AC-1 ACCESS CONTROL | ACCESS CONTROL POLICY AND PROCEDURES |
AC-2 ACCESS CONTROL | ACCOUNT MANAGEMENT |
| AC-2 (1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT |
| AC-2 (2) ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS |
| AC-2 (3) ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS |
| AC-2 (4) ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS |
| AC-2 (5) ACCOUNT MANAGEMENT | INACTIVITY LOGOUT |
| AC-2 (6) ACCOUNT MANAGEMENT | DYNAMIC PRIVILEGE MANAGEMENT |
| AC-2 (7) ACCOUNT MANAGEMENT | ROLE-BASED SCHEMES |
| AC-2 (8) ACCOUNT MANAGEMENT | DYNAMIC ACCOUNT CREATION |
| AC-2 (9) ACCOUNT MANAGEMENT | RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS |
| AC-2 (10) ACCOUNT MANAGEMENT | SHARED/GROUP ACCOUNT CREDENTIAL TERMINATION |
| AC-2 (11) ACCOUNT MANAGEMENT | USAGE CONDITIONS |
| AC-2 (12) ACCOUNT MANAGEMENT | ACCOUNT MONITORING/ATYPICAL USAGE |
| AC-2 (13) ACCOUNT MANAGEMENT | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS |
AC-3 ACCESS CONTROL | ACCESS ENFORCEMENT |
| AC-3 (1) ACCESS ENFORCEMENT | RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS |
| AC-3 (2) ACCESS ENFORCEMENT | DUAL AUTHORIZATION |
| AC-3 (3) ACCESS ENFORCEMENT | MANDATORY ACCESS CONTROL |
| AC-3 (4) ACCESS ENFORCEMENT | DISCRETIONARY ACCESS CONTROL |
| AC-3 (5) ACCESS ENFORCEMENT | SECURITY-RELEVANT INFORMATION |
| AC-3 (6) ACCESS ENFORCEMENT | PROTECTION OF USER AND SYSTEM INFORMATION |
| AC-3 (7) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL |
| AC-3 (8) ACCESS ENFORCEMENT | REVOCATION OF ACCESS AUTHORIZATIONS |
| AC-3 (9) ACCESS ENFORCEMENT | CONTROLLED RELEASE |
| AC-3 (10) ACCESS ENFORCEMENT | AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS |
AC-4 ACCESS CONTROL | INFORMATION FLOW ENFORCEMENT |
| AC-4 (1) INFORMATION FLOW ENFORCEMENT | OBJECT SECURITY ATTRIBUTES |
| AC-4 (2) INFORMATION FLOW ENFORCEMENT | PROCESSING DOMAINS |
| AC-4 (3) INFORMATION FLOW ENFORCEMENT | DYNAMIC INFORMATION FLOW CONTROL |
| AC-4 (4) INFORMATION FLOW ENFORCEMENT | CONTENT CHECK ENCRYPTED INFORMATION |
| AC-4 (5) INFORMATION FLOW ENFORCEMENT | EMBEDDED DATA TYPES |
| AC-4 (6) INFORMATION FLOW ENFORCEMENT | METADATA |
| AC-4 (7) INFORMATION FLOW ENFORCEMENT | ONE-WAY FLOW MECHANISMS |
| AC-4 (8) INFORMATION FLOW ENFORCEMENT | SECURITY POLICY FILTERS |
| AC-4 (9) INFORMATION FLOW ENFORCEMENT | HUMAN REVIEWS |
| AC-4 (10) INFORMATION FLOW ENFORCEMENT | ENABLE/DISABLE SECURITY POLICY FILTERS |
| AC-4 (11) INFORMATION FLOW ENFORCEMENT | CONFIGURATION OF SECURITY POLICY FILTERS |
| AC-4 (12) INFORMATION FLOW ENFORCEMENT | DATA TYPE IDENTIFIERS |
| AC-4 (13) INFORMATION FLOW ENFORCEMENT | DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS |
| AC-4 (14) INFORMATION FLOW ENFORCEMENT | SECURITY POLICY FILTER CONSTRAINTS |
| AC-4 (15) INFORMATION FLOW ENFORCEMENT | DETECTION OF UNSANCTIONED INFORMATION |
| AC-4 (16) INFORMATION FLOW ENFORCEMENT | INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS |
| AC-4 (17) INFORMATION FLOW ENFORCEMENT | DOMAIN AUTHENTICATION |
| AC-4 (18) INFORMATION FLOW ENFORCEMENT | SECURITY ATTRIBUTE BINDING |
| AC-4 (19) INFORMATION FLOW ENFORCEMENT | VALIDATION OF METADATA |
| AC-4 (20) INFORMATION FLOW ENFORCEMENT | APPROVED SOLUTIONS |
| AC-4 (21) INFORMATION FLOW ENFORCEMENT | PHYSICAL/LOGICAL SEPARATION OF INFORMATION FLOWS |
| AC-4 (22) INFORMATION FLOW ENFORCEMENT | ACCESS ONLY |
AC-5 ACCESS CONTROL | SEPARATION OF DUTIES |
AC-6 ACCESS CONTROL | LEAST PRIVILEGE |
| AC-6 (1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS |
| AC-6 (2) LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS |
| AC-6 (3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS |
| AC-6 (4) LEAST PRIVILEGE | SEPARATE PROCESSING DOMAINS |
| AC-6 (5) LEAST PRIVILEGE | PRIVILEGED ACCOUNTS |
| AC-6 (6) LEAST PRIVILEGE | PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS |
| AC-6 (7) LEAST PRIVILEGE | REVIEW OF USER PRIVILEGES |
| AC-6 (8) LEAST PRIVILEGE | PRIVILEGE LEVELS FOR CODE EXECUTION |
| AC-6 (9) LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS |
| AC-6 (10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS |
AC-7 ACCESS CONTROL | UNSUCCESSFUL LOGON ATTEMPTS |
| AC-7 (1) UNSUCCESSFUL LOGON ATTEMPTS | AUTOMATIC ACCOUNT LOCK |
| AC-7 (2) UNSUCCESSFUL LOGON ATTEMPTS | PURGE/WIPE MOBILE DEVICE |
AC-8 ACCESS CONTROL | SYSTEM USE NOTIFICATION |
AC-9 ACCESS CONTROL | PREVIOUS LOGON (ACCESS) NOTIFICATION |
| AC-9 (1) PREVIOUS LOGON (ACCESS) NOTIFICATION | UNSUCCESSFUL LOGONS |
| AC-9 (2) PREVIOUS LOGON (ACCESS) NOTIFICATION | SUCCESSFUL / UNSUCCESSFUL LOGONS |
| AC-9 (3) PREVIOUS LOGON (ACCESS) NOTIFICATION | NOTIFICATION OF ACCOUNT CHANGES |
| AC-9 (4) PREVIOUS LOGON (ACCESS) NOTIFICATION | ADDITIONAL LOGON INFORMATION |
AC-10 ACCESS CONTROL | CONCURRENT SESSION CONTROL |
AC-11 ACCESS CONTROL | SESSION LOCK |
| AC-11 (1) SESSION LOCK | PATTERN-HIDING DISPLAYS |
AC-12 ACCESS CONTROL | SESSION TERMINATION |
| AC-12 (1) SESSION TERMINATION | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS |
AC-13 ACCESS CONTROL | SUPERVISION AND REVIEW - ACCESS CONTROL |
AC-14 ACCESS CONTROL | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION |
| AC-14 (1) PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | NECESSARY USES |
AC-15 ACCESS CONTROL | AUTOMATED MARKING |
AC-16 ACCESS CONTROL | SECURITY ATTRIBUTES |
| AC-16 (1) SECURITY ATTRIBUTES | DYNAMIC ATTRIBUTE ASSOCIATION |
| AC-16 (2) SECURITY ATTRIBUTES | ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS |
| AC-16 (3) SECURITY ATTRIBUTES | MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM |
| AC-16 (4) SECURITY ATTRIBUTES | ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS |
| AC-16 (5) SECURITY ATTRIBUTES | ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES |
| AC-16 (6) SECURITY ATTRIBUTES | MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION |
| AC-16 (7) SECURITY ATTRIBUTES | CONSISTENT ATTRIBUTE INTERPRETATION |
| AC-16 (8) SECURITY ATTRIBUTES | ASSOCIATION TECHNIQUES / TECHNOLOGIES |
| AC-16 (9) SECURITY ATTRIBUTES | ATTRIBUTE REASSIGNMENT |
| AC-16 (10) SECURITY ATTRIBUTES | ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS |
AC-17 ACCESS CONTROL | REMOTE ACCESS |
| AC-17 (1) REMOTE ACCESS | AUTOMATED MONITORING / CONTROL |
| AC-17 (2) REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION |
| AC-17 (3) REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS |
| AC-17 (4) REMOTE ACCESS | PRIVILEGED COMMANDS/ACCESS |
| AC-17 (5) REMOTE ACCESS | MONITORING FOR UNAUTHORIZED CONNECTIONS |
| AC-17 (6) REMOTE ACCESS | PROTECTION OF INFORMATION |
| AC-17 (7) REMOTE ACCESS | ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS |
| AC-17 (8) REMOTE ACCESS | DISABLE NONSECURE NETWORK PROTOCOLS |
| AC-17 (9) REMOTE ACCESS | DISCONNECT/DISABLE ACCESS |
AC-18 ACCESS CONTROL | WIRELESS ACCESS |
| AC-18 (1) WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION |
| AC-18 (2) WIRELESS ACCESS | MONITORING UNAUTHORIZED CONNECTIONS |
| AC-18 (3) WIRELESS ACCESS | DISABLE WIRELESS NETWORKING |
| AC-18 (4) WIRELESS ACCESS | RESTRICT CONFIGURATIONS BY USERS |
| AC-18 (5) WIRELESS ACCESS | ANTENNAS/TRANSMISSION POWER LEVELS |
AC-19 ACCESS CONTROL | ACCESS CONTROL FOR MOBILE DEVICES |
| AC-19 (1) ACCESS CONTROL FOR MOBILE DEVICES | USE OF WRITABLE / PORTABLE STORAGE DEVICES |
| AC-19 (2) ACCESS CONTROL FOR MOBILE DEVICES | USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES |
| AC-19 (3) ACCESS CONTROL FOR MOBILE DEVICES | USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER |
| AC-19 (4) ACCESS CONTROL FOR MOBILE DEVICES | RESTRICTIONS FOR CLASSIFIED INFORMATION |
| AC-19 (5) ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE / CONTAINER-BASED ENCRYPTION |
AC-20 ACCESS CONTROL | USE OF EXTERNAL INFORMATION SYSTEMS |
| AC-20 (1) USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE |
| AC-20 (2) USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE DEVICES |
| AC-20 (3) USE OF EXTERNAL INFORMATION SYSTEMS | NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES |
| AC-20 (4) USE OF EXTERNAL INFORMATION SYSTEMS | NETWORK ACCESSIBLE STORAGE DEVICES |
AC-21 ACCESS CONTROL | INFORMATION SHARING |
| AC-21 (1) INFORMATION SHARING | AUTOMATED DECISION SUPPORT |
| AC-21 (2) INFORMATION SHARING | INFORMATION SEARCH AND RETRIEVAL |
AC-22 ACCESS CONTROL | PUBLICLY ACCESSIBLE CONTENT |
AC-23 ACCESS CONTROL | DATA MINING PROTECTION |
AC-24 ACCESS CONTROL | ACCESS CONTROL DECISIONS |
| AC-24 (1) ACCESS CONTROL DECISIONS | TRANSMIT ACCESS AUTHORIZATION INFORMATION |
| AC-24 (2) ACCESS CONTROL DECISIONS | NO USER OR PROCESS IDENTITY |
AC-25 ACCESS CONTROL | REFERENCE MONITOR |
AT-1 AWARENESS AND TRAINING | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES |
AT-2 AWARENESS AND TRAINING | SECURITY AWARENESS TRAINING |
| AT-2 (1) SECURITY AWARENESS TRAINING | PRACTICAL EXERCISES |
| AT-2 (2) SECURITY AWARENESS TRAINING | INSIDER THREAT |
AT-3 AWARENESS AND TRAINING | ROLE-BASED SECURITY TRAINING |
| AT-3 (1) ROLE-BASED SECURITY TRAINING | ENVIRONMENTAL CONTROLS |
| AT-3 (2) ROLE-BASED SECURITY TRAINING | PHYSICAL SECURITY CONTROLS |
| AT-3 (3) ROLE-BASED SECURITY TRAINING | PRACTICAL EXERCISES |
| AT-3 (4) ROLE-BASED SECURITY TRAINING | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR |
AT-4 AWARENESS AND TRAINING | SECURITY TRAINING RECORDS |
AT-5 AWARENESS AND TRAINING | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS |
AU-1 AUDIT AND ACCOUNTABILITY | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES |
AU-2 AUDIT AND ACCOUNTABILITY | AUDIT EVENTS |
| AU-2 (1) AUDIT EVENTS | COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES |
| AU-2 (2) AUDIT EVENTS | SELECTION OF AUDIT EVENTS BY COMPONENT |
| AU-2 (3) AUDIT EVENTS | REVIEWS AND UPDATES |
| AU-2 (4) AUDIT EVENTS | PRIVILEGED FUNCTIONS |
AU-3 AUDIT AND ACCOUNTABILITY | CONTENT OF AUDIT RECORDS |
| AU-3 (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION |
| AU-3 (2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT |
AU-4 AUDIT AND ACCOUNTABILITY | AUDIT STORAGE CAPACITY |
| AU-4 (1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE |
AU-5 AUDIT AND ACCOUNTABILITY | RESPONSE TO AUDIT PROCESSING FAILURES |
| AU-5 (1) RESPONSE TO AUDIT PROCESSING FAILURES | AUDIT STORAGE CAPACITY |
| AU-5 (2) RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS |
| AU-5 (3) RESPONSE TO AUDIT PROCESSING FAILURES | CONFIGURABLE TRAFFIC VOLUME THRESHOLDS |
| AU-5 (4) RESPONSE TO AUDIT PROCESSING FAILURES | SHUTDOWN ON FAILURE |
AU-6 AUDIT AND ACCOUNTABILITY | AUDIT REVIEW, ANALYSIS, AND REPORTING |
| AU-6 (1) AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION |
| AU-6 (2) AUDIT REVIEW, ANALYSIS, AND REPORTING | AUTOMATED SECURITY ALERTS |
| AU-6 (3) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT REPOSITORIES |
| AU-6 (4) AUDIT REVIEW, ANALYSIS, AND REPORTING | CENTRAL REVIEW AND ANALYSIS |
| AU-6 (5) AUDIT REVIEW, ANALYSIS, AND REPORTING | INTEGRATION / SCANNING AND MONITORING CAPABILITIES |
| AU-6 (6) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH PHYSICAL MONITORING |
| AU-6 (7) AUDIT REVIEW, ANALYSIS, AND REPORTING | PERMITTED ACTIONS |
| AU-6 (8) AUDIT REVIEW, ANALYSIS, AND REPORTING | FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS |
| AU-6 (9) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES |
| AU-6 (10) AUDIT REVIEW, ANALYSIS, AND REPORTING | AUDIT LEVEL ADJUSTMENT |
AU-7 AUDIT AND ACCOUNTABILITY | AUDIT REDUCTION AND REPORT GENERATION |
| AU-7 (1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING |
| AU-7 (2) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC SORT AND SEARCH |
AU-8 AUDIT AND ACCOUNTABILITY | TIME STAMPS |
| AU-8 (1) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE |
| AU-8 (2) TIME STAMPS | SECONDARY AUTHORITATIVE TIME SOURCE |
AU-9 AUDIT AND ACCOUNTABILITY | PROTECTION OF AUDIT INFORMATION |
| AU-9 (1) PROTECTION OF AUDIT INFORMATION | HARDWARE WRITE-ONCE MEDIA |
| AU-9 (2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS |
| AU-9 (3) PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION |
| AU-9 (4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS |
| AU-9 (5) PROTECTION OF AUDIT INFORMATION | DUAL AUTHORIZATION |
| AU-9 (6) PROTECTION OF AUDIT INFORMATION | READ ONLY ACCESS |
AU-10 AUDIT AND ACCOUNTABILITY | NON-REPUDIATION |
| AU-10 (1) NON-REPUDIATION | ASSOCIATION OF IDENTITIES |
| AU-10 (2) NON-REPUDIATION | VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY |
| AU-10 (3) NON-REPUDIATION | CHAIN OF CUSTODY |
| AU-10 (4) NON-REPUDIATION | VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY |
| AU-10 (5) NON-REPUDIATION | DIGITAL SIGNATURES |
AU-11 AUDIT AND ACCOUNTABILITY | AUDIT RECORD RETENTION |
| AU-11 (1) AUDIT RECORD RETENTION | LONG-TERM RETRIEVAL CAPABILITY |
AU-12 AUDIT AND ACCOUNTABILITY | AUDIT GENERATION |
| AU-12 (1) AUDIT GENERATION | SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL |
| AU-12 (2) AUDIT GENERATION | STANDARDIZED FORMATS |
| AU-12 (3) AUDIT GENERATION | CHANGES BY AUTHORIZED INDIVIDUALS |
AU-13 AUDIT AND ACCOUNTABILITY | MONITORING FOR INFORMATION DISCLOSURE |
| AU-13 (1) MONITORING FOR INFORMATION DISCLOSURE | USE OF AUTOMATED TOOLS |
| AU-13 (2) MONITORING FOR INFORMATION DISCLOSURE | REVIEW OF MONITORED SITES |
AU-14 AUDIT AND ACCOUNTABILITY | SESSION AUDIT |
| AU-14 (1) SESSION AUDIT | SYSTEM START-UP |
| AU-14 (2) SESSION AUDIT | CAPTURE/RECORD AND LOG CONTENT |
| AU-14 (3) SESSION AUDIT | REMOTE VIEWING/LISTENING |
AU-15 AUDIT AND ACCOUNTABILITY | ALTERNATE AUDIT CAPABILITY |
AU-16 AUDIT AND ACCOUNTABILITY | CROSS-ORGANIZATIONAL AUDITING |
| AU-16 (1) CROSS-ORGANIZATIONAL AUDITING | IDENTITY PRESERVATION |
| AU-16 (2) CROSS-ORGANIZATIONAL AUDITING | SHARING OF AUDIT INFORMATION |
CA-1 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES |
CA-2 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY ASSESSMENTS |
| CA-2 (1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS |
| CA-2 (2) SECURITY ASSESSMENTS | SPECIALIZED ASSESSMENTS |
| CA-2 (3) SECURITY ASSESSMENTS | EXTERNAL ORGANIZATIONS |
CA-3 SECURITY ASSESSMENT AND AUTHORIZATION | SYSTEM INTERCONNECTIONS |
| CA-3 (1) SYSTEM INTERCONNECTIONS | UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS |
| CA-3 (2) SYSTEM INTERCONNECTIONS | CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS |
| CA-3 (3) SYSTEM INTERCONNECTIONS | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS |
| CA-3 (4) SYSTEM INTERCONNECTIONS | CONNECTIONS TO PUBLIC NETWORKS |
| CA-3 (5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
CA-4 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY CERTIFICATION |
CA-5 SECURITY ASSESSMENT AND AUTHORIZATION | PLAN OF ACTION AND MILESTONES |
| CA-5 (1) PLAN OF ACTION AND MILESTONES | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY |
CA-6 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY AUTHORIZATION |
CA-7 SECURITY ASSESSMENT AND AUTHORIZATION | CONTINUOUS MONITORING |
| CA-7 (1) CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT |
| CA-7 (2) CONTINUOUS MONITORING | TYPES OF ASSESSMENTS |
| CA-7 (3) CONTINUOUS MONITORING | TREND ANALYSES |
CA-8 SECURITY ASSESSMENT AND AUTHORIZATION | PENETRATION TESTING |
| CA-8 (1) PENETRATION TESTING | INDEPENDENT PENETRATION AGENT OR TEAM |
| CA-8 (2) PENETRATION TESTING | RED TEAM EXERCISES |
CA-9 SECURITY ASSESSMENT AND AUTHORIZATION | INTERNAL SYSTEM CONNECTIONS |
| CA-9 (1) INTERNAL SYSTEM CONNECTIONS | SECURITY COMPLIANCE CHECKS |
CM-1 CONFIGURATION MANAGEMENT | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES |
CM-2 CONFIGURATION MANAGEMENT | BASELINE CONFIGURATION |
| CM-2 (1) BASELINE CONFIGURATION | REVIEWS AND UPDATES |
| CM-2 (2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY |
| CM-2 (3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS |
| CM-2 (4) BASELINE CONFIGURATION | UNAUTHORIZED SOFTWARE |
| CM-2 (5) BASELINE CONFIGURATION | AUTHORIZED SOFTWARE |
| CM-2 (6) BASELINE CONFIGURATION | DEVELOPMENT AND TEST ENVIRONMENTS |
| CM-2 (7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS |
CM-3 CONFIGURATION MANAGEMENT | CONFIGURATION CHANGE CONTROL |
| CM-3 (1) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES |
| CM-3 (2) CONFIGURATION CHANGE CONTROL | TEST/VALIDATE/DOCUMENT CHANGES |
| CM-3 (3) CONFIGURATION CHANGE CONTROL | AUTOMATED CHANGE IMPLEMENTATION |
| CM-3 (4) CONFIGURATION CHANGE CONTROL | SECURITY REPRESENTATIVE |
| CM-3 (5) CONFIGURATION CHANGE CONTROL | AUTOMATED SECURITY RESPONSE |
| CM-3 (6) CONFIGURATION CHANGE CONTROL | CRYPTOGRAPHY MANAGEMENT |
CM-4 CONFIGURATION MANAGEMENT | SECURITY IMPACT ANALYSIS |
| CM-4 (1) SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS |
| CM-4 (2) SECURITY IMPACT ANALYSIS | VERIFICATION OF SECURITY FUNCTIONS |
CM-5 CONFIGURATION MANAGEMENT | ACCESS RESTRICTIONS FOR CHANGE |
| CM-5 (1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING |
| CM-5 (2) ACCESS RESTRICTIONS FOR CHANGE | REVIEW SYSTEM CHANGES |
| CM-5 (3) ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS |
| CM-5 (4) ACCESS RESTRICTIONS FOR CHANGE | DUAL AUTHORIZATION |
| CM-5 (5) ACCESS RESTRICTIONS FOR CHANGE | LIMIT PRODUCTION / OPERATIONAL PRIVILEGES |
| CM-5 (6) ACCESS RESTRICTIONS FOR CHANGE | LIMIT LIBRARY PRIVILEGES |
| CM-5 (7) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS |
CM-6 CONFIGURATION MANAGEMENT | CONFIGURATION SETTINGS |
| CM-6 (1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION |
| CM-6 (2) CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES |
| CM-6 (3) CONFIGURATION SETTINGS | UNAUTHORIZED CHANGE DETECTION |
| CM-6 (4) CONFIGURATION SETTINGS | CONFORMANCE DEMONSTRATION |
CM-7 CONFIGURATION MANAGEMENT | LEAST FUNCTIONALITY |
| CM-7 (1) LEAST FUNCTIONALITY | PERIODIC REVIEW |
| CM-7 (2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION |
| CM-7 (3) LEAST FUNCTIONALITY | REGISTRATION COMPLIANCE |
| CM-7 (4) LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE/BLACKLISTING |
| CM-7 (5) LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE/WHITELISTING |
CM-8 CONFIGURATION MANAGEMENT | INFORMATION SYSTEM COMPONENT INVENTORY |
| CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS |
| CM-8 (2) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE |
| CM-8 (3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION |
| CM-8 (4) INFORMATION SYSTEM COMPONENT INVENTORY | ACCOUNTABILITY INFORMATION |
| CM-8 (5) INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS |
| CM-8 (6) INFORMATION SYSTEM COMPONENT INVENTORY | ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS |
| CM-8 (7) INFORMATION SYSTEM COMPONENT INVENTORY | CENTRALIZED REPOSITORY |
| CM-8 (8) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED LOCATION TRACKING |
| CM-8 (9) INFORMATION SYSTEM COMPONENT INVENTORY | ASSIGNMENT OF COMPONENTS TO SYSTEMS |
CM-9 CONFIGURATION MANAGEMENT | CONFIGURATION MANAGEMENT PLAN |
| CM-9 (1) CONFIGURATION MANAGEMENT PLAN | ASSIGNMENT OF RESPONSIBILITY |
CM-10 CONFIGURATION MANAGEMENT | SOFTWARE USAGE RESTRICTIONS |
| CM-10 (1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE |
CM-11 CONFIGURATION MANAGEMENT | USER-INSTALLED SOFTWARE |
| CM-11 (1) USER-INSTALLED SOFTWARE | ALERTS FOR UNAUTHORIZED INSTALLATIONS |
| CM-11 (2) USER-INSTALLED SOFTWARE | PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS |
CP-1 CONTINGENCY PLANNING | CONTINGENCY PLANNING POLICY AND PROCEDURES |
CP-2 CONTINGENCY PLANNING | CONTINGENCY PLAN |
| CP-2 (1) CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS |
| CP-2 (2) CONTINGENCY PLAN | CAPACITY PLANNING |
| CP-2 (3) CONTINGENCY PLAN | RESUME ESSENTIAL MISSIONS/BUSINESS FUNCTIONS |
| CP-2 (4) CONTINGENCY PLAN | RESUME ALL MISSIONS/BUSINESS FUNCTIONS |
| CP-2 (5) CONTINGENCY PLAN | CONTINUE ESSENTIAL MISSIONS/BUSINESS FUNCTIONS |
| CP-2 (6) CONTINGENCY PLAN | ALTERNATE PROCESSING/STORAGE SITE |
| CP-2 (7) CONTINGENCY PLAN | COORDINATE WITH EXTERNAL SERVICE PROVIDERS |
| CP-2 (8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS |
CP-3 CONTINGENCY PLANNING | CONTINGENCY TRAINING |
| CP-3 (1) CONTINGENCY TRAINING | SIMULATED EVENTS |
| CP-3 (2) CONTINGENCY TRAINING | AUTOMATED TRAINING ENVIRONMENTS |
CP-4 CONTINGENCY PLANNING | CONTINGENCY PLAN TESTING |
| CP-4 (1) CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS |
| CP-4 (2) CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE |
| CP-4 (3) CONTINGENCY PLAN TESTING | AUTOMATED TESTING |
| CP-4 (4) CONTINGENCY PLAN TESTING | FULL RECOVERY / RECONSTITUTION |
CP-5 CONTINGENCY PLANNING | CONTINGENCY PLAN UPDATE |
CP-6 CONTINGENCY PLANNING | ALTERNATE STORAGE SITE |
| CP-6 (1) ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE |
| CP-6 (2) ALTERNATE STORAGE SITE | RECOVERY TIME/POINT OBJECTIVES |
| CP-6 (3) ALTERNATE STORAGE SITE | ACCESSIBILITY |
CP-7 CONTINGENCY PLANNING | ALTERNATE PROCESSING SITE |
| CP-7 (1) ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE |
| CP-7 (2) ALTERNATE PROCESSING SITE | ACCESSIBILITY |
| CP-7 (3) ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE |
| CP-7 (4) ALTERNATE PROCESSING SITE | PREPARATION FOR USE |
| CP-7 (5) ALTERNATE PROCESSING SITE | EQUIVALENT INFORMATION SECURITY SAFEGUARDS |
| CP-7 (6) ALTERNATE PROCESSING SITE | INABILITY TO RETURN TO PRIMARY SITE |
CP-8 CONTINGENCY PLANNING | TELECOMMUNICATIONS SERVICES |
| CP-8 (1) TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS |
| CP-8 (2) TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE |
| CP-8 (3) TELECOMMUNICATIONS SERVICES | SEPARATION OF PRIMARY / ALTERNATE PROVIDERS |
| CP-8 (4) TELECOMMUNICATIONS SERVICES | PROVIDER CONTINGENCY PLAN |
| CP-8 (5) TELECOMMUNICATIONS SERVICES | ALTERNATE TELECOMMUNICATION SERVICE TESTING |
CP-9 CONTINGENCY PLANNING | INFORMATION SYSTEM BACKUP |
| CP-9 (1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY |
| CP-9 (2) INFORMATION SYSTEM BACKUP | TEST RESTORATION USING SAMPLING |
| CP-9 (3) INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION |
| CP-9 (4) INFORMATION SYSTEM BACKUP | PROTECTION FROM UNAUTHORIZED MODIFICATION |
| CP-9 (5) INFORMATION SYSTEM BACKUP | TRANSFER TO ALTERNATE STORAGE SITE |
| CP-9 (6) INFORMATION SYSTEM BACKUP | REDUNDANT SECONDARY SYSTEM |
| CP-9 (7) INFORMATION SYSTEM BACKUP | DUAL AUTHORIZATION |
CP-10 CONTINGENCY PLANNING | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION |
| CP-10 (1) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | CONTINGENCY PLAN TESTING |
| CP-10 (2) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY |
| CP-10 (3) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | COMPENSATING SECURITY CONTROLS |
| CP-10 (4) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | RESTORE WITHIN TIME PERIOD |
| CP-10 (5) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | FAILOVER CAPABILITY |
| CP-10 (6) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | COMPONENT PROTECTION |
CP-11 CONTINGENCY PLANNING | ALTERNATE COMMUNICATIONS PROTOCOLS |
CP-12 CONTINGENCY PLANNING | SAFE MODE |
CP-13 CONTINGENCY PLANNING | ALTERNATIVE SECURITY MECHANISMS |
IA-1 IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES |
IA-2 IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) |
| IA-2 (1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS |
| IA-2 (2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS |
| IA-2 (3) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO PRIVILEGED ACCOUNTS |
| IA-2 (4) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS |
| IA-2 (5) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | GROUP AUTHENTICATION |
| IA-2 (6) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - SEPARATE DEVICE |
| IA-2 (7) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - SEPARATE DEVICE |
| IA-2 (8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT |
| IA-2 (9) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT |
| IA-2 (10) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | SINGLE SIGN-ON |
| IA-2 (11) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | REMOTE ACCESS - SEPARATE DEVICE |
| IA-2 (12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS |
| IA-2 (13) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | OUT-OF-BAND AUTHENTICATION |
IA-3 IDENTIFICATION AND AUTHENTICATION | DEVICE IDENTIFICATION AND AUTHENTICATION |
| IA-3 (1) DEVICE IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION |
| IA-3 (2) DEVICE IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION |
| IA-3 (3) DEVICE IDENTIFICATION AND AUTHENTICATION | DYNAMIC ADDRESS ALLOCATION |
| IA-3 (4) DEVICE IDENTIFICATION AND AUTHENTICATION | DEVICE ATTESTATION |
IA-4 IDENTIFICATION AND AUTHENTICATION | IDENTIFIER MANAGEMENT |
| IA-4 (1) IDENTIFIER MANAGEMENT | PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS |
| IA-4 (2) IDENTIFIER MANAGEMENT | SUPERVISOR AUTHORIZATION |
| IA-4 (3) IDENTIFIER MANAGEMENT | MULTIPLE FORMS OF CERTIFICATION |
| IA-4 (4) IDENTIFIER MANAGEMENT | IDENTIFY USER STATUS |
| IA-4 (5) IDENTIFIER MANAGEMENT | DYNAMIC MANAGEMENT |
| IA-4 (6) IDENTIFIER MANAGEMENT | CROSS-ORGANIZATION MANAGEMENT |
| IA-4 (7) IDENTIFIER MANAGEMENT | IN-PERSON REGISTRATION |
IA-5 IDENTIFICATION AND AUTHENTICATION | AUTHENTICATOR MANAGEMENT |
| IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION |
| IA-5 (2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION |
| IA-5 (3) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION |
| IA-5 (4) AUTHENTICATOR MANAGEMENT | AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION |
| IA-5 (5) AUTHENTICATOR MANAGEMENT | CHANGE AUTHENTICATORS PRIOR TO DELIVERY |
| IA-5 (6) AUTHENTICATOR MANAGEMENT | PROTECTION OF AUTHENTICATORS |
| IA-5 (7) AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS |
| IA-5 (8) AUTHENTICATOR MANAGEMENT | MULTIPLE INFORMATION SYSTEM ACCOUNTS |
| IA-5 (9) AUTHENTICATOR MANAGEMENT | CROSS-ORGANIZATION CREDENTIAL MANAGEMENT |
| IA-5 (10) AUTHENTICATOR MANAGEMENT | DYNAMIC CREDENTIAL ASSOCIATION |
| IA-5 (11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION |
| IA-5 (12) AUTHENTICATOR MANAGEMENT | BIOMETRIC-BASED AUTHENTICATION |
| IA-5 (13) AUTHENTICATOR MANAGEMENT | EXPIRATION OF CACHED AUTHENTICATORS |
| IA-5 (14) AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES |
| IA-5 (15) AUTHENTICATOR MANAGEMENT | FICAM-APPROVED PRODUCTS AND SERVICES |
IA-6 IDENTIFICATION AND AUTHENTICATION | AUTHENTICATOR FEEDBACK |
IA-7 IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC MODULE AUTHENTICATION |
IA-8 IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) |
| IA-8 (1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES |
| IA-8 (2) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF THIRD-PARTY CREDENTIALS |
| IA-8 (3) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-APPROVED PRODUCTS |
| IA-8 (4) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-ISSUED PROFILES |
| IA-8 (5) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV-I CREDENTIALS |
IA-9 IDENTIFICATION AND AUTHENTICATION | SERVICE IDENTIFICATION AND AUTHENTICATION |
| IA-9 (1) SERVICE IDENTIFICATION AND AUTHENTICATION | INFORMATION EXCHANGE |
| IA-9 (2) SERVICE IDENTIFICATION AND AUTHENTICATION | TRANSMISSION OF DECISIONS |
IA-10 IDENTIFICATION AND AUTHENTICATION | ADAPTIVE IDENTIFICATION AND AUTHENTICATION |
IA-11 IDENTIFICATION AND AUTHENTICATION | RE-AUTHENTICATION |
IR-1 INCIDENT RESPONSE | INCIDENT RESPONSE POLICY AND PROCEDURES |
IR-2 INCIDENT RESPONSE | INCIDENT RESPONSE TRAINING |
| IR-2 (1) INCIDENT RESPONSE TRAINING | SIMULATED EVENTS |
| IR-2 (2) INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING ENVIRONMENTS |
IR-3 INCIDENT RESPONSE | INCIDENT RESPONSE TESTING |
| IR-3 (1) INCIDENT RESPONSE TESTING | AUTOMATED TESTING |
| IR-3 (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS |
IR-4 INCIDENT RESPONSE | INCIDENT HANDLING |
| IR-4 (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES |
| IR-4 (2) INCIDENT HANDLING | DYNAMIC RECONFIGURATION |
| IR-4 (3) INCIDENT HANDLING | CONTINUITY OF OPERATIONS |
| IR-4 (4) INCIDENT HANDLING | INFORMATION CORRELATION |
| IR-4 (5) INCIDENT HANDLING | AUTOMATIC DISABLING OF INFORMATION SYSTEM |
| IR-4 (6) INCIDENT HANDLING | INSIDER THREATS - SPECIFIC CAPABILITIES |
| IR-4 (7) INCIDENT HANDLING | INSIDER THREATS - INTRA-ORGANIZATION COORDINATION |
| IR-4 (8) INCIDENT HANDLING | CORRELATION WITH EXTERNAL ORGANIZATIONS |
| IR-4 (9) INCIDENT HANDLING | DYNAMIC RESPONSE CAPABILITY |
| IR-4 (10) INCIDENT HANDLING | SUPPLY CHAIN COORDINATION |
IR-5 INCIDENT RESPONSE | INCIDENT MONITORING |
| IR-5 (1) INCIDENT MONITORING | AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS |
IR-6 INCIDENT RESPONSE | INCIDENT REPORTING |
| IR-6 (1) INCIDENT REPORTING | AUTOMATED REPORTING |
| IR-6 (2) INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS |
| IR-6 (3) INCIDENT REPORTING | COORDINATION WITH SUPPLY CHAIN |
IR-7 INCIDENT RESPONSE | INCIDENT RESPONSE ASSISTANCE |
| IR-7 (1) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT |
| IR-7 (2) INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS |
IR-8 INCIDENT RESPONSE | INCIDENT RESPONSE PLAN |
IR-9 INCIDENT RESPONSE | INFORMATION SPILLAGE RESPONSE |
| IR-9 (1) INFORMATION SPILLAGE RESPONSE | RESPONSIBLE PERSONNEL |
| IR-9 (2) INFORMATION SPILLAGE RESPONSE | TRAINING |
| IR-9 (3) INFORMATION SPILLAGE RESPONSE | POST-SPILL OPERATIONS |
| IR-9 (4) INFORMATION SPILLAGE RESPONSE | EXPOSURE TO UNAUTHORIZED PERSONNEL |
IR-10 INCIDENT RESPONSE | INTEGRATED INFORMATION SECURITY ANALYSIS TEAM |
MA-1 MAINTENANCE | SYSTEM MAINTENANCE POLICY AND PROCEDURES |
MA-2 MAINTENANCE | CONTROLLED MAINTENANCE |
| MA-2 (1) CONTROLLED MAINTENANCE | RECORD CONTENT |
| MA-2 (2) CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES |
MA-3 MAINTENANCE | MAINTENANCE TOOLS |
| MA-3 (1) MAINTENANCE TOOLS | INSPECT TOOLS |
| MA-3 (2) MAINTENANCE TOOLS | INSPECT MEDIA |
| MA-3 (3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL |
| MA-3 (4) MAINTENANCE TOOLS | RESTRICTED TOOL USE |
MA-4 MAINTENANCE | NONLOCAL MAINTENANCE |
| MA-4 (1) NONLOCAL MAINTENANCE | AUDITING AND REVIEW |
| MA-4 (2) NONLOCAL MAINTENANCE | DOCUMENT NONLOCAL MAINTENANCE |
| MA-4 (3) NONLOCAL MAINTENANCE | COMPARABLE SECURITY / SANITIZATION |
| MA-4 (4) NONLOCAL MAINTENANCE | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS |
| MA-4 (5) NONLOCAL MAINTENANCE | APPROVALS AND NOTIFICATIONS |
| MA-4 (6) NONLOCAL MAINTENANCE | CRYPTOGRAPHIC PROTECTION |
| MA-4 (7) NONLOCAL MAINTENANCE | REMOTE DISCONNECT VERIFICATION |
MA-5 MAINTENANCE | MAINTENANCE PERSONNEL |
| MA-5 (1) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS |
| MA-5 (2) MAINTENANCE PERSONNEL | SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS |
| MA-5 (3) MAINTENANCE PERSONNEL | CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS |
| MA-5 (4) MAINTENANCE PERSONNEL | FOREIGN NATIONALS |
| MA-5 (5) MAINTENANCE PERSONNEL | NONSYSTEM-RELATED MAINTENANCE |
MA-6 MAINTENANCE | TIMELY MAINTENANCE |
| MA-6 (1) TIMELY MAINTENANCE | PREVENTIVE MAINTENANCE |
| MA-6 (2) TIMELY MAINTENANCE | PREDICTIVE MAINTENANCE |
| MA-6 (3) TIMELY MAINTENANCE | AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE |
MP-1 MEDIA PROTECTION | MEDIA PROTECTION POLICY AND PROCEDURES |
MP-2 MEDIA PROTECTION | MEDIA ACCESS |
| MP-2 (1) MEDIA ACCESS | AUTOMATED RESTRICTED ACCESS |
| MP-2 (2) MEDIA ACCESS | CRYPTOGRAPHIC PROTECTION |
MP-3 MEDIA PROTECTION | MEDIA MARKING |
MP-4 MEDIA PROTECTION | MEDIA STORAGE |
| MP-4 (1) MEDIA STORAGE | CRYPTOGRAPHIC PROTECTION |
| MP-4 (2) MEDIA STORAGE | AUTOMATED RESTRICTED ACCESS |
MP-5 MEDIA PROTECTION | MEDIA TRANSPORT |
| MP-5 (1) MEDIA TRANSPORT | PROTECTION OUTSIDE OF CONTROLLED AREAS |
| MP-5 (2) MEDIA TRANSPORT | DOCUMENTATION OF ACTIVITIES |
| MP-5 (3) MEDIA TRANSPORT | CUSTODIANS |
| MP-5 (4) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION |
MP-6 MEDIA PROTECTION | MEDIA SANITIZATION |
| MP-6 (1) MEDIA SANITIZATION | REVIEW/APPROVE/TRACK/DOCUMENT/VERIFY |
| MP-6 (2) MEDIA SANITIZATION | EQUIPMENT TESTING |
| MP-6 (3) MEDIA SANITIZATION | NONDESTRUCTIVE TECHNIQUES |
| MP-6 (4) MEDIA SANITIZATION | CONTROLLED UNCLASSIFIED INFORMATION |
| MP-6 (5) MEDIA SANITIZATION | CLASSIFIED INFORMATION |
| MP-6 (6) MEDIA SANITIZATION | MEDIA DESTRUCTION |
| MP-6 (7) MEDIA SANITIZATION | DUAL AUTHORIZATION |
| MP-6 (8) MEDIA SANITIZATION | REMOTE PURGING / WIPING OF INFORMATION |
MP-7 MEDIA PROTECTION | MEDIA USE |
| MP-7 (1) MEDIA USE | PROHIBIT USE WITHOUT OWNER |
| MP-7 (2) MEDIA USE | PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA |
MP-8 MEDIA PROTECTION | MEDIA DOWNGRADING |
| MP-8 (1) MEDIA DOWNGRADING | DOCUMENTATION OF PROCESS |
| MP-8 (2) MEDIA DOWNGRADING | EQUIPMENT TESTING |
| MP-8 (3) MEDIA DOWNGRADING | CONTROLLED UNCLASSIFIED INFORMATION |
| MP-8 (4) MEDIA DOWNGRADING | CLASSIFIED INFORMATION |
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES |
PE-2 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL ACCESS AUTHORIZATIONS |
| PE-2 (1) PHYSICAL ACCESS AUTHORIZATIONS | ACCESS BY POSITION / ROLE |
| PE-2 (2) PHYSICAL ACCESS AUTHORIZATIONS | TWO FORMS OF IDENTIFICATION |
| PE-2 (3) PHYSICAL ACCESS AUTHORIZATIONS | RESTRICT UNESCORTED ACCESS |
PE-3 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL ACCESS CONTROL |
| PE-3 (1) PHYSICAL ACCESS CONTROL | INFORMATION SYSTEM ACCESS |
| PE-3 (2) PHYSICAL ACCESS CONTROL | FACILITY/INFORMATION SYSTEM BOUNDARIES |
| PE-3 (3) PHYSICAL ACCESS CONTROL | CONTINUOUS GUARDS / ALARMS / MONITORING |
| PE-3 (4) PHYSICAL ACCESS CONTROL | LOCKABLE CASINGS |
| PE-3 (5) PHYSICAL ACCESS CONTROL | TAMPER PROTECTION |
| PE-3 (6) PHYSICAL ACCESS CONTROL | FACILITY PENETRATION TESTING |
PE-4 PHYSICAL AND ENVIRONMENTAL PROTECTION | ACCESS CONTROL FOR TRANSMISSION MEDIUM |
PE-5 PHYSICAL AND ENVIRONMENTAL PROTECTION | ACCESS CONTROL FOR OUTPUT DEVICES |
| PE-5 (1) ACCESS CONTROL FOR OUTPUT DEVICES | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS |
| PE-5 (2) ACCESS CONTROL FOR OUTPUT DEVICES | ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY |
| PE-5 (3) ACCESS CONTROL FOR OUTPUT DEVICES | MARKING OUTPUT DEVICES |
PE-6 PHYSICAL AND ENVIRONMENTAL PROTECTION | MONITORING PHYSICAL ACCESS |
| PE-6 (1) MONITORING PHYSICAL ACCESS | INTRUSION ALARMS/SURVEILLANCE EQUIPMENT |
| PE-6 (2) MONITORING PHYSICAL ACCESS | AUTOMATED INTRUSION RECOGNITION / RESPONSES |
| PE-6 (3) MONITORING PHYSICAL ACCESS | VIDEO SURVEILLANCE |
| PE-6 (4) MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS |
PE-7 PHYSICAL AND ENVIRONMENTAL PROTECTION | VISITOR CONTROL |
PE-8 PHYSICAL AND ENVIRONMENTAL PROTECTION | VISITOR ACCESS RECORDS |
| PE-8 (1) VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE / REVIEW |
| PE-8 (2) VISITOR ACCESS RECORDS | PHYSICAL ACCESS RECORDS |
PE-9 PHYSICAL AND ENVIRONMENTAL PROTECTION | POWER EQUIPMENT AND CABLING |
| PE-9 (1) POWER EQUIPMENT AND CABLING | REDUNDANT CABLING |
| PE-9 (2) POWER EQUIPMENT AND CABLING | AUTOMATIC VOLTAGE CONTROLS |
PE-10 PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY SHUTOFF |
| PE-10 (1) EMERGENCY SHUTOFF | ACCIDENTAL / UNAUTHORIZED ACTIVATION |
PE-11 PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY POWER |
| PE-11 (1) EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY |
| PE-11 (2) EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED |
PE-12 PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY LIGHTING |
| PE-12 (1) EMERGENCY LIGHTING | ESSENTIAL MISSIONS / BUSINESS FUNCTIONS |
PE-13 PHYSICAL AND ENVIRONMENTAL PROTECTION | FIRE PROTECTION |
| PE-13 (1) FIRE PROTECTION | DETECTION DEVICES / SYSTEMS |
| PE-13 (2) FIRE PROTECTION | SUPPRESSION DEVICES/SYSTEMS |
| PE-13 (3) FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION |
| PE-13 (4) FIRE PROTECTION | INSPECTIONS |
PE-14 PHYSICAL AND ENVIRONMENTAL PROTECTION | TEMPERATURE AND HUMIDITY CONTROLS |
| PE-14 (1) TEMPERATURE AND HUMIDITY CONTROLS | AUTOMATIC CONTROLS |
| PE-14 (2) TEMPERATURE AND HUMIDITY CONTROLS | MONITORING WITH ALARMS / NOTIFICATIONS |
PE-15 PHYSICAL AND ENVIRONMENTAL PROTECTION | WATER DAMAGE PROTECTION |
| PE-15 (1) WATER DAMAGE PROTECTION | AUTOMATION SUPPORT |
PE-16 PHYSICAL AND ENVIRONMENTAL PROTECTION | DELIVERY AND REMOVAL |
PE-17 PHYSICAL AND ENVIRONMENTAL PROTECTION | ALTERNATE WORK SITE |
PE-18 PHYSICAL AND ENVIRONMENTAL PROTECTION | LOCATION OF INFORMATION SYSTEM COMPONENTS |
| PE-18 (1) LOCATION OF INFORMATION SYSTEM COMPONENTS | FACILITY SITE |
PE-19 PHYSICAL AND ENVIRONMENTAL PROTECTION | INFORMATION LEAKAGE |
| PE-19 (1) INFORMATION LEAKAGE | NATIONAL EMISSIONS/TEMPEST POLICIES AND PROCEDURES |
PE-20 PHYSICAL AND ENVIRONMENTAL PROTECTION | ASSET MONITORING AND TRACKING |
PL-1 PLANNING | SECURITY PLANNING POLICY AND PROCEDURES |
PL-2 PLANNING | SYSTEM SECURITY PLAN |
| PL-2 (1) SYSTEM SECURITY PLAN | CONCEPT OF OPERATIONS |
| PL-2 (2) SYSTEM SECURITY PLAN | FUNCTIONAL ARCHITECTURE |
| PL-2 (3) SYSTEM SECURITY PLAN | PLAN/COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES |
PL-3 PLANNING | SYSTEM SECURITY PLAN UPDATE |
PL-4 PLANNING | RULES OF BEHAVIOR |
| PL-4 (1) RULES OF BEHAVIOR | SOCIAL MEDIA AND NETWORKING RESTRICTIONS |
PL-5 PLANNING | PRIVACY IMPACT ASSESSMENT |
PL-6 PLANNING | SECURITY-RELATED ACTIVITY PLANNING |
PL-7 PLANNING | SECURITY CONCEPT OF OPERATIONS |
PL-8 PLANNING | INFORMATION SECURITY ARCHITECTURE |
| PL-8 (1) INFORMATION SECURITY ARCHITECTURE | DEFENSE-IN-DEPTH |
| PL-8 (2) INFORMATION SECURITY ARCHITECTURE | SUPPLIER DIVERSITY |
PL-9 PLANNING | CENTRAL MANAGEMENT |
PM-1 PROGRAM MANAGEMENT | INFORMATION SECURITY PROGRAM PLAN |
PM-2 PROGRAM MANAGEMENT | SENIOR INFORMATION SECURITY OFFICER |
PM-3 PROGRAM MANAGEMENT | INFORMATION SECURITY RESOURCES |
PM-4 PROGRAM MANAGEMENT | PLAN OF ACTION AND MILESTONES PROCESS |
PM-5 PROGRAM MANAGEMENT | INFORMATION SYSTEM INVENTORY |
PM-6 PROGRAM MANAGEMENT | INFORMATION SECURITY MEASURES OF PERFORMANCE |
PM-7 PROGRAM MANAGEMENT | ENTERPRISE ARCHITECTURE |
PM-8 PROGRAM MANAGEMENT | CRITICAL INFRASTRUCTURE PLAN |
PM-9 PROGRAM MANAGEMENT | RISK MANAGEMENT STRATEGY |
PM-10 PROGRAM MANAGEMENT | SECURITY AUTHORIZATION PROCESS |
PM-11 PROGRAM MANAGEMENT | MISSION/BUSINESS PROCESS DEFINITIONS |
PM-12 PROGRAM MANAGEMENT | INSIDER THREAT PROGRAM |
PM-13 PROGRAM MANAGEMENT | INFORMATION SECURITY WORKFORCE |
PM-14 PROGRAM MANAGEMENT | TESTING, TRAINING, AND MONITORING |
PM-15 PROGRAM MANAGEMENT | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS |
PM-16 PROGRAM MANAGEMENT | THREAT AWARENESS PROGRAM |
PS-1 PERSONNEL SECURITY | PERSONNEL SECURITY POLICY AND PROCEDURES |
PS-2 PERSONNEL SECURITY | POSITION RISK DESIGNATION |
PS-3 PERSONNEL SECURITY | PERSONNEL SCREENING |
| PS-3 (1) PERSONNEL SCREENING | CLASSIFIED INFORMATION |
| PS-3 (2) PERSONNEL SCREENING | FORMAL INDOCTRINATION |
| PS-3 (3) PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTION MEASURES |
PS-4 PERSONNEL SECURITY | PERSONNEL TERMINATION |
| PS-4 (1) PERSONNEL TERMINATION | POST-EMPLOYMENT REQUIREMENTS |
| PS-4 (2) PERSONNEL TERMINATION | AUTOMATED NOTIFICATION |
PS-5 PERSONNEL SECURITY | PERSONNEL TRANSFER |
PS-6 PERSONNEL SECURITY | ACCESS AGREEMENTS |
| PS-6 (1) ACCESS AGREEMENTS | INFORMATION REQUIRING SPECIAL PROTECTION |
| PS-6 (2) ACCESS AGREEMENTS | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION |
| PS-6 (3) ACCESS AGREEMENTS | POST-EMPLOYMENT REQUIREMENTS |
PS-7 PERSONNEL SECURITY | THIRD-PARTY PERSONNEL SECURITY |
PS-8 PERSONNEL SECURITY | PERSONNEL SANCTIONS |
RA-1 RISK ASSESSMENT | RISK ASSESSMENT POLICY AND PROCEDURES |
RA-2 RISK ASSESSMENT | SECURITY CATEGORIZATION |
RA-3 RISK ASSESSMENT | RISK ASSESSMENT |
RA-4 RISK ASSESSMENT | RISK ASSESSMENT UPDATE |
RA-5 RISK ASSESSMENT | VULNERABILITY SCANNING |
| RA-5 (1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY |
| RA-5 (2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED |
| RA-5 (3) VULNERABILITY SCANNING | BREADTH/DEPTH OF COVERAGE |
| RA-5 (4) VULNERABILITY SCANNING | DISCOVERABLE INFORMATION |
| RA-5 (5) VULNERABILITY SCANNING | PRIVILEGED ACCESS |
| RA-5 (6) VULNERABILITY SCANNING | AUTOMATED TREND ANALYSES |
| RA-5 (7) VULNERABILITY SCANNING | AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS |
| RA-5 (8) VULNERABILITY SCANNING | REVIEW HISTORIC AUDIT LOGS |
| RA-5 (9) VULNERABILITY SCANNING | PENETRATION TESTING AND ANALYSES |
| RA-5 (10) VULNERABILITY SCANNING | CORRELATE SCANNING INFORMATION |
RA-6 RISK ASSESSMENT | TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY |
SA-1 SYSTEM AND SERVICES ACQUISITION | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES |
SA-2 SYSTEM AND SERVICES ACQUISITION | ALLOCATION OF RESOURCES |
SA-3 SYSTEM AND SERVICES ACQUISITION | SYSTEM DEVELOPMENT LIFE CYCLE |
SA-4 SYSTEM AND SERVICES ACQUISITION | ACQUISITION PROCESS |
| SA-4 (1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS |
| SA-4 (2) ACQUISITION PROCESS | DESIGN/IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS |
| SA-4 (3) ACQUISITION PROCESS | DEVELOPMENT METHODS / TECHNIQUES / PRACTICES |
| SA-4 (4) ACQUISITION PROCESS | ASSIGNMENT OF COMPONENTS TO SYSTEMS |
| SA-4 (5) ACQUISITION PROCESS | SYSTEM / COMPONENT / SERVICE CONFIGURATIONS |
| SA-4 (6) ACQUISITION PROCESS | USE OF INFORMATION ASSURANCE PRODUCTS |
| SA-4 (7) ACQUISITION PROCESS | NIAP-APPROVED PROTECTION PROFILES |
| SA-4 (8) ACQUISITION PROCESS | CONTINUOUS MONITORING PLAN |
| SA-4 (9) ACQUISITION PROCESS | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE |
| SA-4 (10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS |
SA-5 SYSTEM AND SERVICES ACQUISITION | INFORMATION SYSTEM DOCUMENTATION |
| SA-5 (1) INFORMATION SYSTEM DOCUMENTATION | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS |
| SA-5 (2) INFORMATION SYSTEM DOCUMENTATION | SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES |
| SA-5 (3) INFORMATION SYSTEM DOCUMENTATION | HIGH-LEVEL DESIGN |
| SA-5 (4) INFORMATION SYSTEM DOCUMENTATION | LOW-LEVEL DESIGN |
| SA-5 (5) INFORMATION SYSTEM DOCUMENTATION | SOURCE CODE |
SA-6 SYSTEM AND SERVICES ACQUISITION | SOFTWARE USAGE RESTRICTIONS |
SA-7 SYSTEM AND SERVICES ACQUISITION | USER-INSTALLED SOFTWARE |
SA-8 SYSTEM AND SERVICES ACQUISITION | SECURITY ENGINEERING PRINCIPLES |
SA-9 SYSTEM AND SERVICES ACQUISITION | EXTERNAL INFORMATION SYSTEM SERVICES |
| SA-9 (1) EXTERNAL INFORMATION SYSTEM SERVICES | RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS |
| SA-9 (2) EXTERNAL INFORMATION SYSTEM SERVICES | IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES |
| SA-9 (3) EXTERNAL INFORMATION SYSTEM SERVICES | ESTABLISH/MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS |
| SA-9 (4) EXTERNAL INFORMATION SYSTEM SERVICES | CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS |
| SA-9 (5) EXTERNAL INFORMATION SYSTEM SERVICES | PROCESSING, STORAGE, AND SERVICE LOCATION |
SA-10 SYSTEM AND SERVICES ACQUISITION | DEVELOPER CONFIGURATION MANAGEMENT |
| SA-10 (1) DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE/FIRMWARE INTEGRITY VERIFICATION |
| SA-10 (2) DEVELOPER CONFIGURATION MANAGEMENT | ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES |
| SA-10 (3) DEVELOPER CONFIGURATION MANAGEMENT | HARDWARE INTEGRITY VERIFICATION |
| SA-10 (4) DEVELOPER CONFIGURATION MANAGEMENT | TRUSTED GENERATION |
| SA-10 (5) DEVELOPER CONFIGURATION MANAGEMENT | MAPPING INTEGRITY FOR VERSION CONTROL |
| SA-10 (6) DEVELOPER CONFIGURATION MANAGEMENT | TRUSTED DISTRIBUTION |
SA-11 SYSTEM AND SERVICES ACQUISITION | DEVELOPER SECURITY TESTING AND EVALUATION |
| SA-11 (1) DEVELOPER SECURITY TESTING AND EVALUATION | STATIC CODE ANALYSIS |
| SA-11 (2) DEVELOPER SECURITY TESTING AND EVALUATION | THREAT AND VULNERABILITY ANALYSES |
| SA-11 (3) DEVELOPER SECURITY TESTING AND EVALUATION | INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCE |
| SA-11 (4) DEVELOPER SECURITY TESTING AND EVALUATION | MANUAL CODE REVIEWS |
| SA-11 (5) DEVELOPER SECURITY TESTING AND EVALUATION | PENETRATION TESTING |
| SA-11 (6) DEVELOPER SECURITY TESTING AND EVALUATION | ATTACK SURFACE REVIEWS |
| SA-11 (7) DEVELOPER SECURITY TESTING AND EVALUATION | VERIFY SCOPE OF TESTING / EVALUATION |
| SA-11 (8) DEVELOPER SECURITY TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS |
SA-12 SYSTEM AND SERVICES ACQUISITION | SUPPLY CHAIN PROTECTION |
| SA-12 (1) SUPPLY CHAIN PROTECTION | ACQUISITION STRATEGIES / TOOLS / METHODS |
| SA-12 (2) SUPPLY CHAIN PROTECTION | SUPPLIER REVIEWS |
| SA-12 (3) SUPPLY CHAIN PROTECTION | TRUSTED SHIPPING AND WAREHOUSING |
| SA-12 (4) SUPPLY CHAIN PROTECTION | DIVERSITY OF SUPPLIERS |
| SA-12 (5) SUPPLY CHAIN PROTECTION | LIMITATION OF HARM |
| SA-12 (6) SUPPLY CHAIN PROTECTION | MINIMIZING PROCUREMENT TIME |
| SA-12 (7) SUPPLY CHAIN PROTECTION | ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE |
| SA-12 (8) SUPPLY CHAIN PROTECTION | USE OF ALL-SOURCE INTELLIGENCE |
| SA-12 (9) SUPPLY CHAIN PROTECTION | OPERATIONS SECURITY |
| SA-12 (10) SUPPLY CHAIN PROTECTION | VALIDATE AS GENUINE AND NOT ALTERED |
| SA-12 (11) SUPPLY CHAIN PROTECTION | PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS |
| SA-12 (12) SUPPLY CHAIN PROTECTION | INTER-ORGANIZATIONAL AGREEMENTS |
| SA-12 (13) SUPPLY CHAIN PROTECTION | CRITICAL INFORMATION SYSTEM COMPONENTS |
| SA-12 (14) SUPPLY CHAIN PROTECTION | IDENTITY AND TRACEABILITY |
| SA-12 (15) SUPPLY CHAIN PROTECTION | PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES |
SA-13 SYSTEM AND SERVICES ACQUISITION | TRUSTWORTHINESS |
SA-14 SYSTEM AND SERVICES ACQUISITION | CRITICALITY ANALYSIS |
| SA-14 (1) CRITICALITY ANALYSIS | CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING |
SA-15 SYSTEM AND SERVICES ACQUISITION | DEVELOPMENT PROCESS, STANDARDS, AND TOOLS |
| SA-15 (1) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | QUALITY METRICS |
| SA-15 (2) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | SECURITY TRACKING TOOLS |
| SA-15 (3) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | CRITICALITY ANALYSIS |
| SA-15 (4) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | THREAT MODELING/VULNERABILITY ANALYSIS |
| SA-15 (5) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | ATTACK SURFACE REDUCTION |
| SA-15 (6) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | CONTINUOUS IMPROVEMENT |
| SA-15 (7) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | AUTOMATED VULNERABILITY ANALYSIS |
| SA-15 (8) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | REUSE OF THREAT/VULNERABILITY INFORMATION |
| SA-15 (9) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | USE OF LIVE DATA |
| SA-15 (10) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | INCIDENT RESPONSE PLAN |
| SA-15 (11) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | ARCHIVE INFORMATION SYSTEM/COMPONENT |
SA-16 SYSTEM AND SERVICES ACQUISITION | DEVELOPER-PROVIDED TRAINING |
SA-17 SYSTEM AND SERVICES ACQUISITION | DEVELOPER SECURITY ARCHITECTURE AND DESIGN |
| SA-17 (1) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | FORMAL POLICY MODEL |
| SA-17 (2) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | SECURITY-RELEVANT COMPONENTS |
| SA-17 (3) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | FORMAL CORRESPONDENCE |
| SA-17 (4) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | INFORMAL CORRESPONDENCE |
| SA-17 (5) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | CONCEPTUALLY SIMPLE DESIGN |
| SA-17 (6) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | STRUCTURE FOR TESTING |
| SA-17 (7) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | STRUCTURE FOR LEAST PRIVILEGE |
SA-18 SYSTEM AND SERVICES ACQUISITION | TAMPER RESISTANCE AND DETECTION |
| SA-18 (1) TAMPER RESISTANCE AND DETECTION | MULTIPLE PHASES OF SDLC |
| SA-18 (2) TAMPER RESISTANCE AND DETECTION | INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES |
SA-19 SYSTEM AND SERVICES ACQUISITION | COMPONENT AUTHENTICITY |
| SA-19 (1) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT TRAINING |
| SA-19 (2) COMPONENT AUTHENTICITY | CONFIGURATION CONTROL FOR COMPONENT SERVICE/REPAIR |
| SA-19 (3) COMPONENT AUTHENTICITY | COMPONENT DISPOSAL |
| SA-19 (4) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT SCANNING |
SA-20 SYSTEM AND SERVICES ACQUISITION | CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS |
SA-21 SYSTEM AND SERVICES ACQUISITION | DEVELOPER SCREENING |
| SA-21 (1) DEVELOPER SCREENING | VALIDATION OF SCREENING |
SA-22 SYSTEM AND SERVICES ACQUISITION | UNSUPPORTED SYSTEM COMPONENTS |
| SA-22 (1) UNSUPPORTED SYSTEM COMPONENTS | ALTERNATIVE SOURCES FOR CONTINUED SUPPORT |
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES |
SC-2 SYSTEM AND COMMUNICATIONS PROTECTION | APPLICATION PARTITIONING |
| SC-2 (1) APPLICATION PARTITIONING | INTERFACES FOR NON-PRIVILEGED USERS |
SC-3 SYSTEM AND COMMUNICATIONS PROTECTION | SECURITY FUNCTION ISOLATION |
| SC-3 (1) SECURITY FUNCTION ISOLATION | HARDWARE SEPARATION |
| SC-3 (2) SECURITY FUNCTION ISOLATION | ACCESS/FLOW CONTROL FUNCTIONS |
| SC-3 (3) SECURITY FUNCTION ISOLATION | MINIMIZE NONSECURITY FUNCTIONALITY |
| SC-3 (4) SECURITY FUNCTION ISOLATION | MODULE COUPLING AND COHESIVENESS |
| SC-3 (5) SECURITY FUNCTION ISOLATION | LAYERED STRUCTURES |
SC-4 SYSTEM AND COMMUNICATIONS PROTECTION | INFORMATION IN SHARED RESOURCES |
| SC-4 (1) INFORMATION IN SHARED RESOURCES | SECURITY LEVELS |
| SC-4 (2) INFORMATION IN SHARED RESOURCES | PERIODS PROCESSING |
SC-5 SYSTEM AND COMMUNICATIONS PROTECTION | DENIAL OF SERVICE PROTECTION |
| SC-5 (1) DENIAL OF SERVICE PROTECTION | RESTRICT INTERNAL USERS |
| SC-5 (2) DENIAL OF SERVICE PROTECTION | EXCESS CAPACITY / BANDWIDTH / REDUNDANCY |
| SC-5 (3) DENIAL OF SERVICE PROTECTION | DETECTION/MONITORING |
SC-6 SYSTEM AND COMMUNICATIONS PROTECTION | RESOURCE AVAILABILITY |
SC-7 SYSTEM AND COMMUNICATIONS PROTECTION | BOUNDARY PROTECTION |
| SC-7 (1) BOUNDARY PROTECTION | PHYSICALLY SEPARATED SUBNETWORKS |
| SC-7 (2) BOUNDARY PROTECTION | PUBLIC ACCESS |
| SC-7 (3) BOUNDARY PROTECTION | ACCESS POINTS |
| SC-7 (4) BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES |
| SC-7 (5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION |
| SC-7 (6) BOUNDARY PROTECTION | RESPONSE TO RECOGNIZED FAILURES |
| SC-7 (7) BOUNDARY PROTECTION | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES |
| SC-7 (8) BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS |
| SC-7 (9) BOUNDARY PROTECTION | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC |
| SC-7 (10) BOUNDARY PROTECTION | PREVENT UNAUTHORIZED EXFILTRATION |
| SC-7 (11) BOUNDARY PROTECTION | RESTRICT INCOMING COMMUNICATIONS TRAFFIC |
| SC-7 (12) BOUNDARY PROTECTION | HOST-BASED PROTECTION |
| SC-7 (13) BOUNDARY PROTECTION | ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS |
| SC-7 (14) BOUNDARY PROTECTION | PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS |
| SC-7 (15) BOUNDARY PROTECTION | ROUTE PRIVILEGED NETWORK ACCESSES |
| SC-7 (16) BOUNDARY PROTECTION | PREVENT DISCOVERY OF COMPONENTS / DEVICES |
| SC-7 (17) BOUNDARY PROTECTION | AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS |
| SC-7 (18) BOUNDARY PROTECTION | FAIL SECURE |
| SC-7 (19) BOUNDARY PROTECTION | BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS |
| SC-7 (20) BOUNDARY PROTECTION | DYNAMIC ISOLATION/SEGREGATION |
| SC-7 (21) BOUNDARY PROTECTION | ISOLATION OF INFORMATION SYSTEM COMPONENTS |
| SC-7 (22) BOUNDARY PROTECTION | SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS |
| SC-7 (23) BOUNDARY PROTECTION | DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE |
SC-8 SYSTEM AND COMMUNICATIONS PROTECTION | TRANSMISSION CONFIDENTIALITY AND INTEGRITY |
| SC-8 (1) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION |
| SC-8 (2) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | PRE/POST TRANSMISSION HANDLING |
| SC-8 (3) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS |
| SC-8 (4) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CONCEAL/RANDOMIZE COMMUNICATIONS |
SC-9 SYSTEM AND COMMUNICATIONS PROTECTION | TRANSMISSION CONFIDENTIALITY |
SC-10 SYSTEM AND COMMUNICATIONS PROTECTION | NETWORK DISCONNECT |
SC-11 SYSTEM AND COMMUNICATIONS PROTECTION | TRUSTED PATH |
| SC-11 (1) TRUSTED PATH | LOGICAL ISOLATION |
SC-12 SYSTEM AND COMMUNICATIONS PROTECTION | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT |
| SC-12 (1) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABILITY |
| SC-12 (2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC KEYS |
| SC-12 (3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | ASYMMETRIC KEYS |
| SC-12 (4) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PKI CERTIFICATES |
| SC-12 (5) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PKI CERTIFICATES / HARDWARE TOKENS |
SC-13 SYSTEM AND COMMUNICATIONS PROTECTION | CRYPTOGRAPHIC PROTECTION |
| SC-13 (1) CRYPTOGRAPHIC PROTECTION | FIPS-VALIDATED CRYPTOGRAPHY |
| SC-13 (2) CRYPTOGRAPHIC PROTECTION | NSA-APPROVED CRYPTOGRAPHY |
| SC-13 (3) CRYPTOGRAPHIC PROTECTION | INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS |
| SC-13 (4) CRYPTOGRAPHIC PROTECTION | DIGITAL SIGNATURES |
SC-14 SYSTEM AND COMMUNICATIONS PROTECTION | PUBLIC ACCESS PROTECTIONS |
SC-15 SYSTEM AND COMMUNICATIONS PROTECTION | COLLABORATIVE COMPUTING DEVICES |
| SC-15 (1) COLLABORATIVE COMPUTING DEVICES | PHYSICAL DISCONNECT |
| SC-15 (2) COLLABORATIVE COMPUTING DEVICES | BLOCKING INBOUND / OUTBOUND COMMUNICATIONS TRAFFIC |
| SC-15 (3) COLLABORATIVE COMPUTING DEVICES | DISABLING / REMOVAL IN SECURE WORK AREAS |
| SC-15 (4) COLLABORATIVE COMPUTING DEVICES | EXPLICITLY INDICATE CURRENT PARTICIPANTS |
SC-16 SYSTEM AND COMMUNICATIONS PROTECTION | TRANSMISSION OF SECURITY ATTRIBUTES |
| SC-16 (1) TRANSMISSION OF SECURITY ATTRIBUTES | INTEGRITY VALIDATION |
SC-17 SYSTEM AND COMMUNICATIONS PROTECTION | PUBLIC KEY INFRASTRUCTURE CERTIFICATES |
SC-18 SYSTEM AND COMMUNICATIONS PROTECTION | MOBILE CODE |
| SC-18 (1) MOBILE CODE | IDENTIFY UNACCEPTABLE CODE / TAKE CORRECTIVE ACTIONS |
| SC-18 (2) MOBILE CODE | ACQUISITION / DEVELOPMENT / USE |
| SC-18 (3) MOBILE CODE | PREVENT DOWNLOADING / EXECUTION |
| SC-18 (4) MOBILE CODE | PREVENT AUTOMATIC EXECUTION |
| SC-18 (5) MOBILE CODE | ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS |
SC-19 SYSTEM AND COMMUNICATIONS PROTECTION | VOICE OVER INTERNET PROTOCOL |
SC-20 SYSTEM AND COMMUNICATIONS PROTECTION | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) |
| SC-20 (1) SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | CHILD SUBSPACES |
| SC-20 (2) SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | DATA ORIGIN/INTEGRITY |
SC-21 SYSTEM AND COMMUNICATIONS PROTECTION | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) |
| SC-21 (1) SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) | DATA ORIGIN/INTEGRITY |
SC-22 SYSTEM AND COMMUNICATIONS PROTECTION | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE |
SC-23 SYSTEM AND COMMUNICATIONS PROTECTION | SESSION AUTHENTICITY |
| SC-23 (1) SESSION AUTHENTICITY | INVALIDATE SESSION IDENTIFIERS AT LOGOUT |
| SC-23 (2) SESSION AUTHENTICITY | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS |
| SC-23 (3) SESSION AUTHENTICITY | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION |
| SC-23 (4) SESSION AUTHENTICITY | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION |
| SC-23 (5) SESSION AUTHENTICITY | ALLOWED CERTIFICATE AUTHORITIES |
SC-24 SYSTEM AND COMMUNICATIONS PROTECTION | FAIL IN KNOWN STATE |
SC-25 SYSTEM AND COMMUNICATIONS PROTECTION | THIN NODES |
SC-26 SYSTEM AND COMMUNICATIONS PROTECTION | HONEYPOTS |
| SC-26 (1) HONEYPOTS | DETECTION OF MALICIOUS CODE |
SC-27 SYSTEM AND COMMUNICATIONS PROTECTION | PLATFORM-INDEPENDENT APPLICATIONS |
SC-28 SYSTEM AND COMMUNICATIONS PROTECTION | PROTECTION OF INFORMATION AT REST |
| SC-28 (1) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION |
| SC-28 (2) PROTECTION OF INFORMATION AT REST | OFF-LINE STORAGE |
SC-29 SYSTEM AND COMMUNICATIONS PROTECTION | HETEROGENEITY |
| SC-29 (1) HETEROGENEITY | VIRTUALIZATION TECHNIQUES |
SC-30 SYSTEM AND COMMUNICATIONS PROTECTION | CONCEALMENT AND MISDIRECTION |
| SC-30 (1) CONCEALMENT AND MISDIRECTION | VIRTUALIZATION TECHNIQUES |
| SC-30 (2) CONCEALMENT AND MISDIRECTION | RANDOMNESS |
| SC-30 (3) CONCEALMENT AND MISDIRECTION | CHANGE PROCESSING/STORAGE LOCATIONS |
| SC-30 (4) CONCEALMENT AND MISDIRECTION | MISLEADING INFORMATION |
| SC-30 (5) CONCEALMENT AND MISDIRECTION | CONCEALMENT OF SYSTEM COMPONENTS |
SC-31 SYSTEM AND COMMUNICATIONS PROTECTION | COVERT CHANNEL ANALYSIS |
| SC-31 (1) COVERT CHANNEL ANALYSIS | TEST COVERT CHANNELS FOR EXPLOITABILITY |
| SC-31 (2) COVERT CHANNEL ANALYSIS | MAXIMUM BANDWIDTH |
| SC-31 (3) COVERT CHANNEL ANALYSIS | MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS |
SC-32 SYSTEM AND COMMUNICATIONS PROTECTION | INFORMATION SYSTEM PARTITIONING |
SC-33 SYSTEM AND COMMUNICATIONS PROTECTION | TRANSMISSION PREPARATION INTEGRITY |
SC-34 SYSTEM AND COMMUNICATIONS PROTECTION | NON-MODIFIABLE EXECUTABLE PROGRAMS |
| SC-34 (1) NON-MODIFIABLE EXECUTABLE PROGRAMS | NO WRITABLE STORAGE |
| SC-34 (2) NON-MODIFIABLE EXECUTABLE PROGRAMS | INTEGRITY PROTECTION / READ-ONLY MEDIA |
| SC-34 (3) NON-MODIFIABLE EXECUTABLE PROGRAMS | HARDWARE-BASED PROTECTION |
SC-35 SYSTEM AND COMMUNICATIONS PROTECTION | HONEYCLIENTS |
SC-36 SYSTEM AND COMMUNICATIONS PROTECTION | DISTRIBUTED PROCESSING AND STORAGE |
| SC-36 (1) DISTRIBUTED PROCESSING AND STORAGE | POLLING TECHNIQUES |
SC-37 SYSTEM AND COMMUNICATIONS PROTECTION | OUT-OF-BAND CHANNELS |
| SC-37 (1) OUT-OF-BAND CHANNELS | ENSURE DELIVERY / TRANSMISSION |
SC-38 SYSTEM AND COMMUNICATIONS PROTECTION | OPERATIONS SECURITY |
SC-39 SYSTEM AND COMMUNICATIONS PROTECTION | PROCESS ISOLATION |
| SC-39 (1) PROCESS ISOLATION | HARDWARE SEPARATION |
| SC-39 (2) PROCESS ISOLATION | THREAD ISOLATION |
SC-40 SYSTEM AND COMMUNICATIONS PROTECTION | WIRELESS LINK PROTECTION |
| SC-40 (1) WIRELESS LINK PROTECTION | ELECTROMAGNETIC INTERFERENCE |
| SC-40 (2) WIRELESS LINK PROTECTION | REDUCE DETECTION POTENTIAL |
| SC-40 (3) WIRELESS LINK PROTECTION | IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION |
| SC-40 (4) WIRELESS LINK PROTECTION | SIGNAL PARAMETER IDENTIFICATION |
SC-41 SYSTEM AND COMMUNICATIONS PROTECTION | PORT AND I/O DEVICE ACCESS |
SC-42 SYSTEM AND COMMUNICATIONS PROTECTION | SENSOR CAPABILITY AND DATA |
| SC-42 (1) SENSOR CAPABILITY AND DATA | REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES |
| SC-42 (2) SENSOR CAPABILITY AND DATA | AUTHORIZED USE |
| SC-42 (3) SENSOR CAPABILITY AND DATA | PROHIBIT USE OF DEVICES |
SC-43 SYSTEM AND COMMUNICATIONS PROTECTION | USAGE RESTRICTIONS |
SC-44 SYSTEM AND COMMUNICATIONS PROTECTION | DETONATION CHAMBERS |
SI-1 SYSTEM AND INFORMATION INTEGRITY | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES |
SI-2 SYSTEM AND INFORMATION INTEGRITY | FLAW REMEDIATION |
| SI-2 (1) FLAW REMEDIATION | CENTRAL MANAGEMENT |
| SI-2 (2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS |
| SI-2 (3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS |
| SI-2 (4) FLAW REMEDIATION | AUTOMATED PATCH MANAGEMENT TOOLS |
| SI-2 (5) FLAW REMEDIATION | AUTOMATIC SOFTWARE/FIRMWARE UPDATES |
| SI-2 (6) FLAW REMEDIATION | REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE / FIRMWARE |
SI-3 SYSTEM AND INFORMATION INTEGRITY | MALICIOUS CODE PROTECTION |
| SI-3 (1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT |
| SI-3 (2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES |
| SI-3 (3) MALICIOUS CODE PROTECTION | NON-PRIVILEGED USERS |
| SI-3 (4) MALICIOUS CODE PROTECTION | UPDATES ONLY BY PRIVILEGED USERS |
| SI-3 (5) MALICIOUS CODE PROTECTION | PORTABLE STORAGE DEVICES |
| SI-3 (6) MALICIOUS CODE PROTECTION | TESTING/VERIFICATION |
| SI-3 (7) MALICIOUS CODE PROTECTION | NONSIGNATURE-BASED DETECTION |
| SI-3 (8) MALICIOUS CODE PROTECTION | DETECT UNAUTHORIZED COMMANDS |
| SI-3 (9) MALICIOUS CODE PROTECTION | AUTHENTICATE REMOTE COMMANDS |
| SI-3 (10) MALICIOUS CODE PROTECTION | MALICIOUS CODE ANALYSIS |
SI-4 SYSTEM AND INFORMATION INTEGRITY | INFORMATION SYSTEM MONITORING |
| SI-4 (1) INFORMATION SYSTEM MONITORING | SYSTEM-WIDE INTRUSION DETECTION SYSTEM |
| SI-4 (2) INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS |
| SI-4 (3) INFORMATION SYSTEM MONITORING | AUTOMATED TOOL INTEGRATION |
| SI-4 (4) INFORMATION SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC |
| SI-4 (5) INFORMATION SYSTEM MONITORING | SYSTEM-GENERATED ALERTS |
| SI-4 (6) INFORMATION SYSTEM MONITORING | RESTRICT NON-PRIVILEGED USERS |
| SI-4 (7) INFORMATION SYSTEM MONITORING | AUTOMATED RESPONSE TO SUSPICIOUS EVENTS |
| SI-4 (8) INFORMATION SYSTEM MONITORING | PROTECTION OF MONITORING INFORMATION |
| SI-4 (9) INFORMATION SYSTEM MONITORING | TESTING OF MONITORING TOOLS |
| SI-4 (10) INFORMATION SYSTEM MONITORING | VISIBILITY OF ENCRYPTED COMMUNICATIONS |
| SI-4 (11) INFORMATION SYSTEM MONITORING | ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES |
| SI-4 (12) INFORMATION SYSTEM MONITORING | AUTOMATED ALERTS |
| SI-4 (13) INFORMATION SYSTEM MONITORING | ANALYZE TRAFFIC / EVENT PATTERNS |
| SI-4 (14) INFORMATION SYSTEM MONITORING | WIRELESS INTRUSION DETECTION |
| SI-4 (15) INFORMATION SYSTEM MONITORING | WIRELESS TO WIRELINE COMMUNICATIONS |
| SI-4 (16) INFORMATION SYSTEM MONITORING | CORRELATE MONITORING INFORMATION |
| SI-4 (17) INFORMATION SYSTEM MONITORING | INTEGRATED SITUATIONAL AWARENESS |
| SI-4 (18) INFORMATION SYSTEM MONITORING | ANALYZE TRAFFIC / COVERT EXFILTRATION |
| SI-4 (19) INFORMATION SYSTEM MONITORING | INDIVIDUALS POSING GREATER RISK |
| SI-4 (20) INFORMATION SYSTEM MONITORING | PRIVILEGED USERS |
| SI-4 (21) INFORMATION SYSTEM MONITORING | PROBATIONARY PERIODS |
| SI-4 (22) INFORMATION SYSTEM MONITORING | UNAUTHORIZED NETWORK SERVICES |
| SI-4 (23) INFORMATION SYSTEM MONITORING | HOST-BASED DEVICES |
| SI-4 (24) INFORMATION SYSTEM MONITORING | INDICATORS OF COMPROMISE |
SI-5 SYSTEM AND INFORMATION INTEGRITY | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES |
| SI-5 (1) SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES |
SI-6 SYSTEM AND INFORMATION INTEGRITY | SECURITY FUNCTION VERIFICATION |
| SI-6 (1) SECURITY FUNCTION VERIFICATION | NOTIFICATION OF FAILED SECURITY TESTS |
| SI-6 (2) SECURITY FUNCTION VERIFICATION | AUTOMATION SUPPORT FOR DISTRIBUTED TESTING |
| SI-6 (3) SECURITY FUNCTION VERIFICATION | REPORT VERIFICATION RESULTS |
SI-7 SYSTEM AND INFORMATION INTEGRITY | SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY |
| SI-7 (1) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS |
| SI-7 (2) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS |
| SI-7 (3) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CENTRALLY-MANAGED INTEGRITY TOOLS |
| SI-7 (4) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | TAMPER-EVIDENT PACKAGING |
| SI-7 (5) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS |
| SI-7 (6) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CRYPTOGRAPHIC PROTECTION |
| SI-7 (7) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE |
| SI-7 (8) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUDITING CAPABILITY FOR SIGNIFICANT EVENTS |
| SI-7 (9) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | VERIFY BOOT PROCESS |
| SI-7 (10) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | PROTECTION OF BOOT FIRMWARE |
| SI-7 (11) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES |
| SI-7 (12) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY VERIFICATION |
| SI-7 (13) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE EXECUTION IN PROTECTED ENVIRONMENTS |
| SI-7 (14) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | BINARY OR MACHINE EXECUTABLE CODE |
| SI-7 (15) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION |
| SI-7 (16) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION |
SI-8 SYSTEM AND INFORMATION INTEGRITY | SPAM PROTECTION |
| SI-8 (1) SPAM PROTECTION | CENTRAL MANAGEMENT |
| SI-8 (2) SPAM PROTECTION | AUTOMATIC UPDATES |
| SI-8 (3) SPAM PROTECTION | CONTINUOUS LEARNING CAPABILITY |
SI-9 SYSTEM AND INFORMATION INTEGRITY | INFORMATION INPUT RESTRICTIONS |
SI-10 SYSTEM AND INFORMATION INTEGRITY | INFORMATION INPUT VALIDATION |
| SI-10 (1) INFORMATION INPUT VALIDATION | MANUAL OVERRIDE CAPABILITY |
| SI-10 (2) INFORMATION INPUT VALIDATION | REVIEW/RESOLUTION OF ERRORS |
| SI-10 (3) INFORMATION INPUT VALIDATION | PREDICTABLE BEHAVIOR |
| SI-10 (4) INFORMATION INPUT VALIDATION | REVIEW/TIMING INTERACTIONS |
| SI-10 (5) INFORMATION INPUT VALIDATION | RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS |
SI-11 SYSTEM AND INFORMATION INTEGRITY | ERROR HANDLING |
SI-12 SYSTEM AND INFORMATION INTEGRITY | INFORMATION HANDLING AND RETENTION |
SI-13 SYSTEM AND INFORMATION INTEGRITY | PREDICTABLE FAILURE PREVENTION |
| SI-13 (1) PREDICTABLE FAILURE PREVENTION | TRANSFERRING COMPONENT RESPONSIBILITIES |
| SI-13 (2) PREDICTABLE FAILURE PREVENTION | TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION |
| SI-13 (3) PREDICTABLE FAILURE PREVENTION | MANUAL TRANSFER BETWEEN COMPONENTS |
| SI-13 (4) PREDICTABLE FAILURE PREVENTION | STANDBY COMPONENT INSTALLATION / NOTIFICATION |
| SI-13 (5) PREDICTABLE FAILURE PREVENTION | FAILOVER CAPABILITY |
SI-14 SYSTEM AND INFORMATION INTEGRITY | NON-PERSISTENCE |
| SI-14 (1) NON-PERSISTENCE | REFRESH FROM TRUSTED SOURCES |
SI-15 SYSTEM AND INFORMATION INTEGRITY | INFORMATION OUTPUT FILTERING |
SI-16 SYSTEM AND INFORMATION INTEGRITY | MEMORY PROTECTION |
SI-17 SYSTEM AND INFORMATION INTEGRITY | FAIL-SAFE PROCEDURES |