Controls
Controls are policy- and technology-agnostic mechanisms for safeguarding information systems against compromises of the confidentiality, integrity, and/or availability of those systems.
Inventory
| Number | Title | Low | Moderate | High | Privacy |
|---|---|---|---|---|---|
| AC-01 | Policy and Procedures | ||||
| AC-02 | Account Management | ||||
| AC-02(01) | Automated System Account Management | ||||
| AC-02(02) | Automated Temporary and Emergency Account Management | ||||
| AC-02(03) | Disable Accounts | ||||
| AC-02(04) | Automated Audit Actions | ||||
| AC-02(05) | Inactivity Logout | ||||
| AC-02(06) | Dynamic Privilege Management | ||||
| AC-02(07) | Privileged User Accounts | ||||
| AC-02(08) | Dynamic Account Management | ||||
| AC-02(09) | Restrictions on Use of Shared and Group Accounts | ||||
| AC-02(10) | Shared and Group Account Credential Change | Incorporated into AC-2_SMT.K. | |||
| AC-02(11) | Usage Conditions | ||||
| AC-02(12) | Account Monitoring for Atypical Usage | ||||
| AC-02(13) | Disable Accounts for High-risk Individuals | ||||
| AC-03 | Access Enforcement | ||||
| AC-03(01) | Restricted Access to Privileged Functions | Incorporated into AC-6. | |||
| AC-03(02) | Dual Authorization | ||||
| AC-03(03) | Mandatory Access Control | ||||
| AC-03(04) | Discretionary Access Control | ||||
| AC-03(05) | Security-relevant Information | ||||
| AC-03(06) | Protection of User and System Information | Incorporated into MP-4 AND SC-28. | |||
| AC-03(07) | Role-based Access Control | ||||
| AC-03(08) | Revocation of Access Authorizations | ||||
| AC-03(09) | Controlled Release | ||||
| AC-03(10) | Audited Override of Access Control Mechanisms | ||||
| AC-03(11) | Restrict Access to Specific Information Types | ||||
| AC-03(12) | Assert and Enforce Application Access | ||||
| AC-03(13) | Attribute-based Access Control | ||||
| AC-03(14) | Individual Access | ||||
| AC-03(15) | Discretionary and Mandatory Access Control | ||||
| AC-04 | Information Flow Enforcement | ||||
| AC-04(01) | Object Security and Privacy Attributes | ||||
| AC-04(02) | Processing Domains | ||||
| AC-04(03) | Dynamic Information Flow Control | ||||
| AC-04(04) | Flow Control of Encrypted Information | ||||
| AC-04(05) | Embedded Data Types | ||||
| AC-04(06) | Metadata | ||||
| AC-04(07) | One-way Flow Mechanisms | ||||
| AC-04(08) | Security and Privacy Policy Filters | ||||
| AC-04(09) | Human Reviews | ||||
| AC-04(10) | Enable and Disable Security or Privacy Policy Filters | ||||
| AC-04(11) | Configuration of Security or Privacy Policy Filters | ||||
| AC-04(12) | Data Type Identifiers | ||||
| AC-04(13) | Decomposition into Policy-relevant Subcomponents | ||||
| AC-04(14) | Security or Privacy Policy Filter Constraints | ||||
| AC-04(15) | Detection of Unsanctioned Information | ||||
| AC-04(16) | Information Transfers on Interconnected Systems | Incorporated into AC-4. | |||
| AC-04(17) | Domain Authentication | ||||
| AC-04(18) | Security Attribute Binding | Incorporated into AC-16. | |||
| AC-04(19) | Validation of Metadata | ||||
| AC-04(20) | Approved Solutions | ||||
| AC-04(21) | Physical or Logical Separation of Information Flows | ||||
| AC-04(22) | Access Only | ||||
| AC-04(23) | Modify Non-releasable Information | ||||
| AC-04(24) | Internal Normalized Format | ||||
| AC-04(25) | Data Sanitization | ||||
| AC-04(26) | Audit Filtering Actions | ||||
| AC-04(27) | Redundant/Independent Filtering Mechanisms | ||||
| AC-04(28) | Linear Filter Pipelines | ||||
| AC-04(29) | Filter Orchestration Engines | ||||
| AC-04(30) | Filter Mechanisms Using Multiple Processes | ||||
| AC-04(31) | Failed Content Transfer Prevention | ||||
| AC-04(32) | Process Requirements for Information Transfer | ||||
| AC-05 | Separation of Duties | ||||
| AC-06 | Least Privilege | ||||
| AC-06(01) | Authorize Access to Security Functions | ||||
| AC-06(02) | Non-privileged Access for Nonsecurity Functions | ||||
| AC-06(03) | Network Access to Privileged Commands | ||||
| AC-06(04) | Separate Processing Domains | ||||
| AC-06(05) | Privileged Accounts | ||||
| AC-06(06) | Privileged Access by Non-organizational Users | ||||
| AC-06(07) | Review of User Privileges | ||||
| AC-06(08) | Privilege Levels for Code Execution | ||||
| AC-06(09) | Log Use of Privileged Functions | ||||
| AC-06(10) | Prohibit Non-privileged Users from Executing Privileged Functions | ||||
| AC-07 | Unsuccessful Logon Attempts | ||||
| AC-07(01) | Automatic Account Lock | Incorporated into AC-7. | |||
| AC-07(02) | Purge or Wipe Mobile Device | ||||
| AC-07(03) | Biometric Attempt Limiting | ||||
| AC-07(04) | Use of Alternate Authentication Factor | ||||
| AC-08 | System Use Notification | ||||
| AC-09 | Previous Logon Notification | ||||
| AC-09(01) | Unsuccessful Logons | ||||
| AC-09(02) | Successful and Unsuccessful Logons | ||||
| AC-09(03) | Notification of Account Changes | ||||
| AC-09(04) | Additional Logon Information | ||||
| AC-10 | Concurrent Session Control | ||||
| AC-11 | Device Lock | ||||
| AC-11(01) | Pattern-hiding Displays | ||||
| AC-12 | Session Termination | ||||
| AC-12(01) | User-initiated Logouts | ||||
| AC-12(02) | Termination Message | ||||
| AC-12(03) | Timeout Warning Message | ||||
| AC-13 | Supervision and Review — Access Control | Incorporated into AC-2 AND AU-6. | |||
| AC-14 | Permitted Actions Without Identification or Authentication | ||||
| AC-14(01) | Necessary Uses | Incorporated into AC-14. | |||
| AC-15 | Automated Marking | Incorporated into MP-3. | |||
| AC-16 | Security and Privacy Attributes | ||||
| AC-16(01) | Dynamic Attribute Association | ||||
| AC-16(02) | Attribute Value Changes by Authorized Individuals | ||||
| AC-16(03) | Maintenance of Attribute Associations by System | ||||
| AC-16(04) | Association of Attributes by Authorized Individuals | ||||
| AC-16(05) | Attribute Displays on Objects to Be Output | ||||
| AC-16(06) | Maintenance of Attribute Association | ||||
| AC-16(07) | Consistent Attribute Interpretation | ||||
| AC-16(08) | Association Techniques and Technologies | ||||
| AC-16(09) | Attribute Reassignment — Regrading Mechanisms | ||||
| AC-16(10) | Attribute Configuration by Authorized Individuals | ||||
| AC-17 | Remote Access | ||||
| AC-17(01) | Monitoring and Control | ||||
| AC-17(02) | Protection of Confidentiality and Integrity Using Encryption | ||||
| AC-17(03) | Managed Access Control Points | ||||
| AC-17(04) | Privileged Commands and Access | ||||
| AC-17(05) | Monitoring for Unauthorized Connections | Incorporated into SI-4. | |||
| AC-17(06) | Protection of Mechanism Information | ||||
| AC-17(07) | Additional Protection for Security Function Access | Incorporated into AC-3.10. | |||
| AC-17(08) | Disable Nonsecure Network Protocols | Incorporated into CM-7. | |||
| AC-17(09) | Disconnect or Disable Access | ||||
| AC-17(10) | Authenticate Remote Commands | ||||
| AC-18 | Wireless Access | ||||
| AC-18(01) | Authentication and Encryption | ||||
| AC-18(02) | Monitoring Unauthorized Connections | Incorporated into SI-4. | |||
| AC-18(03) | Disable Wireless Networking | ||||
| AC-18(04) | Restrict Configurations by Users | ||||
| AC-18(05) | Antennas and Transmission Power Levels | ||||
| AC-19 | Access Control for Mobile Devices | ||||
| AC-19(01) | Use of Writable and Portable Storage Devices | Incorporated into MP-7. | |||
| AC-19(02) | Use of Personally Owned Portable Storage Devices | Incorporated into MP-7. | |||
| AC-19(03) | Use of Portable Storage Devices with No Identifiable Owner | Incorporated into MP-7. | |||
| AC-19(04) | Restrictions for Classified Information | ||||
| AC-19(05) | Full Device or Container-based Encryption | ||||
| AC-20 | Use of External Systems | ||||
| AC-20(01) | Limits on Authorized Use | ||||
| AC-20(02) | Portable Storage Devices — Restricted Use | ||||
| AC-20(03) | Non-organizationally Owned Systems — Restricted Use | ||||
| AC-20(04) | Network Accessible Storage Devices — Prohibited Use | ||||
| AC-20(05) | Portable Storage Devices — Prohibited Use | ||||
| AC-21 | Information Sharing | ||||
| AC-21(01) | Automated Decision Support | ||||
| AC-21(02) | Information Search and Retrieval | ||||
| AC-22 | Publicly Accessible Content | ||||
| AC-23 | Data Mining Protection | ||||
| AC-24 | Access Control Decisions | ||||
| AC-24(01) | Transmit Access Authorization Information | ||||
| AC-24(02) | No User or Process Identity | ||||
| AC-25 | Reference Monitor | ||||
| AT-01 | Policy and Procedures | ||||
| AT-02 | Literacy Training and Awareness | ||||
| AT-02(01) | Practical Exercises | ||||
| AT-02(02) | Insider Threat | ||||
| AT-02(03) | Social Engineering and Mining | ||||
| AT-02(04) | Suspicious Communications and Anomalous System Behavior | ||||
| AT-02(05) | Advanced Persistent Threat | ||||
| AT-02(06) | Cyber Threat Environment | ||||
| AT-03 | Role-based Training | ||||
| AT-03(01) | Environmental Controls | ||||
| AT-03(02) | Physical Security Controls | ||||
| AT-03(03) | Practical Exercises | ||||
| AT-03(04) | Suspicious Communications and Anomalous System Behavior | Moved to AT-2.4. | |||
| AT-03(05) | Processing Personally Identifiable Information | ||||
| AT-04 | Training Records | ||||
| AT-05 | Contacts with Security Groups and Associations | Incorporated into PM-15. | |||
| AT-06 | Training Feedback | ||||
| AU-01 | Policy and Procedures | ||||
| AU-02 | Event Logging | ||||
| AU-02(01) | Compilation of Audit Records from Multiple Sources | Incorporated into AU-12. | |||
| AU-02(02) | Selection of Audit Events by Component | Incorporated into AU-12. | |||
| AU-02(03) | Reviews and Updates | Incorporated into AU-2. | |||
| AU-02(04) | Privileged Functions | Incorporated into AC-6.9. | |||
| AU-03 | Content of Audit Records | ||||
| AU-03(01) | Additional Audit Information | ||||
| AU-03(02) | Centralized Management of Planned Audit Record Content | Incorporated into PL-9. | |||
| AU-03(03) | Limit Personally Identifiable Information Elements | ||||
| AU-04 | Audit Log Storage Capacity | ||||
| AU-04(01) | Transfer to Alternate Storage | ||||
| AU-05 | Response to Audit Logging Process Failures | ||||
| AU-05(01) | Storage Capacity Warning | ||||
| AU-05(02) | Real-time Alerts | ||||
| AU-05(03) | Configurable Traffic Volume Thresholds | ||||
| AU-05(04) | Shutdown on Failure | ||||
| AU-05(05) | Alternate Audit Logging Capability | ||||
| AU-06 | Audit Record Review, Analysis, and Reporting | ||||
| AU-06(01) | Automated Process Integration | ||||
| AU-06(02) | Automated Security Alerts | Incorporated into SI-4. | |||
| AU-06(03) | Correlate Audit Record Repositories | ||||
| AU-06(04) | Central Review and Analysis | ||||
| AU-06(05) | Integrated Analysis of Audit Records | ||||
| AU-06(06) | Correlation with Physical Monitoring | ||||
| AU-06(07) | Permitted Actions | ||||
| AU-06(08) | Full Text Analysis of Privileged Commands | ||||
| AU-06(09) | Correlation with Information from Nontechnical Sources | ||||
| AU-06(10) | Audit Level Adjustment | Incorporated into AU-6. | |||
| AU-07 | Audit Record Reduction and Report Generation | ||||
| AU-07(01) | Automatic Processing | ||||
| AU-07(02) | Automatic Sort and Search | Incorporated into AU-7.1. | |||
| AU-08 | Time Stamps | ||||
| AU-08(01) | Synchronization with Authoritative Time Source | Moved to SC-45.1. | |||
| AU-08(02) | Secondary Authoritative Time Source | Moved to SC-45.2. | |||
| AU-09 | Protection of Audit Information | ||||
| AU-09(01) | Hardware Write-once Media | ||||
| AU-09(02) | Store on Separate Physical Systems or Components | ||||
| AU-09(03) | Cryptographic Protection | ||||
| AU-09(04) | Access by Subset of Privileged Users | ||||
| AU-09(05) | Dual Authorization | ||||
| AU-09(06) | Read-only Access | ||||
| AU-09(07) | Store on Component with Different Operating System | ||||
| AU-10 | Non-repudiation | ||||
| AU-10(01) | Association of Identities | ||||
| AU-10(02) | Validate Binding of Information Producer Identity | ||||
| AU-10(03) | Chain of Custody | ||||
| AU-10(04) | Validate Binding of Information Reviewer Identity | ||||
| AU-10(05) | Digital Signatures | Incorporated into SI-7. | |||
| AU-11 | Audit Record Retention | ||||
| AU-11(01) | Long-term Retrieval Capability | ||||
| AU-12 | Audit Record Generation | ||||
| AU-12(01) | System-wide and Time-correlated Audit Trail | ||||
| AU-12(02) | Standardized Formats | ||||
| AU-12(03) | Changes by Authorized Individuals | ||||
| AU-12(04) | Query Parameter Audits of Personally Identifiable Information | ||||
| AU-13 | Monitoring for Information Disclosure | ||||
| AU-13(01) | Use of Automated Tools | ||||
| AU-13(02) | Review of Monitored Sites | ||||
| AU-13(03) | Unauthorized Replication of Information | ||||
| AU-14 | Session Audit | ||||
| AU-14(01) | System Start-up | ||||
| AU-14(02) | Capture and Record Content | Incorporated into AU-14. | |||
| AU-14(03) | Remote Viewing and Listening | ||||
| AU-15 | Alternate Audit Logging Capability | Moved to AU-5.5. | |||
| AU-16 | Cross-organizational Audit Logging | ||||
| AU-16(01) | Identity Preservation | ||||
| AU-16(02) | Sharing of Audit Information | ||||
| AU-16(03) | Disassociability | ||||
| CA-01 | Policy and Procedures | ||||
| CA-02 | Control Assessments | ||||
| CA-02(01) | Independent Assessors | ||||
| CA-02(02) | Specialized Assessments | ||||
| CA-02(03) | Leveraging Results from External Organizations | ||||
| CA-03 | Information Exchange | ||||
| CA-03(01) | Unclassified National Security System Connections | Moved to SC-7.25. | |||
| CA-03(02) | Classified National Security System Connections | Moved to SC-7.26. | |||
| CA-03(03) | Unclassified Non-national Security System Connections | Moved to SC-7.27. | |||
| CA-03(04) | Connections to Public Networks | Moved to SC-7.28. | |||
| CA-03(05) | Restrictions on External System Connections | Moved to SC-7.5. | |||
| CA-03(06) | Transfer Authorizations | ||||
| CA-03(07) | Transitive Information Exchanges | ||||
| CA-04 | Security Certification | Incorporated into CA-2. | |||
| CA-05 | Plan of Action and Milestones | ||||
| CA-05(01) | Automation Support for Accuracy and Currency | ||||
| CA-06 | Authorization | ||||
| CA-06(01) | Joint Authorization — Intra-organization | ||||
| CA-06(02) | Joint Authorization — Inter-organization | ||||
| CA-07 | Continuous Monitoring | ||||
| CA-07(01) | Independent Assessment | ||||
| CA-07(02) | Types of Assessments | Incorporated into CA-2. | |||
| CA-07(03) | Trend Analyses | ||||
| CA-07(04) | Risk Monitoring | ||||
| CA-07(05) | Consistency Analysis | ||||
| CA-07(06) | Automation Support for Monitoring | ||||
| CA-08 | Penetration Testing | ||||
| CA-08(01) | Independent Penetration Testing Agent or Team | ||||
| CA-08(02) | Red Team Exercises | ||||
| CA-08(03) | Facility Penetration Testing | ||||
| CA-09 | Internal System Connections | ||||
| CA-09(01) | Compliance Checks | ||||
| CM-01 | Policy and Procedures | ||||
| CM-02 | Baseline Configuration | ||||
| CM-02(01) | Reviews and Updates | Incorporated into CM-2. | |||
| CM-02(02) | Automation Support for Accuracy and Currency | ||||
| CM-02(03) | Retention of Previous Configurations | ||||
| CM-02(04) | Unauthorized Software | Incorporated into CM-7.4. | |||
| CM-02(05) | Authorized Software | Incorporated into CM-7.5. | |||
| CM-02(06) | Development and Test Environments | ||||
| CM-02(07) | Configure Systems and Components for High-risk Areas | ||||
| CM-03 | Configuration Change Control | ||||
| CM-03(01) | Automated Documentation, Notification, and Prohibition of Changes | ||||
| CM-03(02) | Testing, Validation, and Documentation of Changes | ||||
| CM-03(03) | Automated Change Implementation | ||||
| CM-03(04) | Security and Privacy Representatives | ||||
| CM-03(05) | Automated Security Response | ||||
| CM-03(06) | Cryptography Management | ||||
| CM-03(07) | Review System Changes | ||||
| CM-03(08) | Prevent or Restrict Configuration Changes | ||||
| CM-04 | Impact Analyses | ||||
| CM-04(01) | Separate Test Environments | ||||
| CM-04(02) | Verification of Controls | ||||
| CM-05 | Access Restrictions for Change | ||||
| CM-05(01) | Automated Access Enforcement and Audit Records | ||||
| CM-05(02) | Review System Changes | Incorporated into CM-3.7. | |||
| CM-05(03) | Signed Components | Moved to CM-14. | |||
| CM-05(04) | Dual Authorization | ||||
| CM-05(05) | Privilege Limitation for Production and Operation | ||||
| CM-05(06) | Limit Library Privileges | ||||
| CM-05(07) | Automatic Implementation of Security Safeguards | Incorporated into SI-7. | |||
| CM-06 | Configuration Settings | ||||
| CM-06(01) | Automated Management, Application, and Verification | ||||
| CM-06(02) | Respond to Unauthorized Changes | ||||
| CM-06(03) | Unauthorized Change Detection | Incorporated into SI-7. | |||
| CM-06(04) | Conformance Demonstration | Incorporated into CM-4. | |||
| CM-07 | Least Functionality | ||||
| CM-07(01) | Periodic Review | ||||
| CM-07(02) | Prevent Program Execution | ||||
| CM-07(03) | Registration Compliance | ||||
| CM-07(04) | Unauthorized Software — Deny-by-exception | ||||
| CM-07(05) | Authorized Software — Allow-by-exception | ||||
| CM-07(06) | Confined Environments with Limited Privileges | ||||
| CM-07(07) | Code Execution in Protected Environments | ||||
| CM-07(08) | Binary or Machine Executable Code | ||||
| CM-07(09) | Prohibiting The Use of Unauthorized Hardware | ||||
| CM-08 | System Component Inventory | ||||
| CM-08(01) | Updates During Installation and Removal | ||||
| CM-08(02) | Automated Maintenance | ||||
| CM-08(03) | Automated Unauthorized Component Detection | ||||
| CM-08(04) | Accountability Information | ||||
| CM-08(05) | No Duplicate Accounting of Components | Incorporated into CM-8. | |||
| CM-08(06) | Assessed Configurations and Approved Deviations | ||||
| CM-08(07) | Centralized Repository | ||||
| CM-08(08) | Automated Location Tracking | ||||
| CM-08(09) | Assignment of Components to Systems | ||||
| CM-09 | Configuration Management Plan | ||||
| CM-09(01) | Assignment of Responsibility | ||||
| CM-10 | Software Usage Restrictions | ||||
| CM-10(01) | Open-source Software | ||||
| CM-11 | User-installed Software | ||||
| CM-11(01) | Alerts for Unauthorized Installations | Incorporated into CM-8.3. | |||
| CM-11(02) | Software Installation with Privileged Status | ||||
| CM-11(03) | Automated Enforcement and Monitoring | ||||
| CM-12 | Information Location | ||||
| CM-12(01) | Automated Tools to Support Information Location | ||||
| CM-13 | Data Action Mapping | ||||
| CM-14 | Signed Components | ||||
| CP-01 | Policy and Procedures | ||||
| CP-02 | Contingency Plan | ||||
| CP-02(01) | Coordinate with Related Plans | ||||
| CP-02(02) | Capacity Planning | ||||
| CP-02(03) | Resume Mission and Business Functions | ||||
| CP-02(04) | Resume All Mission and Business Functions | Incorporated into CP-2.3. | |||
| CP-02(05) | Continue Mission and Business Functions | ||||
| CP-02(06) | Alternate Processing and Storage Sites | ||||
| CP-02(07) | Coordinate with External Service Providers | ||||
| CP-02(08) | Identify Critical Assets | ||||
| CP-03 | Contingency Training | ||||
| CP-03(01) | Simulated Events | ||||
| CP-03(02) | Mechanisms Used in Training Environments | ||||
| CP-04 | Contingency Plan Testing | ||||
| CP-04(01) | Coordinate with Related Plans | ||||
| CP-04(02) | Alternate Processing Site | ||||
| CP-04(03) | Automated Testing | ||||
| CP-04(04) | Full Recovery and Reconstitution | ||||
| CP-04(05) | Self-challenge | ||||
| CP-05 | Contingency Plan Update | Incorporated into CP-2. | |||
| CP-06 | Alternate Storage Site | ||||
| CP-06(01) | Separation from Primary Site | ||||
| CP-06(02) | Recovery Time and Recovery Point Objectives | ||||
| CP-06(03) | Accessibility | ||||
| CP-07 | Alternate Processing Site | ||||
| CP-07(01) | Separation from Primary Site | ||||
| CP-07(02) | Accessibility | ||||
| CP-07(03) | Priority of Service | ||||
| CP-07(04) | Preparation for Use | ||||
| CP-07(05) | Equivalent Information Security Safeguards | Incorporated into CP-7. | |||
| CP-07(06) | Inability to Return to Primary Site | ||||
| CP-08 | Telecommunications Services | ||||
| CP-08(01) | Priority of Service Provisions | ||||
| CP-08(02) | Single Points of Failure | ||||
| CP-08(03) | Separation of Primary and Alternate Providers | ||||
| CP-08(04) | Provider Contingency Plan | ||||
| CP-08(05) | Alternate Telecommunication Service Testing | ||||
| CP-09 | System Backup | ||||
| CP-09(01) | Testing for Reliability and Integrity | ||||
| CP-09(02) | Test Restoration Using Sampling | ||||
| CP-09(03) | Separate Storage for Critical Information | ||||
| CP-09(04) | Protection from Unauthorized Modification | Incorporated into CP-9. | |||
| CP-09(05) | Transfer to Alternate Storage Site | ||||
| CP-09(06) | Redundant Secondary System | ||||
| CP-09(07) | Dual Authorization for Deletion or Destruction | ||||
| CP-09(08) | Cryptographic Protection | ||||
| CP-10 | System Recovery and Reconstitution | ||||
| CP-10(01) | Contingency Plan Testing | Incorporated into CP-4. | |||
| CP-10(02) | Transaction Recovery | ||||
| CP-10(03) | Compensating Security Controls | ||||
| CP-10(04) | Restore Within Time Period | ||||
| CP-10(05) | Failover Capability | Incorporated into SI-13. | |||
| CP-10(06) | Component Protection | ||||
| CP-11 | Alternate Communications Protocols | ||||
| CP-12 | Safe Mode | ||||
| CP-13 | Alternative Security Mechanisms | ||||
| IA-01 | Policy and Procedures | ||||
| IA-02 | Identification and Authentication (Organizational Users) | ||||
| IA-02(01) | Multi-factor Authentication to Privileged Accounts | ||||
| IA-02(02) | Multi-factor Authentication to Non-privileged Accounts | ||||
| IA-02(03) | Local Access to Privileged Accounts | Incorporated into IA-2.1. | |||
| IA-02(04) | Local Access to Non-privileged Accounts | Incorporated into IA-2.2. | |||
| IA-02(05) | Individual Authentication with Group Authentication | ||||
| IA-02(06) | Access to Accounts —separate Device | ||||
| IA-02(07) | Network Access to Non-privileged Accounts — Separate Device | Incorporated into IA-2.6. | |||
| IA-02(08) | Access to Accounts — Replay Resistant | ||||
| IA-02(09) | Network Access to Non-privileged Accounts — Replay Resistant | Incorporated into IA-2.8. | |||
| IA-02(10) | Single Sign-on | ||||
| IA-02(11) | Remote Access — Separate Device | Incorporated into IA-2.6. | |||
| IA-02(12) | Acceptance of PIV Credentials | ||||
| IA-02(13) | Out-of-band Authentication | ||||
| IA-03 | Device Identification and Authentication | ||||
| IA-03(01) | Cryptographic Bidirectional Authentication | ||||
| IA-03(02) | Cryptographic Bidirectional Network Authentication | Incorporated into IA-3.1. | |||
| IA-03(03) | Dynamic Address Allocation | ||||
| IA-03(04) | Device Attestation | ||||
| IA-04 | Identifier Management | ||||
| IA-04(01) | Prohibit Account Identifiers as Public Identifiers | ||||
| IA-04(02) | Supervisor Authorization | Incorporated into IA-12.1. | |||
| IA-04(03) | Multiple Forms of Certification | Incorporated into IA-12.2. | |||
| IA-04(04) | Identify User Status | ||||
| IA-04(05) | Dynamic Management | ||||
| IA-04(06) | Cross-organization Management | ||||
| IA-04(07) | In-person Registration | Incorporated into IA-12.4. | |||
| IA-04(08) | Pairwise Pseudonymous Identifiers | ||||
| IA-04(09) | Attribute Maintenance and Protection | ||||
| IA-05 | Authenticator Management | ||||
| IA-05(01) | Password-based Authentication | ||||
| IA-05(02) | Public Key-based Authentication | ||||
| IA-05(03) | In-person or Trusted External Party Registration | Incorporated into IA-12.4. | |||
| IA-05(04) | Automated Support for Password Strength Determination | Incorporated into IA-5.1. | |||
| IA-05(05) | Change Authenticators Prior to Delivery | ||||
| IA-05(06) | Protection of Authenticators | ||||
| IA-05(07) | No Embedded Unencrypted Static Authenticators | ||||
| IA-05(08) | Multiple System Accounts | ||||
| IA-05(09) | Federated Credential Management | ||||
| IA-05(10) | Dynamic Credential Binding | ||||
| IA-05(11) | Hardware Token-based Authentication | Incorporated into IA-2.1 AND IA-2.2. | |||
| IA-05(12) | Biometric Authentication Performance | ||||
| IA-05(13) | Expiration of Cached Authenticators | ||||
| IA-05(14) | Managing Content of PKI Trust Stores | ||||
| IA-05(15) | GSA-approved Products and Services | ||||
| IA-05(16) | In-person or Trusted External Party Authenticator Issuance | ||||
| IA-05(17) | Presentation Attack Detection for Biometric Authenticators | ||||
| IA-05(18) | Password Managers | ||||
| IA-06 | Authentication Feedback | ||||
| IA-07 | Cryptographic Module Authentication | ||||
| IA-08 | Identification and Authentication (Non-organizational Users) | ||||
| IA-08(01) | Acceptance of PIV Credentials from Other Agencies | ||||
| IA-08(02) | Acceptance of External Authenticators | ||||
| IA-08(03) | Use of FICAM-approved Products | Incorporated into IA-8.2. | |||
| IA-08(04) | Use of Defined Profiles | ||||
| IA-08(05) | Acceptance of PIV-I Credentials | ||||
| IA-08(06) | Disassociability | ||||
| IA-09 | Service Identification and Authentication | ||||
| IA-09(01) | Information Exchange | Incorporated into IA-9. | |||
| IA-09(02) | Transmission of Decisions | Incorporated into IA-9. | |||
| IA-10 | Adaptive Authentication | ||||
| IA-11 | Re-authentication | ||||
| IA-12 | Identity Proofing | ||||
| IA-12(01) | Supervisor Authorization | ||||
| IA-12(02) | Identity Evidence | ||||
| IA-12(03) | Identity Evidence Validation and Verification | ||||
| IA-12(04) | In-person Validation and Verification | ||||
| IA-12(05) | Address Confirmation | ||||
| IA-12(06) | Accept Externally-proofed Identities | ||||
| IA-13 | Identity Providers and Authorization Servers | ||||
| IA-13(01) | Protection of Cryptographic Keys | ||||
| IA-13(02) | Verification of Identity Assertions and Access Tokens | ||||
| IA-13(03) | Token Management | ||||
| IR-01 | Policy and Procedures | ||||
| IR-02 | Incident Response Training | ||||
| IR-02(01) | Simulated Events | ||||
| IR-02(02) | Automated Training Environments | ||||
| IR-02(03) | Breach | ||||
| IR-03 | Incident Response Testing | ||||
| IR-03(01) | Automated Testing | ||||
| IR-03(02) | Coordination with Related Plans | ||||
| IR-03(03) | Continuous Improvement | ||||
| IR-04 | Incident Handling | ||||
| IR-04(01) | Automated Incident Handling Processes | ||||
| IR-04(02) | Dynamic Reconfiguration | ||||
| IR-04(03) | Continuity of Operations | ||||
| IR-04(04) | Information Correlation | ||||
| IR-04(05) | Automatic Disabling of System | ||||
| IR-04(06) | Insider Threats | ||||
| IR-04(07) | Insider Threats — Intra-organization Coordination | ||||
| IR-04(08) | Correlation with External Organizations | ||||
| IR-04(09) | Dynamic Response Capability | ||||
| IR-04(10) | Supply Chain Coordination | ||||
| IR-04(11) | Integrated Incident Response Team | ||||
| IR-04(12) | Malicious Code and Forensic Analysis | ||||
| IR-04(13) | Behavior Analysis | ||||
| IR-04(14) | Security Operations Center | ||||
| IR-04(15) | Public Relations and Reputation Repair | ||||
| IR-05 | Incident Monitoring | ||||
| IR-05(01) | Automated Tracking, Data Collection, and Analysis | ||||
| IR-06 | Incident Reporting | ||||
| IR-06(01) | Automated Reporting | ||||
| IR-06(02) | Vulnerabilities Related to Incidents | ||||
| IR-06(03) | Supply Chain Coordination | ||||
| IR-07 | Incident Response Assistance | ||||
| IR-07(01) | Automation Support for Availability of Information and Support | ||||
| IR-07(02) | Coordination with External Providers | ||||
| IR-08 | Incident Response Plan | ||||
| IR-08(01) | Breaches | ||||
| IR-09 | Information Spillage Response | ||||
| IR-09(01) | Responsible Personnel | Incorporated into IR-9. | |||
| IR-09(02) | Training | ||||
| IR-09(03) | Post-spill Operations | ||||
| IR-09(04) | Exposure to Unauthorized Personnel | ||||
| IR-10 | Integrated Information Security Analysis Team | Moved to IR-4.11. | |||
| MA-01 | Policy and Procedures | ||||
| MA-02 | Controlled Maintenance | ||||
| MA-02(01) | Record Content | Incorporated into MA-2. | |||
| MA-02(02) | Automated Maintenance Activities | ||||
| MA-03 | Maintenance Tools | ||||
| MA-03(01) | Inspect Tools | ||||
| MA-03(02) | Inspect Media | ||||
| MA-03(03) | Prevent Unauthorized Removal | ||||
| MA-03(04) | Restricted Tool Use | ||||
| MA-03(05) | Execution with Privilege | ||||
| MA-03(06) | Software Updates and Patches | ||||
| MA-04 | Nonlocal Maintenance | ||||
| MA-04(01) | Logging and Review | ||||
| MA-04(02) | Document Nonlocal Maintenance | Incorporated into MA-1 AND MA-4. | |||
| MA-04(03) | Comparable Security and Sanitization | ||||
| MA-04(04) | Authentication and Separation of Maintenance Sessions | ||||
| MA-04(05) | Approvals and Notifications | ||||
| MA-04(06) | Cryptographic Protection | ||||
| MA-04(07) | Disconnect Verification | ||||
| MA-05 | Maintenance Personnel | ||||
| MA-05(01) | Individuals Without Appropriate Access | ||||
| MA-05(02) | Security Clearances for Classified Systems | ||||
| MA-05(03) | Citizenship Requirements for Classified Systems | ||||
| MA-05(04) | Foreign Nationals | ||||
| MA-05(05) | Non-system Maintenance | ||||
| MA-06 | Timely Maintenance | ||||
| MA-06(01) | Preventive Maintenance | ||||
| MA-06(02) | Predictive Maintenance | ||||
| MA-06(03) | Automated Support for Predictive Maintenance | ||||
| MA-07 | Field Maintenance | ||||
| MP-01 | Policy and Procedures | ||||
| MP-02 | Media Access | ||||
| MP-02(01) | Automated Restricted Access | Incorporated into MP-4.2. | |||
| MP-02(02) | Cryptographic Protection | Incorporated into SC-28.1. | |||
| MP-03 | Media Marking | ||||
| MP-04 | Media Storage | ||||
| MP-04(01) | Cryptographic Protection | Incorporated into SC-28.1. | |||
| MP-04(02) | Automated Restricted Access | ||||
| MP-05 | Media Transport | ||||
| MP-05(01) | Protection Outside of Controlled Areas | Incorporated into MP-5. | |||
| MP-05(02) | Documentation of Activities | Incorporated into MP-5. | |||
| MP-05(03) | Custodians | ||||
| MP-05(04) | Cryptographic Protection | Incorporated into SC-28.1. | |||
| MP-06 | Media Sanitization | ||||
| MP-06(01) | Review, Approve, Track, Document, and Verify | ||||
| MP-06(02) | Equipment Testing | ||||
| MP-06(03) | Nondestructive Techniques | ||||
| MP-06(04) | Controlled Unclassified Information | Incorporated into MP-6. | |||
| MP-06(05) | Classified Information | Incorporated into MP-6. | |||
| MP-06(06) | Media Destruction | Incorporated into MP-6. | |||
| MP-06(07) | Dual Authorization | ||||
| MP-06(08) | Remote Purging or Wiping of Information | ||||
| MP-07 | Media Use | ||||
| MP-07(01) | Prohibit Use Without Owner | Incorporated into MP-7. | |||
| MP-07(02) | Prohibit Use of Sanitization-resistant Media | ||||
| MP-08 | Media Downgrading | ||||
| MP-08(01) | Documentation of Process | ||||
| MP-08(02) | Equipment Testing | ||||
| MP-08(03) | Controlled Unclassified Information | ||||
| MP-08(04) | Classified Information | ||||
| PE-01 | Policy and Procedures | ||||
| PE-02 | Physical Access Authorizations | ||||
| PE-02(01) | Access by Position or Role | ||||
| PE-02(02) | Two Forms of Identification | ||||
| PE-02(03) | Restrict Unescorted Access | ||||
| PE-03 | Physical Access Control | ||||
| PE-03(01) | System Access | ||||
| PE-03(02) | Facility and Systems | ||||
| PE-03(03) | Continuous Guards | ||||
| PE-03(04) | Lockable Casings | ||||
| PE-03(05) | Tamper Protection | ||||
| PE-03(06) | Facility Penetration Testing | Incorporated into CA-8. | |||
| PE-03(07) | Physical Barriers | ||||
| PE-03(08) | Access Control Vestibules | ||||
| PE-04 | Access Control for Transmission | ||||
| PE-05 | Access Control for Output Devices | ||||
| PE-05(01) | Access to Output by Authorized Individuals | Incorporated into PE-5. | |||
| PE-05(02) | Link to Individual Identity | ||||
| PE-05(03) | Marking Output Devices | Incorporated into PE-22. | |||
| PE-06 | Monitoring Physical Access | ||||
| PE-06(01) | Intrusion Alarms and Surveillance Equipment | ||||
| PE-06(02) | Automated Intrusion Recognition and Responses | ||||
| PE-06(03) | Video Surveillance | ||||
| PE-06(04) | Monitoring Physical Access to Systems | ||||
| PE-07 | Visitor Control | Incorporated into PE-2 AND PE-3. | |||
| PE-08 | Visitor Access Records | ||||
| PE-08(01) | Automated Records Maintenance and Review | ||||
| PE-08(02) | Physical Access Records | Incorporated into PE-2. | |||
| PE-08(03) | Limit Personally Identifiable Information Elements | ||||
| PE-09 | Power Equipment and Cabling | ||||
| PE-09(01) | Redundant Cabling | ||||
| PE-09(02) | Automatic Voltage Controls | ||||
| PE-10 | Emergency Shutoff | ||||
| PE-10(01) | Accidental and Unauthorized Activation | Incorporated into PE-10. | |||
| PE-11 | Emergency Power | ||||
| PE-11(01) | Alternate Power Supply — Minimal Operational Capability | ||||
| PE-11(02) | Alternate Power Supply — Self-contained | ||||
| PE-12 | Emergency Lighting | ||||
| PE-12(01) | Essential Mission and Business Functions | ||||
| PE-13 | Fire Protection | ||||
| PE-13(01) | Detection Systems — Automatic Activation and Notification | ||||
| PE-13(02) | Suppression Systems — Automatic Activation and Notification | ||||
| PE-13(03) | Automatic Fire Suppression | Incorporated into PE-13.2. | |||
| PE-13(04) | Inspections | ||||
| PE-14 | Environmental Controls | ||||
| PE-14(01) | Automatic Controls | ||||
| PE-14(02) | Monitoring with Alarms and Notifications | ||||
| PE-15 | Water Damage Protection | ||||
| PE-15(01) | Automation Support | ||||
| PE-16 | Delivery and Removal | ||||
| PE-17 | Alternate Work Site | ||||
| PE-18 | Location of System Components | ||||
| PE-18(01) | Facility Site | Moved to PE-23. | |||
| PE-19 | Information Leakage | ||||
| PE-19(01) | National Emissions Policies and Procedures | ||||
| PE-20 | Asset Monitoring and Tracking | ||||
| PE-21 | Electromagnetic Pulse Protection | ||||
| PE-22 | Component Marking | ||||
| PE-23 | Facility Location | ||||
| PL-01 | Policy and Procedures | ||||
| PL-02 | System Security and Privacy Plans | ||||
| PL-02(01) | Concept of Operations | Incorporated into PL-7. | |||
| PL-02(02) | Functional Architecture | Incorporated into PL-8. | |||
| PL-02(03) | Plan and Coordinate with Other Organizational Entities | Incorporated into PL-2. | |||
| PL-03 | System Security Plan Update | Incorporated into PL-2. | |||
| PL-04 | Rules of Behavior | ||||
| PL-04(01) | Social Media and External Site/Application Usage Restrictions | ||||
| PL-05 | Privacy Impact Assessment | Incorporated into RA-8. | |||
| PL-06 | Security-related Activity Planning | Incorporated into PL-2. | |||
| PL-07 | Concept of Operations | ||||
| PL-08 | Security and Privacy Architectures | ||||
| PL-08(01) | Defense in Depth | ||||
| PL-08(02) | Supplier Diversity | ||||
| PL-09 | Central Management | ||||
| PL-10 | Baseline Selection | ||||
| PL-11 | Baseline Tailoring | ||||
| PM-01 | Information Security Program Plan | ||||
| PM-02 | Information Security Program Leadership Role | ||||
| PM-03 | Information Security and Privacy Resources | ||||
| PM-04 | Plan of Action and Milestones Process | ||||
| PM-05 | System Inventory | ||||
| PM-05(01) | Inventory of Personally Identifiable Information | ||||
| PM-06 | Measures of Performance | ||||
| PM-07 | Enterprise Architecture | ||||
| PM-07(01) | Offloading | ||||
| PM-08 | Critical Infrastructure Plan | ||||
| PM-09 | Risk Management Strategy | ||||
| PM-10 | Authorization Process | ||||
| PM-11 | Mission and Business Process Definition | ||||
| PM-12 | Insider Threat Program | ||||
| PM-13 | Security and Privacy Workforce | ||||
| PM-14 | Testing, Training, and Monitoring | ||||
| PM-15 | Security and Privacy Groups and Associations | ||||
| PM-16 | Threat Awareness Program | ||||
| PM-16(01) | Automated Means for Sharing Threat Intelligence | ||||
| PM-17 | Protecting Controlled Unclassified Information on External Systems | ||||
| PM-18 | Privacy Program Plan | ||||
| PM-19 | Privacy Program Leadership Role | ||||
| PM-20 | Dissemination of Privacy Program Information | ||||
| PM-20(01) | Privacy Policies on Websites, Applications, and Digital Services | ||||
| PM-21 | Accounting of Disclosures | ||||
| PM-22 | Personally Identifiable Information Quality Management | ||||
| PM-23 | Data Governance Body | ||||
| PM-24 | Data Integrity Board | ||||
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | ||||
| PM-26 | Complaint Management | ||||
| PM-27 | Privacy Reporting | ||||
| PM-28 | Risk Framing | ||||
| PM-29 | Risk Management Program Leadership Roles | ||||
| PM-30 | Supply Chain Risk Management Strategy | ||||
| PM-30(01) | Suppliers of Critical or Mission-essential Items | ||||
| PM-31 | Continuous Monitoring Strategy | ||||
| PM-32 | Purposing | ||||
| PS-01 | Policy and Procedures | ||||
| PS-02 | Position Risk Designation | ||||
| PS-03 | Personnel Screening | ||||
| PS-03(01) | Classified Information | ||||
| PS-03(02) | Formal Indoctrination | ||||
| PS-03(03) | Information Requiring Special Protective Measures | ||||
| PS-03(04) | Citizenship Requirements | ||||
| PS-04 | Personnel Termination | ||||
| PS-04(01) | Post-employment Requirements | ||||
| PS-04(02) | Automated Actions | ||||
| PS-05 | Personnel Transfer | ||||
| PS-06 | Access Agreements | ||||
| PS-06(01) | Information Requiring Special Protection | Incorporated into PS-3. | |||
| PS-06(02) | Classified Information Requiring Special Protection | ||||
| PS-06(03) | Post-employment Requirements | ||||
| PS-07 | External Personnel Security | ||||
| PS-08 | Personnel Sanctions | ||||
| PS-09 | Position Descriptions | ||||
| PT-01 | Policy and Procedures | ||||
| PT-02 | Authority to Process Personally Identifiable Information | ||||
| PT-02(01) | Data Tagging | ||||
| PT-02(02) | Automation | ||||
| PT-03 | Personally Identifiable Information Processing Purposes | ||||
| PT-03(01) | Data Tagging | ||||
| PT-03(02) | Automation | ||||
| PT-04 | Consent | ||||
| PT-04(01) | Tailored Consent | ||||
| PT-04(02) | Just-in-time Consent | ||||
| PT-04(03) | Revocation | ||||
| PT-05 | Privacy Notice | ||||
| PT-05(01) | Just-in-time Notice | ||||
| PT-05(02) | Privacy Act Statements | ||||
| PT-06 | System of Records Notice | ||||
| PT-06(01) | Routine Uses | ||||
| PT-06(02) | Exemption Rules | ||||
| PT-07 | Specific Categories of Personally Identifiable Information | ||||
| PT-07(01) | Social Security Numbers | ||||
| PT-07(02) | First Amendment Information | ||||
| PT-08 | Computer Matching Requirements | ||||
| RA-01 | Policy and Procedures | ||||
| RA-02 | Security Categorization | ||||
| RA-02(01) | Impact-level Prioritization | ||||
| RA-03 | Risk Assessment | ||||
| RA-03(01) | Supply Chain Risk Assessment | ||||
| RA-03(02) | Use of All-source Intelligence | ||||
| RA-03(03) | Dynamic Threat Awareness | ||||
| RA-03(04) | Predictive Cyber Analytics | ||||
| RA-04 | Risk Assessment Update | Incorporated into RA-3. | |||
| RA-05 | Vulnerability Monitoring and Scanning | ||||
| RA-05(01) | Update Tool Capability | Incorporated into RA-5. | |||
| RA-05(02) | Update Vulnerabilities to Be Scanned | ||||
| RA-05(03) | Breadth and Depth of Coverage | ||||
| RA-05(04) | Discoverable Information | ||||
| RA-05(05) | Privileged Access | ||||
| RA-05(06) | Automated Trend Analyses | ||||
| RA-05(07) | Automated Detection and Notification of Unauthorized Components | Incorporated into CM-8. | |||
| RA-05(08) | Review Historic Audit Logs | ||||
| RA-05(09) | Penetration Testing and Analyses | Incorporated into CA-8. | |||
| RA-05(10) | Correlate Scanning Information | ||||
| RA-05(11) | Public Disclosure Program | ||||
| RA-06 | Technical Surveillance Countermeasures Survey | ||||
| RA-07 | Risk Response | ||||
| RA-08 | Privacy Impact Assessments | ||||
| RA-09 | Criticality Analysis | ||||
| RA-10 | Threat Hunting | ||||
| SA-01 | Policy and Procedures | ||||
| SA-02 | Allocation of Resources | ||||
| SA-03 | System Development Life Cycle | ||||
| SA-03(01) | Manage Preproduction Environment | ||||
| SA-03(02) | Use of Live or Operational Data | ||||
| SA-03(03) | Technology Refresh | ||||
| SA-04 | Acquisition Process | ||||
| SA-04(01) | Functional Properties of Controls | ||||
| SA-04(02) | Design and Implementation Information for Controls | ||||
| SA-04(03) | Development Methods, Techniques, and Practices | ||||
| SA-04(04) | Assignment of Components to Systems | Incorporated into CM-8.9. | |||
| SA-04(05) | System, Component, and Service Configurations | ||||
| SA-04(06) | Use of Information Assurance Products | ||||
| SA-04(07) | NIAP-approved Protection Profiles | ||||
| SA-04(08) | Continuous Monitoring Plan for Controls | ||||
| SA-04(09) | Functions, Ports, Protocols, and Services in Use | ||||
| SA-04(10) | Use of Approved PIV Products | ||||
| SA-04(11) | System of Records | ||||
| SA-04(12) | Data Ownership | ||||
| SA-05 | System Documentation | ||||
| SA-05(01) | Functional Properties of Security Controls | Incorporated into SA-4.1. | |||
| SA-05(02) | Security-relevant External System Interfaces | Incorporated into SA-4.2. | |||
| SA-05(03) | High-level Design | Incorporated into SA-4.2. | |||
| SA-05(04) | Low-level Design | Incorporated into SA-4.2. | |||
| SA-05(05) | Source Code | Incorporated into SA-4.2. | |||
| SA-06 | Software Usage Restrictions | Incorporated into CM-10 AND SI-7. | |||
| SA-07 | User-installed Software | Incorporated into CM-11 AND SI-7. | |||
| SA-08 | Security and Privacy Engineering Principles | ||||
| SA-08(01) | Clear Abstractions | ||||
| SA-08(02) | Least Common Mechanism | ||||
| SA-08(03) | Modularity and Layering | ||||
| SA-08(04) | Partially Ordered Dependencies | ||||
| SA-08(05) | Efficiently Mediated Access | ||||
| SA-08(06) | Minimized Sharing | ||||
| SA-08(07) | Reduced Complexity | ||||
| SA-08(08) | Secure Evolvability | ||||
| SA-08(09) | Trusted Components | ||||
| SA-08(10) | Hierarchical Trust | ||||
| SA-08(11) | Inverse Modification Threshold | ||||
| SA-08(12) | Hierarchical Protection | ||||
| SA-08(13) | Minimized Security Elements | ||||
| SA-08(14) | Least Privilege | ||||
| SA-08(15) | Predicate Permission | ||||
| SA-08(16) | Self-reliant Trustworthiness | ||||
| SA-08(17) | Secure Distributed Composition | ||||
| SA-08(18) | Trusted Communications Channels | ||||
| SA-08(19) | Continuous Protection | ||||
| SA-08(20) | Secure Metadata Management | ||||
| SA-08(21) | Self-analysis | ||||
| SA-08(22) | Accountability and Traceability | ||||
| SA-08(23) | Secure Defaults | ||||
| SA-08(24) | Secure Failure and Recovery | ||||
| SA-08(25) | Economic Security | ||||
| SA-08(26) | Performance Security | ||||
| SA-08(27) | Human Factored Security | ||||
| SA-08(28) | Acceptable Security | ||||
| SA-08(29) | Repeatable and Documented Procedures | ||||
| SA-08(30) | Procedural Rigor | ||||
| SA-08(31) | Secure System Modification | ||||
| SA-08(32) | Sufficient Documentation | ||||
| SA-08(33) | Minimization | ||||
| SA-09 | External System Services | ||||
| SA-09(01) | Risk Assessments and Organizational Approvals | ||||
| SA-09(02) | Identification of Functions, Ports, Protocols, and Services | ||||
| SA-09(03) | Establish and Maintain Trust Relationship with Providers | ||||
| SA-09(04) | Consistent Interests of Consumers and Providers | ||||
| SA-09(05) | Processing, Storage, and Service Location | ||||
| SA-09(06) | Organization-controlled Cryptographic Keys | ||||
| SA-09(07) | Organization-controlled Integrity Checking | ||||
| SA-09(08) | Processing and Storage Location — U.S. Jurisdiction | ||||
| SA-10 | Developer Configuration Management | ||||
| SA-10(01) | Software and Firmware Integrity Verification | ||||
| SA-10(02) | Alternative Configuration Management Processes | ||||
| SA-10(03) | Hardware Integrity Verification | ||||
| SA-10(04) | Trusted Generation | ||||
| SA-10(05) | Mapping Integrity for Version Control | ||||
| SA-10(06) | Trusted Distribution | ||||
| SA-10(07) | Security and Privacy Representatives | ||||
| SA-11 | Developer Testing and Evaluation | ||||
| SA-11(01) | Static Code Analysis | ||||
| SA-11(02) | Threat Modeling and Vulnerability Analyses | ||||
| SA-11(03) | Independent Verification of Assessment Plans and Evidence | ||||
| SA-11(04) | Manual Code Reviews | ||||
| SA-11(05) | Penetration Testing | ||||
| SA-11(06) | Attack Surface Reviews | ||||
| SA-11(07) | Verify Scope of Testing and Evaluation | ||||
| SA-11(08) | Dynamic Code Analysis | ||||
| SA-11(09) | Interactive Application Security Testing | ||||
| SA-12 | Supply Chain Protection | Incorporated into SR. | |||
| SA-12(01) | Acquisition Strategies / Tools / Methods | Moved to SR-5. | |||
| SA-12(02) | Supplier Reviews | Moved to SR-6. | |||
| SA-12(03) | Trusted Shipping and Warehousing | Incorporated into SR-3. | |||
| SA-12(04) | Diversity of Suppliers | Moved to SR-3.1. | |||
| SA-12(05) | Limitation of Harm | Moved to SR-3.2. | |||
| SA-12(06) | Minimizing Procurement Time | Incorporated into SR-5.1. | |||
| SA-12(07) | Assessments Prior to Selection / Acceptance / Update | Moved to SR-5.2. | |||
| SA-12(08) | Use of All-source Intelligence | Incorporated into RA-3.2. | |||
| SA-12(09) | Operations Security | Moved to SR-7. | |||
| SA-12(10) | Validate as Genuine and Not Altered | Moved to SR-4.3. | |||
| SA-12(11) | Penetration Testing / Analysis of Elements, Processes, and Actors | Moved to SR-6.1. | |||
| SA-12(12) | Inter-organizational Agreements | Moved to SR-8. | |||
| SA-12(13) | Critical Information System Components | Incorporated into MA-6 AND RA-9. | |||
| SA-12(14) | Identity and Traceability | Incorporated into SR-4.1 AND SR-4.2. | |||
| SA-12(15) | Processes to Address Weaknesses or Deficiencies | Incorporated into SR-3. | |||
| SA-13 | Trustworthiness | Incorporated into SA-8. | |||
| SA-14 | Criticality Analysis | Incorporated into RA-9. | |||
| SA-14(01) | Critical Components with No Viable Alternative Sourcing | Incorporated into SA-20. | |||
| SA-15 | Development Process, Standards, and Tools | ||||
| SA-15(01) | Quality Metrics | ||||
| SA-15(02) | Security and Privacy Tracking Tools | ||||
| SA-15(03) | Criticality Analysis | ||||
| SA-15(04) | Threat Modeling and Vulnerability Analysis | Incorporated into SA-11.2. | |||
| SA-15(05) | Attack Surface Reduction | ||||
| SA-15(06) | Continuous Improvement | ||||
| SA-15(07) | Automated Vulnerability Analysis | ||||
| SA-15(08) | Reuse of Threat and Vulnerability Information | ||||
| SA-15(09) | Use of Live Data | Incorporated into SA-3.2. | |||
| SA-15(10) | Incident Response Plan | ||||
| SA-15(11) | Archive System or Component | ||||
| SA-15(12) | Minimize Personally Identifiable Information | ||||
| SA-16 | Developer-provided Training | ||||
| SA-17 | Developer Security and Privacy Architecture and Design | ||||
| SA-17(01) | Formal Policy Model | ||||
| SA-17(02) | Security-relevant Components | ||||
| SA-17(03) | Formal Correspondence | ||||
| SA-17(04) | Informal Correspondence | ||||
| SA-17(05) | Conceptually Simple Design | ||||
| SA-17(06) | Structure for Testing | ||||
| SA-17(07) | Structure for Least Privilege | ||||
| SA-17(08) | Orchestration | ||||
| SA-17(09) | Design Diversity | ||||
| SA-18 | Tamper Resistance and Detection | Moved to SR-9. | |||
| SA-18(01) | Multiple Phases of System Development Life Cycle | Moved to SR-9.1. | |||
| SA-18(2) | Inspection of Systems or Components | Moved to SR-10. | |||
| SA-19 | Component Authenticity | Moved to SR-11. | |||
| SA-19(01) | Anti-counterfeit Training | Moved to SR-11.1. | |||
| SA-19(02) | Configuration Control for Component Service and Repair | Moved to SR-11.2. | |||
| SA-19(03) | Component Disposal | Moved to SR-12. | |||
| SA-19(04) | Anti-counterfeit Scanning | Moved to SR-11.3. | |||
| SA-20 | Customized Development of Critical Components | ||||
| SA-21 | Developer Screening | ||||
| SA-21(01) | Validation of Screening | Incorporated into SA-21. | |||
| SA-22 | Unsupported System Components | ||||
| SA-22(01) | Alternative Sources for Continued Support | Incorporated into SA-22. | |||
| SA-23 | Specialization | ||||
| SC-01 | Policy and Procedures | ||||
| SC-02 | Separation of System and User Functionality | ||||
| SC-02(01) | Interfaces for Non-privileged Users | ||||
| SC-02(02) | Disassociability | ||||
| SC-03 | Security Function Isolation | ||||
| SC-03(01) | Hardware Separation | ||||
| SC-03(02) | Access and Flow Control Functions | ||||
| SC-03(03) | Minimize Nonsecurity Functionality | ||||
| SC-03(04) | Module Coupling and Cohesiveness | ||||
| SC-03(05) | Layered Structures | ||||
| SC-04 | Information in Shared System Resources | ||||
| SC-04(01) | Security Levels | Incorporated into SC-4. | |||
| SC-04(02) | Multilevel or Periods Processing | ||||
| SC-05 | Denial-of-service Protection | ||||
| SC-05(01) | Restrict Ability to Attack Other Systems | ||||
| SC-05(02) | Capacity, Bandwidth, and Redundancy | ||||
| SC-05(03) | Detection and Monitoring | ||||
| SC-06 | Resource Availability | ||||
| SC-07 | Boundary Protection | ||||
| SC-07(01) | Physically Separated Subnetworks | Incorporated into SC-7. | |||
| SC-07(02) | Public Access | Incorporated into SC-7. | |||
| SC-07(03) | Access Points | ||||
| SC-07(04) | External Telecommunications Services | ||||
| SC-07(05) | Deny by Default — Allow by Exception | ||||
| SC-07(06) | Response to Recognized Failures | Incorporated into SC-7.18. | |||
| SC-07(07) | Split Tunneling for Remote Devices | ||||
| SC-07(08) | Route Traffic to Authenticated Proxy Servers | ||||
| SC-07(09) | Restrict Threatening Outgoing Communications Traffic | ||||
| SC-07(10) | Prevent Exfiltration | ||||
| SC-07(11) | Restrict Incoming Communications Traffic | ||||
| SC-07(12) | Host-based Protection | ||||
| SC-07(13) | Isolation of Security Tools, Mechanisms, and Support Components | ||||
| SC-07(14) | Protect Against Unauthorized Physical Connections | ||||
| SC-07(15) | Networked Privileged Accesses | ||||
| SC-07(16) | Prevent Discovery of System Components | ||||
| SC-07(17) | Automated Enforcement of Protocol Formats | ||||
| SC-07(18) | Fail Secure | ||||
| SC-07(19) | Block Communication from Non-organizationally Configured Hosts | ||||
| SC-07(20) | Dynamic Isolation and Segregation | ||||
| SC-07(21) | Isolation of System Components | ||||
| SC-07(22) | Separate Subnets for Connecting to Different Security Domains | ||||
| SC-07(23) | Disable Sender Feedback on Protocol Validation Failure | ||||
| SC-07(24) | Personally Identifiable Information | ||||
| SC-07(25) | Unclassified National Security System Connections | ||||
| SC-07(26) | Classified National Security System Connections | ||||
| SC-07(27) | Unclassified Non-national Security System Connections | ||||
| SC-07(28) | Connections to Public Networks | ||||
| SC-07(29) | Separate Subnets to Isolate Functions | ||||
| SC-08 | Transmission Confidentiality and Integrity | ||||
| SC-08(01) | Cryptographic Protection | ||||
| SC-08(02) | Pre- and Post-transmission Handling | ||||
| SC-08(03) | Cryptographic Protection for Message Externals | ||||
| SC-08(04) | Conceal or Randomize Communications | ||||
| SC-08(05) | Protected Distribution System | ||||
| SC-09 | Transmission Confidentiality | Incorporated into SC-8. | |||
| SC-10 | Network Disconnect | ||||
| SC-11 | Trusted Path | ||||
| SC-11(01) | Irrefutable Communications Path | ||||
| SC-12 | Cryptographic Key Establishment and Management | ||||
| SC-12(01) | Availability | ||||
| SC-12(02) | Symmetric Keys | ||||
| SC-12(03) | Asymmetric Keys | ||||
| SC-12(04) | PKI Certificates | Incorporated into SC-12.3. | |||
| SC-12(05) | PKI Certificates / Hardware Tokens | Incorporated into SC-12.3. | |||
| SC-12(06) | Physical Control of Keys | ||||
| SC-13 | Cryptographic Protection | ||||
| SC-13(01) | FIPS-validated Cryptography | Incorporated into SC-13. | |||
| SC-13(02) | NSA-approved Cryptography | Incorporated into SC-13. | |||
| SC-13(03) | Individuals Without Formal Access Approvals | Incorporated into SC-13. | |||
| SC-13(04) | Digital Signatures | Incorporated into SC-13. | |||
| SC-14 | Public Access Protections | Incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, AND SI-10. | |||
| SC-15 | Collaborative Computing Devices and Applications | ||||
| SC-15(01) | Physical or Logical Disconnect | ||||
| SC-15(02) | Blocking Inbound and Outbound Communications Traffic | Incorporated into SC-7. | |||
| SC-15(03) | Disabling and Removal in Secure Work Areas | ||||
| SC-15(04) | Explicitly Indicate Current Participants | ||||
| SC-16 | Transmission of Security and Privacy Attributes | ||||
| SC-16(01) | Integrity Verification | ||||
| SC-16(02) | Anti-spoofing Mechanisms | ||||
| SC-16(03) | Cryptographic Binding | ||||
| SC-17 | Public Key Infrastructure Certificates | ||||
| SC-18 | Mobile Code | ||||
| SC-18(01) | Identify Unacceptable Code and Take Corrective Actions | ||||
| SC-18(02) | Acquisition, Development, and Use | ||||
| SC-18(03) | Prevent Downloading and Execution | ||||
| SC-18(04) | Prevent Automatic Execution | ||||
| SC-18(05) | Allow Execution Only in Confined Environments | ||||
| SC-19 | Voice Over Internet Protocol | ||||
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | ||||
| SC-20(01) | Child Subspaces | Incorporated into SC-20. | |||
| SC-20(02) | Data Origin and Integrity | ||||
| SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | ||||
| SC-21(01) | Data Origin and Integrity | Incorporated into SC-21. | |||
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | ||||
| SC-23 | Session Authenticity | ||||
| SC-23(01) | Invalidate Session Identifiers at Logout | ||||
| SC-23(02) | User-initiated Logouts and Message Displays | Incorporated into AC-12.1. | |||
| SC-23(03) | Unique System-generated Session Identifiers | ||||
| SC-23(04) | Unique Session Identifiers with Randomization | Incorporated into SC-23.3. | |||
| SC-23(05) | Allowed Certificate Authorities | ||||
| SC-24 | Fail in Known State | ||||
| SC-25 | Thin Nodes | ||||
| SC-26 | Decoys | ||||
| SC-26(01) | Detection of Malicious Code | Incorporated into SC-35. | |||
| SC-27 | Platform-independent Applications | ||||
| SC-28 | Protection of Information at Rest | ||||
| SC-28(01) | Cryptographic Protection | ||||
| SC-28(02) | Offline Storage | ||||
| SC-28(03) | Cryptographic Keys | ||||
| SC-29 | Heterogeneity | ||||
| SC-29(01) | Virtualization Techniques | ||||
| SC-30 | Concealment and Misdirection | ||||
| SC-30(01) | Virtualization Techniques | Incorporated into SC-29.1. | |||
| SC-30(02) | Randomness | ||||
| SC-30(03) | Change Processing and Storage Locations | ||||
| SC-30(04) | Misleading Information | ||||
| SC-30(05) | Concealment of System Components | ||||
| SC-31 | Covert Channel Analysis | ||||
| SC-31(01) | Test Covert Channels for Exploitability | ||||
| SC-31(02) | Maximum Bandwidth | ||||
| SC-31(03) | Measure Bandwidth in Operational Environments | ||||
| SC-32 | System Partitioning | ||||
| SC-32(01) | Separate Physical Domains for Privileged Functions | ||||
| SC-33 | Transmission Preparation Integrity | Incorporated into SC-8. | |||
| SC-34 | Non-modifiable Executable Programs | ||||
| SC-34(01) | No Writable Storage | ||||
| SC-34(02) | Integrity Protection on Read-only Media | ||||
| SC-34(03) | Hardware-based Protection | Moved to SC-51. | |||
| SC-35 | External Malicious Code Identification | ||||
| SC-36 | Distributed Processing and Storage | ||||
| SC-36(01) | Polling Techniques | ||||
| SC-36(02) | Synchronization | ||||
| SC-37 | Out-of-band Channels | ||||
| SC-37(01) | Ensure Delivery and Transmission | ||||
| SC-38 | Operations Security | ||||
| SC-39 | Process Isolation | ||||
| SC-39(01) | Hardware Separation | ||||
| SC-39(02) | Separate Execution Domain Per Thread | ||||
| SC-40 | Wireless Link Protection | ||||
| SC-40(01) | Electromagnetic Interference | ||||
| SC-40(02) | Reduce Detection Potential | ||||
| SC-40(03) | Imitative or Manipulative Communications Deception | ||||
| SC-40(04) | Signal Parameter Identification | ||||
| SC-41 | Port and I/O Device Access | ||||
| SC-42 | Sensor Capability and Data | ||||
| SC-42(01) | Reporting to Authorized Individuals or Roles | ||||
| SC-42(02) | Authorized Use | ||||
| SC-42(03) | Prohibit Use of Devices | Incorporated into SC-42. | |||
| SC-42(04) | Notice of Collection | ||||
| SC-42(05) | Collection Minimization | ||||
| SC-43 | Usage Restrictions | ||||
| SC-44 | Detonation Chambers | ||||
| SC-45 | System Time Synchronization | ||||
| SC-45(01) | Synchronization with Authoritative Time Source | ||||
| SC-45(02) | Secondary Authoritative Time Source | ||||
| SC-46 | Cross Domain Policy Enforcement | ||||
| SC-47 | Alternate Communications Paths | ||||
| SC-48 | Sensor Relocation | ||||
| SC-48(01) | Dynamic Relocation of Sensors or Monitoring Capabilities | ||||
| SC-49 | Hardware-enforced Separation and Policy Enforcement | ||||
| SC-50 | Software-enforced Separation and Policy Enforcement | ||||
| SC-51 | Hardware-based Protection | ||||
| SI-01 | Policy and Procedures | ||||
| SI-02 | Flaw Remediation | ||||
| SI-02(01) | Central Management | Incorporated into PL-9. | |||
| SI-02(02) | Automated Flaw Remediation Status | ||||
| SI-02(03) | Time to Remediate Flaws and Benchmarks for Corrective Actions | ||||
| SI-02(04) | Automated Patch Management Tools | ||||
| SI-02(05) | Automatic Software and Firmware Updates | ||||
| SI-02(06) | Removal of Previous Versions of Software and Firmware | ||||
| SI-03 | Malicious Code Protection | ||||
| SI-03(01) | Central Management | Incorporated into PL-9. | |||
| SI-03(02) | Automatic Updates | Incorporated into SI-3. | |||
| SI-03(03) | Non-privileged Users | Incorporated into AC-6.10. | |||
| SI-03(04) | Updates Only by Privileged Users | ||||
| SI-03(05) | Portable Storage Devices | Incorporated into MP-7. | |||
| SI-03(06) | Testing and Verification | ||||
| SI-03(07) | Nonsignature-based Detection | Incorporated into SI-3. | |||
| SI-03(08) | Detect Unauthorized Commands | ||||
| SI-03(09) | Authenticate Remote Commands | Moved to AC-17.10. | |||
| SI-03(10) | Malicious Code Analysis | ||||
| SI-04 | System Monitoring | ||||
| SI-04(01) | System-wide Intrusion Detection System | ||||
| SI-04(02) | Automated Tools and Mechanisms for Real-time Analysis | ||||
| SI-04(03) | Automated Tool and Mechanism Integration | ||||
| SI-04(04) | Inbound and Outbound Communications Traffic | ||||
| SI-04(05) | System-generated Alerts | ||||
| SI-04(06) | Restrict Non-privileged Users | Incorporated into AC-6.10. | |||
| SI-04(07) | Automated Response to Suspicious Events | ||||
| SI-04(08) | Protection of Monitoring Information | Incorporated into SI-4. | |||
| SI-04(09) | Testing of Monitoring Tools and Mechanisms | ||||
| SI-04(10) | Visibility of Encrypted Communications | ||||
| SI-04(11) | Analyze Communications Traffic Anomalies | ||||
| SI-04(12) | Automated Organization-generated Alerts | ||||
| SI-04(13) | Analyze Traffic and Event Patterns | ||||
| SI-04(14) | Wireless Intrusion Detection | ||||
| SI-04(15) | Wireless to Wireline Communications | ||||
| SI-04(16) | Correlate Monitoring Information | ||||
| SI-04(17) | Integrated Situational Awareness | ||||
| SI-04(18) | Analyze Traffic and Covert Exfiltration | ||||
| SI-04(19) | Risk for Individuals | ||||
| SI-04(20) | Privileged Users | ||||
| SI-04(21) | Probationary Periods | ||||
| SI-04(22) | Unauthorized Network Services | ||||
| SI-04(23) | Host-based Devices | ||||
| SI-04(24) | Indicators of Compromise | ||||
| SI-04(25) | Optimize Network Traffic Analysis | ||||
| SI-05 | Security Alerts, Advisories, and Directives | ||||
| SI-05(01) | Automated Alerts and Advisories | ||||
| SI-06 | Security and Privacy Function Verification | ||||
| SI-06(01) | Notification of Failed Security Tests | Incorporated into SI-6. | |||
| SI-06(02) | Automation Support for Distributed Testing | ||||
| SI-06(03) | Report Verification Results | ||||
| SI-07 | Software, Firmware, and Information Integrity | ||||
| SI-07(01) | Integrity Checks | ||||
| SI-07(02) | Automated Notifications of Integrity Violations | ||||
| SI-07(03) | Centrally Managed Integrity Tools | ||||
| SI-07(04) | Tamper-evident Packaging | Incorporated into SR-9. | |||
| SI-07(05) | Automated Response to Integrity Violations | ||||
| SI-07(06) | Cryptographic Protection | ||||
| SI-07(07) | Integration of Detection and Response | ||||
| SI-07(08) | Auditing Capability for Significant Events | ||||
| SI-07(09) | Verify Boot Process | ||||
| SI-07(10) | Protection of Boot Firmware | ||||
| SI-07(11) | Confined Environments with Limited Privileges | Moved to CM-7.6. | |||
| SI-07(12) | Integrity Verification | ||||
| SI-07(13) | Code Execution in Protected Environments | Moved to CM-7.7. | |||
| SI-07(14) | Binary or Machine Executable Code | Moved to CM-7.8. | |||
| SI-07(15) | Code Authentication | ||||
| SI-07(16) | Time Limit on Process Execution Without Supervision | ||||
| SI-07(17) | Runtime Application Self-protection | ||||
| SI-08 | Spam Protection | ||||
| SI-08(01) | Central Management | Incorporated into PL-9. | |||
| SI-08(02) | Automatic Updates | ||||
| SI-08(03) | Continuous Learning Capability | ||||
| SI-09 | Information Input Restrictions | Incorporated into AC-2, AC-3, AC-5, AND AC-6. | |||
| SI-10 | Information Input Validation | ||||
| SI-10(01) | Manual Override Capability | ||||
| SI-10(02) | Review and Resolve Errors | ||||
| SI-10(03) | Predictable Behavior | ||||
| SI-10(04) | Timing Interactions | ||||
| SI-10(05) | Restrict Inputs to Trusted Sources and Approved Formats | ||||
| SI-10(06) | Injection Prevention | ||||
| SI-11 | Error Handling | ||||
| SI-12 | Information Management and Retention | ||||
| SI-12(01) | Limit Personally Identifiable Information Elements | ||||
| SI-12(02) | Minimize Personally Identifiable Information in Testing, Training, and Research | ||||
| SI-12(03) | Information Disposal | ||||
| SI-13 | Predictable Failure Prevention | ||||
| SI-13(01) | Transferring Component Responsibilities | ||||
| SI-13(02) | Time Limit on Process Execution Without Supervision | Incorporated into SI-7.16. | |||
| SI-13(03) | Manual Transfer Between Components | ||||
| SI-13(04) | Standby Component Installation and Notification | ||||
| SI-13(05) | Failover Capability | ||||
| SI-14 | Non-persistence | ||||
| SI-14(01) | Refresh from Trusted Sources | ||||
| SI-14(02) | Non-persistent Information | ||||
| SI-14(03) | Non-persistent Connectivity | ||||
| SI-15 | Information Output Filtering | ||||
| SI-16 | Memory Protection | ||||
| SI-17 | Fail-safe Procedures | ||||
| SI-18 | Personally Identifiable Information Quality Operations | ||||
| SI-18(01) | Automation Support | ||||
| SI-18(02) | Data Tags | ||||
| SI-18(03) | Collection | ||||
| SI-18(04) | Individual Requests | ||||
| SI-18(05) | Notice of Correction or Deletion | ||||
| SI-19 | De-identification | ||||
| SI-19(01) | Collection | ||||
| SI-19(02) | Archiving | ||||
| SI-19(03) | Release | ||||
| SI-19(04) | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers | ||||
| SI-19(05) | Statistical Disclosure Control | ||||
| SI-19(06) | Differential Privacy | ||||
| SI-19(07) | Validated Algorithms and Software | ||||
| SI-19(08) | Motivated Intruder | ||||
| SI-20 | Tainting | ||||
| SI-21 | Information Refresh | ||||
| SI-22 | Information Diversity | ||||
| SI-23 | Information Fragmentation | ||||
| SR-01 | Policy and Procedures | ||||
| SR-02 | Supply Chain Risk Management Plan | ||||
| SR-02(01) | Establish SCRM Team | ||||
| SR-03 | Supply Chain Controls and Processes | ||||
| SR-03(01) | Diverse Supply Base | ||||
| SR-03(02) | Limitation of Harm | ||||
| SR-03(03) | Sub-tier Flow Down | ||||
| SR-04 | Provenance | ||||
| SR-04(01) | Identity | ||||
| SR-04(02) | Track and Trace | ||||
| SR-04(03) | Validate as Genuine and Not Altered | ||||
| SR-04(04) | Supply Chain Integrity — Pedigree | ||||
| SR-05 | Acquisition Strategies, Tools, and Methods | ||||
| SR-05(01) | Adequate Supply | ||||
| SR-05(02) | Assessments Prior to Selection, Acceptance, Modification, or Update | ||||
| SR-06 | Supplier Assessments and Reviews | ||||
| SR-06(01) | Testing and Analysis | ||||
| SR-07 | Supply Chain Operations Security | ||||
| SR-08 | Notification Agreements | ||||
| SR-09 | Tamper Resistance and Detection | ||||
| SR-09(01) | Multiple Stages of System Development Life Cycle | ||||
| SR-10 | Inspection of Systems or Components | ||||
| SR-11 | Component Authenticity | ||||
| SR-11(01) | Anti-counterfeit Training | ||||
| SR-11(02) | Configuration Control for Component Service and Repair | ||||
| SR-11(03) | Anti-counterfeit Scanning | ||||
| SR-12 | Component Disposal | ||||