systems, system components or system services. 53A_R5_SR-02a.[07]

RSK-09 RSK-09_A15 the supply chain risk management plan addresses risks associated with the operation and maintenance of systems, system components or system services. 53A_R5_PM-30a.[08] 53A_R5_PM-30a.[09] 53A_R5_PM-30a.[10] 53A_R5_SR-02a.[08]

RSK-09 RSK-09_A16 the supply chain risk management plan addresses risks associated with the disposal of systems, system components or system services. 53A_R5_PM-30a.[11] 53A_R5_PM-30a.[12] 53A_R5_PM-30a.[13] 53A_R5_SR-02a.[09]

RSK-09 RSK-09_A17 the supply chain risk management plan is reviewed and updated frequently or as required to address threat, organizational or environmental changes. 53A_R5_SR-02b.

RSK-09 RSK-09_A18 the supply chain risk management plan is protected from unauthorized disclosure. 53A_R5_SR-02c.[01]

RSK-09 RSK-09_A19 the supply chain risk management plan is protected from unauthorized modification. 53A_R5_SR-02c.[02]

RSK-09 RSK-09_A20 Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component or system service are defined. 53A_R5_SR-07_ODP

RSK-09 RSK-09_A21 OPSEC controls are employed to protect supply chain-related information for the system, system component or system service. 53A_R5_SR-07

RSK-09.1 RSK-09.1_A01 supply chain risks associated with organizational systems and system components are identified. 172A_3.11.6e[a] 53A_R5_RA-03(01)_ODP[01]

RSK-09.1 RSK-09.1_A02 supply chain risks associated with organizational systems and system components are assessed. 172A_3.11.6e[b] 53A_R5_RA-03(01)(a)

RSK-09.1 RSK-09.1_A03 supply chain risks associated with organizational systems and system components are responded to. 172A_3.11.6e[c]

RSK-09.1 RSK-09.1_A04 supply chain risks associated with organizational systems and system components are monitored. 172A_3.11.6e[d]

RSK-09.1 RSK-09.1_A05 the frequency at which to update the supply chain risk assessment is defined. 53A_R5_RA-03(01)_ODP[02]

RSK-09.1 RSK-09.1_A06 the supply chain risk assessment is updated frequently, when there are significant changes to the relevant supply chain or when changes to the system, environments of operation or other conditions may necessitate a change in the supply chain. 53A_R5_RA-03(01)(b)

RSK-09.2 RSK-09.2_A01 Supply Chain Risk Management (SCRM) practices address Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks and benefits arising from the organization's supply chain, including third-party software and data. SCF Created

RSK-10 RSK-10_A01 privacy impact assessments are conducted for systems, programs or other activities before developing or procuring information technology that processes personal data. 53A_R5_RA-08a.

RSK-10 RSK-10_A02 privacy impact assessments are conducted for systems, programs or other activities before initiating a collection of personal data that will be processed using information technology. 53A_R5_RA-08b.[01]

RSK-10 RSK-10_A03 privacy impact assessments are conducted for systems, programs or other activities before initiating a collection of personal data that includes personal data permitting the physical or virtual (online) contacting of a specific individual. 53A_R5_RA-08b.[02]

RSK-11 RSK-11_A01 risk monitoring is an integral part of the continuous monitoring strategy. 53A_R5_CA-07(04)

RSK-11 RSK-11_A02 effectiveness monitoring is included in risk monitoring. 53A_R5_CA-07(04)(a)

RSK-11 RSK-11_A03 compliance monitoring is included in risk monitoring. 53A_R5_CA-07(04)(b)

RSK-11 RSK-11_A04 change monitoring is included in risk monitoring. 53A_R5_CA-07(04)(c)

RSK-12 RSK-12_A01 an executive steering committee, or advisory board, defines the organization's risk culture. SCF Created

RSK-12 RSK-12_A02 a Chief Risk Officer (CRO), or similar position, is tasked with operationalizing the defined risk culture criteria throughout the organization's Business As Usual (BAU) activities. SCF Created

SEA-01 SEA-01_A01 secure engineering principles are defined. 53A_R5_SA-08_ODP[01]

SEA-01 SEA-01_A02 privacy engineering principles are defined. 53A_R5_SA-08_ODP[02]

SEA-01 SEA-01_A03 architectural designs that promote effective cybersecurity are identified. 171A_3.13.2[a]

SEA-01 SEA-01_A04 systems engineering principles that promote effective cybersecurity are identified. 171A_3.13.2[c]

SEA-01 SEA-01_A05 identified architectural designs that promote effective cybersecurity are employed. 171A_3.13.2[d]

SEA-01 SEA-01_A06 identified systems engineering principles that promote effective cybersecurity are employed. 171A_3.13.2[f]

SEA-01 SEA-01_A07 systems security engineering principles are applied in the specification of the system and system components. 53A_R5_SA-08[01]

SEA-01 SEA-01_A08 systems security engineering principles are applied in the design of the system and system components. 53A_R5_SA-08[02]

SEA-01 SEA-01_A09 systems security engineering principles are applied in the development of the system and system components. 53A_R5_SA-08[03]

SEA-01 SEA-01_A10 systems security engineering principles are applied in the implementation of the system and system components. 53A_R5_SA-08[04]

SEA-01 SEA-01_A11 systems security engineering principles are applied in the modification of the system and system components. 53A_R5_SA-08[05]

SEA-01 SEA-01_A12 privacy engineering principles are applied in the specification of the system and system components. 53A_R5_SA-08[06]

SEA-01 SEA-01_A13 privacy engineering principles are applied in the design of the system and system components. 53A_R5_SA-08[07]

SEA-01 SEA-01_A14 privacy engineering principles are applied in the development of the system and system components. 53A_R5_SA-08[08]

SEA-01 SEA-01_A15 privacy engineering principles are applied in the implementation of the system and system components. 53A_R5_SA-08[09]

SEA-01 SEA-01_A16 privacy engineering principles are applied in the modification of the system and system components. 53A_R5_SA-08[10]

SEA-01 SEA-01_A17 thresholds to which attack surfaces are to be reduced are defined. 53A_R5_SA-15(05)_ODP

SEA-01 SEA-01_A18 the developer of the system, system component, or system service is required to reduce attack surfaces to organization-defined thresholds. 53A_R5_SA-15(05)

SEA-01 SEA-01_A19 systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device. 53A_R5_SC-07(18)

SEA-01.1 SEA-01.1_A01 security and privacy controls and related processes to be centrally managed are defined. 53A_R5_PL-09_ODP

SEA-01.1 SEA-01.1_A02 controls and related processes are centrally managed. 53A_R5_PL-09

SEA-01.2 SEA-01.2_A01 the organization's goals for resiliency are defined for normal and adverse situations. SCF Created

SEA-01.2 SEA-01.2_A02 solutions exist to achieve resilience requirements in normal situations. SCF Created

SEA-01.2 SEA-01.2_A03 solutions exist to achieve resilience requirements in adverse situations. SCF Created

SEA-02 SEA-02_A01 an enterprise architecture is developed with consideration for cybersecurity. 53A_R5_PM-07[01]

SEA-02 SEA-02_A02 an enterprise architecture is maintained with consideration for cybersecurity. 53A_R5_PM-07[02]

SEA-02 SEA-02_A03 an enterprise architecture is developed with consideration for privacy. 53A_R5_PM-07[03]

SEA-02 SEA-02_A04 an enterprise architecture is maintained with consideration for privacy. 53A_R5_PM-07[04]

SEA-02 SEA-02_A05 an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations and the Nation. 53A_R5_PM-07[05]

SEA-02 SEA-02_A06 an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations and the Nation. 53A_R5_PM-07[06]

SEA-02 SEA-02_A07 the frequency for review and update to reflect changes in the enterprise architecture is defined. 53A_R5_PL-08_ODP

SEA-02 SEA-02_A08 a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity and availability of organizational information. 53A_R5_PL-08a.01

SEA-02 SEA-02_A09 a privacy architecture describes the requirements and approach to be taken for processing personal data to minimize privacy risk to individuals. 53A_R5_PL-08a.02

SEA-02 SEA-02_A10 a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture. 53A_R5_PL-08a.03[01]

SEA-02 SEA-02_A11 a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture. 53A_R5_PL-08a.03[02]

SEA-02 SEA-02_A12 a security architecture for the system describes any assumptions about and dependencies on external systems and services. 53A_R5_PL-08a.04[01]

SEA-02 SEA-02_A13 a privacy architecture for the system describes any assumptions about and dependencies on external systems and services. 53A_R5_PL-08a.04[02]

SEA-02 SEA-02_A14 the security and privacy architectures are reviewed and updated per an organization-defined frequency to reflect changes in the enterprise architecture. 53A_R5_PL-08b.

SEA-02 SEA-02_A15 planned architecture changes are reflected in the security plan. 53A_R5_PL-08c.[01]

SEA-02 SEA-02_A16 planned architecture changes are reflected in the privacy plan. 53A_R5_PL-08c.[02]

SEA-02 SEA-02_A17 planned architecture changes are reflected in the Concept of Operations (CONOPS). 53A_R5_PL-08c.[03]

SEA-02 SEA-02_A18 planned architecture changes are reflected in criticality analysis. 53A_R5_PL-08c.[04]

SEA-02 SEA-02_A19 planned architecture changes are reflected in organizational procedures. 53A_R5_PL-08c.[05]

SEA-02 SEA-02_A20 planned architecture changes are reflected in procurements and acquisitions. 53A_R5_PL-08c.[06]

SEA-02.1 SEA-02.1_A01 technology and process terminology is standardized to reduce confusion amongst groups and departments. SCF Created

SEA-02.2 SEA-02.2_A01 non-essential functions or services to be offloaded are defined. 53A_R5_PM-07(01)_ODP

SEA-02.2 SEA-02.2_A02 non-essential functions or services are offloaded to other systems, system components or an external provider. 53A_R5_PM-07(01)

SEA-02.3 SEA-02.3_A01 “technical debt” reviews of hardware and software technologies are routinely conducted. SCF Created

SEA-02.3 SEA-02.3_A02 the results of “technical debt” reviews are leveraged as justification to remediate outdated and/or unsupported technologies. SCF Created

SEA-03 SEA-03_A01 security functions are implemented as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. 53A_R5_SC-03(05)

SEA-03 SEA-03_A02 controls to be allocated are defined. 53A_R5_PL-08(01)_ODP[01]

SEA-03 SEA-03_A03 locations and architectural layers are defined. 53A_R5_PL-08(01)_ODP[02]

SEA-03 SEA-03_A04 the security architecture for the system is designed using a defense-in-depth approach that allocates controls to locations and architectural layers. 53A_R5_PL-08(01)(a)[01]

SEA-03 SEA-03_A05 the privacy architecture for the system is designed using a defense-in-depth approach that allocates controls to locations and architectural layers. 53A_R5_PL-08(01)(a)[02]

SEA-03 SEA-03_A06 the security architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner. 53A_R5_PL-08(01)(b)[01]

SEA-03 SEA-03_A07 the privacy architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner. 53A_R5_PL-08(01)(b)[02]

SEA-03.1 SEA-03.1_A01 system components to reside in separate physical or logical domains or environments based on circumstances for the physical or logical separation of components are defined. 53A_R5_SC-32_ODP[01]

SEA-03.1 SEA-03.1_A02 circumstances for the physical or logical separation of components are defined. 53A_R5_SC-32_ODP[02] 53A_R5_SC-32_ODP[03]

SEA-03.1 SEA-03.1_A03 the system is partitioned into system components residing in separate organization-defined physical or logical domains or environments based on the defined circumstances for the physical or logical separation of components. 53A_R5_SC-32

SEA-03.2 SEA-03.2_A01 user functionality is identified. 171A_3.13.3[a]

SEA-03.2 SEA-03.2_A02 system management functionality is identified. 171A_3.13.3[b]

SEA-03.2 SEA-03.2_A03 user functionality is separated from system management functionality. 171A_3.13.3[c] 53A_R5_SC-02

SEA-03.2 SEA-03.2_A04 the presentation of system management functionality is prevented at interfaces to non-privileged users. 53A_R5_SC-02(01)

SEA-03.2 SEA-03.2_A05 state information is stored separately from applications and software. 53A_R5_SC-02(02)

SEA-04 SEA-04_A01 a separate execution domain is maintained for each executing system process. 53A_R5_SC-39

SEA-04.1 SEA-04.1_A01 security functions are isolated from non-security functions. 53A_R5_SC-03

SEA-04.2 SEA-04.2_A01 hardware separation is implemented to facilitate process isolation. 53A_R5_SC-39(01)

SEA-04.3 SEA-04.3_A01 multi-threaded processing for which a separate execution domain is to be maintained for each thread is defined. 53A_R5_SC-39(02)_ODP

SEA-04.3 SEA-04.3_A02 a separate execution domain is maintained for each thread in organization-defined multi-threaded processing. 53A_R5_SC-39(02)

SEA-05 SEA-05_A01 unauthorized information transfer via shared system resources is prevented. 53A_R5_SC-04[01] 171A_3.13.4

SEA-05 SEA-05_A02 unintended information transfer via shared system resources is prevented. 53A_R5_SC-04[02]

SEA-06 SEA-06_A01 policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined. 53A_R5_CM-07(02)_ODP[01] 53A_R5_CM-07(02)_ODP[02]

SEA-06 SEA-06_A02 program execution is prevented in accordance with organization-defined criteria. 53A_R5_CM-07(02)

SEA-07 SEA-07_A01 system components for which Mean Time to Failure (MTTF) should be determined are defined. 53A_R5_SI-13_ODP[01]

SEA-07 SEA-07_A02 Mean Time to Failure (MTTF) substitution criteria to be used as a means to exchange active and standby components are defined. 53A_R5_SI-13_ODP[02]

SEA-07 SEA-07_A03 Mean Time to Failure (MTTF) is determined for system components in specific environments of operation. 53A_R5_SI-13a.

SEA-07 SEA-07_A04 substitute system components and a means to exchange active and standby components are provided in accordance with Mean Time to Failure (MTTF) substitution criteria. 53A_R5_SI-13b.

SEA-07.1 SEA-07.1_A01 system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component or system service. 53A_R5_SA-03(01)

SEA-07.1 SEA-07.1_A02 a technology refresh schedule is planned for the system throughout the system development life cycle. 53A_R5_SA-03(03)[01]

SEA-07.1 SEA-07.1_A03 a technology refresh schedule is implemented for the system throughout the system development life cycle. 53A_R5_SA-03(03)[02]

SEA-07.2 SEA-07.2_A01 restrictions for safe mode of operation are defined. 53A_R5_CP-12_ODP[01]

SEA-07.2 SEA-07.2_A02 conditions detected to enter a safe mode of operation are defined. 53A_R5_CP-12_ODP[02]

SEA-07.2 SEA-07.2_A03 a safe mode of operation is entered with restrictions when conditions are detected. 53A_R5_CP-12

SEA-07.2 SEA-07.2_A04 systems or system components that implement the security design principle of secure failure are defined. 53A_R5_SA-08(24)_ODP[01]

SEA-07.2 SEA-07.2_A05 systems or system components that implement the security design principle of secure recovery are defined. 53A_R5_SA-08(24)_ODP[02]

SEA-07.2 SEA-07.2_A06 systems or system components implement the security design principle of secure failure. 53A_R5_SA-08(24)[01]

SEA-07.2 SEA-07.2_A07 systems or system components implement the security design principle of secure recovery. 53A_R5_SA-08(24)[02]

SEA-07.2 SEA-07.2_A08 types of system failures for which the system components fail to a known state are defined. 53A_R5_SC-24_ODP[01]

SEA-07.2 SEA-07.2_A09 known system state to which system components fail in the event of a system failure is defined. 53A_R5_SC-24_ODP[02]

SEA-07.2 SEA-07.2_A10 system state information to be preserved in the event of a system failure is defined. 53A_R5_SC-24_ODP[03]

SEA-07.2 SEA-07.2_A11 system components fail to a known system state for organization-defined types of system failures while preserving system state information in failure. 53A_R5_SC-24

SEA-07.3 SEA-07.3_A01 fail-safe procedures associated with failure conditions are defined. 53A_R5_SI-17_ODP[01]

SEA-07.3 SEA-07.3_A02 a list of failure conditions requiring fail-safe procedures is defined. 53A_R5_SI-17_ODP[02]

SEA-07.3 SEA-07.3_A03 fail-safe procedures are implemented when organization-defined failure conditions occur. 53A_R5_SI-17

SEA-08 SEA-08_A01 non-persistent system components and services to be implemented are defined. 53A_R5_SI-14_ODP[01]

SEA-08 SEA-08_A02 the frequency at which to terminate non-persistent components and services that are initiated in a known state is defined. 53A_R5_SI-14_ODP[02]
53A_R5_SI-14_ODP[03]

SEA-08 SEA-08_A03 non-persistent system components and services that are initiated in a known state are implemented. 53A_R5_SI-14[01]

SEA-08 SEA-08_A04 non-persistent system components and services are terminated per organization-defined criteria. 53A_R5_SI-14[02]

SEA-08.1 SEA-08.1_A01 a technology refresh schedule is planned for the system throughout the system development life cycle. 53A_R5_SA-03(03)[01]

SEA-08.1 SEA-08.1_A02 a technology refresh schedule is implemented for the system throughout the system development life cycle. 53A_R5_SA-03(03)[02]

SEA-08.1 SEA-08.1_A03 trusted sources to obtain software and data for system component and service refreshes are defined. 53A_R5_SI-14(01)_ODP

SEA-08.1 SEA-08.1_A04 the software and data employed during system component and service refreshes are obtained from organization-defined trusted sources. 53A_R5_SI-14(01)

SEA-08.1 SEA-08.1_A05 approved systems and system components are identified. 172A_3.4.1e[a]

SEA-08.1 SEA-08.1_A06 implemented system components are identified. 172A_3.4.1e[b]

SEA-08.1 SEA-08.1_A07 an authoritative source and repository are established to provide a trusted source and accountability for approved and implemented system components. 172A_3.4.1e[c]

SEA-08.1 SEA-08.1_A08 an authoritative source and repository are maintained to provide a trusted source and accountability for approved and implemented system components. 172A_3.4.1e[d]

SEA-08.1 SEA-08.1_A09 systems and system components to refresh from a known, trusted state are defined. 172A_3.14.4e_ODP[1]

SEA-08.1 SEA-08.1_A10 the frequency to refresh systems and systems components is defined. 172A_3.14.4e_ODP[2]

SEA-08.1 SEA-08.1_A11 a known, trusted state is identified for systems and system components. 172A_3.14.4e[a]

SEA-08.1 SEA-08.1_A12 systems and system components are refreshed from a known, trusted state per an organization-defined frequency. 172A_3.14.4e[b]

SEA-09 SEA-09_A01 software programs and/or applications whose information output requires validation are defined. 53A_R5_SI-15_ODP

Licensed by Creative Commons Attribution-NoDerivatives 219 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

SEA-09 SEA-09_A02 information output from organization-defined software programs and/or applications is validated to ensure that the information is consistent with the expected content. 53A_R5_SI-15

SEA-09.1 SEA-09.1_A01 the dissemination of Personal Data (PD) is restricted to organization-defined elements identified in the Data Protection Impact Assessment (DPIA) and consistent with authorized purposes. SCF Created

SEA-10 SEA-10_A01 controls to be implemented to protect the system memory from unauthorized code execution are defined. 53A_R5_SI-16_ODP

SEA-10 SEA-10_A02 controls are implemented to protect the system memory from unauthorized code execution. 53A_R5_SI-16

SEA-11 SEA-11_A01 environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined. 53A_R5_IR-04(13)_ODP

SEA-11 SEA-11_A02 anomalous or suspected adversarial behavior in or related to organization-defined environments or resources is analyzed. 53A_R5_IR-04(13)

SEA-11 SEA-11_A03 components within organizational systems specifically designed to be the target of malicious attacks are included to detect such attacks. 53A_R5_SC-26[01]

SEA-11 SEA-11_A04 components within organizational systems specifically designed to be the target of malicious attacks are included to deflect such attacks. 53A_R5_SC-26[02]

SEA-11 SEA-11_A05 components within organizational systems specifically designed to be the target of malicious attacks are included to analyze such attacks. 53A_R5_SC-26[03]

SEA-11 SEA-11_A06 technical and procedural means to confuse and mislead adversaries are defined. 172A_3.13.3e_ODP[1]

SEA-11 SEA-11_A07 technical and procedural means are employed to confuse and mislead adversaries. 172A_3.13.3e[a]

SEA-12 SEA-12_A01 system components that proactively seek to identify network-based malicious code or malicious websites are included. 53A_R5_SC-35

SEA-12 SEA-12_A02 environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined. 53A_R5_IR-04(13)_ODP

SEA-12 SEA-12_A03 anomalous or suspected adversarial behavior in or related to organization-defined environments or resources is analyzed. 53A_R5_IR-04(13)

SEA-13 SEA-13_A01 diversity in system components is created to reduce the extent of malicious code propagation. 172A_3.13.1e[a]

SEA-13 SEA-13_A02 system components requiring a diverse set of information technologies to be employed in the implementation of the system are defined. 53A_R5_SC-29_ODP
172A_3.13.1e_ODP[1]

SEA-13 SEA-13_A03 a diverse set of information technologies is employed for organization-defined system components in the implementation of the system. 53A_R5_SC-29

SEA-13.1 SEA-13.1_A01 the frequency at which to change the diversity of operating systems and applications deployed using virtualization techniques is defined. 53A_R5_SC-29(01)_ODP

SEA-13.1 SEA-13.1_A02 virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed per an organization-defined frequency. 53A_R5_SC-29(01)

SEA-14 SEA-14_A01 concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting systems are defined. 53A_R5_SC-30_ODP[01]
172A_3.13.3e_ODP[1]

SEA-14 SEA-14_A02 systems for which concealment and misdirection techniques are to be employed are defined. 53A_R5_SC-30_ODP[02]

SEA-14 SEA-14_A03 time periods to employ concealment and misdirection techniques for systems are defined. 53A_R5_SC-30_ODP[03]

SEA-14 SEA-14_A04 concealment and misdirection techniques are employed for systems for time periods to confuse and mislead adversaries. 53A_R5_SC-30
172A_3.13.3e[a]

SEA-14.1 SEA-14.1_A01 changes to organizational systems and system components to introduce a degree of unpredictability into operations are defined. 172A_3.13.2e_ODP[1]

SEA-14.1 SEA-14.1_A02 the frequency of changes by system and system components is defined. 172A_3.13.2e_ODP[2]

SEA-14.1 SEA-14.1_A03 organizational systems and system components necessitating unpredictability are identified. 172A_3.13.2e[a]

SEA-14.1 SEA-14.1_A04 changes to organizational systems and system components are implemented per an organization-defined frequency to introduce a degree of unpredictability into operations. 172A_3.13.2e[b]

SEA-14.1 SEA-14.1_A05 technical and procedural means to confuse and mislead adversaries are defined. 172A_3.13.3e_ODP[1]
53A_R5_SC-30(02)_ODP

SEA-14.1 SEA-14.1_A06 technical and procedural means are employed to confuse and mislead adversaries. 172A_3.13.3e[a]
53A_R5_SC-30(02)

SEA-14.2 SEA-14.2_A01 processing and/or storage locations to be changed are defined. 53A_R5_SC-30(03)_ODP[01]

SEA-14.2 SEA-14.2_A02 the time frequency at which to change the location of processing and/or storage is defined. 53A_R5_SC-30(03)_ODP[02]
53A_R5_SC-30(03)_ODP[03]

SEA-14.2 SEA-14.2_A03 the location of processing and/or storage is changed per organization-defined criteria. 53A_R5_SC-30(03)

SEA-15 SEA-15_A01 the logical and physical location where the system resides is planned considering physical and environmental hazards. 53A_R5_PE-23a.
53A_R5_SC-36_ODP[04]

SEA-15 SEA-15_A02 for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy. 53A_R5_PE-23b.

SEA-15 SEA-15_A03 processing components to be distributed across multiple locations/domains are defined. 53A_R5_SC-36_ODP[01]

SEA-15 SEA-15_A04 storage components to be distributed across multiple locations/domains are defined. 53A_R5_SC-36_ODP[02]
53A_R5_SC-36_ODP[03]


SEA-15 SEA-15_A05 processing components are distributed across organization-defined locations. 53A_R5_SC-36[01]

SEA-15 SEA-15_A06 storage components are distributed across organization-defined locations. 53A_R5_SC-36[02]

SEA-15 SEA-15_A07 system functions or resources to distribute and relocate are defined. 172A_3.13.5e_ODP[1]

SEA-15 SEA-15_A08 frequency to distribute and relocate system functions or resources is defined. 172A_3.13.5e_ODP[2]

SEA-15 SEA-15_A09 system functions or resources are distributed and relocated per an organization-defined frequency. 172A_3.13.5e[a]

SEA-16 SEA-16_A01 system components for which the operating environment and applications are to be loaded and executed from hardware-enforced, read-only media are defined. 53A_R5_SC-34_ODP[01]

SEA-16 SEA-16_A02 applications to be loaded and executed from hardware-enforced, read-only media are defined. 53A_R5_SC-34_ODP[02]

SEA-16 SEA-16_A03 the operating environment for system components is loaded and executed from hardware-enforced, read-only media. 53A_R5_SC-34a.

SEA-16 SEA-16_A04 applications for system components are loaded and executed from hardware-enforced, read-only media. 53A_R5_SC-34b.

SEA-17 SEA-17_A01 a trusted communications path is used between the user and the security functions of the system (e.g., Ctrl+Alt+Del). SCF Created

SEA-18 SEA-18_A01 system use notification message or banner to be displayed by the system to users before granting access to the system is defined. 53A_R5_AC-08_ODP[01]

SEA-18 SEA-18_A02 conditions for system use to be displayed by the system before granting further access are defined. 53A_R5_AC-08_ODP[02]

SEA-18 SEA-18_A03 organization-defined system use notification is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards and guidelines. 53A_R5_AC-08a.
171A_3.1.9[a]
171A_3.1.9[b]

SEA-18 SEA-18_A04 the system use notification states that users are accessing a protected system. 53A_R5_AC-08a.01

SEA-18 SEA-18_A05 the system use notification states that system usage may be monitored, recorded and subject to audit. 53A_R5_AC-08a.02

SEA-18 SEA-18_A06 the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties. 53A_R5_AC-08a.03

SEA-18 SEA-18_A07 the system use notification states that use of the system indicates consent to monitoring and recording. 53A_R5_AC-08a.04

SEA-18 SEA-18_A08 the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system. 53A_R5_AC-08b.

SEA-18 SEA-18_A09 for publicly accessible systems, system use information is displayed under organization-defined conditions before granting further access to the publicly accessible system. 53A_R5_AC-08c.01

SEA-18 SEA-18_A10 for publicly accessible systems, any references to monitoring, recording or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed. 53A_R5_AC-08c.02

SEA-18 SEA-18_A11 for publicly accessible systems, a description of the authorized uses of the system is included. 53A_R5_AC-08c.03

SEA-18.1 SEA-18.1_A01 Microsoft Windows-based systems are configured to display an approved logon banner before granting access to the system that provides privacy and security notices. SCF Created

SEA-18.2 SEA-18.2_A01 Where technically feasible, systems utilize a truncated system use notification / logon banner on systems not capable of displaying a logon banner from a centralized source, such as Active Directory. SCF Created

SEA-19 SEA-19_A01 the user is notified, upon successful logon to the system, of the date and time of the last logon. 53A_R5_AC-09

SEA-20 SEA-20_A01 granularity of time measurement for audit record timestamps is defined. 53A_R5_AU-08_ODP

SEA-20 SEA-20_A02 internal system clocks are used to generate timestamps for audit records. 53A_R5_AU-08a.

OPS-01 OPS-01_A01 operations security controls to be employed to protect key organizational information throughout the system development life cycle are defined. 53A_R5_SC-38_ODP

OPS-01 OPS-01_A02 operations security controls are employed to protect key organizational information throughout the system development life cycle. 53A_R5_SC-38

OPS-01.1 OPS-01.1_A01 procedures to facilitate the implementation of the cybersecurity & privacy policies and associated controls are developed and documented. 53A_R5_AC-01a.[03]
53A_R5_AT-01a.[03]
53A_R5_AU-01a.[03]
53A_R5_CA-01a.[03]
53A_R5_CM-01a.[03]
53A_R5_CP-01a.[03]
53A_R5_IA-01a.[03]
53A_R5_IR-01a.[03]
53A_R5_MA-01a.[03]
53A_R5_MP-01a.[03]
53A_R5_PE-01a.[03]
53A_R5_PL-01a.[03]
53A_R5_PS-01a.[03]
53A_R5_PT-01a.[03]
53A_R5_RA-01a.[03]
53A_R5_SA-01a.[03]
53A_R5_SC-01a.[03]
53A_R5_SI-01a.[03]
53A_R5_SR-01a.[03]

OPS-01.1 OPS-01.1_A02 the cybersecurity & privacy procedures are disseminated to organization-defined personnel or roles. 53A_R5_AC-01a.[04]
53A_R5_AT-01a.[04]
53A_R5_AU-01a.[04]
53A_R5_CA-01a.[04]
53A_R5_CM-01a.[04]
53A_R5_CP-01a.[04]
53A_R5_IA-01a.[04]
53A_R5_IR-01a.[04]
53A_R5_MA-01a.[04]
53A_R5_MP-01a.[04]
53A_R5_PE-01a.[04]
53A_R5_PL-01a.[04]
53A_R5_PS-01a.[04]
53A_R5_PT-01a.[04]
53A_R5_RA-01a.[04]
53A_R5_SA-01a.[04]
53A_R5_SC-01a.[04]
53A_R5_SI-01a.[04]
53A_R5_SR-01a.[04]

OPS-01.1 OPS-01.1_A03 the current cybersecurity & privacy procedures are reviewed and updated per an organization-defined frequency. 53A_R5_AC-01c.02[01]
53A_R5_AT-01c.02[01]
53A_R5_AU-01c.02[01]
53A_R5_CA-01c.02[01]
53A_R5_CM-01c.02[01]
53A_R5_CP-01c.02[01]
53A_R5_IA-01c.02[01]
53A_R5_IR-01c.02[01]
53A_R5_MA-01c.02[01]
53A_R5_MP-01c.02[01]
53A_R5_PE-01c.02[01]
53A_R5_PL-01c.02[01]
53A_R5_PS-01c.02[01]
53A_R5_PT-01c.02[01]
53A_R5_RA-01c.02[01]
53A_R5_SA-01c.02[01]
53A_R5_SC-01c.02[01]
53A_R5_SI-01c.02[01]
53A_R5_SR-01c.02[01]

OPS-01.1 OPS-01.1_A04 the current cybersecurity & privacy procedures are reviewed and updated following organization-defined events. 53A_R5_AC-01c.02[02]
53A_R5_AT-01c.02[02]
53A_R5_AU-01c.02[02]
53A_R5_CA-01c.02[02]
53A_R5_CM-01c.02[02]
53A_R5_CP-01c.02[02]
53A_R5_IA-01c.02[02]
53A_R5_IR-01c.02[02]
53A_R5_MA-01c.02[02]
53A_R5_MP-01c.02[02]
53A_R5_PE-01c.02[02]
53A_R5_PL-01c.02[02]
53A_R5_PS-01c.02[02]
53A_R5_PT-01c.02[02]
53A_R5_RA-01c.02[02]
53A_R5_SA-01c.02[02]
53A_R5_SC-01c.02[02]
53A_R5_SI-01c.02[02]
53A_R5_SR-01c.02[02]

OPS-01.1 OPS-01.1_A05 personnel or roles to whom cybersecurity & privacy procedures are to be disseminated is/are defined. 53A_R5_AC-01_ODP[02]
53A_R5_AT-01_ODP[02]
53A_R5_AU-01_ODP[02]
53A_R5_CA-01_ODP[02]
53A_R5_CM-01_ODP[02]
53A_R5_CP-01_ODP[02]
53A_R5_IA-01_ODP[02]
53A_R5_IR-01_ODP[02]
53A_R5_MA-01_ODP[02]
53A_R5_MP-01_ODP[02]
53A_R5_PE-01_ODP[02]
53A_R5_PL-01_ODP[02]
53A_R5_PS-01_ODP[02]
53A_R5_PT-01_ODP[02]
53A_R5_RA-01_ODP[02]
53A_R5_SA-01_ODP[02]
53A_R5_SC-01_ODP[02]
53A_R5_SI-01_ODP[02]
53A_R5_SR-01_ODP[02]

OPS-01.1 OPS-01.1_A06 the frequency with which cybersecurity & privacy procedures are reviewed and updated is defined. 53A_R5_AC-01_ODP[07]
53A_R5_AT-01_ODP[07]
53A_R5_AU-01_ODP[07]
53A_R5_CA-01_ODP[07]
53A_R5_CM-01_ODP[07]
53A_R5_CP-01_ODP[07]
53A_R5_IA-01_ODP[07]
53A_R5_IR-01_ODP[07]
53A_R5_MA-01_ODP[07]
53A_R5_MP-01_ODP[07]
53A_R5_PE-01_ODP[07]
53A_R5_PL-01_ODP[07]
53A_R5_PS-01_ODP[07]
53A_R5_PT-01_ODP[07]
53A_R5_RA-01_ODP[07]
53A_R5_SA-01_ODP[07]
53A_R5_SC-01_ODP[07]
53A_R5_SI-01_ODP[07]
53A_R5_SR-01_ODP[07]

OPS-01.1 OPS-01.1_A07 events that would require procedures to be reviewed and updated are defined. 53A_R5_AC-01_ODP[08]
53A_R5_AT-01_ODP[08]
53A_R5_AU-01_ODP[08]
53A_R5_CA-01_ODP[08]
53A_R5_CM-01_ODP[08]
53A_R5_CP-01_ODP[08]
53A_R5_IA-01_ODP[08]
53A_R5_IR-01_ODP[08]
53A_R5_MA-01_ODP[08]
53A_R5_MP-01_ODP[08]
53A_R5_PE-01_ODP[08]
53A_R5_PL-01_ODP[08]
53A_R5_PS-01_ODP[08]
53A_R5_PT-01_ODP[08]
53A_R5_RA-01_ODP[08]
53A_R5_SA-01_ODP[08]
53A_R5_SC-01_ODP[08]
53A_R5_SI-01_ODP[08]
53A_R5_SR-01_ODP[08]

OPS-01.1 OPS-01.1_A08 systems or system components that implement the security design principle of sufficient documentation are defined. 53A_R5_SA-08(32)_ODP


OPS-01.1 OPS-01.1_A09 systems or system components implement the security design principle of sufficient documentation. 53A_R5_SA-08(32)

OPS-02 OPS-02_A01 frequency for review and update of the Concept of Operations (CONOPS) is defined. 53A_R5_PL-07_ODP

OPS-02 OPS-02_A02 a CONOPS for the system describing how the organization intends to operate the system from the perspective of cybersecurity & privacy is developed. 53A_R5_PL-07a.

OPS-02 OPS-02_A03 the CONOPS is reviewed and updated per an organization-defined frequency. 53A_R5_PL-07b.

OPS-03 OPS-03_A01 supporting business processes are defined. SCF Created

OPS-03 OPS-03_A02 appropriate governance and service management is implemented to ensure appropriate planning, delivery and support of business functions, workforce, and/or customers. SCF Created

OPS-04 OPS-04_A01 a time period to operate a Security Operations Center (SOC) capability is defined. 172A_3.6.1e_ODP[1]

OPS-04 OPS-04_A02 a Security Operations Center (SOC) capability is established. 172A_3.6.1e[a]
53A_R5_IR-04(14)[01]

OPS-04 OPS-04_A03 the Security Operations Center (SOC) capability operates according to an organization-defined time period. 172A_3.6.1e[b]

OPS-04 OPS-04_A04 the Security Operations Center (SOC) capability is maintained. 172A_3.6.1e[c]
53A_R5_IR-04(14)[02]

OPS-05 OPS-05_A01 guidelines and recommendations for the secure use of products and/or services are generated to assist in the configuration, installation and use of the product and/or service. SCF Created

SAT-01 SAT-01_A01 the cybersecurity & privacy education and awareness program is organization-wide. 53A_R5_AT-01_ODP[03]

SAT-01 SAT-01_A02 a security workforce development and improvement program is established. 53A_R5_PM-13[01]

SAT-01 SAT-01_A03 a privacy workforce development and improvement program is established. 53A_R5_PM-13[02]

SAT-02 SAT-02_A01 security risks associated with organizational activities involving sensitive / regulated data are identified. 171A_3.2.1[a]

SAT-02 SAT-02_A02 policies, standards and procedures related to the security of the system are identified. 171A_3.2.1[b]

SAT-02 SAT-02_A03 managers, systems administrators and users of the system are made aware of the security risks associated with their activities. 171A_3.2.1[c]

SAT-02 SAT-02_A04 managers, systems administrators and users of the system are made aware of the applicable policies, standards and procedures related to the security of the system. 171A_3.2.1[d]

SAT-02 SAT-02_A05 the frequency at which to provide security literacy training to system users (including managers, senior executives and contractors) after initial training is defined. 53A_R5_AT-02_ODP[01]
AT-02_ODP[01]

SAT-02 SAT-02_A06 the frequency at which to provide privacy literacy training to system users (including managers, senior executives and contractors) after initial training is defined. 53A_R5_AT-02_ODP[02]
AT-02_ODP[01]

SAT-02 SAT-02_A07 events that require security literacy training for system users are defined. 53A_R5_AT-02_ODP[03]

SAT-02 SAT-02_A08 events that require privacy literacy training for system users are defined. 53A_R5_AT-02_ODP[04]

SAT-02 SAT-02_A09 techniques to be employed to increase the cybersecurity & privacy awareness of system users are defined. 53A_R5_AT-02_ODP[05]

SAT-02 SAT-02_A10 the frequency at which to update literacy training and awareness content is defined. 53A_R5_AT-02_ODP[06]
172A_3.2.1e_ODP[2]

SAT-02 SAT-02_A11 events that would require literacy training and awareness content to be updated are defined. 53A_R5_AT-02_ODP[07]

SAT-02 SAT-02_A12 awareness training is updated per an organization-defined frequency or when there are significant changes to the threat. 172A_3.2.1e[d]

SAT-02 SAT-02_A13 security literacy training is provided to system users (including managers, senior executives and contractors) as part of initial training for new users. 53A_R5_AT-02a.01[01]

SAT-02 SAT-02_A14 privacy literacy training is provided to system users (including managers, senior executives and contractors) as part of initial training for new users. 53A_R5_AT-02a.01[02]

SAT-02 SAT-02_A15 security literacy training is provided to system users (including managers, senior executives and contractors) per an organization-defined frequency thereafter. 53A_R5_AT-02a.01[03]

SAT-02 SAT-02_A16 privacy literacy training is provided to system users (including managers, senior executives and contractors) per an organization-defined frequency thereafter. 53A_R5_AT-02a.01[04]

SAT-02 SAT-02_A17 security literacy training is provided to system users (including managers, senior executives and contractors) when required by system changes or following organization-defined events. 53A_R5_AT-02a.02[01]

SAT-02 SAT-02_A18 privacy literacy training is provided to system users (including managers, senior executives and contractors) when required by system changes or following organization-defined events. 53A_R5_AT-02a.02[02]

SAT-02 SAT-02_A19 organization-defined awareness techniques are employed to increase the cybersecurity & privacy awareness of system users. 53A_R5_AT-02b.

SAT-02 SAT-02_A20 literacy training and awareness content is updated per an organization-defined frequency. 53A_R5_AT-02c.[01]

SAT-02 SAT-02_A21 literacy training and awareness content is updated following organization-defined events. 53A_R5_AT-02c.[02]

SAT-02 SAT-02_A22 lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques. 53A_R5_AT-02d.


SAT-02.1 SAT-02.1_A01 practical exercises are identified. 172A_3.2.2e[a]

SAT-02.1 SAT-02.1_A02 current threat scenarios are identified. 172A_3.2.2e[b]

SAT-02.1 SAT-02.1_A03 individuals involved in training and their supervisors are identified. 172A_3.2.2e[c]

SAT-02.1 SAT-02.1_A04 practical exercises that are aligned with current threat scenarios are included in awareness training for roles. 172A_3.2.2e[d]

SAT-02.1 SAT-02.1_A05 practical exercises in literacy training that simulate events and incidents are provided. 53A_R5_AT-02(01)

SAT-02.1 SAT-02.1_A06 frequency at which to provide feedback on organizational training results is defined. 53A_R5_AT-06_ODP[01]

SAT-02.1 SAT-02.1_A07 personnel to whom feedback on organizational training results will be provided is/are assigned. 53A_R5_AT-06_ODP[02]

SAT-02.1 SAT-02.1_A08 feedback on organizational training results is provided per an organization-defined frequency to organization-defined personnel. 53A_R5_AT-06
172A_3.2.2e[e]

SAT-02.2 SAT-02.2_A01 threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors are identified. 172A_3.2.1e[a]

SAT-02.2 SAT-02.2_A02 literacy training on recognizing potential and actual instances of social engineering is provided. 53A_R5_AT-02(03)[01]
172A_3.2.1e[b]

SAT-02.2 SAT-02.2_A03 literacy training on reporting potential and actual instances of social engineering is provided. 53A_R5_AT-02(03)[02]
172A_3.2.1e[b]

SAT-02.2 SAT-02.2_A04 literacy training on recognizing potential and actual instances of social mining is provided. 53A_R5_AT-02(03)[03]
172A_3.2.1e[b]

SAT-02.2 SAT-02.2_A05 literacy training on reporting potential and actual instances of social mining is provided. 53A_R5_AT-02(03)[04]
172A_3.2.1e[b]

SAT-02.2 SAT-02.2_A06 significant changes to the threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors are identified. 172A_3.2.1e[c]

SAT-02.2 SAT-02.2_A07 awareness training is updated per an organization-defined frequency or when there are significant changes to the threat. 172A_3.2.1e[d]

SAT-03 SAT-03_A01 roles and responsibilities for role-based security training are defined. 53A_R5_AT-03_ODP[01]
171A_3.2.2[a]

SAT-03 SAT-03_A02 roles and responsibilities for role-based privacy training are defined. 53A_R5_AT-03_ODP[02]
171A_3.2.2[b]

SAT-03 SAT-03_A03 the frequency at which to provide role-based cybersecurity & privacy training to assigned personnel after initial training is defined. 53A_R5_AT-03_ODP[03]

SAT-03 SAT-03_A04 the frequency at which to update role-based training content is defined. 53A_R5_AT-03_ODP[04]

SAT-03 SAT-03_A05 events that require role-based training content to be updated are defined. 53A_R5_AT-03_ODP[05]

SAT-03 SAT-03_A06 role-based security training is provided to organization-defined roles and responsibilities before authorizing access to the system, information or performing assigned duties. 53A_R5_AT-03a.01[01]
171A_3.2.2[c]

SAT-03 SAT-03_A07 role-based privacy training is provided to organization-defined roles and responsibilities before authorizing access to the system, information or performing assigned duties. 53A_R5_AT-03a.01[02]

SAT-03 SAT-03_A08 role-based security training is provided per an organization-defined frequency thereafter. 53A_R5_AT-03a.01[03]
171A_3.2.2[c]

SAT-03 SAT-03_A09 role-based privacy training is provided per an organization-defined frequency thereafter. 53A_R5_AT-03a.01[04]

SAT-03 SAT-03_A10 role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes. 53A_R5_AT-03a.02[01]
171A_3.2.2[c]

SAT-03 SAT-03_A11 role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes. 53A_R5_AT-03a.02[02]

SAT-03 SAT-03_A12 role-based training content is updated per an organization-defined frequency. 53A_R5_AT-03b.[01]

SAT-03 SAT-03_A13 role-based training content is updated following organization-defined events. 53A_R5_AT-03b.[02]

SAT-03 SAT-03_A14 lessons learned from internal or external security incidents or breaches are incorporated into role-based training. 53A_R5_AT-03c.

SAT-03.1 SAT-03.1_A01 practical exercises in security training that reinforce training objectives are provided. 53A_R5_AT-03(03)[01]

SAT-03.1 SAT-03.1_A02 practical exercises in privacy training that reinforce training objectives are provided. 53A_R5_AT-03(03)[02]

SAT-03.2 SAT-03.2_A01 indicators of malicious code are defined. 53A_R5_AT-02(04)_ODP

SAT-03.2 SAT-03.2_A02 literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using organization-defined indicators of malicious code is provided. 53A_R5_AT-02(04)

SAT-03.2 SAT-03.2_A03 literacy training on the advanced persistent threat is provided. 53A_R5_AT-02(05)

SAT-03.3 SAT-03.3_A01 personnel or roles to be provided with initial and refresher training in the employment and operation of personal data processing and transparency controls is/are defined. 53A_R5_AT-03(05)_ODP[01]

SAT-03.3 SAT-03.3_A02 the frequency at which to provide refresher training in the employment and operation of personal data processing and transparency controls is defined. 53A_R5_AT-03(05)_ODP[02]


SAT-03.3 SAT-03.3_A03 organization-defined personnel or roles are provided with initial and refresher training per an organization-defined frequency in the employment and operation of personal data processing and transparency controls. 53A_R5_AT-03(05)

SAT-03.4 SAT-03.4_A01 vendor-specific security training is provided to support new technology initiatives. SCF Created

SAT-03.5 SAT-03.5_A01 specific training for privileged users is provided to ensure privileged users understand their unique roles and responsibilities. SCF Created

SAT-03.6 SAT-03.6_A01 literacy training on the cyber threat environment is provided. 53A_R5_AT-02(06)(a)

SAT-03.6 SAT-03.6_A02 system operations reflect current cyber threat information. 53A_R5_AT-02(06)(b)

SAT-03.6 SAT-03.6_A03 the frequency of providing awareness training is defined. 172A_3.2.1e_ODP[1]

SAT-03.6 SAT-03.6_A04 the frequency of updating awareness training is defined. 172A_3.2.1e_ODP[2]

SAT-03.7 SAT-03.7_A01 cybersecurity and privacy personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities. SCF Created

SAT-03.8 SAT-03.8_A01 application development and operations (DevOps) personnel receive Continuing Professional Education (CPE) training on Secure Software Development Practices (SSDP) to appropriately address evolving threats. SCF Created

SAT-04 SAT-04_A01 time period for retaining individual training records is defined. 53A_R5_AT-04_ODP

SAT-04 SAT-04_A02 security and privacy training activities, including cybersecurity & privacy awareness training and specific role-based cybersecurity & privacy training, are documented. 53A_R5_AT-04a.[01]

SAT-04 SAT-04_A03 security and privacy training activities, including cybersecurity & privacy awareness training and specific role-based cybersecurity & privacy training, are monitored. 53A_R5_AT-04a.[02]

SAT-04 SAT-04_A04 individual training records are retained for an organization-defined time period. 53A_R5_AT-04b.

TDA-01 TDA-01_A01 personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined. 53A_R5_SA-01_ODP[01]

TDA-01 TDA-01_A02 personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined. 53A_R5_SA-01_ODP[02]

TDA-01 TDA-01_A03 one or more of the following organization-defined criteria is/are selected: {organization-level; mission/business process-level; system-level}. 53A_R5_SA-01_ODP[03]

TDA-01 TDA-01_A04 an official to manage the system and services acquisition policy and procedures is defined. 53A_R5_SA-01_ODP[04]

TDA-01 TDA-01_A05 the frequency at which the current system and services acquisition policy is reviewed and updated is defined. 53A_R5_SA-01_ODP[05]

TDA-01 TDA-01_A06 events that would require the current system and services acquisition policy to be reviewed and updated are defined. 53A_R5_SA-01_ODP[06]

TDA-01 TDA-01_A07 the frequency at which the current system and services acquisition procedures are reviewed and updated is defined. 53A_R5_SA-01_ODP[07]

TDA-01 TDA-01_A08 events that would require the system and services acquisition procedures to be reviewed and updated are defined. 53A_R5_SA-01_ODP[08]

TDA-01 TDA-01_A09 a system and services acquisition policy is developed and documented. 53A_R5_SA-01a.[01]

TDA-01 TDA-01_A10 the system and services acquisition policy is disseminated to organization-defined personnel or roles. 53A_R5_SA-01a.[02]

TDA-01 TDA-01_A11 system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented. 53A_R5_SA-01a.[03]

TDA-01 TDA-01_A12 the system and services acquisition procedures are disseminated to organization-defined personnel or roles. 53A_R5_SA-01a.[04]

TDA-01 TDA-01_A13 the organization's system and services acquisition policy addresses purpose. 53A_R5_SA-01a.01(a)[01]

TDA-01 TDA-01_A14 the organization's system and services acquisition policy addresses scope. 53A_R5_SA-01a.01(a)[02]

TDA-01 TDA-01_A15 the organization's system and services acquisition policy addresses roles. 53A_R5_SA-01a.01(a)[03]

TDA-01 TDA-01_A16 the organization's system and services acquisition policy addresses responsibilities. 53A_R5_SA-01a.01(a)[04]

TDA-01 TDA-01_A17 the organization's system and services acquisition policy addresses management commitment. 53A_R5_SA-01a.01(a)[05]

TDA-01 TDA-01_A18 the organization's system and services acquisition policy addresses coordination among organizational entities. 53A_R5_SA-01a.01(a)[06]

TDA-01 TDA-01_A19 the organization's system and services acquisition policy addresses compliance. 53A_R5_SA-01a.01(a)[07]

TDA-01 TDA-01_A20 the organization's system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. 53A_R5_SA-01a.01(b)

TDA-01 TDA-01_A21 the organization-defined official is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures. 53A_R5_SA-01b.

TDA-01 TDA-01_A22 the system and services acquisition policy is reviewed and updated at the organization-defined frequency. 53A_R5_SA-01c.01[01]

TDA-01 TDA-01_A23 the current system and services acquisition policy is reviewed and updated following organization-defined events. 53A_R5_SA-01c.01[02]

Licensed by Creative Commons Attribution-NoDerivatives 224 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

TDA-01 TDA-01_A24 the current system and services acquisition procedures are reviewed and updated at the organization-defined frequency. 53A_R5_SA-01c.02[01]

TDA-01 TDA-01_A25 the current system and services acquisition procedures are reviewed and updated following organization-defined events. 53A_R5_SA-01c.02[02]

TDA-01 TDA-01_A26 systems or system components supporting mission-essential services or functions are defined. 53A_R5_SA-23_ODP[01], 53A_R5_SA-23_ODP[02]

TDA-01 TDA-01_A27 organization-defined criteria are employed on organization-defined systems or system components supporting essential services or functions to increase the trustworthiness in those systems or components. 53A_R5_SA-23

TDA-01.1 TDA-01.1_A01 systems or system components supporting mission-essential services or functions are defined. 53A_R5_SA-23_ODP[01], 53A_R5_SA-23_ODP[02]

TDA-01.1 TDA-01.1_A02 organization-defined criteria are employed on systems or system components supporting essential services or functions to increase the trustworthiness in those systems or components. 53A_R5_SA-23

TDA-01.2 TDA-01.2_A01 integrity validation mechanisms are utilized for security updates. SCF Created

TDA-01.3 TDA-01.3_A01 at least one (1) malware detection tool is used to identify if any known malware exists in the final binaries of the product or security update. SCF Created

TDA-02 TDA-02_A01 security functional requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04a.[01]

TDA-02 TDA-02_A02 privacy functional requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04a.[02]

TDA-02 TDA-02_A03 strength of mechanism requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04b.

TDA-02 TDA-02_A04 security assurance requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04c.[01]

TDA-02 TDA-02_A05 privacy assurance requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04c.[02]

TDA-02 TDA-02_A06 controls needed to satisfy the security requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04d.[01]

TDA-02 TDA-02_A07 controls needed to satisfy the privacy requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04d.[02]

TDA-02 TDA-02_A08 security documentation requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04e.[01]

TDA-02 TDA-02_A09 privacy documentation requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04e.[02]

TDA-02 TDA-02_A10 requirements for protecting security documentation, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04f.[01]

TDA-02 TDA-02_A11 requirements for protecting privacy documentation, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04f.[02]

TDA-02 TDA-02_A12 the description of the system development environment and environment in which the system is intended to operate, requirements and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04g.

TDA-02 TDA-02_A13 the allocation of responsibility or identification of parties responsible for cybersecurity requirements, descriptions and criteria are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04h.[01]

TDA-02 TDA-02_A14 the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions and criteria are included explicitly or by reference using organization-defined criteria. 53A_R5_SA-04h.[02]

TDA-02 TDA-02_A15 the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions and criteria are included explicitly or by reference using organization-defined criteria. 53A_R5_SA-04h.[03]

TDA-02 TDA-02_A16 acceptance criteria requirements and descriptions are included explicitly or by reference in the acquisition contract for the system, system component or system service. 53A_R5_SA-04i.

TDA-02.1 TDA-02.1_A01 the developer of the system, system component or system service is required to identify the functions intended for organizational use. 53A_R5_SA-04(09)[01]

TDA-02.1 TDA-02.1_A02 the developer of the system, system component or system service is required to identify the ports intended for organizational use. 53A_R5_SA-04(09)[02]

TDA-02.1 TDA-02.1_A03 the developer of the system, system component or system service is required to identify the protocols intended for organizational use. 53A_R5_SA-04(09)[03]

TDA-02.1 TDA-02.1_A04 the developer of the system, system component or system service is required to identify the services intended for organizational use. 53A_R5_SA-04(09)[04]

TDA-02.2 TDA-02.2_A01 as required per statutory, regulatory or contractual obligations, only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed. 53A_R5_SA-04(10)

TDA-02.3 TDA-02.3_A01 systems engineering methods are defined. 53A_R5_SA-04(03)_ODP[01]

TDA-02.3 TDA-02.3_A02 system security engineering methods are defined. 53A_R5_SA-04(03)_ODP[02], 53A_R5_SA-04(03)_ODP[03]

TDA-02.3 TDA-02.3_A03 privacy engineering methods are defined. 53A_R5_SA-04(03)_ODP[04]

TDA-02.3 TDA-02.3_A04 software development methods are defined. 53A_R5_SA-04(03)_ODP[05], 53A_R5_SA-04(03)_ODP[06]

TDA-02.3 TDA-02.3_A05 testing, evaluation, assessment, verification and validation methods are defined. 53A_R5_SA-04(03)_ODP[07]

TDA-02.3 TDA-02.3_A06 quality control processes are defined. 53A_R5_SA-04(03)_ODP[08]

TDA-02.3 TDA-02.3_A07 the developer of the system, system component or system service is required to demonstrate the use of a system development life cycle process that includes organization-defined system security engineering methods. 53A_R5_SA-04(03)(a), 53A_R5_SA-04(03)(b), 53A_R5_SA-04(03)(c)


TDA-02.4 TDA-02.4_A01 security configurations for the system, component or service are defined. 53A_R5_SA-04(05)_ODP

TDA-02.4 TDA-02.4_A02 the developer of the system, system component or system service is required to deliver the system, component or service with security configurations implemented. 53A_R5_SA-04(05)(a)

TDA-02.4 TDA-02.4_A03 the configurations are used as the default for any subsequent system, component or service reinstallation or upgrade. 53A_R5_SA-04(05)(b)

TDA-02.5 TDA-02.5_A01 process owners identify the ports, protocols and other services necessary to operate their technology solutions. SCF Created

TDA-02.5 TDA-02.5_A02 process owners document legitimate business justifications for the ports, protocols and other services necessary to operate their technology solutions. SCF Created

TDA-02.6 TDA-02.6_A01 risks associated with the use of insecure ports, protocols and services necessary to operate technology solutions are appropriately mitigated. SCF Created

TDA-02.7 TDA-02.7_A01 security representatives to be included in the configuration change management and control process are defined. 53A_R5_SA-10(07)_ODP[01]

TDA-02.7 TDA-02.7_A02 privacy representatives to be included in the configuration change management and control process are defined. 53A_R5_SA-10(07)_ODP[02]

TDA-02.7 TDA-02.7_A03 configuration change management and control processes in which security representatives are required to be included are defined. 53A_R5_SA-10(07)_ODP[03]

TDA-02.7 TDA-02.7_A04 configuration change management and control processes in which privacy representatives are required to be included are defined. 53A_R5_SA-10(07)_ODP[04]

TDA-02.7 TDA-02.7_A05 organization-defined security representatives are required to be included in the organization-defined configuration change management and control processes. 53A_R5_SA-10(07)[01]

TDA-02.7 TDA-02.7_A06 organization-defined privacy representatives are required to be included in the organization-defined configuration change management and control processes. 53A_R5_SA-10(07)[02]

TDA-03 TDA-03_A01 the organization only uses Commercial Off-the-Shelf (COTS) security products. SCF Created

TDA-03 TDA-03_A02 for classified environments, only Government Off-The-Shelf (GOTS) or Commercial Off-The-Shelf (COTS) information assurance and information assurance-enabled information technology products that compose an NSA-approved solution are employed. 53A_R5_SA-04(06)(a)

TDA-03 TDA-03_A03 for classified environments, GOTS and COTS products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. 53A_R5_SA-04(06)(b)

TDA-03.1 TDA-03.1_A01 controls to be allocated are defined. 53A_R5_PL-08(02)_ODP[01]

TDA-03.1 TDA-03.1_A02 locations and architectural layers are defined. 53A_R5_PL-08(02)_ODP[02]

TDA-03.1 TDA-03.1_A03 controls that are allocated to locations and architectural layers are required to be obtained from different suppliers. 53A_R5_PL-08(02)

TDA-03.1 TDA-03.1_A04 system components with a diverse set of sources are defined. 53A_R5_SR-03(01)_ODP[01]

TDA-03.1 TDA-03.1_A05 services with a diverse set of sources are defined. 53A_R5_SR-03(01)_ODP[02]

TDA-03.1 TDA-03.1_A06 a diverse set of sources is employed for system components. 53A_R5_SR-03(01)[01]

TDA-03.1 TDA-03.1_A07 a diverse set of sources is employed for services. 53A_R5_SR-03(01)[02]

TDA-04 TDA-04_A01 actions to take when system, system component or system service documentation is either unavailable or nonexistent are defined. 53A_R5_SA-05_ODP[01]

TDA-04 TDA-04_A02 personnel or roles to distribute system documentation to is/are defined. 53A_R5_SA-05_ODP[02]

TDA-04 TDA-04_A03 administrator documentation for the system, system component or system service that describes the secure configuration of the system, component or service is obtained or developed. 53A_R5_SA-05a.01[01]

TDA-04 TDA-04_A04 administrator documentation for the system, system component or system service that describes the secure installation of the system, component or service is obtained or developed. 53A_R5_SA-05a.01[02]

TDA-04 TDA-04_A05 administrator documentation for the system, system component or system service that describes the secure operation of the system, component or service is obtained or developed. 53A_R5_SA-05a.01[03]

TDA-04 TDA-04_A06 administrator documentation for the system, system component or system service that describes the effective use of security functions and mechanisms is obtained or developed. 53A_R5_SA-05a.02[01]

TDA-04 TDA-04_A07 administrator documentation for the system, system component or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed. 53A_R5_SA-05a.02[02]

TDA-04 TDA-04_A08 administrator documentation for the system, system component or system service that describes the effective use of privacy functions and mechanisms is obtained or developed. 53A_R5_SA-05a.02[03]

TDA-04 TDA-04_A09 administrator documentation for the system, system component or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed. 53A_R5_SA-05a.02[04]

TDA-04 TDA-04_A10 administrator documentation for the system, system component or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed. 53A_R5_SA-05a.03[01]

TDA-04 TDA-04_A11 administrator documentation for the system, system component or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed. 53A_R5_SA-05a.03[02]

TDA-04 TDA-04_A12 user documentation for the system, system component or system service that describes user-accessible security functions and mechanisms is obtained or developed. 53A_R5_SA-05b.01[01]

TDA-04 TDA-04_A13 user documentation for the system, system component or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed. 53A_R5_SA-05b.01[02]

TDA-04 TDA-04_A14 user documentation for the system, system component or system service that describes user-accessible privacy functions and mechanisms is obtained or developed. 53A_R5_SA-05b.01[03]


TDA-04 TDA-04_A15 user documentation for the system, system component or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed. 53A_R5_SA-05b.01[04]

TDA-04 TDA-04_A16 user documentation for the system, system component or system service that describes methods for user interaction, which enable individuals to use the system, component or service in a more secure manner is obtained or developed. 53A_R5_SA-05b.02[01]

TDA-04 TDA-04_A17 user documentation for the system, system component or system service that describes methods for user interaction, which enable individuals to use the system, component or service to protect individual privacy is obtained or developed. 53A_R5_SA-05b.02[02]

TDA-04 TDA-04_A18 user documentation for the system, system component or system service that describes user responsibilities for maintaining the security of the system, component or service is obtained or developed. 53A_R5_SA-05b.03[01]

TDA-04 TDA-04_A19 user documentation for the system, system component or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed. 53A_R5_SA-05b.03[02]

TDA-04 TDA-04_A20 attempts to obtain system, system component or system service documentation when such documentation is either unavailable or nonexistent are documented. 53A_R5_SA-05c.[01]

TDA-04 TDA-04_A21 after attempts to obtain system, system component or system service documentation when such documentation is either unavailable or nonexistent, actions are taken in response. 53A_R5_SA-05c.[02]

TDA-04 TDA-04_A22 documentation is distributed to organization-defined personnel or roles. 53A_R5_SA-05d.

TDA-04.1 TDA-04.1_A01 the developer of the system, system component or system service is required to provide a description of the functional properties of the controls to be implemented. 53A_R5_SA-04(01)

TDA-04.1 TDA-04.1_A02 organization-defined criteria for security-relevant information pertaining to external system interfaces, high-level design, low-level design, source code or hardware schematics and design and implementation information are documented in a System Security Plan (SSP). 53A_R5_SA-04(02)_ODP[01]

TDA-04.1 TDA-04.1_A03 design and implementation information is defined. 53A_R5_SA-04(02)_ODP[02]

TDA-04.1 TDA-04.1_A04 level of detail is defined. 53A_R5_SA-04(02)_ODP[03]

TDA-04.1 TDA-04.1_A05 the developer of the system, system component or system service is required to provide design and implementation information for the controls that includes organization-defined design and implementation information at an organization-defined level of detail. 53A_R5_SA-04(02)

TDA-04.2 TDA-04.2_A01 a Software Bill of Materials (SBOM) for systems, applications and services lists software packages in use, including versions and applicable licenses. SCF Created

TDA-05 TDA-05_A01 the developer of the system, system component or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part of the organization’s enterprise architecture. 53A_R5_SA-17(a)[01]

TDA-05 TDA-05_A02 the developer of the system, system component or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part of the organization’s enterprise architecture. 53A_R5_SA-17(a)[02]

TDA-05 TDA-05_A03 the developer of the system, system component or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components. 53A_R5_SA-17(b)[01]

TDA-05 TDA-05_A04 the developer of the system, system component or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components. 53A_R5_SA-17(b)[02]

TDA-05 TDA-05_A05 the developer of the system, system component or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms and services work together to provide required security capabilities and a unified approach to protection. 53A_R5_SA-17(c)[01]

TDA-05 TDA-05_A06 the developer of the system, system component or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms and services work together to provide required privacy capabilities and a unified approach to protection. 53A_R5_SA-17(c)[02]

TDA-05.1 TDA-05.1_A01 physical diagnostic and test interfaces are secured to prevent misuse. SCF Created

TDA-05.2 TDA-05.2_A01 endpoint devices are configured to log events and generate alerts for attempts to access diagnostic and test interfaces. SCF Created

TDA-06 TDA-06_A01 software development techniques that promote effective cybersecurity are identified. 171A_3.13.2[b], 53A_R5_SA-04(03)_ODP[01], 53A_R5_SA-04(03)_ODP[02], 53A_R5_SA-04(03)_ODP[03], 53A_R5_SA-04(03)_ODP[05], 53A_R5_SA-04(03)_ODP[06]

TDA-06 TDA-06_A02 testing, evaluation, assessment, verification and validation methods are defined. 53A_R5_SA-04(03)_ODP[07]

TDA-06 TDA-06_A03 quality control processes are defined. 53A_R5_SA-04(03)_ODP[08]

TDA-06 TDA-06_A04 privacy engineering methods are defined. 53A_R5_SA-04(03)_ODP[04]

TDA-06 TDA-06_A05 identified software development techniques that promote effective cybersecurity are employed. 171A_3.13.2[e]

TDA-06 TDA-06_A06 frequency at which to review the development process, standards, tools, tool options and tool configurations is defined. 53A_R5_SA-15_ODP[01]

TDA-06 TDA-06_A07 security requirements to be satisfied by the process, standards, tools, tool options and tool configurations are defined. 53A_R5_SA-15_ODP[02]

TDA-06 TDA-06_A08 privacy requirements to be satisfied by the process, standards, tools, tool options and tool configurations are defined. 53A_R5_SA-15_ODP[03]

TDA-06 TDA-06_A09 the developer of the system, system component or system service is required to follow a documented development process that explicitly addresses security requirements. 53A_R5_SA-15a.01[01]

TDA-06 TDA-06_A10 the developer of the system, system component or system service is required to follow a documented development process that explicitly addresses privacy requirements. 53A_R5_SA-15a.01[02]

TDA-06 TDA-06_A11 the developer of the system, system component or system service is required to follow a documented development process that identifies the standards used in the development process. 53A_R5_SA-15a.02[01]

TDA-06 TDA-06_A12 the developer of the system, system component or system service is required to follow a documented development process that identifies the tools used in the development process. 53A_R5_SA-15a.02[02]

TDA-06 TDA-06_A13 the developer of the system, system component or system service is required to follow a documented development process that documents the specific tool used in the development process. 53A_R5_SA-15a.03[01]

TDA-06 TDA-06_A14 the developer of the system, system component or system service is required to follow a documented development process that documents the specific tool configurations used in the development process. 53A_R5_SA-15a.03[02]


TDA-06 TDA-06_A15 the developer of the system, system component or system service is required to follow a documented development process that documents, manages and ensures the integrity of changes to the process and/or tools used in development. 53A_R5_SA-15a.04

TDA-06 TDA-06_A16 the developer of the system, system component or system service is required to follow a documented development process in which the development process, standards, tools, tool options and tool configurations are reviewed frequently to determine that the process, standards, tools, tool options and tool configurations selected and employed satisfy security requirements. 53A_R5_SA-15b.[01]

TDA-06 TDA-06_A17 the developer of the system, system component or system service is required to follow a documented development process in which the development process, standards, tools, tool options and tool configurations are reviewed frequently to determine that the process, standards, tools, tool options and tool configurations selected and employed satisfy privacy requirements. 53A_R5_SA-15b.[02]

TDA-06 TDA-06_A18 the developer of the system, system component or system service is required to demonstrate the use of a system development life cycle process that includes organization-defined system security engineering methods. 53A_R5_SA-04(03)(a), 53A_R5_SA-04(03)(b), 53A_R5_SA-04(03)(c)

TDA-06.1 TDA-06.1_A01 decision points in the system development life cycle are defined. 53A_R5_SA-15(03)_ODP[01]

TDA-06.1 TDA-06.1_A02 the breadth of criticality analysis is defined. 53A_R5_SA-15(03)_ODP[02]

TDA-06.1 TDA-06.1_A03 the depth of criticality analysis is defined. 53A_R5_SA-15(03)_ODP[03]

TDA-06.1 TDA-06.1_A04 the developer of the system, system component, or system service is required to perform a criticality analysis at organization-defined decision points in the system development life cycle. 53A_R5_SA-15(03)(a)

TDA-06.1 TDA-06.1_A05 the developer of the system, system component, or system service is required to perform a criticality analysis per an organization-defined breadth. 53A_R5_SA-15(03)(b)[01]

TDA-06.1 TDA-06.1_A06 the developer of the system, system component, or system service is required to perform a criticality analysis per an organization-defined depth. 53A_R5_SA-15(03)(b)[02]

TDA-06.1 TDA-06.1_A07 suppliers of critical or mission-essential technologies, products and services are identified. 53A_R5_PM-30(01)[01]

TDA-06.1 TDA-06.1_A08 suppliers of critical or mission-essential technologies, products and services are prioritized. 53A_R5_PM-30(01)[02]

TDA-06.1 TDA-06.1_A09 suppliers of critical or mission-essential technologies, products and services are assessed. 53A_R5_PM-30(01)[03]

TDA-06.2 TDA-06.2_A01 threat modelling and other secure design techniques are used to ensure that threats to software and solutions are identified and accounted for. SCF Created

TDA-06.3 TDA-06.3_A01 a Software Assurance Maturity Model (SAMM) governs a secure development lifecycle for the development of systems, applications and services. SCF Created

TDA-06.4 TDA-06.4_A01 a supporting toolchain helps ensure the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle. SCF Created

TDA-06.5 TDA-06.5_A01 an independent review of the software design confirms that all cybersecurity & privacy requirements are met and that any identified risks are satisfactorily addressed. SCF Created

TDA-07 TDA-07_A01 system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component or system service. 53A_R5_SA-03(01)

TDA-08 TDA-08_A01 changes to the system are analyzed in a separate test environment before implementation in an operational environment. 53A_R5_CM-04(01)[01]

TDA-08 TDA-08_A02 changes to the system are analyzed for security impacts due to flaws. 53A_R5_CM-04(01)[02]

TDA-08 TDA-08_A03 changes to the system are analyzed for privacy impacts due to flaws. 53A_R5_CM-04(01)[03]

TDA-08 TDA-08_A04 changes to the system are analyzed for security impacts due to weaknesses. 53A_R5_CM-04(01)[04]

TDA-08 TDA-08_A05 changes to the system are analyzed for privacy impacts due to weaknesses. 53A_R5_CM-04(01)[05]

TDA-08 TDA-08_A06 changes to the system are analyzed for security impacts due to incompatibility. 53A_R5_CM-04(01)[06]

TDA-08 TDA-08_A07 changes to the system are analyzed for privacy impacts due to incompatibility. 53A_R5_CM-04(01)[07]

TDA-08 TDA-08_A08 changes to the system are analyzed for security impacts due to intentional malice. 53A_R5_CM-04(01)[08]

TDA-08 TDA-08_A09 changes to the system are analyzed for privacy impacts due to intentional malice. 53A_R5_CM-04(01)[09]

TDA-08.1 TDA-08.1_A01 secure migration practices purge systems, applications and services of test/development/staging data and accounts before it is migrated into a production environment. SCF Created

TDA-09 TDA-09_A01 the developer of the system, system component or system service is required to demonstrate the use of a system development life cycle process that includes organization-defined system security engineering methods. 53A_R5_SA-04(03)(a), 53A_R5_SA-04(03)(b), 53A_R5_SA-04(03)(c)

TDA-09 TDA-09_A02 frequency at which to conduct testing/evaluation is defined. 53A_R5_SA-11_ODP[01], 53A_R5_SA-11_ODP[02]

TDA-09 TDA-09_A03 the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments. 53A_R5_SA-11a.[01]

TDA-09 TDA-09_A04 the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments. 53A_R5_SA-11a.[02]

TDA-09 TDA-09_A05 the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments. 53A_R5_SA-11a.[03]

TDA-09 TDA-09_A06 the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments. 53A_R5_SA-11a.[04]

TDA-09 TDA-09_A07 the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to perform testing/evaluation at the organization-defined frequency and at the organization-defined depth and coverage. 53A_R5_SA-11b.

TDA-09 TDA-09_A08 the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan. 53A_R5_SA-11c.[01]


TDA-09 TDA-09_A09 the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation. 53A_R5_SA-11c.[02]

TDA-09 TDA-09_A10 the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process. 53A_R5_SA-11d.

TDA-09 TDA-09_A11 the developer of the system, system component or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation. 53A_R5_SA-11e.

TDA-09 TDA-09_A12 the developer of the system, system component or system service is required to perform attack surface reviews. 53A_R5_SA-11(06)

TDA-09 TDA-09_A13 the breadth of testing and evaluation of required controls is defined. 53A_R5_SA-11(07)_ODP[01], 53A_R5_SA-11_ODP[03], 53A_R5_SA-11_ODP[01]

TDA-09 TDA-09_A14 the depth of testing and evaluation of required controls is defined. 53A_R5_SA-11(07)_ODP[02], 53A_R5_SA-11_ODP[03], 53A_R5_SA-11_ODP[01]

TDA-09 TDA-09_A15 the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls per an organization-defined breadth. 53A_R5_SA-11(07)[01]

TDA-09 TDA-09_A16 the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls per an organization-defined depth. 53A_R5_SA-11(07)[02]

TDA-09.1 TDA-09.1_A01 the developer of the system, system component or system service is required to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization. 53A_R5_SA-04(08)

TDA-09.2 TDA-09.2_A01 the developer of the system, system component or system service is required to employ static code analysis tools to identify common flaws. 53A_R5_SA-11(01)[01]

TDA-09.2 TDA-09.2_A02 the developer of the system, system component or system service is required to employ static code analysis tools to document the results of the analysis. 53A_R5_SA-11(01)[02]

TDA-09.3 TDA-09.3_A01 the developer of the system, system component or system service is required to employ dynamic code analysis tools to identify common flaws. 53A_R5_SA-11(08)[01]

TDA-09.3 TDA-09.3_A02 the developer of the system, system component or system service is required to document the results of the analysis. 53A_R5_SA-11(08)[02]

TDA-09.4 TDA-09.4_A01 the developer of the system, system component, or system service is required to perform penetration testing per an organization-defined breadth. 53A_R5_SA-11(05)(a)[01]

TDA-09.4 TDA-09.4_A02 the developer of the system, system component, or system service is required to perform penetration testing per an organization-defined depth. 53A_R5_SA-11(05)(a)[02]

TDA-09.4 TDA-09.4_A03 the developer of the system, system component, or system service is required to perform penetration testing under organization-defined constraints. 53A_R5_SA-11(05)(b)

TDA-09.4 TDA-09.4_A04 the developer of the system, system component or system service is required to perform attack surface reviews. 53A_R5_SA-11(06)

TDA-09.5 TDA-09.5_A01 the developer of the system, system component, or system service is required to perform penetration testing per an organization-defined breadth. 53A_R5_SA-11(05)(a)[01]

TDA-09.5 TDA-09.5_A02 the developer of the system, system component, or system service is required to perform penetration testing per an organization-defined depth. 53A_R5_SA-11(05)(a)[02]

TDA-09.5 TDA-09.5_A03 the developer of the system, system component, or system service is required to perform penetration testing under organization-defined constraints. 53A_R5_SA-11(05)(b)

TDA-09.5 TDA-09.5_A04 the developer of the system, system component or system service is required to perform attack surface reviews. 53A_R5_SA-11(06)

TDA-09.6 TDA-09.6_A01 default secure configuration settings reduce the likelihood of software being deployed with weak security settings that would put the asset at a greater risk of compromise. SCF Created

TDA-09.7 TDA-09.7_A01 specific code requiring manual code review is defined. 53A_R5_SA-11(04)_ODP[01]

TDA-09.7 TDA-09.7_A02 processes, procedures, and/or techniques used for manual code reviews are defined. 53A_R5_SA-11(04)_ODP[02]

TDA-09.7 TDA-09.7_A03 the developer of the system, system component, or system service is required to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques. 53A_R5_SA-11(04)

TDA-10 TDA-10_A01 the use of live data in pre-production environments is approved for the system, system component or system service. 53A_R5_SA-03(02)a.[01]

TDA-10 TDA-10_A02 the use of live data in pre-production environments is documented for the system, system component or system service. 53A_R5_SA-03(02)a.[02]

TDA-10 TDA-10_A03 the use of live data in pre-production environments is controlled for the system, system component or system service. 53A_R5_SA-03(02)a.[03]

TDA-10 TDA-10_A04 pre-production environments for the system, system component or system service are protected at the same impact or classification level as any live data in use within the pre-production environments. 53A_R5_SA-03(02)b.

TDA-10.1 TDA-10.1_A01 the integrity of test data is ensured through existing cybersecurity & privacy controls. SCF Created

TDA-11 TDA-11_A01 controls to validate that the system or system component received is genuine are defined. 53A_R5_SR-04(03)_ODP[01]

TDA-11 TDA-11_A02 controls to validate that the system or system component received has not been altered are defined. 53A_R5_SR-04(03)_ODP[02]

TDA-11 TDA-11_A03 controls are employed to validate that the system or system component received is genuine. 53A_R5_SR-04(03)[01]

TDA-11 TDA-11_A04 controls are employed to validate that the system or system component received has not been altered. 53A_R5_SR-04(03)[02]

TDA-11 TDA-11_A05 controls employed to ensure that the integrity of the system and system component are defined. 53A_R5_SR-04(04)_ODP[01]

TDA-11 TDA-11_A06 an analysis method to be conducted to validate the internal composition and provenance of critical or mission-essential technologies, products and services to ensure the integrity of the system and system component is defined. 53A_R5_SR-04(04)_ODP[02]

Licensed by Creative Commons Attribution-NoDerivatives 229 of 280



TDA-11 TDA-11_A07 controls are employed to ensure the integrity of the system and system components. 53A_R5_SR-04(04)[01]

TDA-11 TDA-11_A08 analysis method is conducted to ensure the integrity of the system and system components. 53A_R5_SR-04(04)[02]

TDA-11 TDA-11_A09 systems or system components that require inspection are defined. 53A_R5_SR-10_ODP[01]

TDA-11 TDA-11_A10 frequency at which to inspect systems or system components is defined. 53A_R5_SR-10_ODP[02]; 53A_R5_SR-10_ODP[03]

TDA-11 TDA-11_A11 indications of the need for an inspection of systems or system components are defined. 53A_R5_SR-10_ODP[04]

TDA-11 TDA-11_A12 systems or system components are inspected to detect tampering. 53A_R5_SR-10

TDA-11 TDA-11_A13 external reporting organizations to whom counterfeit system components are to be reported is/are defined. 53A_R5_SR-11_ODP[01]; 53A_R5_SR-11_ODP[02]

TDA-11 TDA-11_A14 personnel or roles to whom counterfeit system components are to be reported is/are defined. 53A_R5_SR-11_ODP[03]

TDA-11 TDA-11_A15 anti-counterfeit procedures are developed and implemented. 53A_R5_SR-11a.[02]

TDA-11 TDA-11_A16 the anti-counterfeit procedures include the means to detect counterfeit components entering the system. 53A_R5_SR-11a.[03]

TDA-11 TDA-11_A17 the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system. 53A_R5_SR-11a.[04]

TDA-11 TDA-11_A18 counterfeit system components are reported per organization-defined criteria. 53A_R5_SR-11b.

TDA-11 TDA-11_A19 the frequency at which to scan for counterfeit system components is defined. 53A_R5_SR-11(03)_ODP

TDA-11 TDA-11_A20 scanning for counterfeit system components is conducted per an organization-defined frequency. 53A_R5_SR-11(03)

TDA-11.1 TDA-11.1_A01 personnel or roles requiring training to detect counterfeit system components (including hardware, software and firmware) is/are defined. 53A_R5_SR-11(01)_ODP

TDA-11.1 TDA-11.1_A02 personnel or roles are trained to detect counterfeit system components (including hardware, software and firmware). 53A_R5_SR-11(01)

TDA-12 TDA-12_A01 suppliers of critical or mission-essential technologies, products and services are identified. 53A_R5_PM-30(01)[01]

TDA-12 TDA-12_A02 suppliers of critical or mission-essential technologies, products and services are prioritized. 53A_R5_PM-30(01)[02]

TDA-12 TDA-12_A03 suppliers of critical or mission-essential technologies, products and services are assessed. 53A_R5_PM-30(01)[03]

TDA-12 TDA-12_A04 critical system components to be reimplemented or custom-developed are defined. 53A_R5_SA-20_ODP

TDA-12 TDA-12_A05 organization-defined critical system components are reimplemented or custom-developed. 53A_R5_SA-20

TDA-12 TDA-12_A06 systems or system components supporting mission-essential services or functions are defined. 53A_R5_SA-23_ODP[01]; 53A_R5_SA-23_ODP[02]

TDA-12 TDA-12_A07 organization-defined criteria are employed on systems or system components supporting essential services or functions to increase the trustworthiness in those systems or components. 53A_R5_SA-23

TDA-13 TDA-13_A01 the system, system component or system service that the developer has access to is/are defined. 53A_R5_SA-21_ODP[01]

TDA-13 TDA-13_A02 official duties assigned to the developer are defined. 53A_R5_SA-21_ODP[02]

TDA-13 TDA-13_A03 additional personnel screening criteria for the developer are defined. 53A_R5_SA-21_ODP[03]; 172A_3.9.1e_ODP[1]

TDA-14 TDA-14_A01 the frequency with which to reassess individual positions and access to sensitive / regulated data is defined. 172A_3.9.1e_ODP[2]

TDA-14 TDA-14_A02 individuals that require enhanced personnel screening are identified. 172A_3.9.1e[a]

TDA-14 TDA-14_A03 positions that require access to sensitive / regulated data are identified. 172A_3.9.1e[b]

TDA-14 TDA-14_A04 organization-defined enhanced personnel screening is conducted for individuals. 53A_R5_SA-21b.; 172A_3.9.1e_ODP[1]; 172A_3.9.1e[c]

TDA-14 TDA-14_A05 individual positions and access to sensitive / regulated data is reassessed per an organization-defined frequency. 172A_3.9.1e[d]

TDA-14 TDA-14_A06 individuals with access to sensitive / regulated data are identified. 172A_3.9.2e[a]

TDA-14 TDA-14_A07 adverse information about individuals with access to sensitive / regulated data is defined. 172A_3.9.2e[b]

TDA-14 TDA-14_A08 organizational systems to which individuals have access are identified. 172A_3.9.2e[c]

TDA-14 TDA-14_A09 mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to sensitive / regulated data. 172A_3.9.2e[d]

TDA-14 TDA-14_A10 the developer of the system, system component or system service is required to have appropriate access authorizations as determined by assigned official duties. 53A_R5_SA-21a.




TDA-14 TDA-14_A11 configuration items under configuration management are defined. 53A_R5_SA-10_ODP[01]; 53A_R5_SA-10_ODP[02]

TDA-14 TDA-14_A12 personnel to whom security flaws and flaw resolutions within the system, component or service are reported is/are defined. 53A_R5_SA-10_ODP[03]

TDA-14 TDA-14_A13 the developer of the system, system component or system service is required to perform configuration management during organization-defined stages of the system, component or service life cycle. 53A_R5_SA-10a.

TDA-14 TDA-14_A14 the developer of the system, system component or system service is required to document the integrity of changes to configuration items. 53A_R5_SA-10b.[01]

TDA-14 TDA-14_A15 the developer of the system, system component or system service is required to manage the integrity of changes to configuration items. 53A_R5_SA-10b.[02]

TDA-14 TDA-14_A16 the developer of the system, system component or system service is required to control the integrity of changes to configuration items. 53A_R5_SA-10b.[03]

TDA-14 TDA-14_A17 the developer of the system, system component or system service is required to implement only organization-approved changes to the system, component or service. 53A_R5_SA-10c.

TDA-14 TDA-14_A18 the developer of the system, system component or system service is required to document approved changes to the system, component or service. 53A_R5_SA-10d.[01]

TDA-14 TDA-14_A19 the developer of the system, system component or system service is required to document the potential security impacts of approved changes. 53A_R5_SA-10d.[02]

TDA-14 TDA-14_A20 the developer of the system, system component or system service is required to document the potential privacy impacts of approved changes. 53A_R5_SA-10d.[03]

TDA-14 TDA-14_A21 the developer of the system, system component or system service is required to track security flaws within the system, component or service. 53A_R5_SA-10e.[01]

TDA-14 TDA-14_A22 the developer of the system, system component or system service is required to track security flaw resolutions within the system, component or service. 53A_R5_SA-10e.[02]

TDA-14 TDA-14_A23 the developer of the system, system component or system service is required to report findings to personnel. 53A_R5_SA-10e.[03]

TDA-14 TDA-14_A24 an alternate configuration management process has been provided using organizational personnel in the absence of a dedicated developer configuration management team. 53A_R5_SA-10(02)

TDA-14.1 TDA-14.1_A01 the developer of the system, system component or system service is required to enable integrity verification of software and firmware components. 53A_R5_SA-10(01)

TDA-14.2 TDA-14.2_A01 independence criteria to be satisfied by an independent agent are defined. 53A_R5_SA-11(03)_ODP

TDA-14.2 TDA-14.2_A02 an independent agent is required to satisfy organization-defined independence criteria to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation. 53A_R5_SA-11(03)(a)[01]

TDA-14.2 TDA-14.2_A03 an independent agent is required to satisfy organization-defined independence criteria to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation. 53A_R5_SA-11(03)(a)[02]

TDA-14.2 TDA-14.2_A04 the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information. 53A_R5_SA-11(03)(b)

TDA-15 TDA-15_A01 information concerning impact, environment of operations, known or assumed threats and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined. 53A_R5_SA-11(02)_ODP[01]

TDA-15 TDA-15_A02 the tools and methods to be employed for threat modeling and vulnerability analyses are defined. 53A_R5_SA-11(02)_ODP[02]

TDA-15 TDA-15_A03 the breadth and depth of threat modeling to be conducted is defined. 53A_R5_SA-11(02)_ODP[03]

TDA-15 TDA-15_A04 the breadth and depth of vulnerability analyses to be conducted is defined. 53A_R5_SA-11(02)_ODP[04]

TDA-15 TDA-15_A05 acceptance criteria to be met by produced evidence for threat modeling are defined. 53A_R5_SA-11(02)_ODP[05]

TDA-15 TDA-15_A06 acceptance criteria to be met by produced evidence for vulnerability analyses are defined. 53A_R5_SA-11(02)_ODP[06]

TDA-15 TDA-15_A07 the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses organization-defined information. 53A_R5_SA-11(02)(a)[01]

TDA-15 TDA-15_A08 the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses organization-defined information. 53A_R5_SA-11(02)(a)[02]

TDA-15 TDA-15_A09 the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses organization-defined information. 53A_R5_SA-11(02)(a)[03]

TDA-15 TDA-15_A10 the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses organization-defined information. 53A_R5_SA-11(02)(a)[04]

TDA-15 TDA-15_A11 the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs organization-defined tools and methods. 53A_R5_SA-11(02)(b)[01]

TDA-15 TDA-15_A12 the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs organization-defined tools and methods. 53A_R5_SA-11(02)(b)[02]

TDA-15 TDA-15_A13 the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs organization-defined tools and methods. 53A_R5_SA-11(02)(b)[03]

TDA-15 TDA-15_A14 the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs organization-defined tools and methods. 53A_R5_SA-11(02)(b)[04]

TDA-15 TDA-15_A15 the developer of the system, system component, or system service is required to perform threat modeling per an organization-defined breadth and depth during development of the system, component or service. 53A_R5_SA-11(02)(c)[01]

TDA-15 TDA-15_A16 the developer of the system, system component, or system service is required to perform vulnerability analyses per an organization-defined breadth and depth during the subsequent testing and evaluation of the system, component or service. 53A_R5_SA-11(02)(c)[02]

TDA-15 TDA-15_A17 the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets organization-defined acceptance criteria. 53A_R5_SA-11(02)(d)[01]




TDA-15 TDA-15_A18 the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets organization-defined acceptance criteria. 53A_R5_SA-11(02)(d)[02]

TDA-15 TDA-15_A19 the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets organization-defined acceptance criteria. 53A_R5_SA-11(02)(d)[03]

TDA-15 TDA-15_A20 the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets organization-defined acceptance criteria. 53A_R5_SA-11(02)(d)[04]

TDA-16 TDA-16_A01 training on the correct use and operation of the implemented cybersecurity & privacy functions, controls, and/or mechanisms provided by the developer of the system, system component or system service is defined. 53A_R5_SA-16_ODP

TDA-16 TDA-16_A02 training on the correct use and operation of the implemented cybersecurity & privacy functions, controls, and/or mechanisms is provided by the developer of the system, system component or system service. 53A_R5_SA-16

TDA-17 TDA-17_A01 support from external providers is defined. 53A_R5_SA-22_ODP[01]; 53A_R5_SA-22_ODP[02]

TDA-17 TDA-17_A02 system components are replaced when support for the components is no longer available from the developer, vendor or manufacturer. 53A_R5_SA-22a.

TDA-17.1 TDA-17.1_A01 options for alternative sources of continued support for unsupported components are provided. 53A_R5_SA-22b.

TDA-18 TDA-18_A01 approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies. 53A_R5_AC-03

TDA-18 TDA-18_A02 information inputs to the system requiring validity checks are defined. 53A_R5_SI-10_ODP

TDA-18 TDA-18_A03 the validity of the organization-defined information inputs is checked. 53A_R5_SI-10

TDA-19 TDA-19_A01 personnel or roles to whom error messages are to be revealed is/are defined. 53A_R5_SI-11_ODP

TDA-19 TDA-19_A02 error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited. 53A_R5_SI-11a.

TDA-19 TDA-19_A03 error messages are revealed only to organization-defined personnel or roles. 53A_R5_SI-11b.
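TDA-18 and TDA-19 are easier to assess against a concrete request handler. The Python below is an added example written for this page; it is not SCF or NIST material and not the code of any product. The request format, the allow-list rules, the in-memory INTERNAL_LOG sink (standing in for a log that only the organization-defined personnel or roles can read) and the deliberately failing username are all constructed assumptions. It shows the two halves together: inputs checked against an allow-list before use, and error responses that tell the client which field broke which rule while internal detail (hosts, credentials, stack traces) stays out of the response and is tied to it only by a reference.

```python
import json
import re
import secrets

# Constructed allow-list rules for a "create user" request (assumed format, not from the SCF).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
ALLOWED_ROLES = frozenset({"viewer", "editor"})
ALLOWED_FIELDS = frozenset({"username", "role"})
MAX_BODY_BYTES = 4096

# Stands in for a log sink readable only by the organization-defined personnel or roles.
INTERNAL_LOG: list[dict] = []


class ValidationError(ValueError):
    """Input rejected by the allow-list; carries what the client needs in order to fix it."""

    def __init__(self, field: str, reason: str):
        super().__init__(f"{field}: {reason}")
        self.field = field
        self.reason = reason


def validate_create_user(raw: bytes) -> dict:
    """TDA-18: check size, syntax, field set and each field's value against an allow-list."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body", f"exceeds {MAX_BODY_BYTES} bytes")
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValidationError("body", f"malformed JSON near offset {exc.pos}") from exc
    if not isinstance(body, dict):
        raise ValidationError("body", "must be a JSON object")
    unknown = sorted(set(body) - ALLOWED_FIELDS)
    if unknown:
        raise ValidationError("body", f"unexpected fields: {', '.join(unknown)}")
    username = body.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username", "lowercase letter followed by 2-31 of [a-z0-9_]")
    role = body.get("role")
    if not isinstance(role, str) or role not in ALLOWED_ROLES:
        raise ValidationError("role", f"must be one of: {', '.join(sorted(ALLOWED_ROLES))}")
    return {"username": username, "role": role}


def handle_create_user(raw: bytes) -> tuple:
    """TDA-19: return (status, body); the client gets corrective detail, never internals."""
    ref = secrets.token_hex(8)  # correlates the client message with the internal record
    try:
        user = validate_create_user(raw)
        # Constructed downstream failure so the unexpected-error path can be exercised.
        if user["username"] == "trigger_crash":
            raise RuntimeError("db: connect 10.0.0.5:5432 refused (password=hunter2)")
        return 201, {"ref": ref, "created": user["username"]}
    except ValidationError as exc:
        INTERNAL_LOG.append({"ref": ref, "kind": "validation", "detail": str(exc)})
        return 400, {"ref": ref, "error": "invalid input", "field": exc.field, "reason": exc.reason}
    except Exception as exc:
        # Full detail goes only to the restricted log; the client gets a reference to quote.
        INTERNAL_LOG.append({"ref": ref, "kind": "internal", "detail": repr(exc)})
        return 500, {"ref": ref, "error": "internal error; quote the reference to support"}


def internal_detail(ref: str) -> str:
    """What the organization-defined personnel or roles see for a given reference."""
    return next((e["detail"] for e in INTERNAL_LOG if e["ref"] == ref), "")


if __name__ == "__main__":
    for sample in (b'{"username": "alice", "role": "viewer"}',
                   b'{"username": "Alice!", "role": "viewer"}',
                   b'{"username": "trigger_crash", "role": "editor"}'):
        print(handle_create_user(sample))
```

The assessor's check maps directly onto the two functions: every field the system accepts has an explicit rule in validate_create_user (TDA-18_A02/A03), and no code path in handle_create_user places exception text in a response body, so the 500 response carries only the reference that the defined roles can look up (TDA-19_A02/A03).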

TDA-20 TDA-20_A01 organization-defined criteria for security-relevant information pertaining to external system interfaces, high-level design, low-level design, source code or hardware schematics and design and implementation information are documented in a System Security Plan (SSP). 53A_R5_SA-04(02)_ODP[01]

TDA-20 TDA-20_A04 the developer of the system, system component or system service is required to provide design and implementation information for the controls that includes the organization-defined security-relevant information at an organization-defined level of detail. 53A_R5_SA-04(02)

TDA-20.1 TDA-20.1_A01 integrity verification information is published for software releases. SCF Created

TDA-20.2 TDA-20.2_A01 software releases and all of their components (e.g., code, package files, third-party libraries, documentation) are securely archived to maintain integrity verification information. SCF Created

TDA-20.3 TDA-20.3_A01 source code and supporting documentation are escrowed to ensure software availability in the event the software provider goes out of business or is unable to provide support. SCF Created
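TDA-11_A01 to A04 (validating that a received component is genuine and unaltered), TDA-14.1 (integrity verification of software and firmware) and TDA-20.1 (publishing integrity verification information for releases) all come down to the same two artifacts: a digest list the publisher ships with a release, and a consumer-side check of that list against what was delivered. The following Python is an added example written for this page, not SCF or NIST material and not any vendor's release tooling. The release files and PUBLISHER_KEY are constructed; the HMAC over the manifest stands in for the publisher's detached signature, which is an assumption of the example (HMAC is a shared-secret construction, so it cannot prove origin to a third party the way a real signature does, and a consumer holding the key could forge a manifest). The important property it does show is that the digest list itself is authenticated before any digest in it is trusted.

```python
import hashlib
import hmac
import json

# Constructed release contents (file name -> bytes); stands in for the files of a real release.
RELEASE_FILES = {
    "app-1.4.2.tar.gz": b"\x1f\x8b constructed archive bytes",
    "app-1.4.2.sbom.json": b'{"bomFormat":"CycloneDX","components":[]}',
    "README.md": b"# app 1.4.2\n",
}
# Constructed key. Stands in for the publisher's signing key (see the caveat in the lead-in).
PUBLISHER_KEY = b"example-publisher-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so publisher and consumer authenticate identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, version: str) -> dict:
    """Publisher side (TDA-20.1): digest every artifact, then authenticate the whole list."""
    payload = {
        "version": version,
        "algorithm": "sha256",
        "files": {name: sha256_hex(data) for name, data in sorted(files.items())},
    }
    auth = hmac.new(PUBLISHER_KEY, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "auth": auth}


def verify_release(manifest: dict, received: dict) -> list:
    """Consumer side (TDA-11, TDA-14.1): an empty list means genuine and unaltered."""
    expected = hmac.new(PUBLISHER_KEY, canonical(manifest["payload"]), hashlib.sha256).hexdigest()
    # Authenticate the manifest first: an unauthenticated digest list proves nothing.
    if not hmac.compare_digest(expected, str(manifest.get("auth", ""))):
        return ["manifest authentication failed; none of its digests can be trusted"]
    if manifest["payload"].get("algorithm") != "sha256":
        return ["manifest uses an unexpected digest algorithm"]
    listed = manifest["payload"]["files"]
    findings = []
    for name in sorted(set(listed) | set(received)):
        if name not in received:
            findings.append(f"{name}: listed in manifest but missing from delivery")
        elif name not in listed:
            findings.append(f"{name}: delivered but not listed in manifest")
        elif not hmac.compare_digest(listed[name], sha256_hex(received[name])):
            findings.append(f"{name}: digest mismatch, artifact altered")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(RELEASE_FILES, "1.4.2")
    print(json.dumps(manifest, indent=2))
    print("clean delivery:", verify_release(manifest, RELEASE_FILES))
    tampered = dict(RELEASE_FILES, **{"app-1.4.2.tar.gz": b"backdoored"})
    print("tampered delivery:", verify_release(manifest, tampered))
```

Three outcomes matter for the assessment: an altered artifact is reported by name (TDA-11_A04), an artifact that was delivered but never listed is reported rather than silently accepted, and an edited or unauthenticated manifest is rejected outright instead of being used to "verify" the tampered files it was edited to match (TDA-11_A03). The archived manifest is also the record TDA-20.2 asks to be retained alongside the release.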

TPM-01 TPM-01_A01 contract language is defined. 53A_R5_SA-04_ODP[01]; 53A_R5_SA-04_ODP[02]

TPM-01 TPM-01_A02 security functional requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04a.[01]

TPM-01 TPM-01_A03 privacy functional requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04a.[02]

TPM-01 TPM-01_A04 strength of mechanism requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04b.

TPM-01 TPM-01_A05 security assurance requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04c.[01]

TPM-01 TPM-01_A06 privacy assurance requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04c.[02]

TPM-01 TPM-01_A07 controls needed to satisfy the security requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04d.[01]

TPM-01 TPM-01_A08 controls needed to satisfy the privacy requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04d.[02]

TPM-01 TPM-01_A09 security documentation requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04e.[01]

TPM-01 TPM-01_A10 privacy documentation requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04e.[02]

TPM-01 TPM-01_A11 requirements for protecting security documentation, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04f.[01]

TPM-01 TPM-01_A12 requirements for protecting privacy documentation, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04f.[02]

TPM-01 TPM-01_A13 the description of the system development environment and the environment in which the system is intended to operate, requirements and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04g.

TPM-01 TPM-01_A14 the allocation of responsibility or identification of parties responsible for cybersecurity requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04h.[01]

TPM-01 TPM-01_A15 the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined criteria. 53A_R5_SA-04h.[02]

TPM-01 TPM-01_A16 the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions and criteria are included, explicitly or by reference, using organization-defined criteria. 53A_R5_SA-04h.[03]

TPM-01 TPM-01_A17 acceptance criteria requirements and descriptions are included, explicitly or by reference, using organization-defined contract language in the acquisition contract for the system, system component or system service. 53A_R5_SA-04i.




TPM-01.1 TPM-01.1_A01 a current, accurate and complete list of Third-Party Service Providers (TSP) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's systems, applications, services and data is maintained. SCF Created

TPM-02 TPM-02_A01 systems, system components or system services to be analyzed for criticality are defined. 53A_R5_RA-09_ODP[01]

TPM-02 TPM-02_A02 decision points in the system development life cycle when a criticality analysis is to be performed are defined. 53A_R5_RA-09_ODP[02]

TPM-02 TPM-02_A03 critical system components and functions are identified by performing a criticality analysis for systems, system components or system services at decision points in the system development life cycle. 53A_R5_RA-09

TPM-02 TPM-02_A04 suppliers of critical or mission-essential technologies, products and services are identified. 53A_R5_PM-30(01)[01]

TPM-02 TPM-02_A05 suppliers of critical or mission-essential technologies, products and services are prioritized. 53A_R5_PM-30(01)[02]

TPM-02 TPM-02_A06 suppliers of critical or mission-essential technologies, products and services are assessed. 53A_R5_PM-30(01)[03]

TPM-03 TPM-03_A01 the personnel, roles and responsibilities of the supply chain risk management team are defined. 53A_R5_SR-02(01)_ODP[01]

TPM-03 TPM-03_A02 supply chain risk management activities are defined. 53A_R5_SR-02(01)_ODP[02]

TPM-03 TPM-03_A03 a supply chain risk management team consisting of personnel, roles and responsibilities is established to lead and support supply chain risk management activities. 53A_R5_SR-02(01)

TPM-03 TPM-03_A04 systems, system components or system services for which a supply chain risk management plan is developed are defined. 53A_R5_SR-02_ODP[01]

TPM-03 TPM-03_A05 the frequency at which to review and update the supply chain risk management plan is defined. 53A_R5_SR-02_ODP[02]

TPM-03 TPM-03_A06 a plan for managing supply chain risks is developed. 53A_R5_SR-02a.[01]

TPM-03 TPM-03_A07 the supply chain risk management plan addresses risks associated with the research and development of systems, system components or system services. 53A_R5_SR-02a.[02]

TPM-03 TPM-03_A08 the supply chain risk management plan addresses risks associated with the design of systems, system components or system services. 53A_R5_SR-02a.[03]

TPM-03 TPM-03_A09 the supply chain risk management plan addresses risks associated with the manufacturing of systems, system components or system services. 53A_R5_SR-02a.[04]

TPM-03 TPM-03_A10 the supply chain risk management plan addresses risks associated with the acquisition of systems, system components or system services. 53A_R5_SR-02a.[05]

TPM-03 TPM-03_A11 the supply chain risk management plan addresses risks associated with the delivery of systems, system components or system services. 53A_R5_SR-02a.[06]

TPM-03 TPM-03_A12 the supply chain risk management plan addresses risks associated with the integration of systems, system components or system services. 53A_R5_SR-02a.[07]

TPM-03 TPM-03_A13 the supply chain risk management plan addresses risks associated with the operation and maintenance of systems, system components or system services. 53A_R5_SR-02a.[08]

TPM-03 TPM-03_A14 the supply chain risk management plan addresses risks associated with the disposal of systems, system components or system services. 53A_R5_SR-02a.[09]

TPM-03 TPM-03_A15 the supply chain risk management plan is reviewed and updated per an organization-defined frequency or as required to address threat, organizational or environmental changes. 53A_R5_SR-02b.

TPM-03 TPM-03_A16 the supply chain risk management plan is protected from unauthorized disclosure. 53A_R5_SR-02c.[01]

TPM-03 TPM-03_A17 the supply chain risk management plan is protected from unauthorized modification. 53A_R5_SR-02c.[02]

TPM-03.1 TPM-03.1_A01 acquisition strategies, contract tools and procurement methods to protect against, identify and mitigate supply chain risks are defined. 53A_R5_SR-05_ODP

TPM-03.1 TPM-03.1_A02 strategies, tools and methods are employed to protect against supply chain risks. 53A_R5_SR-05[01]

TPM-03.1 TPM-03.1_A03 strategies, tools and methods are employed to identify supply chain risks. 53A_R5_SR-05[02]

TPM-03.1 TPM-03.1_A04 strategies, tools and methods are employed to mitigate supply chain risks. 53A_R5_SR-05[03]

TPM-03.2 TPM-03.2_A01 controls to limit harm from potential supply chain adversaries are defined. 53A_R5_SR-03(02)_ODP

TPM-03.2 TPM-03.2_A02 controls are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain. 53A_R5_SR-03(02)

TPM-03.3 TPM-03.3_A01 the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined. 53A_R5_SR-03_ODP[01]

TPM-03.3 TPM-03.3_A02 supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined. 53A_R5_SR-03_ODP[02]

TPM-03.3 TPM-03.3_A03 supply chain controls employed to protect against supply chain risks to the system, system component or system service and to limit the harm or consequences from supply chain-related events are defined. 53A_R5_SR-03_ODP[03]

TPM-03.3 TPM-03.3_A04 the document identifying the selected and implemented supply chain processes and controls is defined. 53A_R5_SR-03_ODP[04]; 53A_R5_SR-03_ODP[05]

TPM-03.3 TPM-03.3_A05 a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of the system or system component. 53A_R5_SR-03a.[01]

TPM-03.3 TPM-03.3_A06 the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of the system or system component is/are coordinated with supply chain personnel. 53A_R5_SR-03a.[02]




TPM-03.3 TPM-03.3_A07 supply chain controls are employed to protect against supply chain risks to the system, system component or system service and to limit the harm or consequences from supply chain-related events. 53A_R5_SR-03b.

TPM-03.3 TPM-03.3_A08 the selected and implemented supply chain processes and controls are documented in accordance with organization-defined criteria. 53A_R5_SR-03c.

TPM-03.4 TPM-03.4_A01 controls to ensure an adequate supply of critical system components are defined. 53A_R5_SR-05(01)_ODP[01]

TPM-03.4 TPM-03.4_A02 critical system components of which an adequate supply is required are defined. 53A_R5_SR-05(01)_ODP[02]

TPM-03.4 TPM-03.4_A03 controls are employed to ensure an adequate supply of critical system components. 53A_R5_SR-05(01)

TPM-04 TPM-04_A01 controls to be employed by external system service providers are defined. 53A_R5_SA-09_ODP[01]

TPM-04 TPM-04_A02 processes, methods and techniques employed to monitor control compliance by external service providers are defined. 53A_R5_SA-09_ODP[02]

TPM-04 TPM-04_A03 providers of external system services comply with organizational security requirements. 53A_R5_SA-09a.[01]

TPM-04 TPM-04_A04 providers of external system services comply with organizational privacy requirements. 53A_R5_SA-09a.[02]

TPM-04 TPM-04_A05 providers of external system services employ controls. 53A_R5_SA-09a.[03]

TPM-04 TPM-04_A06 organizational oversight with regard to external system services is defined and documented. 53A_R5_SA-09b.[01]

TPM-04 TPM-04_A07 user roles and responsibilities with regard to external system services are defined and documented. 53A_R5_SA-09b.[02]

TPM-04 TPM-04_A08 processes, methods and techniques are employed to monitor control compliance by external service providers on an ongoing basis. 53A_R5_SA-09c.

TPM-04.1 TPM-04.1_A01 personnel or roles that approve the acquisition or outsourcing of dedicated cybersecurity services is/are defined. 53A_R5_SA-09(01)_ODP

TPM-04.1 TPM-04.1_A02 an organizational assessment of risk is conducted prior to the acquisition or outsourcing of cybersecurity services. 53A_R5_SA-09(01)(a)

TPM-04.1 TPM-04.1_A03 personnel or roles approve the acquisition or outsourcing of dedicated cybersecurity services. 53A_R5_SA-09(01)(b)

TPM-04.2 TPM-04.2_A01 external system services that require the identification of functions, ports, protocols and other services are defined. 53A_R5_SA-09(02)_ODP

TPM-04.2 TPM-04.2_A02 providers of external system services are required to identify the functions, ports, protocols and other services required for the use of such services. 53A_R5_SA-09(02)

TPM-04.3 TPM-04.3_A01 external service providers are defined. 53A_R5_SA-09(04)_ODP[01]

TPM-04.3 TPM-04.3_A02 actions to be taken to verify that the interests of external service providers are consistent with and reflect organizational interests are defined. 53A_R5_SA-09(04)_ODP[02]

TPM-04.3 TPM-04.3_A03 actions are taken to verify that the interests of external service providers are consistent with and reflect organizational interests. 53A_R5_SA-09(04)

TPM-04.4 TPM-04.4_A01 locations where information processing and data storage is/are to be restricted are defined. 53A_R5_SA-09(05)_ODP[01]; 53A_R5_SA-09(05)_ODP[02]

TPM-04.4 TPM-04.4_A02 requirements or conditions for restricting the location of information processing, information storage or information services are defined. 53A_R5_SA-09(05)_ODP[03]

TPM-04.4 TPM-04.4_A03 based on requirements, information processing, information storage or information services is/are restricted to locations. 53A_R5_SA-09(05)

TPM-04.4 TPM-04.4_A04 the location or site of the facility where the system resides is planned considering physical and environmental hazards. 53A_R5_PE-23a.

TPM-04.4 TPM-04.4_A05 for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy. 53A_R5_PE-23b.

TPM-05 TPM-05_A01 legally-binding contracts are executed to enforce cybersecurity & privacy requirements by third-parties. SCF Created

TPM-05 TPM-05_A02 before sharing sensitive/regulated data, Non-Disclosure Agreements (NDAs) are executed with third parties. SCF Created

TPM-05.1 TPM-05.1_A01 information for which agreements and procedures are to be established are defined. 53A_R5_SR-08_ODP[01]; 53A_R5_SR-08_ODP[02]

TPM-05.1 TPM-05.1_A02 agreements and procedures are established with entities involved in the supply chain for the system, system components or system service per organization-defined criteria. 53A_R5_SR-08

TPM-05.2 TPM-05.2_A01 the controls included in the contracts of prime contractors are also included in the contracts of subcontractors. 53A_R5_SR-03(03)

TPM-05.3 TPM-05.3_A01 Third-Party Service Providers (TSP) are obligated to use unique authentication factors for each of their customers. SCF Created

TPM-05.4 TPM-05.4_A01 a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, delineates assignment for cybersecurity and privacy controls between internal stakeholders and Third-Party Service Providers (TSP). SCF Created

TPM-05.5 TPM-05.4_A02 recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, is performed to ensure cybersecurity and privacy control assignments accurately reflect current business practices, compliance obligations, technologies and stakeholders. SCF Created

TPM-05.6 TPM-05.4_A03 a First-Party Declaration (1PD) is obtained from applicable Third-Party Service Providers (TSP) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity and privacy controls, including any flow-down requirements to subcontractors. SCF Created

TPM-05.7 TPM-05.7_A01 contracts with third-parties include "break clauses" to enable the organization to exit a contract due to a third-party's non-compliance with contract requirements for cybersecurity and/or privacy controls. SCF Created

TPM-06 TPM-06_A01 roles and responsibilities for third-party provider personnel are documented. SCF Created

TPM-07 TPM-07_A01 sensitive / regulated data flows identify information shared with third-parties. SCF Created

TPM-07 TPM-07_A02 mechanisms are used to look for unauthorized exfiltration or disclosure of sensitive / regulated data that is shared with third-parties. SCF Created

TPM-08 TPM-08_A01 the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components or system services they provide is defined. 53A_R5_SR-06_ODP

TPM-08 TPM-08_A02 the supply chain-related risks associated with suppliers or contractors and the systems, system components or system services they provide are assessed and reviewed per an organization-defined frequency. 53A_R5_SR-06

TPM-08 TPM-08_A03 supply chain elements, processes and actors to be analyzed and tested are defined. 53A_R5_SR-06(01)_ODP[01]; 53A_R5_SR-06(01)_ODP[02]

TPM-08 TPM-08_A04 analysis and/or testing is/are employed on supply chain elements, processes and actors associated with the system, system component or system service. 53A_R5_SR-06(01)

TPM-09 TPM-09_A01 weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements are remediated. SCF Created

TPM-10 TPM-10_A01 affected third-parties are identified through change control practices. SCF Created

TPM-10 TPM-10_A02 provided services are assessed for impact from proposed changes. SCF Created

TPM-10 TPM-10_A03 recurring reviews are performed of third-party provided services against existing contract requirements. SCF Created

TPM-10 TPM-10_A04 discrepancies in services provided and/or geolocation of provided services are evaluated for impact to the organization's operations. SCF Created

TPM-11 TPM-11_A01 incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain. 53A_R5_IR-04(10)

THR-01 THR-01_A01 sources of threat intelligence are defined. 172A_3.11.1e_ODP[1]

THR-01 THR-01_A02 a risk assessment methodology is identified. 172A_3.11.1e[a]

THR-01 THR-01_A03 sources of threat intelligence are employed as part of a risk assessment to guide and inform the development of organizational systems and security architectures. 172A_3.11.1e[b]

THR-01 THR-01_A04 sources of threat intelligence are employed as part of a risk assessment to guide and inform the selection of security solutions. 172A_3.11.1e[c]

THR-01 THR-01_A05 sources of threat intelligence are employed as part of a risk assessment to guide and inform system monitoring activities. 172A_3.11.1e[d]

THR-01 THR-01_A06 sources of threat intelligence are employed as part of a risk assessment to guide and inform threat hunting activities. 172A_3.11.1e[e]

THR-01 THR-01_A07 sources of threat intelligence are employed as part of a risk assessment to guide and inform response and recovery activities. 172A_3.11.1e[f]

THR-01 THR-01_A08 contact is established and institutionalized with selected groups and associations within the cybersecurity & privacy community to facilitate ongoing security education and training for organizational personnel. 53A_R5_PM-15a.[01]; 53A_R5_PM-15a.[02]

THR-01 THR-01_A09 contact is established and institutionalized with selected groups and associations within the cybersecurity & privacy community to maintain currency with recommended security practices, techniques and technologies. 53A_R5_PM-15b.[01]; 53A_R5_PM-15b.[02]

THR-01 THR-01_A10 contact is established and institutionalized with selected groups and associations within the cybersecurity & privacy community to share current security information, including threats, vulnerabilities and incidents. 53A_R5_PM-15c.[01]; 53A_R5_PM-15c.[02]

THR-01 THR-01_A11 a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented. 53A_R5_PM-16

THR-02 THR-02_A01 Indicators of Exposure (IOE) exist for personnel to understand the potential attack vectors that attackers could use to attack the organization. SCF Created

THR-03 THR-03_A01 external organizations from which to obtain threat indicator information and effective mitigations are defined. 172A_3.14.6e_ODP[1]

THR-03 THR-03_A02 threat indicator information is identified. 172A_3.14.6e[a]

THR-03 THR-03_A03 effective mitigations are identified. 172A_3.14.6e[b]

THR-03 THR-03_A04 intrusion detection approaches are identified. 172A_3.14.6e[c]

THR-03 THR-03_A05 threat hunting activities are identified. 172A_3.14.6e[d]

THR-03 THR-03_A06 automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information. 53A_R5_PM-16(01)

THR-03 THR-03_A07 external organizations from whom system security alerts, advisories and directives are to be received on an ongoing basis are defined. 53A_R5_SI-05_ODP[01]

THR-03 THR-03_A08 personnel or roles to whom security alerts, advisories and directives are to be disseminated is/are defined. 53A_R5_SI-05_ODP[02]; 53A_R5_SI-05_ODP[03]

THR-03 THR-03_A09 elements within the organization to whom security alerts, advisories and directives are to be disseminated are defined. 53A_R5_SI-05_ODP[04]

THR-03 THR-03_A10 external organizations to whom security alerts, advisories and directives are to be disseminated are defined. 53A_R5_SI-05_ODP[05]

THR-03 THR-03_A11 system security alerts, advisories and directives are received from external organizations on an ongoing basis. 53A_R5_SI-05a.

THR-03 THR-03_A12 internal security alerts, advisories and directives are generated as deemed necessary. 53A_R5_SI-05b.

THR-03 THR-03_A13 security alerts, advisories and directives are disseminated per organization-defined criteria. 53A_R5_SI-05c.

THR-03 THR-03_A14 security directives are implemented in accordance with established time frames, or the issuing organization is notified of the degree of noncompliance. 53A_R5_SI-05d.

THR-03 THR-03_A15 automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined. 53A_R5_SI-05(01)_ODP

THR-03 THR-03_A16 automated mechanisms are used to broadcast security alerts and advisory information throughout the organization. 53A_R5_SI-05(01)

THR-04 THR-04_A01 threat indicator information and effective mitigations obtained from external organizations are used to guide and inform intrusion detection and threat hunting. 172A_3.14.6e[e]

THR-04 THR-04_A02 an insider threat program that includes a cross-discipline insider threat incident handling team is implemented. 53A_R5_PM-12

THR-05 THR-05_A01 potential indicators associated with insider threats are identified. 171A_3.2.3[a]

THR-05 THR-05_A02 security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. 171A_3.2.3[b]

THR-05 THR-05_A03 literacy training on recognizing potential indicators of insider threat is provided. 53A_R5_AT-02(02)[01]

THR-05 THR-05_A04 literacy training on reporting potential indicators of insider threat is provided. 53A_R5_AT-02(02)[02]

THR-06 THR-06_A01 a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components. 53A_R5_RA-05(11)

THR-07 THR-07_A01 a cyber threat capability is established and maintained to search for Indicators of Compromise (IOC) in organizational systems. 53A_R5_RA-10a.01

THR-07 THR-07_A02 a cyber threat capability is established and maintained to detect, track and disrupt threats that evade existing controls. 53A_R5_RA-10a.02

THR-07 THR-07_A03 cyber threat hunting activities are conducted according to an organization-defined frequency and/or organization-defined event to detect, track and disrupt threats that evade existing controls. 172A_3.11.2e[b]; 172A_3.11.2e[c]; 53A_R5_RA-10b.

THR-07 THR-07_A04 sensors and monitoring capabilities to be relocated are defined. 53A_R5_SC-48_ODP[01]

THR-07 THR-07_A05 locations to where sensors and monitoring capabilities are to be relocated are defined. 53A_R5_SC-48_ODP[02]

THR-07 THR-07_A06 conditions or circumstances for relocating sensors and monitoring capabilities are defined. 53A_R5_SC-48_ODP[03]

THR-07 THR-07_A07 sensors and monitoring capabilities are relocated to locations under organization-defined conditions or circumstances. 53A_R5_SC-48

THR-07 THR-07_A08 Indicators of Compromise (IOC) are defined. 172A_3.11.2e[a]

THR-07 THR-07_A09 organizational systems to search for Indicators of Compromise (IOC) are defined. 172A_3.11.2e_ODP[4]

THR-07 THR-07_A10 the frequency with which to conduct cyber threat hunting activities is defined. 172A_3.11.2e_ODP[1]; 172A_3.11.2e_ODP[2]; 53A_R5_RA-10_ODP

THR-07 THR-07_A11 the event triggering cyber threat hunting activities is defined. 172A_3.11.2e_ODP[3]

THR-08 THR-08_A01 the systems or system components with data or capabilities to be embedded are defined. 53A_R5_SI-20_ODP

THR-08 THR-08_A02 data or capabilities are embedded in systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization. 53A_R5_SI-20

THR-09 THR-09_A01 the organization maintains a threat catalog that documents applicable internal and external threats that are specific to the organization. SCF Created

THR-09 THR-09_A02 the threat catalog documents both natural and manmade threats. SCF Created

THR-09 THR-09_A03 on at least an annual basis, a threat assessment is performed to identify and assess applicable internal and external threats. SCF Created

THR-09 THR-09_A04 the threat catalog is updated, based on a current threat assessment. SCF Created

THR-10 THR-10_A01 on at least an annual basis, a threat assessment is performed to identify and assess applicable internal and external threats. SCF Created

THR-10 THR-10_A02 a threat catalog captures applicable internal and external threats from the threat assessment. SCF Created

THR-10 THR-10_A03 each item in the threat catalog is prioritized, based on the potential threat to the organization. SCF Created

VPM-01 VPM-01_A01 the time within which to identify system flaws is specified. 171A_3.14.1[a]

VPM-01 VPM-01_A02 system flaws are identified within the specified time frame. 171A_3.14.1[b]; 53A_R5_SI-02a.[01]

VPM-01 VPM-01_A03 the time within which to report system flaws is specified. 171A_3.14.1[c]

VPM-01 VPM-01_A04 system flaws are reported within the specified time frame. 171A_3.14.1[d]; 53A_R5_SI-02a.[02]

VPM-01 VPM-01_A05 the time within which to correct system flaws is specified. 171A_3.14.1[e]

VPM-01 VPM-01_A06 system flaws are corrected within the specified time frame. 171A_3.14.1[f]; 53A_R5_SI-02a.[03]

VPM-01 VPM-01_A07 time period within which to install security-relevant software updates after the release of the updates is defined. 53A_R5_SI-02_ODP

VPM-01 VPM-01_A08 software updates related to flaw remediation are tested for effectiveness before installation. 53A_R5_SI-02b.[01]

VPM-01 VPM-01_A09 software updates related to flaw remediation are tested for potential side effects before installation. 53A_R5_SI-02b.[02]

VPM-01 VPM-01_A10 firmware updates related to flaw remediation are tested for effectiveness before installation. 53A_R5_SI-02b.[03]

VPM-01 VPM-01_A11 firmware updates related to flaw remediation are tested for potential side effects before installation. 53A_R5_SI-02b.[04]

VPM-01 VPM-01_A12 security-relevant software updates are installed within an organization-defined time period of the release of the updates. 53A_R5_SI-02c.[01]

VPM-01 VPM-01_A13 security-relevant firmware updates are installed within an organization-defined time period of the release of the updates. 53A_R5_SI-02c.[02]

VPM-01 VPM-01_A14 flaw remediation is incorporated into the organizational configuration management process. 53A_R5_SI-02d.

VPM-01.1 VPM-01.1_A01 the breadth of testing and evaluation of required controls is defined. 53A_R5_SA-11(07)_ODP[01]; 172A_3.14.3e_ODP[1]

VPM-01.1 VPM-01.1_A02 the depth of testing and evaluation of required controls is defined. 53A_R5_SA-11(07)_ODP[02]

VPM-01.1 VPM-01.1_A03 systems and system components are included in the scope of the specified enhanced security requirements. 172A_3.14.3e[a]

VPM-01.1 VPM-01.1_A04 systems and system components that are not included in the scope of the specified enhanced security requirements are segregated in purpose-specific networks. 172A_3.14.3e[b]

VPM-01.1 VPM-01.1_A05 the developer of the system, system component or system service is required to perform attack surface reviews. 53A_R5_SA-11(06)

VPM-01.1 VPM-01.1_A06 the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets an organization-defined breadth. 53A_R5_SA-11(07)[01]

VPM-01.1 VPM-01.1_A07 the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at an organization-defined depth. 53A_R5_SA-11(07)[02]

VPM-02 VPM-02_A01 vulnerabilities are identified. 171A_3.11.3[a]

VPM-02 VPM-02_A02 vulnerabilities are remediated in accordance with risk assessments. 171A_3.11.3[b]

VPM-03 VPM-03_A01 a risk ranking methodology is utilized to prioritize newly discovered security vulnerabilities. SCF Created

VPM-03.1 VPM-03.1_A01 on at least an annual basis, a threat assessment is performed to identify and assess applicable internal and external threats. SCF Created

VPM-03.1 VPM-03.1_A02 a threat catalog captures applicable internal and external threats from the threat assessment. SCF Created

VPM-03.1 VPM-03.1_A03 the scope of Attack Surface Management (ASM) is defined. SCF Created

VPM-03.1 VPM-03.1_A04 vulnerability scanning activities are performed against the scope of ASM to identify applicable vulnerabilities. SCF Created

VPM-03.1 VPM-03.1_A05 the organization documents the potential impact(s) and likelihood(s) of applicable internal and external threats exploiting known vulnerabilities. SCF Created

VPM-03.1 VPM-03.1_A06 each item in the threat catalog is prioritized, based on potential impact(s) and likelihood(s) of applicable internal and external threats exploiting identified vulnerabilities. SCF Created

VPM-04 VPM-04_A01 sources of new threats and vulnerabilities are defined. SCF Created

VPM-04 VPM-04_A02 a time period is defined to seek out new, applicable threats and vulnerabilities. SCF Created

VPM-04 VPM-04_A03 a capability exists to respond to new threats and vulnerabilities on an ongoing basis. SCF Created

VPM-04.1 VPM-04.1_A01 the latest stable version of software and/or security-related updates is installed on applicable systems. SCF Created

VPM-04.2 VPM-04.2_A01 flaws related to the collection, usage, processing or dissemination of Personal Data (PD) are identified. SCF Created

VPM-04.2 VPM-04.2_A02 flaws related to the collection, usage, processing or dissemination of Personal Data (PD) are corrected. SCF Created

VPM-05 VPM-05_A01 time period within which to install security-relevant software updates after the release of the updates is defined. 53A_R5_SI-02_ODP

VPM-05 VPM-05_A02 system flaws are identified. 53A_R5_SI-02a.[01]

VPM-05 VPM-05_A03 system flaws are reported. 53A_R5_SI-02a.[02]

VPM-05 VPM-05_A04 system flaws are corrected. 53A_R5_SI-02a.[03]

VPM-05 VPM-05_A05 software updates related to flaw remediation are tested for effectiveness before installation. 53A_R5_SI-02b.[01]

VPM-05 VPM-05_A06 software updates related to flaw remediation are tested for potential side effects before installation. 53A_R5_SI-02b.[02]

VPM-05 VPM-05_A07 firmware updates related to flaw remediation are tested for effectiveness before installation. 53A_R5_SI-02b.[03]

VPM-05 VPM-05_A08 firmware updates related to flaw remediation are tested for potential side effects before installation. 53A_R5_SI-02b.[04]

VPM-05 VPM-05_A09 security-relevant software updates are installed within an organization-defined time period of the release of the updates. 53A_R5_SI-02c.[01]

VPM-05 VPM-05_A10 security-relevant firmware updates are installed within an organization-defined time period of the release of the updates. 53A_R5_SI-02c.[02]

VPM-05 VPM-05_A11 flaw remediation is incorporated into the organizational configuration management process. 53A_R5_SI-02d.

VPM-05 VPM-05_A12 the system components requiring automated patch management tools to facilitate flaw remediation are defined. 53A_R5_SI-02(04)_ODP

VPM-05 VPM-05_A13 automated patch management tools are employed to facilitate flaw remediation to components. 53A_R5_SI-02(04)

VPM-05.1 VPM-05.1_A01 security and privacy controls and related processes to be centrally managed are defined. 53A_R5_PL-09_ODP

VPM-05.1 VPM-05.1_A02 controls and related processes are centrally managed. 53A_R5_PL-09

VPM-05.1 VPM-05.1_A03 the system components requiring automated patch management tools to facilitate flaw remediation are defined. 53A_R5_SI-02(04)_ODP

VPM-05.1 VPM-05.1_A04 automated patch management tools are employed to facilitate flaw remediation to components. 53A_R5_SI-02(04)

VPM-05.2 VPM-05.2_A01 automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined. 53A_R5_SI-02(02)_ODP[01]

VPM-05.2 VPM-05.2_A02 the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined. 53A_R5_SI-02(02)_ODP[02]

VPM-05.2 VPM-05.2_A03 system components have applicable security-relevant software and firmware updates installed at an organization-defined frequency using automated mechanisms. 53A_R5_SI-02(02)

VPM-05.2 VPM-05.2_A04 the system components requiring automated patch management tools to facilitate flaw remediation are defined. 53A_R5_SI-02(04)_ODP

VPM-05.2 VPM-05.2_A05 automated patch management tools are employed to facilitate flaw remediation to components. 53A_R5_SI-02(04)

VPM-05.3 VPM-05.3_A01 the benchmarks for taking corrective actions are defined. 53A_R5_SI-02(03)_ODP

VPM-05.3 VPM-05.3_A02 the time between flaw identification and flaw remediation is measured. 53A_R5_SI-02(03)(a)

VPM-05.3 VPM-05.3_A03 benchmarks for taking corrective actions have been established. 53A_R5_SI-02(03)(b)

VPM-05.4 VPM-05.4_A01 the system components requiring automated patch management tools to facilitate flaw remediation are defined. 53A_R5_SI-02(04)_ODP

VPM-05.4 VPM-05.4_A02 automated patch management tools are employed to facilitate flaw remediation to components. 53A_R5_SI-02(04)

VPM-05.4 VPM-05.4_A03 security-relevant software and firmware updates to be automatically installed to system components are defined. 53A_R5_SI-02(05)_ODP[01]

VPM-05.4 VPM-05.4_A04 system components requiring security-relevant software updates to be automatically installed are defined. 53A_R5_SI-02(05)_ODP[02]

VPM-05.4 VPM-05.4_A05 security-relevant software and firmware updates are installed automatically to system components. 53A_R5_SI-02(05)

VPM-05.5 VPM-05.5_A01 software and firmware components to be removed after updated versions have been installed are defined. 53A_R5_SI-02(06)_ODP

VPM-05.5 VPM-05.5_A02 previous versions of software and firmware components are removed after updated versions have been installed. 53A_R5_SI-02(06)

VPM-06 VPM-06_A01 frequency for monitoring systems and hosted applications for vulnerabilities is defined. 53A_R5_RA-05_ODP[01]

VPM-06 VPM-06_A02 frequency for scanning systems and hosted applications for vulnerabilities is defined. 53A_R5_RA-05_ODP[02]; 171A_3.11.2[a]

VPM-06 VPM-06_A03 response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined. 53A_R5_RA-05_ODP[03]

VPM-06 VPM-06_A04 personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared are defined. 53A_R5_RA-05_ODP[04]

VPM-06 VPM-06_A05 systems and hosted applications are monitored for vulnerabilities at an organization-defined frequency and/or randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system are identified and reported. 53A_R5_RA-05a.[01]

VPM-06 VPM-06_A06 systems and hosted applications are scanned for vulnerabilities at an organization-defined frequency and/or randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system are identified and reported. 53A_R5_RA-05a.[02]

VPM-06 VPM-06_A07 vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools. 53A_R5_RA-05b.

VPM-06 VPM-06_A08 vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws and improper configurations. 53A_R5_RA-05b.01

VPM-06 VPM-06_A09 vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures. 53A_R5_RA-05b.02

VPM-06 VPM-06_A10 vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact. 53A_R5_RA-05b.03

VPM-06 VPM-06_A11 vulnerability scans are performed on organizational systems with the defined frequency. 171A_3.11.2[b]

VPM-06 VPM-06_A12 vulnerability scans are performed on applications with the defined frequency. 171A_3.11.2[c]

VPM-06 VPM-06_A13 vulnerability scans are performed on organizational systems when new vulnerabilities are identified. 171A_3.11.2[d]

VPM-06 VPM-06_A14 vulnerability scans are performed on applications when new vulnerabilities are identified. 171A_3.11.2[e]

VPM-06 VPM-06_A15 vulnerability scan reports and results from vulnerability monitoring are analyzed. 53A_R5_RA-05c.

VPM-06 VPM-06_A16 legitimate vulnerabilities are remediated within organization-defined response times in accordance with an organizational assessment of risk. 53A_R5_RA-05d.

VPM-06 VPM-06_A17 information obtained from the vulnerability monitoring process and control assessments is shared with personnel or roles to help eliminate similar vulnerabilities in other systems. 53A_R5_RA-05e.

VPM-06 VPM-06_A18 vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed. 53A_R5_RA-05f.

VPM-06.1 VPM-06.1_A01 the frequency for updating the system vulnerabilities to be scanned is defined. 53A_R5_RA-05(02)_ODP[01]; 53A_R5_RA-05(02)_ODP[02]

VPM-06.1 VPM-06.1_A03 the system vulnerabilities to be scanned are updated per organization-defined criteria. 53A_R5_RA-05(02)

VPM-06.2 VPM-06.2_A01 the breadth and depth of vulnerability scanning coverage are defined. 53A_R5_RA-05(03)

VPM-06.3 VPM-06.3_A01 system components to which privileged access is authorized for selected vulnerability scanning activities are defined. 53A_R5_RA-05(05)_ODP[01]

VPM-06.3 VPM-06.3_A02 vulnerability scanning activities selected for privileged access authorization to system components are defined. 53A_R5_RA-05(05)_ODP[02]

VPM-06.3 VPM-06.3_A03 privileged access authorization is implemented to system components for vulnerability scanning activities. 53A_R5_RA-05(05)

VPM-06.4 VPM-06.4_A01 automated mechanisms to compare the results of multiple vulnerability scans are defined. 53A_R5_RA-05(06)_ODP

VPM-06.4 VPM-06.4_A02 the results of multiple vulnerability scans are compared using automated mechanisms. 53A_R5_RA-05(06)

VPM-06.5 VPM-06.5_A01 a system whose historic event logs are to be reviewed is defined. 53A_R5_RA-05(08)_ODP[01]

VPM-06.5 VPM-06.5_A02 a time period for a potential previous exploit of a system is defined. 53A_R5_RA-05(08)_ODP[02]

VPM-06.5 VPM-06.5_A03 historic event logs are reviewed to determine if a vulnerability identified in a system has been previously exploited within an organization-defined time period. 53A_R5_RA-05(08)

VPM-06.6 VPM-06.6_A01 for Payment Card Industry Data Security Standard (PCI DSS) compliance, quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider are performed until passing results are obtained or all "high" vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS). SCF Created

VPM-06.7 VPM-06.7_A01 for Payment Card Industry Data Security Standard (PCI DSS) compliance, quarterly internal vulnerability scans that include all segments of the organization's internal network are performed until passing results are obtained or all "high" vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS). SCF Created

VPM-06.8 VPM-06.8_A01 corrective actions to be taken if information about the system is discoverable are defined. 53A_R5_RA-05(04)_ODP

VPM-06.8 VPM-06.8_A02 information about the system is discoverable. 53A_R5_RA-05(04)[01]

VPM-06.8 VPM-06.8_A03 corrective actions are taken when information about the system is confirmed as discoverable. 53A_R5_RA-05(04)[02]

VPM-06.9 VPM-06.9_A01 the output from vulnerability scanning tools is correlated to determine the presence of multi-vulnerability and multi-hop attack vectors. 53A_R5_RA-05(10)

VPM-07 VPM-07_A01 the breadth of penetration testing is defined. 53A_R5_SA-11(05)_ODP[01]; 53A_R5_CA-08_ODP[02]; 53A_R5_SA-11(05)(a)[01]

VPM-07 VPM-07_A02 the depth of penetration testing is defined. 53A_R5_SA-11(05)_ODP[02]; 53A_R5_SA-11(05)(a)[02]

VPM-07 VPM-07_A03 constraints of penetration testing are defined. 53A_R5_SA-11(05)_ODP[03]; 53A_R5_SA-11(05)(b)

VPM-07 VPM-07_A04 automated scanning tools are identified. 172A_3.12.1e[a]

VPM-07 VPM-07_A05 ad hoc tests using subject matter experts are identified. 172A_3.12.1e[b]

VPM-07 VPM-07_A06 penetration testing is conducted frequently leveraging automated scanning tools and ad hoc tests using subject matter experts. 172A_3.12.1e[c]

53A_R5_CA-08_ODP[01]
VPM-07 VPM-07_A07 frequency at which to conduct penetration testing on systems or system components is defined.
172A_3.12.1e_ODP[1]

VPM-07 VPM-07_A08 penetration testing is conducted organization-defined frequency on organization-defined system(s) or system components. 53A_R5_CA-08

VPM-07.1 VPM-07.1_A01 an independent penetration testing agent or team is employed to perform penetration testing on the system or system components. 53A_R5_CA-08(01)

Licensed by Creative Commons Attribution-NoDerivatives 239 of 280


version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Assessment Objectives (AOs)

VPM-08 | VPM-08_A01 | locations to employ technical surveillance countermeasure surveys are defined. | 53A_R5_RA-06_ODP[01]

VPM-08 | VPM-08_A02 | the frequency at which to employ technical surveillance countermeasure surveys is defined. | 53A_R5_RA-06_ODP[02], 53A_R5_RA-06_ODP[03]

VPM-08 | VPM-08_A03 | events or indicators which, if they occur, trigger a technical surveillance countermeasures survey are defined. | 53A_R5_RA-06_ODP[04]

VPM-08 | VPM-08_A04 | a technical surveillance countermeasures survey is employed at locations per organization-defined criteria. | 53A_R5_RA-06

VPM-09 | VPM-09_A01 | logs associated with scanning activities are monitored to ensure that those activities are limited to the timeframes of legitimate scans. | SCF Created

VPM-09 | VPM-09_A02 | logs associated with administrator accounts are monitored to ensure that those activities are limited to the timeframes of legitimate scans. | SCF Created

VPM-10 | VPM-10_A01 | red team exercises to simulate attempts by adversaries to compromise organizational systems are defined. | 53A_R5_CA-08(02)_ODP

VPM-10 | VPM-10_A02 | organization-defined red team exercises are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement. | 53A_R5_CA-08(02)

WEB-01 | WEB-01_A01 | an enterprise-wide web management policy, as well as associated standards, controls and procedures, exists. | SCF Created

WEB-01.1 | WEB-01.1_A01 | a capability exists to review secure pages for unauthorized code. | SCF Created

WEB-02 | WEB-02_A01 | a Demilitarized Zone (DMZ) architecture is utilized for Internet-facing technologies to restrict inbound traffic to authorized devices on certain services, protocols and ports. | SCF Created

WEB-03 | WEB-03_A01 | a Web Application Firewall (WAF) is utilized for Internet-facing technologies to protect against application-specific threats. | SCF Created

WEB-04 | WEB-04_A01 | a capability exists to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service. | SCF Created

WEB-05 | WEB-05_A01 | data subjects are provided with clear and precise information about cookies, in accordance with applicable legal requirements for cookie management. | SCF Created

WEB-06 | WEB-06_A01 | Strong Customer Authentication (SCA) is utilized for consumers and/or data subjects to prove their identity. | SCF Created

WEB-07 | WEB-07_A01 | the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into the organization's Secure Systems Development Lifecycle (SSDLC) process. | SCF Created

WEB-08 | WEB-08_A01 | a robust Web Application Framework is used to aid in the development of secure web applications, including web services, web resources and web APIs. | SCF Created

WEB-09 | WEB-09_A01 | all input handled by a web application is validated and/or sanitized. | SCF Created

WEB-10 | WEB-10_A01 | all web application content is delivered using cryptographic mechanisms (e.g., TLS). | SCF Created

WEB-11 | WEB-11_A01 | output encoding is performed on all content produced by a web application to reduce the likelihood of cross-site scripting and other injection attacks. | SCF Created

WEB-12 | WEB-12_A01 | web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users. | SCF Created

WEB-13 | WEB-13_A01 | Indicators of Compromise (IoC) include unauthorized alterations, additions, deletions or changes on websites that store, process and/or transmit sensitive / regulated data. | SCF Created

WEB-13 | WEB-13_A02 | a capability exists to monitor for web-based IoC triggers. | SCF Created

WEB-14 | WEB-14_A01 | the scope of publicly accessible systems is defined. | SCF Created

WEB-14 | WEB-14_A02 | publicly accessible systems containing sensitive/regulated data are identified. | SCF Created

WEB-14 | WEB-14_A03 | a capability exists to routinely review the content on publicly accessible systems for sensitive/regulated data and remove such information, if discovered. | SCF Created

WEB-14 | WEB-14_A04 | a capability exists to expeditiously remove sensitive/regulated data from publicly accessible systems, if discovered. | SCF Created



version 2023.4 SCF Conformity Assessment Program (CAP)
Evidence Request List (ERL)

# | ERL # | Area of Focus | Documentation Artifact | Artifact Description | SCF Control Mappings

1 | E-GOV-01 | Cybersecurity & Data Protection Management | Charter - Cybersecurity Program | Documented evidence of a corporate-level (C-Level) organization and resourcing for a cybersecurity & data protection governance program. | GOV-01

2 | E-GOV-02 | Cybersecurity & Data Protection Management | Charter - Privacy Program | Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of privacy management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives. | GOV-01, PRI-01

3 | E-GOV-03 | Cybersecurity & Data Protection Management | Charter - Cybersecurity Steering Committee | Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of cybersecurity management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives. | GOV-01.1, GOV-01.2

4 | E-GOV-04 | Cybersecurity & Data Protection Management | Charter - Privacy Steering Committee | Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of privacy management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives. | GOV-01.2, CPL-02

5 | E-GOV-05 | Cybersecurity & Data Protection Management | Charter - Audit Committee | Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of internal and external audit management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives. | GOV-01.2, CPL-02

6 | E-GOV-06 | Cybersecurity & Data Protection Management | Charter - Risk Committee | Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of risk management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives. | GOV-01.2, CPL-02

7 | E-GOV-07 | Cybersecurity & Data Protection Management | Charter - Data Management Board (DMB) | Documented evidence of the organization's Data Management Board (DMB) charter and mission. | GOV-01.2

8 | E-GOV-08 | Cybersecurity & Data Protection Management | Cybersecurity & Data Protection Policies | Documented evidence of appropriately-scoped cybersecurity & data protection policies. Policies are high-level statements of management intent from an organization’s executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes. Policies are enforced by standards and further implemented by procedures to establish actionable and accountable requirements. | GOV-02, PRI-01

9 | E-GOV-09 | Cybersecurity & Data Protection Management | Cybersecurity & Data Protection Standards | Documented evidence of appropriately-scoped cybersecurity & data protection standards. Standards are mandatory requirements regarding processes, actions and configurations. Standards are intended to be granular and prescriptive to ensure systems, applications and processes are designed and operated to include appropriate cybersecurity & data protection safeguards. | GOV-02

10 | E-GOV-10 | Cybersecurity & Data Protection Management | Cybersecurity & Data Protection Controls | Documented evidence of appropriately-scoped cybersecurity & data protection controls. Controls are technical, administrative or physical safeguards. Controls are the nexus used to manage risks through preventing, detecting or lessening the ability of a particular threat to negatively impact business processes. Controls directly map to standards, since control testing is designed to measure specific aspects of how standards are actually implemented. | GOV-09, CPL-01, CPL-01.2

11 | E-GOV-11 | Cybersecurity & Data Protection Management | Cybersecurity & Data Protection Procedures | Documented evidence of appropriately-scoped cybersecurity & data protection procedures. Procedures are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard. Procedures help address the question of how the organization actually operationalizes a policy, standard or control. The result of a procedure is intended to satisfy a specific control. Procedures are also commonly referred to as “control activities.” | GOV-02, OPS-01.1

12 | E-GOV-12 | Cybersecurity & Data Protection Management | Cybersecurity & Data Protection Policies & Standards Reviews | Documented evidence of a periodic review process for the organization's cybersecurity & data protection policies and standards to identify necessary updates. | GOV-03

13 | E-GOV-13 | Cybersecurity & Data Protection Management | Measures of Performance (Metrics) | Documented evidence of formal measures of performance that are used to track the health of the cybersecurity & data protection program (e.g., metrics, KPIs, KRIs). | GOV-01.2, GOV-05, CPL-02

14 | E-AST-01 | Asset Management | IT Asset Management (ITAM) | Documented evidence of an IT Asset Management (ITAM) program. | AST-01, AST-03, AST-03.1, AST-10

15 | E-AST-02 | Asset Management | Asset Scoping Guidance | Documented evidence of asset scoping guidance. This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on defining in-scope systems, applications, services, processes and third-parties. | AST-04.1, AST-04.2, AST-04.3, CPL-01.2, IAO-01.1

16 | E-AST-03 | Asset Management | Asset Disposal Evidence | Documented evidence of asset disposal/destruction (e.g., asset tracking by serial # for shredding, degaussing, etc.). | AST-09, DCH-08, DCH-09, DCH-09.1

17 | E-AST-04 | Asset Management | Asset Inventories - Hardware | Documented evidence of an inventory of the organization's technology hardware assets. | AST-02

18 | E-AST-05 | Asset Management | Asset Inventories - Software | Documented evidence of an inventory of the organization's software assets. | AST-02

19 | E-AST-06 | Asset Management | Asset Inventories - Cloud Service Provider (CSP) | Documented evidence of an inventory of the organization's cloud-based services (e.g., SaaS, IaaS, PaaS, etc.). | CLD-01, CLD-09, TPM-01.1

20 | E-AST-07 | Asset Management | Cyber-Physical Systems (CPS) | Documented evidence of an inventory of the organization's physical assets that process functions based on software and networks. | AST-02, EMB-01

21 | E-AST-08 | Asset Management | Asset Inventories - Sensitive / Regulated Data | Documented evidence of an inventory of the organization's sensitive/regulated data (including systems where sensitive/regulated data is stored, processed and/or transmitted). | CLD-10, DCH-06.2, BCD-11.2, PRI-05.5

22 | E-AST-09 | Asset Management | Computer Lifecycle Plan (CLP) | Documented evidence of a Computer Lifecycle Plan (CLP) that describes how the life of technology assets is managed. | SEA-07.1, TDA-17

23 | E-AST-10 | Asset Management | Prohibited Equipment List (PEM) | Documented evidence of equipment identified by Federal Acquisition Regulation (FAR) section 889 prohibitions for certain telecommunications equipment. | AST-17

24 | E-AST-11 | Asset Management | Data Retention Program | Documented evidence of a formal data retention program that governs the retention and destruction of data types. | DCH-18, MON-10, PRI-05

25 | E-AST-12 | Asset Management | Secure Baseline Configurations Reviews | Documented evidence of a review process to ensure Secure Baseline Configurations (SBC) are current and applicable. | CFG-02, CFG-02.5, NET-04, NET-04.1, NET-04.6

26 | E-AST-13 | Asset Management | Secure Baseline Configurations - Cloud-Based Services | Documented evidence of secure baseline configurations for all deployed types of cloud-based services or applications. | CFG-02, CFG-02.5

27 | E-AST-14 | Asset Management | Secure Baseline Configurations - Databases | Documented evidence of secure baseline configurations for all deployed types of databases. | CFG-02, CFG-02.5

28 | E-AST-15 | Asset Management | Secure Baseline Configurations - Embedded Technologies | Documented evidence of secure baseline configurations for all deployed types of embedded technologies. | CFG-02, CFG-02.5

29 | E-AST-16 | Asset Management | Secure Baseline Configurations - Major Applications | Documented evidence of secure baseline configurations for all deployed types of major applications. | CFG-02, CFG-02.5

30 | E-AST-17 | Asset Management | Secure Baseline Configurations - Minor Applications | Documented evidence of secure baseline configurations for all deployed types of minor applications. | CFG-02, CFG-02.5

31 | E-AST-18 | Asset Management | Secure Baseline Configurations - Mobile Devices | Documented evidence of secure baseline configurations for all deployed types of mobile devices. | CFG-02, CFG-02.5

32 | E-AST-19 | Asset Management | Secure Baseline Configurations - Network Devices | Documented evidence of secure baseline configurations for all deployed types of network devices. | CFG-02, CFG-02.5, NET-04, NET-04.1

33 | E-AST-20 | Asset Management | Secure Baseline Configurations - Server Class Systems | Documented evidence of secure baseline configurations for all deployed types of server-class operating systems. | CFG-02, CFG-02.5

34 | E-AST-21 | Asset Management | Secure Baseline Configurations - Workstation Class Systems | Documented evidence of secure baseline configurations for all deployed types of workstation-class operating systems. | CFG-02, CFG-02.5

35 | E-AST-22 | Asset Management | Provenance | Documented evidence that tracks the origin, development, ownership, location and changes to systems, system components and associated data. | AST-03.2

36 | E-AST-23 | Asset Management | Geolocation Inventory | Documented evidence of designated internal and third-party facilities where organizational data is stored, transmitted and/or processed. | BCD-02.4, CLD-09, DCH-19, DCH-24

37 | E-AST-24 | Asset Management | Asset Categorization | Documented evidence of a methodology to categorize technology assets (e.g., criticality and data classification considerations). | AST-31, AST-31.1


38 | E-BCM-01 | Business Continuity | Continuity of Operations Plan (COOP) | Documented evidence of a Continuity of Operations Plan (COOP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | BCD-01

39 | E-BCM-02 | Business Continuity | Recovery Time Objectives (RTOs) | Documented evidence of Recovery Time Objectives (RTOs) that guide Continuity of Operations Plan (COOP)-related operations. | BCD-01.4

40 | E-BCM-03 | Business Continuity | Recovery Point Objectives (RPOs) | Documented evidence of Recovery Point Objectives (RPOs) that guide Continuity of Operations Plan (COOP)-related operations. | BCD-01.4

41 | E-BCM-04 | Business Continuity | COOP Root Cause Analysis (RCA) | Documented evidence of a Root Cause Analysis (RCA) from any Continuity of Operations Plan (COOP)-related training, testing or incident. | BCD-05

42 | E-BCM-05 | Business Continuity | COOP Updates | Documented evidence of a periodic review process for the organization's Continuity of Operations Plan (COOP) to identify necessary updates. | BCD-06

43 | E-BCM-06 | Business Continuity | COOP Testing | Documented evidence of a Continuity of Operations Plan (COOP)-related testing activity. | BCD-03.1, BCD-04

44 | E-BCM-07 | Business Continuity | COOP Training | Documented evidence of a Continuity of Operations Plan (COOP)-related training activity. | BCD-03, BCD-04

45 | E-BCM-08 | Business Continuity | COOP Criticality Analysis | Documented evidence of a Continuity of Operations Plan (COOP)-related criticality analysis. | BCD-02

46 | E-BCM-09 | Business Continuity | COOP Dependency Analysis | Documented evidence of a Continuity of Operations Plan (COOP)-related dependency analysis for applications, systems, services, facilities, stakeholders and third-parties. | AST-01.1

47 | E-BCM-10 | Business Continuity | Backups | Documented evidence of a Continuity of Operations Plan (COOP)-related data backup scheme that demonstrates the methods of data backup (including protection measures) for all data types to ensure business continuity requirements. | BCD-11

48 | E-BCM-11 | Business Continuity | Backups - Local | Documented evidence of event logs for the on-site / local data backup solution. | BCD-11, BCD-11.2

49 | E-BCM-12 | Business Continuity | Backups - Remote | Documented evidence of event logs for the off-site / remote data backup solution. | BCD-11, BCD-11.2

50 | E-BCM-13 | Business Continuity | Backups - Recovery | Documented evidence of a Continuity of Operations Plan (COOP)-related criticality analysis for applications, systems, services, facilities, stakeholders and third-parties. | BCD-11, BCD-11.1

51 | E-CHG-01 | Change Management | Business Impact Analysis (BIA) | Documented evidence of a Business Impact Analysis (BIA) for proposed changes. | RSK-08

52 | E-CHG-02 | Change Management | Charter - Change Control Board (CCB) | Documented evidence of the organization's Change Control Board (CCB) charter and mission. | CHG-01, CHG-02

53 | E-CHG-03 | Change Management | Change Control Board (CCB) Minutes | Documented evidence of Change Control Board (CCB) meeting minutes. | CHG-02.2

54 | E-CHG-04 | Change Management | Evidence of Cybersecurity / Data Privacy Reviews | Documented evidence of Change Control Board (CCB) meeting-related cybersecurity and/or privacy reviews for proposed change(s). | CHG-02.3

55 | E-CPL-01 | Compliance | Statutory, Regulatory & Contractual Obligations | Documented evidence of applicable statutory, regulatory and/or contractual obligations for cybersecurity & data privacy controls. | CPL-01

56 | E-CPL-02 | Compliance | Defined Compliance Scope (DCS) | Documented evidence of a formal scoping document that identifies applicable statutory, regulatory and/or contractual obligations for the organization. Defines the affected Lines of Business (LOB), internal / external stakeholders and facilities for the specific scope of compliance obligations. | AST-04.1, AST-04.2, AST-04.3, CPL-01.2

57 | E-CPL-03 | Compliance | Controls Responsibility Matrix (CRM) | Documented evidence of a Controls Responsibility Matrix (CRM), or similar documentation, that identifies the stakeholders involved in executing assigned controls (e.g., Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix). | AST-01.2, AST-03, CLD-06.1, TPM-05.4

58 | E-CPL-04 | Compliance | Internal Audit (IA) | Documented evidence of an Internal Audit (IA) capability. | CPL-02.1

59 | E-CPL-05 | Compliance | Internal Audit (IA) Findings | Documented evidence of a centrally-managed and prioritized repository of Internal Audit (IA) findings. | CPL-01.1, CPL-03, GOV-01.2

60 | E-CPL-06 | Compliance | Manufacturer Disclosure Statement for Medical Device Security (MDS2) | Documented Manufacturer Disclosure Statement for Medical Device Security (MDS2) that communicates information about medical device cybersecurity & data privacy characteristics to current device owners and potential buyers. [note: MDS2 is specific to medical device manufacturers] | TDA-01.1, TDA-02.1, TDA-02.5, TDA-04, TDA-04.1, TPM-04, TPM-04.2

61 | E-CPL-07 | Compliance | Control Assessments | Documented evidence of internal or third-party control assessments to provide governance oversight of cybersecurity & data privacy controls. | CPL-02, CPL-02.1, CPL-03, CPL-03.1

62 | E-CPL-08 | Compliance | Functional Review of Cybersecurity Controls | Documented evidence of control testing to ensure cybersecurity controls function as expected. | CPL-03.2

63 | E-CPL-09 | Compliance | Non-Compliance Oversight Reporting | Documented evidence of governance oversight reporting of non-compliance to the organization's executive leadership. | CPL-02, GOV-01.2

64 | E-CRY-01 | Cryptographic Protections | FIPS-Validated Certificates | Documented evidence of FIPS-validated cryptographic modules. [note: FIPS-validated cryptography is specific to US government contractors for NIST SP 800-171 & CMMC compliance] | CRY-03, CRY-04, CRY-09, CRY-09.1, CRY-09.2

65 | E-DCH-01 | Data Protection | Data Classification Scheme | Documented evidence of an organization-specific data classification scheme. | AST-04.1, DCH-02

66 | E-DCH-02 | Data Protection | Data Handling Practices | Documented evidence of organization-specific data handling practices (e.g., guidance specific to the data classification scheme). | AST-04.1, DCH-02

67 | E-DCH-03 | Data Protection | Network Diagram - Global System View (GSV) | Documented evidence of a high-level network diagram that provides a conceptual, logical depiction of the network(s) to describe the interconnections of the systems/applications/services, including internal and external interfaces. | AST-04, NET-02

68 | E-DCH-04 | Data Protection | Network Diagram - Low Level | Documented evidence of a low-level network diagram that provides a detailed, logical depiction of assets on the network(s). | AST-04, NET-02

69 | E-DCH-05 | Data Protection | Data Flow Diagram (DFD) | Documented evidence of a Data Flow Diagram (DFD) that accurately identifies where sensitive/regulated data is stored, transmitted and/or processed. | AST-02.8, AST-04, NET-02

70 | E-DCH-06 | Data Protection | Third-Party Inventories | Documented evidence of an inventory of Third-Party Service Providers (TSP), contractors, vendors, etc. that directly or indirectly impact the organization's data, systems, applications, services and/or processes. | TPM-01.1

71 | E-DCH-07 | Data Protection | Media Sanitization Documentation | Documented evidence of media sanitization actions. | DCH-09, DCH-09.1

72 | E-DCH-08 | Data Protection | Authorization Documentation | Documented evidence that identifies authorized users and processes acting on behalf of authorized users. | CFG-08

73 | E-SAT-01 | Education | Continuing Professional Education (CPE) | Documented evidence of Continuing Professional Education (CPE) requirements for cybersecurity & data privacy personnel. | SAT-03.7

74 | E-SAT-02 | Education | Initial User Training | Documented evidence of initial user training for cybersecurity and/or privacy topics. | SAT-02, SAT-02.2, SAT-04

75 | E-SAT-03 | Education | Practical Exercises | Documented evidence of practical user training exercises for cybersecurity and/or privacy topics (e.g., phishing exercise). | HRS-05.7, SAT-02.1, SAT-03.1, SAT-04

76 | E-SAT-04 | Education | Recurring User Training | Documented evidence of recurring (e.g., annual) user training for cybersecurity and/or privacy topics. | SAT-03.4, SAT-03.6, SAT-03.7, SAT-04

77 | E-SAT-05 | Education | Role-Based Training | Documented evidence of specialized user training for privileged users, executives, individuals who handle sensitive/regulated data, etc. | HRS-05.7, SAT-03, SAT-03.4, SAT-03.5, SAT-04

78 | E-MON-01 | Event Log Monitoring | Evidence of Log Review Processes | Documented evidence of centralized collection and review/analysis of security event logs. | MON-01.2, MON-01.8, MON-02, MON-02.2

79 | E-MON-02 | Event Log Monitoring | Malware Activity | Documented evidence of malware activity being logged and included as part of the centralized event log collection and review/analysis process. | MON-01.8, MON-02.2, END-04.3

80 | E-MON-03 | Event Log Monitoring | Privileged User Oversight | Documented evidence of malware activity being logged and included as part of the centralized event log collection and review/analysis process. | MON-01.14, MON-01.15

81 | E-MON-04 | Event Log Monitoring | Rogue Devices | Documented evidence of rogue device identification being included as part of the centralized event log collection and review/analysis process. | AST-02.6

82 | E-MON-05 | Event Log Monitoring | Security Events | Documented evidence of security-relevant activities being logged and included as part of the centralized event log collection and review/analysis process. | MON-01.2, MON-01.8, MON-02, MON-02.2

83 | E-HRS-01 | Human Resources | Defined Cybersecurity & Data Privacy Roles | Documented evidence of discrete roles for cybersecurity & data privacy functions (e.g., position categorization). | GOV-04, HRS-02, HRS-03, HRS-03.1

84 | E-HRS-02 | Human Resources | Assigned Roles - Application Developers | List of employed or contract personnel assigned to application development roles. | HRS-02, HRS-02.1, HRS-03

85 | E-HRS-03 | Human Resources | Assigned Roles - Cybersecurity Staff | List of employed or contract personnel assigned to cybersecurity roles. | HRS-02, HRS-02.1, HRS-03

86 | E-HRS-04 | Human Resources | Assigned Roles - Data Privacy Staff | List of employed or contract personnel assigned to data privacy roles. | HRS-02, HRS-02.1, HRS-03

87 | E-HRS-05 | Human Resources | Role Assignment - CISO | Documented evidence of a formal role assignment to the Chief Information Security Officer (CISO) position. | GOV-04

88 | E-HRS-06 | Human Resources | Role Assignment - COO | Documented evidence of a formal role assignment to the Chief Operations Officer (COO) position. | GOV-04

89 | E-HRS-07 | Human Resources | Role Assignment - CIO | Documented evidence of a formal role assignment to the Chief Information Officer (CIO) position. | GOV-04

90 | E-HRS-08 | Human Resources | Role Assignment - CPO | Documented evidence of a formal role assignment to the Chief Privacy Officer (CPO) position. | GOV-04, PRI-01.1

91 | E-HRS-09 | Human Resources | Role Assignment - CRO | Documented evidence of a formal role assignment to the Chief Risk Officer (CRO) position. | GOV-04

92 | E-HRS-10 | Human Resources | Role Assignment - DPO | Documented evidence of a formal role assignment to Data Protection Officer (DPO) positions. | GOV-04, PRI-01.4

93 | E-HRS-11 | Human Resources | Role Assignment - Sensitive / Regulated Data | Documented evidence of a formal role assignment to personnel who are cleared to handle sensitive/regulated data. | HRS-02, HRS-02.1, HRS-03

94 | E-HRS-12 | Human Resources | Role Review | Documented evidence of a formal review process to ensure personnel roles currently reflect business needs. | IAC-07, IAC-07.1, IAC-08, IAC-17

95 | E-HRS-13 | Human Resources | Defined Cybersecurity & Data Privacy Responsibilities | Documented evidence of role-based cybersecurity & data privacy responsibilities to ensure personnel are both educated on the role and are responsible for the associated control execution. | GOV-04, HRS-03, HRS-03.1

96 | E-HRS-14 | Human Resources | Responsibilities Review | Documented evidence of a formal review process to ensure assigned responsibilities currently reflect business needs for the assigned role. | IAC-17

97 | E-HRS-15 | Human Resources | Organization Chart | Current and accurate organization chart that depicts logical staff hierarchies. | GOV-04, GOV-04.1, GOV-04.2

98 | E-HRS-16 | Human Resources | Access Agreements | Documented evidence of personnel management practices protecting sensitive/regulated data through formal access agreements. | HRS-03.1, HRS-05, HRS-06, HRS-10

99 | E-HRS-17 | Human Resources | Background Checks | Documented evidence of personnel screening practices, which center around some form of formalized background check process. | HRS-04, HRS-04.1

100 | E-HRS-18 | Human Resources | Provisioning Checklist (Onboarding) | Documented evidence of personnel management practices to formally onboard personnel into their assigned roles. | HRS-03, HRS-03.1, HRS-04.2, HRS-05.7, HRS-10, IAC-07


101 | E-HRS-19 | Human Resources | Deprovisioning Checklist (Offboarding) | Documented evidence of personnel management practices to formally offboard personnel from their assigned roles due to employment termination or role change. | HRS-06.2, HRS-09, HRS-09.1, HRS-09.2, HRS-09.3, IAC-07, IAC-07.1, IAC-07.2

102 | E-HRS-20 | Human Resources | Non-Disclosure Agreements (NDAs) | Documented evidence of the use of Non-Disclosure Agreements (NDAs) that restrict unauthorized sharing of sensitive/regulated data. | HRS-06.1

103 | E-HRS-21 | Human Resources | Position Competency Requirements | Documented evidence of personnel management practices to define minimum competency requirements for cybersecurity & data privacy-related roles. | HRS-03.2, HRS-04, HRS-04.1

104 | E-HRS-22 | Human Resources | Rules of Behavior | Documented evidence of personnel management practices to define "acceptable use" or "rules of behavior" criteria that specify acceptable and unacceptable user behaviors. | HRS-02, HRS-02.1, HRS-03, HRS-05, HRS-05.1, HRS-05.2, HRS-05.3, HRS-05.4, HRS-05.5, HRS-10

105 | E-HRS-23 | Human Resources | Critical Cybersecurity & Data Privacy Skills | Documented evidence of personnel management practices to formally identify critical cybersecurity skills needed to support business operations. | HRS-03.2, HRS-13

106 | E-HRS-24 | Human Resources | Critical Cybersecurity & Data Privacy Skill Gaps | Documented evidence of personnel management practices to formally identify critical cybersecurity skill gaps. | HRS-13, HRS-13.1

107 | E-HRS-25 | Human Resources | Separation of Duties (SoD) | Documented evidence of personnel management practices to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion. | HRS-11, HRS-12

108 | E-HRS-26 | Human Resources | Vital Cybersecurity & Data Privacy Staff | Documented evidence of personnel management practices to formally identify vital cybersecurity & data privacy personnel. | HRS-13.2

109 | E-IAM-01 | Identity & Access Management | Access Permission Review | Documented evidence of periodic access permission reviews. | IAC-17

110 | E-IAM-02 | Identity & Access Management | Defined Roles (RBAC) | Documented evidence of defined access control-specific roles (e.g., Role Based Access Control (RBAC)). | IAC-08

111 | E-IAM-03 | Identity & Access Management | Privileged User Inventory | Documented evidence of an inventory of privileged users across systems, applications and services (internal and external). | IAC-16, IAC-16.1

112 | E-IRO-01 | Incident Response | Incident Response Program (IRP) | Documented evidence of an Incident Response Plan (IRP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | IRO-04

113 | E-IRO-02 | Incident Response | Indicators of Compromise (IOC) | Documented evidence of defined Indicators of Compromise (IOC). | IRO-03

114 | E-IRO-03 | Incident Response | Incident Tracking | Documented evidence of a centralized repository to track cybersecurity & data privacy incidents. | IRO-02, IRO-09

115 | E-IRO-04 | Incident Response | IRP Testing | Documented evidence of an Incident Response Plan (IRP)-related testing activity. | IRO-06

116 | E-IRO-05 | Incident Response | Table Top Exercises | Documented evidence of "table top" exercises that test incident response practices. | IRO-05

117 | E-IRO-06 | Incident Response | IRP Training | Documented evidence of an Incident Response Plan (IRP)-related training activity. | IRO-05

118 | E-IRO-07 | Incident Response | IRP Updates | Documented evidence of a periodic review process for the organization's Incident Response Plan (IRP) to identify necessary updates. | IRO-04.2

119 | E-IRO-08 | Incident Response | Root Cause Analysis (RCA) | Documented evidence of a Root Cause Analysis (RCA) from any Incident Response Plan (IRP)-related training, testing or incident. | IRO-13

120 | E-IAO-01 | Information Assurance | Information Assurance Program (IAP) | Documented evidence of an Information Assurance Program (IAP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | IAO-01

121 | E-IAO-02 | Information Assurance | Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) | Documented evidence of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable AI-related testing, identification of incidents and information sharing. | AAT-10

122 | E-MNT-01 | Maintenance | Maintenance - Authorized Maintenance Personnel | Documented evidence of personnel who have designated maintenance roles. | MNT-06.1

Licensed by Creative Commons Attribution-NoDerivatives 246 of 280


version 2023.4 SCF Conformity Assessment Program (CAP) Evidence Request List (ERL)

# | ERL # | Area of Focus | Documentation Artifact | Artifact Description | SCF Control Mappings

123 | E-MNT-02 | Maintenance | Maintenance Plan | Documented evidence of a Maintenance Plan. This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | MNT-01
124 | E-MNT-03 | Maintenance | Patch Management | Documented evidence of maintenance activities for systems, applications and services management (e.g., patch management). | VPM-01, VPM-04, VPM-05
125 | E-MNT-04 | Maintenance | Infrastructure Maintenance | Documented evidence of maintenance activities for the organization's infrastructure and supporting systems. | MNT-01, MNT-02, MNT-03, MNT-03.1
126 | E-NET-01 | Network Security | Content / DNS Filtering | Documented evidence of the methods by which content / DNS filtering is implemented to prevent Internet traffic from reaching prohibited content and/or hostile web sites. | NET-18, NET-18.1
127 | E-NET-02 | Network Security | Wireless Rogue Detection | Documented evidence of automated or manual means to detect rogue wireless devices. | NET-15.5
128 | E-NET-03 | Network Security | Work From Anywhere (WFA) Guidance (remote workers) | Documented evidence of administrative and technical measures that are enforced at "alternate work sites", which includes working from home or working while traveling on business. | NET-14, NET-14.5
129 | E-PES-01 | Physical Security | Environmental Monitoring | Documented evidence of environmental monitoring (e.g., water leaks, temperature, humidity, etc.). | PES-01, PES-07, PES-08, PES-09
130 | E-PES-02 | Physical Security | Visitor Logbook | Documented evidence of visitor management and the logging of visitor activities. | PES-03, PES-03.3, PES-06, PES-06.4
131 | E-PES-03 | Physical Security | Defined Physical Security Roles | Documented evidence of defined physical access control-specific roles that limit physical access to rooms and/or facilities. | PES-02, PES-02.1
132 | E-PES-04 | Physical Security | Site Security Plan (Site Plan) | Documented evidence of a site security plan (site plan). | PES-01.1
133 | E-PRI-01 | Privacy | Accounting of Disclosures | Documented evidence of accounting for privacy-related disclosures. | PRI-14.1
134 | E-PRI-02 | Privacy | Authorized Use | Documented evidence of authorized use definitions for privacy-related data operations. | PRI-04, PRI-04.1, PRI-05, PRI-05.1
135 | E-PRI-03 | Privacy | Data Authority Registrations | Documented evidence of registrations made with applicable data authorities for privacy-related data processing. | PRI-15
136 | E-PRI-04 | Privacy | Data Protection Impact Assessment (DPIA) | Documented evidence of a Data Protection Impact Assessment (DPIA). | RSK-10
137 | E-PRI-05 | Privacy | Data Sharing Agreement | Documented evidence of formal data sharing practices that address, at a minimum: the business justification for the data sharing; the type / category of data being shared; the third-parties the data is being shared with; lawful bases for data sharing; and data subject rights. | PRI-01.5, PRI-07, PRI-07.1, PRI-07.2
138 | E-PRI-06 | Privacy | Data Subject Access | Documented evidence of how data subject access requests are handled, from intake through remediation. | PRI-06
139 | E-PRI-07 | Privacy | Personal Data Categories | Documented evidence of formal personal data categories. | PRI-05.7
140 | E-PRI-08 | Privacy | Privacy Notice | Documented evidence of a publicly-accessible privacy notice. | PRI-02
141 | E-PRM-01 | Resource Management | Cybersecurity Business Plan (CBP) | Documented evidence of a cybersecurity-specific business plan that documents a strategic plan and discrete objectives. | GOV-08, PRM-01.1, PRM-03
142 | E-PRM-02 | Resource Management | Portfolio Roadmap | Documented evidence of the organization's roadmap for implementing cybersecurity-related initiatives and technologies. | PRM-01, PRM-02, PRM-03, PRM-04
143 | E-PRM-03 | Resource Management | Secure Development Lifecycle (SDLC) | Documented evidence of a secure development lifecycle that the organization utilizes for new initiatives or significant changes to existing initiatives, to ensure cybersecurity & data privacy principles are identified and implemented by default. | PRM-05, PRM-06, PRM-07
144 | E-PRM-04 | Resource Management | Targeted Maturity Level | Documented evidence of a targeted level of control maturity from a Capability Maturity Model (CMM). | PRM-01.2
145 | E-RSK-01 | Risk Management | Risk Management Program (RMP) | Documented evidence of a Risk Management Program (RMP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | RSK-01




146 | E-RSK-02 | Risk Management | Cybersecurity Supply Chain Risk Management (C-SCRM) | Documented evidence of Cybersecurity Supply Chain Risk Management (C-SCRM). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | RSK-09, TPM-03
147 | E-RSK-03 | Risk Management | Plan of Actions & Milestones (POA&M) / Risk Register | Documented evidence of a POA&M, or risk register, that tracks control deficiencies from identification through remediation. | AST-02.4, CPL-02, RSK-04.1
148 | E-RSK-04 | Risk Management | Cybersecurity Risk Assessment (RA) | Documented evidence of a cybersecurity-specific risk assessment. | RSK-04
149 | E-RSK-05 | Risk Management | Supply Chain Risk Assessment (SCRA) | Documented evidence of a supply chain-specific risk assessment that evaluates risks that are specific to the organization's supply chain. | RSK-09.1
150 | E-RSK-06 | Risk Management | Risk Threshold | Documented evidence that the organization has a defined risk threshold. | RSK-01.3
151 | E-RSK-07 | Risk Management | Risk Tolerance | Documented evidence that the organization has a defined risk tolerance. | RSK-01.4
152 | E-RSK-08 | Risk Management | Risk Appetite | Documented evidence that the organization has a defined risk appetite. | RSK-01.5
153 | E-TDA-01 | Technology Design & Acquisition | Secure Software Development Principles (SSDP) | Documented evidence of Secure Software Development Principles (SSDP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | SEA-01, TDA-01
154 | E-TDA-02 | Technology Design & Acquisition | Secure Engineering & Data Privacy (SEDP) | Documented evidence of a Secure Engineering & Data Privacy (SEDP) program. This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | SEA-01, TDA-01
155 | E-TDA-03 | Technology Design & Acquisition | Application Security Testing (AST) | Documented evidence of application security testing (e.g., DAST, SAST, fuzzing, etc.). | TDA-06.2, TDA-09, TDA-09.1, TDA-09.2, TDA-09.3, TDA-09.4, TDA-09.5, TDA-09.6
156 | E-TDA-04 | Technology Design & Acquisition | Design and Development Plan (DDP) | Documented evidence of an engineering method to control the design process and govern the lifecycle of the product/service. | SEA-01, SEA-02, SEA-03, TDA-02.3, TDA-05, TDA-06.3
157 | E-TDA-05 | Technology Design & Acquisition | Failure Mode and Effect Analysis (FMEA) | Documented evidence of an engineering method designed to define, identify, and present solutions for system failures, problems, or errors. | TDA-01.1, TDA-06.5, TDA-09
158 | E-TDA-06 | Technology Design & Acquisition | Multi Patient Harm View (MPHV) | Documented evidence of a description of a Multi Patient Harm View (MPHV) that explains how the device / system defends against and/or responds to attacks with the potential to harm multiple patients. [note: MPHV is specific to medical device manufacturers] | TDA-01.1, TDA-02, TDA-04, TDA-04.1
159 | E-TDA-07 | Technology Design & Acquisition | Ports, Protocols & Services (PPS) | Documented evidence of all ports, protocols and services in use by the system, application or service. | TDA-01.1, TDA-02.1, TDA-02.5, TPM-04.2
160 | E-TDA-08 | Technology Design & Acquisition | Secure Engineering Principles (SEP) | Documented evidence of defined secure engineering principles used to ensure Confidentiality, Integrity, Availability & Safety (CIAS) concerns are properly addressed in the design and implementation of systems, applications and services. | SEA-01, TDA-01, TDA-06
161 | E-TDA-09 | Technology Design & Acquisition | Security Architecture View | Documented evidence that identifies security-relevant system elements and their interfaces: define the security context, domains, boundaries, and external interfaces of the system; align the architecture with (a) the system security objectives and requirements and (b) security design characteristics; and establish traceability of architecture elements to user and system security requirements. | CLD-02, SEA-01, SEA-02, SEA-03
162 | E-TDA-10 | Technology Design & Acquisition | Security Use Case View (SUCV) | Documented evidence of diagrams, with explanatory text, describing various security scenarios in each of the operational and clinical functionality states of the system and how the system addresses each scenario architecturally. [note: SUCV is specific to medical device manufacturers] | TDA-04, TDA-04.1, TDA-06.2
163 | E-TDA-11 | Technology Design & Acquisition | Software Assurance Maturity Model (SAMM) | Documented evidence of a Software Assurance Maturity Model (SAMM). | TDA-06, TDA-06.3
164 | E-TDA-12 | Technology Design & Acquisition | Software Bill of Materials (SBOM) | Documented evidence of a Software Bill of Materials (SBOM). | TDA-04.2




165 | E-TDA-13 | Technology Design & Acquisition | Software Escrow | Documented evidence of a software escrow solution. | TDA-20.3
166 | E-TDA-14 | Technology Design & Acquisition | System Security & Privacy Plan (SSPP) | Documented evidence of at least one (1) System Security & Privacy Plan (SSPP) that covers the sensitive/regulated data environment. There may be multiple SSPPs, based on applicable contracts. | AST-02.4, IAO-03
167 | E-TDA-15 | Technology Design & Acquisition | Updateability / Patchability View | Documented evidence of a description of the end-to-end process permitting software updates and patches to be deployed to the device/service. | TDA-01.1, TDA-01.2, TDA-04.1
168 | E-TDA-16 | Technology Design & Acquisition | Vulnerability Disclosure Program (VDP) | Documented evidence of a Vulnerability Disclosure Program (VDP) (e.g., bug bounty). | THR-06
169 | E-THR-01 | Threat Management | Indicators of Exposure (IOE) | Documented evidence of defined Indicators of Exposure (IOE). | THR-02
170 | E-THR-02 | Threat Management | Industry Associations / Memberships | Documented evidence of industry associations the organization utilizes to maintain situational awareness of evolving threats and trends. | GOV-07
171 | E-THR-03 | Threat Management | Threat Intelligence Feeds (TIF) | Documented evidence of threat intelligence feeds. | THR-03
172 | E-THR-04 | Threat Management | Threat Intelligence Program (TIP) | Documented evidence of a formal capability that intakes and analyzes threat information to determine specific threats to the organization and the necessary actions to mitigate the threat(s). | THR-01, THR-04
173 | E-THR-05 | Threat Management | Threat Mitigation | Documented evidence of steps taken to mitigate identified threats. | TDA-06.2, THR-07, VPM-01, VPM-04
174 | E-TPM-01 | Third-Party Management | Third-Party Contracts | Documented evidence of third-party contractual obligations for cybersecurity & data privacy protections. | PRI-07, PRI-07.1, PRI-07.2, TPM-01, TPM-05
175 | E-TPM-02 | Third-Party Management | Third-Party Criticality Assessment | Documented evidence of a third-party criticality assessment that evaluates the critical nature of each third-party the organization works with. | TPM-02
176 | E-TPM-03 | Third-Party Management | Third-Party Service Reviews | Documented evidence of a formal, annual stakeholder review of third-party services for each Third-Party Service Provider (TSP). | TPM-01, TPM-05, TPM-05.5, TPM-08, TPM-09
177 | E-TPM-04 | Third-Party Management | Service Level Agreements (SLAs) | Documented evidence of third-party Service Level Agreements (SLAs) to support business operations. | BCD-09.3, BCD-10.1, OPS-03
178 | E-TPM-05 | Third-Party Management | Break Clauses | Documented evidence of "break clauses" in third-party contracts. | TPM-05.7
179 | E-VPM-01 | Vulnerability & Patch Management | Vulnerability & Patch Management Program (VPMP) | Documented evidence of a Vulnerability & Patch Management Program (VPMP). This is program-level documentation in the form of a runbook, playbook or a similar format that provides guidance on organizational practices that support existing policies and standards. | VPM-01
180 | E-VPM-02 | Vulnerability Management | Penetration Testing - Application | Documented evidence of Application Security Testing (AST) activities: abuse case, malformed, and unexpected inputs (e.g., robustness or fuzz testing); attack surface analysis; vulnerability chaining; closed box testing of known vulnerability scanning; software composition analysis of binary executable files; and/or static and dynamic code analysis, including testing for credentials that are "hardcoded," default, easily guessed, and easily compromised. | VPM-07
181 | E-VPM-03 | Vulnerability Management | Penetration Testing - Network | Documented evidence of internal and external network penetration testing activities that focus on discovering and exploiting security vulnerabilities. | VPM-07
182 | E-VPM-04 | Vulnerability Management | Red Team Testing | Documented evidence of "red team" testing. | VPM-07.1
183 | E-VPM-05 | Vulnerability Management | Vulnerability Assessments | Documented evidence of internal and external vulnerability assessment activities. | VPM-06, VPM-06.6, VPM-06.7



7011(e)(1)(F)
7011(e)(1)(G)
5.3.1 7011(e)(1)(H)
5.3.2
5.3.3
7011(e)(1)(I)
5.4 7011(e)(1)(J)
version 2023.4 Secure Controls Framework (SCF) 5.4.1 7011(e)(1)(K)
03/12/2024
Data Privacy Management Principles (DPMP) 5.4.1.1
5.4.2
7011(e)(2)
5.5 7011(e)(2)(A)
5.5.1 7011(e)(2)(B)
AICPA EU-US Data ISO
5.5.2 ISO NIST SP NIST SP NIST Privacy 7011(e)(2)(C)
Privacy FIPPs FIPPs HIPAA 5.5.3 OMB US-California US-Nevada Secure Controls
# Principle Name SCF Data Privacy Management Principle (SCF-DPMP) Description TSC SOC 2 APEC EU GDPR GAPP 27701 29100 800-53 800-53 Framework OECD PIPEDA 7011(e)(2)(D)
Framework (DHS) (OMB) Privacy Rule 5.5.4
A-130 CPRA SB220 Framework (SCF)
(2017) v2019
5.5.5
5.5.5.1
v2011 rev4 rev5 v1.0 4(h)
7011(e)(2)(E)
7011(e)(2)(F)
5.5.5.2 5(f)(1)(a)
5.5.5.3 GV.PO-P1 7011(e)(3)
App1-3(b)
Art
Art 32.1
35.2 6.5 PM-1 CM.PO-P1 7011(e)(3)(A)
Establish and maintain a comprehensive data privacy program that ensures data privacy considerations are 5.6.1 5.1 App1-3(b)(1) GOV-01
Art
Art 32.2
37.1 PM-18 CM.AW-P2 7011(e)(3)(B)
1 Data Privacy by Design addressed by design in the development of policies, standards, processes, systems, applications, projects 1 Principle 2.7.a 8.2.1 5.6.2 5.10 AR-1 App1-3(f) PRI-01
Art
Art 32.3
37.2 5.6.3 PM-20 CT.DM-P9 7011(e)(3)(C)
and third-party contracts. 5.11 App1-4(c)(2) PRI-01.3
Art 37.3
Art 32.4 5.6.4 PT-1 CT.DM-P10 7011(e)(3)(D)
1.1.0 5.7 App1-4(e)
Art 37.4 CT.PO-P2 7011(e)(3)(E)
1.1.2 5.7.1 App1-4(e)(1)
Art 37.5 5.7.2 7011(e)(3)(F)
1.2.1 App1-4(e)(10)
Art 37.6 5.7.3
4(h) 7011(e)(3)(G)
Assign accountability through documented roles and responsibilities to qualified data subjects, including key 1.2.2 5.8
7011(e)(3)(H)
Art 37.7 Accountability & 6.15.1.4
5.8.1 CM.PO-P2 5(c)(6) PRI-01.1
1.1 Assigned Responsibilities internal and external stakeholders, for maintaining compliance with all applicable data privacy requirements Accountability 1.2.8 164.530(a)(1) 5.10 PM-19 1 7011(e)(3)(I)
Art 38.1 Auditing 8.5
5.8.1 CT.PO-P2 5(f)(1)(b) PRI-01.4
that involves appropriately monitoring and documenting the data privacy program. 1.2.9 6.2 7011(e)(3)(J)
Art 38.2 App1-4(e)
2.1.0 6.2.1
7011(e)(4)
Art 38.3 6.2.1.1
4.2.3 7011(e)(5)
Art 38.4 7.1
PT-7
8.2.1 7.4 7012(a)
1.2 Data Classification
Classify data according to the sensitivity and type of personal data as defined by appropriate statutory, ArtArt38.5
4
6.5.2.1
8.3 PT-7(1)
DCH-02
regulatory and contractual contexts. ArtArt38.6
9 8.3.1
7012(b) PRI-05.7
PT-7(2) 7012(c)
Art 39.1 8.4
Art 39.2 8.5.1 7012(c)(1)
1.3 Registering Databases Register applicable databases containing personal data with the appropriate Data Authority, when required. Art 30.4 7012(c)(2) PRI-15
5(a)(3)(e)(ii) 7012(c)(3)
5(d)(3)(e) 7012(c)(4)
Identify and plan for resources needed to operate a data privacy program and include data privacy Art 32.1 App1-4(b)(1) 7012(c)(5)
1.4 Resource Planning 6.3.1.5 PRM-01
requirements in solicitations for technology solutions and services. Art 32.2 App1-4(b)(2) 7012(d)
App1-4(b)(4) 7012(e)(1)
App1-4(e)(6) 7012(e)(2)
Maintain an inventory of both the type of personal data and specific data element, as well as the systems, Art 4 ID.IM-P1 5(a)(1)(a)(ii)
AT-1 7012(e)(3) PRI-05.5
1.5 Inventory of Personal Data applications and processes that collect, create, use, disseminate, maintain, and/or disclose that personal Art 5.2 7.2.2 SE-1 PM-5(1) ID.IM-P3 5(f)(1)(e) SAT-01
AT-2 7012(e)(4) PRI-05.6
data. Art 9 ID.IM-P6 App1-4(j)(2)(c) SAT-02
AT-2(1) GV.PO-P1 App1-4(h)(1) 7012(e)(5)
7012(e)(6) SAT-02.1
AR-5 AT-2(5) GV.AT-P1 App1-4(h)(2) 7010(d)
1.1.1 164.504 7100(a)
7012(f) SAT-03
1.6 Data Privacy Training Provide recurring data privacy awareness and training for all employees and contractors. 6.4.2.2 AT-3(4) AT-3 GV.AT-P2 App1-4(h)(3) 7013(a)
1.2.10 164.530 7100(b)
7012(g) SAT-03.1
AT-4 AT-3(3) GV.AT-P3 App1-4(h)(4) 7013(b)
7012(g)(1) SAT-03.2
Define and implement data handling and protection requirements for specific categories of sensitive AT-3(5) GV.AT-P4 App1-4(h)(5) 7013(c)
1.7 Personal Data Categories 7012(g)(2)
7002(f) SAT-03.3
PRI-05.7
Personal Data (PD). AT-4 7013(d)
7012(g)(3)(A) SAT-04
PM-13 7003(a)
7013(e)
7012(g)(3)(B)
7003(b)(1)
7013(e)(1)
7012(g)(3)(C)
Craft disclosures and communications to data subjects so the material is readily accessible and written in a 7003(b)(2)
7013(e)(2)
1.8 Data Subject Communications 7012(h) PRI-17
manner that is concise, unambiguous and understandable by a reasonable person. 7003(b)(3)
7013(e)(3)
7012(i)
7011(c)
7013(e)(3)(A)
7002(e)
7102(a)(1)(A)
7102(a)(2)
7013(e)(3)(B)
7002(f)
7102(a)(1)(B)
7003(c)
7013(f)(1)
7004(a)
7102(a)(1)(C)
7003(d)
Conspicuous Link To Data Design websites and mobile applications to include a conspicuous link to the organization's data privacy 7013(f)(2)
7004(a)(1)
1.9 7102(a)(1)(D)
7010(d) PRI-17.1
Privacy Notice notice. 7013(g)(1)
7004(a)(2)
7102(a)(1)(E)
7010(e)
7013(g)(1)
7004(a)(2)(a)
7102(a)(1)(F)
7011(d)
7013(h)
7004(a)(2)(b)
7102(a)(2)
7080(a)
7004(a)(2)(c)
7102(b)
Provide data subjects with a Notice of Financial Incentive that explains the material terms of a financial
Principle 2.2.a(i) 7080(b)
7004(a)(3)
7002(e)
1.10 Notice of Financial Incentive incentive, price or service difference so the data subject can make an informed decision about whether to PRI-17.2
Principle 2.2.a(ii) 7080(c)
7004(a)(3)(a)
7002(f)
participate.
Art 6.1 Principle 2.2.b 7080(d)(1)
7004(a)(3)(b)
7004(a)
Art 7.1 Principle 2.2.c 7080(d)(2)
7004(a)(3)(c)
7004(a)(1)
Art 7.2 Principle 2.2.c(i) 7.2.3 7080(d)(3)
7004(a)(4)
7004(a)(2)
3.2.1 7080(d)(4)
data subjects are directly involved in the decision-making process regarding the fair and lawful processing of Art 7.3 Principle 2.2.c(ii) 7.2.4 7004(a)(4)(a)
7002(e)
7004(a)(2)(a)
P2.1 3.2.2 164.506 IP-1 CT.PO-P1 7080(e)
2 Data Subject Participation the individual’s personal data and, to the extent practicable, directly-engaged to receive explicit permission 5 Art 7.4 Principle 2.7 Individual Participation Individual Participation 7.3.4 5.2 PT-4 7 3 7004(a)(4)(b)
7002(f)
7004(a)(2)(b) PRI-03
P3.2 Art 3.2.3 164.508 IP-1(1) CT.PO-P3
to use their personal data. Art 7.1
8.1 Principle 2.7.a.i 7.3.5 7080(f)
7004(a)(5)
7004(a)
7004(a)(2)(c)
Art 3.2.4
Art 7.2
8.2 Principle 2.7.a.ii 8.5.7 7080(g)
7004(a)(5)(a)
7004(a)(1)
7004(a)(3)
Art12.6
Art 7.3 Principle 2.7.a.iii 7081(a)
7004(a)(5)(b)
2.2.a(i) 7004(a)(2)
7004(a)(3)(a)
Art 7.4
Art 14.3 Principle2.2.a(ii)
2.7.b 7081(a)(1)
7004(a)(5)(c)
Principle 7004(a)(2)(a)
7004(a)(3)(b)
Provide clear and conspicuous choices that enable an individual, or a person authorized by the individual, to Art 12.2 2.7.c 7081(a)(2)
7004(b)
Principle 2.2.b 164.508(a-c) TR-1 PM-20(1) 7004(a)(2)(b)
7004(a)(3)(c)
2.1 Clear Choices permit or prohibit the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of Art 12.3 Principle 2.7.d 7.3.4 CT.PO-P3 3 7081(a)(3)
7004(c)
7010(d) PRI-03
2.2.c 164.510 (a) and (b) TR-1(1) PT-5 7004(a)(2)(c)
7004(a)(4)
the individual’s personal data. This is also referred to as the right to "opt out." Art 12.4 7081(a)(4)
7010(c)
Principle 2.2.c(i) 7013(a)
7004(a)(3)
7004(a)(4)(a)
Art 22.1 7081(a)(5)
7010(d)
7013(b)
Principle 2.2.c(ii)
2.2.a(i) 7004(a)(3)(a)
7004(a)(4)(b)
Art 22.2 7.2.3 7081(a)(6)
7015(a)
7013(c)
Principle 2.2.a(ii) 3.2.1 7004(a)(3)(b)
7004(a)(5)
Art 22.3 164.506(c)(1-4) 7.2.4 7081(a)(7)
7015(b)
7013(d)
Prior to the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of the P2.1 Principle 2.2.b 3.2.2 IP-1 CT.PO-P1 7004(a)(3)(c)
7004(a)(5)(a)
2.2 Initial Consent Art 164.510 (a)(2) 7.3.4 5.2 PT-4 7 3 PRI-03
individual’s personal data, the knowledge and consent of the individual are required. P3.2 Art22.4
7.1 Principle 2.2.c 3.2.3 IP-1(1) CT.PO-P3 7081(a)(8)
7015(c)(1)
7013(e)
7004(a)(4)
7004(a)(5)(b)
164.510 (b) 7.3.5 7081(b)
7015(c)(2)
7013(e)(1)
Art 7.2 Principle 2.2.c(i) 3.2.4 7004(a)(4)(a)
7004(a)(5)(c)
8.5.7 7028(a)
7013(e)(2)
Art 7.3 Principle 2.2.c(ii) 7004(a)(4)(b)
7004(b)
7002(f)
Art 7.4 7028(b)
7013(e)(3)
7004(a)(5)
7004(c)
7015(a)
7010(a)
Based on changes to data privacy practices that affect the parameters of an individual's initial consent, Art 8.1 7013(e)(3)(A)
7004(a)(5)(a)
7010(c)
7016(a)
7015(b)
updated consent of the individual is required to continue the collection, creation, use, dissemination, Art 8.2 PT-4(2) CT.PO-P1 7013(e)(3)(B)
7004(a)(5)(b)
7028(a)
7016(b) PRI-03.2
2.3 Updated Consent 7.3.4 3 7015(c)(1)
7016(c)
maintenance, retention, and/or disclosure of the individual’s personal data. This is also referred to as the Art 12.2 PT-5(1) CT.PO-P3 7013(f)(1)
7004(a)(5)(c)
7028(b) PRI-03.4
7015(c)(2)
7016(d)
right to revoke or "opt out" at any time after the initial consent was provided. Art 12.3 7013(f)(2)
7004(b)
7016(d)(1)
7028(a)
Art 12.4 7013(g)(1)
7004(c)
7016(d)(2)
7028(b)
7016(d)(3)
Art 13.3 7013(g)(1)
7010(c)
7016(d)(4)
Art 14.3 7013(h)
7028(a)
6.15 7016(d)(5)
Implement business processes to protect the right of data subjects to equal service and price, even if they Art 21.4 PL-1 7014(a)
7028(b)
7016(d)(5)(A)
2.4 Equal Service & Price 164.524(c) 6.15.1 GV.MT-P3 CPL-01
exercise their data privacy rights. PM-8 7016(d)(5)(B)
7014(b)
6.15.1.1 7025(a)
7080(a)
7014(c)
7080(b)
7025(b)(1)
7014(d)
7080(c)
7025(b)(2)
7080(d)(1)
7014(e)
Provide a clear and conspicuous link on the organization's Internet-based homepage, titled “Do Not Sell My 7025(c)(1)
7080(d)(2)
Prohibit The Sale of Personal TR-1 7014(e)(1) PRI-03.1
2.5 Personal Data” that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of 7.3.4 PT-4(1) CT.PO-P3 3 7080(d)(3)
7025(c)(2)
Data TR-1(1) 7014(e)(2)
7080(d)(4) PRI-03.3
the consumer’s personal data. 7025(c)(3)
7080(e)
7014(f)(1)
7025(c)(4)
7080(f)
7063(a)
7014(f)(2)
7080(g)
7025(c)(5)
7063(a)(1)
7014(g)(1)
Allow data subjects to authorize another person or entity, acting on the data subject's behalf, to make 7025(c)(6)
7063(a)(2)
7014(g)(2)
2.6 Authorized Agent (Proxy) 7025(c)(7)(A) PRI-03.6
Personal Data (PD) processing decisions. 7063(b)
7014(h)
7025(c)(7)(B)
7063(c)
7026(a)
7025(c)(7)(C)
7063(d)
7026(a)(1)
7025(c)(7)(D)
7026(a)(2)
Enable automated mechanisms to provide data subjects with functionality to automatically exercise pre- 7010(d)
2.7 Global Privacy Control (GPC) 7025(c)(7)(E)
7070(a)
7026(a)(3) PRI-03.8
selected opt-out preferences (e.g., opt-out signal).
7025(d)
7070(a)(1)
7026(a)(4)
7070(a)(2)(A)
7025(e)
7026(b)
7070(a)(2)(B)
7.2.2 7025(f)(1)
7070(a)(2)(C)
7.3.1 7026(c)
Ensure that the design of data collection and use are consistent with the intended use of the information and Principle 2.5.a 4.1.2 CT.PO-P1 7025(f)(2)
7070(a)(2)(D)
7026(d)
3 Limited Collection & Use P3.1 3 Art 5.1 164.506 7.3.2
7.2.2 5.4 AP-1 PT-2 1 4 7070(a)(2)(E)
7025(f)(3) PRI-04
the need for new information is balanced against any data privacy risks. Principle 2.5.b 9.2.2 CT.DM-P1 7026(e)
7070(a)(2)(F)
7.4.1
7.3.1 7002(d)
7025(g)(1)
7070(b)
7026(f)(1)
8.2.1
7.3.2 7002(d)(1)
7025(g)(2)(A)
7070(c)
7026(f)(2)
7002(d)(2)
7071(a)
7.5 7025(g)(2)(B)
7026(g)
7071(b)
1.2.5 7.5.1 7002(d)(3)
7002(a)
7025(g)(2)(C)
7072(a)
7026(h)
Identify the lawful basis given to collect, create, use, disseminate, maintain, and/or disclose an individual’s PT-2 7027(a)
3.1 Authority to Collect Art 5.1 Authority 1.2.11 164.520(a) 7.5.2 5.4 AP-1 CT.DP-P4 7002(e)
7025(g)(2)(D)
7072(b)
7026(i) PRI-04.1
personal data. Document this authority in the organization's publicly-facing data privacy notice. 7027(b)
4.2.2 8.1 7002(f)
7025(g)(3)
7026(j)
Art 5.1 8.2 7027(b)(1)
7025(g)(3)(A)
7026(k)
7027(b)(2)
Art 35.1 8.2.1 7025(g)(3)(B)
Art 7027(b)(3)
Take steps to minimize the collection, creation, use, dissemination, maintenance, retention, and/or Art35.2
5.1 8.5.1 DM-1
PM-25
Art 7027(b)(4)
3.2 Data Minimization disclosure of the individual’s personal data to what is directly relevant and necessary to accomplish a legally Art35.3
9.1 Data Minimization Data Minimization
164.502 8.5.7
7.4.4 5.5 DM-3
SI-12(2)
CT.DP-P4 5(f)(1)(f) 4 DCH-18.2
Art 7027(c)
authorized purpose. Art35.6
9.2 164.514
DM-3(1)
SA-8(33)
Art 7027(d)
Art35.8
10 SA-15(12)
Art 11.1
35.9 7027(e)
Art 164.502
Art 4.1.2 7027(f)
Art35.11
18.1 164.504
5.2.1 7.4.2 DM-3 PM-25 CT.DM-P8 7027(g)(1) DCH-18.1
Restrict the internal use of personal data to only authorized purpose(s) that are consistent with the stated Art 18.2 Principle 2.5.a Purpose Specification & 164.510
3.3 Internal Use Use Limitation 7.2.2 7.4.4 DM-3(1) PT-2 CT.PO-P2 5 7027(g)(2) Sec2.3 PRI-05.1
data privacy notice. Art 35.1 Principle 2.5.b Use Limitation 164.512
9.2.1 8.2.3 UL-1 SI-12(1) CT.DP-P4 7027(g)(3) PRI-05.4
Art 35.2 164.514
9.2.2 7027(h)
Art 35.3 164.532
7027(i)
Art 35.6
7027(j)
Art 35.8
7027(k)
Art 35.9
7027(l)
Art 35.11
7027(m)
7027(m)(1) 250 of 280
Licensed by Creative Commons Attribution-NoDerivatives 7027(m)(2)
7027(m)(3)
7027(m)(4)
7027(m)(5)
7027(m)(6)
7011(b)
7011(c)
7011(d)
7011(e)(1)
7011(e)(1)(A)
7011(e)(1)(B)
7011(e)(1)(C)

version 2023.4 Secure Controls Framework


2.1.1 (SCF) 7011(e)(1)(D)
7011(e)(1)(E) 03/12/2024
2.2.1
Data Privacy Management Principles (DPMP) 7011(e)(1)(F)
2.2.2 7011(e)(1)(G)
2.2.3 7011(e)(1)(H)
AICPA EU-US
Principle Data
2.1.a.i 3.1.0 ISO ISO NIST SP NIST SP NIST Privacy 7011(e)(1)(I)

Privacy
Principle 2.1.a.ii FIPPs FIPPs 3.1.1 HIPAA OMB US-California
7011(e)(1)(J) US-Nevada Secure Controls
# Principle Name SCF Data Privacy Management Principle (SCF-DPMP) Description TSC SOC 2 APEC EU GDPR GAPP 27701 29100 800-53 800-53 Framework OECD PIPEDA 7011(e)(1)(K)
Art 11.2 Principle
Framework 2.1.a.iii (DHS) (OMB) 3.1.2 Privacy Rule A-130 CPRA
7011(e)(2) SB220 Framework (SCF)
(2017) Art 12.1 Principle 2.1.a.iv 4.1.0
v2019
7.3
v2011 rev4 rev5 v1.0 7011(e)(2)(A)
7011(e)(2)(B)
Art 13.1 Principle 2.1.a.v 4.1.1 7.3.1 7011(e)(2)(C)
DI-2(1)
Art 13.2 Principle 2.1.a.vi 4.2.4 7.3.2 7011(e)(2)(D)
Provide a transparent notice to the public about data privacy practices through a clear and conspicuous Principle2.1.a.vii
2.1.a.i TR-1 PM-20(1) 7011(e)(2)(E) PRI-01.2
Art 13.3 Principle 5.1.0 8.2.2 5.2 CM.AW-P1
4 Transparency notice on all organizational websites, mobile applications and other digital services regarding the collection, P1.1 2 Principle2.1.a.viii
2.1.a.ii Transparency Transparency 164.520 TR-1(1) PT-5 6 5(f)(1)(j) 8 7011(e)(2)(F) PRI-02
Art 14.1 Principle 5.1.1 8.2.3 5.8 CM.PO-P1 7011(e)(3)
creation, use, dissemination, maintenance, retention, and/or disclosure of the personal data. Principle 2.1.a.ix
2.1.a.iii TR-2 PT-5(2) PRI-14.2
Art 14.2 Principle 6.1.0 8.5.1 7011(e)(3)(A)
7002(a)(1)
Principle TR-3
Art 14.3 Principle 2.1.a.iv
2.1.a.x 7.1.0 8.5.2 7011(e)(3)(B)
7002(a)(2)
Art 26.1 Principle 2.1.a.xi
Principle 2.1.a.v 7.1.1 8.5.6
7011(e)(3)(C)
7002(b)
7011(e)(3)(D)
26.2 Principle 2.1.a.xii
Principle 2.1.a.vi 8.1.0 7.2 AP-2 7002(b)(1)
Art 13.1 7011(e)(3)(E)
7002(b)(2)
Data Privacy Notice & Purpose Provide notice of the specific purpose(s) for which personal data is collected, created, used, disseminated, Principle 2.1.a.vii
Principle 2.1.a.xii Purpose Specification & 8.1.1 7.2.1 DI-2(1) 7011(e)(3)(F) PRI-02.1
4.1 Art 14.1 Purpose Specification 4.2.1 164.520 5.3 PT-3 CM.PO-P1 3 5(f)(1)(d) 2 7002(b)(3)
Specification maintained, retained and/or disclosed. Principle 2.1.a.viii Use Limitation 8.2.2 TR-1 AC-23
7011(e)(3)(G)
7002(b)(4) PRI-14.2
Art
Art14.2
5.1 Principle 2.1.b 9.1.0 7011(e)(3)(H)
Principle 2.1.a.ix 9.1.1 8.5.1 TR-1(1) MP-1 7002(b)(5)
7011(e)(3)(I)
Art 18.1 Principle 2.1.a.x 6.5.2 7002(c)(1)
10.1.0 PM-24 7011(e)(3)(J)
7002(c)(2)
P2.1 Art 18.2 Principle 2.1.a.xi 6.5.3.3 4(g) 7011(e)(4) DCH-01
Limit the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data 4.1.2
10.1.1 PM-25 7002(c)(3)
P4.1 Art 21.1 Principle2.1.a.xii
Principle 2.5.a 164.502 7.4.2 CT.DM-P5 5(a)(1)(c)(i) 7011(e)(5) PRI-02.2
5 Data Lifecycle Management to that which is legally authorized, relevant and deemed "reasonably necessary" for the proper performance 4 5.2.2
10.2.3 5.6 PT-2 4 5 7012(a)
P4.2 Art 21.2 Principle2.1.a.xii
Principle 2.5.b 164.504 7.4.8 CT.DM-P7 5(b)(4) PRI-05
of business functions. 5.2.3 PT-2(2) 7012(b)
P4.3 Art 21.3 Principle 2.1.b 8.2.3 App1-4(b)(2) 7012(c) PRI-11
PT-3(1)
Art 32.1 8.4.2 7012(c)(1)
PT-3(2) 7012(c)(2)
Art 32.2 7.2.8
5.1 Processing Records | Maintain a record of processing activities that documents the organization's necessary records to support its obligations for the processing of sensitive/regulated data. | SI-18, CM.AW-P4, 7012(c)(3), 8.2.6, SA-4(12), 7012(c)(4), PRI-09, CM.AW-P6, 7012(c)(5)
8.5.3
7012(d)
7012(e)(1)
7012(e)(2)
7012(e)(3)
7012(e)(4)
7012(e)(5)
5.2 Data Flow Mapping | Maintain a record of processing activities that documents the flow of personal data that includes: geographic locations and third-parties involved in the storage, transmission and/or processing of personal data; contact details of the controller(s) involved in the storage, transmission and/or processing of personal data; the purposes of the storage, transmission and processing; a description of the categories of data subjects and personal data; where possible, the time limits for erasure of the different categories of data; and, where possible, a description of the cybersecurity & data privacy measures of the data controller. | Art 30.1, Art 30.2, Art 30.3, Art 30.4, Art 30.5, PL-2, UL-2, SA-4(1), SA-4(2), ID.IM-P1, ID.IM-P4, 7012(e)(6), 7012(f), 7012(g), 7012(g)(1), 7012(g)(2), 7012(g)(3)(A), 7012(g)(3)(B), 7012(g)(3)(C), 7012(h), 7012(i), 7101(a), 7101(b), 7101(c), 7101(d), 7101(e), AST-04, CFG-08.1, DCH-01.3, PRI-11

5.3 Data Custodians | Identify the owners or operators of systems/products/services that process data, or with which data subjects are interacting. | CM-8(4), CT.DM-P7, 6.5.1.2, PT-3(1), SA-4(12), ID.IM-P2, AST-03, AST-03.1

5.4 Retention of Personal Data | Ensure that all records containing personal data are maintained in accordance with the organization's records retention schedule and comply with applicable statutory, regulatory and contractual obligations. | Art 5.1, Art 6.1, Art 26.1, Art 26.2, Principle 2.5.b, 6.5.3, 6.15.1.3, 7.4.7, MP-7, DM-2, SI-12, 5(f)(1)(h), 5, DCH-18, PRI-05
Art 27.3
Art 28.1
Art 28.2 MP-6
5.5 Secure Destruction of Personal Data | Utilize secure methods to dispose of or destroy both physical and digital media that contains personal data. | Art 5.1, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, 7.4.8, DM-2, MP-6(3), SI-12(3), CM-12, CT.DM-P5, 5, DCH-09.3, DCH-21, DCH-24
5.6 Geolocation Restrictions | Restrict the location of processing, storage and service locations to comply with the data privacy notice, as well as applicable statutory, regulatory and contractual obligations. | Art 29, Art 44, Art 45.1, Art 45.2, Art 46.1, Art 46.2, Art 46.3, Art 47.1, Art 47.2, Art 48, Art 49.1, Art 49.2, Art 49.6, PE-23, SA-9(5), SC-36, DCH-25, SEA-15, TPM-04.4
5.7 Data Portability | Provide the functionality to export personal data in a structured, commonly-used and machine-readable format that can be transferred to another controller without hindrance. | Art 20.1, Art 20.2, Art 20.3, Art 20.4, ID.DE-P4, CT.DM-P2, CT.DM-P6, 7101(a), 7101(b), 7101(c), 7101(d), 7101(e), PRI-06.6, PRI-06.7
5.8 Record of Disclosures | Develop and maintain an accounting of personal data disclosures that upon request can be made available to the individual whose personal data was disclosed. | P6.2, P6.3, Art 30.1, Art 30.2, Art 30.3, Art 30.4, Art 30.5, 164.502, 164.504, 164.506, 164.508, 164.528, 7.2.1, 7.2.4, 7.2.8, 7.5.3, 7.5.4, AR-6, PM-21, CM.AW-P4, 7102(a)(1)(A), 7102(a)(1)(B), 7102(a)(1)(C), 7102(a)(1)(D), PRI-14, PRI-14.1
5.9 Integrity Protections | Maintain the accuracy and relevance of personal data across the information lifecycle as personal data is collected, created, used, disseminated, maintained, retained and/or disclosed. | Art 5.1, Data Quality & Integrity, Quality & Integrity, 9.2.1, 7.4.3, 5.7, DI-2, PM-24, PR.DS-P6, PR.DS-P8, 6, 7102(a)(1)(E), 7102(a)(1)(F), GOV-10, PRI-05.2
7102(a)(2)
Art 4.5 CT.DP-P1 7102(b)
5.10 De-Identification | Process personal data in such a manner that it is not attributable to a data subject through technical or organizational measures (e.g., anonymization, pseudonymization or data minimization). | Art 5.1, Art 6.4, Art 32.1, 164.514(a), 164.514(b), SI-19, SI-19(4), CT.DP-P2, CT.DP-P3, CT.DP-P5, 5(f)(1)(f), DCH-23, PRI-05.3

Art 5.1 CA-2


PM-22
5.11 Quality Management | Maintain quality assurances throughout the information lifecycle with such accuracy, relevance, timeliness and completeness as is reasonably necessary to ensure fairness to the individual. | P7.1, 6, Art 21.5, Data Quality & Integrity, Quality & Integrity, 7.4.3, 6.3.1.5, PT-1, PT-3(2), PM-11, PM-23, CT.DM-P8, CT.PO-P1, CT.PO-P4, CM.AW-P3, 2, 6, PRI-10, PRI-10.1
Art 22 6.11 PM-24 PRM-04
AR-7 RA-9 CT.DM-P7
6.11.1 PRM-05
SA-8 SA-3 CT.DM-P8
6.11.2 PRM-06
5.12 Secure Data Processing | Implement secure data processing practices so that the confidentiality, integrity and pertinent attributes of sensitive/regulated data are maintained throughout the data lifecycle. | SA-13, SA-3(1), CT.PO-P4, 6.11.2.1, PRM-07, SC-1, SA-8, ID.DE-P4
6.11.2.2 PRM-08
SC-7(18) SA-8(30) ID.IM-P5
6.11.2.5 SEA-01
5.13 Data Lineage | Maintain records of the inputs, entities, systems, applications and processes that influence data of interest, providing a historical record of the data and its origins. | SI-1, SA-15(5), PR.PP-P3, ID.IM-P7, 7.4, TDA-06, SC-1, PR.PP-P4, ID.IM-P8, 8.4, PL-2, PL-2, IAO-03
SC-7(18) PR.PP-P5
ID.BE-P3
SI-1 IN.AW-P6
5.14 Updated Use Permissions | Implement data management processes to adjust data that is able to be collected, created, used, disseminated, maintained, retained and/or disclosed, based on updated data subject authorization(s). | 7002(f), PT-4(2), CT.PO-P1, 7.3.4, 7028(a), 7020(a), PRI-03.2, PT-5(1), CT.PO-P3, 7020(b)
7028(b)
7023(h)
7020(c)
7024(a)
7020(e)
Principle 2.6.a 7024(b)
7020(f)
5.15 Flaw Remediation with Personal Data | Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed. | Art 5.1, Principle 3.8.c.i, Principle 3.8.c.ii, 6.9.6, 6.9.6.1, SI-18(4), CM.AW-P5, 6, 7024(c), 7024(c)(1), 7020(g), 7020(h), DCH-22.1, VPM-04.2
Art 12.1 7024(c)(2)
7021(a)
Principle 3.8.e.i 7024(c)(3)
Art 12.2 7021(b)
7022(c)(3)
5.16 Analytical Biases | Understand and evaluate data analytic inputs and outputs for potential bias. | Principle 3.8.c.i, Principle 3.8.e.i.1, ID.RA-P2, 7024(c)(4)
7023(h) PRI-10.2
Art 13.2 6.2.1 7022(c)(4)
7024(d)
Principle 3.8.c.ii Principle 3.8.e.i.2 7060(a)
Art 14.2 6.2.2 7024(e)
7023(j)
7023(a)
7060(b)
Principle 3.8.e.i Principle 3.8.e.i.3 164.502 7024(f)
P5.1 Art 15.1 6.2.3 7.3.6 AC-3(14) 7060(c)(1)
7050(a)(1)
7023(b) PRI-06
6 Data Subject Rights Provide data subjects with appropriate access to their personal data. 8 Art 3.8.e.i.4 Access & Amendment 164.522 IP-2 CT.DM-P1 9 Sec2.1
Art 18.1 Principle 3.8.e.i.1 7024(g)
7060(c)(2)
P6.7 15.2 6.2.4 8.2.5 SI-18(4) 7050(a)(2)
7023(b)(1)
7024(h) PRI-07.4
Art 3.8.e.i.5 164.524 7060(c)(3)(A)
Art 18.2
15.3 Principle 3.8.e.i.2
6.2.5 7024(i)
7050(a)(3)
7023(b)(1)(A)
7060(c)(3)(B)
Art Principle3.8.e.i.3
3.8.c.ii
Art 18.3
15.4 Principle
6.2.6
CM.AW-P2 7024(j)
7060(c)(3)(C)
7050(a)(3)(A)
7023(b)(1)(B) Sec2.1 DCH-22.1
Art Principle3.8.e.i.4
3.8.f.i
Art 19 Principle PM-26 CT.DM-P1
6.1 Inquiry Management | Maintain a capability to receive and respond to data privacy-related requests, complaints, concerns or questions from data subjects. | P8.1, 16, Art 21.1, Art 26.3, Principle 3.8.e.i.5, Principle 3.8.f.ii, 7.1.2, 164.522, 7.3.9, 10.2.1, IP-4, SI-18(4), GV.MT-P4, 10, 7023(b)(1)(C), 7024(k), 7024(k)(1), 7050(a)(3)(B), 7050(a)(4), 7060(c)(3)(D), 7060(c)(3)(E), Sec2.2, PRI-06.4
7024(k)(2)
7023(b)(2)
7060(c)(3)(F) Sec2.4 PRI-07.4
Art 21.6 Principle 3.8.f.iii
3.8.c.ii GV.MT-P7 7024(k)(3)
Principle 10.2.2 7060(d)
7050(a)(5)
7023(c)
Art 22 Principle 3.8.g.i
3.8.f.i 7.3.6
7024(k)(4)
7060(e)
Principle 3.8.h.i CT.DM-P1 7050(b)
7023(d)(1)
7024(k)(5)
DCH-22.1
6.2 Updating Personal Data | Provide data subjects with appropriate opportunity to correct or amend their personal data. | Art 5.1, Art 26.3, Principle 3.8.f.ii
2.6.a 164.526 7.4.3 SI-18(4)
7060(f)
Sec2.3
CT.DM-P3 7050(b)(1)
7024(k)(6)
7023(d)(2)
7060(g)
PRI-12
Principle 3.8.f.iii 8.2.5 7024(l)
7060(h)
7050(b)(2)
7023(d)(2)(A)
Principle 3.8.g.i 7061(a)
Art 12.3 7050(c)
7023(d)(2)(B)
Principle 3.8.h.i 6.2.5 7061(b)
Art 14.2 7050(d)
7023(d)(2)(C)
7062(a)
6.3 Redress | Provide data subjects with appropriate opportunity to challenge the organization’s compliance with its data privacy principles. | Art 16, Access & Amendment, 164.522, 6.2.6, 7.3.6, 10.2.1, IP-3, SI-18(5), CT.DM-P3, 10, 7050(e), 7062(b), 7062(c), 7023(d)(2)(D), PRI-06.1
Art 18.1 7050(f)
7023(d)(3)
7062(d)
10.2.2
Art 26.3 CM.AW-P1 7050(g)
7023(d)(4)
7062(e)
Art 12.3
CM.AW-P5 7051(a)(1)
7062(e)(1)
7023(e)
6.4 Notice of Correction or Amendment | Notify affected data subjects and applicable third-parties when personal data is corrected or amended. | P5.2, 8, Art 18.3, Art 19, 164.526, 8.5.8, SI-18(5), CM.AW-P7, 7051(a)(2), 7023(f), 7062(e)(2), 7062(f), PRI-06.2, PRI-07.3
CM.PO-P1 7051(a)(3)
7023(f)(1)
7062(g)
Art 26.3
CT.PO-P4 7051(a)(4)
7023(f)(2)
7051(a)(5)
7023(f)(3)
7051(a)(6)
7023(f)(4)
7051(a)(7)
7023(g)
7051(a)(8)
7023(h)
7051(a)(9) 251 of 280
Licensed by Creative Commons Attribution-NoDerivatives 7023(i)
7051(a)(10)
7023(j)
7051(b)
7023(k)
7051(c)
7052(a)
7052(b)
version 2023.4 Secure Controls Framework (SCF) 03/12/2024
Data Privacy Management Principles (DPMP)

# | Principle Name | SCF Data Privacy Management Principle (SCF-DPMP) Description | Mapped identifiers, drawn from: AICPA TSC SOC 2 (2017), APEC Privacy Framework, EU GDPR, EU-US Data Privacy Framework, FIPPs (DHS), FIPPs (OMB), GAPP, HIPAA Privacy Rule, ISO 27701 v2019, ISO 29100 v2011, NIST SP 800-53 rev4, NIST SP 800-53 rev5, NIST Privacy Framework v1.0, OECD, OMB A-130, PIPEDA, US-California CPRA, US-Nevada SB220, Secure Controls Framework (SCF)
Art 21.1 7022(a)
6.5 Appeal | Provide data subjects with appropriate opportunity to appeal an adverse decision to have incorrect personal data amended. | Art 21.2, Art 21.3, 164.526, PM-26, CM.AW-P8, 7022(b)(1), 7022(b)(2), PRI-06.3
7022(b)(3)
Art 26.3 7022(c)(1)
7022(c)(2)
GV.PO-P4
6.6 Right to Erasure | Provide data subjects with appropriate opportunity to request the deletion of personal data where it is used, disseminated, maintained, retained and/or disclosed, including where the personal data is stored or processed by third-parties. | Art 5.2, Art 17.1, Art 17.2, Art 17.3, Principle 2.6.a, 7.3.6, CT.DM-P4, PC.AC-P1, PC.AC-P2, PC.AC-P3, 7022(c)(3), 7022(c)(4), 7022(d), 7022(e), GOV-15, GOV-15.1, PRI-06.5
7022(f)(1) GOV-15.2
Art 24.1 AC-1 PC.AC-P4 7022(f)(2)
GOV-15.3
Art 24.2 AU-1 AU-1 PC.AC-P5
CM.AW-P3 7022(f)(3)
7022(f)(4) GOV-15.4
7 Cybersecurity by Design | Establish administrative, technical and physical safeguards to protect sensitive/regulated data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination. Selected practices are in accordance with industry-leading practices (e.g., ISO 27002, NIST 800-53, Secure Controls Framework (SCF), etc.). | Art 5.2, Art 24.3, Art 25.1, Art 25.2, Art 25.3, Principle 2.4.a, Security, Security, 8.2.2, 164.502, 164.504, 164.530, 7, AU-2, AU-2, PL-1, PL-1, PL-9, PL-9, SA-1, SA-1, PC.AC-P6, PR.PO-P1, PR.PO-P2, PR.PO-P3, CT.PO-P1, CT.DM-P7, CT.DM-P8, 7022(g), 7022(h), IAC-01, MON-01, GOV-15.5
ID.DE-P4 GOV-15
AR-7 CM-4 MON-02
Art 24.1
Art 32.1 SA-11 SA-11 PR.PO-P4
PR.DS-P3 GOV-15.1
CM-4 PL-8 PRI-01.6
Art 24.2
Art 32.2 SA-23 PR.PO-P5
PR.DS-P4 GOV-15.2
PL-8 PM-7 SEA-01.1
Art 24.3
Art 40.2 4.2.3 PR.PO-P6
PR.DS-P5 GOV-15.3
7.1 Cybersecurity Considerations | Incorporate data privacy requirements into enterprise architecture to ensure that risk is addressed so systems, applications and services achieve the necessary levels of trustworthiness, protection and resilience. | 7, Art 25.1, Art 25.2, Principle 2.4.a, Security, Security, 6.2.2, 6.11.2.5, 7.2.2, 7.4, 8.4, 164.504, 164.530, PM-7, PT-1, SA-8, SA-8, SA-13, SC-1, 5, App1-4(b)(5), 7, 7001, PR.PO-P7, PR.PO-P8, PR.PO-P10, PR.DS-P7, PR.MA-P1, TDA-01, TDA-09, GOV-15.4, GOV-15.5
Art 25.3 7.2.3 SC-8 PR.MA-P2 CHG-03
SC-1 SC-7(18)
SC-8
Art 32.1 6.7 SC-8(2) PR.PP-P3 PRI-01.6
164.502 SC-7(18) SI-1
SC-8(2) CRY-01
Art 32.2 6.7.1 SC-13 PR.PP-P4
PR.DS-P1 SEA-01
7.2 Cryptographic Protections | Ensure personal data is encrypted both at rest and in transit. | Art 5.1, Art 40.2, 6.7.1.1, 164.504, SI-1, SA-15(5), SC-13, SC-13(1), PR.PP-P5, CRY-03
PR.DS-P2 SEA-02
164.530 SC-28(2) PR.PT-P1 CRY-05
6.10.2.3 SC-28(2)
SI-7(6) PR.PT-P2
7.3 Physical Protections | Ensure physical security and environmental controls provide appropriate protection for environments where personal data is stored, transmitted and/or processed. | Art 32.1, Art 32.2, Security, Security, 8.2.3, 8.2.4, 164.504, 164.530, 6.8.1.4, 6.15.1.4, SI-7(6), PE-1, PE-1, PE-23, PR.AC-P2, PR.PT-P3, PR.PT-P4, 7, PES-01
7.4 Embedded Technology | Facilitate the secure implementation of embedded technologies so sensors minimize the collection of personal data and alert data subjects to the personal data collected by those sensors. | Art 5.1, Art 5.2, Art 32.1, Art 32.2, Transparency, Transparency, 164.504, 164.530, PM-25, SA-8(33), SC-42(2), SC-42(5), EMB-01, END-13.1, END-13.2, END-13.3

7.5 Retire Outdated Systems | Upgrade, replace, or retire any system, application or service for which appropriate protections, commensurate with risk, cannot be effectively implemented. | 164.504, 164.530, SA-22, SA-22, App1-4(b)(3), TDA-17

7.6 Personnel Security | Implement personnel management practices, covering employees, contractors and other entities, that ensure appropriate vetting and clearance to systems, applications and/or services that contain, store or transmit personal data. | Art 32.1, Art 32.2, Art 32.4, 6.4.2.2, 164.504, 164.530, AT-1, AT-1, PM-13, PM-13, GV.PO-P1, PR.PO-P9, 5(c)(2), App1-4(h)(1)-(2), App1-(4)-(7), 7, 7100(a), 7100(b), SAT-01

7.7 Rules of Behavior | Require employees and contractors to read and agree to abide by the organization's rules of behavior, prior to being granted access to systems, applications and/or services that store, transmit or process personal data, including social media. | CC1.1, 6.4.2.1, 6.5.1.3, 164.504, 164.530, PL-4, PL-4, PL-4(1), PL-4(1), PR.PO-P9, App1-4(h)(6), App1-4(h)(7), HRS-05.1, HRS-05.2

7.8 Employee Sanctions | Utilize employee sanctions to hold personnel accountable for complying with the organization's data privacy policies and processes. | CC1.5, 6.4.2.3, 164.504, 164.530, PS-8, PS-8, PR.PO-P9, App1-3(b)(9), HRS-07

7.9 Workforce Management | Respond to changing mission requirements and maintain workforce skills in a rapidly-developing technology environment through recruiting and retaining the talent needed to support the organization's mission. | Art 32.1, Art 32.2, Art 32.4, 164.504, 164.530, PS-1, PS-1, PR.PO-P9, 5(c)(1), 5(c)(7), HRS-01

7.10 Professional Competency | Develop and enforce data privacy competency requirements for staff members involved in the acquisition, management, maintenance and use of information resources, to ensure they have the appropriate knowledge and skill. | Art 32.1, Art 32.2, Art 32.4, 6.4, 6.4.1, 6.4.1.1, 164.504, 164.530, PS-3, PS-3, PR.PO-P9, 5(c)(1), HRS-04

7.11 Cybersecurity & Data Privacy Control Validation | Develop and enforce an Information Assurance (IA) capability that provides a mechanism to perform pre-production control testing to ensure applicable cybersecurity & data privacy controls exist and are functioning. Systems, applications and services are prohibited from "going live" without security authorization, following the results of pre-production control testing. | CA-1, CA-1, CA-6, CA-6, CA-7(4), PM-10, PM-10, SA-11, SA-11, IAO-01, IAO-07, RSK-11, TDA-09

7.12 Secure Configuration Management | Implement secure configuration management throughout the System Development Life Cycle (SDLC) to ensure systems, applications and/or services are configured according to industry-recognized secure practices. | CM-1, CM-1, SA-11, SA-11, CFG-01, TDA-09

7.13 Situational Awareness | Correlate logs from across the organization with a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness of events for potential cybersecurity & data privacy incidents. | IR-4(4), App1-4(b)(3), App1-4(f)(1), App1-4(f)(3), MON-02, MON-02.1
8 Incident Response | Maintain and test incident response plans, capabilities and training for employees and third-party stakeholders on how to report and respond to incidents. | Art 33.1, Art 33.2, Art 33.3, Art 33.4, Art 33.5, 1.2.7, 7.2.4, 6.13, 6.13.1, 6.13.1.1, 6.13.1.5, SE-2, IR-1, IR-1, IR-3, IR-3, IR-7, IR-7, IR-8, IR-8, IR-8(1), GV.MT-P4, GV.MT-P5, PR.PO-P7, App1-4(f)(4), App1-4(f)(5), App1-4(f)(6), App1-4(f)(7), App1-4(f)(8), App1-4(f)(9), IRO-01, IRO-04, IRO-04.1, IRO-06, IRO-11
8.1 Coordinated Response | Respond to incidents in a coordinated and structured manner to ensure the appropriate steps are taken to identify and respond to potential incidents. | Art 33.1, 6.13.1.4, IR-10, IR-4(11), App1-4(f)(10), App1-4(j)(2)(e), IRO-07
164.400
Art 33.2
164.402
Art 33.3
164.404
Art 33.4
8.2 Breach Notification | Report data breaches involving personal data to relevant regulators, law enforcement and affected parties in accordance with applicable statutory, regulatory and contractual obligations for breach notification. | P6.6, Art 33.5, 1.2.7, 164.406, 164.408, 6.13.1.2, 6.13.1.3, IR-6, IR-6, IR-7(2), IR-7(2), App1-4(b)(3), IRO-10, IRO-11.2
Art 34.1
164.410
Art 34.2
164.412
Art 34.3
164.414 GV.MT-P1
Art 34.4
CA-7(4) GV.PO-P4
9 Risk Management | Implement a risk management framework to ensure that risks are identified, evaluated and addressed to achieve necessary levels of trustworthiness, protection and resilience. | Art 32.1, Art 32.2, 6.8.1.4, PM-9, PM-9, PM-29, RA-1, RA-1, GV.RM-P1, GV.RM-P2, GV.RM-P3, ID.DE-P1, 4(i), RSK-01, RSK-11
9.1 Evaluate Risks | Utilize appropriate risk analysis methods to evaluate the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of personal data where it is stored, transmitted and/or processed. | Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11, 1.2.4, 5.4.1.2, 6.8.1.2, RA-3, RA-3, GV.MT-P1, ID.DE-P1, ID.DE-P5, 5(d)(3), 5(d)(4)(b), RSK-04
Art 35.1
Art 35.2
PM-29
Art 35.3 GV.MT-P1
PM-30 RSK-08
9.2 Assess Supply Chain Risk | Assess supply chain risks associated with systems, system components and services for data privacy implications. | Art 35.6, Art 35.8, SA-12, RA-3(1), ID.DE-P2, ID.DE-P3, RSK-09
SR-2 RSK-09.1
Art 35.9 ID.DE-P5
SR-7
Art 35.11
Art 36.3 CA-5 IAO-05
9.3 Risk Awareness | Maintain a current and accurate register of risk (e.g., Plan of Action & Milestones (POA&M), risk register, etc.). | Art 35.1, CA-5, CA-7(4), PM-4, PM-4, ID.DE-P1, RSK-04.1, RSK-11

Art 35.1 ID.DE-P1


GV.MT-P1
9.4 Risk Response | Responses to identified risks are appropriately identified, categorized and prioritized. | Art 35.2, RA-7, ID.RA-P5
GV.MT-P4 RSK-06.1
Art 35.3 RS.MI-P3
GV.MT-P5
Art 35.6 ID.IM-P7
Art 35.7 ID.RA-P1
9.5 Data Protection Impact Assessment (DPIA) | Utilize Data Protection Impact Assessments (DPIAs) to effectively identify and reduce data privacy risks to an acceptable level. | Art 35.8, 1.2.4, 4.2.3, 7.2.5, AR-2, RA-8, ID.RA-P2, 5(f)(1)(i), RSK-10
Art 35.9 ID.RA-P3
Art 35.11 ID.RA-P4
Art 36.1 ID.RA-P5
Art 36.2 ID.DE-P2
Art 36.3 ID.DE-P3
7012(g)
7012(g)(1)
7012(g)(2)
7012(g)(3)(A)
7012(g)(3)(B)
7012(g)(3)(C)
7001(w)
7002(a)(1)
7022(c)(3)
7012(g)
7002(a)(2)
7022(c)(4)
Principle 2.3.b(i)
7012(g)(1)
Art 28.1 7050(a)(1)
7002(b)
7012(g)(2)
Art 28.2 Principle 2.3.b(ii)
Principle 2.3.b(iii) 7050(a)(2)
7002(b)(1)
7012(g)(3)(A)
Art 28.3 7050(a)(3)
7002(b)(2)
Principle 2.3.b(iv) 7012(g)(3)(B)
Art 28.4 7050(a)(3)(A)
7002(b)(3)
Principle
Principle2.3.b(v)
2.3.a 6.12 SA-4 7012(g)(3)(C)
Provide data privacy oversight of third-parties with access to personal data, so that only trusted third-parties Art 28.5 SA-4 7050(a)(3)(B)
7002(b)(4) TPM-01
10 Third-Party Management Art28.6
6.1 Principle
Principle2.3.b(vi)
2.3.b(i) 164.514 6.12.1 SA-9 GV.PO-P4 7050(a)(1)
are contracted with. Art SA-9 7050(a)(4)
7002(b)(5) TPM-04
Art
Art28.1
6.4 Principle2.3.b(ii)
Principle 2.7.a.i 6.12.1.1 SR-1 7050(a)(2)
Art 28.9 7050(a)(5)
7002(c)(1)
28.2
Art28.10
15.2 Principle2.3.b(iii)
Principle 2.7.a.ii 7050(a)(3)
Art 7002(c)(2)
7050(b)
Art 28.3
20.2 Principle 2.3.b(iv)
Principle 2.7.a.iii 7050(a)(3)(A)
Art 32.1 SA-9 7050(b)(1)
7002(c)(3)
Govern the disclosure of personal data to ensure it is only provided to trusted third-parties that can store, Art 28.4
26.1 Principle
Principle 2.7.b SA-9 App1-4(j)(2)(b) 7050(a)(3)(B) TPM-03
10.1 Supply Chain Protections Art 32.2 Principle2.3.b(v)
2.3.a 6.12.1.3 SR-2 GV.PO-P4 7050(b)(2)
7010(a)
process and/or transmit it in a secure manner. Art 28.5
26.2 Principle2.3.b(vi)
Principle 2.7.c SA-12 App1-4(j)(3) 7050(a)(4) TPM-04
Principle 2.3.b(i) SR-2(1) 7010(b)
7050(c)
Art 28.6
26.3 Principle 2.7.d
Principle2.3.b(ii)
2.7.a.i 7050(a)(5)
Principle 7050(d)
7010(e)
Art
Art28.9
44 Principle 3.10.a.i
Principle2.3.b(iii)
2.7.a.ii 7.4.9 5(e)(1)(b) 7050(b)
Principle 7050(e)
7011(a)
Art28.10
Art
Art 6.1
45.1 Principle 3.10.a.ii
Principle 2.3.b(iv)
2.7.a.iii 7.2.1 7.5 5(e)(1)(c) 7050(b)(1)
Secure Disclosure To Third- Govern third-party use of personal data to ensure data privacy requirements are enforced when a third-party Principle 164.502 7012(g)
7011(b)
7050(f)
10.2 P6.1 Art45.2
Art 6.4 Principle
Principle3.10.a.ii.1
2.7.b 7.2.2 8.4.3 UL-2 AC-21 CT.PO-P2 5(e)(1)(d) 7050(b)(2) PRI-07
Parties stores, processes or transmits personal data on behalf of the organization. Principle 2.3.b(v) 164.504 7012(g)(1)
7050(g)
7011(c)
Art
Art 26.1
46.1 Principle
Principle3.10.a.ii.2
2.7.c 7.2.3 8.5.1 5(e)(7)(h) 7050(c)
Principle 2.3.b(vi) 7012(g)(2)
7051(a)(1)
7011(d)
Art
Art 26.2
46.2 Principle
Principle3.10.a.ii.3
2.7.d 8.5.7 App1-3(c) 7050(d)
Principle 2.7.a.i 7012(g)(3)(A)
7051(a)(2)
7011(e)(1)
Art
Art 26.3
46.3 Principle
Principle 3.10.a.iii
3.10.a.i 7050(e)
Principle 2.7.a.ii 6.10.2.4 7012(g)(3)(B)
7011(e)(1)(A)
7051(a)(3)
Art
Art 28.1
47.1 Principle 3.10.b.i 5(a)(1)(b)(ii) 7050(f)
Principle 3.10.a.ii
2.7.a.iii 164.502 6.12.1.2 7012(g)(3)(C)
7011(e)(1)(B)
7051(a)(4)
Contractual Obligations for Require terms and conditions in contracts and other agreements to cover the collection, creation, use, P6.4 Art
Art 28.2
47.2 Principle
Principle 3.10.c.i
3.10.a.ii.1 4.2.3 AR-3 5(d)(1)(j) 7050(g) PRI-07.1
10.3 Principle 2.7.b 164.504 7.2.6 SA-9(3) ID.DE-P3 7050(a)(1)
7011(e)(1)(C)
7051(a)(5)
Third-Parties dissemination, maintenance, retention, and/or disclosure of personal data. P6.5 Art
Art28.3
48 Principle 3.10.a.ii.2 7.2.4 SA-9(3) App1-3(d) 7051(a)(1) TPM-05
Principle 2.7.c 164.514 8.2.5 7050(a)(2)
7011(e)(1)(D)
7051(a)(6)
Art
Art 28.4
49.1 Principle 3.10.a.ii.3 App1-4(j)(1) 7051(a)(2)
Principle 2.7.d 8.5.8 7050(a)(3)
7011(e)(1)(E)
7051(a)(7)
Art
Art 28.5
49.2 Principle 7051(a)(3)
Principle 3.10.a.iii
3.10.a.i 7050(a)(3)(A)
7011(e)(1)(F)
7051(a)(8)
Art
Art 28.6
49.6 Principle 3.10.a.ii
3.10.b.i 7051(a)(4)
Validate that data privacy controls for systems, applications and services used or operated by third-parties Principle 1.2.6 7050(a)(3)(B)
7011(e)(1)(G)
7051(a)(9)
Art 28.9 Principle3.10.a.ii.1
3.10.c.i 7051(a)(5)
are effectively-implemented and align with industry-recognized secure practices, as well as comply with Art28.10
32.1 Principle 10.2.3 6.15.2.2 AR-4 PM-14 7050(a)(4)
7011(e)(1)(H)
7051(a)(10) PRI-08
10.4 Third-Party Compliance Art GV.PO-P4 App1-4(j)(2)(b) 7051(a)(6)
applicable statutory, regulatory and contractual obligations. Art Principle 3.10.a.ii.2
Art32.2
29 10.2.4 6.15.2.3 SA-9 SA-9 7050(a)(5)
7011(e)(1)(I)
7051(b)
7051(a)(7) TPM-04
Principle 3.10.a.ii.3 10.2.5 7050(b)
7011(e)(1)(J)
7051(c)
7051(a)(8)
Principle 3.10.a.iii 7050(b)(1)
7011(e)(1)(K)
7052(a)
7051(a)(9)
Principle 3.10.b.i 7050(b)(2)
7011(e)(2)
7052(b)
6.12 PM-3 GV.PO-P2 7051(a)(10)
11 Business Environment | The organization’s mission, objectives, stakeholders and activities are understood and prioritized to provide resourcing and guidance for data privacy roles, responsibilities and risk management decisions. | Principle 3.4.a, Principle 3.10.c.i, 6.12.1, PM-3, SA-4, SA-4, GV.PO-P3, 7011(e)(2)(A), 7050(c), 7050(d), 7051(b), 7053(a)(1), PRM-02
7011(e)(2)(B)
7053(a)(2) TPM-01
6.12.1.1 SR-1 GV.PO-P4 7051(c)
Principle 3.4.b 7050(e)
7011(e)(2)(C)
7053(a)(3)
7052(a)
Principle 3.6.a 7.2.7 7050(f)
7011(e)(2)(D)
7053(a)(4)
7052(b)
ID.IM-P5
11.1 Data Privacy Protections Context | Identify and document the organization's role as a controller and/or processor of sensitive/regulated data, including instances involving more than one party. | Principle 3.6.b, Principle 3.6.b.i, 7.4.9, 8.4.3, CM.PO-P1, CT.PO-P1, ID.BE-P1, 7011(e)(2)(E), 7050(g), 7051(a)(1), 7053(a)(1), 7053(a)(5), GOV-08
7011(e)(2)(F)
7053(a)(6)
7053(a)(2) PRI-07.2
ID.BE-P2
Principle 3.6.b.ii 8.5.7 CT.PO-P2 7051(a)(2)
7011(e)(3)
7053(b)
7053(a)(3)
Principle 3.6.b.iii CT.PO-P3 7051(a)(3)
7011(e)(3)(A)
7053(a)(4)
Art 32.1 Principle 3.4.a
Principle 3.6.b.iii.1 6.2 GV.PO-P1 7051(a)(4)
7011(e)(3)(B)
7053(a)(5)
11.2 Policies, Standards & Procedures | Ensure appropriate policies, standards and procedures exist to operationalize the data privacy program. | Art 32.2, Art 32.3, Principle 3.4.b, Principle 3.6.a, Principle 3.6.b.iii.2, 8.2.1, 164.530(h)(1), 6.2.1, PM-1, PM-1, PM-20, GV.MT-P3, App1-4(j)(2)(a), 7011(e)(3)(C), 7051(a)(5), 7053(a)(6), GOV-02, PRI-01.3
Principle 3.6.b.iv 6.2.1.1 GV.MT-P4 7051(a)(6)
7011(e)(3)(D)
7053(b)
Art 32.4 Principle 3.6.b
Principle 3.6.b.iv.1 GV.MT-P5 7051(a)(7)
7011(e)(3)(E)
Principle 3.6.b.i
Art 5.2 Principle 3.6.b.iv.2 GV.MT-P6 7051(a)(8)
7011(e)(3)(F)
Principle 3.6.b.ii
11.3 Periodic Review | At planned intervals or after significant changes, review policies, standards and procedures to ensure the continuing suitability, adequacy and effectiveness to meet the organization's applicable statutory, regulatory and contractual needs. | Art 32.1, Art 32.2, Art 32.3, Principle 3.6.b.iii, Principle 3.6.b.iii.1, Principle 3.6.b.v, Principle 3.6.b.vi, Principle 3.6.b.vii, 8.2.1, 10.2.4, 164.530(h)(2), 6.2.1.2, CA-2, CA-2, PM-1, PM-1, GV.MT-P1, GV.MT-P2, GV.MT-P7, PR.PO-P4, 7011(e)(3)(G), 7011(e)(3)(H), 7051(a)(9), 7051(a)(10), 7051(b), GOV-03, CPL-03
7011(e)(3)(I)
Principle 3.6.b.iii.2
Art 32.4 Principle 3.6.b.viii 7051(c)
7011(e)(3)(J)
Principle 3.6.b.iv
Principle 3.6.c 7052(a)
7011(e)(4)
Art 5.1 Principle 3.6.b.iv.1
Principle 3.6.d 7052(b)
7011(e)(5)
Art 5.2 Principle 3.6.b.iv.2 CA-7 App1-3(a)
Principle 3.6.e 7053(a)(1)
7012(a)
11.4 Oversight | Provide oversight of data privacy controls throughout the lifecycle of systems, applications and services to ensure that, in a timely manner, senior leaders within the organization are made aware of data privacy-related risks that are not appropriately remediated. | Art 1.2, Art 2.1, Art 2.2, Art 30.1, Art 30.2, Art 30.3, Principle 3.5.b, Principle 3.5.b.i, Principle 3.6.b.v, Principle 3.6.b.vi, Principle 3.6.b.vii, Principle 3.6.f, Principle 3.6.g, Accountability & Auditing, Accountability & Auditing, 8.2.7, 164.530(c)(1), CA-7, CA-7(1), CA-7(1), PM-14, PM-14, PM-23, CT.DM-P8, GV.MT-P4, PR.PO-P5, App1-3(b)(4), App1-3(f), App1-3(g), 7012(b), 7012(c), 7053(a)(2), 7053(a)(3), 7101(a), 7101(b), CPL-02, PRI-13
Art 3.1 Principle 3.6.h
Principle 3.5.b.ii 7053(a)(4)
7012(c)(1)
Art 30.4
Art 3.2 Principle
Principle 3.6.b.viii
3.5.b.iii
PM-24 App1-4(b)(2) 7101(c)
Principle 3.7.a 7053(a)(5)
7012(c)(2)
Art
Art30.5
3.3 Principle 3.6.c
Principle 3.6.a 7101(d)
Principle 3.7.b 7053(a)(6)
7012(c)(3)
Art 6.1 Principle 3.6.d
Principle 3.6.b 7101(e)
Art 17.3 Principle 3.7.c
Principle 3.6.b.i 7053(b)
7012(c)(4)
Art 20.3
Principle 3.6.e CM.AW-P4 5(a)(1)(c)(ii) 7102(a)(1)(A) GOV-01.2
11.5 Metrics & Trends | Provide performance metrics and trend analysis to enable management visibility and coordinate data privacy efforts across the organization. | 9, Art 31, Art 23.1, Principle 3.6.b.ii, Principle 3.6.b.iii, Principle 3.6.f, Principle 3.7.d, Principle 3.7.e, 10.2.3, 10.2.5, AR-6, PM-6, PM-6, PM-27, CM.AW-P6, 8, App1-3(b)(10), 4(g), 7012(c)(5), 7012(d), 7102(a)(1)(B), GOV-05
Art 23.2 Principle 3.6.g
Principle 3.6.b.iii.1 CM.AW-P7 App1-4(1)
5(e)(1)(d) 7102(a)(1)(C) PRI-14
Art 24.1 Principle 3.6.b.iii.2 AU-11 7012(e)(1)
Art 24.2
Principle 3.6.h
Principle 3.6.b.iv 5(f)(1)(a) 7102(a)(1)(D) CPL-01
PL-1 7012(e)(2)
Art 24.3 Principle 3.7.a
Principle 3.6.b.iv.1 164.530(c)(1) 5(f)(1)(c) 7102(a)(1)(E) MON-10
11.6 Compliance | Oversee the execution of data privacy controls to create appropriate evidence of due diligence and due care, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions. | Art 25.1, Art 25.2, Art 25.3, Principle 3.6.b.iv.2, Principle 3.6.b.v, Principle 3.6.b.vi, Principle 3.7.b, Principle 3.7.c, 6.15, 6.15.1, 6.15.1.1, 164.500, 164.501, AU-11, PL-1, PM-8, PM-8, PT-6, PT-6(1), GV.MT-P3, GV.PO-P4, App1-3(a), 5(f)(1)(g), 7010(a), 7012(e)(3), 7012(e)(4), 7012(e)(5), 7102(a)(1)(F), 7102(a)(2), PRI-02.3, PRI-02.4
Art 27.1 Principle 3.7.d
Principle 3.6.b.vii 164.502(a-j) App1-3(b)(4) 7102(b) PRI-02.5
PT-6(2) 7012(e)(6)
Art 27.2 Principle 3.7.e
Principle 3.6.b.viii
App1-3(f) PRI-02.6
Art 27.3 Principle 3.6.c PT-8 7012(f)
Art 27.4 Principle 3.6.d CP-2(8) App1-3(g) 7012(g)
App1-4(j)(3) BCD-02
11.7 Critical Business Functions | Ensure systems/products/services that support organizational priorities are assessed so that critical assets are identified and key functional requirements communicated. | Art 27.5, Art 32.1, Principle 3.6.e, Principle 3.6.f, CP-2(8), PM-30(1), SA-14, RA-9, ID.BE-P3, TDA-06.1, 7012(g)(1), 7012(g)(2)
Art 32.2 Principle 3.6.g TPM-02
Art 32.3 Principle 3.6.h SA-15(3) 7012(g)(3)(A)
Art 32.4 Principle 3.7.a
Art 40.1 Principle 3.7.b 7012(g)(3)(B)
Art 40.2 Principle 3.7.c 7012(g)(3)(C)
Art 42.2 Principle 3.7.d 7012(h)
Art 43 Principle 3.7.e
Art 50 7012(i)
7102(a)(1)(A)
7102(a)(1)(B)
7102(a)(1)(C)
7102(a)(1)(D)
7102(a)(1)(E)
7102(a)(1)(F)
7102(a)(2)
7102(b)

version 2023.4 Secure Controls Framework (SCF) to AICPA TSC 2017 Points of Focus (POF) 03/12/2024

Control # Control Points of Focus (POF) SCF #

CPL-02
GOV-04
HRS-01
CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values. HRS-05
HRS-05.1
HRS-07.1

CC1.1-POF1 | Sets the Tone at the Top — The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. | GOV-01, GOV-14

CC1.1-POF2 | Establishes Standards of Conduct — The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. | HRS-05.1

CC1.1-POF3 | Evaluates Adherence to Standards of Conduct — Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct. | CPL-02, CPL-03, HRS-01

CC1.1-POF4 | Addresses Deviations in a Timely Manner — Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner. | CPL-01.1, RSK-06

CC1.1-POF5 | Considers Contractors and Vendor Employees in Demonstrating Its Commitment — Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner. | TPM-01, TPM-03, TPM-05, TPM-06

CC1.2 | COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. | GOV-01, GOV-05, GOV-05.1, GOV-05.2, HRS-02, HRS-03, HRS-03.2

CC1.2-POF1 | Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations. | GOV-01.1, GOV-04.1, GOV-04.2, HRS-01, HRS-02, HRS-03

CC1.2-POF2 | Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action. | GOV-01.1, HRS-01, HRS-02, HRS-03.2

CC1.2-POF3 | Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision making. | GOV-01.1, HRS-01, HRS-02

CC1.2-POF4 | Supplements Board Expertise — The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants. | GOV-01.1, HRS-01, HRS-02, HRS-03.2

CC1.3 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. | GOV-04, HRS-03, HRS-03.2, PRM-06, RSK-01

CC1.3-POF1 | Considers All Structures of the Entity — Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives. | GOV-04.1, GOV-04.2

CC1.3-POF2 | Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. | GOV-04.1, GOV-04.2

CC1.3-POF3 | Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. | GOV-04.1, GOV-04.2, HRS-03
254 of 280
version 2023.4 Secure Controls Framework (SCF) to AICPA TSC 2017 Points of Focus (POF) 03/12/2024

Control # Control Points of Focus (POF) SCF #


CC1.3-POF4 | Addresses Specific Requirements When Defining Authorities and Responsibilities — Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. | GOV-04.1, GOV-04.2, HRS-03

CC1.3-POF5 | Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities. | GOV-04.1, GOV-04.2, HRS-03

CC1.4 | COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. | HRS-01, HRS-02.1, HRS-03.1, HRS-04, HRS-04.1, HRS-04.2, PRM-02, PRM-03, SAT-01

CC1.4-POF1 | Establishes Policies and Practices — Policies and practices reflect expectations of competence necessary to support the achievement of objectives. | GOV-02, HRS-01

CC1.4-POF2 | Evaluates Competence and Addresses Shortcomings — The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings. | AAT-13.1, HRS-01, HRS-02.2, HRS-03.2, TPM-01, TPM-08

CC1.4-POF3 | Attracts, Develops, and Retains Individuals — The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. | AAT-11, AAT-13, HRS-01, HRS-02.2, TPM-01, TPM-08

CC1.4-POF4 | Plans and Prepares for Succession — Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control. | HRS-13, HRS-13.4

CC1.4-POF5 | Considers the Background of Individuals — The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. | HRS-04

CC1.4-POF6 | Considers the Technical Competency of Individuals — The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. | HRS-03.2

CC1.4-POF7 | Provides Training to Maintain Technical Competencies — The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained. | SAT-03, SAT-03.7, SAT-03.8

CC1.5 | COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. | GOV-05, GOV-05.1, GOV-05.2, HRS-01, HRS-03.2, HRS-06, HRS-06.1, HRS-07, HRS-07.1, HRS-08, HRS-09, HRS-09.1, HRS-09.2, HRS-09.3

CC1.5-POF1 | Enforces Accountability Through Structures, Authorities, and Responsibilities — Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. | GOV-04.1, GOV-04.2



CC1.5-POF2 | Establishes Performance Measures, Incentives, and Rewards — Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives. | GOV-05, HRS-01

CC1.5-POF3 | Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance — Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives. | GOV-01.1, HRS-01

CC1.5-POF4 | Considers Excessive Pressures — Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. | GOV-01.1, HRS-01

CC1.5-POF5 | Evaluates Performance and Rewards or Disciplines Individuals — Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate. | GOV-01.1, HRS-01, HRS-07

CC2.1 | COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. | AST-04, DCH-01, DCH-01.1, DCH-02, DCH-22, OPS-03

CC2.1-POF1 | Identifies Information Requirements — A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives. | GOV-09, GOV-15, OPS-03

CC2.1-POF2 | Captures Internal and External Sources of Data — Information systems capture internal and external sources of data. | GOV-15, OPS-03

CC2.1-POF3 | Processes Relevant Data Into Information — Information systems process and transform relevant data into information. | GOV-15, OPS-03

CC2.1-POF4 | Maintains Quality Throughout Processing — Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. | GOV-15, OPS-03

CC2.2 | COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. | CPL-01, CPL-02, GOV-05, GOV-05.1, GOV-05.2, HRS-03, OPS-01, OPS-01.1, PRM-01, PRM-05, SEA-01, SEA-02.1

CC2.2-POF1 | Communicates Internal Control Information — A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. | GOV-02, GOV-09, OPS-03

CC2.2-POF2 | Communicates With the Board of Directors — Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives. | GOV-01.2

CC2.2-POF3 | Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. | HRS-01, HRS-07.1, IRO-01, IRO-02

CC2.2-POF4 | Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the information. | GOV-01.1, GOV-02, GOV-03

CC2.2-POF5 | Communicates Responsibilities — Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities. | HRS-03



CC2.2-POF6 | Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters — Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel. | IRO-02, IRO-07, IRO-09, IRO-10, IRO-10.2

CC2.2-POF7 | Communicates Objectives and Changes to Objectives — The entity communicates its objectives and changes to those objectives to personnel in a timely manner. | GOV-02, GOV-03

CC2.2-POF8 | Communicates Information to Improve Security Knowledge and Awareness — The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program. | SAT-01, SAT-02, SAT-03.6

CC2.2-POF9 | Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized personnel to enable them to understand their role in the system and the results of system operation. | AST-04.1, AST-04.2, CPL-01.2, IAO-01.1, SAT-03.3, SAT-03.5, TPM-05.5, VPM-01.1

CC2.2-POF10 | Communicates System Objectives — The entity communicates its objectives to personnel to enable them to carry out their responsibilities. | GOV-08, GOV-09

CC2.2-POF11 | Communicates System Changes — System changes that affect responsibilities or the achievement of the entity's objectives are communicated in a timely manner. | CHG-01, CHG-05

CC2.3 | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control. | CPL-01, CPL-02, GOV-06, IRO-10, IRO-14, PRI-14

CC2.3-POF1 | Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. | IRO-10, IRO-10.2, IRO-10.4

CC2.3-POF2 | Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. | OPS-03

CC2.3-POF3 | Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors. | GOV-01.1, GOV-01.2

CC2.3-POF4 | Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. | HRS-01, HRS-07.1

CC2.3-POF5 | Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. | GOV-01, GOV-01.2

CC2.3-POF6 | Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality. | OPS-03

CC2.3-POF7 | Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. | PRI-01, PRI-02

CC2.3-POF8 | Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. | IAO-03

CC2.3-POF9 | Communicates System Objectives — The entity communicates its system objectives to appropriate external users. | TPM-01

CC2.3-POF10 | Communicates System Responsibilities — External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities. | TPM-01, TPM-05, TDA-01

CC2.3-POF11 | Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters — External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. | IRO-02


CC3.1 | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. | PRM-01, PRM-04, PRM-06, RSK-01, RSK-09, SEA-02

CC3.1-POF1 | Reflects Management's Choices — Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity. (Operations Objectives) | RSK-01.1

CC3.1-POF2 | Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives. (Operations Objectives) | RSK-01.3

CC3.1-POF3 | Includes Operations and Financial Performance Goals — The organization reflects the desired level of operations and financial performance for the entity within operations objectives. (Operations Objectives) | RSK-01

CC3.1-POF4 | Forms a Basis for Committing of Resources — Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance. (Operations Objectives) | PRM-01, PRM-03

CC3.1-POF5 | Complies With Applicable Accounting Standards — Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances. (External Financial Reporting Objectives) | GOV-15

CC3.1-POF6 | Considers Materiality — Management considers materiality in financial statement presentation. (External Financial Reporting Objectives) | RSK-01.1, RSK-05

CC3.1-POF7 | Reflects Entity Activities — External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions. (External Financial Reporting Objectives) | PRM-06, OPS-03

CC3.1-POF8 | Objectives Comply With Externally Established Frameworks — Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations. (External Nonfinancial Reporting Objectives) | PRM-06, OPS-03

CC3.1-POF9 | Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting. (External Nonfinancial Reporting Objectives) | PRM-06, OPS-03

CC3.1-POF10 | Reflects Entity Activities — External reporting reflects the underlying transactions and events within a range of acceptable limits. (External Nonfinancial Reporting Objectives) | PRM-06, OPS-03

CC3.1-POF11 | Reflects Management's Choices — Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity. (Internal Reporting Objectives) | PRM-06, OPS-03

CC3.1-POF12 | Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives. (Internal Reporting Objectives) | PRM-06, OPS-03

CC3.1-POF13 | Reflects Entity Activities — Internal reporting reflects the underlying transactions and events within a range of acceptable limits. (Internal Reporting Objectives) | PRM-06, OPS-03

CC3.1-POF14 | Reflects External Laws and Regulations — Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives. (Compliance Objectives) | CPL-01, PRM-06, OPS-03

CC3.1-POF15 | Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives. (Compliance Objectives) | PRM-06, OPS-03, RSK-01.3

CC3.1-POF16 | Establishes Sub-objectives to Support Objectives — Management identifies sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of the entity’s objectives related to reporting, operations, and compliance. | PRM-06, OPS-03

CC3.2 | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. | RSK-06.1, RSK-08, RSK-01.1, RSK-02, RSK-03, RSK-04, RSK-04.1, RSK-05, RSK-06, RSK-07, RSK-09, RSK-09.1, RSK-10, SEA-01



CC3.2-POF1 | Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives. | RSK-04

CC3.2-POF2 | Analyzes Internal and External Factors — Risk identification considers both internal and external factors and their impact on the achievement of objectives. | RSK-01.1

CC3.2-POF3 | Involves Appropriate Levels of Management — The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management. | RSK-01

CC3.2-POF4 | Estimates Significance of Risks Identified — Identified risks are analyzed through a process that includes estimating the potential significance of the risk. | RSK-02.1, RSK-05

CC3.2-POF5 | Determines How to Respond to Risks — Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk. | RSK-01, RSK-06.1

CC3.2-POF6 | Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities — The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets. | RSK-03, RSK-04

CC3.2-POF7 | Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity's information systems. | RSK-09, RSK-09.1, THR-01, TPM-03, VPM-01

CC3.2-POF8 | Considers the Significance of the Risk — The entity’s consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood. | RSK-01.1, RSK-05

CC3.3 | COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives. | RSK-06.1, THR-01, THR-02, THR-04, TPM-01, TPM-03.1, TPM-04, TPM-04.3

CC3.3-POF1 | Considers Various Types of Fraud — The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur. | HRS-01, THR-01, THR-04

CC3.3-POF2 | Assesses Incentives and Pressures — The assessment of fraud risks considers incentives and pressures. | HRS-01, THR-01, THR-04

CC3.3-POF3 | Assesses Opportunities — The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts. | HRS-01, THR-01, THR-04

CC3.3-POF4 | Assesses Attitudes and Rationalizations — The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions. | HRS-01, THR-01, THR-04

CC3.3-POF5 | Considers the Risks Related to the Use of IT and Access to Information — The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information. | HRS-01, THR-01, THR-04

CC3.4 | COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control. | CHG-01, CHG-02, CHG-02.2, CHG-02.3, CHG-03, PRM-01, PRM-06, TPM-04.1, TPM-08, TPM-10



CC3.4-POF1 | Assesses Changes in the External Environment — The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates. | RSK-01.1, RSK-03, RSK-04

CC3.4-POF2 | Assesses Changes in the Business Model — The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies. | RSK-01.1, RSK-03, RSK-04

CC3.4-POF3 | Assesses Changes in Leadership — The entity considers changes in management and respective attitudes and philosophies on the system of internal control. | RSK-01.1, RSK-03, RSK-04

CC3.4-POF4 | Assesses Changes in Systems and Technology — The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment. | CHG-03, RSK-01.1, RSK-03, RSK-04

CC3.4-POF5 | Assesses Changes in Vendor and Business Partner Relationships — The risk identification process considers changes in vendor and business partner relationships. | RSK-01.1, RSK-03, RSK-04, TPM-10

CC4.1 | COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. | CPL-03, CPL-03.2, CPL-04, GOV-05, GOV-05.1, GOV-05.2, IAO-01, IAO-02, IAO-02.1, IAO-02.2, IAO-03.1, IAO-04, IAO-06, PRM-03, PRM-04, PRM-05, PRM-06, RSK-01, RSK-09, SEA-02

CC4.1-POF1 | Considers a Mix of Ongoing and Separate Evaluations — Management includes a balance of ongoing and separate evaluations. | CPL-02.1

CC4.1-POF2 | Considers Rate of Change — Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations. | CPL-02.1

CC4.1-POF3 | Establishes Baseline Understanding — The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations. | CPL-02.1

CC4.1-POF4 | Uses Knowledgeable Personnel — Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated. | CPL-02.1

CC4.1-POF5 | Integrates With Business Processes — Ongoing evaluations are built into the business processes and adjust to changing conditions. | CPL-02.1

CC4.1-POF6 | Adjusts Scope and Frequency — Management varies the scope and frequency of separate evaluations depending on risk. | CPL-02.1

CC4.1-POF7 | Objectively Evaluates — Separate evaluations are performed periodically to provide objective feedback. | CPL-02.1

CC4.1-POF8 | Considers Different Types of Ongoing and Separate Evaluations — Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments. | CPL-02.1

CC4.2 | COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. | IAO-04, IAO-05, RSK-06, TDA-15, TPM-09, VPM-02, VPM-04



CC4.2-POF1 | Assesses Results — Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations. | CPL-01.1, CPL-02, GOV-15.3

CC4.2-POF2 | Communicates Deficiencies — Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate. | CPL-01.1, CPL-02, GOV-01.2

CC4.2-POF3 | Monitors Corrective Action — Management tracks whether deficiencies are remedied on a timely basis. | CPL-01.1, CPL-02, IAO-05, RSK-04.1

CC5.1 | COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | HRS-11, OPS-01.1, OPS-02, PRM-06, RSK-01, SEA-01, SEA-01.1, SEA-02

CC5.1-POF1 | Integrates With Risk Assessment — Control activities help ensure that risk responses that address and mitigate risks are carried out. | GOV-15

CC5.1-POF2 | Considers Entity-Specific Factors — Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities. | GOV-15

CC5.1-POF3 | Determines Relevant Business Processes — Management determines which relevant business processes require control activities. | GOV-15

CC5.1-POF4 | Evaluates a Mix of Control Activity Types — Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls. | GOV-15

CC5.1-POF5 | Considers at What Level Activities Are Applied — Management considers control activities at various levels in the entity. | GOV-15, PRM-01.2

CC5.1-POF6 | Addresses Segregation of Duties — Management segregates incompatible duties and, where such segregation is not practical, management selects and develops alternative control activities. | GOV-15, HRS-11

CC5.2 | COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives. | PRM-01, PRM-04, PRM-05, PRM-06, PRM-07, RSK-08, RSK-10, SEA-01, TDA-01, TDA-02

CC5.2-POF1 | Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls. | AST-01.1

CC5.2-POF2 | Establishes Relevant Technology Infrastructure Control Activities — Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing. | AST-04.2, CPL-01.2

CC5.2-POF3 | Establishes Relevant Security Management Process Control Activities — Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats. | IAC-08, IAC-21

CC5.2-POF4 | Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities — Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives. | TDA-01


CC5.3 | COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. | GOV-02, GOV-03, HRS-03.2, HRS-10, OPS-01.1

CC5.3-POF1 | Establishes Policies and Procedures to Support Deployment of Management’s Directives — Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions. | GOV-02, GOV-14

CC5.3-POF2 | Establishes Responsibility and Accountability for Executing Policies and Procedures — Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside. | GOV-04, GOV-04.1, HRS-03

CC5.3-POF3 | Performs in a Timely Manner — Responsible personnel perform control activities in a timely manner as defined by the policies and procedures. | OPS-01.1, OPS-03

CC5.3-POF4 | Takes Corrective Action — Responsible personnel investigate and act on matters identified as a result of executing control activities. | RSK-06, VPM-02

CC5.3-POF5 | Performs Using Competent Personnel — Competent personnel with sufficient authority perform control activities with diligence and continuing focus. | AAT-13.1, HRS-03.2

CC5.3-POF6 | Reassesses Policies and Procedures — Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary. | GOV-03

CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. | CRY-01, CRY-03, CRY-05, CRY-08, CRY-09, CRY-09.1, CRY-09.2, IAC-01, IAC-02, IAC-03, IAC-04, IAC-05, IAC-08, IAC-09, IAC-09.1, IAC-10, IAC-10.8, IAC-15, IAC-16, IAC-20, IAC-21, NET-01, NET-03, NET-03.1, NET-04, NET-05.1, NET-06, NET-06.1

CC6.1-POF1 | Identifies and Manages the Inventory of Information Assets — The entity identifies, inventories, classifies, and manages information assets. | AST-02, DCH-02

CC6.1-POF2 | Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. | IAC-01

CC6.1-POF3 | Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. | IAC-02, IAC-03

CC6.1-POF4 | Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. | NET-06, NET-06.1

CC6.1-POF5 | Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. | CLD-11, NET-03, NET-14.3

262 of 280
version 2023.4 Secure Controls Framework (SCF) to AICPA TSC 2017 Points of Focus (POF) 03/12/2024

Control # | Control / Points of Focus (POF) | SCF #
CC6.1-POF6 | Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. | CFG-03, IAC-01, IAC-21, NET-04
CC6.1-POF7 | Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. | IAC-01
CC6.1-POF8 | Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. | IAC-04, IAC-05
CC6.1-POF9 | Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. | CRY-01, CRY-03, CRY-05
CC6.1-POF10 | Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction. | CRY-08, CRY-09, CRY-09.1, CRY-09.2
CC6.2 | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. | IAC-07, IAC-07.1, IAC-17
CC6.2-POF1 | Controls Access Credentials to Protected Assets — Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. | IAC-07, IAC-07.1, IAC-28.1
CC6.2-POF2 | Removes Access to Protected Assets When Appropriate — Processes are in place to remove credential access when an individual no longer requires such access. | IAC-07, IAC-07.1
CC6.2-POF3 | Reviews Appropriateness of Access Credentials — The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials. | IAC-17
CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. | IAC-08
CC6.3-POF1 | Creates or Modifies Access to Protected Information Assets — Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. | IAC-07, IAC-07.1, IAC-28.1
CC6.3-POF2 | Removes Access to Protected Information Assets — Processes are in place to remove access to protected information assets when an individual no longer requires access. | IAC-07, IAC-07.1
CC6.3-POF3 | Uses Role-Based Access Controls — Role-based access control is utilized to support segregation of incompatible functions. | IAC-08
CC6.3-POF4 | Reviews Access Roles and Rules — The appropriateness of access roles and access rules is reviewed on a periodic basis for unnecessary and inappropriate individuals with access and access rules are modified as appropriate. | IAC-17
CC6.4 | The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. | PES-01, PES-02, PES-02.1, PES-03
CC6.4-POF1 | Creates or Modifies Physical Access — Processes are in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system's asset owner. | PES-01, PES-02, PES-02.1, PES-03
CC6.4-POF2 | Removes Physical Access — Processes are in place to remove access to physical resources when an individual no longer requires access. | PES-01, PES-02, PES-02.1, PES-03
CC6.4-POF3 | Reviews Physical Access — Processes are in place to periodically review physical access to ensure consistency with job responsibilities. | PES-03.3, PES-05
CC6.5 | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. | AST-09, DCH-08, DCH-09, DCH-21, PRI-05, TDA-11.2
CC6.5-POF1 | Identifies Data and Software for Disposal — Procedures are in place to identify data and software stored on equipment to be disposed and to render such data and software unreadable. | DCH-18, PRI-05
CC6.5-POF2 | Removes Data and Software From Entity Control — Procedures are in place to remove data and software stored on equipment to be removed from the physical control of the entity and to render such data and software unreadable. | AST-09, DCH-08, DCH-09, DCH-18, DCH-21, PRI-05
CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. | NET-01, NET-02, NET-03, NET-03.1, NET-04, NET-04.1, NET-08.1, NET-12, NET-12.1, NET-13, NET-14
CC6.6-POF1 | Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. | NET-01, NET-03, NET-04, NET-04.1
CC6.6-POF2 | Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. | NET-01, NET-12, NET-13
CC6.6-POF3 | Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. | NET-01, NET-03, NET-04.1, NET-14
CC6.6-POF4 | Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. | NET-01, NET-02, NET-03
CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. | CFG-04.2, CRY-03, CRY-05, DCH-01, DCH-10, DCH-12, DCH-13, DCH-13.2, DCH-14, DCH-17, MDM-01, MDM-03, NET-12.2, NET-13
CC6.7-POF1 | Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information. | DCH-17, NET-12.2, NET-17
CC6.7-POF2 | Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. | CRY-03, CRY-05, DCH-01
CC6.7-POF3 | Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate. | DCH-12
CC6.7-POF4 | Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets. | END-01, MDM-01
CC6.8 | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. | CHG-02.1, END-04, END-06, END-07, MON-01.7, NET-03, NET-08
CC6.8-POF1 | Restricts Application and Software Installation — The ability to install applications and software is restricted to authorized individuals. | CFG-05, CFG-05.2, END-03
CC6.8-POF2 | Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. | CFG-05.1, END-03.1
CC6.8-POF3 | Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software. | CHG-01, CHG-02
CC6.8-POF4 | Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware. | END-04
CC6.8-POF5 | Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. | END-04, END-04.7
CC7.1 | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. | CFG-01, CFG-02, END-06.1, MON-01.7, VPM-06
CC7.1-POF1 | Uses Defined Configuration Standards — Management has defined configuration standards. | CFG-01, CFG-02
CC7.1-POF2 | Monitors Infrastructure and Software — The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. | MON-01.7, END-06
CC7.1-POF3 | Implements Change-Detection Mechanisms — The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. | MON-01.7, END-06
CC7.1-POF4 | Detects Unknown or Unauthorized Components — Procedures are in place to detect the introduction of unknown or unauthorized components. | AST-02.2, MON-01.7, END-06
CC7.1-POF5 | Conducts Vulnerability Scans — The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis. | VPM-06
CC7.2 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. | MON-01, MON-01.1, MON-01.2, MON-01.3, MON-01.4, MON-01.5, MON-01.6, MON-01.8, MON-02, MON-02.1, MON-06, MON-16, OPS-02, RSK-03
CC7.2-POF1 | Implements Detection Policies, Procedures, and Tools — Detection policies and procedures are defined and implemented and detection tools are implemented on infrastructure and software to identify anomalies in the operation or unusual activity on systems. Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities. | GOV-02, MON-01
CC7.2-POF2 | Designs Detection Measures — Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. | MON-01.1, MON-16
CC7.2-POF3 | Implements Filters to Analyze Anomalies — Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events. | MON-01.1, MON-16
CC7.2-POF4 | Monitors Detection Tools for Effective Operation — Management has implemented processes to monitor the effectiveness of detection tools. | CPL-03.2, MON-01.8
CC7.3 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. | END-06.2, IRO-01, IRO-02, IRO-04, IRO-04.1, MON-02, MON-02.1, MON-06, RSK-04, TPM-11
CC7.3-POF1 | Responds to Security Incidents — Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis. | IRO-01, IRO-02, IRO-04
CC7.3-POF2 | Communicates and Reviews Detected Security Events — Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. | IRO-09, IRO-10, IRO-10.2
CC7.3-POF3 | Develops and Implements Procedures to Analyze Security Incidents — Procedures are in place to analyze security incidents and determine system impact. | IRO-02
CC7.3-POF4 | Assesses the Impact on Personal Information — Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations. | IRO-02, IRO-04.1
CC7.3-POF5 | Determines Personal Information Used or Disclosed — When an unauthorized use or disclosure of personal information has occurred, the affected information is identified. | IRO-02, IRO-04.1
CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. | IRO-01, IRO-02, IRO-04, IRO-07, IRO-09, IRO-10, IRO-10.2, IRO-10.4, IRO-11.2, IRO-14, RSK-06
CC7.4-POF1 | Assigns Roles and Responsibilities — Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary. | HRS-03, IRO-01, IRO-02, IRO-04, IRO-07
CC7.4-POF2 | Contains Security Incidents — Procedures are in place to contain security incidents that actively threaten entity objectives. | IRO-01, IRO-02, IRO-04
CC7.4-POF3 | Mitigates Ongoing Security Incidents — Procedures are in place to mitigate the effects of ongoing security incidents. | IRO-01, IRO-02, IRO-04
CC7.4-POF4 | Ends Threats Posed by Security Incidents — Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions. | IRO-01, IRO-02, IRO-04
CC7.4-POF5 | Restores Operations — Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. | BCD-01, IRO-01, IRO-02, IRO-04
CC7.4-POF6 | Develops and Implements Communication Protocols for Security Incidents — Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives. | IRO-01, IRO-02, IRO-04
CC7.4-POF7 | Obtains Understanding of Nature of Incident and Determines Containment Strategy — An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. | IRO-01, IRO-02, IRO-04
CC7.4-POF8 | Remediates Identified Vulnerabilities — Identified vulnerabilities are remediated through the development and execution of remediation activities. | IRO-01, IRO-02, IRO-04
CC7.4-POF9 | Communicates Remediation Activities — Remediation activities are documented and communicated in accordance with the incident-response program. | IRO-01, IRO-02, IRO-04, IRO-09, IRO-10
CC7.4-POF10 | Evaluates the Effectiveness of Incident Response — The design of incident-response activities is evaluated for effectiveness on a periodic basis. | BCD-05, IRO-01, IRO-02, IRO-04, IRO-13
CC7.4-POF11 | Periodically Evaluates Incidents — Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. | IRO-01, IRO-02, IRO-04
CC7.4-POF12 | Communicates Unauthorized Use and Disclosure — Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. | IRO-01, IRO-02, IRO-04
CC7.4-POF13 | Application of Sanctions — The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements. | HRS-07, IRO-01, IRO-02, IRO-04
CC7.5 | The entity identifies, develops, and implements activities to recover from identified security incidents. | BCD-01, BCD-02, BCD-02.1, BCD-02.2, BCD-02.3, BCD-04, BCD-05, BCD-06, BCD-11, BCD-11.1, BCD-12, BCD-13
CC7.5-POF1 | Restores the Affected Environment — The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed. | BCD-01
CC7.5-POF2 | Communicates Information About the Event — Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external). | BCD-01
CC7.5-POF3 | Determines Root Cause of the Event — The root cause of the event is determined. | BCD-05
CC7.5-POF4 | Implements Changes to Prevent and Detect Recurrences — Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. | BCD-01, BCD-06
CC7.5-POF5 | Improves Response and Recovery Procedures — Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. | BCD-01, BCD-06
CC7.5-POF6 | Implements Incident-Recovery Plan Testing — Incident-recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. | BCD-04
CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. | CFG-02, CFG-02.1, CFG-02.2, CHG-01, CHG-02, CHG-02.2, CHG-05, PRM-07
CC8.1-POF1 | Manages Changes Throughout the System Life Cycle — A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. | CHG-01, CHG-02, PRM-07
CC8.1-POF2 | Authorizes Changes — A process is in place to authorize system changes prior to development. | CHG-01, CHG-02
CC8.1-POF3 | Designs and Develops Changes — A process is in place to design and develop system changes. | CHG-01, CHG-02
CC8.1-POF4 | Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities. | CHG-01, CHG-02
CC8.1-POF5 | Tracks System Changes — A process is in place to track system changes prior to implementation. | CHG-01, CHG-02
CC8.1-POF6 | Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software. | CHG-01, CHG-02
CC8.1-POF7 | Tests System Changes — A process is in place to test system changes prior to implementation. | CHG-01, CHG-02
CC8.1-POF8 | Approves System Changes — A process is in place to approve system changes prior to implementation. | CHG-01, CHG-02
CC8.1-POF9 | Deploys System Changes — A process is in place to implement system changes. | CHG-01, CHG-02
CC8.1-POF10 | Identifies and Evaluates System Changes — Objectives affected by system changes are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle. | CHG-01, CHG-02
CC8.1-POF11 | Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents — Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified and the change process is initiated upon identification. | CHG-01, CHG-02
CC8.1-POF12 | Creates Baseline Configuration of IT Technology — A baseline configuration of IT and control systems is created and maintained. | CHG-01, CHG-02
CC8.1-POF13 | Provides for Changes Necessary in Emergency Situations — A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame). | CHG-01, CHG-02
CC8.1-POF14 | Protects Confidential Information — The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality. | CHG-01, CHG-02
CC8.1-POF15 | Protects Personal Information — The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy. | CHG-01, CHG-02
CC9.1 | The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. | BCD-01, BCD-07, TPM-01, TPM-02, TPM-03, TPM-03.1, TPM-03.2, TPM-03.3, TPM-04.4, TPM-05, TPM-06, TPM-07, TPM-08, TPM-09, TPM-10
CC9.1-POF1 | Considers Mitigation of Risks of Business Disruption — Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes, information, and communications to meet the entity's objectives during response, mitigation, and recovery efforts. | BCD-01, RSK-06.2, RSK-08
CC9.1-POF2 | Considers the Use of Insurance to Mitigate Financial Impact Risks — The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives. | BCD-01, RSK-06.2, RSK-08
CC9.2 | The entity assesses and manages risks associated with vendors and business partners. | RSK-09.1, TPM-04.1
CC9.2-POF1 | Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. | RSK-09, RSK-09.1, TPM-01, TPM-03, TPM-05, TPM-05.2
CC9.2-POF2 | Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. | RSK-09, RSK-09.1, TPM-01, TPM-03, TPM-04.1
CC9.2-POF3 | Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. | RSK-09, RSK-09.1, TPM-01, TPM-03, TPM-05, TPM-05.2, TPM-05.4
CC9.2-POF4 | Establishes Communication Protocols for Vendors and Business Partners — The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. | RSK-09, RSK-09.1, TPM-01, TPM-03
CC9.2-POF5 | Establishes Exception Handling Procedures From Vendors and Business Partners — The entity establishes exception handling procedures for service or product issues related to vendors and business partners. | RSK-09, RSK-09.1, TPM-01, TPM-03
CC9.2-POF6 | Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners. | RSK-09, RSK-09.1, TPM-01, TPM-03, TPM-08
CC9.2-POF7 | Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships. | RSK-09, RSK-09.1, TPM-01, TPM-03
CC9.2-POF8 | Implements Procedures for Terminating Vendor and Business Partner Relationships — The entity implements procedures for terminating vendor and business partner relationships. | RSK-09, RSK-09.1, TPM-01, TPM-03
CC9.2-POF9 | Obtains Confidentiality Commitments from Vendors and Business Partners — The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. | RSK-09, RSK-09.1, TPM-01, TPM-03, TPM-05, TPM-05.2, TPM-05.6
CC9.2-POF10 | Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. | RSK-09, RSK-09.1, TPM-01, TPM-03, TPM-08
CC9.2-POF11 | Obtains Privacy Commitments from Vendors and Business Partners — The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. | RSK-09, RSK-09.1, TPM-01, TPM-03, TPM-05.6
CC9.2-POF12 | Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary. | RSK-09, RSK-09.1, TPM-01, TPM-03, TPM-08
A1.1 | The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. | CAP-01, CAP-02, CAP-03
A1.1-POF1 | Measures Current Usage — The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints. | CAP-01, CAP-04
A1.1-POF2 | Forecasts Capacity — The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity. | CAP-03
A1.1-POF3 | Makes Changes Based on Forecasts — The system change management process is initiated when forecasted usage exceeds capacity tolerances. | CAP-01
A1.2 | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. | BCD-08, BCD-08.1, BCD-08.2, BCD-09, BCD-09.1, BCD-09.2, BCD-09.3, BCD-10, BCD-10.1, BCD-11, BCD-11.1, BCD-11.2, BCD-11.3, BCD-11.4, BCD-12, BCD-12.1, BCD-12.2, PES-01, PES-07, PES-07.1, PES-07.2, PES-07.3, PES-07.4, PES-07.5, PES-08, PES-08.1, PES-08.2, PES-09, PES-09.1, PES-10, PES-11, PES-12, PES-13, PES-15, RSK-03, RSK-04
A1.2-POF1 | Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. | BCD-01, PES-01
A1.2-POF2 | Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. | BCD-01, PES-01, PES-09, PES-09.1
A1.2-POF3 | Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. | BCD-01, PES-01
A1.2-POF4 | Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. | BCD-01, PES-01, PES-09, PES-09.1
A1.2-POF5 | Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). | BCD-01, PES-01, IRO-01, IRO-02
A1.2-POF6 | Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. | BCD-01, PES-01
A1.2-POF7 | Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. | BCD-11, PES-01
A1.2-POF8 | Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. | BCD-11, PES-01
A1.2-POF9 | Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. | BCD-08, BCD-11.2, BCD-11.6, PES-01
A1.2-POF10 | Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. | BCD-09, PES-01
A1.3 | The entity tests recovery plan procedures supporting system recovery to meet its objectives. | BCD-03.1, BCD-04
A1.3-POF1 | Implements Business Continuity Plan Testing — Business continuity plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results. | BCD-04
A1.3-POF2 | Tests Integrity and Completeness of Backup Data — The integrity and completeness of backup information is tested on a periodic basis. | BCD-04, BCD-11.1
C1.1 | The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. | DCH-01, DCH-02, DCH-03
C1.1-POF1 | Identifies Confidential Information — Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained. | AST-04, DCH-06.2
C1.1-POF2 | Protects Confidential Information From Destruction — Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information. | DCH-01, DCH-01.2, DCH-18
C1.2 | The entity disposes of confidential information to meet the entity’s objectives related to confidentiality. | DCH-21, MON-10, PRI-05
C1.2-POF1 | Identifies Confidential Information for Destruction — Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached. | DCH-18, PRI-05
C1.2-POF2 | Destroys Confidential Information — Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction. | AST-09, DCH-08, DCH-09, DCH-21, PRI-05
PI1.1 | The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and | OPS-03, PRM-06, RSK-08, RSK-10
services. TDA-06
TDA-06.1

Identifies Information Specifications — The entity identifies information specifications required to PRM-05
support the use of products and services. PRM-06
PI1.1-POF1 TDA-01.1
TDA-02

271 of 280
version 2023.4 Secure Controls Framework (SCF) to AICPA TSC 2017 Points of Focus (POF) 03/12/2024

Control # Control Points of Focus (POF) SCF #


PI1.1-POF2  Defines Data Necessary to Support a Product or Service — When data is provided as part of a service or product or as part of a reporting obligation related to a product or service:
  1. The definition of the data is available to the users of the data
  2. The definition of the data includes the following information:
     a. The population of events or instances included in the data
     b. The nature of each element (for example, field) of the data (that is, the event or instance to which the data element relates, for example, transaction price of a sale of XYZ Corporation stock for the last trade in that stock on a given day)
     c. Source(s) of the data
     d. The unit(s) of measurement of data elements (for example, fields)
     e. The accuracy/correctness/precision of measurement
     f. The uncertainty or confidence interval inherent in each data element and in the population of those elements
     g. The date the data was observed or the period of time during which the events relevant to the data occurred
     h. The factors in addition to the date and period of time used to determine the inclusion and exclusion of items in the data elements and population
  3. The definition is complete and accurate.
  4. The description of the data identifies any information that is necessary to understand each data element and the population in a manner consistent with its definition and intended purpose (metadata) that has not been included within the data.
  [SCF #: PRM-05, TDA-01.1, TDA-02]

PI1.1-POF3  Defines Information Necessary to Support the Use of a Good or Product — When information provided by the entity is needed to use the good or product in accordance with its specifications:
  1. The required information is available to the user of the good or product.
  2. The required information is clearly identifiable.
  3. The required information is validated for completeness and accuracy.
  [SCF #: PRM-05, TDA-01.1, TDA-02]

PI1.2  The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.  [SCF #: TDA-06, TDA-18]

PI1.2-POF1  Defines Characteristics of Processing Inputs — The characteristics of processing inputs that are necessary to meet requirements are defined.  [SCF #: TDA-06, TDA-18]

PI1.2-POF2  Evaluates Processing Inputs — Processing inputs are evaluated for compliance with defined input requirements.  [SCF #: TDA-06, TDA-18]

PI1.2-POF3  Creates and Maintains Records of System Inputs — Records of system input activities are created and maintained completely and accurately in a timely manner.  [SCF #: TDA-06, TDA-18]

PI1.3  The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.  [SCF #: TDA-06]

PI1.3-POF1  Defines Processing Specifications — The processing specifications that are necessary to meet product or service requirements are defined.  [SCF #: OPS-03, PRM-06, TDA-06]

PI1.3-POF2  Defines Processing Activities — Processing activities are defined to result in products or services that meet specifications.  [SCF #: OPS-03, PRM-06, TDA-06]

PI1.3-POF3  Detects and Corrects Production Errors — Errors in the production process are detected and corrected in a timely manner.  [SCF #: OPS-03, PRM-06, TDA-06]

PI1.3-POF4  Records System Processing Activities — System processing activities are recorded completely and accurately in a timely manner.  [SCF #: OPS-03, PRM-06, TDA-06]

PI1.3-POF5  Processes Inputs — Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities.  [SCF #: OPS-03, PRM-06, TDA-06]

PI1.4  The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.  [SCF #: MON-03, MON-08, PES-12.2, TDA-06]

PI1.4-POF1  Protects Output — Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications.  [SCF #: DCH-01, OPS-03, PRM-06, TDA-06]

PI1.4-POF2  Distributes Output Only to Intended Parties — Output is distributed or made available only to intended parties.  [SCF #: DCH-01, OPS-03, PRM-06, TDA-06]

PI1.4-POF3  Distributes Output Completely and Accurately — Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output.  [SCF #: DCH-01, OPS-03, PRM-06, TDA-06]

PI1.4-POF4  Creates and Maintains Records of System Output Activities — Records of system output activities are created and maintained completely and accurately in a timely manner.  [SCF #: DCH-01, OPS-03, PRM-06, TDA-06]

PI1.5  The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.  [SCF #: DCH-01, DCH-18, MON-08, TDA-06]

PI1.5-POF1  Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.  [SCF #: DCH-01, OPS-03, PRM-06, TDA-06]

PI1.5-POF2  Archives and Protects System Records — System records are archived and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used.  [SCF #: DCH-01, OPS-03, PRM-06, TDA-06]

PI1.5-POF3  Stores Data Completely and Accurately — Procedures are in place to provide for the complete, accurate, and timely storage of data.  [SCF #: DCH-01, OPS-03, PRM-06, TDA-06]

PI1.5-POF4  Creates and Maintains Records of System Storage Activities — Records of system storage activities are created and maintained completely and accurately in a timely manner.  [SCF #: DCH-01, OPS-03, PRM-06, TDA-06]

P1.0  Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy  [SCF #: PRI-01]

P1.1  The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.  [SCF #: PRI-01.2, PRI-01.3, PRI-02]

P1.1-POF1  Communicates to Data Subjects — Notice is provided to data subjects regarding the following:
  — Purpose for collecting personal information
  — Choice and consent
  — Types of personal information collected
  — Methods of collection (for example, use of cookies or other tracking techniques)
  — Use, retention, and disposal
  — Access
  — Disclosure to third parties
  — Security for privacy
  — Quality, including data subjects’ responsibilities for quality
  — Monitoring and enforcement
  If personal information is collected from sources other than the individual, such sources are described in the privacy notice.
  [SCF #: PRI-02, PRI-02.1]

P1.1-POF2  Provides Notice to Data Subjects — Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified.  [SCF #: PRI-02, PRI-02.1]

P1.1-POF3  Covers Entities and Activities in Notice — An objective description of the entities and activities covered is included in the entity’s privacy notice.  [SCF #: PRI-02, PRI-02.1]

P1.1-POF4  Uses Clear and Conspicuous Language — The entity’s privacy notice is conspicuous and uses clear language.  [SCF #: PRI-02, PRI-02.1]

P2.0  Privacy Criteria Related to Choice and Consent  [SCF #: PRI-03]

P2.1  [...] information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information [...]  [SCF #: PRI-03, PRI-03.2]

P2.1-POF1  Communicates to Data Subjects — Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.  [SCF #: PRI-03]

P2.1-POF2  Communicates Consequences of Denying or Withdrawing Consent — When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice.  [SCF #: PRI-03]

P2.1-POF3  Obtains Implicit or Explicit Consent — Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. The individual’s preferences expressed in his or her consent are confirmed and implemented.  [SCF #: PRI-03]

P2.1-POF4  Documents and Obtains Consent for New Purposes and Uses — If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose.  [SCF #: PRI-03.2]

P2.1-POF5  Obtains Explicit Consent for Sensitive Information — Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.  [SCF #: PRI-03.1]

P2.1-POF6  Obtains Consent for Data Transfers — Consent is obtained before personal information is transferred to or from an individual’s computer or other similar device.  [SCF #: PRI-03]

P3.0  Privacy Criteria Related to Collection  [SCF #: PRI-04]

P3.1  Personal information is collected consistent with the entity’s objectives related to privacy.  [SCF #: PRI-04, PRI-04.1]

P3.1-POF1  Limits the Collection of Personal Information — The collection of personal information is limited to that necessary to meet the entity’s objectives.  [SCF #: PRI-04]

P3.1-POF2  Collects Information by Fair and Lawful Means — Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.  [SCF #: PRI-04]

P3.1-POF3  Collects Information From Reliable Sources — Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.  [SCF #: PRI-04, PRI-04.2]

P3.1-POF4  Informs Data Subjects When Additional Information Is Acquired — Data subjects are informed if the entity develops or acquires additional information about them for its use.  [SCF #: PRI-04, PRI-06.2]

P3.2  For information requiring explicit consent, the entity communicates the need for such consent as well as the consequences of a failure to provide consent for the request for personal information and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy.  [SCF #: PRI-03, PRI-03.2]

P3.2-POF1  Obtains Explicit Consent for Sensitive Information — Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.  [SCF #: PRI-03.1]

P3.2-POF2  Documents Explicit Consent to Retain Information — Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy.  [SCF #: PRI-03]

P4.0  Privacy Criteria Related to Use, Retention, and Disposal  [SCF #: PRI-05, PRI-05.4]

P4.1  The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy.  [SCF #: PRI-05.1, PRI-05.4]

P4.1-POF1  Uses Personal Information for Intended Purposes — Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained, unless a law or regulation specifically requires otherwise.  [SCF #: PRI-05.4]

P4.2  The entity retains personal information consistent with the entity’s objectives related to privacy.  [SCF #: PRI-05]

P4.2-POF1  Retains Personal Information — Personal information is retained for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise.  [SCF #: DCH-18, PRI-05]

P4.2-POF2  Protects Personal Information — Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information.  [SCF #: PRI-01.6]

P4.3  The entity securely disposes of personal information to meet the entity’s objectives related to privacy.  [SCF #: DCH-09.3, DCH-21, PRI-05]

P4.3-POF1  Captures, Identifies, and Flags Requests for Deletion — Requests for deletion of personal information are captured and information related to the requests is identified and flagged for destruction to meet the entity’s objectives related to privacy.  [SCF #: PRI-06.4, PRI-06.5]

P4.3-POF2  Disposes of, Destroys, and Redacts Personal Information — Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.  [SCF #: AST-09, DCH-08, DCH-21, PRI-05]

P4.3-POF3  Destroys Personal Information — Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction.  [SCF #: AST-09, DCH-08, DCH-21, PRI-05]

P5.0  Privacy Criteria Related to Access  [SCF #: PRM-01, PRI-06]

P5.1  The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.  [SCF #: DCH-22.1, PRI-06, PRI-06.1]

P5.1-POF1  Authenticates Data Subjects’ Identity — The identity of data subjects who request access to their personal information is authenticated before they are given access to that information.  [SCF #: PRI-06]

P5.1-POF2  Permits Data Subjects Access to Their Personal Information — Data subjects are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information.  [SCF #: PRI-06]

P5.1-POF3  Provides Understandable Personal Information Within Reasonable Time — Personal information is provided to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost, if any.  [SCF #: PRI-06]

P5.1-POF4  Informs Data Subjects If Access Is Denied — When data subjects are denied access to their personal information, the entity informs them of the denial and the reason for the denial in a timely manner, unless prohibited by law or regulation.  [SCF #: PRI-06.4, PRI-07.4]

P5.2  The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy.  [SCF #: DCH-22.1, PRI-06.1, PRI-06.2, PRI-06.3, PRI-06.4, PRI-12]

P5.2-POF1  Communicates Denial of Access Requests — Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation.  [SCF #: PRI-06.4, PRI-07.4]

P5.2-POF2  Permits Data Subjects to Update or Correct Personal Information — Data subjects are able to update or correct personal information held by the entity. The entity provides such updated or corrected information to third parties that were previously provided with the data subject’s personal information consistent with the entity’s objectives related to privacy.  [SCF #: PRI-06.1, PRI-06.2, PRI-12]

P5.2-POF3  Communicates Denial of Correction Requests — Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal.  [SCF #: PRI-06.2, PRI-06.4, PRI-07.4]

P6.0  Privacy Criteria Related to Disclosure and Notification  [SCF #: PRI-01.7]

P6.1  The entity discloses personal information to third parties with the explicit consent of data subjects and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.  [SCF #: PRI-07]

P6.1-POF1  Communicates Privacy Policies to Third Parties — Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed.  [SCF #: PRI-07, PRI-07.1]

P6.1-POF2  Discloses Personal Information Only When Appropriate — Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise.  [SCF #: DCH-03.1, PRI-01.7]

P6.1-POF3  Discloses Personal Information Only to Appropriate Third Parties — Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.  [SCF #: DCH-03.1, PRI-01.7]

P6.1-POF4  Discloses Information to Third Parties for New Purposes and Uses — Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects.  [SCF #: DCH-03.1, PRI-01.7]

P6.2  The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy.  [SCF #: PRI-14.1]

P6.2-POF1  Creates and Retains Record of Authorized Disclosures — The entity creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely.  [SCF #: PRI-14.1]

P6.3  The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy.  [SCF #: IRO-04.1, IRO-10, IRO-12, PRI-14.1]

P6.3-POF1  Creates and Retains Record of Detected or Reported Unauthorized Disclosures — The entity creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely.  [SCF #: PRI-14.1]

P6.4  The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.  [SCF #: PRI-07.1]

P6.4-POF1  Discloses Personal Information Only to Appropriate Third Parties — Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.  [SCF #: DCH-03.1, PRI-01.7]

P6.4-POF2  Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.  [SCF #: TPM-03.2, TPM-05.7, TPM-09]

P6.5  The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident-response procedures to meet the entity’s objectives related to privacy.  [SCF #: PRI-08, TPM-11]

P6.5-POF1  Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.  [SCF #: TPM-03.2, TPM-05.7, TPM-09]

P6.5-POF2  Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.  [SCF #: TPM-03.2, TPM-05.7, TPM-09]

P6.6  The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.  [SCF #: IRO-04.1, TPM-11]

P6.6-POF1  Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.  [SCF #: TPM-03.2, TPM-05.7, TPM-09]

P6.6-POF2  Provides Notice of Breaches and Incidents — The entity has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.  [SCF #: IRO-04.1]

P6.7  The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy.  [SCF #: IRO-04.1, IRO-10]

P6.7-POF1  Identifies Types of Personal Information and Handling Process — The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified.  [SCF #: PRM-06, PRI-02.1, PRI-04.1]

P6.7-POF2  Captures, Identifies, and Communicates Requests for Information — Requests for an accounting of personal information held and disclosures of the data subjects’ personal information are captured and information related to the requests is identified and communicated to data subjects to meet the entity’s objectives related to privacy.  [SCF #: PRI-06.4, PRI-06.6, PRI-06.7]

P7.0  Privacy Criteria Related to Quality  [SCF #: PRI-10]

P7.1  The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy.  [SCF #: PRI-10]

P7.1-POF1  Ensures Accuracy and Completeness of Personal Information — Personal information is accurate and complete for the purposes for which it is to be used.  [SCF #: PRI-10]

P7.1-POF2  Ensures Relevance of Personal Information — Personal information is relevant to the purposes for which it is to be used.  [SCF #: PRI-10]

P8.0  Privacy Criteria Related to Monitoring and Enforcement  [SCF #: PRI-08]

P8.1  The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.  [SCF #: PRI-06.4]

P8.1-POF1  Communicates to Data Subjects — Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes.  [SCF #: PRI-06.4]

P8.1-POF2  Addresses Inquiries, Complaints, and Disputes — A process is in place to address inquiries, complaints, and disputes.  [SCF #: PRI-06.4]

P8.1-POF3  Documents and Communicates Dispute Resolution and Recourse — Each complaint is addressed and the resolution is documented and communicated to the individual.  [SCF #: PRI-06.4]

P8.1-POF4  Documents and Reports Compliance Review Results — Compliance with objectives related to privacy are reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented.  [SCF #: PRI-14]

P8.1-POF5  Documents and Reports Instances of Noncompliance — Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis.  [SCF #: PRI-14]

P8.1-POF6  Performs Ongoing Monitoring — Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary.  [SCF #: PRI-08]

Secure Controls Framework (SCF) Risk Catalog
Licensed by Creative Commons Attribution-NoDerivatives version 2023.4

RISK CATALOG use case: What are the risks associated with a control deficiency? (e.g., if the control fails, what risk(s) is the organization exposed to?)

* Definition of risk
  noun: A situation where someone or something valued is exposed to danger, harm or loss.**
  verb: To expose someone or something valued to danger, harm or loss.**
** Danger: state of possibly suffering harm or injury; Harm: material / physical damage; Loss: destruction, deprivation or inability to use

Note - Some of these risks may indicate a deficiency that could be considered a failure to meet "reasonable security practices".

Columns: Risk Grouping | Risk # | Risk* | Description of Possible Risk Due To Control Deficiency (IF THE CONTROL FAILS, RISK THAT THE ORGANIZATION IS EXPOSED TO IS:) | NIST CSF Function

Access Control
  R-AC-1 | Inability to maintain individual accountability | The inability to maintain accountability (e.g., asset ownership, non-repudiation of actions or inactions, etc.). | Protect
  R-AC-2 | Improper assignment of privileged functions | The inability to implement least privileges (e.g., Role-Based Access Control (RBAC), Privileged Account Management (PAM), etc.). | Protect
  R-AC-3 | Privilege escalation | The inability to restrict access to privileged functions. | Protect
  R-AC-4 | Unauthorized access | The inability to restrict access to only authorized individuals, groups or services. | Protect

Asset Management
  R-AM-1 | Lost, damaged or stolen asset(s) | Lost, damaged or stolen assets. | Protect
  R-AM-2 | Loss of integrity through unauthorized changes | Unauthorized changes that corrupt the integrity of the system / application / service. | Protect
  R-AM-3 | Emergent properties and/or unintended consequences | Emergent properties and/or unintended consequences from Artificial Intelligence & Autonomous Technologies (AAT). | Protect

Business Continuity
  R-BC-1 | Business interruption | Increased latency, or a service outage, that negatively impacts business operations. | Recover
  R-BC-2 | Data loss / corruption | The inability to maintain the confidentiality of the data (compromise) or prevent data corruption (loss). | Recover
  R-BC-3 | Reduction in productivity | Diminished user productivity. | Protect
  R-BC-4 | Information loss / corruption or system compromise due to technical attack | A technical attack that compromises data, systems, applications or services (e.g., malware, phishing, hacking, etc.). | Protect
  R-BC-5 | Information loss / corruption or system compromise due to non-technical attack | A non-technical attack that compromises data, systems, applications or services (e.g., social engineering, sabotage, etc.). | Protect

Exposure
  R-EX-1 | Loss of revenue | A negative impact on the ability to generate revenue (e.g., a loss of clients or an inability to generate future revenue). | Recover
  R-EX-2 | Cancelled contract | A cancelled contract with a client or other entity for cause (e.g., failure to fulfill obligations for secure practices). | Recover
  R-EX-3 | Diminished competitive advantage | Diminished competitive advantage (e.g., lose market share, internal dysfunction, etc.). | Recover
  R-EX-4 | Diminished reputation | Diminished brand value (e.g., tarnished reputation). | Recover
  R-EX-5 | Fines and judgements | Financial damages due to fines and/or judgements from statutory / regulatory / contractual non-compliance. | Recover
  R-EX-6 | Unmitigated vulnerabilities | Unmitigated technical vulnerabilities that lack compensating controls or other mitigation actions. | Protect
  R-EX-7 | System compromise | A compromise of a system, application or service that affects confidentiality, integrity, availability and/or safety. | Protect

Governance
  R-GV-1 | Inability to support business processes | Insufficient cybersecurity and/or privacy practices that cannot securely support the organization's technologies & processes. | Protect
  R-GV-2 | Incorrect controls scoping | Missing or incorrect cybersecurity and/or privacy controls due to incorrect or inadequate control scoping practices. | Identify
  R-GV-3 | Lack of roles & responsibilities | Insufficient cybersecurity and/or privacy roles & responsibilities that cannot securely support the organization's technologies & processes. | Identify
  R-GV-4 | Inadequate internal practices | Insufficient cybersecurity and/or privacy practices that cannot securely support the organization's technologies & processes. | Protect
  R-GV-5 | Inadequate third-party practices | Insufficient Cybersecurity Supply Chain Risk Management (C-SCRM) practices that cannot securely support the organization's technologies & processes. | Protect
  R-GV-6 | Lack of oversight of internal controls | The inability to demonstrate appropriate evidence of due diligence and due care in overseeing the organization's internal cybersecurity and/or privacy controls. | Identify
  R-GV-7 | Lack of oversight of third-party controls | The inability to demonstrate appropriate evidence of due diligence and due care in overseeing third-party cybersecurity and/or privacy controls. | Identify
  R-GV-8 | Illegal content or abusive action | Disruptive content or actions that negatively affect business operations (e.g., abusive content, harmful speech, threats of violence, illegal content, etc.). | Identify

Incident Response
  R-IR-1 | Inability to investigate / prosecute incidents | Insufficient incident response practices that prevent the organization from investigating and/or prosecuting incidents (e.g., chain of custody corruption, available sources of evidence, etc.). | Respond
  R-IR-2 | Improper response to incidents | The inability to appropriately respond to incidents in a timely manner. | Respond
  R-IR-3 | Ineffective remediation actions | The inability to ensure incident response actions were correct and/or effective. | Protect
  R-IR-4 | Expense associated with managing a loss event | Financial repercussions from responding to an incident or loss. | Respond

  R-SA-1 | Inability to maintain situational awareness | The inability to detect cybersecurity and/or privacy incidents (e.g., a lack of situational awareness). | Detect

Situational Awareness

R-SA-2 Lack of a security-minded workforce The inability to appropriately educate and train personnel to foster a security-minded workforce. Protect

Note: These are POSSIBLE risks and the matrix is expected to be tailored. Every organization has a unique set of obligations and risks. This is not an authoritative list of all applicable risks.
Secure Controls Framework (SCF) Threat Catalog 279 of 280
Licensed by Creative Commons Attribution-NoDerivatives version 2023.4

THREAT CATALOG use case: What natural and man-made threats affect control execution? (e.g., if the threat materializes, will the control function as expected?)

* Definition of threat
noun A person or thing likely to cause damage or danger.
verb To indicate impending damage or danger.

Threat Grouping | Threat # | Threat* | Threat Description
Natural Threat | NT-1 | Drought & Water Shortage | Regardless of geographic location, periods of reduced rainfall are expected. For non-agricultural industries, drought may not be impactful to operations until it reaches the extent of water rationing.
Natural Threat | NT-2 | Earthquakes | Earthquakes are sudden rolling or shaking events caused by movement under the earth's surface. Although earthquakes usually last less than one minute, the scope of devastation can be widespread and have long-lasting impact.
Natural Threat | NT-3 | Fire & Wildfires | Regardless of geographic location or even building material, fire is a concern for every business. When thinking of a fire in a building, envision a total loss of all technology hardware, including backup tapes, and all paper files being consumed in the fire.
Natural Threat | NT-4 | Floods | Flooding is the most common of natural hazards and requires an understanding of the local environment, including floodplains and the frequency of flooding events. The location of critical technologies should be considered (e.g., whether the server room is in the basement or on the first floor of the facility).
Natural Threat | NT-5 | Hurricanes & Tropical Storms | Hurricanes and tropical storms are among the most powerful natural disasters because of their size and destructive potential. In addition to high winds, regional flooding and infrastructure damage should be considered when assessing hurricanes and tropical storms.
Natural Threat | NT-6 | Landslides & Debris Flow | Landslides occur throughout the world and can be caused by a variety of factors including earthquakes, storms, volcanic eruptions, fire, and human modification of land. Landslides can occur quickly, often with little notice. The location of critical technologies should be considered (e.g., whether the server room is in the basement or on the first floor of the facility).
Natural Threat | NT-7 | Pandemic (Disease) Outbreaks | Due to the wide variety of possible scenarios, consideration should be given both to the magnitude of what can reasonably happen during a pandemic outbreak (e.g., COVID-19, Influenza, SARS, Ebola, etc.) and to what actions the business can take to help lessen the impact of a pandemic on operations.
Natural Threat | NT-8 | Severe Weather | Severe weather is a broad category of meteorological events that range from damaging winds to hail.
Natural Threat | NT-9 | Space Weather | Space weather includes natural events in space that can affect the near-earth environment and satellites. Most commonly, this is associated with solar flares from the Sun, so an understanding of how solar flares may impact the business is of critical importance in assessing this threat.
Natural Threat | NT-10 | Thunderstorms & Lightning | Thunderstorms are most prevalent in the spring and summer months and generally occur during the afternoon and evening hours, but they can occur year-round and at all hours. Many hazardous weather events are associated with thunderstorms. Under the right conditions, rainfall from thunderstorms causes flash flooding, and lightning is responsible for equipment damage, fires and fatalities.
Natural Threat | NT-11 | Tornadoes | Tornadoes occur in many parts of the world, including the US, Australia, Europe, Africa, Asia, and South America. Tornadoes can happen at any time of year and at any time of day or night, but most tornadoes occur between 4 and 9 p.m. Tornadoes (with winds up to about 300 mph) can destroy all but the best-built man-made structures.
Natural Threat | NT-12 | Tsunamis | All tsunamis are potentially dangerous, even though they may not damage every coastline they strike. A tsunami can strike anywhere along most of the US coastline. The most destructive tsunamis have occurred along the coasts of California, Oregon, Washington, Alaska and Hawaii.
Natural Threat | NT-13 | Volcanoes | While volcanoes are geographically fixed objects, volcanic fallout can have significant downwind impacts for thousands of miles. Far outside of the blast zone, volcanoes can significantly damage or degrade transportation systems and also cause electrical grids to fail.
Natural Threat | NT-14 | Winter Storms & Extreme Cold | Winter storms are a broad category of meteorological events that range from ice storms, to heavy snowfall, to unseasonably (e.g., record-breaking) cold temperatures. Winter storms can significantly impact business operations and transportation systems over a wide geographic region.
Man-Made Threat | MT-1 | Civil or Political Unrest | Civil or political unrest can be singular or widespread events that can be unexpected and unpredictable. These events can occur anywhere, at any time.
Man-Made Threat | MT-2 | Hacking & Other Cybersecurity Crimes | Unlike physical threats that prompt immediate action (e.g., "stop, drop, and roll" in the event of a fire), cyber incidents are often difficult to identify as the incident is occurring. Detection generally occurs after the incident has occurred, with the exception of "denial of service" attacks. The spectrum of cybersecurity risks is limitless and threats can have wide-ranging effects on the individual, organizational, geographic, and national levels.
Man-Made Threat | MT-3 | Hazardous Materials Emergencies | Hazardous materials emergencies are focused on accidental disasters that occur in industrialized nations. These incidents can range from industrial chemical spills to groundwater contamination.
Man-Made Threat | MT-4 | Nuclear, Biological and Chemical (NBC) Weapons | The use of NBC weapons is within the possible arsenals of international terrorists and must be a consideration. Terrorist use of a "dirty bomb" is considered far more likely than use of a traditional nuclear explosive device. This may be a combination of a conventional explosive device with radioactive / chemical / biological material, designed to scatter lethal and sub-lethal amounts of material over a wide area.
Man-Made Threat | MT-5 | Physical Crime | Physical crime includes "traditional" crimes of opportunity. These incidents can range from theft, to vandalism, riots, looting, arson and other forms of criminal activity.
Man-Made Threat | MT-6 | Terrorism & Armed Attacks | Armed attacks, regardless of the motivation of the attacker, can impact a business. Scenarios can range from single actors (e.g., a "disgruntled" employee) all the way to a coordinated terrorist attack by multiple assailants. These incidents can range from the use of bladed weapons (e.g., knives) and blunt objects (e.g., clubs) to firearms and explosives.
Man-Made Threat | MT-7 | Utility Service Disruption | Utility service disruptions are focused on the sustained loss of electricity, Internet, natural gas, water, and/or sanitation services. These incidents can have a variety of causes but directly impact the fulfillment of utility services that your business needs to operate.
Man-Made Threat | MT-8 | Dysfunctional Management Practices | Dysfunctional management practices are a man-made threat that exposes an organization to significant risk. The threat stems from the inability of weak, ineffective and/or incompetent management to (1) make a risk-based decision and (2) support that decision. The resulting risk manifests due to (1) an absence of a required control or (2) a control deficiency.
Man-Made Threat | MT-9 | Human Error | Human error is a broad category that includes non-malicious actions by humans that are unexpected and unpredictable. These incidents can range from misconfigurations, to misunderstandings or other unintentional accidents.
Man-Made Threat | MT-10 | Technical / Mechanical Failure | Technical / mechanical failure is a broad category that includes non-malicious failure due to a defect in the technology, materials or workmanship. Technical / mechanical failures are unexpected and unpredictable, even when routine and preventative maintenance is performed. These incidents can range from malfunctions, to reliability concerns, to catastrophic damage (including loss of life).
Man-Made Threat | MT-11 | Statutory / Regulatory / Contractual Obligation | Laws, regulations and/or contractual obligations that directly or indirectly weaken an organization's security & privacy controls. This includes hostile nation states that leverage statutory and/or regulatory means for economic or political espionage and/or cyberwarfare activities.
Man-Made Threat | MT-12 | Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) Data | Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) data is information an organization utilizes for business processes even though the data is untrustworthy, due to the data's currency, accuracy, integrity and/or applicability.
Man-Made Threat | MT-13 | Artificial Intelligence & Autonomous Technologies (AAT) | Artificial Intelligence & Autonomous Technologies (AAT) is a broad category that ranges from non-malicious failure due to a defect in the algorithm to emergent properties or unintended consequences. AAT failures can be due to hardware failures, inherent biases or other flaws in the underlying algorithm. These incidents can range from malfunctions, to reliability concerns, to catastrophic damage (including loss of life).
Man-Made Threat | MT-14 | Willful Criminal Conduct | Willful criminal conduct is a broad category that includes consciously-committed criminal acts performed by individuals (e.g., mens rea). These incidents can range from theft, to illegal content, to other criminal activities. Criminal conduct generally involves one of the following kinds of mens rea: (1) intent, (2) knowledge, (3) recklessness and/or (4) negligence.
Man-Made Threat | MT-15 | Conflict of Interest (COI) | Conflict of Interest (COI) is a broad category but pertains to an ethical incompatibility. A COI exists when (1) the concerns or goals of different parties are incompatible or (2) a person in a decision-making position is able to derive personal benefit from actions taken or decisions made in their official capacity.
Man-Made Threat | MT-16 | Macroeconomics | Macroeconomic factors can negatively affect the global supply chain. Macroeconomic factors directly impact unemployment rates, interest rates, exchange rates and commodity prices. Because fiscal and monetary policies can negatively affect the global supply chain, they can disrupt or degrade an organization's business operations.

Note: These are POSSIBLE threats and the matrix is expected to be tailored. Every organization has a unique set of obligations and threats. This is not an authoritative list of all applicable threats.
Threat Materiality
No - Not A Material Threat
Yes - This Is A Material Threat
Unknown

Risk Materiality
No - Not A Material Risk
Yes - This Is A Material Risk
Unknown
