| Control | Control Name | Note |
|---|---|---|
| AC-01 | Policy and Procedures | |
| AC-02 | Account Management | |
| AC-03 | Access Enforcement | |
| AC-04 | Information Flow Enforcement | |
| AC-05 | Separation of Duties | |
| AC-06 | Least Privilege | |
| AC-07 | Unsuccessful Logon Attempts | |
| AC-08 | System Use Notification | |
| AC-09 | Previous Logon Notification | |
| AC-10 | Concurrent Session Control | |
| AC-11 | Device Lock | |
| AC-12 | Session Termination | |
| AC-13 | Supervision and Review — Access Control | Incorporated into AC-2 and AU-6. |
| AC-14 | Permitted Actions Without Identification or Authentication | |
| AC-15 | Automated Marking | Incorporated into MP-3. |
| AC-16 | Security and Privacy Attributes | |
| AC-17 | Remote Access | |
| AC-18 | Wireless Access | |
| AC-19 | Access Control for Mobile Devices | |
| AC-20 | Use of External Systems | |
| AC-21 | Information Sharing | |
| AC-22 | Publicly Accessible Content | |
| AC-23 | Data Mining Protection | |
| AC-24 | Access Control Decisions | |
| AC-25 | Reference Monitor | |
| AT-01 | Policy and Procedures | |
| AT-02 | Literacy Training and Awareness | |
| AT-03 | Role-based Training | |
| AT-04 | Training Records | |
| AT-05 | Contacts with Security Groups and Associations | Incorporated into PM-15. |
| AT-06 | Training Feedback | |
| AU-01 | Policy and Procedures | |
| AU-02 | Event Logging | |
| AU-03 | Content of Audit Records | |
| AU-04 | Audit Log Storage Capacity | |
| AU-05 | Response to Audit Logging Process Failures | |
| AU-06 | Audit Record Review, Analysis, and Reporting | |
| AU-07 | Audit Record Reduction and Report Generation | |
| AU-08 | Time Stamps | |
| AU-09 | Protection of Audit Information | |
| AU-10 | Non-repudiation | |
| AU-11 | Audit Record Retention | |
| AU-12 | Audit Record Generation | |
| AU-13 | Monitoring for Information Disclosure | |
| AU-14 | Session Audit | |
| AU-15 | Alternate Audit Logging Capability | Moved to AU-5.5. |
| AU-16 | Cross-organizational Audit Logging | |
| CA-01 | Policy and Procedures | |
| CA-02 | Control Assessments | |
| CA-03 | Information Exchange | |
| CA-04 | Security Certification | Incorporated into CA-2. |
| CA-05 | Plan of Action and Milestones | |
| CA-06 | Authorization | |
| CA-07 | Continuous Monitoring | |
| CA-08 | Penetration Testing | |
| CA-09 | Internal System Connections | |
| CM-01 | Policy and Procedures | |
| CM-02 | Baseline Configuration | |
| CM-03 | Configuration Change Control | |
| CM-04 | Impact Analyses | |
| CM-05 | Access Restrictions for Change | |
| CM-06 | Configuration Settings | |
| CM-07 | Least Functionality | |
| CM-08 | System Component Inventory | |
| CM-09 | Configuration Management Plan | |
| CM-10 | Software Usage Restrictions | |
| CM-11 | User-installed Software | |
| CM-12 | Information Location | |
| CM-13 | Data Action Mapping | |
| CM-14 | Signed Components | |
| CP-01 | Policy and Procedures | |
| CP-02 | Contingency Plan | |
| CP-03 | Contingency Training | |
| CP-04 | Contingency Plan Testing | |
| CP-05 | Contingency Plan Update | Incorporated into CP-2. |
| CP-06 | Alternate Storage Site | |
| CP-07 | Alternate Processing Site | |
| CP-08 | Telecommunications Services | |
| CP-09 | System Backup | |
| CP-10 | System Recovery and Reconstitution | |
| CP-11 | Alternate Communications Protocols | |
| CP-12 | Safe Mode | |
| CP-13 | Alternative Security Mechanisms | |
| IA-01 | Policy and Procedures | |
| IA-02 | Identification and Authentication (Organizational Users) | |
| IA-03 | Device Identification and Authentication | |
| IA-04 | Identifier Management | |
| IA-05 | Authenticator Management | |
| IA-06 | Authentication Feedback | |
| IA-07 | Cryptographic Module Authentication | |
| IA-08 | Identification and Authentication (Non-organizational Users) | |
| IA-09 | Service Identification and Authentication | |
| IA-10 | Adaptive Authentication | |
| IA-11 | Re-authentication | |
| IA-12 | Identity Proofing | |
| IA-13 | Identity Providers and Authorization Servers | |
| IR-01 | Policy and Procedures | |
| IR-02 | Incident Response Training | |
| IR-03 | Incident Response Testing | |
| IR-04 | Incident Handling | |
| IR-05 | Incident Monitoring | |
| IR-06 | Incident Reporting | |
| IR-07 | Incident Response Assistance | |
| IR-08 | Incident Response Plan | |
| IR-09 | Information Spillage Response | |
| IR-10 | Integrated Information Security Analysis Team | Moved to IR-4.11. |
| MA-01 | Policy and Procedures | |
| MA-02 | Controlled Maintenance | |
| MA-03 | Maintenance Tools | |
| MA-04 | Nonlocal Maintenance | |
| MA-05 | Maintenance Personnel | |
| MA-06 | Timely Maintenance | |
| MA-07 | Field Maintenance | |
| MP-01 | Policy and Procedures | |
| MP-02 | Media Access | |
| MP-03 | Media Marking | |
| MP-04 | Media Storage | |
| MP-05 | Media Transport | |
| MP-06 | Media Sanitization | |
| MP-07 | Media Use | |
| MP-08 | Media Downgrading | |
| PE-01 | Policy and Procedures | |
| PE-02 | Physical Access Authorizations | |
| PE-03 | Physical Access Control | |
| PE-04 | Access Control for Transmission | |
| PE-05 | Access Control for Output Devices | |
| PE-06 | Monitoring Physical Access | |
| PE-07 | Visitor Control | Incorporated into PE-2 and PE-3. |
| PE-08 | Visitor Access Records | |
| PE-09 | Power Equipment and Cabling | |
| PE-10 | Emergency Shutoff | |
| PE-11 | Emergency Power | |
| PE-12 | Emergency Lighting | |
| PE-13 | Fire Protection | |
| PE-14 | Environmental Controls | |
| PE-15 | Water Damage Protection | |
| PE-16 | Delivery and Removal | |
| PE-17 | Alternate Work Site | |
| PE-18 | Location of System Components | |
| PE-19 | Information Leakage | |
| PE-20 | Asset Monitoring and Tracking | |
| PE-21 | Electromagnetic Pulse Protection | |
| PE-22 | Component Marking | |
| PE-23 | Facility Location | |
| PL-01 | Policy and Procedures | |
| PL-02 | System Security and Privacy Plans | |
| PL-03 | System Security Plan Update | Incorporated into PL-2. |
| PL-04 | Rules of Behavior | |
| PL-05 | Privacy Impact Assessment | Incorporated into RA-8. |
| PL-06 | Security-related Activity Planning | Incorporated into PL-2. |
| PL-07 | Concept of Operations | |
| PL-08 | Security and Privacy Architectures | |
| PL-09 | Central Management | |
| PL-10 | Baseline Selection | |
| PL-11 | Baseline Tailoring | |
| PM-01 | Information Security Program Plan | |
| PM-02 | Information Security Program Leadership Role | |
| PM-03 | Information Security and Privacy Resources | |
| PM-04 | Plan of Action and Milestones Process | |
| PM-05 | System Inventory | |
| PM-06 | Measures of Performance | |
| PM-07 | Enterprise Architecture | |
| PM-08 | Critical Infrastructure Plan | |
| PM-09 | Risk Management Strategy | |
| PM-10 | Authorization Process | |
| PM-11 | Mission and Business Process Definition | |
| PM-12 | Insider Threat Program | |
| PM-13 | Security and Privacy Workforce | |
| PM-14 | Testing, Training, and Monitoring | |
| PM-15 | Security and Privacy Groups and Associations | |
| PM-16 | Threat Awareness Program | |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | |
| PM-18 | Privacy Program Plan | |
| PM-19 | Privacy Program Leadership Role | |
| PM-20 | Dissemination of Privacy Program Information | |
| PM-21 | Accounting of Disclosures | |
| PM-22 | Personally Identifiable Information Quality Management | |
| PM-23 | Data Governance Body | |
| PM-24 | Data Integrity Board | |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | |
| PM-26 | Complaint Management | |
| PM-27 | Privacy Reporting | |
| PM-28 | Risk Framing | |
| PM-29 | Risk Management Program Leadership Roles | |
| PM-30 | Supply Chain Risk Management Strategy | |
| PM-31 | Continuous Monitoring Strategy | |
| PM-32 | Purposing | |
| PS-01 | Policy and Procedures | |
| PS-02 | Position Risk Designation | |
| PS-03 | Personnel Screening | |
| PS-04 | Personnel Termination | |
| PS-05 | Personnel Transfer | |
| PS-06 | Access Agreements | |
| PS-07 | External Personnel Security | |
| PS-08 | Personnel Sanctions | |
| PS-09 | Position Descriptions | |
| PT-01 | Policy and Procedures | |
| PT-02 | Authority to Process Personally Identifiable Information | |
| PT-03 | Personally Identifiable Information Processing Purposes | |
| PT-04 | Consent | |
| PT-05 | Privacy Notice | |
| PT-06 | System of Records Notice | |
| PT-07 | Specific Categories of Personally Identifiable Information | |
| PT-08 | Computer Matching Requirements | |
| RA-01 | Policy and Procedures | |
| RA-02 | Security Categorization | |
| RA-03 | Risk Assessment | |
| RA-04 | Risk Assessment Update | Incorporated into RA-3. |
| RA-05 | Vulnerability Monitoring and Scanning | |
| RA-06 | Technical Surveillance Countermeasures Survey | |
| RA-07 | Risk Response | |
| RA-08 | Privacy Impact Assessments | |
| RA-09 | Criticality Analysis | |
| RA-10 | Threat Hunting | |
| SA-01 | Policy and Procedures | |
| SA-02 | Allocation of Resources | |
| SA-03 | System Development Life Cycle | |
| SA-04 | Acquisition Process | |
| SA-05 | System Documentation | |
| SA-06 | Software Usage Restrictions | Incorporated into CM-10 and SI-7. |
| SA-07 | User-installed Software | Incorporated into CM-11 and SI-7. |
| SA-08 | Security and Privacy Engineering Principles | |
| SA-09 | External System Services | |
| SA-10 | Developer Configuration Management | |
| SA-11 | Developer Testing and Evaluation | |
| SA-12 | Supply Chain Protection | Incorporated into SR. |
| SA-13 | Trustworthiness | Incorporated into SA-8. |
| SA-14 | Criticality Analysis | Incorporated into RA-9. |
| SA-15 | Development Process, Standards, and Tools | |
| SA-16 | Developer-provided Training | |
| SA-17 | Developer Security and Privacy Architecture and Design | |
| SA-18 | Tamper Resistance and Detection | Moved to SR-9. |
| SA-19 | Component Authenticity | Moved to SR-11. |
| SA-20 | Customized Development of Critical Components | |
| SA-21 | Developer Screening | |
| SA-22 | Unsupported System Components | |
| SA-23 | Specialization | |
| SA-24 | Design For Cyber Resiliency | |
| SC-01 | Policy and Procedures | |
| SC-02 | Separation of System and User Functionality | |
| SC-03 | Security Function Isolation | |
| SC-04 | Information in Shared System Resources | |
| SC-05 | Denial-of-service Protection | |
| SC-06 | Resource Availability | |
| SC-07 | Boundary Protection | |
| SC-08 | Transmission Confidentiality and Integrity | |
| SC-09 | Transmission Confidentiality | Incorporated into SC-8. |
| SC-10 | Network Disconnect | |
| SC-11 | Trusted Path | |
| SC-12 | Cryptographic Key Establishment and Management | |
| SC-13 | Cryptographic Protection | |
| SC-14 | Public Access Protections | Incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, and SI-10. |
| SC-15 | Collaborative Computing Devices and Applications | |
| SC-16 | Transmission of Security and Privacy Attributes | |
| SC-17 | Public Key Infrastructure Certificates | |
| SC-18 | Mobile Code | |
| SC-19 | Voice Over Internet Protocol | |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | |
| SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | |
| SC-23 | Session Authenticity | |
| SC-24 | Fail in Known State | |
| SC-25 | Thin Nodes | |
| SC-26 | Decoys | |
| SC-27 | Platform-independent Applications | |
| SC-28 | Protection of Information at Rest | |
| SC-29 | Heterogeneity | |
| SC-30 | Concealment and Misdirection | |
| SC-31 | Covert Channel Analysis | |
| SC-32 | System Partitioning | |
| SC-33 | Transmission Preparation Integrity | Incorporated into SC-8. |
| SC-34 | Non-modifiable Executable Programs | |
| SC-35 | External Malicious Code Identification | |
| SC-36 | Distributed Processing and Storage | |
| SC-37 | Out-of-band Channels | |
| SC-38 | Operations Security | |
| SC-39 | Process Isolation | |
| SC-40 | Wireless Link Protection | |
| SC-41 | Port and I/O Device Access | |
| SC-42 | Sensor Capability and Data | |
| SC-43 | Usage Restrictions | |
| SC-44 | Detonation Chambers | |
| SC-45 | System Time Synchronization | |
| SC-46 | Cross Domain Policy Enforcement | |
| SC-47 | Alternate Communications Paths | |
| SC-48 | Sensor Relocation | |
| SC-49 | Hardware-enforced Separation and Policy Enforcement | |
| SC-50 | Software-enforced Separation and Policy Enforcement | |
| SC-51 | Hardware-based Protection | |
| SI-01 | Policy and Procedures | |
| SI-02 | Flaw Remediation | |
| SI-03 | Malicious Code Protection | |
| SI-04 | System Monitoring | |
| SI-05 | Security Alerts, Advisories, and Directives | |
| SI-06 | Security and Privacy Function Verification | |
| SI-07 | Software, Firmware, and Information Integrity | |
| SI-08 | Spam Protection | |
| SI-09 | Information Input Restrictions | Incorporated into AC-2, AC-3, AC-5, and AC-6. |
| SI-10 | Information Input Validation | |
| SI-11 | Error Handling | |
| SI-12 | Information Management and Retention | |
| SI-13 | Predictable Failure Prevention | |
| SI-14 | Non-persistence | |
| SI-15 | Information Output Filtering | |
| SI-16 | Memory Protection | |
| SI-17 | Fail-safe Procedures | |
| SI-18 | Personally Identifiable Information Quality Operations | |
| SI-19 | De-identification | |
| SI-20 | Tainting | |
| SI-21 | Information Refresh | |
| SI-22 | Information Diversity | |
| SI-23 | Information Fragmentation | |
| SR-01 | Policy and Procedures | |
| SR-02 | Supply Chain Risk Management Plan | |
| SR-03 | Supply Chain Controls and Processes | |
| SR-04 | Provenance | |
| SR-05 | Acquisition Strategies, Tools, and Methods | |
| SR-06 | Supplier Assessments and Reviews | |
| SR-07 | Supply Chain Operations Security | |
| SR-08 | Notification Agreements | |
| SR-09 | Tamper Resistance and Detection | |
| SR-10 | Inspection of Systems or Components | |
| SR-11 | Component Authenticity | |
| SR-12 | Component Disposal | |