Controls

Controls are policy- and technology-agnostic mechanisms for safeguarding information systems against compromises of the confidentiality, integrity, and/or availability of those systems.

Inventory

Number Title Low Moderate High Privacy
AC-01 Policy and Procedures
AC-02 Account Management
AC-02(01) Automated System Account Management
AC-02(02) Automated Temporary and Emergency Account Management
AC-02(03) Disable Accounts
AC-02(04) Automated Audit Actions
AC-02(05) Inactivity Logout
AC-02(06) Dynamic Privilege Management
AC-02(07) Privileged User Accounts
AC-02(08) Dynamic Account Management
AC-02(09) Restrictions on Use of Shared and Group Accounts
AC-02(10) Shared and Group Account Credential Change Incorporated into AC-2_SMT.K.
AC-02(11) Usage Conditions
AC-02(12) Account Monitoring for Atypical Usage
AC-02(13) Disable Accounts for High-risk Individuals
AC-03 Access Enforcement
AC-03(01) Restricted Access to Privileged Functions Incorporated into AC-6.
AC-03(02) Dual Authorization
AC-03(03) Mandatory Access Control
AC-03(04) Discretionary Access Control
AC-03(05) Security-relevant Information
AC-03(06) Protection of User and System Information Incorporated into MP-4 AND SC-28.
AC-03(07) Role-based Access Control
AC-03(08) Revocation of Access Authorizations
AC-03(09) Controlled Release
AC-03(10) Audited Override of Access Control Mechanisms
AC-03(11) Restrict Access to Specific Information Types
AC-03(12) Assert and Enforce Application Access
AC-03(13) Attribute-based Access Control
AC-03(14) Individual Access
AC-03(15) Discretionary and Mandatory Access Control
AC-04 Information Flow Enforcement
AC-04(01) Object Security and Privacy Attributes
AC-04(02) Processing Domains
AC-04(03) Dynamic Information Flow Control
AC-04(04) Flow Control of Encrypted Information
AC-04(05) Embedded Data Types
AC-04(06) Metadata
AC-04(07) One-way Flow Mechanisms
AC-04(08) Security and Privacy Policy Filters
AC-04(09) Human Reviews
AC-04(10) Enable and Disable Security or Privacy Policy Filters
AC-04(11) Configuration of Security or Privacy Policy Filters
AC-04(12) Data Type Identifiers
AC-04(13) Decomposition into Policy-relevant Subcomponents
AC-04(14) Security or Privacy Policy Filter Constraints
AC-04(15) Detection of Unsanctioned Information
AC-04(16) Information Transfers on Interconnected Systems Incorporated into AC-4.
AC-04(17) Domain Authentication
AC-04(18) Security Attribute Binding Incorporated into AC-16.
AC-04(19) Validation of Metadata
AC-04(20) Approved Solutions
AC-04(21) Physical or Logical Separation of Information Flows
AC-04(22) Access Only
AC-04(23) Modify Non-releasable Information
AC-04(24) Internal Normalized Format
AC-04(25) Data Sanitization
AC-04(26) Audit Filtering Actions
AC-04(27) Redundant/independent Filtering Mechanisms
AC-04(28) Linear Filter Pipelines
AC-04(29) Filter Orchestration Engines
AC-04(30) Filter Mechanisms Using Multiple Processes
AC-04(31) Failed Content Transfer Prevention
AC-04(32) Process Requirements for Information Transfer
AC-05 Separation of Duties
AC-06 Least Privilege
AC-06(01) Authorize Access to Security Functions
AC-06(02) Non-privileged Access for Nonsecurity Functions
AC-06(03) Network Access to Privileged Commands
AC-06(04) Separate Processing Domains
AC-06(05) Privileged Accounts
AC-06(06) Privileged Access by Non-organizational Users
AC-06(07) Review of User Privileges
AC-06(08) Privilege Levels for Code Execution
AC-06(09) Log Use of Privileged Functions
AC-06(10) Prohibit Non-privileged Users from Executing Privileged Functions
AC-07 Unsuccessful Logon Attempts
AC-07(01) Automatic Account Lock Incorporated into AC-7.
AC-07(02) Purge or Wipe Mobile Device
AC-07(03) Biometric Attempt Limiting
AC-07(04) Use of Alternate Authentication Factor
AC-08 System Use Notification
AC-09 Previous Logon Notification
AC-09(01) Unsuccessful Logons
AC-09(02) Successful and Unsuccessful Logons
AC-09(03) Notification of Account Changes
AC-09(04) Additional Logon Information
AC-10 Concurrent Session Control
AC-11 Device Lock
AC-11(01) Pattern-hiding Displays
AC-12 Session Termination
AC-12(01) User-initiated Logouts
AC-12(02) Termination Message
AC-12(03) Timeout Warning Message
AC-13 Supervision and Review — Access Control Incorporated into AC-2 AND AU-6.
AC-14 Permitted Actions Without Identification or Authentication
AC-14(01) Necessary Uses Incorporated into AC-14.
AC-15 Automated Marking Incorporated into MP-3.
AC-16 Security and Privacy Attributes
AC-16(01) Dynamic Attribute Association
AC-16(02) Attribute Value Changes by Authorized Individuals
AC-16(03) Maintenance of Attribute Associations by System
AC-16(04) Association of Attributes by Authorized Individuals
AC-16(05) Attribute Displays on Objects to Be Output
AC-16(06) Maintenance of Attribute Association
AC-16(07) Consistent Attribute Interpretation
AC-16(08) Association Techniques and Technologies
AC-16(09) Attribute Reassignment — Regrading Mechanisms
AC-16(10) Attribute Configuration by Authorized Individuals
AC-17 Remote Access
AC-17(01) Monitoring and Control
AC-17(02) Protection of Confidentiality and Integrity Using Encryption
AC-17(03) Managed Access Control Points
AC-17(04) Privileged Commands and Access
AC-17(05) Monitoring for Unauthorized Connections Incorporated into SI-4.
AC-17(06) Protection of Mechanism Information
AC-17(07) Additional Protection for Security Function Access Incorporated into AC-3.10.
AC-17(08) Disable Nonsecure Network Protocols Incorporated into CM-7.
AC-17(09) Disconnect or Disable Access
AC-17(10) Authenticate Remote Commands
AC-18 Wireless Access
AC-18(01) Authentication and Encryption
AC-18(02) Monitoring Unauthorized Connections Incorporated into SI-4.
AC-18(03) Disable Wireless Networking
AC-18(04) Restrict Configurations by Users
AC-18(05) Antennas and Transmission Power Levels
AC-19 Access Control for Mobile Devices
AC-19(01) Use of Writable and Portable Storage Devices Incorporated into MP-7.
AC-19(02) Use of Personally Owned Portable Storage Devices Incorporated into MP-7.
AC-19(03) Use of Portable Storage Devices with No Identifiable Owner Incorporated into MP-7.
AC-19(04) Restrictions for Classified Information
AC-19(05) Full Device or Container-based Encryption
AC-20 Use of External Systems
AC-20(01) Limits on Authorized Use
AC-20(02) Portable Storage Devices — Restricted Use
AC-20(03) Non-organizationally Owned Systems — Restricted Use
AC-20(04) Network Accessible Storage Devices — Prohibited Use
AC-20(05) Portable Storage Devices — Prohibited Use
AC-21 Information Sharing
AC-21(01) Automated Decision Support
AC-21(02) Information Search and Retrieval
AC-22 Publicly Accessible Content
AC-23 Data Mining Protection
AC-24 Access Control Decisions
AC-24(01) Transmit Access Authorization Information
AC-24(02) No User or Process Identity
AC-25 Reference Monitor
AT-01 Policy and Procedures
AT-02 Literacy Training and Awareness
AT-02(01) Practical Exercises
AT-02(02) Insider Threat
AT-02(03) Social Engineering and Mining
AT-02(04) Suspicious Communications and Anomalous System Behavior
AT-02(05) Advanced Persistent Threat
AT-02(06) Cyber Threat Environment
AT-03 Role-based Training
AT-03(01) Environmental Controls
AT-03(02) Physical Security Controls
AT-03(03) Practical Exercises
AT-03(04) Suspicious Communications and Anomalous System Behavior Moved to AT-2.4.
AT-03(05) Processing Personally Identifiable Information
AT-04 Training Records
AT-05 Contacts with Security Groups and Associations Incorporated into PM-15.
AT-06 Training Feedback
AU-01 Policy and Procedures
AU-02 Event Logging
AU-02(01) Compilation of Audit Records from Multiple Sources Incorporated into AU-12.
AU-02(02) Selection of Audit Events by Component Incorporated into AU-12.
AU-02(03) Reviews and Updates Incorporated into AU-2.
AU-02(04) Privileged Functions Incorporated into AC-6.9.
AU-03 Content of Audit Records
AU-03(01) Additional Audit Information
AU-03(02) Centralized Management of Planned Audit Record Content Incorporated into PL-9.
AU-03(03) Limit Personally Identifiable Information Elements
AU-04 Audit Log Storage Capacity
AU-04(01) Transfer to Alternate Storage
AU-05 Response to Audit Logging Process Failures
AU-05(01) Storage Capacity Warning
AU-05(02) Real-time Alerts
AU-05(03) Configurable Traffic Volume Thresholds
AU-05(04) Shutdown on Failure
AU-05(05) Alternate Audit Logging Capability
AU-06 Audit Record Review, Analysis, and Reporting
AU-06(01) Automated Process Integration
AU-06(02) Automated Security Alerts Incorporated into SI-4.
AU-06(03) Correlate Audit Record Repositories
AU-06(04) Central Review and Analysis
AU-06(05) Integrated Analysis of Audit Records
AU-06(06) Correlation with Physical Monitoring
AU-06(07) Permitted Actions
AU-06(08) Full Text Analysis of Privileged Commands
AU-06(09) Correlation with Information from Nontechnical Sources
AU-06(10) Audit Level Adjustment Incorporated into AU-6.
AU-07 Audit Record Reduction and Report Generation
AU-07(01) Automatic Processing
AU-07(02) Automatic Sort and Search Incorporated into AU-7.1.
AU-08 Time Stamps
AU-08(01) Synchronization with Authoritative Time Source Moved to SC-45.1.
AU-08(02) Secondary Authoritative Time Source Moved to SC-45.2.
AU-09 Protection of Audit Information
AU-09(01) Hardware Write-once Media
AU-09(02) Store on Separate Physical Systems or Components
AU-09(03) Cryptographic Protection
AU-09(04) Access by Subset of Privileged Users
AU-09(05) Dual Authorization
AU-09(06) Read-only Access
AU-09(07) Store on Component with Different Operating System
AU-10 Non-repudiation
AU-10(01) Association of Identities
AU-10(02) Validate Binding of Information Producer Identity
AU-10(03) Chain of Custody
AU-10(04) Validate Binding of Information Reviewer Identity
AU-10(05) Digital Signatures Incorporated into SI-7.
AU-11 Audit Record Retention
AU-11(01) Long-term Retrieval Capability
AU-12 Audit Record Generation
AU-12(01) System-wide and Time-correlated Audit Trail
AU-12(02) Standardized Formats
AU-12(03) Changes by Authorized Individuals
AU-12(04) Query Parameter Audits of Personally Identifiable Information
AU-13 Monitoring for Information Disclosure
AU-13(01) Use of Automated Tools
AU-13(02) Review of Monitored Sites
AU-13(03) Unauthorized Replication of Information
AU-14 Session Audit
AU-14(01) System Start-up
AU-14(02) Capture and Record Content Incorporated into AU-14.
AU-14(03) Remote Viewing and Listening
AU-15 Alternate Audit Logging Capability Moved to AU-5.5.
AU-16 Cross-organizational Audit Logging
AU-16(01) Identity Preservation
AU-16(02) Sharing of Audit Information
AU-16(03) Disassociability
CA-01 Policy and Procedures
CA-02 Control Assessments
CA-02(01) Independent Assessors
CA-02(02) Specialized Assessments
CA-02(03) Leveraging Results from External Organizations
CA-03 Information Exchange
CA-03(01) Unclassified National Security System Connections Moved to SC-7.25.
CA-03(02) Classified National Security System Connections Moved to SC-7.26.
CA-03(03) Unclassified Non-national Security System Connections Moved to SC-7.27.
CA-03(04) Connections to Public Networks Moved to SC-7.28.
CA-03(05) Restrictions on External System Connections Moved to SC-7.5.
CA-03(06) Transfer Authorizations
CA-03(07) Transitive Information Exchanges
CA-04 Security Certification Incorporated into CA-2.
CA-05 Plan of Action and Milestones
CA-05(01) Automation Support for Accuracy and Currency
CA-06 Authorization
CA-06(01) Joint Authorization — Intra-organization
CA-06(02) Joint Authorization — Inter-organization
CA-07 Continuous Monitoring
CA-07(01) Independent Assessment
CA-07(02) Types of Assessments Incorporated into CA-2.
CA-07(03) Trend Analyses
CA-07(04) Risk Monitoring
CA-07(05) Consistency Analysis
CA-07(06) Automation Support for Monitoring
CA-08 Penetration Testing
CA-08(01) Independent Penetration Testing Agent or Team
CA-08(02) Red Team Exercises
CA-08(03) Facility Penetration Testing
CA-09 Internal System Connections
CA-09(01) Compliance Checks
CM-01 Policy and Procedures
CM-02 Baseline Configuration
CM-02(01) Reviews and Updates Incorporated into CM-2.
CM-02(02) Automation Support for Accuracy and Currency
CM-02(03) Retention of Previous Configurations
CM-02(04) Unauthorized Software Incorporated into CM-7.4.
CM-02(05) Authorized Software Incorporated into CM-7.5.
CM-02(06) Development and Test Environments
CM-02(07) Configure Systems and Components for High-risk Areas
CM-03 Configuration Change Control
CM-03(01) Automated Documentation, Notification, and Prohibition of Changes
CM-03(02) Testing, Validation, and Documentation of Changes
CM-03(03) Automated Change Implementation
CM-03(04) Security and Privacy Representatives
CM-03(05) Automated Security Response
CM-03(06) Cryptography Management
CM-03(07) Review System Changes
CM-03(08) Prevent or Restrict Configuration Changes
CM-04 Impact Analyses
CM-04(01) Separate Test Environments
CM-04(02) Verification of Controls
CM-05 Access Restrictions for Change
CM-05(01) Automated Access Enforcement and Audit Records
CM-05(02) Review System Changes Incorporated into CM-3.7.
CM-05(03) Signed Components Moved to CM-14.
CM-05(04) Dual Authorization
CM-05(05) Privilege Limitation for Production and Operation
CM-05(06) Limit Library Privileges
CM-05(07) Automatic Implementation of Security Safeguards Incorporated into SI-7.
CM-06 Configuration Settings
CM-06(01) Automated Management, Application, and Verification
CM-06(02) Respond to Unauthorized Changes
CM-06(03) Unauthorized Change Detection Incorporated into SI-7.
CM-06(04) Conformance Demonstration Incorporated into CM-4.
CM-07 Least Functionality
CM-07(01) Periodic Review
CM-07(02) Prevent Program Execution
CM-07(03) Registration Compliance
CM-07(04) Unauthorized Software — Deny-by-exception
CM-07(05) Authorized Software — Allow-by-exception
CM-07(06) Confined Environments with Limited Privileges
CM-07(07) Code Execution in Protected Environments
CM-07(08) Binary or Machine Executable Code
CM-07(09) Prohibiting the Use of Unauthorized Hardware
CM-08 System Component Inventory
CM-08(01) Updates During Installation and Removal
CM-08(02) Automated Maintenance
CM-08(03) Automated Unauthorized Component Detection
CM-08(04) Accountability Information
CM-08(05) No Duplicate Accounting of Components Incorporated into CM-8.
CM-08(06) Assessed Configurations and Approved Deviations
CM-08(07) Centralized Repository
CM-08(08) Automated Location Tracking
CM-08(09) Assignment of Components to Systems
CM-09 Configuration Management Plan
CM-09(01) Assignment of Responsibility
CM-10 Software Usage Restrictions
CM-10(01) Open-source Software
CM-11 User-installed Software
CM-11(01) Alerts for Unauthorized Installations Incorporated into CM-8.3.
CM-11(02) Software Installation with Privileged Status
CM-11(03) Automated Enforcement and Monitoring
CM-12 Information Location
CM-12(01) Automated Tools to Support Information Location
CM-13 Data Action Mapping
CM-14 Signed Components
CP-01 Policy and Procedures
CP-02 Contingency Plan
CP-02(01) Coordinate with Related Plans
CP-02(02) Capacity Planning
CP-02(03) Resume Mission and Business Functions
CP-02(04) Resume All Mission and Business Functions Incorporated into CP-2.3.
CP-02(05) Continue Mission and Business Functions
CP-02(06) Alternate Processing and Storage Sites
CP-02(07) Coordinate with External Service Providers
CP-02(08) Identify Critical Assets
CP-03 Contingency Training
CP-03(01) Simulated Events
CP-03(02) Mechanisms Used in Training Environments
CP-04 Contingency Plan Testing
CP-04(01) Coordinate with Related Plans
CP-04(02) Alternate Processing Site
CP-04(03) Automated Testing
CP-04(04) Full Recovery and Reconstitution
CP-04(05) Self-challenge
CP-05 Contingency Plan Update Incorporated into CP-2.
CP-06 Alternate Storage Site
CP-06(01) Separation from Primary Site
CP-06(02) Recovery Time and Recovery Point Objectives
CP-06(03) Accessibility
CP-07 Alternate Processing Site
CP-07(01) Separation from Primary Site
CP-07(02) Accessibility
CP-07(03) Priority of Service
CP-07(04) Preparation for Use
CP-07(05) Equivalent Information Security Safeguards Incorporated into CP-7.
CP-07(06) Inability to Return to Primary Site
CP-08 Telecommunications Services
CP-08(01) Priority of Service Provisions
CP-08(02) Single Points of Failure
CP-08(03) Separation of Primary and Alternate Providers
CP-08(04) Provider Contingency Plan
CP-08(05) Alternate Telecommunication Service Testing
CP-09 System Backup
CP-09(01) Testing for Reliability and Integrity
CP-09(02) Test Restoration Using Sampling
CP-09(03) Separate Storage for Critical Information
CP-09(04) Protection from Unauthorized Modification Incorporated into CP-9.
CP-09(05) Transfer to Alternate Storage Site
CP-09(06) Redundant Secondary System
CP-09(07) Dual Authorization for Deletion or Destruction
CP-09(08) Cryptographic Protection
CP-10 System Recovery and Reconstitution
CP-10(01) Contingency Plan Testing Incorporated into CP-4.
CP-10(02) Transaction Recovery
CP-10(03) Compensating Security Controls
CP-10(04) Restore Within Time Period
CP-10(05) Failover Capability Incorporated into SI-13.
CP-10(06) Component Protection
CP-11 Alternate Communications Protocols
CP-12 Safe Mode
CP-13 Alternative Security Mechanisms
IA-01 Policy and Procedures
IA-02 Identification and Authentication (Organizational Users)
IA-02(01) Multi-factor Authentication to Privileged Accounts
IA-02(02) Multi-factor Authentication to Non-privileged Accounts
IA-02(03) Local Access to Privileged Accounts Incorporated into IA-2.1.
IA-02(04) Local Access to Non-privileged Accounts Incorporated into IA-2.2.
IA-02(05) Individual Authentication with Group Authentication
IA-02(06) Access to Accounts — Separate Device
IA-02(07) Network Access to Non-privileged Accounts — Separate Device Incorporated into IA-2.6.
IA-02(08) Access to Accounts — Replay Resistant
IA-02(09) Network Access to Non-privileged Accounts — Replay Resistant Incorporated into IA-2.8.
IA-02(10) Single Sign-on
IA-02(11) Remote Access — Separate Device Incorporated into IA-2.6.
IA-02(12) Acceptance of PIV Credentials
IA-02(13) Out-of-band Authentication
IA-03 Device Identification and Authentication
IA-03(01) Cryptographic Bidirectional Authentication
IA-03(02) Cryptographic Bidirectional Network Authentication Incorporated into IA-3.1.
IA-03(03) Dynamic Address Allocation
IA-03(04) Device Attestation
IA-04 Identifier Management
IA-04(01) Prohibit Account Identifiers as Public Identifiers
IA-04(02) Supervisor Authorization Incorporated into IA-12.1.
IA-04(03) Multiple Forms of Certification Incorporated into IA-12.2.
IA-04(04) Identify User Status
IA-04(05) Dynamic Management
IA-04(06) Cross-organization Management
IA-04(07) In-person Registration Incorporated into IA-12.4.
IA-04(08) Pairwise Pseudonymous Identifiers
IA-04(09) Attribute Maintenance and Protection
IA-05 Authenticator Management
IA-05(01) Password-based Authentication
IA-05(02) Public Key-based Authentication
IA-05(03) In-person or Trusted External Party Registration Incorporated into IA-12.4.
IA-05(04) Automated Support for Password Strength Determination Incorporated into IA-5.1.
IA-05(05) Change Authenticators Prior to Delivery
IA-05(06) Protection of Authenticators
IA-05(07) No Embedded Unencrypted Static Authenticators
IA-05(08) Multiple System Accounts
IA-05(09) Federated Credential Management
IA-05(10) Dynamic Credential Binding
IA-05(11) Hardware Token-based Authentication Incorporated into IA-2.1 AND IA-2.2.
IA-05(12) Biometric Authentication Performance
IA-05(13) Expiration of Cached Authenticators
IA-05(14) Managing Content of PKI Trust Stores
IA-05(15) GSA-approved Products and Services
IA-05(16) In-person or Trusted External Party Authenticator Issuance
IA-05(17) Presentation Attack Detection for Biometric Authenticators
IA-05(18) Password Managers
IA-06 Authentication Feedback
IA-07 Cryptographic Module Authentication
IA-08 Identification and Authentication (non-organizational Users)
IA-08(01) Acceptance of PIV Credentials from Other Agencies
IA-08(02) Acceptance of External Authenticators
IA-08(03) Use of FICAM-approved Products Incorporated into IA-8.2.
IA-08(04) Use of Defined Profiles
IA-08(05) Acceptance of PIV-I Credentials
IA-08(06) Disassociability
IA-09 Service Identification and Authentication
IA-09(01) Information Exchange Incorporated into IA-9.
IA-09(02) Transmission of Decisions Incorporated into IA-9.
IA-10 Adaptive Authentication
IA-11 Re-authentication
IA-12 Identity Proofing
IA-12(01) Supervisor Authorization
IA-12(02) Identity Evidence
IA-12(03) Identity Evidence Validation and Verification
IA-12(04) In-person Validation and Verification
IA-12(05) Address Confirmation
IA-12(06) Accept Externally-proofed Identities
IR-01 Policy and Procedures
IR-02 Incident Response Training
IR-02(01) Simulated Events
IR-02(02) Automated Training Environments
IR-02(03) Breach
IR-03 Incident Response Testing
IR-03(01) Automated Testing
IR-03(02) Coordination with Related Plans
IR-03(03) Continuous Improvement
IR-04 Incident Handling
IR-04(01) Automated Incident Handling Processes
IR-04(02) Dynamic Reconfiguration
IR-04(03) Continuity of Operations
IR-04(04) Information Correlation
IR-04(05) Automatic Disabling of System
IR-04(06) Insider Threats
IR-04(07) Insider Threats — Intra-organization Coordination
IR-04(08) Correlation with External Organizations
IR-04(09) Dynamic Response Capability
IR-04(10) Supply Chain Coordination
IR-04(11) Integrated Incident Response Team
IR-04(12) Malicious Code and Forensic Analysis
IR-04(13) Behavior Analysis
IR-04(14) Security Operations Center
IR-04(15) Public Relations and Reputation Repair
IR-05 Incident Monitoring
IR-05(01) Automated Tracking, Data Collection, and Analysis
IR-06 Incident Reporting
IR-06(01) Automated Reporting
IR-06(02) Vulnerabilities Related to Incidents
IR-06(03) Supply Chain Coordination
IR-07 Incident Response Assistance
IR-07(01) Automation Support for Availability of Information and Support
IR-07(02) Coordination with External Providers
IR-08 Incident Response Plan
IR-08(01) Breaches
IR-09 Information Spillage Response
IR-09(01) Responsible Personnel Incorporated into IR-9.
IR-09(02) Training
IR-09(03) Post-spill Operations
IR-09(04) Exposure to Unauthorized Personnel
IR-10 Integrated Information Security Analysis Team Moved to IR-4.11.
MA-01 Policy and Procedures
MA-02 Controlled Maintenance
MA-02(01) Record Content Incorporated into MA-2.
MA-02(02) Automated Maintenance Activities
MA-03 Maintenance Tools
MA-03(01) Inspect Tools
MA-03(02) Inspect Media
MA-03(03) Prevent Unauthorized Removal
MA-03(04) Restricted Tool Use
MA-03(05) Execution with Privilege
MA-03(06) Software Updates and Patches
MA-04 Nonlocal Maintenance
MA-04(01) Logging and Review
MA-04(02) Document Nonlocal Maintenance Incorporated into MA-1 AND MA-4.
MA-04(03) Comparable Security and Sanitization
MA-04(04) Authentication and Separation of Maintenance Sessions
MA-04(05) Approvals and Notifications
MA-04(06) Cryptographic Protection
MA-04(07) Disconnect Verification
MA-05 Maintenance Personnel
MA-05(01) Individuals Without Appropriate Access
MA-05(02) Security Clearances for Classified Systems
MA-05(03) Citizenship Requirements for Classified Systems
MA-05(04) Foreign Nationals
MA-05(05) Non-system Maintenance
MA-06 Timely Maintenance
MA-06(01) Preventive Maintenance
MA-06(02) Predictive Maintenance
MA-06(03) Automated Support for Predictive Maintenance
MA-07 Field Maintenance
MP-01 Policy and Procedures
MP-02 Media Access
MP-02(01) Automated Restricted Access Incorporated into MP-4.2.
MP-02(02) Cryptographic Protection Incorporated into SC-28.1.
MP-03 Media Marking
MP-04 Media Storage
MP-04(01) Cryptographic Protection Incorporated into SC-28.1.
MP-04(02) Automated Restricted Access
MP-05 Media Transport
MP-05(01) Protection Outside of Controlled Areas Incorporated into MP-5.
MP-05(02) Documentation of Activities Incorporated into MP-5.
MP-05(03) Custodians
MP-05(04) Cryptographic Protection Incorporated into SC-28.1.
MP-06 Media Sanitization
MP-06(01) Review, Approve, Track, Document, and Verify
MP-06(02) Equipment Testing
MP-06(03) Nondestructive Techniques
MP-06(04) Controlled Unclassified Information Incorporated into MP-6.
MP-06(05) Classified Information Incorporated into MP-6.
MP-06(06) Media Destruction Incorporated into MP-6.
MP-06(07) Dual Authorization
MP-06(08) Remote Purging or Wiping of Information
MP-07 Media Use
MP-07(01) Prohibit Use Without Owner Incorporated into MP-7.
MP-07(02) Prohibit Use of Sanitization-resistant Media
MP-08 Media Downgrading
MP-08(01) Documentation of Process
MP-08(02) Equipment Testing
MP-08(03) Controlled Unclassified Information
MP-08(04) Classified Information
PE-01 Policy and Procedures
PE-02 Physical Access Authorizations
PE-02(01) Access by Position or Role
PE-02(02) Two Forms of Identification
PE-02(03) Restrict Unescorted Access
PE-03 Physical Access Control
PE-03(01) System Access
PE-03(02) Facility and Systems
PE-03(03) Continuous Guards
PE-03(04) Lockable Casings
PE-03(05) Tamper Protection
PE-03(06) Facility Penetration Testing Incorporated into CA-8.
PE-03(07) Physical Barriers
PE-03(08) Access Control Vestibules
PE-04 Access Control for Transmission
PE-05 Access Control for Output Devices
PE-05(01) Access to Output by Authorized Individuals Incorporated into PE-5.
PE-05(02) Link to Individual Identity
PE-05(03) Marking Output Devices Incorporated into PE-22.
PE-06 Monitoring Physical Access
PE-06(01) Intrusion Alarms and Surveillance Equipment
PE-06(02) Automated Intrusion Recognition and Responses
PE-06(03) Video Surveillance
PE-06(04) Monitoring Physical Access to Systems
PE-07 Visitor Control Incorporated into PE-2 AND PE-3.
PE-08 Visitor Access Records
PE-08(01) Automated Records Maintenance and Review
PE-08(02) Physical Access Records Incorporated into PE-2.
PE-08(03) Limit Personally Identifiable Information Elements
PE-09 Power Equipment and Cabling
PE-09(01) Redundant Cabling
PE-09(02) Automatic Voltage Controls
PE-10 Emergency Shutoff
PE-10(01) Accidental and Unauthorized Activation Incorporated into PE-10.
PE-11 Emergency Power
PE-11(01) Alternate Power Supply — Minimal Operational Capability
PE-11(02) Alternate Power Supply — Self-contained
PE-12 Emergency Lighting
PE-12(01) Essential Mission and Business Functions
PE-13 Fire Protection
PE-13(01) Detection Systems — Automatic Activation and Notification
PE-13(02) Suppression Systems — Automatic Activation and Notification
PE-13(03) Automatic Fire Suppression Incorporated into PE-13.2.
PE-13(04) Inspections
PE-14 Environmental Controls
PE-14(01) Automatic Controls
PE-14(02) Monitoring with Alarms and Notifications
PE-15 Water Damage Protection
PE-15(01) Automation Support
PE-16 Delivery and Removal
PE-17 Alternate Work Site
PE-18 Location of System Components
PE-18(01) Facility Site Moved to PE-23.
PE-19 Information Leakage
PE-19(01) National Emissions Policies and Procedures
PE-20 Asset Monitoring and Tracking
PE-21 Electromagnetic Pulse Protection
PE-22 Component Marking
PE-23 Facility Location
PL-01 Policy and Procedures
PL-02 System Security and Privacy Plans
PL-02(01) Concept of Operations Incorporated into PL-7.
PL-02(02) Functional Architecture Incorporated into PL-8.
PL-02(03) Plan and Coordinate with Other Organizational Entities Incorporated into PL-2.
PL-03 System Security Plan Update Incorporated into PL-2.
PL-04 Rules of Behavior
PL-04(01) Social Media and External Site/application Usage Restrictions
PL-05 Privacy Impact Assessment Incorporated into RA-8.
PL-06 Security-related Activity Planning Incorporated into PL-2.
PL-07 Concept of Operations
PL-08 Security and Privacy Architectures
PL-08(01) Defense in Depth
PL-08(02) Supplier Diversity
PL-09 Central Management
PL-10 Baseline Selection
PL-11 Baseline Tailoring
PM-01 Information Security Program Plan
PM-02 Information Security Program Leadership Role
PM-03 Information Security and Privacy Resources
PM-04 Plan of Action and Milestones Process
PM-05 System Inventory
PM-05(01) Inventory of Personally Identifiable Information
PM-06 Measures of Performance
PM-07 Enterprise Architecture
PM-07(01) Offloading
PM-08 Critical Infrastructure Plan
PM-09 Risk Management Strategy
PM-10 Authorization Process
PM-11 Mission and Business Process Definition
PM-12 Insider Threat Program
PM-13 Security and Privacy Workforce
PM-14 Testing, Training, and Monitoring
PM-15 Security and Privacy Groups and Associations
PM-16 Threat Awareness Program
PM-16(01) Automated Means for Sharing Threat Intelligence
PM-17 Protecting Controlled Unclassified Information on External Systems
PM-18 Privacy Program Plan
PM-19 Privacy Program Leadership Role
PM-20 Dissemination of Privacy Program Information
PM-20(01) Privacy Policies on Websites, Applications, and Digital Services
PM-21 Accounting of Disclosures
PM-22 Personally Identifiable Information Quality Management
PM-23 Data Governance Body
PM-24 Data Integrity Board
PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research
PM-26 Complaint Management
PM-27 Privacy Reporting
PM-28 Risk Framing
PM-29 Risk Management Program Leadership Roles
PM-30 Supply Chain Risk Management Strategy
PM-30(01) Suppliers of Critical or Mission-essential Items
PM-31 Continuous Monitoring Strategy
PM-32 Purposing
PS-01 Policy and Procedures
PS-02 Position Risk Designation
PS-03 Personnel Screening
PS-03(01) Classified Information
PS-03(02) Formal Indoctrination
PS-03(03) Information Requiring Special Protective Measures
PS-03(04) Citizenship Requirements
PS-04 Personnel Termination
PS-04(01) Post-employment Requirements
PS-04(02) Automated Actions
PS-05 Personnel Transfer
PS-06 Access Agreements
PS-06(01) Information Requiring Special Protection Incorporated into PS-3.
PS-06(02) Classified Information Requiring Special Protection
PS-06(03) Post-employment Requirements
PS-07 External Personnel Security
PS-08 Personnel Sanctions
PS-09 Position Descriptions
PT-01 Policy and Procedures
PT-02 Authority to Process Personally Identifiable Information
PT-02(01) Data Tagging
PT-02(02) Automation
PT-03 Personally Identifiable Information Processing Purposes
PT-03(01) Data Tagging
PT-03(02) Automation
PT-04 Consent
PT-04(01) Tailored Consent
PT-04(02) Just-in-time Consent
PT-04(03) Revocation
PT-05 Privacy Notice
PT-05(01) Just-in-time Notice
PT-05(02) Privacy Act Statements
PT-06 System of Records Notice
PT-06(01) Routine Uses
PT-06(02) Exemption Rules
PT-07 Specific Categories of Personally Identifiable Information
PT-07(01) Social Security Numbers
PT-07(02) First Amendment Information
PT-08 Computer Matching Requirements
RA-01 Policy and Procedures
RA-02 Security Categorization
RA-02(01) Impact-level Prioritization
RA-03 Risk Assessment
RA-03(01) Supply Chain Risk Assessment
RA-03(02) Use of All-source Intelligence
RA-03(03) Dynamic Threat Awareness
RA-03(04) Predictive Cyber Analytics
RA-04 Risk Assessment Update Incorporated into RA-3.
RA-05 Vulnerability Monitoring and Scanning
RA-05(01) Update Tool Capability Incorporated into RA-5.
RA-05(02) Update Vulnerabilities to Be Scanned
RA-05(03) Breadth and Depth of Coverage
RA-05(04) Discoverable Information
RA-05(05) Privileged Access
RA-05(06) Automated Trend Analyses
RA-05(07) Automated Detection and Notification of Unauthorized Components Incorporated into CM-8.
RA-05(08) Review Historic Audit Logs
RA-05(09) Penetration Testing and Analyses Incorporated into CA-8.
RA-05(10) Correlate Scanning Information
RA-05(11) Public Disclosure Program
RA-06 Technical Surveillance Countermeasures Survey
RA-07 Risk Response
RA-08 Privacy Impact Assessments
RA-09 Criticality Analysis
RA-10 Threat Hunting
SA-01 Policy and Procedures
SA-02 Allocation of Resources
SA-03 System Development Life Cycle
SA-03(01) Manage Preproduction Environment
SA-03(02) Use of Live or Operational Data
SA-03(03) Technology Refresh
SA-04 Acquisition Process
SA-04(01) Functional Properties of Controls
SA-04(02) Design and Implementation Information for Controls
SA-04(03) Development Methods, Techniques, and Practices
SA-04(04) Assignment of Components to Systems Incorporated into CM-8.9.
SA-04(05) System, Component, and Service Configurations
SA-04(06) Use of Information Assurance Products
SA-04(07) NIAP-approved Protection Profiles
SA-04(08) Continuous Monitoring Plan for Controls
SA-04(09) Functions, Ports, Protocols, and Services in Use
SA-04(10) Use of Approved PIV Products
SA-04(11) System of Records
SA-04(12) Data Ownership
SA-05 System Documentation
SA-05(01) Functional Properties of Security Controls Incorporated into SA-4.1.
SA-05(02) Security-relevant External System Interfaces Incorporated into SA-4.2.
SA-05(03) High-level Design Incorporated into SA-4.2.
SA-05(04) Low-level Design Incorporated into SA-4.2.
SA-05(05) Source Code Incorporated into SA-4.2.
SA-06 Software Usage Restrictions Incorporated into CM-10 AND SI-7.
SA-07 User-installed Software Incorporated into CM-11 AND SI-7.
SA-08 Security and Privacy Engineering Principles
SA-08(01) Clear Abstractions
SA-08(02) Least Common Mechanism
SA-08(03) Modularity and Layering
SA-08(04) Partially Ordered Dependencies
SA-08(05) Efficiently Mediated Access
SA-08(06) Minimized Sharing
SA-08(07) Reduced Complexity
SA-08(08) Secure Evolvability
SA-08(09) Trusted Components
SA-08(10) Hierarchical Trust
SA-08(11) Inverse Modification Threshold
SA-08(12) Hierarchical Protection
SA-08(13) Minimized Security Elements
SA-08(14) Least Privilege
SA-08(15) Predicate Permission
SA-08(16) Self-reliant Trustworthiness
SA-08(17) Secure Distributed Composition
SA-08(18) Trusted Communications Channels
SA-08(19) Continuous Protection
SA-08(20) Secure Metadata Management
SA-08(21) Self-analysis
SA-08(22) Accountability and Traceability
SA-08(23) Secure Defaults
SA-08(24) Secure Failure and Recovery
SA-08(25) Economic Security
SA-08(26) Performance Security
SA-08(27) Human Factored Security
SA-08(28) Acceptable Security
SA-08(29) Repeatable and Documented Procedures
SA-08(30) Procedural Rigor
SA-08(31) Secure System Modification
SA-08(32) Sufficient Documentation
SA-08(33) Minimization
SA-09 External System Services
SA-09(01) Risk Assessments and Organizational Approvals
SA-09(02) Identification of Functions, Ports, Protocols, and Services
SA-09(03) Establish and Maintain Trust Relationship with Providers
SA-09(04) Consistent Interests of Consumers and Providers
SA-09(05) Processing, Storage, and Service Location
SA-09(06) Organization-controlled Cryptographic Keys
SA-09(07) Organization-controlled Integrity Checking
SA-09(08) Processing and Storage Location — U.S. Jurisdiction
SA-10 Developer Configuration Management
SA-10(01) Software and Firmware Integrity Verification
SA-10(02) Alternative Configuration Management Processes
SA-10(03) Hardware Integrity Verification
SA-10(04) Trusted Generation
SA-10(05) Mapping Integrity for Version Control
SA-10(06) Trusted Distribution
SA-10(07) Security and Privacy Representatives
SA-11 Developer Testing and Evaluation
SA-11(01) Static Code Analysis
SA-11(02) Threat Modeling and Vulnerability Analyses
SA-11(03) Independent Verification of Assessment Plans and Evidence
SA-11(04) Manual Code Reviews
SA-11(05) Penetration Testing
SA-11(06) Attack Surface Reviews
SA-11(07) Verify Scope of Testing and Evaluation
SA-11(08) Dynamic Code Analysis
SA-11(09) Interactive Application Security Testing
SA-12 Supply Chain Protection Incorporated into SR.
SA-12(01) Acquisition Strategies / Tools / Methods Moved to SR-5.
SA-12(02) Supplier Reviews Moved to SR-6.
SA-12(03) Trusted Shipping and Warehousing Incorporated into SR-3.
SA-12(04) Diversity of Suppliers Moved to SR-3.1.
SA-12(05) Limitation of Harm Moved to SR-3.2.
SA-12(06) Minimizing Procurement Time Incorporated into SR-5.1.
SA-12(07) Assessments Prior to Selection / Acceptance / Update Moved to SR-5.2.
SA-12(08) Use of All-source Intelligence Incorporated into RA-3.2.
SA-12(09) Operations Security Moved to SR-7.
SA-12(10) Validate as Genuine and Not Altered Moved to SR-4.3.
SA-12(11) Penetration Testing / Analysis of Elements, Processes, and Actors Moved to SR-6.1.
SA-12(12) Inter-organizational Agreements Moved to SR-8.
SA-12(13) Critical Information System Components Incorporated into MA-6 AND RA-9.
SA-12(14) Identity and Traceability Incorporated into SR-4.1 AND SR-4.2.
SA-12(15) Processes to Address Weaknesses or Deficiencies Incorporated into SR-3.
SA-13 Trustworthiness Incorporated into SA-8.
SA-14 Criticality Analysis Incorporated into RA-9.
SA-14(01) Critical Components with No Viable Alternative Sourcing Incorporated into SA-20.
SA-15 Development Process, Standards, and Tools
SA-15(01) Quality Metrics
SA-15(02) Security and Privacy Tracking Tools
SA-15(03) Criticality Analysis
SA-15(04) Threat Modeling and Vulnerability Analysis Incorporated into SA-11.2.
SA-15(05) Attack Surface Reduction
SA-15(06) Continuous Improvement
SA-15(07) Automated Vulnerability Analysis
SA-15(08) Reuse of Threat and Vulnerability Information
SA-15(09) Use of Live Data Incorporated into SA-3.2.
SA-15(10) Incident Response Plan
SA-15(11) Archive System or Component
SA-15(12) Minimize Personally Identifiable Information
SA-16 Developer-provided Training
SA-17 Developer Security and Privacy Architecture and Design
SA-17(01) Formal Policy Model
SA-17(02) Security-relevant Components
SA-17(03) Formal Correspondence
SA-17(04) Informal Correspondence
SA-17(05) Conceptually Simple Design
SA-17(06) Structure for Testing
SA-17(07) Structure for Least Privilege
SA-17(08) Orchestration
SA-17(09) Design Diversity
SA-18 Tamper Resistance and Detection Moved to SR-9.
SA-18(01) Multiple Phases of System Development Life Cycle Moved to SR-9.1.
SA-18(02) Inspection of Systems or Components Moved to SR-10.
SA-19 Component Authenticity Moved to SR-11.
SA-19(01) Anti-counterfeit Training Moved to SR-11.1.
SA-19(02) Configuration Control for Component Service and Repair Moved to SR-11.2.
SA-19(03) Component Disposal Moved to SR-12.
SA-19(04) Anti-counterfeit Scanning Moved to SR-11.3.
SA-20 Customized Development of Critical Components
SA-21 Developer Screening
SA-21(01) Validation of Screening Incorporated into SA-21.
SA-22 Unsupported System Components
SA-22(01) Alternative Sources for Continued Support Incorporated into SA-22.
SA-23 Specialization
SC-01 Policy and Procedures
SC-02 Separation of System and User Functionality
SC-02(01) Interfaces for Non-privileged Users
SC-02(02) Disassociability
SC-03 Security Function Isolation
SC-03(01) Hardware Separation
SC-03(02) Access and Flow Control Functions
SC-03(03) Minimize Nonsecurity Functionality
SC-03(04) Module Coupling and Cohesiveness
SC-03(05) Layered Structures
SC-04 Information in Shared System Resources
SC-04(01) Security Levels Incorporated into SC-4.
SC-04(02) Multilevel or Periods Processing
SC-05 Denial-of-service Protection
SC-05(01) Restrict Ability to Attack Other Systems
SC-05(02) Capacity, Bandwidth, and Redundancy
SC-05(03) Detection and Monitoring
SC-06 Resource Availability
SC-07 Boundary Protection
SC-07(01) Physically Separated Subnetworks Incorporated into SC-7.
SC-07(02) Public Access Incorporated into SC-7.
SC-07(03) Access Points
SC-07(04) External Telecommunications Services
SC-07(05) Deny by Default — Allow by Exception
SC-07(06) Response to Recognized Failures Incorporated into SC-7.18.
SC-07(07) Split Tunneling for Remote Devices
SC-07(08) Route Traffic to Authenticated Proxy Servers
SC-07(09) Restrict Threatening Outgoing Communications Traffic
SC-07(10) Prevent Exfiltration
SC-07(11) Restrict Incoming Communications Traffic
SC-07(12) Host-based Protection
SC-07(13) Isolation of Security Tools, Mechanisms, and Support Components
SC-07(14) Protect Against Unauthorized Physical Connections
SC-07(15) Networked Privileged Accesses
SC-07(16) Prevent Discovery of System Components
SC-07(17) Automated Enforcement of Protocol Formats
SC-07(18) Fail Secure
SC-07(19) Block Communication from Non-organizationally Configured Hosts
SC-07(20) Dynamic Isolation and Segregation
SC-07(21) Isolation of System Components
SC-07(22) Separate Subnets for Connecting to Different Security Domains
SC-07(23) Disable Sender Feedback on Protocol Validation Failure
SC-07(24) Personally Identifiable Information
SC-07(25) Unclassified National Security System Connections
SC-07(26) Classified National Security System Connections
SC-07(27) Unclassified Non-national Security System Connections
SC-07(28) Connections to Public Networks
SC-07(29) Separate Subnets to Isolate Functions
SC-08 Transmission Confidentiality and Integrity
SC-08(01) Cryptographic Protection
SC-08(02) Pre- and Post-transmission Handling
SC-08(03) Cryptographic Protection for Message Externals
SC-08(04) Conceal or Randomize Communications
SC-08(05) Protected Distribution System
SC-09 Transmission Confidentiality Incorporated into SC-8.
SC-10 Network Disconnect
SC-11 Trusted Path
SC-11(01) Irrefutable Communications Path
SC-12 Cryptographic Key Establishment and Management
SC-12(01) Availability
SC-12(02) Symmetric Keys
SC-12(03) Asymmetric Keys
SC-12(04) PKI Certificates Incorporated into SC-12.3.
SC-12(05) PKI Certificates / Hardware Tokens Incorporated into SC-12.3.
SC-12(06) Physical Control of Keys
SC-13 Cryptographic Protection
SC-13(01) FIPS-validated Cryptography Incorporated into SC-13.
SC-13(02) NSA-approved Cryptography Incorporated into SC-13.
SC-13(03) Individuals Without Formal Access Approvals Incorporated into SC-13.
SC-13(04) Digital Signatures Incorporated into SC-13.
SC-14 Public Access Protections Incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, AND SI-10.
SC-15 Collaborative Computing Devices and Applications
SC-15(01) Physical or Logical Disconnect
SC-15(02) Blocking Inbound and Outbound Communications Traffic Incorporated into SC-7.
SC-15(03) Disabling and Removal in Secure Work Areas
SC-15(04) Explicitly Indicate Current Participants
SC-16 Transmission of Security and Privacy Attributes
SC-16(01) Integrity Verification
SC-16(02) Anti-spoofing Mechanisms
SC-16(03) Cryptographic Binding
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-18(01) Identify Unacceptable Code and Take Corrective Actions
SC-18(02) Acquisition, Development, and Use
SC-18(03) Prevent Downloading and Execution
SC-18(04) Prevent Automatic Execution
SC-18(05) Allow Execution Only in Confined Environments
SC-19 Voice Over Internet Protocol
SC-20 Secure Name/address Resolution Service (Authoritative Source)
SC-20(01) Child Subspaces Incorporated into SC-20.
SC-20(02) Data Origin and Integrity
SC-21 Secure Name/address Resolution Service (Recursive or Caching Resolver)
SC-21(01) Data Origin and Integrity Incorporated into SC-21.
SC-22 Architecture and Provisioning for Name/address Resolution Service
SC-23 Session Authenticity
SC-23(01) Invalidate Session Identifiers at Logout
SC-23(02) User-initiated Logouts and Message Displays Incorporated into AC-12.1.
SC-23(03) Unique System-generated Session Identifiers
SC-23(04) Unique Session Identifiers with Randomization Incorporated into SC-23.3.
SC-23(05) Allowed Certificate Authorities
SC-24 Fail in Known State
SC-25 Thin Nodes
SC-26 Decoys
SC-26(01) Detection of Malicious Code Incorporated into SC-35.
SC-27 Platform-independent Applications
SC-28 Protection of Information at Rest
SC-28(01) Cryptographic Protection
SC-28(02) Offline Storage
SC-28(03) Cryptographic Keys
SC-29 Heterogeneity
SC-29(01) Virtualization Techniques
SC-30 Concealment and Misdirection
SC-30(01) Virtualization Techniques Incorporated into SC-29.1.
SC-30(02) Randomness
SC-30(03) Change Processing and Storage Locations
SC-30(04) Misleading Information
SC-30(05) Concealment of System Components
SC-31 Covert Channel Analysis
SC-31(01) Test Covert Channels for Exploitability
SC-31(02) Maximum Bandwidth
SC-31(03) Measure Bandwidth in Operational Environments
SC-32 System Partitioning
SC-32(01) Separate Physical Domains for Privileged Functions
SC-33 Transmission Preparation Integrity Incorporated into SC-8.
SC-34 Non-modifiable Executable Programs
SC-34(01) No Writable Storage
SC-34(02) Integrity Protection on Read-only Media
SC-34(03) Hardware-based Protection Moved to SC-51.
SC-35 External Malicious Code Identification
SC-36 Distributed Processing and Storage
SC-36(01) Polling Techniques
SC-36(02) Synchronization
SC-37 Out-of-band Channels
SC-37(01) Ensure Delivery and Transmission
SC-38 Operations Security
SC-39 Process Isolation
SC-39(01) Hardware Separation
SC-39(02) Separate Execution Domain Per Thread
SC-40 Wireless Link Protection
SC-40(01) Electromagnetic Interference
SC-40(02) Reduce Detection Potential
SC-40(03) Imitative or Manipulative Communications Deception
SC-40(04) Signal Parameter Identification
SC-41 Port and I/O Device Access
SC-42 Sensor Capability and Data
SC-42(01) Reporting to Authorized Individuals or Roles
SC-42(02) Authorized Use
SC-42(03) Prohibit Use of Devices Incorporated into SC-42.
SC-42(04) Notice of Collection
SC-42(05) Collection Minimization
SC-43 Usage Restrictions
SC-44 Detonation Chambers
SC-45 System Time Synchronization
SC-45(01) Synchronization with Authoritative Time Source
SC-45(02) Secondary Authoritative Time Source
SC-46 Cross Domain Policy Enforcement
SC-47 Alternate Communications Paths
SC-48 Sensor Relocation
SC-48(01) Dynamic Relocation of Sensors or Monitoring Capabilities
SC-49 Hardware-enforced Separation and Policy Enforcement
SC-50 Software-enforced Separation and Policy Enforcement
SC-51 Hardware-based Protection
SI-01 Policy and Procedures
SI-02 Flaw Remediation
SI-02(01) Central Management Incorporated into PL-9.
SI-02(02) Automated Flaw Remediation Status
SI-02(03) Time to Remediate Flaws and Benchmarks for Corrective Actions
SI-02(04) Automated Patch Management Tools
SI-02(05) Automatic Software and Firmware Updates
SI-02(06) Removal of Previous Versions of Software and Firmware
SI-03 Malicious Code Protection
SI-03(01) Central Management Incorporated into PL-9.
SI-03(02) Automatic Updates Incorporated into SI-3.
SI-03(03) Non-privileged Users Incorporated into AC-6.10.
SI-03(04) Updates Only by Privileged Users
SI-03(05) Portable Storage Devices Incorporated into MP-7.
SI-03(06) Testing and Verification
SI-03(07) Nonsignature-based Detection Incorporated into SI-3.
SI-03(08) Detect Unauthorized Commands
SI-03(09) Authenticate Remote Commands Moved to AC-17.10.
SI-03(10) Malicious Code Analysis
SI-04 System Monitoring
SI-04(01) System-wide Intrusion Detection System
SI-04(02) Automated Tools and Mechanisms for Real-time Analysis
SI-04(03) Automated Tool and Mechanism Integration
SI-04(04) Inbound and Outbound Communications Traffic
SI-04(05) System-generated Alerts
SI-04(06) Restrict Non-privileged Users Incorporated into AC-6.10.
SI-04(07) Automated Response to Suspicious Events
SI-04(08) Protection of Monitoring Information Incorporated into SI-4.
SI-04(09) Testing of Monitoring Tools and Mechanisms
SI-04(10) Visibility of Encrypted Communications
SI-04(11) Analyze Communications Traffic Anomalies
SI-04(12) Automated Organization-generated Alerts
SI-04(13) Analyze Traffic and Event Patterns
SI-04(14) Wireless Intrusion Detection
SI-04(15) Wireless to Wireline Communications
SI-04(16) Correlate Monitoring Information
SI-04(17) Integrated Situational Awareness
SI-04(18) Analyze Traffic and Covert Exfiltration
SI-04(19) Risk for Individuals
SI-04(20) Privileged Users
SI-04(21) Probationary Periods
SI-04(22) Unauthorized Network Services
SI-04(23) Host-based Devices
SI-04(24) Indicators of Compromise
SI-04(25) Optimize Network Traffic Analysis
SI-05 Security Alerts, Advisories, and Directives
SI-05(01) Automated Alerts and Advisories
SI-06 Security and Privacy Function Verification
SI-06(01) Notification of Failed Security Tests Incorporated into SI-6.
SI-06(02) Automation Support for Distributed Testing
SI-06(03) Report Verification Results
SI-07 Software, Firmware, and Information Integrity
SI-07(01) Integrity Checks
SI-07(02) Automated Notifications of Integrity Violations
SI-07(03) Centrally Managed Integrity Tools
SI-07(04) Tamper-evident Packaging Incorporated into SR-9.
SI-07(05) Automated Response to Integrity Violations
SI-07(06) Cryptographic Protection
SI-07(07) Integration of Detection and Response
SI-07(08) Auditing Capability for Significant Events
SI-07(09) Verify Boot Process
SI-07(10) Protection of Boot Firmware
SI-07(11) Confined Environments with Limited Privileges Moved to CM-7.6.
SI-07(12) Integrity Verification
SI-07(13) Code Execution in Protected Environments Moved to CM-7.7.
SI-07(14) Binary or Machine Executable Code Moved to CM-7.8.
SI-07(15) Code Authentication
SI-07(16) Time Limit on Process Execution Without Supervision
SI-07(17) Runtime Application Self-protection
SI-08 Spam Protection
SI-08(01) Central Management Incorporated into PL-9.
SI-08(02) Automatic Updates
SI-08(03) Continuous Learning Capability
SI-09 Information Input Restrictions Incorporated into AC-2, AC-3, AC-5, AND AC-6.
SI-10 Information Input Validation
SI-10(01) Manual Override Capability
SI-10(02) Review and Resolve Errors
SI-10(03) Predictable Behavior
SI-10(04) Timing Interactions
SI-10(05) Restrict Inputs to Trusted Sources and Approved Formats
SI-10(06) Injection Prevention
SI-11 Error Handling
SI-12 Information Management and Retention
SI-12(01) Limit Personally Identifiable Information Elements
SI-12(02) Minimize Personally Identifiable Information in Testing, Training, and Research
SI-12(03) Information Disposal
SI-13 Predictable Failure Prevention
SI-13(01) Transferring Component Responsibilities
SI-13(02) Time Limit on Process Execution Without Supervision Incorporated into SI-7.16.
SI-13(03) Manual Transfer Between Components
SI-13(04) Standby Component Installation and Notification
SI-13(05) Failover Capability
SI-14 Non-persistence
SI-14(01) Refresh from Trusted Sources
SI-14(02) Non-persistent Information
SI-14(03) Non-persistent Connectivity
SI-15 Information Output Filtering
SI-16 Memory Protection
SI-17 Fail-safe Procedures
SI-18 Personally Identifiable Information Quality Operations
SI-18(01) Automation Support
SI-18(02) Data Tags
SI-18(03) Collection
SI-18(04) Individual Requests
SI-18(05) Notice of Correction or Deletion
SI-19 De-identification
SI-19(01) Collection
SI-19(02) Archiving
SI-19(03) Release
SI-19(04) Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
SI-19(05) Statistical Disclosure Control
SI-19(06) Differential Privacy
SI-19(07) Validated Algorithms and Software
SI-19(08) Motivated Intruder
SI-20 Tainting
SI-21 Information Refresh
SI-22 Information Diversity
SI-23 Information Fragmentation
SR-01 Policy and Procedures
SR-02 Supply Chain Risk Management Plan
SR-02(01) Establish SCRM Team
SR-03 Supply Chain Controls and Processes
SR-03(01) Diverse Supply Base
SR-03(02) Limitation of Harm
SR-03(03) Sub-tier Flow Down
SR-04 Provenance
SR-04(01) Identity
SR-04(02) Track and Trace
SR-04(03) Validate as Genuine and Not Altered
SR-04(04) Supply Chain Integrity — Pedigree
SR-05 Acquisition Strategies, Tools, and Methods
SR-05(01) Adequate Supply
SR-05(02) Assessments Prior to Selection, Acceptance, Modification, or Update
SR-06 Supplier Assessments and Reviews
SR-06(01) Testing and Analysis
SR-07 Supply Chain Operations Security
SR-08 Notification Agreements
SR-09 Tamper Resistance and Detection
SR-09(01) Multiple Stages of System Development Life Cycle
SR-10 Inspection of Systems or Components
SR-11 Component Authenticity
SR-11(01) Anti-counterfeit Training
SR-11(02) Configuration Control for Component Service and Repair
SR-11(03) Anti-counterfeit Scanning
SR-12 Component Disposal