SI-01 | Policy and Procedures |
SI-02 | Flaw Remediation |
SI-02(01) | Central Management | Incorporated into PL-9.
SI-02(02) | Automated Flaw Remediation Status |
SI-02(03) | Time to Remediate Flaws and Benchmarks for Corrective Actions |
SI-02(04) | Automated Patch Management Tools |
SI-02(05) | Automatic Software and Firmware Updates |
SI-02(06) | Removal of Previous Versions of Software and Firmware |
SI-03 | Malicious Code Protection |
SI-03(01) | Central Management | Incorporated into PL-9.
SI-03(02) | Automatic Updates | Incorporated into SI-3.
SI-03(03) | Non-privileged Users | Incorporated into AC-6.10.
SI-03(04) | Updates Only by Privileged Users |
SI-03(05) | Portable Storage Devices | Incorporated into MP-7.
SI-03(06) | Testing and Verification |
SI-03(07) | Nonsignature-based Detection | Incorporated into SI-3.
SI-03(08) | Detect Unauthorized Commands |
SI-03(09) | Authenticate Remote Commands | Moved to AC-17.10.
SI-03(10) | Malicious Code Analysis |
SI-04 | System Monitoring |
SI-04(01) | System-wide Intrusion Detection System |
SI-04(02) | Automated Tools and Mechanisms for Real-time Analysis |
SI-04(03) | Automated Tool and Mechanism Integration |
SI-04(04) | Inbound and Outbound Communications Traffic |
SI-04(05) | System-generated Alerts |
SI-04(06) | Restrict Non-privileged Users | Incorporated into AC-6.10.
SI-04(07) | Automated Response to Suspicious Events |
SI-04(08) | Protection of Monitoring Information | Incorporated into SI-4.
SI-04(09) | Testing of Monitoring Tools and Mechanisms |
SI-04(10) | Visibility of Encrypted Communications |
SI-04(11) | Analyze Communications Traffic Anomalies |
SI-04(12) | Automated Organization-generated Alerts |
SI-04(13) | Analyze Traffic and Event Patterns |
SI-04(14) | Wireless Intrusion Detection |
SI-04(15) | Wireless to Wireline Communications |
SI-04(16) | Correlate Monitoring Information |
SI-04(17) | Integrated Situational Awareness |
SI-04(18) | Analyze Traffic and Covert Exfiltration |
SI-04(19) | Risk for Individuals |
SI-04(20) | Privileged Users |
SI-04(21) | Probationary Periods |
SI-04(22) | Unauthorized Network Services |
SI-04(23) | Host-based Devices |
SI-04(24) | Indicators of Compromise |
SI-04(25) | Optimize Network Traffic Analysis |
SI-05 | Security Alerts, Advisories, and Directives |
SI-05(01) | Automated Alerts and Advisories |
SI-06 | Security and Privacy Function Verification |
SI-06(01) | Notification of Failed Security Tests | Incorporated into SI-6.
SI-06(02) | Automation Support for Distributed Testing |
SI-06(03) | Report Verification Results |
SI-07 | Software, Firmware, and Information Integrity |
SI-07(01) | Integrity Checks |
SI-07(02) | Automated Notifications of Integrity Violations |
SI-07(03) | Centrally Managed Integrity Tools |
SI-07(04) | Tamper-evident Packaging | Incorporated into SR-9.
SI-07(05) | Automated Response to Integrity Violations |
SI-07(06) | Cryptographic Protection |
SI-07(07) | Integration of Detection and Response |
SI-07(08) | Auditing Capability for Significant Events |
SI-07(09) | Verify Boot Process |
SI-07(10) | Protection of Boot Firmware |
SI-07(11) | Confined Environments with Limited Privileges | Moved to CM-7.6.
SI-07(12) | Integrity Verification |
SI-07(13) | Code Execution in Protected Environments | Moved to CM-7.7.
SI-07(14) | Binary or Machine Executable Code | Moved to CM-7.8.
SI-07(15) | Code Authentication |
SI-07(16) | Time Limit on Process Execution Without Supervision |
SI-07(17) | Runtime Application Self-protection |
SI-08 | Spam Protection |
SI-08(01) | Central Management | Incorporated into PL-9.
SI-08(02) | Automatic Updates |
SI-08(03) | Continuous Learning Capability |
SI-09 | Information Input Restrictions | Incorporated into AC-2, AC-3, AC-5, and AC-6.
SI-10 | Information Input Validation |
SI-10(01) | Manual Override Capability |
SI-10(02) | Review and Resolve Errors |
SI-10(03) | Predictable Behavior |
SI-10(04) | Timing Interactions |
SI-10(05) | Restrict Inputs to Trusted Sources and Approved Formats |
SI-10(06) | Injection Prevention |
SI-11 | Error Handling |
SI-12 | Information Management and Retention |
SI-12(01) | Limit Personally Identifiable Information Elements |
SI-12(02) | Minimize Personally Identifiable Information in Testing, Training, and Research |
SI-12(03) | Information Disposal |
SI-13 | Predictable Failure Prevention |
SI-13(01) | Transferring Component Responsibilities |
SI-13(02) | Time Limit on Process Execution Without Supervision | Incorporated into SI-7.16.
SI-13(03) | Manual Transfer Between Components |
SI-13(04) | Standby Component Installation and Notification |
SI-13(05) | Failover Capability |
SI-14 | Non-persistence |
SI-14(01) | Refresh from Trusted Sources |
SI-14(02) | Non-persistent Information |
SI-14(03) | Non-persistent Connectivity |
SI-15 | Information Output Filtering |
SI-16 | Memory Protection |
SI-17 | Fail-safe Procedures |
SI-18 | Personally Identifiable Information Quality Operations |
SI-18(01) | Automation Support |
SI-18(02) | Data Tags |
SI-18(03) | Collection |
SI-18(04) | Individual Requests |
SI-18(05) | Notice of Correction or Deletion |
SI-19 | De-identification |
SI-19(01) | Collection |
SI-19(02) | Archiving |
SI-19(03) | Release |
SI-19(04) | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers |
SI-19(05) | Statistical Disclosure Control |
SI-19(06) | Differential Privacy |
SI-19(07) | Validated Algorithms and Software |
SI-19(08) | Motivated Intruder |
SI-20 | Tainting |
SI-21 | Information Refresh |
SI-22 | Information Diversity |
SI-23 | Information Fragmentation |