CONTROL ID | FAMILY (for enhancements: parent control) | CONTROL / ENHANCEMENT TITLE |
AC-1 ACCESS CONTROL | ACCESS CONTROL POLICY AND PROCEDURES |
AC-2 ACCESS CONTROL | ACCOUNT MANAGEMENT |
| AC-2 (1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT |
| AC-2 (2) ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS |
| AC-2 (3) ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS |
| AC-2 (4) ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS |
| AC-2 (5) ACCOUNT MANAGEMENT | INACTIVITY LOGOUT |
| AC-2 (7) ACCOUNT MANAGEMENT | ROLE-BASED SCHEMES |
| AC-2 (9) ACCOUNT MANAGEMENT | RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS |
| AC-2 (10) ACCOUNT MANAGEMENT | SHARED/GROUP ACCOUNT CREDENTIAL TERMINATION |
| AC-2 (12) ACCOUNT MANAGEMENT | ACCOUNT MONITORING/ATYPICAL USAGE |
AC-3 ACCESS CONTROL | ACCESS ENFORCEMENT |
AC-4 ACCESS CONTROL | INFORMATION FLOW ENFORCEMENT |
| AC-4 (21) INFORMATION FLOW ENFORCEMENT | PHYSICAL/LOGICAL SEPARATION OF INFORMATION FLOWS |
AC-5 ACCESS CONTROL | SEPARATION OF DUTIES |
AC-6 ACCESS CONTROL | LEAST PRIVILEGE |
| AC-6 (1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS |
| AC-6 (2) LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS |
| AC-6 (5) LEAST PRIVILEGE | PRIVILEGED ACCOUNTS |
| AC-6 (9) LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS |
| AC-6 (10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS |
AC-7 ACCESS CONTROL | UNSUCCESSFUL LOGON ATTEMPTS |
| AC-7 (1) UNSUCCESSFUL LOGON ATTEMPTS | AUTOMATIC ACCOUNT LOCK |
| AC-7 (2) UNSUCCESSFUL LOGON ATTEMPTS | PURGE/WIPE MOBILE DEVICE |
AC-8 ACCESS CONTROL | SYSTEM USE NOTIFICATION |
AC-10 ACCESS CONTROL | CONCURRENT SESSION CONTROL |
AC-11 ACCESS CONTROL | SESSION LOCK |
| AC-11 (1) SESSION LOCK | PATTERN-HIDING DISPLAYS |
AC-12 ACCESS CONTROL | SESSION TERMINATION |
AC-14 ACCESS CONTROL | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION |
| AC-14 (1) PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | NECESSARY USE |
AC-17 ACCESS CONTROL | REMOTE ACCESS |
| AC-17 (1) REMOTE ACCESS | AUTOMATED MONITORING / CONTROL |
| AC-17 (2) REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION |
| AC-17 (3) REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS |
| AC-17 (4) REMOTE ACCESS | PRIVILEGED COMMANDS/ACCESS |
| AC-17 (9) REMOTE ACCESS | DISCONNECT/DISABLE ACCESS |
AC-18 ACCESS CONTROL | WIRELESS ACCESS |
| AC-18 (1) WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION |
AC-19 ACCESS CONTROL | ACCESS CONTROL FOR MOBILE DEVICES |
| AC-19 (5) ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE / CONTAINER-BASED ENCRYPTION |
AC-20 ACCESS CONTROL | USE OF EXTERNAL INFORMATION SYSTEMS |
| AC-20 (1) USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE |
| AC-20 (2) USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE DEVICES |
AC-21 ACCESS CONTROL | INFORMATION SHARING |
AC-22 ACCESS CONTROL | PUBLICLY ACCESSIBLE CONTENT |
AT-1 AWARENESS AND TRAINING | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES |
AT-2 AWARENESS AND TRAINING | SECURITY AWARENESS TRAINING |
| AT-2 (2) SECURITY AWARENESS TRAINING | INSIDER THREAT |
AT-3 AWARENESS AND TRAINING | ROLE-BASED SECURITY TRAINING |
AT-4 AWARENESS AND TRAINING | SECURITY TRAINING RECORDS |
AU-1 AUDIT AND ACCOUNTABILITY | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES |
AU-2 AUDIT AND ACCOUNTABILITY | AUDIT EVENTS |
| AU-2 (3) AUDIT EVENTS | REVIEWS AND UPDATES |
AU-3 AUDIT AND ACCOUNTABILITY | CONTENT OF AUDIT RECORDS |
| AU-3 (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION |
AU-4 AUDIT AND ACCOUNTABILITY | AUDIT STORAGE CAPACITY |
AU-5 AUDIT AND ACCOUNTABILITY | RESPONSE TO AUDIT PROCESSING FAILURES |
AU-6 AUDIT AND ACCOUNTABILITY | AUDIT REVIEW, ANALYSIS, AND REPORTING |
| AU-6 (1) AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION |
| AU-6 (3) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT REPOSITORIES |
AU-7 AUDIT AND ACCOUNTABILITY | AUDIT REDUCTION AND REPORT GENERATION |
| AU-7 (1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING |
AU-8 AUDIT AND ACCOUNTABILITY | TIME STAMPS |
| AU-8 (1) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE |
AU-9 AUDIT AND ACCOUNTABILITY | PROTECTION OF AUDIT INFORMATION |
| AU-9 (2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS |
| AU-9 (4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS |
AU-11 AUDIT AND ACCOUNTABILITY | AUDIT RECORD RETENTION |
AU-12 AUDIT AND ACCOUNTABILITY | AUDIT GENERATION |
CA-1 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES |
CA-2 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY ASSESSMENTS |
| CA-2 (1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS |
| CA-2 (2) SECURITY ASSESSMENTS | SPECIALIZED ASSESSMENTS |
| CA-2 (3) SECURITY ASSESSMENTS | EXTERNAL ORGANIZATIONS |
CA-3 SECURITY ASSESSMENT AND AUTHORIZATION | SYSTEM INTERCONNECTIONS |
| CA-3 (3) SYSTEM INTERCONNECTIONS | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS |
| CA-3 (5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
CA-5 SECURITY ASSESSMENT AND AUTHORIZATION | PLAN OF ACTION AND MILESTONES |
CA-6 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY AUTHORIZATION |
CA-7 SECURITY ASSESSMENT AND AUTHORIZATION | CONTINUOUS MONITORING |
| CA-7 (1) CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT |
CA-8 SECURITY ASSESSMENT AND AUTHORIZATION | PENETRATION TESTING |
| CA-8 (1) PENETRATION TESTING | INDEPENDENT PENETRATION AGENT OR TEAM |
CA-9 SECURITY ASSESSMENT AND AUTHORIZATION | INTERNAL SYSTEM CONNECTIONS |
CM-1 CONFIGURATION MANAGEMENT | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES |
CM-2 CONFIGURATION MANAGEMENT | BASELINE CONFIGURATION |
| CM-2 (1) BASELINE CONFIGURATION | REVIEWS AND UPDATES |
| CM-2 (2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY |
| CM-2 (3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS |
| CM-2 (7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS |
CM-3 CONFIGURATION MANAGEMENT | CONFIGURATION CHANGE CONTROL |
CM-5 CONFIGURATION MANAGEMENT | ACCESS RESTRICTIONS FOR CHANGE |
CM-6 CONFIGURATION MANAGEMENT | CONFIGURATION SETTINGS |
CM-7 CONFIGURATION MANAGEMENT | LEAST FUNCTIONALITY |
| CM-7 (1) LEAST FUNCTIONALITY | PERIODIC REVIEW |
| CM-7 (2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION |
| CM-7 (5) LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE/WHITELISTING |
CM-8 CONFIGURATION MANAGEMENT | INFORMATION SYSTEM COMPONENT INVENTORY |
| CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS |
| CM-8 (3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION |
| CM-8 (5) INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS |
CM-9 CONFIGURATION MANAGEMENT | CONFIGURATION MANAGEMENT PLAN |
| CM-9 (1) CONFIGURATION MANAGEMENT PLAN | ASSIGNMENT OF RESPONSIBILITY |
CM-10 CONFIGURATION MANAGEMENT | SOFTWARE USAGE RESTRICTIONS |
| CM-10 (1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE |
CM-11 CONFIGURATION MANAGEMENT | USER-INSTALLED SOFTWARE |
CP-1 CONTINGENCY PLANNING | CONTINGENCY PLANNING POLICY AND PROCEDURES |
CP-2 CONTINGENCY PLANNING | CONTINGENCY PLAN |
| CP-2 (1) CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS |
| CP-2 (2) CONTINGENCY PLAN | CAPACITY PLANNING |
| CP-2 (3) CONTINGENCY PLAN | RESUME ESSENTIAL MISSIONS/BUSINESS FUNCTIONS |
| CP-2 (8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS |
CP-3 CONTINGENCY PLANNING | CONTINGENCY TRAINING |
CP-4 CONTINGENCY PLANNING | CONTINGENCY PLAN TESTING |
| CP-4 (1) CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS |
CP-6 CONTINGENCY PLANNING | ALTERNATE STORAGE SITE |
| CP-6 (1) ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE |
| CP-6 (3) ALTERNATE STORAGE SITE | ACCESSIBILITY |
CP-7 CONTINGENCY PLANNING | ALTERNATE PROCESSING SITE |
| CP-7 (1) ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE |
| CP-7 (2) ALTERNATE PROCESSING SITE | ACCESSIBILITY |
| CP-7 (3) ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE |
CP-8 CONTINGENCY PLANNING | TELECOMMUNICATIONS SERVICES |
| CP-8 (1) TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS |
| CP-8 (2) TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE |
CP-9 CONTINGENCY PLANNING | INFORMATION SYSTEM BACKUP |
| CP-9 (1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY |
| CP-9 (3) INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION |
CP-10 CONTINGENCY PLANNING | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION |
| CP-10 (2) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY |
IA-1 IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES |
IA-2 IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) |
| IA-2 (1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS |
| IA-2 (2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS |
| IA-2 (3) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO PRIVILEGED ACCOUNTS |
| IA-2 (5) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | GROUP AUTHENTICATION |
| IA-2 (8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT |
| IA-2 (11) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | REMOTE ACCESS - SEPARATE DEVICE |
| IA-2 (12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS |
IA-3 IDENTIFICATION AND AUTHENTICATION | DEVICE IDENTIFICATION AND AUTHENTICATION |
IA-4 IDENTIFICATION AND AUTHENTICATION | IDENTIFIER MANAGEMENT |
| IA-4 (4) IDENTIFIER MANAGEMENT | IDENTIFY USER STATUS |
IA-5 IDENTIFICATION AND AUTHENTICATION | AUTHENTICATOR MANAGEMENT |
| IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION |
| IA-5 (2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION |
| IA-5 (3) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION |
| IA-5 (4) AUTHENTICATOR MANAGEMENT | AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION |
| IA-5 (6) AUTHENTICATOR MANAGEMENT | PROTECTION OF AUTHENTICATORS |
| IA-5 (7) AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS |
| IA-5 (11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION |
IA-6 IDENTIFICATION AND AUTHENTICATION | AUTHENTICATOR FEEDBACK |
IA-7 IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC MODULE AUTHENTICATION |
IA-8 IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) |
| IA-8 (1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES |
| IA-8 (2) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF THIRD-PARTY CREDENTIALS |
| IA-8 (3) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-APPROVED PRODUCTS |
| IA-8 (4) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-ISSUED PROFILES |
IR-1 INCIDENT RESPONSE | INCIDENT RESPONSE POLICY AND PROCEDURES |
IR-2 INCIDENT RESPONSE | INCIDENT RESPONSE TRAINING |
IR-3 INCIDENT RESPONSE | INCIDENT RESPONSE TESTING |
| IR-3 (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS |
IR-4 INCIDENT RESPONSE | INCIDENT HANDLING |
| IR-4 (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES |
IR-5 INCIDENT RESPONSE | INCIDENT MONITORING |
| IR-5 (1) INCIDENT MONITORING | AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS |
IR-6 INCIDENT RESPONSE | INCIDENT REPORTING |
| IR-6 (1) INCIDENT REPORTING | AUTOMATED REPORTING |
IR-7 INCIDENT RESPONSE | INCIDENT RESPONSE ASSISTANCE |
| IR-7 (1) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT |
| IR-7 (2) INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS |
IR-8 INCIDENT RESPONSE | INCIDENT RESPONSE PLAN |
IR-9 INCIDENT RESPONSE | INFORMATION SPILLAGE RESPONSE |
| IR-9 (1) INFORMATION SPILLAGE RESPONSE | RESPONSIBLE PERSONNEL |
| IR-9 (2) INFORMATION SPILLAGE RESPONSE | TRAINING |
| IR-9 (3) INFORMATION SPILLAGE RESPONSE | POST-SPILL OPERATIONS |
| IR-9 (4) INFORMATION SPILLAGE RESPONSE | EXPOSURE TO UNAUTHORIZED PERSONNEL |
MA-1 MAINTENANCE | SYSTEM MAINTENANCE POLICY AND PROCEDURES |
MA-2 MAINTENANCE | CONTROLLED MAINTENANCE |
MA-3 MAINTENANCE | MAINTENANCE TOOLS |
| MA-3 (1) MAINTENANCE TOOLS | INSPECT TOOLS |
| MA-3 (2) MAINTENANCE TOOLS | INSPECT MEDIA |
| MA-3 (3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL |
MA-4 MAINTENANCE | NONLOCAL MAINTENANCE |
| MA-4 (2) NONLOCAL MAINTENANCE | DOCUMENT NONLOCAL MAINTENANCE |
MA-5 MAINTENANCE | MAINTENANCE PERSONNEL |
| MA-5 (1) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS |
MA-6 MAINTENANCE | TIMELY MAINTENANCE |
MP-1 MEDIA PROTECTION | MEDIA PROTECTION POLICY AND PROCEDURES |
MP-2 MEDIA PROTECTION | MEDIA ACCESS |
MP-3 MEDIA PROTECTION | MEDIA MARKING |
MP-4 MEDIA PROTECTION | MEDIA STORAGE |
MP-5 MEDIA PROTECTION | MEDIA TRANSPORT |
| MP-5 (4) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION |
MP-6 MEDIA PROTECTION | MEDIA SANITIZATION |
| MP-6 (2) MEDIA SANITIZATION | EQUIPMENT TESTING |
MP-7 MEDIA PROTECTION | MEDIA USE |
| MP-7 (1) MEDIA USE | PROHIBIT USE WITHOUT OWNER |
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES |
PE-2 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL ACCESS AUTHORIZATIONS |
PE-3 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL ACCESS CONTROL |
PE-4 PHYSICAL AND ENVIRONMENTAL PROTECTION | ACCESS CONTROL FOR TRANSMISSION MEDIUM |
PE-5 PHYSICAL AND ENVIRONMENTAL PROTECTION | ACCESS CONTROL FOR OUTPUT DEVICES |
PE-6 PHYSICAL AND ENVIRONMENTAL PROTECTION | MONITORING PHYSICAL ACCESS |
| PE-6 (1) MONITORING PHYSICAL ACCESS | INTRUSION ALARMS/SURVEILLANCE EQUIPMENT |
PE-8 PHYSICAL AND ENVIRONMENTAL PROTECTION | VISITOR ACCESS RECORDS |
PE-9 PHYSICAL AND ENVIRONMENTAL PROTECTION | POWER EQUIPMENT AND CABLING |
PE-10 PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY SHUTOFF |
PE-11 PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY POWER |
PE-12 PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY LIGHTING |
PE-13 PHYSICAL AND ENVIRONMENTAL PROTECTION | FIRE PROTECTION |
| PE-13 (2) FIRE PROTECTION | SUPPRESSION DEVICES/SYSTEMS |
| PE-13 (3) FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION |
PE-14 PHYSICAL AND ENVIRONMENTAL PROTECTION | TEMPERATURE AND HUMIDITY CONTROLS |
| PE-14 (2) TEMPERATURE AND HUMIDITY CONTROLS | MONITORING WITH ALARMS / NOTIFICATIONS |
PE-15 PHYSICAL AND ENVIRONMENTAL PROTECTION | WATER DAMAGE PROTECTION |
PE-16 PHYSICAL AND ENVIRONMENTAL PROTECTION | DELIVERY AND REMOVAL |
PE-17 PHYSICAL AND ENVIRONMENTAL PROTECTION | ALTERNATE WORK SITE |
PL-1 PLANNING | SECURITY PLANNING POLICY AND PROCEDURES |
PL-2 PLANNING | SYSTEM SECURITY PLAN |
| PL-2 (3) SYSTEM SECURITY PLAN | PLAN/COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES |
PL-3 PLANNING | SYSTEM SECURITY PLAN UPDATE |
PL-4 PLANNING | RULES OF BEHAVIOR |
| PL-4 (1) RULES OF BEHAVIOR | SOCIAL MEDIA AND NETWORKING RESTRICTIONS |
PL-8 PLANNING | INFORMATION SECURITY ARCHITECTURE |
PS-1 PERSONNEL SECURITY | PERSONNEL SECURITY POLICY AND PROCEDURES |
PS-2 PERSONNEL SECURITY | POSITION RISK DESIGNATION |
PS-3 PERSONNEL SECURITY | PERSONNEL SCREENING |
| PS-3 (3) PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTION MEASURES |
PS-4 PERSONNEL SECURITY | PERSONNEL TERMINATION |
PS-5 PERSONNEL SECURITY | PERSONNEL TRANSFER |
PS-6 PERSONNEL SECURITY | ACCESS AGREEMENTS |
PS-7 PERSONNEL SECURITY | THIRD-PARTY PERSONNEL SECURITY |
PS-8 PERSONNEL SECURITY | PERSONNEL SANCTIONS |
RA-1 RISK ASSESSMENT | RISK ASSESSMENT POLICY AND PROCEDURES |
RA-2 RISK ASSESSMENT | SECURITY CATEGORIZATION |
RA-3 RISK ASSESSMENT | RISK ASSESSMENT |
RA-5 RISK ASSESSMENT | VULNERABILITY SCANNING |
| RA-5 (1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY |
| RA-5 (2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED |
| RA-5 (3) VULNERABILITY SCANNING | BREADTH/DEPTH OF COVERAGE |
| RA-5 (5) VULNERABILITY SCANNING | PRIVILEGED ACCESS |
| RA-5 (6) VULNERABILITY SCANNING | AUTOMATED TREND ANALYSES |
| RA-5 (8) VULNERABILITY SCANNING | REVIEW HISTORIC AUDIT LOGS |
SA-1 SYSTEMS AND SERVICES ACQUISITION | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES |
SA-2 SYSTEMS AND SERVICES ACQUISITION | ALLOCATION OF RESOURCES |
SA-3 SYSTEMS AND SERVICES ACQUISITION | SYSTEM DEVELOPMENT LIFE CYCLE |
SA-4 SYSTEMS AND SERVICES ACQUISITION | ACQUISITION PROCESS |
| SA-4 (1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS |
| SA-4 (2) ACQUISITION PROCESS | DESIGN/IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS |
| SA-4 (8) ACQUISITION PROCESS | CONTINUOUS MONITORING PLAN |
| SA-4 (9) ACQUISITION PROCESS | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE |
| SA-4 (10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS |
SA-5 SYSTEMS AND SERVICES ACQUISITION | INFORMATION SYSTEM DOCUMENTATION |
SA-8 SYSTEMS AND SERVICES ACQUISITION | SECURITY ENGINEERING PRINCIPLES |
SA-9 SYSTEMS AND SERVICES ACQUISITION | EXTERNAL INFORMATION SYSTEM SERVICES |
| SA-9 (1) EXTERNAL INFORMATION SYSTEM SERVICES | RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS |
| SA-9 (2) EXTERNAL INFORMATION SYSTEM SERVICES | IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES |
| SA-9 (4) EXTERNAL INFORMATION SYSTEM SERVICES | CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS |
| SA-9 (5) EXTERNAL INFORMATION SYSTEM SERVICES | PROCESSING, STORAGE, AND SERVICE LOCATION |
SA-10 SYSTEMS AND SERVICES ACQUISITION | DEVELOPER CONFIGURATION MANAGEMENT |
| SA-10 (1) DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE/FIRMWARE INTEGRITY VERIFICATION |
SA-11 SYSTEMS AND SERVICES ACQUISITION | DEVELOPER SECURITY TESTING AND EVALUATION |
| SA-11 (1) DEVELOPER SECURITY TESTING AND EVALUATION | STATIC CODE ANALYSIS |
| SA-11 (2) DEVELOPER SECURITY TESTING AND EVALUATION | THREAT AND VULNERABILITY ANALYSES |
| SA-11 (8) DEVELOPER SECURITY TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS |
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES |
SC-2 SYSTEM AND COMMUNICATIONS PROTECTION | APPLICATION PARTITIONING |
SC-4 SYSTEM AND COMMUNICATIONS PROTECTION | INFORMATION IN SHARED RESOURCES |
SC-5 SYSTEM AND COMMUNICATIONS PROTECTION | DENIAL OF SERVICE PROTECTION |
SC-6 SYSTEM AND COMMUNICATIONS PROTECTION | RESOURCE AVAILABILITY |
SC-7 SYSTEM AND COMMUNICATIONS PROTECTION | BOUNDARY PROTECTION |
| SC-7 (3) BOUNDARY PROTECTION | ACCESS POINTS |
| SC-7 (4) BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES |
| SC-7 (5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION |
| SC-7 (7) BOUNDARY PROTECTION | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES |
| SC-7 (8) BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS |
| SC-7 (12) BOUNDARY PROTECTION | ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS |
| SC-7 (13) BOUNDARY PROTECTION | PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS |
| SC-7 (18) BOUNDARY PROTECTION | FAIL SECURE |
SC-8 SYSTEM AND COMMUNICATIONS PROTECTION | TRANSMISSION CONFIDENTIALITY AND INTEGRITY |
| SC-8 (1) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION |
SC-10 SYSTEM AND COMMUNICATIONS PROTECTION | NETWORK DISCONNECT |
SC-12 SYSTEM AND COMMUNICATIONS PROTECTION | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT |
| SC-12 (2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC KEYS |
| SC-12 (3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | ASYMMETRIC KEYS |
SC-13 SYSTEM AND COMMUNICATIONS PROTECTION | CRYPTOGRAPHIC PROTECTION |
SC-15 SYSTEM AND COMMUNICATIONS PROTECTION | COLLABORATIVE COMPUTING DEVICES |
SC-17 SYSTEM AND COMMUNICATIONS PROTECTION | PUBLIC KEY INFRASTRUCTURE CERTIFICATES |
SC-18 SYSTEM AND COMMUNICATIONS PROTECTION | MOBILE CODE |
SC-19 SYSTEM AND COMMUNICATIONS PROTECTION | VOICE OVER INTERNET PROTOCOL |
SC-20 SYSTEM AND COMMUNICATIONS PROTECTION | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) |
SC-21 SYSTEM AND COMMUNICATIONS PROTECTION | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) |
SC-22 SYSTEM AND COMMUNICATIONS PROTECTION | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE |
SC-23 SYSTEM AND COMMUNICATIONS PROTECTION | SESSION AUTHENTICITY |
SC-28 SYSTEM AND COMMUNICATIONS PROTECTION | PROTECTION OF INFORMATION AT REST |
| SC-28 (1) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION |
SC-39 SYSTEM AND COMMUNICATIONS PROTECTION | PROCESS ISOLATION |
SI-1 SYSTEM AND INFORMATION INTEGRITY | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES |
SI-2 SYSTEM AND INFORMATION INTEGRITY | FLAW REMEDIATION |
| SI-2 (2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS |
| SI-2 (3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS |
SI-3 SYSTEM AND INFORMATION INTEGRITY | MALICIOUS CODE PROTECTION |
| SI-3 (1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT |
| SI-3 (2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES |
| SI-3 (7) MALICIOUS CODE PROTECTION | NONSIGNATURE-BASED DETECTION |
SI-4 SYSTEM AND INFORMATION INTEGRITY | INFORMATION SYSTEM MONITORING |
| SI-4 (1) INFORMATION SYSTEM MONITORING | SYSTEM-WIDE INTRUSION DETECTION SYSTEM |
| SI-4 (2) INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS |
| SI-4 (4) INFORMATION SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC |
| SI-4 (5) INFORMATION SYSTEM MONITORING | SYSTEM-GENERATED ALERTS |
| SI-4 (14) INFORMATION SYSTEM MONITORING | WIRELESS INTRUSION DETECTION |
| SI-4 (16) INFORMATION SYSTEM MONITORING | CORRELATE MONITORING INFORMATION |
| SI-4 (23) INFORMATION SYSTEM MONITORING | HOST-BASED DEVICES |
SI-5 SYSTEM AND INFORMATION INTEGRITY | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES |
SI-6 SYSTEM AND INFORMATION INTEGRITY | SECURITY FUNCTION VERIFICATION |
SI-7 SYSTEM AND INFORMATION INTEGRITY | SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY |
| SI-7 (1) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS |
| SI-7 (7) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE |
SI-8 SYSTEM AND INFORMATION INTEGRITY | SPAM PROTECTION |
| SI-8 (1) SPAM PROTECTION | CENTRAL MANAGEMENT |
| SI-8 (2) SPAM PROTECTION | AUTOMATIC UPDATES |
SI-10 SYSTEM AND INFORMATION INTEGRITY | INFORMATION INPUT VALIDATION |
SI-11 SYSTEM AND INFORMATION INTEGRITY | ERROR HANDLING |
SI-12 SYSTEM AND INFORMATION INTEGRITY | INFORMATION HANDLING AND RETENTION |
SI-16 SYSTEM AND INFORMATION INTEGRITY | MEMORY PROTECTION |