1196 of 1196 controls
AC-1Access Control
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] access control policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational

GVIDPR
LowModerateHigh
AC-2Access Control
Account Management

Define and document the types of accounts allowed and specifically prohibited for use within the system; Assign account managers; Require [assignment] for group and role membership; Specify: Authorize

DEPR
LowModerateHigh
AC-2(1)Access Control
Automated System Account Management

Support the management of system accounts using [assignment].

LowModerateHigh
AC-2(2)Access Control
Automated Temporary and Emergency Account Management

Automatically [assignment] temporary and emergency accounts after [assignment].

LowModerateHigh
AC-2(3)Access Control
Disable Accounts

Disable accounts within [assignment] when the accounts: Have expired; Are no longer associated with a user or individual; Are in violation of organizational policy; or Have been inactive for [assignme

LowModerateHigh
AC-2(4)Access Control
Automated Audit Actions

Automatically audit account creation, modification, enabling, disabling, and removal actions.

LowModerateHigh
AC-2(5)Access Control
Inactivity Logout

Require that users log out when [assignment].

LowModerateHigh
AC-2(6)Access Control
Dynamic Privilege Management

Implement [assignment].

LowModerateHigh
AC-2(7)Access Control
Privileged User Accounts

Establish and administer privileged user accounts in accordance with [assignment]; Monitor privileged role or attribute assignments; Monitor changes to roles or attributes; and Revoke access when priv

LowModerateHigh
AC-2(8)Access Control
Dynamic Account Management

Create, activate, manage, and deactivate [assignment] dynamically.

LowModerateHigh
AC-2(9)Access Control
Restrictions on Use of Shared and Group Accounts

Only permit the use of shared and group accounts that meet [assignment].

LowModerateHigh
AC-2(10)Access Control
Shared and Group Account Credential Change

LowModerateHigh
AC-2(11)Access Control
Usage Conditions

Enforce [assignment] for [assignment].

LowModerateHigh
AC-2(12)Access Control
Account Monitoring for Atypical Usage

Monitor system accounts for [assignment] ; and Report atypical usage of system accounts to [assignment].

LowModerateHigh
AC-2(13)Access Control
Disable Accounts for High-risk Individuals

Disable accounts of individuals within [assignment] of discovery of [assignment].

LowModerateHigh
AC-3Access Control
Access Enforcement

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

PR
LowModerateHigh
AC-3(1)Access Control
Restricted Access to Privileged Functions

LowModerateHigh
AC-3(2)Access Control
Dual Authorization

Enforce dual authorization for [assignment].

LowModerateHigh
AC-3(3)Access Control
Mandatory Access Control

Enforce [assignment] over the set of covered subjects and objects specified in the policy, and where the policy: Is uniformly enforced across the covered subjects and objects within the system; Specif

LowModerateHigh
AC-3(4)Access Control
Discretionary Access Control

Enforce [assignment] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more

LowModerateHigh
AC-3(5)Access Control
Security-relevant Information

Prevent access to [assignment] except during secure, non-operable system states.

LowModerateHigh
AC-3(6)Access Control
Protection of User and System Information

LowModerateHigh
AC-3(7)Access Control
Role-based Access Control

Enforce a role-based access control policy over defined subjects and objects and control access based upon [assignment].

LowModerateHigh
AC-3(8)Access Control
Revocation of Access Authorizations

Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [assignment].

LowModerateHigh
AC-3(9)Access Control
Controlled Release

Release information outside of the system only if: The receiving [assignment] provides [assignment] ; and [assignment] are used to validate the appropriateness of the information designated for releas

LowModerateHigh
AC-3(10)Access Control
Audited Override of Access Control Mechanisms

Employ an audited override of automated access control mechanisms under [assignment] by [assignment].

LowModerateHigh
AC-3(11)Access Control
Restrict Access to Specific Information Types

Restrict access to data repositories containing [assignment].

LowModerateHigh
AC-3(12)Access Control
Assert and Enforce Application Access

Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [assignment]; Provide an enforcement mechanism to prevent una

LowModerateHigh
AC-3(13)Access Control
Attribute-based Access Control

Enforce attribute-based access control policy over defined subjects and objects and control access based upon [assignment].

LowModerateHigh
AC-3(14)Access Control
Individual Access

Provide [assignment] to enable individuals to have access to the following elements of their personally identifiable information: [assignment].

LowModerateHigh
AC-3(15)Access Control
Discretionary and Mandatory Access Control

Enforce [assignment] over the set of covered subjects and objects specified in the policy; and Enforce [assignment] over the set of covered subjects and objects specified in the policy.

LowModerateHigh
AC-4Access Control
Information Flow Enforcement

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [assignment].

DEIDPR
LowModerateHigh
AC-4(1)Access Control
Object Security and Privacy Attributes

Use [assignment] associated with [assignment] to enforce [assignment] as a basis for flow control decisions.

LowModerateHigh
AC-4(2)Access Control
Processing Domains

Use protected processing domains to enforce [assignment] as a basis for flow control decisions.

LowModerateHigh
AC-4(3)Access Control
Dynamic Information Flow Control

Enforce [assignment].

LowModerateHigh
AC-4(4)Access Control
Flow Control of Encrypted Information

Prevent encrypted information from bypassing [assignment] by [assignment].

LowModerateHigh
AC-4(5)Access Control
Embedded Data Types

Enforce [assignment] on embedding data types within other data types.

LowModerateHigh
AC-4(6)Access Control
Metadata

Enforce information flow control based on [assignment].

LowModerateHigh
AC-4(7)Access Control
One-way Flow Mechanisms

Enforce one-way information flows through hardware-based flow control mechanisms.

LowModerateHigh
AC-4(8)Access Control
Security and Privacy Policy Filters

Enforce information flow control using [assignment] as a basis for flow control decisions for [assignment] ; and [assignment] data after a filter processing failure in accordance with [assignment].

LowModerateHigh
AC-4(9)Access Control
Human Reviews

Enforce the use of human reviews for [assignment] under the following conditions: [assignment].

LowModerateHigh
AC-4(10)Access Control
Enable and Disable Security or Privacy Policy Filters

Provide the capability for privileged administrators to enable and disable [assignment] under the following conditions: [assignment].

LowModerateHigh
AC-4(11)Access Control
Configuration of Security or Privacy Policy Filters

Provide the capability for privileged administrators to configure [assignment] to support different security or privacy policies.

LowModerateHigh
AC-4(12)Access Control
Data Type Identifiers

When transferring information between different security domains, use [assignment] to validate data essential for information flow decisions.

LowModerateHigh
AC-4(13)Access Control
Decomposition into Policy-relevant Subcomponents

When transferring information between different security domains, decompose information into [assignment] for submission to policy enforcement mechanisms.

LowModerateHigh
AC-4(14)Access Control
Security or Privacy Policy Filter Constraints

When transferring information between different security domains, implement [assignment] requiring fully enumerated formats that restrict data structure and content.

LowModerateHigh
AC-4(15)Access Control
Detection of Unsanctioned Information

When transferring information between different security domains, examine the information for the presence of [assignment] and prohibit the transfer of such information in accordance with the [assignm

LowModerateHigh
AC-4(16)Access Control
Information Transfers on Interconnected Systems

LowModerateHigh
AC-4(17)Access Control
Domain Authentication

Uniquely identify and authenticate source and destination points by [assignment] for information transfer.

LowModerateHigh
AC-4(18)Access Control
Security Attribute Binding

LowModerateHigh
AC-4(19)Access Control
Validation of Metadata

When transferring information between different security domains, implement [assignment] on metadata.

LowModerateHigh
AC-4(20)Access Control
Approved Solutions

Employ [assignment] to control the flow of [assignment] across security domains.

LowModerateHigh
AC-4(21)Access Control
Physical or Logical Separation of Information Flows

Separate information flows logically or physically using [assignment] to accomplish [assignment].

LowModerateHigh
AC-4(22)Access Control
Access Only

Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security doma

LowModerateHigh
AC-4(23)Access Control
Modify Non-releasable Information

When transferring information between different security domains, modify non-releasable information by implementing [assignment].

LowModerateHigh
AC-4(24)Access Control
Internal Normalized Format

When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.

LowModerateHigh
AC-4(25)Access Control
Data Sanitization

When transferring information between different security domains, sanitize data to minimize [assignment] in accordance with [assignment].

LowModerateHigh
AC-4(26)Access Control
Audit Filtering Actions

When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.

LowModerateHigh
AC-4(27)Access Control
Redundant/Independent Filtering Mechanisms

When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.

LowModerateHigh
AC-4(28)Access Control
Linear Filter Pipelines

When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.

LowModerateHigh
AC-4(29)Access Control
Filter Orchestration Engines

When transferring information between different security domains, employ content filter orchestration engines to ensure that: Content filtering mechanisms successfully complete execution without error

LowModerateHigh
AC-4(30)Access Control
Filter Mechanisms Using Multiple Processes

When transferring information between different security domains, implement content filtering mechanisms using multiple processes.

LowModerateHigh
AC-4(31)Access Control
Failed Content Transfer Prevention

When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.

LowModerateHigh
AC-4(32)Access Control
Process Requirements for Information Transfer

When transferring information between different security domains, the process that transfers information between filter pipelines: Does not filter message content; Validates filtering metadata; Ensure

LowModerateHigh
AC-5Access Control
Separation of Duties

Identify and document [assignment] ; and Define system access authorizations to support separation of duties.

PR
LowModerateHigh
AC-6Access Control
Least Privilege

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

PR
LowModerateHigh
AC-6(1)Access Control
Authorize Access to Security Functions

Authorize access for [assignment] to: [assignment] ; and [assignment].

LowModerateHigh
AC-6(2)Access Control
Non-privileged Access for Nonsecurity Functions

Require that users of system accounts (or roles) with access to [assignment] use non-privileged accounts or roles, when accessing nonsecurity functions.

LowModerateHigh
AC-6(3)Access Control
Network Access to Privileged Commands

Authorize network access to [assignment] only for [assignment] and document the rationale for such access in the security plan for the system.

LowModerateHigh
AC-6(4)Access Control
Separate Processing Domains

Provide separate processing domains to enable finer-grained allocation of user privileges.

LowModerateHigh
AC-6(5)Access Control
Privileged Accounts

Restrict privileged accounts on the system to [assignment].

LowModerateHigh
AC-6(6)Access Control
Privileged Access by Non-organizational Users

Prohibit privileged access to the system by non-organizational users.

LowModerateHigh
AC-6(7)Access Control
Review of User Privileges

Review [assignment] the privileges assigned to [assignment] to validate the need for such privileges; and Reassign or remove privileges, if necessary, to correctly reflect organizational mission and b

LowModerateHigh
AC-6(8)Access Control
Privilege Levels for Code Execution

Prevent the following software from executing at higher privilege levels than users executing the software: [assignment].

LowModerateHigh
AC-6(9)Access Control
Log Use of Privileged Functions

Log the execution of privileged functions.

LowModerateHigh
AC-6(10)Access Control
Prohibit Non-privileged Users from Executing Privileged Functions

Prevent non-privileged users from executing privileged functions.

LowModerateHigh
AC-7Access Control
Unsuccessful Logon Attempts

Enforce a limit of [assignment] consecutive invalid logon attempts by a user during a [assignment] ; and Automatically [assignment] when the maximum number of unsuccessful attempts is exceeded.

PR
LowModerateHigh
AC-7(1)Access Control
Automatic Account Lock

LowModerateHigh
AC-7(2)Access Control
Purge or Wipe Mobile Device

Purge or wipe information from [assignment] based on [assignment] after [assignment] consecutive, unsuccessful device logon attempts.

LowModerateHigh
AC-7(3)Access Control
Biometric Attempt Limiting

Limit the number of unsuccessful biometric logon attempts to [assignment].

LowModerateHigh
AC-7(4)Access Control
Use of Alternate Authentication Factor

Allow the use of [assignment] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and Enforce a l

LowModerateHigh
AC-8Access Control
System Use Notification

Display [assignment] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, stan

LowModerateHigh
AC-9Access Control
Previous Logon Notification

Notify the user, upon successful logon to the system, of the date and time of the last logon.

DE
LowModerateHigh
AC-9(1)Access Control
Unsuccessful Logons

Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.

LowModerateHigh
AC-9(2)Access Control
Successful and Unsuccessful Logons

Notify the user, upon successful logon, of the number of [assignment] during [assignment].

LowModerateHigh
AC-9(3)Access Control
Notification of Account Changes

Notify the user, upon successful logon, of changes to [assignment] during [assignment].

LowModerateHigh
AC-9(4)Access Control
Additional Logon Information

Notify the user, upon successful logon, of the following additional information: [assignment].

LowModerateHigh
AC-10Access Control
Concurrent Session Control

Limit the number of concurrent sessions for each [assignment] to [assignment].

PR
LowModerateHigh
AC-11Access Control
Device Lock

Prevent further access to the system by [assignment] ; and Retain the device lock until the user reestablishes access using established identification and authentication procedures.

LowModerateHigh
AC-11(1)Access Control
Pattern-hiding Displays

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

LowModerateHigh
AC-12Access Control
Session Termination

Automatically terminate a user session after [assignment].

PR
LowModerateHigh
AC-12(1)Access Control
User-initiated Logouts

Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [assignment].

LowModerateHigh
AC-12(2)Access Control
Termination Message

Display an explicit logout message to users indicating the termination of authenticated communications sessions.

LowModerateHigh
AC-12(3)Access Control
Timeout Warning Message

Display an explicit message to users indicating that the session will end in [assignment].

LowModerateHigh
AC-13Access Control
Supervision and Review — Access Control

LowModerateHigh
AC-14Access Control
Permitted Actions Without Identification or Authentication

Identify [assignment] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and Document and provide supporting ra

PR
LowModerateHigh
AC-14(1)Access Control
Necessary Uses

LowModerateHigh
AC-15Access Control
Automated Marking

LowModerateHigh
AC-16Access Control
Security and Privacy Attributes

Provide the means to associate [assignment] with [assignment] for information in storage, in process, and/or in transmission; Ensure that the attribute associations are made and retained with the info

PR
LowModerateHigh
AC-16(1)Access Control
Dynamic Attribute Association

Dynamically associate security and privacy attributes with [assignment] in accordance with the following security and privacy policies as information is created and combined: [assignment].

LowModerateHigh
AC-16(2)Access Control
Attribute Value Changes by Authorized Individuals

Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.

LowModerateHigh
AC-16(3)Access Control
Maintenance of Attribute Associations by System

Maintain the association and integrity of [assignment] to [assignment].

LowModerateHigh
AC-16(4)Access Control
Association of Attributes by Authorized Individuals

Provide the capability to associate [assignment] with [assignment] by authorized individuals (or processes acting on behalf of individuals).

LowModerateHigh
AC-16(5)Access Control
Attribute Displays on Objects to Be Output

Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [assignment] using [assignment].

LowModerateHigh
AC-16(6)Access Control
Maintenance of Attribute Association

Require personnel to associate and maintain the association of [assignment] with [assignment] in accordance with [assignment].

LowModerateHigh
AC-16(7)Access Control
Consistent Attribute Interpretation

Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.

LowModerateHigh
AC-16(8)Access Control
Association Techniques and Technologies

Implement [assignment] in associating security and privacy attributes to information.

LowModerateHigh
AC-16(9)Access Control
Attribute Reassignment — Regrading Mechanisms

Change security and privacy attributes associated with information only via regrading mechanisms validated using [assignment].

LowModerateHigh
AC-16(10)Access Control
Attribute Configuration by Authorized Individuals

Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.

LowModerateHigh
AC-17Access Control
Remote Access

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorize each type of remote access to the sy

PR
LowModerateHigh
AC-17(1)Access Control
Monitoring and Control

Employ automated mechanisms to monitor and control remote access methods.

LowModerateHigh
AC-17(2)Access Control
Protection of Confidentiality and Integrity Using Encryption

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

LowModerateHigh
AC-17(3)Access Control
Managed Access Control Points

Route remote accesses through authorized and managed network access control points.

LowModerateHigh
AC-17(4)Access Control
Privileged Commands and Access

Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [assignment

LowModerateHigh
AC-17(5)Access Control
Monitoring for Unauthorized Connections

LowModerateHigh
AC-17(6)Access Control
Protection of Mechanism Information

Protect information about remote access mechanisms from unauthorized use and disclosure.

LowModerateHigh
AC-17(7)Access Control
Additional Protection for Security Function Access

LowModerateHigh
AC-17(8)Access Control
Disable Nonsecure Network Protocols

LowModerateHigh
AC-17(9)Access Control
Disconnect or Disable Access

Provide the capability to disconnect or disable remote access to the system within [assignment].

LowModerateHigh
AC-17(10)Access Control
Authenticate Remote Commands

Implement [assignment] to authenticate [assignment].

LowModerateHigh
AC-18Access Control
Wireless Access

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and Authorize each type of wireless access to the system prior to allowing

PR
LowModerateHigh
AC-18(1)Access Control
Authentication and Encryption

Protect wireless access to the system using authentication of [assignment] and encryption.

LowModerateHigh
AC-18(2)Access Control
Monitoring Unauthorized Connections

LowModerateHigh
AC-18(3)Access Control
Disable Wireless Networking

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

LowModerateHigh
AC-18(4)Access Control
Restrict Configurations by Users

Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.

LowModerateHigh
AC-18(5)Access Control
Antennas and Transmission Power Levels

Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.

LowModerateHigh
AC-19Access Control
Access Control for Mobile Devices

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and

PR
LowModerateHigh
AC-19(1)Access Control
Use of Writable and Portable Storage Devices

LowModerateHigh
AC-19(2)Access Control
Use of Personally Owned Portable Storage Devices

LowModerateHigh
AC-19(3)Access Control
Use of Portable Storage Devices with No Identifiable Owner

LowModerateHigh
AC-19(4)Access Control
Restrictions for Classified Information

Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official;

LowModerateHigh
AC-19(5)Access Control
Full Device or Container-based Encryption

Employ [assignment] to protect the confidentiality and integrity of information on [assignment].

LowModerateHigh
AC-20Access Control
Use of External Systems

[assignment] , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: Access the syste

ID
LowModerateHigh
AC-20(1)Access Control
Limits on Authorized Use

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: Verification of the implementation of con

LowModerateHigh
AC-20(2)Access Control
Portable Storage Devices — Restricted Use

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [assignment].

LowModerateHigh
AC-20(3)Access Control
Non-organizationally Owned Systems — Restricted Use

Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [assignment].

LowModerateHigh
AC-20(4)Access Control
Network Accessible Storage Devices — Prohibited Use

Prohibit the use of [assignment] in external systems.

LowModerateHigh
AC-20(5)Access Control
Portable Storage Devices — Prohibited Use

Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.

LowModerateHigh
AC-21Access Control
Information Sharing

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [assignment] ; and Employ [assignment] to assis

LowModerateHigh
AC-21(1)Access Control
Automated Decision Support

Employ [assignment] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

LowModerateHigh
AC-21(2)Access Control
Information Search and Retrieval

Implement information search and retrieval services that enforce [assignment].

LowModerateHigh
AC-22Access Control
Publicly Accessible Content

Designate individuals authorized to make information publicly accessible; Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; Review the

LowModerateHigh
AC-23Access Control
Data Mining Protection

Employ [assignment] for [assignment] to detect and protect against unauthorized data mining.

LowModerateHigh
AC-24Access Control
Access Control Decisions

[assignment] to ensure [assignment] are applied to each access request prior to access enforcement.

PR
LowModerateHigh
AC-24(1)Access Control
Transmit Access Authorization Information

Transmit [assignment] using [assignment] to [assignment] that enforce access control decisions.

LowModerateHigh
AC-24(2)Access Control
No User or Process Identity

Enforce access control decisions based on [assignment] that do not include the identity of the user or process acting on behalf of the user.

LowModerateHigh
AC-25Access Control
Reference Monitor

Implement a reference monitor for [assignment] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

LowModerateHigh
AT-1Awareness and Training
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organi

GVID
LowModerateHigh
AT-2Awareness and Training
Literacy Training and Awareness

Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): As part of initial training for new users and [assignment] thereafter; and When

PR
LowModerateHigh
AT-2(1)Awareness and Training
Practical Exercises

Provide practical exercises in literacy training that simulate events and incidents.

LowModerateHigh
AT-2(2)Awareness and Training
Insider Threat

Provide literacy training on recognizing and reporting potential indicators of insider threat.

LowModerateHigh
AT-2(3)Awareness and Training
Social Engineering and Mining

Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.

LowModerateHigh
AT-2(4)Awareness and Training
Suspicious Communications and Anomalous System Behavior

Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [assignment].

LowModerateHigh
AT-2(5)Awareness and Training
Advanced Persistent Threat

Provide literacy training on the advanced persistent threat.

LowModerateHigh
AT-2(6)Awareness and Training
Cyber Threat Environment

Provide literacy training on the cyber threat environment; and Reflect current cyber threat information in system operations.

LowModerateHigh
AT-3Awareness and Training
Role-based Training

Provide role-based security and privacy training to personnel with the following roles and responsibilities: [assignment]: Before authorizing access to the system, information, or performing assigned

PR
LowModerateHigh
AT-3(1)Awareness and Training
Environmental Controls

Provide [assignment] with initial and [assignment] training in the employment and operation of environmental controls.

LowModerateHigh
AT-3(2)Awareness and Training
Physical Security Controls

Provide [assignment] with initial and [assignment] training in the employment and operation of physical security controls.

LowModerateHigh
AT-3(3)Awareness and Training
Practical Exercises

Provide practical exercises in security and privacy training that reinforce training objectives.

LowModerateHigh
AT-3(4)Awareness and Training
Suspicious Communications and Anomalous System Behavior

LowModerateHigh
AT-3(5)Awareness and Training
Processing Personally Identifiable Information

Provide [assignment] with initial and [assignment] training in the employment and operation of personally identifiable information processing and transparency controls.

LowModerateHigh
AT-4Awareness and Training
Training Records

Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and Retain individua

LowModerateHigh
AT-5Awareness and Training
Contacts with Security Groups and Associations

LowModerateHigh
AT-6Awareness and Training
Training Feedback

Provide feedback on organizational training results to the following personnel [assignment]: [assignment].

LowModerateHigh
AU-1Audit and Accountability
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among orga

GVID
LowModerateHigh
AU-2Audit and Accountability
Event Logging

Identify the types of events that the system is capable of logging in support of the audit function: [assignment]; Coordinate the event logging function with other organizational entities requiring au

PR
LowModerateHigh
AU-2(1)Audit and Accountability
Compilation of Audit Records from Multiple Sources

LowModerateHigh
AU-2(2)Audit and Accountability
Selection of Audit Events by Component

LowModerateHigh
AU-2(3)Audit and Accountability
Reviews and Updates

LowModerateHigh
AU-2(4)Audit and Accountability
Privileged Functions

LowModerateHigh
AU-3Audit and Accountability
Content of Audit Records

Ensure that audit records contain information that establishes the following: What type of event occurred; When the event occurred; Where the event occurred; Source of the event; Outcome of the event;

PR
LowModerateHigh
AU-3(1)Audit and Accountability
Additional Audit Information

Generate audit records containing the following additional information: [assignment].

LowModerateHigh
AU-3(2)Audit and Accountability
Centralized Management of Planned Audit Record Content

LowModerateHigh
AU-3(3)Audit and Accountability
Limit Personally Identifiable Information Elements

Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [assignment].

LowModerateHigh
AU-4Audit and Accountability
Audit Log Storage Capacity

Allocate audit log storage capacity to accommodate [assignment].

LowModerateHigh
AU-4(1)Audit and Accountability
Transfer to Alternate Storage

Transfer audit logs [assignment] to a different system, system component, or media other than the system or system component conducting the logging.

LowModerateHigh
AU-5Audit and Accountability
Response to Audit Logging Process Failures

Alert [assignment] within [assignment] in the event of an audit logging process failure; and Take the following additional actions: [assignment].

LowModerateHigh
AU-5(1)Audit and Accountability
Storage Capacity Warning

Provide a warning to [assignment] within [assignment] when allocated audit log storage volume reaches [assignment] of repository maximum audit log storage capacity.

LowModerateHigh
AU-5(2)Audit and Accountability
Real-time Alerts

Provide an alert within [assignment] to [assignment] when the following audit failure events occur: [assignment].

LowModerateHigh
AU-5(3)Audit and Accountability
Configurable Traffic Volume Thresholds

Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [assignment] network traffic above those thresholds.

LowModerateHigh
AU-5(4)Audit and Accountability
Shutdown on Failure

Invoke a [assignment] in the event of [assignment] , unless an alternate audit logging capability exists.

LowModerateHigh
AU-5(5)Audit and Accountability
Alternate Audit Logging Capability

Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [assignment].

LowModerateHigh
AU-6Audit and Accountability
Audit Record Review, Analysis, and Reporting

Review and analyze system audit records [assignment] for indications of [assignment] and the potential impact of the inappropriate or unusual activity; Report findings to [assignment] ; and Adjust the

DEPR
LowModerateHigh
AU-6(1)Audit and Accountability
Automated Process Integration

Integrate audit record review, analysis, and reporting processes using [assignment].

LowModerateHigh
AU-6(2)Audit and Accountability
Automated Security Alerts

LowModerateHigh
AU-6(3)Audit and Accountability
Correlate Audit Record Repositories

Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

LowModerateHigh
AU-6(4)Audit and Accountability
Central Review and Analysis

Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.

LowModerateHigh
AU-6(5)Audit and Accountability
Integrated Analysis of Audit Records

Integrate analysis of audit records with analysis of [assignment] to further enhance the ability to identify inappropriate or unusual activity.

LowModerateHigh
AU-6(6)Audit and Accountability
Correlation with Physical Monitoring

Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity

LowModerateHigh
AU-6(7)Audit and Accountability
Permitted Actions

Specify the permitted actions for each [assignment] associated with the review, analysis, and reporting of audit record information.

LowModerateHigh
AU-6(8)Audit and Accountability
Full Text Analysis of Privileged Commands

Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.

LowModerateHigh
AU-6(9)Audit and Accountability
Correlation with Information from Nontechnical Sources

Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.

LowModerateHigh
AU-6(10)Audit and Accountability
Audit Level Adjustment

LowModerateHigh
AU-7Audit and Accountability
Audit Record Reduction and Report Generation

Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of

PRRS
LowModerateHigh
AU-7(1)Audit and Accountability
Automatic Processing

Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [assignment].

LowModerateHigh
AU-7(2)Audit and Accountability
Automatic Sort and Search

LowModerateHigh
AU-8Audit and Accountability
Time Stamps

Use internal system clocks to generate time stamps for audit records; and Record time stamps for audit records that meet [assignment] and that use Coordinated Universal Time, have a fixed local time o

LowModerateHigh
AU-8(1)Audit and Accountability
Synchronization with Authoritative Time Source

LowModerateHigh
AU-8(2)Audit and Accountability
Secondary Authoritative Time Source

LowModerateHigh
AU-9Audit and Accountability
Protection of Audit Information

Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and Alert [assignment] upon detection of unauthorized access, modification, or deletion of audit

PR
LowModerateHigh
AU-9(1)Audit and Accountability
Hardware Write-once Media

Write audit trails to hardware-enforced, write-once media.

LowModerateHigh
AU-9(2)Audit and Accountability
Store on Separate Physical Systems or Components

Store audit records [assignment] in a repository that is part of a physically different system or system component than the system or component being audited.

LowModerateHigh
AU-9(3)Audit and Accountability
Cryptographic Protection

Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.

LowModerateHigh
AU-9(4)Audit and Accountability
Access by Subset of Privileged Users

Authorize access to management of audit logging functionality to only [assignment].

LowModerateHigh
AU-9(5)Audit and Accountability
Dual Authorization

Enforce dual authorization for [assignment] of [assignment].

LowModerateHigh
AU-9(6)Audit and Accountability
Read-only Access

Authorize read-only access to audit information to [assignment].

LowModerateHigh
AU-9(7)Audit and Accountability
Store on Component with Different Operating System

Store audit information on a component running a different operating system than the system or component being audited.

LowModerateHigh
AU-10Audit and Accountability
Non-repudiation

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [assignment].

LowModerateHigh
AU-10(1)Audit and Accountability
Association of Identities

Bind the identity of the information producer with the information to [assignment] ; and Provide the means for authorized individuals to determine the identity of the producer of the information.

LowModerateHigh
AU-10(2)Audit and Accountability
Validate Binding of Information Producer Identity

Validate the binding of the information producer identity to the information at [assignment] ; and Perform [assignment] in the event of a validation error.

LowModerateHigh
AU-10(3)Audit and Accountability
Chain of Custody

Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released.

LowModerateHigh
AU-10(4)Audit and Accountability
Validate Binding of Information Reviewer Identity

Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [assignment] ; and Perform [assignment] in the event

LowModerateHigh
AU-10(5)Audit and Accountability
Digital Signatures

LowModerateHigh
AU-11Audit and Accountability
Audit Record Retention

Retain audit records for [assignment] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

PR
LowModerateHigh
AU-11(1)Audit and Accountability
Long-term Retrieval Capability

Employ [assignment] to ensure that long-term audit records generated by the system can be retrieved.

LowModerateHigh
AU-12Audit and Accountability
Audit Record Generation

Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on [assignment]; Allow [assignment] to select the event types that a

DEPR
LowModerateHigh
AU-12(1)Audit and Accountability
System-wide and Time-correlated Audit Trail

Compile audit records from [assignment] into a system-wide (logical or physical) audit trail that is time-correlated to within [assignment].

LowModerateHigh
AU-12(2)Audit and Accountability
Standardized Formats

Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.

LowModerateHigh
AU-12(3)Audit and Accountability
Changes by Authorized Individuals

Provide and implement the capability for [assignment] to change the logging to be performed on [assignment] based on [assignment] within [assignment].

LowModerateHigh
AU-12(4)Audit and Accountability
Query Parameter Audits of Personally Identifiable Information

Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.

LowModerateHigh
AU-13Audit and Accountability
Monitoring for Information Disclosure

Monitor [assignment] [assignment] for evidence of unauthorized disclosure of organizational information; and If an information disclosure is discovered: Notify [assignment] ; and Take the following ad

DEPR
LowModerateHigh
AU-13(1)Audit and Accountability
Use of Automated Tools

Monitor open-source information and information sites using [assignment].

LowModerateHigh
AU-13(2)Audit and Accountability
Review of Monitored Sites

Review the list of open-source information sites being monitored [assignment].

LowModerateHigh
AU-13(3)Audit and Accountability
Unauthorized Replication of Information

Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.

LowModerateHigh
AU-14Audit and Accountability
Session Audit

Provide and implement the capability for [assignment] to [assignment] the content of a user session under [assignment] ; and Develop, integrate, and use session auditing activities in consultation wit

LowModerateHigh
AU-14(1)Audit and Accountability
System Start-up

Initiate session audits automatically at system start-up.

LowModerateHigh
AU-14(2)Audit and Accountability
Capture and Record Content

LowModerateHigh
AU-14(3)Audit and Accountability
Remote Viewing and Listening

Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.

LowModerateHigh
AU-15Audit and Accountability
Alternate Audit Logging Capability

LowModerateHigh
AU-16Audit and Accountability
Cross-organizational Audit Logging

Employ [assignment] for coordinating [assignment] among external organizations when audit information is transmitted across organizational boundaries.

PR
LowModerateHigh
AU-16(1)Audit and Accountability
Identity Preservation

Preserve the identity of individuals in cross-organizational audit trails.

LowModerateHigh
AU-16(2)Audit and Accountability
Sharing of Audit Information

Provide cross-organizational audit information to [assignment] based on [assignment].

LowModerateHigh
AU-16(3)Audit and Accountability
Disassociability

Implement [assignment] to disassociate individuals from audit information transmitted across organizational boundaries.

LowModerateHigh
CA-1Assessment, Authorization, and Monitoring
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordi

GVID
LowModerateHigh
CA-2Assessment, Authorization, and Monitoring
Control Assessments

Select the appropriate assessor or assessment team for the type of assessment to be conducted; Develop a control assessment plan that describes the scope of the assessment including: Controls and cont

ID
LowModerateHigh
CA-2(1)Assessment, Authorization, and Monitoring
Independent Assessors

Employ independent assessors or assessment teams to conduct control assessments.

LowModerateHigh
CA-2(2)Assessment, Authorization, and Monitoring
Specialized Assessments

Include as part of control assessments, [assignment], [assignment], [assignment].

LowModerateHigh
CA-2(3)Assessment, Authorization, and Monitoring
Leveraging Results from External Organizations

Leverage the results of control assessments performed by [assignment] on [assignment] when the assessment meets [assignment].

LowModerateHigh
CA-3Assessment, Authorization, and Monitoring
Information Exchange

Approve and manage the exchange of information between the system and other systems using [assignment]; Document, as part of each exchange agreement, the interface characteristics, security and privac

IDPR
LowModerateHigh
CA-3(1)Assessment, Authorization, and Monitoring
Unclassified National Security System Connections

LowModerateHigh
CA-3(2)Assessment, Authorization, and Monitoring
Classified National Security System Connections

LowModerateHigh
CA-3(3)Assessment, Authorization, and Monitoring
Unclassified Non-national Security System Connections

LowModerateHigh
CA-3(4)Assessment, Authorization, and Monitoring
Connections to Public Networks

LowModerateHigh
CA-3(5)Assessment, Authorization, and Monitoring
Restrictions on External System Connections

LowModerateHigh
CA-3(6)Assessment, Authorization, and Monitoring
Transfer Authorizations

Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.

LowModerateHigh
CA-3(7)Assessment, Authorization, and Monitoring
Transitive Information Exchanges

Identify transitive (downstream) information exchanges with other systems through the systems identified in [CA-3a](#ca-3_smt.a) ; and Take measures to ensure that transitive (downstream) information

LowModerateHigh
CA-4Assessment, Authorization, and Monitoring
Security Certification

LowModerateHigh
CA-5Assessment, Authorization, and Monitoring
Plan of Action and Milestones

Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls

ID
LowModerateHigh
CA-5(1)Assessment, Authorization, and Monitoring
Automation Support for Accuracy and Currency

Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [assignment].

LowModerateHigh
CA-6Assessment, Authorization, and Monitoring
Authorization

Assign a senior official as the authorizing official for the system; Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems; Ensur

LowModerateHigh
CA-6(1)Assessment, Authorization, and Monitoring
Joint Authorization — Intra-organization

Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization.

LowModerateHigh
CA-6(2)Assessment, Authorization, and Monitoring
Joint Authorization — Inter-organization

Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the

LowModerateHigh
CA-7Assessment, Authorization, and Monitoring
Continuous Monitoring

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing the follo

DEID
LowModerateHigh
CA-7(1)Assessment, Authorization, and Monitoring
Independent Assessment

Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

LowModerateHigh
CA-7(2)Assessment, Authorization, and Monitoring
Types of Assessments

LowModerateHigh
CA-7(3)Assessment, Authorization, and Monitoring
Trend Analyses

Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modif

LowModerateHigh
CA-7(4)Assessment, Authorization, and Monitoring
Risk Monitoring

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: Effectiveness monitoring; Compliance monitoring; and Change monitoring.

LowModerateHigh
CA-7(5)Assessment, Authorization, and Monitoring
Consistency Analysis

Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [assignment].

LowModerateHigh
CA-7(6)Assessment, Authorization, and Monitoring
Automation Support for Monitoring

Ensure the accuracy, currency, and availability of monitoring results for the system using [assignment].

LowModerateHigh
CA-8Assessment, Authorization, and Monitoring
Penetration Testing

Conduct penetration testing [assignment] on [assignment].

ID
LowModerateHigh
CA-8(1)Assessment, Authorization, and Monitoring
Independent Penetration Testing Agent or Team

Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.

LowModerateHigh
CA-8(2)Assessment, Authorization, and Monitoring
Red Team Exercises

Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [assignment].

LowModerateHigh
CA-8(3)Assessment, Authorization, and Monitoring
Facility Penetration Testing

Employ a penetration testing process that includes [assignment] [assignment] attempts to bypass or circumvent controls associated with physical access points to the facility.

LowModerateHigh
CA-9Assessment, Authorization, and Monitoring
Internal System Connections

Authorize internal connections of [assignment] to the system; Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the informatio

ID
LowModerateHigh
CA-9(1)Assessment, Authorization, and Monitoring
Compliance Checks

Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.

LowModerateHigh
CM-1Configuration Management
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] configuration management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among orga

GVIDPR
LowModerateHigh
CM-2Configuration Management
Baseline Configuration

Develop, document, and maintain under configuration control, a current baseline configuration of the system; and Review and update the baseline configuration of the system: [assignment]; When required

PR
LowModerateHigh
CM-2(1)Configuration Management
Reviews and Updates

LowModerateHigh
CM-2(2)Configuration Management
Automation Support for Accuracy and Currency

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [assignment].

LowModerateHigh
CM-2(3)Configuration Management
Retention of Previous Configurations

Retain [assignment] of previous versions of baseline configurations of the system to support rollback.

LowModerateHigh
CM-2(4)Configuration Management
Unauthorized Software

LowModerateHigh
CM-2(5)Configuration Management
Authorized Software

LowModerateHigh
CM-2(6)Configuration Management
Development and Test Environments

Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.

LowModerateHigh
CM-2(7)Configuration Management
Configure Systems and Components for High-risk Areas

Issue [assignment] with [assignment] to individuals traveling to locations that the organization deems to be of significant risk; and Apply the following controls to the systems or components when the

LowModerateHigh
CM-3Configuration Management
Configuration Change Control

Determine and document the types of changes to the system that are configuration-controlled; Review proposed configuration-controlled changes to the system and approve or disapprove such changes with

DEIDPR
LowModerateHigh
CM-3(1)Configuration Management
Automated Documentation, Notification, and Prohibition of Changes

Use [assignment] to: Document proposed changes to the system; Notify [assignment] of proposed changes to the system and request change approval; Highlight proposed changes to the system that have not

LowModerateHigh
CM-3(2)Configuration Management
Testing, Validation, and Documentation of Changes

Test, validate, and document changes to the system before finalizing the implementation of the changes.

LowModerateHigh
CM-3(3)Configuration Management
Automated Change Implementation

Implement changes to the current system baseline and deploy the updated baseline across the installed base using [assignment].

LowModerateHigh
CM-3(4)Configuration Management
Security and Privacy Representatives

Require [assignment] to be members of the [assignment].

LowModerateHigh
CM-3(5)Configuration Management
Automated Security Response

Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [assignment].

LowModerateHigh
CM-3(6)Configuration Management
Cryptography Management

Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [assignment].

LowModerateHigh
CM-3(7)Configuration Management
Review System Changes

Review changes to the system [assignment] or when [assignment] to determine whether unauthorized changes have occurred.

LowModerateHigh
CM-3(8)Configuration Management
Prevent or Restrict Configuration Changes

Prevent or restrict changes to the configuration of the system under the following circumstances: [assignment].

LowModerateHigh
CM-4Configuration Management
Impact Analyses

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

IDPR
LowModerateHigh
CM-4(1)Configuration Management
Separate Test Environments

Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or

LowModerateHigh
CM-4(2)Configuration Management
Verification of Controls

After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements

LowModerateHigh
CM-5Configuration Management
Access Restrictions for Change

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

PR
LowModerateHigh
CM-5(1)Configuration Management
Automated Access Enforcement and Audit Records

Enforce access restrictions using [assignment] ; and Automatically generate audit records of the enforcement actions.

LowModerateHigh
CM-5(2)Configuration Management
Review System Changes

LowModerateHigh
CM-5(3)Configuration Management
Signed Components

LowModerateHigh
CM-5(4)Configuration Management
Dual Authorization

Enforce dual authorization for implementing changes to [assignment].

LowModerateHigh
CM-5(5)Configuration Management
Privilege Limitation for Production and Operation

Limit privileges to change system components and system-related information within a production or operational environment; and Review and reevaluate privileges [assignment].

LowModerateHigh
CM-5(6)Configuration Management
Limit Library Privileges

Limit privileges to change software resident within software libraries.

LowModerateHigh
CM-5(7)Configuration Management
Automatic Implementation of Security Safeguards

LowModerateHigh
CM-6Configuration Management
Configuration Settings

Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [assignment]; Implement th

DEPR
LowModerateHigh
CM-6(1)Configuration Management
Automated Management, Application, and Verification

Manage, apply, and verify configuration settings for [assignment] using [assignment].

LowModerateHigh
CM-6(2)Configuration Management
Respond to Unauthorized Changes

Take the following actions in response to unauthorized changes to [assignment]: [assignment].

LowModerateHigh
CM-6(3)Configuration Management
Unauthorized Change Detection

LowModerateHigh
CM-6(4)Configuration Management
Conformance Demonstration

LowModerateHigh
CM-7Configuration Management
Least Functionality

Configure the system to provide only [assignment] ; and Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [assignment].

PR
LowModerateHigh
CM-7(1)Configuration Management
Periodic Review

Review the system [assignment] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and Disable or remove [assignment].

LowModerateHigh
CM-7(2)Configuration Management
Prevent Program Execution

Prevent program execution in accordance with [assignment].

PR
LowModerateHigh
CM-7(3)Configuration Management
Registration Compliance

Ensure compliance with [assignment].

LowModerateHigh
CM-7(4)Configuration Management
Unauthorized Software — Deny-by-exception

Identify [assignment]; Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and Review and update the list of unauthorized software

PR
LowModerateHigh
CM-7(5)Configuration Management
Authorized Software — Allow-by-exception

Identify [assignment]; Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and Review and update the list of authorized software program

PR
LowModerateHigh
CM-7(6)Configuration Management
Confined Environments with Limited Privileges

Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [assignment].

LowModerateHigh
CM-7(7)Configuration Management
Code Execution in Protected Environments

Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [assignment] when such code is: Obtained from sources w

LowModerateHigh
CM-7(8)Configuration Management
Binary or Machine Executable Code

Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and Allow exceptions only for compelling mission or operational

LowModerateHigh
CM-7(9)Configuration Management
Prohibiting The Use of Unauthorized Hardware

Identify [assignment]; Prohibit the use or connection of unauthorized hardware components; Review and update the list of authorized hardware components [assignment].

PR
LowModerateHigh
CM-8Configuration Management
System Component Inventory

Develop and document an inventory of system components that: Accurately reflects the system; Includes all components within the system; Does not include duplicate accounting of components or component

IDPR
LowModerateHigh
CM-8(1)Configuration Management
Updates During Installation and Removal

Update the inventory of system components as part of component installations, removals, and system updates.

LowModerateHigh
CM-8(2)Configuration Management
Automated Maintenance

Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [assignment].

LowModerateHigh
CM-8(3)Configuration Management
Automated Unauthorized Component Detection

Detect the presence of unauthorized hardware, software, and firmware components within the system using [assignment] [assignment] ; and Take the following actions when unauthorized components are dete

LowModerateHigh
CM-8(4)Configuration Management
Accountability Information

Include in the system component inventory information, a means for identifying by [assignment] , individuals responsible and accountable for administering those components.

LowModerateHigh
CM-8(5)Configuration Management
No Duplicate Accounting of Components

LowModerateHigh
CM-8(6)Configuration Management
Assessed Configurations and Approved Deviations

Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.

LowModerateHigh
CM-8(7)Configuration Management
Centralized Repository

Provide a centralized repository for the inventory of system components.

LowModerateHigh
CM-8(8)Configuration Management
Automated Location Tracking

Support the tracking of system components by geographic location using [assignment].

LowModerateHigh
CM-8(9)Configuration Management
Assignment of Components to Systems

Assign system components to a system; and Receive an acknowledgement from [assignment] of this assignment.

LowModerateHigh
CM-9Configuration Management
Configuration Management Plan

Develop, document, and implement a configuration management plan for the system that: Addresses roles, responsibilities, and configuration management processes and procedures; Establishes a process fo

IDPR
LowModerateHigh
CM-9(1)Configuration Management
Assignment of Responsibility

Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.

LowModerateHigh
CM-10Configuration Management
Software Usage Restrictions

Use software and associated documentation in accordance with contract agreements and copyright laws; Track the use of software and associated documentation protected by quantity licenses to control co

DEPR
LowModerateHigh
CM-10(1)Configuration Management
Open-source Software

Establish the following restrictions on the use of open-source software: [assignment].

LowModerateHigh
CM-11Configuration Management
User-installed Software

Establish [assignment] governing the installation of software by users; Enforce software installation policies through the following methods: [assignment] ; and Monitor policy compliance [assignment].

DEPR
LowModerateHigh
CM-11(1)Configuration Management
Alerts for Unauthorized Installations

LowModerateHigh
CM-11(2)Configuration Management
Software Installation with Privileged Status

Allow user installation of software only with explicit privileged status.

LowModerateHigh
CM-11(3)Configuration Management
Automated Enforcement and Monitoring

Enforce and monitor compliance with software installation policies using [assignment].

LowModerateHigh
CM-12Configuration Management
Information Location

Identify and document the location of [assignment] and the specific system components on which the information is processed and stored; Identify and document the users who have access to the system an

ID
LowModerateHigh
CM-12(1)Configuration Management
Automated Tools to Support Information Location

Use automated tools to identify [assignment] on [assignment] to ensure controls are in place to protect organizational information and individual privacy.

LowModerateHigh
CM-13Configuration Management
Data Action Mapping

Develop and document a map of system data actions.

ID
LowModerateHigh
CM-14Configuration Management
Signed Components

Prevent the installation of [assignment] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

LowModerateHigh
CP-1Contingency Planning
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organiza

GVID
LowModerateHigh
CP-2Contingency Planning
Contingency Plan

Develop a contingency plan for the system that: Identifies essential mission and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and m

IDPRRC
LowModerateHigh
CP-2(1)Contingency Planning
Coordinate with Related Plans

Coordinate contingency plan development with organizational elements responsible for related plans.

LowModerateHigh
CP-2(2)Contingency Planning
Capacity Planning

Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

LowModerateHigh
CP-2(3)Contingency Planning
Resume Mission and Business Functions

Plan for the resumption of [assignment] mission and business functions within [assignment] of contingency plan activation.

LowModerateHigh
CP-2(4)Contingency Planning
Resume All Mission and Business Functions

LowModerateHigh
CP-2(5)Contingency Planning
Continue Mission and Business Functions

Plan for the continuance of [assignment] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processi

LowModerateHigh
CP-2(6)Contingency Planning
Alternate Processing and Storage Sites

Plan for the transfer of [assignment] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through

LowModerateHigh
CP-2(7)Contingency Planning
Coordinate with External Service Providers

Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

LowModerateHigh
CP-2(8)Contingency Planning
Identify Critical Assets

Identify critical system assets supporting [assignment] mission and business functions.

GV
LowModerateHigh
CP-3Contingency Planning
Contingency Training

Provide contingency training to system users consistent with assigned roles and responsibilities: Within [assignment] of assuming a contingency role or responsibility; When required by system changes;

LowModerateHigh
CP-3(1)Contingency Planning
Simulated Events

Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.

LowModerateHigh
CP-3(2)Contingency Planning
Mechanisms Used in Training Environments

Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.

LowModerateHigh
CP-4Contingency Planning
Contingency Plan Testing

Test the contingency plan for the system [assignment] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [assignment]. Review the contingency p

IDRC
LowModerateHigh
CP-4(1)Contingency Planning
Coordinate with Related Plans

Coordinate contingency plan testing with organizational elements responsible for related plans.

LowModerateHigh
CP-4(2)Contingency Planning
Alternate Processing Site

Test the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and To evaluate the capabilities of the alternate processing

LowModerateHigh
CP-4(3)Contingency Planning
Automated Testing

Test the contingency plan using [assignment].

LowModerateHigh
CP-4(4)Contingency Planning
Full Recovery and Reconstitution

Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.

LowModerateHigh
CP-4(5)Contingency Planning
Self-challenge

Employ [assignment] to [assignment] to disrupt and adversely affect the system or system component.

LowModerateHigh
CP-5Contingency Planning
Contingency Plan Update

LowModerateHigh
CP-6Contingency Planning
Alternate Storage Site

Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and Ensure that the alternate storage site provides controls equiv

PR
LowModerateHigh
CP-6(1)Contingency Planning
Separation from Primary Site

Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.

LowModerateHigh
CP-6(2)Contingency Planning
Recovery Time and Recovery Point Objectives

Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

LowModerateHigh
CP-6(3)Contingency Planning
Accessibility

Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.

LowModerateHigh
CP-7Contingency Planning
Alternate Processing Site

Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [assignment] for essential mission and business functions within [assignment] when the p

PR
LowModerateHigh
CP-7(1)Contingency Planning
Separation from Primary Site

Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.

LowModerateHigh
CP-7(2)Contingency Planning
Accessibility

Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

LowModerateHigh
CP-7(3)Contingency Planning
Priority of Service

Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).

LowModerateHigh
CP-7(4)Contingency Planning
Preparation for Use

Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.

LowModerateHigh
CP-7(5)Contingency Planning
Equivalent Information Security Safeguards

LowModerateHigh
CP-7(6)Contingency Planning
Inability to Return to Primary Site

Plan and prepare for circumstances that preclude returning to the primary processing site.

LowModerateHigh
CP-8Contingency Planning
Telecommunications Services

Establish alternate telecommunications services, including necessary agreements to permit the resumption of [assignment] for essential mission and business functions within [assignment] when the prima

PR
LowModerateHigh
CP-8(1)Contingency Planning
Priority of Service Provisions

Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and R

LowModerateHigh
CP-8(2)Contingency Planning
Single Points of Failure

Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

LowModerateHigh
CP-8(3)Contingency Planning
Separation of Primary and Alternate Providers

Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

LowModerateHigh
CP-8(4)Contingency Planning
Provider Contingency Plan

Require primary and alternate telecommunications service providers to have contingency plans; Review provider contingency plans to ensure that the plans meet organizational contingency requirements; a

LowModerateHigh
CP-8(5)Contingency Planning
Alternate Telecommunication Service Testing

Test alternate telecommunication services [assignment].

LowModerateHigh
CP-9Contingency Planning
System Backup

Conduct backups of user-level information contained in [assignment] [assignment]; Conduct backups of system-level information contained in the system [assignment]; Conduct backups of system documentat

PRRC
LowModerateHigh
CP-9(1)Contingency Planning
Testing for Reliability and Integrity

Test backup information [assignment] to verify media reliability and information integrity.

LowModerateHigh
CP-9(2)Contingency Planning
Test Restoration Using Sampling

Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.

LowModerateHigh
CP-9(3)Contingency Planning
Separate Storage for Critical Information

Store backup copies of [assignment] in a separate facility or in a fire rated container that is not collocated with the operational system.

LowModerateHigh
CP-9(4)Contingency Planning
Protection from Unauthorized Modification

LowModerateHigh
CP-9(5)Contingency Planning
Transfer to Alternate Storage Site

Transfer system backup information to the alternate storage site [assignment].

LowModerateHigh
CP-9(6)Contingency Planning
Redundant Secondary System

Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.

LowModerateHigh
CP-9(7)Contingency Planning
Dual Authorization for Deletion or Destruction

Enforce dual authorization for the deletion or destruction of [assignment].

LowModerateHigh
CP-9(8)Contingency Planning
Cryptographic Protection

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [assignment].

LowModerateHigh
CP-10Contingency Planning
System Recovery and Reconstitution

Provide for the recovery and reconstitution of the system to a known state within [assignment] after a disruption, compromise, or failure.

RC
LowModerateHigh
CP-10(1)Contingency Planning
Contingency Plan Testing

LowModerateHigh
CP-10(2)Contingency Planning
Transaction Recovery

Implement transaction recovery for systems that are transaction-based.

LowModerateHigh
CP-10(3)Contingency Planning
Compensating Security Controls

Addressed through tailoring.

LowModerateHigh
CP-10(4)Contingency Planning
Restore Within Time Period

Provide the capability to restore system components within [assignment] from configuration-controlled and integrity-protected information representing a known, operational state for the components.

LowModerateHigh
CP-10(5)Contingency Planning
Failover Capability

LowModerateHigh
CP-10(6)Contingency Planning
Component Protection

Protect system components used for recovery and reconstitution.

LowModerateHigh
CP-11Contingency Planning
Alternate Communications Protocols

Provide the capability to employ [assignment] in support of maintaining continuity of operations.

LowModerateHigh
CP-12Contingency Planning
Safe Mode

When [assignment] are detected, enter a safe mode of operation with [assignment].

LowModerateHigh
CP-13Contingency Planning
Alternative Security Mechanisms

Employ [assignment] for satisfying [assignment] when the primary means of implementing the security function is unavailable or compromised.

LowModerateHigh
IA-1Identification and Authentication
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] identification and authentication policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination a

GVIDPR
LowModerateHigh
IA-2Identification and Authentication
Identification and Authentication (Organizational Users)

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

PR
LowModerateHigh
IA-2(1)Identification and Authentication
Multi-factor Authentication to Privileged Accounts

Implement multi-factor authentication for access to privileged accounts.

LowModerateHigh
IA-2(2)Identification and Authentication
Multi-factor Authentication to Non-privileged Accounts

Implement multi-factor authentication for access to non-privileged accounts.

LowModerateHigh
IA-2(3)Identification and Authentication
Local Access to Privileged Accounts

LowModerateHigh
IA-2(4)Identification and Authentication
Local Access to Non-privileged Accounts

LowModerateHigh
IA-2(5)Identification and Authentication
Individual Authentication with Group Authentication

When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.

LowModerateHigh
IA-2(6)Identification and Authentication
Access to Accounts —separate Device

Implement multi-factor authentication for [assignment] access to [assignment] such that: One of the factors is provided by a device separate from the system gaining access; and The device meets [assig

LowModerateHigh
IA-2(7)Identification and Authentication
Network Access to Non-privileged Accounts — Separate Device

LowModerateHigh
IA-2(8)Identification and Authentication
Access to Accounts — Replay Resistant

Implement replay-resistant authentication mechanisms for access to [assignment].

LowModerateHigh
IA-2(9)Identification and Authentication
Network Access to Non-privileged Accounts — Replay Resistant

LowModerateHigh
IA-2(10)Identification and Authentication
Single Sign-on

Provide a single sign-on capability for [assignment].

LowModerateHigh
IA-2(11)Identification and Authentication
Remote Access — Separate Device

LowModerateHigh
IA-2(12)Identification and Authentication
Acceptance of PIV Credentials

Accept and electronically verify Personal Identity Verification-compliant credentials.

LowModerateHigh
IA-2(13)Identification and Authentication
Out-of-band Authentication

Implement the following out-of-band authentication mechanisms under [assignment]: [assignment].

LowModerateHigh
IA-3Identification and Authentication
Device Identification and Authentication

Uniquely identify and authenticate [assignment] before establishing a [assignment] connection.

PR
LowModerateHigh
IA-3(1)Identification and Authentication
Cryptographic Bidirectional Authentication

Authenticate [assignment] before establishing [assignment] connection using bidirectional authentication that is cryptographically based.

LowModerateHigh
IA-3(2)Identification and Authentication
Cryptographic Bidirectional Network Authentication

LowModerateHigh
IA-3(3)Identification and Authentication
Dynamic Address Allocation

Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [assignment] ; and Audit lease informa

LowModerateHigh
IA-3(4)Identification and Authentication
Device Attestation

Handle device identification and authentication based on attestation by [assignment].

LowModerateHigh
IA-4Identification and Authentication
Identifier Management

Manage system identifiers by: Receiving authorization from [assignment] to assign an individual, group, role, service, or device identifier; Selecting an identifier that identifies an individual, grou

PR
LowModerateHigh
IA-4(1)Identification and Authentication
Prohibit Account Identifiers as Public Identifiers

Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.

LowModerateHigh
IA-4(2)Identification and Authentication
Supervisor Authorization

LowModerateHigh
IA-4(3)Identification and Authentication
Multiple Forms of Certification

LowModerateHigh
IA-4(4)Identification and Authentication
Identify User Status

Manage individual identifiers by uniquely identifying each individual as [assignment].

LowModerateHigh
IA-4(5)Identification and Authentication
Dynamic Management

Manage individual identifiers dynamically in accordance with [assignment].

LowModerateHigh
IA-4(6)Identification and Authentication
Cross-organization Management

Coordinate with the following external organizations for cross-organization management of identifiers: [assignment].

LowModerateHigh
IA-4(7)Identification and Authentication
In-person Registration

LowModerateHigh
IA-4(8)Identification and Authentication
Pairwise Pseudonymous Identifiers

Generate pairwise pseudonymous identifiers.

LowModerateHigh
IA-4(9)Identification and Authentication
Attribute Maintenance and Protection

Maintain the attributes for each uniquely identified individual, device, or service in [assignment].

LowModerateHigh
IA-5Identification and Authentication
Authenticator Management

Manage system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; Establishing

PR
LowModerateHigh
IA-5(1)Identification and Authentication
Password-based Authentication

For password-based authentication: Maintain a list of commonly-used, expected, or compromised passwords and update the list [assignment] and when organizational passwords are suspected to have been co

LowModerateHigh
IA-5(2)Identification and Authentication
Public Key-based Authentication

For public key-based authentication: Enforce authorized access to the corresponding private key; and Map the authenticated identity to the account of the individual or group; and When public key infra

LowModerateHigh
IA-5(3)Identification and Authentication
In-person or Trusted External Party Registration

LowModerateHigh
IA-5(4)Identification and Authentication
Automated Support for Password Strength Determination

LowModerateHigh
IA-5(5)Identification and Authentication
Change Authenticators Prior to Delivery

Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.

LowModerateHigh
IA-5(6)Identification and Authentication
Protection of Authenticators

Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.

LowModerateHigh
IA-5(7)Identification and Authentication
No Embedded Unencrypted Static Authenticators

Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.

LowModerateHigh
IA-5(8)Identification and Authentication
Multiple System Accounts

Implement [assignment] to manage the risk of compromise due to individuals having accounts on multiple systems.

LowModerateHigh
IA-5(9)Identification and Authentication
Federated Credential Management

Use the following external organizations to federate credentials: [assignment].

LowModerateHigh
IA-5(10)Identification and Authentication
Dynamic Credential Binding

Bind identities and authenticators dynamically using the following rules: [assignment].

LowModerateHigh
IA-5(11)Identification and Authentication
Hardware Token-based Authentication

LowModerateHigh
IA-5(12)Identification and Authentication
Biometric Authentication Performance

For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements [assignment].

LowModerateHigh
IA-5(13)Identification and Authentication
Expiration of Cached Authenticators

Prohibit the use of cached authenticators after [assignment].

LowModerateHigh
IA-5(14)Identification and Authentication
Managing Content of PKI Trust Stores

For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and

LowModerateHigh
IA-5(15)Identification and Authentication
GSA-approved Products and Services

Use only General Services Administration-approved products and services for identity, credential, and access management.

LowModerateHigh
IA-5(16)Identification and Authentication
In-person or Trusted External Party Authenticator Issuance

Require that the issuance of [assignment] be conducted [assignment] before [assignment] with authorization by [assignment].

LowModerateHigh
IA-5(17)Identification and Authentication
Presentation Attack Detection for Biometric Authenticators

Employ presentation attack detection mechanisms for biometric-based authentication.

LowModerateHigh
IA-5(18)Identification and Authentication
Password Managers

Employ [assignment] to generate and manage passwords; and Protect the passwords using [assignment].

LowModerateHigh
IA-6Identification and Authentication
Authentication Feedback

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

PR
LowModerateHigh
IA-7Identification and Authentication
Cryptographic Module Authentication

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such

PR
LowModerateHigh
IA-8Identification and Authentication
Identification and Authentication (Non-organizational Users)

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

PR
LowModerateHigh
IA-8(1)Identification and Authentication
Acceptance of PIV Credentials from Other Agencies

Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.

LowModerateHigh
IA-8(2)Identification and Authentication
Acceptance of External Authenticators

Accept only external authenticators that are NIST-compliant; and Document and maintain a list of accepted external authenticators.

LowModerateHigh
IA-8(3)Identification and Authentication
Use of FICAM-approved Products

LowModerateHigh
IA-8(4)Identification and Authentication
Use of Defined Profiles

Conform to the following profiles for identity management [assignment].

LowModerateHigh
IA-8(5)Identification and Authentication
Acceptance of PIV-I Credentials

Accept and verify federated or PKI credentials that meet [assignment].

LowModerateHigh
IA-8(6)Identification and Authentication
Disassociability

Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [assignment].

LowModerateHigh
IA-9Identification and Authentication
Service Identification and Authentication

Uniquely identify and authenticate [assignment] before establishing communications with devices, users, or other services or applications.

PR
LowModerateHigh
IA-9(1)Identification and Authentication
Information Exchange

LowModerateHigh
IA-9(2)Identification and Authentication
Transmission of Decisions

LowModerateHigh
IA-10Identification and Authentication
Adaptive Authentication

Require individuals accessing the system to employ [assignment] under specific [assignment].

PR
LowModerateHigh
IA-11Identification and Authentication
Re-authentication

Require users to re-authenticate when [assignment].

PR
LowModerateHigh
IA-12Identification and Authentication
Identity Proofing

Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; Resolve user id

PR
LowModerateHigh
IA-12(1)Identification and Authentication
Supervisor Authorization

Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.

LowModerateHigh
IA-12(2)Identification and Authentication
Identity Evidence

Require evidence of individual identification be presented to the registration authority.

LowModerateHigh
IA-12(3)Identification and Authentication
Identity Evidence Validation and Verification

Require that the presented identity evidence be validated and verified through [assignment].

LowModerateHigh
IA-12(4)Identification and Authentication
In-person Validation and Verification

Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.

LowModerateHigh
IA-12(5)Identification and Authentication
Address Confirmation

Require that a [assignment] be delivered through an out-of-band channel to verify the users address (physical or digital) of record.

LowModerateHigh
IA-12(6)Identification and Authentication
Accept Externally-proofed Identities

Accept externally-proofed identities at [assignment].

LowModerateHigh
IA-13Identification and Authentication
Identity Providers and Authorization Servers

Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions

PR
LowModerateHigh
IA-13(1)Identification and Authentication
Protection of Cryptographic Keys

Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse.

LowModerateHigh
IA-13(2)Identification and Authentication
Verification of Identity Assertions and Access Tokens

The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources.

LowModerateHigh
IA-13(3)Identification and Authentication
Token Management

In accordance with [assignment], assertions and access tokens are: generated; issued; refreshed; revoked; time-restricted; and audience-restricted.

LowModerateHigh
IR-1Incident Response
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] incident response policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizatio

GVIDRC
LowModerateHigh
IR-2Incident Response
Incident Response Training

Provide incident response training to system users consistent with assigned roles and responsibilities: Within [assignment] of assuming an incident response role or responsibility or acquiring system

LowModerateHigh
IR-2(1)Incident Response
Simulated Events

Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.

LowModerateHigh
IR-2(2)Incident Response
Automated Training Environments

Provide an incident response training environment using [assignment].

LowModerateHigh
IR-2(3)Incident Response
Breach

Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.

LowModerateHigh
IR-3Incident Response
Incident Response Testing

Test the effectiveness of the incident response capability for the system [assignment] using the following tests: [assignment].

ID
LowModerateHigh
IR-3(1)Incident Response
Automated Testing

Test the incident response capability using [assignment].

LowModerateHigh
IR-3(2)Incident Response
Coordination with Related Plans

Coordinate incident response testing with organizational elements responsible for related plans.

LowModerateHigh
IR-3(3)Incident Response
Continuous Improvement

Use qualitative and quantitative data from testing to: Determine the effectiveness of incident response processes; Continuously improve incident response processes; and Provide incident response measu

LowModerateHigh
IR-4Incident Response
Incident Handling

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; Coo

DEIDRCRS
LowModerateHigh
IR-4(1)Incident Response
Automated Incident Handling Processes

Support the incident handling process using [assignment].

LowModerateHigh
IR-4(2)Incident Response
Dynamic Reconfiguration

Include the following types of dynamic reconfiguration for [assignment] as part of the incident response capability: [assignment].

LowModerateHigh
IR-4(3)Incident Response
Continuity of Operations

Identify [assignment] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [assignment].

LowModerateHigh
IR-4(4)Incident Response
Information Correlation

Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

LowModerateHigh
IR-4(5)Incident Response
Automatic Disabling of System

Implement a configurable capability to automatically disable the system if [assignment] are detected.

LowModerateHigh
IR-4(6)Incident Response
Insider Threats

Implement an incident handling capability for incidents involving insider threats.

LowModerateHigh
IR-4(7)Incident Response
Insider Threats — Intra-organization Coordination

Coordinate an incident handling capability for insider threats that includes the following organizational entities [assignment].

LowModerateHigh
IR-4(8)Incident Response
Correlation with External Organizations

Coordinate with [assignment] to correlate and share [assignment] to achieve a cross-organization perspective on incident awareness and more effective incident responses.

LowModerateHigh
IR-4(9)Incident Response
Dynamic Response Capability

Employ [assignment] to respond to incidents.

LowModerateHigh
IR-4(10)Incident Response
Supply Chain Coordination

Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.

LowModerateHigh
IR-4(11)Incident Response
Integrated Incident Response Team

Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [assignment].

LowModerateHigh
IR-4(12)Incident Response
Malicious Code and Forensic Analysis

Analyze malicious code and/or other residual artifacts remaining in the system after the incident.

LowModerateHigh
IR-4(13)Incident Response
Behavior Analysis

Analyze anomalous or suspected adversarial behavior in or related to [assignment].

LowModerateHigh
IR-4(14)Incident Response
Security Operations Center

Establish and maintain a security operations center.

LowModerateHigh
IR-4(15)Incident Response
Public Relations and Reputation Repair

Manage public relations associated with an incident; and Employ measures to repair the reputation of the organization.

LowModerateHigh
IR-5Incident Response
Incident Monitoring

Track and document incidents.

DERS
LowModerateHigh
IR-5(1)Incident Response
Automated Tracking, Data Collection, and Analysis

Track incidents and collect and analyze incident information using [assignment].

LowModerateHigh
IR-6Incident Response
Incident Reporting

Require personnel to report suspected incidents to the organizational incident response capability within [assignment] ; and Report incident information to [assignment].

RCRS
LowModerateHigh
IR-6(1)Incident Response
Automated Reporting

Report incidents using [assignment].

LowModerateHigh
IR-6(2)Incident Response
Vulnerabilities Related to Incidents

Report system vulnerabilities associated with reported incidents to [assignment].

LowModerateHigh
IR-6(3)Incident Response
Supply Chain Coordination

Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the i

LowModerateHigh
IR-7Incident Response
Incident Response Assistance

Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of i

RS
LowModerateHigh
IR-7(1)Incident Response
Automation Support for Availability of Information and Support

Increase the availability of incident response information and support using [assignment].

LowModerateHigh
IR-7(2)Incident Response
Coordination with External Providers

Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and Identify organizational incident response team members

LowModerateHigh
IR-8Incident Response
Incident Response Plan

Develop an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response ca

DEIDRCRS
LowModerateHigh
IR-8(1)Incident Response
Breaches

Include the following in the Incident Response Plan for breaches involving personally identifiable information: A process to determine if notice to individuals or other organizations, including oversi

LowModerateHigh
IR-9Incident Response
Information Spillage Response

Respond to information spills by: Assigning [assignment] with responsibility for responding to information spills; Identifying the specific information involved in the system contamination; Alerting [

LowModerateHigh
IR-9(1)Incident Response
Responsible Personnel

LowModerateHigh
IR-9(2)Incident Response
Training

Provide information spillage response training [assignment].

LowModerateHigh
IR-9(3)Incident Response
Post-spill Operations

Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective

LowModerateHigh
IR-9(4)Incident Response
Exposure to Unauthorized Personnel

Employ the following controls for personnel exposed to information not within assigned access authorizations: [assignment].

LowModerateHigh
IR-10Incident Response
Integrated Information Security Analysis Team

LowModerateHigh
MA-1Maintenance
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] maintenance policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational en

GVID
LowModerateHigh
MA-2Maintenance
Controlled Maintenance

Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; Approve

ID
LowModerateHigh
MA-2(1)Maintenance
Record Content

LowModerateHigh
MA-2(2)Maintenance
Automated Maintenance Activities

Schedule, conduct, and document maintenance, repair, and replacement actions for the system using [assignment] ; and Produce up-to date, accurate, and complete records of all maintenance, repair, and

LowModerateHigh
MA-3Maintenance
Maintenance Tools

Approve, control, and monitor the use of system maintenance tools; and Review previously approved system maintenance tools [assignment].

LowModerateHigh
MA-3(1)Maintenance
Inspect Tools

Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

LowModerateHigh
MA-3(2)Maintenance
Inspect Media

Check media containing diagnostic and test programs for malicious code before the media are used in the system.

LowModerateHigh
MA-3(3)Maintenance
Prevent Unauthorized Removal

Prevent the removal of maintenance equipment containing organizational information by: Verifying that there is no organizational information contained on the equipment; Sanitizing or destroying the eq

LowModerateHigh
MA-3(4)Maintenance
Restricted Tool Use

Restrict the use of maintenance tools to authorized personnel only.

LowModerateHigh
MA-3(5)Maintenance
Execution with Privilege

Monitor the use of maintenance tools that execute with increased privilege.

LowModerateHigh
MA-3(6)Maintenance
Software Updates and Patches

Inspect maintenance tools to ensure the latest software updates and patches are installed.

PR
LowModerateHigh
MA-4Maintenance
Nonlocal Maintenance

Approve and monitor nonlocal maintenance and diagnostic activities; Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the secur

LowModerateHigh
MA-4(1)Maintenance
Logging and Review

Log [assignment] for nonlocal maintenance and diagnostic sessions; and Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.

LowModerateHigh
MA-4(2)Maintenance
Document Nonlocal Maintenance

LowModerateHigh
MA-4(3)Maintenance
Comparable Security and Sanitization

Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or Rem

LowModerateHigh
MA-4(4)Maintenance
Authentication and Separation of Maintenance Sessions

Protect nonlocal maintenance sessions by: Employing [assignment] ; and Separating the maintenance sessions from other network sessions with the system by either: Physically separated communications pa

LowModerateHigh
MA-4(5)Maintenance
Approvals and Notifications

Require the approval of each nonlocal maintenance session by [assignment] ; and Notify the following personnel or roles of the date and time of planned nonlocal maintenance: [assignment].

LowModerateHigh
MA-4(6)Maintenance
Cryptographic Protection

Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: [assignment].

LowModerateHigh
MA-4(7)Maintenance
Disconnect Verification

Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions.

LowModerateHigh
MA-5Maintenance
Maintenance Personnel

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; Verify that non-escorted personnel performing maintenance on the s

LowModerateHigh
MA-5(1)Maintenance
Individuals Without Appropriate Access

Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: Maintenance personnel who do not

LowModerateHigh
MA-5(2)Maintenance
Security Clearances for Classified Systems

Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals f

LowModerateHigh
MA-5(3)Maintenance
Citizenship Requirements for Classified Systems

Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.

LowModerateHigh
MA-5(4)Maintenance
Foreign Nationals

Ensure that: Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated

LowModerateHigh
MA-5(5)Maintenance
Non-system Maintenance

Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.

LowModerateHigh
MA-6Maintenance
Timely Maintenance

Obtain maintenance support and/or spare parts for [assignment] within [assignment] of failure.

ID
LowModerateHigh
MA-6(1)Maintenance
Preventive Maintenance

Perform preventive maintenance on [assignment] at [assignment].

LowModerateHigh
MA-6(2)Maintenance
Predictive Maintenance

Perform predictive maintenance on [assignment] at [assignment].

LowModerateHigh
MA-6(3)Maintenance
Automated Support for Predictive Maintenance

Transfer predictive maintenance data to a maintenance management system using [assignment].

LowModerateHigh
MA-7Maintenance
Field Maintenance

Restrict or prohibit field maintenance on [assignment] to [assignment].

LowModerateHigh
MP-1Media Protection
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] media protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organization

GVID
LowModerateHigh
MP-2Media Protection
Media Access

Restrict access to [assignment] to [assignment].

LowModerateHigh
MP-2(1)Media Protection
Automated Restricted Access

LowModerateHigh
MP-2(2)Media Protection
Cryptographic Protection

LowModerateHigh
MP-3Media Protection
Media Marking

Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and Exempt [assignment] from marking if the media remain with

LowModerateHigh
MP-4Media Protection
Media Storage

Physically control and securely store [assignment] within [assignment] ; and Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques

LowModerateHigh
MP-4(1)Media Protection
Cryptographic Protection

LowModerateHigh
MP-4(2)Media Protection
Automated Restricted Access

Restrict access to media storage areas and log access attempts and access granted using [assignment].

LowModerateHigh
MP-5Media Protection
Media Transport

Protect and control [assignment] during transport outside of controlled areas using [assignment]; Maintain accountability for system media during transport outside of controlled areas; Document activi

LowModerateHigh
MP-5(1)Media Protection
Protection Outside of Controlled Areas

LowModerateHigh
MP-5(2)Media Protection
Documentation of Activities

LowModerateHigh
MP-5(3)Media Protection
Custodians

Employ an identified custodian during transport of system media outside of controlled areas.

LowModerateHigh
MP-5(4)Media Protection
Cryptographic Protection

LowModerateHigh
MP-6Media Protection
Media Sanitization

Sanitize [assignment] prior to disposal, release out of organizational control, or release for reuse using [assignment] ; and Employ sanitization mechanisms with the strength and integrity commensurat

LowModerateHigh
MP-6(1)Media Protection
Review, Approve, Track, Document, and Verify

Review, approve, track, document, and verify media sanitization and disposal actions.

LowModerateHigh
MP-6(2)Media Protection
Equipment Testing

Test sanitization equipment and procedures [assignment] to ensure that the intended sanitization is being achieved.

LowModerateHigh
MP-6(3)Media Protection
Nondestructive Techniques

Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: [assignment].

LowModerateHigh
MP-6(4)Media Protection
Controlled Unclassified Information

LowModerateHigh
MP-6(5)Media Protection
Classified Information

LowModerateHigh
MP-6(6)Media Protection
Media Destruction

LowModerateHigh
MP-6(7)Media Protection
Dual Authorization

Enforce dual authorization for the sanitization of [assignment].

LowModerateHigh
MP-6(8)Media Protection
Remote Purging or Wiping of Information

Provide the capability to purge or wipe information from [assignment] [assignment].

LowModerateHigh
MP-7Media Protection
Media Use

[assignment] the use of [assignment] on [assignment] using [assignment] ; and Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

LowModerateHigh
MP-7(1)Media Protection
Prohibit Use Without Owner

LowModerateHigh
MP-7(2)Media Protection
Prohibit Use of Sanitization-resistant Media

Prohibit the use of sanitization-resistant media in organizational systems.

LowModerateHigh
MP-8Media Protection
Media Downgrading

Establish [assignment] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information; Verify that the system m

PR
LowModerateHigh
MP-8(1)Media Protection
Documentation of Process

Document system media downgrading actions.

LowModerateHigh
MP-8(2)Media Protection
Equipment Testing

Test downgrading equipment and procedures [assignment] to ensure that downgrading actions are being achieved.

LowModerateHigh
MP-8(3)Media Protection
Controlled Unclassified Information

Downgrade system media containing controlled unclassified information prior to public release.

LowModerateHigh
MP-8(4)Media Protection
Classified Information

Downgrade system media containing classified information prior to release to individuals without required access authorizations.

LowModerateHigh
PE-1Physical and Environmental Protection
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] physical and environmental protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordinati

GVID
LowModerateHigh
PE-2Physical and Environmental Protection
Physical Access Authorizations

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; Issue authorization credentials for facility access; Review the access list detail

PR
LowModerateHigh
PE-2(1)Physical and Environmental Protection
Access by Position or Role

Authorize physical access to the facility where the system resides based on position or role.

LowModerateHigh
PE-2(2)Physical and Environmental Protection
Two Forms of Identification

Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: [assignment].

LowModerateHigh
PE-2(3)Physical and Environmental Protection
Restrict Unescorted Access

Restrict unescorted access to the facility where the system resides to personnel with [assignment].

LowModerateHigh
PE-3Physical and Environmental Protection
Physical Access Control

Enforce physical access authorizations at [assignment] by: Verifying individual access authorizations before granting access to the facility; and Controlling ingress and egress to the facility using [

DEPR
LowModerateHigh
PE-3(1)Physical and Environmental Protection
System Access

Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [assignment].

LowModerateHigh
PE-3(2)Physical and Environmental Protection
Facility and Systems

Perform security checks [assignment] at the physical perimeter of the facility or system for exfiltration of information or removal of system components.

LowModerateHigh
PE-3(3)Physical and Environmental Protection
Continuous Guards

Employ guards to control [assignment] to the facility where the system resides 24 hours per day, 7 days per week.

LowModerateHigh
PE-3(4)Physical and Environmental Protection
Lockable Casings

Use lockable physical casings to protect [assignment] from unauthorized physical access.

LowModerateHigh
PE-3(5)Physical and Environmental Protection
Tamper Protection

Employ [assignment] to [assignment] physical tampering or alteration of [assignment] within the system.

LowModerateHigh
PE-3(6)Physical and Environmental Protection
Facility Penetration Testing

LowModerateHigh
PE-3(7)Physical and Environmental Protection
Physical Barriers

Limit access using physical barriers.

LowModerateHigh
PE-3(8)Physical and Environmental Protection
Access Control Vestibules

Employ access control vestibules at [assignment].

LowModerateHigh
PE-4Physical and Environmental Protection
Access Control for Transmission

Control physical access to [assignment] within organizational facilities using [assignment].

PR
LowModerateHigh
PE-5Physical and Environmental Protection
Access Control for Output Devices

Control physical access to output from [assignment] to prevent unauthorized individuals from obtaining the output.

PR
LowModerateHigh
PE-5(1)Physical and Environmental Protection
Access to Output by Authorized Individuals

LowModerateHigh
PE-5(2)Physical and Environmental Protection
Link to Individual Identity

Link individual identity to receipt of output from output devices.

LowModerateHigh
PE-5(3)Physical and Environmental Protection
Marking Output Devices

LowModerateHigh
PE-6Physical and Environmental Protection
Monitoring Physical Access

Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; Review physical access logs [assignment] and upon occurrence of [assignment] ; an

DEPR
LowModerateHigh
PE-6(1)Physical and Environmental Protection
Intrusion Alarms and Surveillance Equipment

Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.

LowModerateHigh
PE-6(2)Physical and Environmental Protection
Automated Intrusion Recognition and Responses

Recognize [assignment] and initiate [assignment] using [assignment].

LowModerateHigh
PE-6(3)Physical and Environmental Protection
Video Surveillance

Employ video surveillance of [assignment]; Review video recordings [assignment] ; and Retain video recordings for [assignment].

LowModerateHigh
PE-6(4)Physical and Environmental Protection
Monitoring Physical Access to Systems

Monitor physical access to the system in addition to the physical access monitoring of the facility at [assignment].

LowModerateHigh
PE-7Physical and Environmental Protection
Visitor Control

LowModerateHigh
PE-8Physical and Environmental Protection
Visitor Access Records

Maintain visitor access records to the facility where the system resides for [assignment]; Review visitor access records [assignment] ; and Report anomalies in visitor access records to [assignment].

PR
LowModerateHigh
PE-8(1)Physical and Environmental Protection
Automated Records Maintenance and Review

Maintain and review visitor access records using [assignment].

LowModerateHigh
PE-8(2)Physical and Environmental Protection
Physical Access Records

LowModerateHigh
PE-8(3)Physical and Environmental Protection
Limit Personally Identifiable Information Elements

Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: [assignment].

LowModerateHigh
PE-9Physical and Environmental Protection
Power Equipment and Cabling

Protect power equipment and power cabling for the system from damage and destruction.

PR
LowModerateHigh
PE-9(1)Physical and Environmental Protection
Redundant Cabling

Employ redundant power cabling paths that are physically separated by [assignment].

LowModerateHigh
PE-9(2)Physical and Environmental Protection
Automatic Voltage Controls

Employ automatic voltage controls for [assignment].

LowModerateHigh
PE-10Physical and Environmental Protection
Emergency Shutoff

Provide the capability of shutting off power to [assignment] in emergency situations; Place emergency shutoff switches or devices in [assignment] to facilitate access for authorized personnel; and Pro

PR
LowModerateHigh
PE-10(1)Physical and Environmental Protection
Accidental and Unauthorized Activation

LowModerateHigh
PE-11Physical and Environmental Protection
Emergency Power

Provide an uninterruptible power supply to facilitate [assignment] in the event of a primary power source loss.

PR
LowModerateHigh
PE-11(1)Physical and Environmental Protection
Alternate Power Supply — Minimal Operational Capability

Provide an alternate power supply for the system that is activated [assignment] and that can maintain minimally required operational capability in the event of an extended loss of the primary power so

LowModerateHigh
PE-11(2)Physical and Environmental Protection
Alternate Power Supply — Self-contained

Provide an alternate power supply for the system that is activated [assignment] and that is: Self-contained; Not reliant on external power generation; and Capable of maintaining [assignment] in the ev

LowModerateHigh
PE-12Physical and Environmental Protection
Emergency Lighting

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

PR
LowModerateHigh
PE-12(1)Physical and Environmental Protection
Essential Mission and Business Functions

Provide emergency lighting for all areas within the facility supporting essential mission and business functions.

LowModerateHigh
PE-13Physical and Environmental Protection
Fire Protection

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

PR
LowModerateHigh
PE-13(1)Physical and Environmental Protection
Detection Systems — Automatic Activation and Notification

Employ fire detection systems that activate automatically and notify [assignment] and [assignment] in the event of a fire.

LowModerateHigh
PE-13(2)Physical and Environmental Protection
Suppression Systems — Automatic Activation and Notification

Employ fire suppression systems that activate automatically and notify [assignment] and [assignment] ; and Employ an automatic fire suppression capability when the facility is not staffed on a continu

LowModerateHigh
PE-13(3)Physical and Environmental Protection
Automatic Fire Suppression

LowModerateHigh
PE-13(4)Physical and Environmental Protection
Inspections

Ensure that the facility undergoes [assignment] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within [assignment].

LowModerateHigh
PE-14Physical and Environmental Protection
Environmental Controls

Maintain [assignment] levels within the facility where the system resides at [assignment] ; and Monitor environmental control levels [assignment].

PR
LowModerateHigh
PE-14(1)Physical and Environmental Protection
Automatic Controls

Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: [assignment].

LowModerateHigh
PE-14(2)Physical and Environmental Protection
Monitoring with Alarms and Notifications

Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [assignment].

LowModerateHigh
PE-15Physical and Environmental Protection
Water Damage Protection

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

PR
LowModerateHigh
PE-15(1)Physical and Environmental Protection
Automation Support

Detect the presence of water near the system and alert [assignment] using [assignment].

LowModerateHigh
PE-16Physical and Environmental Protection
Delivery and Removal

Authorize and control [assignment] entering and exiting the facility; and Maintain records of the system components.

LowModerateHigh
PE-17Physical and Environmental Protection
Alternate Work Site

Determine and document the [assignment] allowed for use by employees; Employ the following controls at alternate work sites: [assignment]; Assess the effectiveness of controls at alternate work sites;

LowModerateHigh
PE-18Physical and Environmental Protection
Location of System Components

Position system components within the facility to minimize potential damage from [assignment] and to minimize the opportunity for unauthorized access.

PR
LowModerateHigh
PE-18(1)Physical and Environmental Protection
Facility Site

LowModerateHigh
PE-19Physical and Environmental Protection
Information Leakage

Protect the system from information leakage due to electromagnetic signals emanations.

PR
LowModerateHigh
PE-19(1)Physical and Environmental Protection
National Emissions Policies and Procedures

Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the i

LowModerateHigh
PE-20Physical and Environmental Protection
Asset Monitoring and Tracking

Employ [assignment] to track and monitor the location and movement of [assignment] within [assignment].

DEPR
LowModerateHigh
PE-21Physical and Environmental Protection
Electromagnetic Pulse Protection

Employ [assignment] against electromagnetic pulse damage for [assignment].

LowModerateHigh
PE-22Physical and Environmental Protection
Component Marking

Mark [assignment] indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.

LowModerateHigh
PE-23Physical and Environmental Protection
Facility Location

Plan the location or site of the facility where the system resides considering physical and environmental hazards; and For existing facilities, consider the physical and environmental hazards in the o

PR
LowModerateHigh
PL-1Planning
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entit

GVID
LowModerateHigh
PL-2Planning
System Security and Privacy Plans

Develop security and privacy plans for the system that: Are consistent with the organization’s enterprise architecture; Explicitly define the constituent system components; Describe the operational co

ID
LowModerateHigh
PL-2(1)Planning
Concept of Operations

LowModerateHigh
PL-2(2)Planning
Functional Architecture

LowModerateHigh
PL-2(3)Planning
Plan and Coordinate with Other Organizational Entities

LowModerateHigh
PL-3Planning
System Security Plan Update

LowModerateHigh
PL-4Planning
Rules of Behavior

Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; Recei

LowModerateHigh
PL-4(1)Planning
Social Media and External Site/Application Usage Restrictions

Include in the rules of behavior, restrictions on: Use of social media, social networking sites, and external sites/applications; Posting organizational information on public websites; and Use of orga

LowModerateHigh
PL-5Planning
Privacy Impact Assessment

LowModerateHigh
PL-6Planning
Security-related Activity Planning

LowModerateHigh
PL-7Planning
Concept of Operations

Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and Review and update th

LowModerateHigh
PL-8Planning
Security and Privacy Architectures

Develop security and privacy architectures for the system that: Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational inf

ID
LowModerateHigh
PL-8(1)Planning
Defense in Depth

Design the security and privacy architectures for the system using a defense-in-depth approach that: Allocates [assignment] to [assignment] ; and Ensures that the allocated controls operate in a coord

LowModerateHigh
PL-8(2)Planning
Supplier Diversity

Require that [assignment] allocated to [assignment] are obtained from different suppliers.

LowModerateHigh
PL-9Planning
Central Management

Centrally manage [assignment].

LowModerateHigh
PL-10Planning
Baseline Selection

Select a control baseline for the system.

LowModerateHigh
PL-11Planning
Baseline Tailoring

Tailor the selected control baseline by applying specified tailoring actions.

LowModerateHigh
PM-1Program Management
Information Security Program Plan

Develop and disseminate an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program managem

GVID
LowModerateHigh
PM-2Program Management
Information Security Program Leadership Role

Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

GV
LowModerateHigh
PM-3Program Management
Information Security and Privacy Resources

Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; Prepare documentati

GVPR
LowModerateHigh
PM-4Program Management
Plan of Action and Milestones Process

Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: Are developed

GVID
LowModerateHigh
PM-5Program Management
System Inventory

Develop and update [assignment] an inventory of organizational systems.

ID
LowModerateHigh
PM-5(1)Program Management
Inventory of Personally Identifiable Information

Establish, maintain, and update [assignment] an inventory of all systems, applications, and projects that process personally identifiable information.

LowModerateHigh
PM-6Program Management
Measures of Performance

Develop, monitor, and report on the results of information security and privacy measures of performance.

GV
LowModerateHigh
PM-7Program Management
Enterprise Architecture

Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations,

ID
LowModerateHigh
PM-7(1)Program Management
Offloading

Offload [assignment] to other systems, system components, or an external provider.

LowModerateHigh
PM-8Program Management
Critical Infrastructure Plan

Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

GVRC
LowModerateHigh
PM-9Program Management
Risk Management Strategy

Develops a comprehensive strategy to manage: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizati

DEGVIDPRRC
LowModerateHigh
PM-10Program Management
Authorization Process

Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; Designate individuals to fulfill specific roles and

LowModerateHigh
PM-11Program Management
Mission and Business Process Definition

Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, ot

DEGVIDRC
LowModerateHigh
PM-12Program Management
Insider Threat Program

Implement an insider threat program that includes a cross-discipline insider threat incident handling team.

ID
LowModerateHigh
PM-13Program Management
Security and Privacy Workforce

Establish a security and privacy workforce development and improvement program.

GV
LowModerateHigh
PM-14Program Management
Testing, Training, and Monitoring

Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: Are developed and ma

LowModerateHigh
PM-15Program Management
Security and Privacy Groups and Associations

Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To facilitate ongoing security and privacy education and training for organiza

DEID
LowModerateHigh
PM-16Program Management
Threat Awareness Program

Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.

DEID
LowModerateHigh
PM-16(1)Program Management
Automated Means for Sharing Threat Intelligence

Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.

LowModerateHigh
PM-17Program Management
Protecting Controlled Unclassified Information on External Systems

Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in a

LowModerateHigh
PM-18Program Management
Privacy Program Plan

Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: Includes a description of the structure of the privacy program and the

DEGVID
LowModerateHigh
PM-19Program Management
Privacy Program Leadership Role

Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks

GV
LowModerateHigh
PM-20Program Management
Dissemination of Privacy Program Information

Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that: Ensures that the pu

LowModerateHigh
PM-20(1)Program Management
Privacy Policies on Websites, Applications, and Digital Services

Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: Are written in plain language and organized in a way that is easy to understan

LowModerateHigh
PM-21Program Management
Accounting of Disclosures

Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: Date, nature, and purpose of each disclosure; and Name and address, or other contact infor

LowModerateHigh
PM-22Program Management
Personally Identifiable Information Quality Management

Develop and document organization-wide policies and procedures for: Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information li

ID
LowModerateHigh
PM-23Program Management
Data Governance Body

Establish a Data Governance Body consisting of [assignment] with [assignment].

GVID
LowModerateHigh
PM-24Program Management
Data Integrity Board

Establish a Data Integrity Board to: Review proposals to conduct or participate in a matching program; and Conduct an annual review of all matching programs in which the agency has participated.

GV
LowModerateHigh
PM-25Program Management
Minimization of Personally Identifiable Information Used in Testing, Training, and Research

Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research; Limit or minimize the amount of perso

LowModerateHigh
PM-26Program Management
Complaint Management

Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: Mechanisms that are easy

LowModerateHigh
PM-27Program Management
Privacy Reporting

Develop [assignment] and disseminate to: [assignment] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and [assignment] and other personnel with responsibility fo

LowModerateHigh
PM-28Program Management
Risk Framing

Identify and document: Assumptions affecting risk assessments, risk responses, and risk monitoring; Constraints affecting risk assessments, risk responses, and risk monitoring; Priorities and trade-of

DEGV
LowModerateHigh
PM-29Program Management
Risk Management Program Leadership Roles

Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; a

GV
LowModerateHigh
PM-30Program Management
Supply Chain Risk Management Strategy

Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; Implem

DEGVID
LowModerateHigh
PM-30(1)Program Management
Suppliers of Critical or Mission-essential Items

Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.

GV
LowModerateHigh
PM-31Program Management
Continuous Monitoring Strategy

Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Establishing the following organization-wide metrics to be monitored: [assignment

GVID
LowModerateHigh
PM-32Program Management
Purposing

Analyze [assignment] supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.

LowModerateHigh
PS-1Personnel Security
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizati

GVID
LowModerateHigh
PS-2Personnel Security
Position Risk Designation

Assign a risk designation to all organizational positions; Establish screening criteria for individuals filling those positions; and Review and update position risk designations [assignment].

LowModerateHigh
PS-3Personnel Security
Personnel Screening

Screen individuals prior to authorizing access to the system; and Rescreen individuals in accordance with [assignment].

LowModerateHigh
PS-3(1)Personnel Security
Classified Information

Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which the

LowModerateHigh
PS-3(2)Personnel Security
Formal Indoctrination

Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant type

LowModerateHigh
PS-3(3)Personnel Security
Information Requiring Special Protective Measures

Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: Have valid access authorizations that are demonstrated by assigned official go

LowModerateHigh
PS-3(4)Personnel Security
Citizenship Requirements

Verify that individuals accessing a system processing, storing, or transmitting [assignment] meet [assignment].

LowModerateHigh
PS-4Personnel Security
Personnel Termination

Upon termination of individual employment: Disable system access within [assignment]; Terminate or revoke any authenticators and credentials associated with the individual; Conduct exit interviews tha

LowModerateHigh
PS-4(1)Personnel Security
Post-employment Requirements

Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and Require terminated individuals to sign an acknowledgment

LowModerateHigh
PS-4(2)Personnel Security
Automated Actions

Use [assignment] to [assignment].

LowModerateHigh
PS-5Personnel Security
Personnel Transfer

Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within th

LowModerateHigh
PS-6Personnel Security
Access Agreements

Develop and document access agreements for organizational systems; Review and update the access agreements [assignment] ; and Verify that individuals requiring access to organizational information and

LowModerateHigh
PS-6(1)Personnel Security
Information Requiring Special Protection

LowModerateHigh
PS-6(2)Personnel Security
Classified Information Requiring Special Protection

Verify that access to classified information requiring special protection is granted only to individuals who: Have a valid access authorization that is demonstrated by assigned official government dut

LowModerateHigh
PS-6(3)Personnel Security
Post-employment Requirements

Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and Require individuals to sign an acknowledgment of these requirements, if

LowModerateHigh
PS-7Personnel Security
External Personnel Security

Establish personnel security requirements, including security roles and responsibilities for external providers; Require external providers to comply with personnel security policies and procedures es

DEGV
LowModerateHigh
PS-8Personnel Security
Personnel Sanctions

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and Notify [assignment] within [assignment] when a formal

LowModerateHigh
PS-9Personnel Security
Position Descriptions

Incorporate security and privacy roles and responsibilities into organizational position descriptions.

GV
LowModerateHigh
PT-1Personally Identifiable Information Processing and Transparency
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] personally identifiable information processing and transparency policy that: Addresses purpose, scope, roles, responsibilities, managem

GVID
LowModerateHigh
PT-2Personally Identifiable Information Processing and Transparency
Authority to Process Personally Identifiable Information

Determine and document the [assignment] that permits the [assignment] of personally identifiable information; and Restrict the [assignment] of personally identifiable information to only that which is

LowModerateHigh
PT-2(1)Personally Identifiable Information Processing and Transparency
Data Tagging

Attach data tags containing [assignment] to [assignment].

LowModerateHigh
PT-2(2)Personally Identifiable Information Processing and Transparency
Automation

Manage enforcement of the authorized processing of personally identifiable information using [assignment].

LowModerateHigh
PT-3Personally Identifiable Information Processing and Transparency
Personally Identifiable Information Processing Purposes

Identify and document the [assignment] for processing personally identifiable information; Describe the purpose(s) in the public privacy notices and policies of the organization; Restrict the [assignm

LowModerateHigh
PT-3(1)Personally Identifiable Information Processing and Transparency
Data Tagging

Attach data tags containing the following purposes to [assignment]: [assignment].

LowModerateHigh
PT-3(2)Personally Identifiable Information Processing and Transparency
Automation

Track processing purposes of personally identifiable information using [assignment].

LowModerateHigh
PT-4Personally Identifiable Information Processing and Transparency
Consent

Implement [assignment] for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.

LowModerateHigh
PT-4(1)Personally Identifiable Information Processing and Transparency
Tailored Consent

Provide [assignment] to allow individuals to tailor processing permissions to selected elements of personally identifiable information.

LowModerateHigh
PT-4(2)Personally Identifiable Information Processing and Transparency
Just-in-time Consent

Present [assignment] to individuals at [assignment] and in conjunction with [assignment].

LowModerateHigh
PT-4(3)Personally Identifiable Information Processing and Transparency
Revocation

Implement [assignment] for individuals to revoke consent to the processing of their personally identifiable information.

LowModerateHigh
PT-5Personally Identifiable Information Processing and Transparency
Privacy Notice

Provide notice to individuals about the processing of personally identifiable information that: Is available to individuals upon first interacting with an organization, and subsequently at [assignment

LowModerateHigh
PT-5(1)Personally Identifiable Information Processing and Transparency
Just-in-time Notice

Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data a

LowModerateHigh
PT-5(2)Personally Identifiable Information Processing and Transparency
Privacy Act Statements

Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by

LowModerateHigh
PT-6Personally Identifiable Information Processing and Transparency
System of Records Notice

For systems that process information that will be maintained in a Privacy Act system of records: Draft system of records notices in accordance with OMB guidance and submit new and significantly modifi

LowModerateHigh
PT-6(1)Personally Identifiable Information Processing and Transparency
Routine Uses

Review all routine uses published in the system of records notice at [assignment] to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the

LowModerateHigh
PT-6(2)Personally Identifiable Information Processing and Transparency
Exemption Rules

Review all Privacy Act exemptions claimed for the system of records at [assignment] to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulatio

LowModerateHigh
PT-7Personally Identifiable Information Processing and Transparency
Specific Categories of Personally Identifiable Information

Apply [assignment] for specific categories of personally identifiable information.

LowModerateHigh
PT-7(1)Personally Identifiable Information Processing and Transparency
Social Security Numbers

When a system processes Social Security numbers: Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier; Do n

LowModerateHigh
PT-7(2)Personally Identifiable Information Processing and Transparency
First Amendment Information

Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent

LowModerateHigh
PT-8Personally Identifiable Information Processing and Transparency
Computer Matching Requirements

When a system or organization processes information for the purpose of conducting a matching program: Obtain approval from the Data Integrity Board to conduct the matching program; Develop and enter i

LowModerateHigh
RA-1Risk Assessment
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizationa

GVID
LowModerateHigh
RA-2Risk Assessment
Security Categorization

Categorize the system and information it processes, stores, and transmits; Document the security categorization results, including supporting rationale, in the security plan for the system; and Verify

ID
LowModerateHigh
RA-2(1)Risk Assessment
Impact-level Prioritization

Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.

LowModerateHigh
RA-3Risk Assessment
Risk Assessment

Conduct a risk assessment, including: Identifying threats to and vulnerabilities in the system; Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption,

DEGVIDRS
LowModerateHigh
RA-3(1)Risk Assessment
Supply Chain Risk Assessment

Assess supply chain risks associated with [assignment] ; and Update the supply chain risk assessment [assignment] , when there are significant changes to the relevant supply chain, or when changes to

LowModerateHigh
RA-3(2)Risk Assessment
Use of All-source Intelligence

Use all-source intelligence to assist in the analysis of risk.

LowModerateHigh
RA-3(3)Risk Assessment
Dynamic Threat Awareness

Determine the current cyber threat environment on an ongoing basis using [assignment].

LowModerateHigh
RA-3(4)Risk Assessment
Predictive Cyber Analytics

Employ the following advanced automation and analytics capabilities to predict and identify risks to [assignment]: [assignment].

LowModerateHigh
RA-4Risk Assessment
Risk Assessment Update

DE
LowModerateHigh
RA-5Risk Assessment
Vulnerability Monitoring and Scanning

Monitor and scan for vulnerabilities in the system and hosted applications [assignment] and when new vulnerabilities potentially affecting the system are identified and reported; Employ vulnerability

GVID
LowModerateHigh
RA-5(1)Risk Assessment
Update Tool Capability

LowModerateHigh
RA-5(2)Risk Assessment
Update Vulnerabilities to Be Scanned

Update the system vulnerabilities to be scanned [assignment].

LowModerateHigh
RA-5(3)Risk Assessment
Breadth and Depth of Coverage

Define the breadth and depth of vulnerability scanning coverage.

LowModerateHigh
RA-5(4)Risk Assessment
Discoverable Information

Determine information about the system that is discoverable and take [assignment].

LowModerateHigh
RA-5(5)Risk Assessment
Privileged Access

Implement privileged access authorization to [assignment] for [assignment].

LowModerateHigh
RA-5(6)Risk Assessment
Automated Trend Analyses

Compare the results of multiple vulnerability scans using [assignment].

LowModerateHigh
RA-5(7)Risk Assessment
Automated Detection and Notification of Unauthorized Components

LowModerateHigh
RA-5(8)Risk Assessment
Review Historic Audit Logs

Review historic audit logs to determine if a vulnerability identified in a [assignment] has been previously exploited within an [assignment].

LowModerateHigh
RA-5(9)Risk Assessment
Penetration Testing and Analyses

LowModerateHigh
RA-5(10)Risk Assessment
Correlate Scanning Information

Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.

LowModerateHigh
RA-5(11)Risk Assessment
Public Disclosure Program

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

LowModerateHigh
RA-6Risk Assessment
Technical Surveillance Countermeasures Survey

Employ a technical surveillance countermeasures survey at [assignment] [assignment].

LowModerateHigh
RA-7Risk Assessment
Risk Response

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

GVIDRS
LowModerateHigh
RA-8Risk Assessment
Privacy Impact Assessments

Conduct privacy impact assessments for systems, programs, or other activities before: Developing or procuring information technology that processes personally identifiable information; and Initiating

ID
LowModerateHigh
RA-9Risk Assessment
Criticality Analysis

Identify critical system components and functions by performing a criticality analysis for [assignment] at [assignment].

GVID
LowModerateHigh
RA-10Risk Assessment
Threat Hunting

Establish and maintain a cyber threat hunting capability to: Search for indicators of compromise in organizational systems; and Detect, track, and disrupt threats that evade existing controls; and Emp

DE
LowModerateHigh
SA-1System and Services Acquisition
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination amo

GVID
LowModerateHigh
SA-2System and Services Acquisition
Allocation of Resources

Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; Determine, document, and allocate the resources requir

LowModerateHigh
SA-3System and Services Acquisition
System Development Life Cycle

Acquire, develop, and manage the system using [assignment] that incorporates information security and privacy considerations; Define and document information security and privacy roles and responsibil

IDPR
LowModerateHigh
SA-3(1)System and Services Acquisition
Manage Preproduction Environment

Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.

LowModerateHigh
SA-3(2)System and Services Acquisition
Use of Live or Operational Data

Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and Protect preproduction environments for the system, system com

LowModerateHigh
SA-3(3)System and Services Acquisition
Technology Refresh

Plan for and implement a technology refresh schedule for the system throughout the system development life cycle.

LowModerateHigh
SA-4System and Services Acquisition
Acquisition Process

Include the following requirements, descriptions, and criteria, explicitly or by reference, using [assignment] in the acquisition contract for the system, system component, or system service: Security

DEGVID
LowModerateHigh
SA-4(1)System and Services Acquisition
Functional Properties of Controls

Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.

LowModerateHigh
SA-4(2)System and Services Acquisition
Design and Implementation Information for Controls

Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [assignment] at [assignment].

LowModerateHigh
SA-4(3)System and Services Acquisition
Development Methods, Techniques, and Practices

Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [assignment]; [assignment] ; and [assignment].

LowModerateHigh
SA-4(4)System and Services Acquisition
Assignment of Components to Systems

LowModerateHigh
SA-4(5)System and Services Acquisition
System, Component, and Service Configurations

Require the developer of the system, system component, or system service to: Deliver the system, component, or service with [assignment] implemented; and Use the configurations as the default for any

LowModerateHigh
SA-4(6)System and Services Acquisition
Use of Information Assurance Products

Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protec

LowModerateHigh
SA-4(7)System and Services Acquisition
NIAP-approved Protection Profiles

Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a Nationa

LowModerateHigh
SA-4(8)System and Services Acquisition
Continuous Monitoring Plan for Controls

Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program

LowModerateHigh
SA-4(9)System and Services Acquisition
Functions, Ports, Protocols, and Services in Use

Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.

LowModerateHigh
SA-4(10)System and Services Acquisition
Use of Approved PIV Products

Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.

LowModerateHigh
SA-4(11)System and Services Acquisition
System of Records

Include [assignment] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.

LowModerateHigh
SA-4(12)System and Services Acquisition
Data Ownership

Include organizational data ownership requirements in the acquisition contract; and Require all data to be removed from the contractor’s system and returned to the organization within [assignment].

LowModerateHigh
SA-5System and Services Acquisition
System Documentation

Obtain or develop administrator documentation for the system, system component, or system service that describes: Secure configuration, installation, and operation of the system, component, or service

ID
LowModerateHigh
SA-5(1)System and Services Acquisition
Functional Properties of Security Controls

LowModerateHigh
SA-5(2)System and Services Acquisition
Security-relevant External System Interfaces

LowModerateHigh
SA-5(3)System and Services Acquisition
High-level Design

LowModerateHigh
SA-5(4)System and Services Acquisition
Low-level Design

LowModerateHigh
SA-5(5)System and Services Acquisition
Source Code

LowModerateHigh
SA-6System and Services Acquisition
Software Usage Restrictions

LowModerateHigh
SA-7System and Services Acquisition
User-installed Software

LowModerateHigh
SA-8System and Services Acquisition
Security and Privacy Engineering Principles

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [assignment].

IDPR
LowModerateHigh
SA-8(1)System and Services Acquisition
Clear Abstractions

Implement the security design principle of clear abstractions.

LowModerateHigh
SA-8(2)System and Services Acquisition
Least Common Mechanism

Implement the security design principle of least common mechanism in [assignment].

LowModerateHigh
SA-8(3)System and Services Acquisition
Modularity and Layering

Implement the security design principles of modularity and layering in [assignment].

LowModerateHigh
SA-8(4)System and Services Acquisition
Partially Ordered Dependencies

Implement the security design principle of partially ordered dependencies in [assignment].

LowModerateHigh
SA-8(5)System and Services Acquisition
Efficiently Mediated Access

Implement the security design principle of efficiently mediated access in [assignment].

LowModerateHigh
SA-8(6)System and Services Acquisition
Minimized Sharing

Implement the security design principle of minimized sharing in [assignment].

LowModerateHigh
SA-8(7)System and Services Acquisition
Reduced Complexity

Implement the security design principle of reduced complexity in [assignment].

LowModerateHigh
SA-8(8)System and Services Acquisition
Secure Evolvability

Implement the security design principle of secure evolvability in [assignment].

LowModerateHigh
SA-8(9)System and Services Acquisition
Trusted Components

Implement the security design principle of trusted components in [assignment].

LowModerateHigh
SA-8(10)System and Services Acquisition
Hierarchical Trust

Implement the security design principle of hierarchical trust in [assignment].

LowModerateHigh
SA-8(11)System and Services Acquisition
Inverse Modification Threshold

Implement the security design principle of inverse modification threshold in [assignment].

LowModerateHigh
SA-8(12)System and Services Acquisition
Hierarchical Protection

Implement the security design principle of hierarchical protection in [assignment].

LowModerateHigh
SA-8(13)System and Services Acquisition
Minimized Security Elements

Implement the security design principle of minimized security elements in [assignment].

LowModerateHigh
SA-8(14)System and Services Acquisition
Least Privilege

Implement the security design principle of least privilege in [assignment].

LowModerateHigh
SA-8(15)System and Services Acquisition
Predicate Permission

Implement the security design principle of predicate permission in [assignment].

LowModerateHigh
SA-8(16)System and Services Acquisition
Self-reliant Trustworthiness

Implement the security design principle of self-reliant trustworthiness in [assignment].

LowModerateHigh
SA-8(17)System and Services Acquisition
Secure Distributed Composition

Implement the security design principle of secure distributed composition in [assignment].

LowModerateHigh
SA-8(18)System and Services Acquisition
Trusted Communications Channels

Implement the security design principle of trusted communications channels in [assignment].

LowModerateHigh
SA-8(19)System and Services Acquisition
Continuous Protection

Implement the security design principle of continuous protection in [assignment].

LowModerateHigh
SA-8(20)System and Services Acquisition
Secure Metadata Management

Implement the security design principle of secure metadata management in [assignment].

LowModerateHigh
SA-8(21)System and Services Acquisition
Self-analysis

Implement the security design principle of self-analysis in [assignment].

LowModerateHigh
SA-8(22)System and Services Acquisition
Accountability and Traceability

Implement the security design principle of accountability and traceability in [assignment].

LowModerateHigh
SA-8(23)System and Services Acquisition
Secure Defaults

Implement the security design principle of secure defaults in [assignment].

LowModerateHigh
SA-8(24)System and Services Acquisition
Secure Failure and Recovery

Implement the security design principle of secure failure and recovery in [assignment].

LowModerateHigh
SA-8(25)System and Services Acquisition
Economic Security

Implement the security design principle of economic security in [assignment].

LowModerateHigh
SA-8(26)System and Services Acquisition
Performance Security

Implement the security design principle of performance security in [assignment].

LowModerateHigh
SA-8(27)System and Services Acquisition
Human Factored Security

Implement the security design principle of human factored security in [assignment].

LowModerateHigh
SA-8(28)System and Services Acquisition
Acceptable Security

Implement the security design principle of acceptable security in [assignment].

LowModerateHigh
SA-8(29)System and Services Acquisition
Repeatable and Documented Procedures

Implement the security design principle of repeatable and documented procedures in [assignment].

LowModerateHigh
SA-8(30)System and Services Acquisition
Procedural Rigor

Implement the security design principle of procedural rigor in [assignment].

LowModerateHigh
SA-8(31)System and Services Acquisition
Secure System Modification

Implement the security design principle of secure system modification in [assignment].

LowModerateHigh
SA-8(32)System and Services Acquisition
Sufficient Documentation

Implement the security design principle of sufficient documentation in [assignment].

LowModerateHigh
SA-8(33)System and Services Acquisition
Minimization

Implement the privacy principle of minimization using [assignment].

LowModerateHigh
SA-9System and Services Acquisition
External System Services

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [assignment]; Define and document organizational over

DEGVID
LowModerateHigh
SA-9(1)System and Services Acquisition
Risk Assessments and Organizational Approvals

Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and Verify that the acquisition or outsourcing of dedicated information security

LowModerateHigh
SA-9(2)System and Services Acquisition
Identification of Functions, Ports, Protocols, and Services

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [assignment].

LowModerateHigh
SA-9(3)System and Services Acquisition
Establish and Maintain Trust Relationship with Providers

Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: [assignment].

LowModerateHigh
SA-9(4)System and Services Acquisition
Consistent Interests of Consumers and Providers

Take the following actions to verify that the interests of [assignment] are consistent with and reflect organizational interests: [assignment].

LowModerateHigh
SA-9(5)System and Services Acquisition
Processing, Storage, and Service Location

Restrict the location of [assignment] to [assignment] based on [assignment].

LowModerateHigh
SA-9(6)System and Services Acquisition
Organization-controlled Cryptographic Keys

Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.

LowModerateHigh
SA-9(7)System and Services Acquisition
Organization-controlled Integrity Checking

Provide the capability to check the integrity of information while it resides in the external system.

LowModerateHigh
SA-9(8)System and Services Acquisition
Processing and Storage Location — U.S. Jurisdiction

Restrict the geographic location of information processing and data storage to facilities located within in the legal jurisdictional boundary of the United States.

LowModerateHigh
SA-10System and Services Acquisition
Developer Configuration Management

Require the developer of the system, system component, or system service to: Perform configuration management during system, component, or service [assignment]; Document, manage, and control the integ

IDPR
LowModerateHigh
SA-10(1)System and Services Acquisition
Software and Firmware Integrity Verification

Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.

PR
LowModerateHigh
SA-10(2)System and Services Acquisition
Alternative Configuration Management Processes

Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.

LowModerateHigh
SA-10(3)System and Services Acquisition
Hardware Integrity Verification

Require the developer of the system, system component, or system service to enable integrity verification of hardware components.

PR
LowModerateHigh
SA-10(4)System and Services Acquisition
Trusted Generation

Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code

LowModerateHigh
SA-10(5)System and Services Acquisition
Mapping Integrity for Version Control

Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hard

LowModerateHigh
SA-10(6)System and Services Acquisition
Trusted Distribution

Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organizat

LowModerateHigh
SA-10(7)System and Services Acquisition
Security and Privacy Representatives

Require [assignment] to be included in the [assignment].

LowModerateHigh
SA-11System and Services Acquisition
Developer Testing and Evaluation

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Develop and implement a plan for ongoing security and priv

IDPR
LowModerateHigh
SA-11(1)System and Services Acquisition
Static Code Analysis

Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

LowModerateHigh
SA-11(2)System and Services Acquisition
Threat Modeling and Vulnerability Analyses

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the syste

ID
LowModerateHigh
SA-11(3)System and Services Acquisition
Independent Verification of Assessment Plans and Evidence

Require an independent agent satisfying [assignment] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation

LowModerateHigh
SA-11(4)System and Services Acquisition
Manual Code Reviews

Require the developer of the system, system component, or system service to perform a manual code review of [assignment] using the following processes, procedures, and/or techniques: [assignment].

LowModerateHigh
SA-11(5)System and Services Acquisition
Penetration Testing

Require the developer of the system, system component, or system service to perform penetration testing: At the following level of rigor: [assignment] ; and Under the following constraints: [assignmen

LowModerateHigh
SA-11(6)System and Services Acquisition
Attack Surface Reviews

Require the developer of the system, system component, or system service to perform attack surface reviews.

LowModerateHigh
SA-11(7)System and Services Acquisition
Verify Scope of Testing and Evaluation

Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level o

LowModerateHigh
SA-11(8)System and Services Acquisition
Dynamic Code Analysis

Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

LowModerateHigh
SA-11(9)System and Services Acquisition
Interactive Application Security Testing

Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.

LowModerateHigh
SA-12System and Services Acquisition
Supply Chain Protection

LowModerateHigh
SA-12(1)System and Services Acquisition
Acquisition Strategies / Tools / Methods

LowModerateHigh
SA-12(2)System and Services Acquisition
Supplier Reviews

LowModerateHigh
SA-12(3)System and Services Acquisition
Trusted Shipping and Warehousing

LowModerateHigh
SA-12(4)System and Services Acquisition
Diversity of Suppliers

LowModerateHigh
SA-12(5)System and Services Acquisition
Limitation of Harm

LowModerateHigh
SA-12(6)System and Services Acquisition
Minimizing Procurement Time

LowModerateHigh
SA-12(7)System and Services Acquisition
Assessments Prior to Selection / Acceptance / Update

LowModerateHigh
SA-12(8)System and Services Acquisition
Use of All-source Intelligence

LowModerateHigh
SA-12(9)System and Services Acquisition
Operations Security

LowModerateHigh
SA-12(10)System and Services Acquisition
Validate as Genuine and Not Altered

LowModerateHigh
SA-12(11)System and Services Acquisition
Penetration Testing / Analysis of Elements, Processes, and Actors

LowModerateHigh
SA-12(12)System and Services Acquisition
Inter-organizational Agreements

LowModerateHigh
SA-12(13)System and Services Acquisition
Critical Information System Components

LowModerateHigh
SA-12(14)System and Services Acquisition
Identity and Traceability

LowModerateHigh
SA-12(15)System and Services Acquisition
Processes to Address Weaknesses or Deficiencies

LowModerateHigh
SA-13System and Services Acquisition
Trustworthiness

LowModerateHigh
SA-14System and Services Acquisition
Criticality Analysis

LowModerateHigh
SA-14(1)System and Services Acquisition
Critical Components with No Viable Alternative Sourcing

LowModerateHigh
SA-15System and Services Acquisition
Development Process, Standards, and Tools

Require the developer of the system, system component, or system service to follow a documented development process that: Explicitly addresses security and privacy requirements; Identifies the standar

IDPR
LowModerateHigh
SA-15(1)System and Services Acquisition
Quality Metrics

Require the developer of the system, system component, or system service to: Define quality metrics at the beginning of the development process; and Provide evidence of meeting the quality metrics [as

LowModerateHigh
SA-15(2)System and Services Acquisition
Security and Privacy Tracking Tools

Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.

LowModerateHigh
SA-15(3)System and Services Acquisition
Criticality Analysis

Require the developer of the system, system component, or system service to perform a criticality analysis: At the following decision points in the system development life cycle: [assignment] ; and At

LowModerateHigh
SA-15(4)System and Services Acquisition
Threat Modeling and Vulnerability Analysis

LowModerateHigh
SA-15(5)System and Services Acquisition
Attack Surface Reduction

Require the developer of the system, system component, or system service to reduce attack surfaces to [assignment].

LowModerateHigh
SA-15(6)System and Services Acquisition
Continuous Improvement

Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.

LowModerateHigh
SA-15(7)System and Services Acquisition
Automated Vulnerability Analysis

Require the developer of the system, system component, or system service [assignment] to: Perform an automated vulnerability analysis using [assignment]; Determine the exploitation potential for disco

ID
LowModerateHigh
SA-15(8)System and Services Acquisition
Reuse of Threat and Vulnerability Information

Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current developme

ID
LowModerateHigh
SA-15(9)System and Services Acquisition
Use of Live Data

LowModerateHigh
SA-15(10)System and Services Acquisition
Incident Response Plan

Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.

LowModerateHigh
SA-15(11)System and Services Acquisition
Archive System or Component

Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privac

LowModerateHigh
SA-15(12)System and Services Acquisition
Minimize Personally Identifiable Information

Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.

LowModerateHigh
SA-15(13)System and Services Acquisition
Logging Syntax

Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.

PR
LowModerateHigh
SA-16System and Services Acquisition
Developer-provided Training

Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls,

LowModerateHigh
SA-17System and Services Acquisition
Developer Security and Privacy Architecture and Design

Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: Is consistent with the organization’s security an

IDPR
LowModerateHigh
SA-17(1)System and Services Acquisition
Formal Policy Model

Require the developer of the system, system component, or system service to: Produce, as an integral part of the development process, a formal policy model describing the [assignment] to be enforced;

LowModerateHigh
SA-17(2)System and Services Acquisition
Security-relevant Components

Require the developer of the system, system component, or system service to: Define security-relevant hardware, software, and firmware; and Provide a rationale that the definition for security-relevan

LowModerateHigh
SA-17(3)System and Services Acquisition
Formal Correspondence

Require the developer of the system, system component, or system service to: Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to

LowModerateHigh
SA-17(4)System and Services Acquisition
Informal Correspondence

Require the developer of the system, system component, or system service to: Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the

LowModerateHigh
SA-17(5)System and Services Acquisition
Conceptually Simple Design

Require the developer of the system, system component, or system service to: Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protecti

LowModerateHigh
SA-17(6)System and Services Acquisition
Structure for Testing

Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing.

ID
LowModerateHigh
SA-17(7)System and Services Acquisition
Structure for Least Privilege

Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.

LowModerateHigh
SA-17(8)System and Services Acquisition
Orchestration

Design [assignment] with coordinated behavior to implement the following capabilities: [assignment].

LowModerateHigh
SA-17(9)System and Services Acquisition
Design Diversity

Use different designs for [assignment] to satisfy a common set of requirements or to provide equivalent functionality.

LowModerateHigh
SA-18System and Services Acquisition
Tamper Resistance and Detection

LowModerateHigh
SA-18(1)System and Services Acquisition
Multiple Phases of System Development Life Cycle

LowModerateHigh
SA-18(2)System and Services Acquisition
Inspection of Systems or Components

LowModerateHigh
SA-19System and Services Acquisition
Component Authenticity

LowModerateHigh
SA-19(1)System and Services Acquisition
Anti-counterfeit Training

LowModerateHigh
SA-19(2)System and Services Acquisition
Configuration Control for Component Service and Repair

LowModerateHigh
SA-19(3)System and Services Acquisition
Component Disposal

LowModerateHigh
SA-19(4)System and Services Acquisition
Anti-counterfeit Scanning

LowModerateHigh
SA-20System and Services Acquisition
Customized Development of Critical Components

Reimplement or custom develop the following critical system components: [assignment].

LowModerateHigh
SA-21System and Services Acquisition
Developer Screening

Require that the developer of [assignment]: Has appropriate access authorizations as determined by assigned [assignment] ; and Satisfies the following additional personnel screening criteria: [assignm

LowModerateHigh
SA-21(1)System and Services Acquisition
Validation of Screening

LowModerateHigh
SA-22System and Services Acquisition
Unsupported System Components

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or Provide the following options for alternative sources for continued sup

ID
LowModerateHigh
SA-22(1)System and Services Acquisition
Alternative Sources for Continued Support

LowModerateHigh
SA-23System and Services Acquisition
Specialization

Employ [assignment] on [assignment] supporting mission essential services or functions to increase the trustworthiness in those systems or components.

LowModerateHigh
SA-24System and Services Acquisition
Design For Cyber Resiliency

Design organizational systems, system components, or system services to achieve cyber resiliency by: Defining the following cyber resiliency goals: [assignment]. Defining the following cyber resilienc

GVPR
LowModerateHigh
SC-1System and Communications Protection
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] system and communications protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordinatio

GVID
LowModerateHigh
SC-2System and Communications Protection
Separation of System and User Functionality

Separate user functionality, including user interface services, from system management functionality.

LowModerateHigh
SC-2(1)System and Communications Protection
Interfaces for Non-privileged Users

Prevent the presentation of system management functionality at interfaces to non-privileged users.

LowModerateHigh
SC-2(2)System and Communications Protection
Disassociability

Store state information from applications and software separately.

LowModerateHigh
SC-3System and Communications Protection
Security Function Isolation

Isolate security functions from nonsecurity functions.

LowModerateHigh
SC-3(1)System and Communications Protection
Hardware Separation

Employ hardware separation mechanisms to implement security function isolation.

PR
LowModerateHigh
SC-3(2)System and Communications Protection
Access and Flow Control Functions

Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions.

LowModerateHigh
SC-3(3)System and Communications Protection
Minimize Nonsecurity Functionality

Minimize the number of nonsecurity functions included within the isolation boundary containing security functions.

LowModerateHigh
SC-3(4)System and Communications Protection
Module Coupling and Cohesiveness

Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.

LowModerateHigh
SC-3(5)System and Communications Protection
Layered Structures

Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layer

LowModerateHigh
SC-4System and Communications Protection
Information in Shared System Resources

Prevent unauthorized and unintended information transfer via shared system resources.

PR
LowModerateHigh
SC-4(1)System and Communications Protection
Security Levels

LowModerateHigh
SC-4(2)System and Communications Protection
Multilevel or Periods Processing

Prevent unauthorized information transfer via shared resources in accordance with [assignment] when system processing explicitly switches between different information classification levels or securit

LowModerateHigh
SC-5System and Communications Protection
Denial-of-service Protection

[assignment] the effects of the following types of denial-of-service events: [assignment] ; and Employ the following controls to achieve the denial-of-service objective: [assignment].

DEPR
LowModerateHigh
SC-5(1)System and Communications Protection
Restrict Ability to Attack Other Systems

Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [assignment].

LowModerateHigh
SC-5(2)System and Communications Protection
Capacity, Bandwidth, and Redundancy

Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.

LowModerateHigh
SC-5(3)System and Communications Protection
Detection and Monitoring

Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [assignment] ; and Monitor the following system resources to determine if

LowModerateHigh
SC-6System and Communications Protection
Resource Availability

Protect the availability of resources by allocating [assignment] by [assignment].

PR
LowModerateHigh
SC-7System and Communications Protection
Boundary Protection

Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; Implement subnetworks for publicly accessible system compo

DEPR
LowModerateHigh
SC-7(1)System and Communications Protection
Physically Separated Subnetworks

LowModerateHigh
SC-7(2)System and Communications Protection
Public Access

LowModerateHigh
SC-7(3)System and Communications Protection
Access Points

Limit the number of external network connections to the system.

LowModerateHigh
SC-7(4)System and Communications Protection
External Telecommunications Services

Implement a managed interface for each external telecommunication service; Establish a traffic flow policy for each managed interface; Protect the confidentiality and integrity of the information bein

LowModerateHigh
SC-7(5)System and Communications Protection
Deny by Default — Allow by Exception

Deny network communications traffic by default and allow network communications traffic by exception [assignment].

LowModerateHigh
SC-7(6)System and Communications Protection
Response to Recognized Failures

LowModerateHigh
SC-7(7)System and Communications Protection
Split Tunneling for Remote Devices

Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [assignment].

LowModerateHigh
SC-7(8)System and Communications Protection
Route Traffic to Authenticated Proxy Servers

Route [assignment] to [assignment] through authenticated proxy servers at managed interfaces.

LowModerateHigh
SC-7(9)System and Communications Protection
Restrict Threatening Outgoing Communications Traffic

Detect and deny outgoing communications traffic posing a threat to external systems; and Audit the identity of internal users associated with denied communications.

LowModerateHigh
SC-7(10)System and Communications Protection
Prevent Exfiltration

Prevent the exfiltration of information; and Conduct exfiltration tests [assignment].

LowModerateHigh
SC-7(11)System and Communications Protection
Restrict Incoming Communications Traffic

Only allow incoming communications from [assignment] to be routed to [assignment].

LowModerateHigh
SC-7(12)System and Communications Protection
Host-based Protection

Implement [assignment] at [assignment].

LowModerateHigh
SC-7(13)System and Communications Protection
Isolation of Security Tools, Mechanisms, and Support Components

Isolate [assignment] from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

LowModerateHigh
SC-7(14)System and Communications Protection
Protect Against Unauthorized Physical Connections

Protect against unauthorized physical connections at [assignment].

LowModerateHigh
SC-7(15)System and Communications Protection
Networked Privileged Accesses

Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

LowModerateHigh
SC-7(16)System and Communications Protection
Prevent Discovery of System Components

Prevent the discovery of specific system components that represent a managed interface.

LowModerateHigh
SC-7(17)System and Communications Protection
Automated Enforcement of Protocol Formats

Enforce adherence to protocol formats.

LowModerateHigh
SC-7(18)System and Communications Protection
Fail Secure

Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.

LowModerateHigh
SC-7(19)System and Communications Protection
Block Communication from Non-organizationally Configured Hosts

Block inbound and outbound communications traffic between [assignment] that are independently configured by end users and external service providers.

LowModerateHigh
SC-7(20)System and Communications Protection
Dynamic Isolation and Segregation

Provide the capability to dynamically isolate [assignment] from other system components.

LowModerateHigh
SC-7(21)System and Communications Protection
Isolation of System Components

Employ boundary protection mechanisms to isolate [assignment] supporting [assignment].

LowModerateHigh
SC-7(22)System and Communications Protection
Separate Subnets for Connecting to Different Security Domains

Implement separate network addresses to connect to systems in different security domains.

LowModerateHigh
SC-7(23)System and Communications Protection
Disable Sender Feedback on Protocol Validation Failure

Disable feedback to senders on protocol format validation failure.

LowModerateHigh
SC-7(24)System and Communications Protection
Personally Identifiable Information

For systems that process personally identifiable information: Apply the following processing rules to data elements of personally identifiable information: [assignment]; Monitor for permitted processi

LowModerateHigh
SC-7(25)System and Communications Protection
Unclassified National Security System Connections

Prohibit the direct connection of [assignment] to an external network without the use of [assignment].

LowModerateHigh
SC-7(26)System and Communications Protection
Classified National Security System Connections

Prohibit the direct connection of a classified national security system to an external network without the use of [assignment].

LowModerateHigh
SC-7(27)System and Communications Protection
Unclassified Non-national Security System Connections

Prohibit the direct connection of [assignment] to an external network without the use of [assignment].

LowModerateHigh
SC-7(28)System and Communications Protection
Connections to Public Networks

Prohibit the direct connection of [assignment] to a public network.

LowModerateHigh
SC-7(29)System and Communications Protection
Separate Subnets to Isolate Functions

Implement [assignment] separate subnetworks to isolate the following critical system components and functions: [assignment].

LowModerateHigh
SC-8System and Communications Protection
Transmission Confidentiality and Integrity

Protect the [assignment] of transmitted information.

PR
LowModerateHigh
SC-8(1)System and Communications Protection
Cryptographic Protection

Implement cryptographic mechanisms to [assignment] during transmission.

LowModerateHigh
SC-8(2)System and Communications Protection
Pre- and Post-transmission Handling

Maintain the [assignment] of information during preparation for transmission and during reception.

LowModerateHigh
SC-8(3)System and Communications Protection
Cryptographic Protection for Message Externals

Implement cryptographic mechanisms to protect message externals unless otherwise protected by [assignment].

LowModerateHigh
SC-8(4)System and Communications Protection
Conceal or Randomize Communications

Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [assignment].

LowModerateHigh
SC-8(5)System and Communications Protection
Protected Distribution System

Implement [assignment] to [assignment] during transmission.

LowModerateHigh
SC-9System and Communications Protection
Transmission Confidentiality

LowModerateHigh
SC-10System and Communications Protection
Network Disconnect

Terminate the network connection associated with a communications session at the end of the session or after [assignment] of inactivity.

LowModerateHigh
SC-11System and Communications Protection
Trusted Path

Provide a [assignment] isolated trusted communications path for communications between the user and the trusted components of the system; and Permit users to invoke the trusted communications path for

PR
LowModerateHigh
SC-11(1)System and Communications Protection
Irrefutable Communications Path

Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and Initiate the trusted communications path for communications between the [assignment] of t

LowModerateHigh
SC-12System and Communications Protection
Cryptographic Key Establishment and Management

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [assignment].

PR
LowModerateHigh
SC-12(1)System and Communications Protection
Availability

Maintain availability of information in the event of the loss of cryptographic keys by users.

LowModerateHigh
SC-12(2)System and Communications Protection
Symmetric Keys

Produce, control, and distribute symmetric cryptographic keys using [assignment] key management technology and processes.

LowModerateHigh
SC-12(3)System and Communications Protection
Asymmetric Keys

Produce, control, and distribute asymmetric cryptographic keys using [assignment].

LowModerateHigh
SC-12(4)System and Communications Protection
PKI Certificates

LowModerateHigh
SC-12(5)System and Communications Protection
PKI Certificates / Hardware Tokens

LowModerateHigh
SC-12(6)System and Communications Protection
Physical Control of Keys

Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.

LowModerateHigh
SC-13System and Communications Protection
Cryptographic Protection

Determine the [assignment] ; and Implement the following types of cryptography required for each specified cryptographic use: [assignment].

PR
LowModerateHigh
SC-13(1)System and Communications Protection
FIPS-validated Cryptography

LowModerateHigh
SC-13(2)System and Communications Protection
NSA-approved Cryptography

LowModerateHigh
SC-13(3)System and Communications Protection
Individuals Without Formal Access Approvals

LowModerateHigh
SC-13(4)System and Communications Protection
Digital Signatures

LowModerateHigh
SC-14System and Communications Protection
Public Access Protections

LowModerateHigh
SC-15System and Communications Protection
Collaborative Computing Devices and Applications

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [assignment] ; and Provide an explicit indication of use to users physically present at th

LowModerateHigh
SC-15(1)System and Communications Protection
Physical or Logical Disconnect

Provide [assignment] disconnect of collaborative computing devices in a manner that supports ease of use.

LowModerateHigh
SC-15(2)System and Communications Protection
Blocking Inbound and Outbound Communications Traffic

LowModerateHigh
SC-15(3)System and Communications Protection
Disabling and Removal in Secure Work Areas

Disable or remove collaborative computing devices and applications from [assignment] in [assignment].

LowModerateHigh
SC-15(4)System and Communications Protection
Explicitly Indicate Current Participants

Provide an explicit indication of current participants in [assignment].

LowModerateHigh
SC-16System and Communications Protection
Transmission of Security and Privacy Attributes

Associate [assignment] with information exchanged between systems and between system components.

PR
LowModerateHigh
SC-16(1)System and Communications Protection
Integrity Verification

Verify the integrity of transmitted security and privacy attributes.

LowModerateHigh
SC-16(2)System and Communications Protection
Anti-spoofing Mechanisms

Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.

LowModerateHigh
SC-16(3)System and Communications Protection
Cryptographic Binding

Implement [assignment] to bind security and privacy attributes to transmitted information.

LowModerateHigh
SC-17System and Communications Protection
Public Key Infrastructure Certificates

Issue public key certificates under an [assignment] or obtain public key certificates from an approved service provider; and Include only approved trust anchors in trust stores or certificate stores m

LowModerateHigh
SC-18System and Communications Protection
Mobile Code

Define acceptable and unacceptable mobile code and mobile code technologies; and Authorize, monitor, and control the use of mobile code within the system.

LowModerateHigh
SC-18(1)System and Communications Protection
Identify Unacceptable Code and Take Corrective Actions

Identify [assignment] and take [assignment].

LowModerateHigh
SC-18(2)System and Communications Protection
Acquisition, Development, and Use

Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [assignment].

LowModerateHigh
SC-18(3)System and Communications Protection
Prevent Downloading and Execution

Prevent the download and execution of [assignment].

LowModerateHigh
SC-18(4)System and Communications Protection
Prevent Automatic Execution

Prevent the automatic execution of mobile code in [assignment] and enforce [assignment] prior to executing the code.

LowModerateHigh
SC-18(5)System and Communications Protection
Allow Execution Only in Confined Environments

Allow execution of permitted mobile code only in confined virtual machine environments.

LowModerateHigh
SC-19System and Communications Protection
Voice Over Internet Protocol

Technology-specific; addressed as any other technology or protocol.

LowModerateHigh
SC-20System and Communications Protection
Secure Name/Address Resolution Service (Authoritative Source)

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution

LowModerateHigh
SC-20(1)System and Communications Protection
Child Subspaces

LowModerateHigh
SC-20(2)System and Communications Protection
Data Origin and Integrity

Provide data origin and integrity protection artifacts for internal name/address resolution queries.

LowModerateHigh
SC-21System and Communications Protection
Secure Name/Address Resolution Service (Recursive or Caching Resolver)

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

LowModerateHigh
SC-21(1)System and Communications Protection
Data Origin and Integrity

LowModerateHigh
SC-22System and Communications Protection
Architecture and Provisioning for Name/Address Resolution Service

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

LowModerateHigh
SC-23System and Communications Protection
Session Authenticity

Protect the authenticity of communications sessions.

LowModerateHigh
SC-23(1)System and Communications Protection
Invalidate Session Identifiers at Logout

Invalidate session identifiers upon user logout or other session termination.

LowModerateHigh
SC-23(2)System and Communications Protection
User-initiated Logouts and Message Displays

LowModerateHigh
SC-23(3)System and Communications Protection
Unique System-generated Session Identifiers

Generate a unique session identifier for each session with [assignment] and recognize only session identifiers that are system-generated.

LowModerateHigh
SC-23(4)System and Communications Protection
Unique Session Identifiers with Randomization

LowModerateHigh
SC-23(5)System and Communications Protection
Allowed Certificate Authorities

Only allow the use of [assignment] for verification of the establishment of protected sessions.

LowModerateHigh
SC-24System and Communications Protection
Fail in Known State

Fail to a [assignment] for the following failures on the indicated components while preserving [assignment] in failure: [assignment].

PR
LowModerateHigh
SC-25System and Communications Protection
Thin Nodes

Employ minimal functionality and information storage on the following system components: [assignment].

LowModerateHigh
SC-26System and Communications Protection
Decoys

Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.

LowModerateHigh
SC-26(1)System and Communications Protection
Detection of Malicious Code

LowModerateHigh
SC-27System and Communications Protection
Platform-independent Applications

Include within organizational systems the following platform independent applications: [assignment].

LowModerateHigh
SC-28System and Communications Protection
Protection of Information at Rest

Protect the [assignment] of the following information at rest: [assignment].

PR
LowModerateHigh
SC-28(1)System and Communications Protection
Cryptographic Protection

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [assignment]: [assignment].

LowModerateHigh
SC-28(2)System and Communications Protection
Offline Storage

Remove the following information from online storage and store offline in a secure location: [assignment].

LowModerateHigh
SC-28(3)System and Communications Protection
Cryptographic Keys

Provide protected storage for cryptographic keys [assignment].

LowModerateHigh
SC-29System and Communications Protection
Heterogeneity

Employ a diverse set of information technologies for the following system components in the implementation of the system: [assignment].

LowModerateHigh
SC-29(1)System and Communications Protection
Virtualization Techniques

Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [assignment].

LowModerateHigh
SC-30System and Communications Protection
Concealment and Misdirection

Employ the following concealment and misdirection techniques for [assignment] at [assignment] to confuse and mislead adversaries: [assignment].

LowModerateHigh
SC-30(1)System and Communications Protection
Virtualization Techniques

LowModerateHigh
SC-30(2)System and Communications Protection
Randomness

Employ [assignment] to introduce randomness into organizational operations and assets.

LowModerateHigh
SC-30(3)System and Communications Protection
Change Processing and Storage Locations

Change the location of [assignment] [assignment]].

LowModerateHigh
SC-30(4)System and Communications Protection
Misleading Information

Employ realistic, but misleading information in [assignment] about its security state or posture.

LowModerateHigh
SC-30(5)System and Communications Protection
Concealment of System Components

Employ the following techniques to hide or conceal [assignment]: [assignment].

LowModerateHigh
SC-31System and Communications Protection
Covert Channel Analysis

Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [assignment] channels; and Estimate the maximum bandwidth of those

LowModerateHigh
SC-31(1)System and Communications Protection
Test Covert Channels for Exploitability

Test a subset of the identified covert channels to determine the channels that are exploitable.

LowModerateHigh
SC-31(2)System and Communications Protection
Maximum Bandwidth

Reduce the maximum bandwidth for identified covert [assignment] channels to [assignment].

LowModerateHigh
SC-31(3)System and Communications Protection
Measure Bandwidth in Operational Environments

Measure the bandwidth of [assignment] in the operational environment of the system.

LowModerateHigh
SC-32System and Communications Protection
System Partitioning

Partition the system into [assignment] residing in separate [assignment] domains or environments based on [assignment].

PR
LowModerateHigh
SC-32(1)System and Communications Protection
Separate Physical Domains for Privileged Functions

Partition privileged functions into separate physical domains.

LowModerateHigh
SC-33System and Communications Protection
Transmission Preparation Integrity

LowModerateHigh
SC-34System and Communications Protection
Non-modifiable Executable Programs

For [assignment] , load and execute: The operating environment from hardware-enforced, read-only media; and The following applications from hardware-enforced, read-only media: [assignment].

DEPR
LowModerateHigh
SC-34(1)System and Communications Protection
No Writable Storage

Employ [assignment] with no writeable storage that is persistent across component restart or power on/off.

LowModerateHigh
SC-34(2)System and Communications Protection
Integrity Protection on Read-only Media

Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media.

LowModerateHigh
SC-34(3)System and Communications Protection
Hardware-based Protection

LowModerateHigh
SC-35System and Communications Protection
External Malicious Code Identification

Include system components that proactively seek to identify network-based malicious code or malicious websites.

DE
LowModerateHigh
SC-36System and Communications Protection
Distributed Processing and Storage

Distribute the following processing and storage components across multiple [assignment]: [assignment].

PR
LowModerateHigh
SC-36(1)System and Communications Protection
Polling Techniques

Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [assignment] ; and Take the following actions in response to identifi

LowModerateHigh
SC-36(2)System and Communications Protection
Synchronization

Synchronize the following duplicate systems or system components: [assignment].

LowModerateHigh
SC-37System and Communications Protection
Out-of-band Channels

Employ the following out-of-band channels for the physical delivery or electronic transmission of [assignment] to [assignment]: [assignment].

LowModerateHigh
SC-37(1)System and Communications Protection
Ensure Delivery and Transmission

Employ [assignment] to ensure that only [assignment] receive the following information, system components, or devices: [assignment].

LowModerateHigh
SC-38System and Communications Protection
Operations Security

Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [assignment].

LowModerateHigh
SC-39System and Communications Protection
Process Isolation

Maintain a separate execution domain for each executing system process.

PR
LowModerateHigh
SC-39(1)System and Communications Protection
Hardware Separation

Implement hardware separation mechanisms to facilitate process isolation.

PR
LowModerateHigh
SC-39(2)System and Communications Protection
Separate Execution Domain Per Thread

Maintain a separate execution domain for each thread in [assignment].

LowModerateHigh
SC-40System and Communications Protection
Wireless Link Protection

Protect external and internal [assignment] from the following signal parameter attacks: [assignment].

PR
LowModerateHigh
SC-40(1)System and Communications Protection
Electromagnetic Interference

Implement cryptographic mechanisms that achieve [assignment] against the effects of intentional electromagnetic interference.

LowModerateHigh
SC-40(2)System and Communications Protection
Reduce Detection Potential

Implement cryptographic mechanisms to reduce the detection potential of wireless links to [assignment].

LowModerateHigh
SC-40(3)System and Communications Protection
Imitative or Manipulative Communications Deception

Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.

LowModerateHigh
SC-40(4)System and Communications Protection
Signal Parameter Identification

Implement cryptographic mechanisms to prevent the identification of [assignment] by using the transmitter signal parameters.

LowModerateHigh
SC-41System and Communications Protection
Port and I/O Device Access

[assignment] disable or remove [assignment] on the following systems or system components: [assignment].

LowModerateHigh
SC-42System and Communications Protection
Sensor Capability and Data

Prohibit [assignment] ; and Provide an explicit indication of sensor use to [assignment].

LowModerateHigh
SC-42(1)System and Communications Protection
Reporting to Authorized Individuals or Roles

Verify that the system is configured so that data or information collected by the [assignment] is only reported to authorized individuals or roles.

LowModerateHigh
SC-42(2)System and Communications Protection
Authorized Use

Employ the following measures so that data or information collected by [assignment] is only used for authorized purposes: [assignment].

LowModerateHigh
SC-42(3)System and Communications Protection
Prohibit Use of Devices

LowModerateHigh
SC-42(4)System and Communications Protection
Notice of Collection

Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by [assignment]: [assignment].

LowModerateHigh
SC-42(5)System and Communications Protection
Collection Minimization

Employ [assignment] that are configured to minimize the collection of information about individuals that is not needed.

LowModerateHigh
SC-43System and Communications Protection
Usage Restrictions

Establish usage restrictions and implementation guidelines for the following system components: [assignment] ; and Authorize, monitor, and control the use of such components within the system.

PR
LowModerateHigh
SC-44System and Communications Protection
Detonation Chambers

Employ a detonation chamber capability within [assignment].

LowModerateHigh
SC-45System and Communications Protection
System Time Synchronization

Synchronize system clocks within and between systems and system components.

LowModerateHigh
SC-45(1)System and Communications Protection
Synchronization with Authoritative Time Source

Compare the internal system clocks [assignment] with [assignment] ; and Synchronize the internal system clocks to the authoritative time source when the time difference is greater than [assignment].

LowModerateHigh
SC-45(2)System and Communications Protection
Secondary Authoritative Time Source

Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and Synchronize the internal system clocks to the secondary authorit

LowModerateHigh
SC-46System and Communications Protection
Cross Domain Policy Enforcement

Implement a policy enforcement mechanism [assignment] between the physical and/or network interfaces for the connecting security domains.

LowModerateHigh
SC-47System and Communications Protection
Alternate Communications Paths

Establish [assignment] for system operations organizational command and control.

LowModerateHigh
SC-48System and Communications Protection
Sensor Relocation

Relocate [assignment] to [assignment] under the following conditions or circumstances: [assignment].

LowModerateHigh
SC-48(1)System and Communications Protection
Dynamic Relocation of Sensors or Monitoring Capabilities

Dynamically relocate [assignment] to [assignment] under the following conditions or circumstances: [assignment].

LowModerateHigh
SC-49System and Communications Protection
Hardware-enforced Separation and Policy Enforcement

Implement hardware-enforced separation and policy enforcement mechanisms between [assignment].

PR
LowModerateHigh
SC-50System and Communications Protection
Software-enforced Separation and Policy Enforcement

Implement software-enforced separation and policy enforcement mechanisms between [assignment].

LowModerateHigh
SC-51System and Communications Protection
Hardware-based Protection

Employ hardware-based, write-protect for [assignment] ; and Implement specific procedures for [assignment] to manually disable hardware write-protect for firmware modifications and re-enable the write

PR
LowModerateHigh
SI-1System and Information Integrity
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] system and information integrity policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination am

GVID
LowModerateHigh
SI-2System and Information Integrity
Flaw Remediation

Identify, report, and correct system flaws; Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; Install security-relevant s

IDPR
LowModerateHigh
SI-2(1)System and Information Integrity
Central Management

LowModerateHigh
SI-2(2)System and Information Integrity
Automated Flaw Remediation Status

Determine if system components have applicable security-relevant software and firmware updates installed using [assignment] [assignment].

LowModerateHigh
SI-2(3)System and Information Integrity
Time to Remediate Flaws and Benchmarks for Corrective Actions

Measure the time between flaw identification and flaw remediation; and Establish the following benchmarks for taking corrective actions: [assignment].

LowModerateHigh
SI-2(4)System and Information Integrity
Automated Patch Management Tools

Employ automated patch management tools to facilitate flaw remediation to the following system components: [assignment].

LowModerateHigh
SI-2(5)System and Information Integrity
Automatic Software and Firmware Updates

Install [assignment] automatically to [assignment].

LowModerateHigh
SI-2(6)System and Information Integrity
Removal of Previous Versions of Software and Firmware

Remove previous versions of [assignment] after updated versions have been installed.

LowModerateHigh
SI-2(7)System and Information Integrity
Root Cause Analysis

Conduct root cause analysis to identify underlying causes of issues or failures. Develop actions to address the root cause of the issue or failure. Implement the actions and monitor the implementation

RS
LowModerateHigh
SI-3System and Information Integrity
Malicious Code Protection

Implement [assignment] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; Automatically update malicious code protection mechanisms as new rel

PR
LowModerateHigh
SI-3(1)System and Information Integrity
Central Management

LowModerateHigh
SI-3(2)System and Information Integrity
Automatic Updates

LowModerateHigh
SI-3(3)System and Information Integrity
Non-privileged Users

LowModerateHigh
SI-3(4)System and Information Integrity
Updates Only by Privileged Users

Update malicious code protection mechanisms only when directed by a privileged user.

LowModerateHigh
SI-3(5)System and Information Integrity
Portable Storage Devices

LowModerateHigh
SI-3(6)System and Information Integrity
Testing and Verification

Test malicious code protection mechanisms [assignment] by introducing known benign code into the system; and Verify that the detection of the code and the associated incident reporting occur.

LowModerateHigh
SI-3(7)System and Information Integrity
Nonsignature-based Detection

LowModerateHigh
SI-3(8)System and Information Integrity
Detect Unauthorized Commands

Detect the following unauthorized operating system commands through the kernel application programming interface on [assignment]: [assignment] ; and [assignment].

LowModerateHigh
SI-3(9)System and Information Integrity
Authenticate Remote Commands

LowModerateHigh
SI-3(10)System and Information Integrity
Malicious Code Analysis

Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: [assignment] ; and Incorporate the results from malicious code analysis into organizational inc

LowModerateHigh
SI-4System and Information Integrity
System Monitoring

Monitor the system to detect: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [assignment] ; and Unauthorized local, network, and remote connections

DEIDPR
LowModerateHigh
SI-4(1)System and Information Integrity
System-wide Intrusion Detection System

Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.

LowModerateHigh
SI-4(2)System and Information Integrity
Automated Tools and Mechanisms for Real-time Analysis

Employ automated tools and mechanisms to support near real-time analysis of events.

LowModerateHigh
SI-4(3)System and Information Integrity
Automated Tool and Mechanism Integration

Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.

LowModerateHigh
SI-4(4)System and Information Integrity
Inbound and Outbound Communications Traffic

Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; Monitor inbound and outbound communications traffic [assignment] for [assignmen

LowModerateHigh
SI-4(5)System and Information Integrity
System-generated Alerts

Alert [assignment] when the following system-generated indications of compromise or potential compromise occur: [assignment].

LowModerateHigh
SI-4(6)System and Information Integrity
Restrict Non-privileged Users

LowModerateHigh
SI-4(7)System and Information Integrity
Automated Response to Suspicious Events

Notify [assignment] of detected suspicious events; and Take the following actions upon detection: [assignment].

LowModerateHigh
SI-4(8)System and Information Integrity
Protection of Monitoring Information

LowModerateHigh
SI-4(9)System and Information Integrity
Testing of Monitoring Tools and Mechanisms

Test intrusion-monitoring tools and mechanisms [assignment].

LowModerateHigh
SI-4(10)System and Information Integrity
Visibility of Encrypted Communications

Make provisions so that [assignment] is visible to [assignment].

LowModerateHigh
SI-4(11)System and Information Integrity
Analyze Communications Traffic Anomalies

Analyze outbound communications traffic at the external interfaces to the system and selected [assignment] to discover anomalies.

LowModerateHigh
SI-4(12)System and Information Integrity
Automated Organization-generated Alerts

Alert [assignment] using [assignment] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [assignment].

LowModerateHigh
SI-4(13)System and Information Integrity
Analyze Traffic and Event Patterns

Analyze communications traffic and event patterns for the system; Develop profiles representing common traffic and event patterns; and Use the traffic and event profiles in tuning system-monitoring de

LowModerateHigh
SI-4(14)System and Information Integrity
Wireless Intrusion Detection

Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.

LowModerateHigh
SI-4(15)System and Information Integrity
Wireless to Wireline Communications

Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

LowModerateHigh
SI-4(16)System and Information Integrity
Correlate Monitoring Information

Correlate information from monitoring tools and mechanisms employed throughout the system.

LowModerateHigh
SI-4(17)System and Information Integrity
Integrated Situational Awareness

Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.

LowModerateHigh
SI-4(18)System and Information Integrity
Analyze Traffic and Covert Exfiltration

Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [assignment].

LowModerateHigh
SI-4(19)System and Information Integrity
Risk for Individuals

Implement [assignment] of individuals who have been identified by [assignment] as posing an increased level of risk.

LowModerateHigh
SI-4(20)System and Information Integrity
Privileged Users

Implement the following additional monitoring of privileged users: [assignment].

LowModerateHigh
SI-4(21)System and Information Integrity
Probationary Periods

Implement the following additional monitoring of individuals during [assignment]: [assignment].

LowModerateHigh
SI-4(22)System and Information Integrity
Unauthorized Network Services

Detect network services that have not been authorized or approved by [assignment] ; and [assignment] when detected.

LowModerateHigh
SI-4(23)System and Information Integrity
Host-based Devices

Implement the following host-based monitoring mechanisms at [assignment]: [assignment].

LowModerateHigh
SI-4(24)System and Information Integrity
Indicators of Compromise

Discover, collect, and distribute to [assignment] , indicators of compromise provided by [assignment].

LowModerateHigh
SI-4(25)System and Information Integrity
Optimize Network Traffic Analysis

Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.

LowModerateHigh
SI-5System and Information Integrity
Security Alerts, Advisories, and Directives

Receive system security alerts, advisories, and directives from [assignment] on an ongoing basis; Generate internal security alerts, advisories, and directives as deemed necessary; Disseminate securit

ID
LowModerateHigh
SI-5(1)System and Information Integrity
Automated Alerts and Advisories

Broadcast security alert and advisory information throughout the organization using [assignment].

LowModerateHigh
SI-6System and Information Integrity
Security and Privacy Function Verification

Verify the correct operation of [assignment]; Perform the verification of the functions specified in SI-6a [assignment]; Alert [assignment] to failed security and privacy verification tests; and [assi

LowModerateHigh
SI-6(1)System and Information Integrity
Notification of Failed Security Tests

LowModerateHigh
SI-6(2)System and Information Integrity
Automation Support for Distributed Testing

Implement automated mechanisms to support the management of distributed security and privacy function testing.

LowModerateHigh
SI-6(3)System and Information Integrity
Report Verification Results

Report the results of security and privacy function verification to [assignment].

LowModerateHigh
SI-7System and Information Integrity
Software, Firmware, and Information Integrity

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [assignment] ; and Take the following actions when unauthorized changes to the

DEIDPR
LowModerateHigh
SI-7(1)System and Information Integrity
Integrity Checks

Perform an integrity check of [assignment] [assignment].

LowModerateHigh
SI-7(2)System and Information Integrity
Automated Notifications of Integrity Violations

Employ automated tools that provide notification to [assignment] upon discovering discrepancies during integrity verification.

LowModerateHigh
SI-7(3)System and Information Integrity
Centrally Managed Integrity Tools

Employ centrally managed integrity verification tools.

LowModerateHigh
SI-7(4)System and Information Integrity
Tamper-evident Packaging

LowModerateHigh
SI-7(5)System and Information Integrity
Automated Response to Integrity Violations

Automatically [assignment] when integrity violations are discovered.

LowModerateHigh
SI-7(6)System and Information Integrity
Cryptographic Protection

Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

LowModerateHigh
SI-7(7)System and Information Integrity
Integration of Detection and Response

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [assignment].

LowModerateHigh
SI-7(8)System and Information Integrity
Auditing Capability for Significant Events

Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [assignment].

LowModerateHigh
SI-7(9)System and Information Integrity
Verify Boot Process

Verify the integrity of the boot process of the following system components: [assignment].

LowModerateHigh
SI-7(10)System and Information Integrity
Protection of Boot Firmware

Implement the following mechanisms to protect the integrity of boot firmware in [assignment]: [assignment].

LowModerateHigh
SI-7(11)System and Information Integrity
Confined Environments with Limited Privileges

LowModerateHigh
SI-7(12)System and Information Integrity
Integrity Verification

Require that the integrity of the following user-installed software be verified prior to execution: [assignment].

LowModerateHigh
SI-7(13)System and Information Integrity
Code Execution in Protected Environments

LowModerateHigh
SI-7(14)System and Information Integrity
Binary or Machine Executable Code

LowModerateHigh
SI-7(15)System and Information Integrity
Code Authentication

Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [assignment].

LowModerateHigh
SI-7(16)System and Information Integrity
Time Limit on Process Execution Without Supervision

Prohibit processes from executing without supervision for more than [assignment].

LowModerateHigh
SI-7(17)System and Information Integrity
Runtime Application Self-protection

Implement [assignment] for application self-protection at runtime.

LowModerateHigh
SI-8System and Information Integrity
Spam Protection

Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and Update spam protection mechanisms when new releases are available in accordance with or

LowModerateHigh
SI-8(1)System and Information Integrity
Central Management

LowModerateHigh
SI-8(2)System and Information Integrity
Automatic Updates

Automatically update spam protection mechanisms [assignment].

LowModerateHigh
SI-8(3)System and Information Integrity
Continuous Learning Capability

Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.

LowModerateHigh
SI-9System and Information Integrity
Information Input Restrictions

LowModerateHigh
SI-10System and Information Integrity
Information Input Validation

Check the validity of the following information inputs: [assignment].

PR
LowModerateHigh
SI-10(1)System and Information Integrity
Manual Override Capability

Provide a manual override capability for input validation of the following information inputs: [assignment]; Restrict the use of the manual override capability to only [assignment] ; and Audit the use

LowModerateHigh
SI-10(2)System and Information Integrity
Review and Resolve Errors

Review and resolve input validation errors within [assignment].

LowModerateHigh
SI-10(3)System and Information Integrity
Predictable Behavior

Verify that the system behaves in a predictable and documented manner when invalid inputs are received.

LowModerateHigh
SI-10(4)System and Information Integrity
Timing Interactions

Account for timing interactions among system components in determining appropriate responses for invalid inputs.

LowModerateHigh
SI-10(5)System and Information Integrity
Restrict Inputs to Trusted Sources and Approved Formats

Restrict the use of information inputs to [assignment] and/or [assignment].

LowModerateHigh
SI-10(6)System and Information Integrity
Injection Prevention

Prevent untrusted data injections.

LowModerateHigh
SI-11System and Information Integrity
Error Handling

Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and Reveal error messages only to [assignment].

LowModerateHigh
SI-12System and Information Integrity
Information Management and Retention

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines an

ID
LowModerateHigh
SI-12(1)System and Information Integrity
Limit Personally Identifiable Information Elements

Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: [assignment].

LowModerateHigh
SI-12(2)System and Information Integrity
Minimize Personally Identifiable Information in Testing, Training, and Research

Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: [assignment].

LowModerateHigh
SI-12(3)System and Information Integrity
Information Disposal

Use the following techniques to dispose of, destroy, or erase information following the retention period: [assignment].

LowModerateHigh
SI-13System and Information Integrity
Predictable Failure Prevention

Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [assignment] ; and Provide substitute system components and a means to exchange active

PR
LowModerateHigh
SI-13(1)System and Information Integrity
Transferring Component Responsibilities

Take system components out of service by transferring component responsibilities to substitute components no later than [assignment] of mean time to failure.

LowModerateHigh
SI-13(2)System and Information Integrity
Time Limit on Process Execution Without Supervision

LowModerateHigh
SI-13(3)System and Information Integrity
Manual Transfer Between Components

Manually initiate transfers between active and standby system components when the use of the active component reaches [assignment] of the mean time to failure.

LowModerateHigh
SI-13(4)System and Information Integrity
Standby Component Installation and Notification

If system component failures are detected: Ensure that the standby components are successfully and transparently installed within [assignment] ; and [assignment].

LowModerateHigh
SI-13(5)System and Information Integrity
Failover Capability

Provide [assignment] [assignment] for the system.

LowModerateHigh
SI-14System and Information Integrity
Non-persistence

Implement non-persistent [assignment] that are initiated in a known state and terminated [assignment].

LowModerateHigh
SI-14(1)System and Information Integrity
Refresh from Trusted Sources

Obtain software and data employed during system component and service refreshes from the following trusted sources: [assignment].

LowModerateHigh
SI-14(2)System and Information Integrity
Non-persistent Information

[assignment] ; and Delete information when no longer needed.

LowModerateHigh
SI-14(3)System and Information Integrity
Non-persistent Connectivity

Establish connections to the system on demand and terminate connections after [assignment].

LowModerateHigh
SI-15System and Information Integrity
Information Output Filtering

Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: [assignment].

LowModerateHigh
SI-16System and Information Integrity
Memory Protection

Implement the following controls to protect the system memory from unauthorized code execution: [assignment].

PR
LowModerateHigh
SI-17System and Information Integrity
Fail-safe Procedures

Implement the indicated fail-safe procedures when the indicated failures occur: [assignment].

LowModerateHigh
SI-18System and Information Integrity
Personally Identifiable Information Quality Operations

Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [assignment] ; and Correct or delete inaccurate or outdated persona

ID
LowModerateHigh
SI-18(1)System and Information Integrity
Automation Support

Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using [assignment].

LowModerateHigh
SI-18(2)System and Information Integrity
Data Tags

Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.

LowModerateHigh
SI-18(3)System and Information Integrity
Collection

Collect personally identifiable information directly from the individual.

LowModerateHigh
SI-18(4)System and Information Integrity
Individual Requests

Correct or delete personally identifiable information upon request by individuals or their designated representatives.

LowModerateHigh
SI-18(5)System and Information Integrity
Notice of Correction or Deletion

Notify [assignment] and individuals that the personally identifiable information has been corrected or deleted.

LowModerateHigh
SI-19System and Information Integrity
De-identification

Remove the following elements of personally identifiable information from datasets: [assignment] ; and Evaluate [assignment] for effectiveness of de-identification.

LowModerateHigh
SI-19(1)System and Information Integrity
Collection

De-identify the dataset upon collection by not collecting personally identifiable information.

LowModerateHigh
SI-19(2)System and Information Integrity
Archiving

Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived.

LowModerateHigh
SI-19(3)System and Information Integrity
Release

Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.

LowModerateHigh
SI-19(4)System and Information Integrity
Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers

Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.

LowModerateHigh
SI-19(5)System and Information Integrity
Statistical Disclosure Control

Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis.

LowModerateHigh
SI-19(6)System and Information Integrity
Differential Privacy

Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported.

LowModerateHigh
SI-19(7)System and Information Integrity
Validated Algorithms and Software

Perform de-identification using validated algorithms and software that is validated to implement the algorithms.

LowModerateHigh
SI-19(8)System and Information Integrity
Motivated Intruder

Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.

LowModerateHigh
SI-20System and Information Integrity
Tainting

Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: [assignment].

LowModerateHigh
SI-21System and Information Integrity
Information Refresh

Refresh [assignment] at [assignment] or generate the information on demand and delete the information when no longer needed.

LowModerateHigh
SI-22System and Information Integrity
Information Diversity

Identify the following alternative sources of information for [assignment]: [assignment] ; and Use an alternative information source for the execution of essential functions or services on [assignment

LowModerateHigh
SI-23System and Information Integrity
Information Fragmentation

Based on [assignment]: Fragment the following information: [assignment] ; and Distribute the fragmented information across the following systems or system components: [assignment].

LowModerateHigh
SR-1Supply Chain Risk Management
Policy and Procedures

Develop, document, and disseminate to [assignment]: [assignment] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among

GVID
LowModerateHigh
SR-2Supply Chain Risk Management
Supply Chain Risk Management Plan

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the

GVID
LowModerateHigh
SR-2(1)Supply Chain Risk Management
Establish SCRM Team

Establish a supply chain risk management team consisting of [assignment] to lead and support the following SCRM activities: [assignment].

LowModerateHigh
SR-3Supply Chain Risk Management
Supply Chain Controls and Processes

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [assignment] in coordination with [assignment]; Employ the following c

GVRS
LowModerateHigh
SR-3(1)Supply Chain Risk Management
Diverse Supply Base

Employ a diverse set of sources for the following system components and services: [assignment].

LowModerateHigh
SR-3(2)Supply Chain Risk Management
Limitation of Harm

Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [assignment].

LowModerateHigh
SR-3(3)Supply Chain Risk Management
Sub-tier Flow Down

Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.

LowModerateHigh
SR-4Supply Chain Risk Management
Provenance

Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [assignment].

LowModerateHigh
SR-4(1)Supply Chain Risk Management
Identity

Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: [assignment].

LowModerateHigh
SR-4(2)Supply Chain Risk Management
Track and Trace

Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: [assignment].

LowModerateHigh
SR-4(3)Supply Chain Risk Management
Validate as Genuine and Not Altered

Employ the following controls to validate that the system or system component received is genuine and has not been altered: [assignment].

LowModerateHigh
SR-4(4)Supply Chain Risk Management
Supply Chain Integrity — Pedigree

Employ [assignment] and conduct [assignment] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technolo

LowModerateHigh
SR-5Supply Chain Risk Management
Acquisition Strategies, Tools, and Methods

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [assignment].

GVID
LowModerateHigh
SR-5(1)Supply Chain Risk Management
Adequate Supply

Employ the following controls to ensure an adequate supply of [assignment]: [assignment].

LowModerateHigh
SR-5(2)Supply Chain Risk Management
Assessments Prior to Selection, Acceptance, Modification, or Update

Assess the system, system component, or system service prior to selection, acceptance, modification, or update.

LowModerateHigh
SR-6Supply Chain Risk Management
Supplier Assessments and Reviews

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [assignment].

GVID
LowModerateHigh
SR-6(1)Supply Chain Risk Management
Testing and Analysis

Employ [assignment] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [assignment].

LowModerateHigh
SR-7Supply Chain Risk Management
Supply Chain Operations Security

Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [assignment].

LowModerateHigh
SR-8Supply Chain Risk Management
Notification Agreements

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [assignment].

GVRCRS
LowModerateHigh
SR-9Supply Chain Risk Management
Tamper Resistance and Detection

Implement a tamper protection program for the system, system component, or system service.

LowModerateHigh
SR-9(1)Supply Chain Risk Management
Multiple Stages of System Development Life Cycle

Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle.

LowModerateHigh
SR-10Supply Chain Risk Management
Inspection of Systems or Components

Inspect the following systems or system components [assignment] to detect tampering: [assignment].

GVID
LowModerateHigh
SR-11Supply Chain Risk Management
Component Authenticity

Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and Report counterfeit system components to [

ID
LowModerateHigh
SR-11(1)Supply Chain Risk Management
Anti-counterfeit Training

Train [assignment] to detect counterfeit system components (including hardware, software, and firmware).

LowModerateHigh
SR-11(2)Supply Chain Risk Management
Configuration Control for Component Service and Repair

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [assignment].

LowModerateHigh
SR-11(3)Supply Chain Risk Management
Anti-counterfeit Scanning

Scan for counterfeit system components [assignment].

LowModerateHigh
SR-12Supply Chain Risk Management
Component Disposal

Dispose of [assignment] using the following techniques and methods: [assignment].

ID
LowModerateHigh