AC-1 ACCESS CONTROL | ACCESS CONTROL POLICY AND PROCEDURES |
AC-2 ACCESS CONTROL | ACCOUNT MANAGEMENT |
| AC-2 (7) ACCOUNT MANAGEMENT | ROLE-BASED SCHEMES |
| AC-2 (12) ACCOUNT MANAGEMENT | ACCOUNT MONITORING/ATYPICAL USAGE |
AC-3 ACCESS CONTROL | ACCESS ENFORCEMENT |
| AC-3 (3) ACCESS ENFORCEMENT | MANDATORY ACCESS CONTROL |
| AC-3 (4) ACCESS ENFORCEMENT | DISCRETIONARY ACCESS CONTROL |
| AC-3 (9) ACCESS ENFORCEMENT | CONTROLLED RELEASE |
AC-7 ACCESS CONTROL | UNSUCCESSFUL LOGON ATTEMPTS |
AC-8 ACCESS CONTROL | SYSTEM USE NOTIFICATION |
AC-14 ACCESS CONTROL | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION |
AC-17 ACCESS CONTROL | REMOTE ACCESS |
| AC-17 (4) REMOTE ACCESS | PRIVILEGED COMMANDS/ACCESS |
AC-18 ACCESS CONTROL | WIRELESS ACCESS |
AC-19 ACCESS CONTROL | ACCESS CONTROL FOR MOBILE DEVICES |
| AC-19 (4) ACCESS CONTROL FOR MOBILE DEVICES | RESTRICTIONS FOR CLASSIFIED INFORMATION |
AC-20 ACCESS CONTROL | USE OF EXTERNAL INFORMATION SYSTEMS |
| AC-20 (1) USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE |
AC-22 ACCESS CONTROL | PUBLICLY ACCESSIBLE CONTENT |
AT-1 AWARENESS AND TRAINING | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES |
AT-2 AWARENESS AND TRAINING | SECURITY AWARENESS TRAINING |
AT-3 AWARENESS AND TRAINING | ROLE-BASED SECURITY TRAINING |
AT-4 AWARENESS AND TRAINING | SECURITY TRAINING RECORDS |
AU-1 AUDIT AND ACCOUNTABILITY | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES |
AU-2 AUDIT AND ACCOUNTABILITY | AUDIT EVENTS |
AU-3 AUDIT AND ACCOUNTABILITY | CONTENT OF AUDIT RECORDS |
AU-4 AUDIT AND ACCOUNTABILITY | AUDIT STORAGE CAPACITY |
AU-5 AUDIT AND ACCOUNTABILITY | RESPONSE TO AUDIT PROCESSING FAILURES |
AU-6 AUDIT AND ACCOUNTABILITY | AUDIT REVIEW, ANALYSIS, AND REPORTING |
AU-8 AUDIT AND ACCOUNTABILITY | TIME STAMPS |
| AU-8 (1) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE |
AU-9 AUDIT AND ACCOUNTABILITY | PROTECTION OF AUDIT INFORMATION |
AU-11 AUDIT AND ACCOUNTABILITY | AUDIT RECORD RETENTION |
AU-12 AUDIT AND ACCOUNTABILITY | AUDIT GENERATION |
CA-1 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES |
CA-2 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY ASSESSMENTS |
CA-3 SECURITY ASSESSMENT AND AUTHORIZATION | SYSTEM INTERCONNECTIONS |
CA-5 SECURITY ASSESSMENT AND AUTHORIZATION | PLAN OF ACTION AND MILESTONES |
CA-6 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY AUTHORIZATION |
CA-7 SECURITY ASSESSMENT AND AUTHORIZATION | CONTINUOUS MONITORING |
CA-9 SECURITY ASSESSMENT AND AUTHORIZATION | INTERNAL SYSTEM CONNECTIONS |
CM-1 CONFIGURATION MANAGEMENT | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES |
CM-2 CONFIGURATION MANAGEMENT | BASELINE CONFIGURATION |
| CM-2 (1) BASELINE CONFIGURATION | REVIEWS AND UPDATES |
| CM-2 (7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS |
CM-4 CONFIGURATION MANAGEMENT | SECURITY IMPACT ANALYSIS |
CM-6 CONFIGURATION MANAGEMENT | CONFIGURATION SETTINGS |
CM-7 CONFIGURATION MANAGEMENT | LEAST FUNCTIONALITY |
| CM-7 (1) LEAST FUNCTIONALITY | PERIODIC REVIEW |
| CM-7 (4) LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE/BLACKLISTING |
| CM-7 (5) LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE/WHITELISTING |
CM-8 CONFIGURATION MANAGEMENT | INFORMATION SYSTEM COMPONENT INVENTORY |
| CM-8 (3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION |
| CM-8 (9) INFORMATION SYSTEM COMPONENT INVENTORY | ASSIGNMENT OF COMPONENTS TO SYSTEMS |
CM-10 CONFIGURATION MANAGEMENT | SOFTWARE USAGE RESTRICTIONS |
CM-11 CONFIGURATION MANAGEMENT | USER-INSTALLED SOFTWARE |
CP-1 CONTINGENCY PLANNING | CONTINGENCY PLANNING POLICY AND PROCEDURES |
CP-2 CONTINGENCY PLANNING | CONTINGENCY PLAN |
CP-3 CONTINGENCY PLANNING | CONTINGENCY TRAINING |
CP-4 CONTINGENCY PLANNING | CONTINGENCY PLAN TESTING |
| CP-4 (2) CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE |
CP-9 CONTINGENCY PLANNING | INFORMATION SYSTEM BACKUP |
CP-10 CONTINGENCY PLANNING | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION |
IA-1 IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES |
IA-2 IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) |
| IA-2 (1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS |
| IA-2 (12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS |
IA-4 IDENTIFICATION AND AUTHENTICATION | IDENTIFIER MANAGEMENT |
IA-5 IDENTIFICATION AND AUTHENTICATION | AUTHENTICATOR MANAGEMENT |
| IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION |
| IA-5 (2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION |
| IA-5 (11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION |
IA-6 IDENTIFICATION AND AUTHENTICATION | AUTHENTICATOR FEEDBACK |
IA-7 IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC MODULE AUTHENTICATION |
IA-8 IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) |
| IA-8 (1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES |
| IA-8 (2) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF THIRD-PARTY CREDENTIALS |
| IA-8 (3) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-APPROVED PRODUCTS |
| IA-8 (4) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-ISSUED PROFILES |
IR-1 INCIDENT RESPONSE | INCIDENT RESPONSE POLICY AND PROCEDURES |
IR-2 INCIDENT RESPONSE | INCIDENT RESPONSE TRAINING |
IR-4 INCIDENT RESPONSE | INCIDENT HANDLING |
IR-5 INCIDENT RESPONSE | INCIDENT MONITORING |
IR-6 INCIDENT RESPONSE | INCIDENT REPORTING |
IR-7 INCIDENT RESPONSE | INCIDENT RESPONSE ASSISTANCE |
| IR-7 (2) INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS |
IR-8 INCIDENT RESPONSE | INCIDENT RESPONSE PLAN |
MA-1 MAINTENANCE | SYSTEM MAINTENANCE POLICY AND PROCEDURES |
MA-2 MAINTENANCE | CONTROLLED MAINTENANCE |
| MA-2 (2) CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES |
MA-4 MAINTENANCE | NONLOCAL MAINTENANCE |
| MA-4 (1) NONLOCAL MAINTENANCE | AUDITING AND REVIEW |
| MA-4 (3) NONLOCAL MAINTENANCE | COMPARABLE SECURITY / SANITIZATION |
| MA-4 (4) NONLOCAL MAINTENANCE | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS |
| MA-4 (5) NONLOCAL MAINTENANCE | APPROVALS AND NOTIFICATIONS |
MA-5 MAINTENANCE | MAINTENANCE PERSONNEL |
| MA-5 (1) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS |
| MA-5 (4) MAINTENANCE PERSONNEL | FOREIGN NATIONALS |
MP-1 MEDIA PROTECTION | MEDIA PROTECTION POLICY AND PROCEDURES |
MP-2 MEDIA PROTECTION | MEDIA ACCESS |
MP-6 MEDIA PROTECTION | MEDIA SANITIZATION |
MP-7 MEDIA PROTECTION | MEDIA USE |
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES |
PE-2 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL ACCESS AUTHORIZATIONS |
PE-3 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL ACCESS AUTHORIZATIONS |
PE-6 PHYSICAL AND ENVIRONMENTAL PROTECTION | MONITORING PHYSICAL ACCESS |
PE-8 PHYSICAL AND ENVIRONMENTAL PROTECTION | VISITOR ACCESS RECORDS |
PE-12 PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY LIGHTING |
PE-13 PHYSICAL AND ENVIRONMENTAL PROTECTION | FIRE PROTECTION |
PE-14 PHYSICAL AND ENVIRONMENTAL PROTECTION | TEMPERATURE AND HUMIDITY CONTROLS |
PE-15 PHYSICAL AND ENVIRONMENTAL PROTECTION | WATER DAMAGE PROTECTION |
PE-16 PHYSICAL AND ENVIRONMENTAL PROTECTION | DELIVERY AND REMOVAL |
PL-1 PLANNING | SECURITY PLANNING POLICY AND PROCEDURES |
PL-2 PLANNING | SYSTEM SECURITY PLAN |
PL-4 PLANNING | RULES OF BEHAVIOR |
PS-1 PERSONNEL SECURITY | PERSONNEL SECURITY POLICY AND PROCEDURES |
PS-2 PERSONNEL SECURITY | POSITION RISK DESIGNATION |
PS-3 PERSONNEL SECURITY | PERSONNEL SCREENING |
PS-4 PERSONNEL SECURITY | PERSONNEL TERMINATION |
| PS-4 (1) PERSONNEL TERMINATION | POST-EMPLOYMENT REQUIREMENTS |
PS-5 PERSONNEL SECURITY | PERSONNEL TRANSFER |
PS-6 PERSONNEL SECURITY | ACCESS AGREEMENTS |
| PS-6 (2) ACCESS AGREEMENTS | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION |
| PS-6 (3) ACCESS AGREEMENTS | POST-EMPLOYMENT REQUIREMENTS |
PS-7 PERSONNEL SECURITY | THIRD-PARTY PERSONNEL SECURITY |
PS-8 PERSONNEL SECURITY | PERSONNEL SANCTIONS |
RA-1 RISK ASSESSMENT | RISK ASSESSMENT POLICY AND PROCEDURES |
RA-2 RISK ASSESSMENT | RISK ASSESSMENT |
RA-3 RISK ASSESSMENT | SECURITY CATEGORIZATION |
RA-5 RISK ASSESSMENT | VULNERABILITY SCANNING |
SA-1 SYSTEMS AND SERVICES ACQUISITION | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES |
SA-2 SYSTEMS AND SERVICES ACQUISITION | ALLOCATION OF RESOURCES |
SA-3 SYSTEMS AND SERVICES ACQUISITION | SYSTEM DEVELOPMENT LIFE CYCLE |
SA-4 SYSTEMS AND SERVICES ACQUISITION | ACQUISITION PROCESS |
| SA-4 (5) ACQUISITION PROCESS | SYSTEM / COMPONENT / SERVICE CONFIGURATIONS |
| SA-4 (6) ACQUISITION PROCESS | USE OF INFORMATION ASSURANCE PRODUCTS |
| SA-4 (7) ACQUISITION PROCESS | NIAP-APPROVED PROTECTION PROFILES |
| SA-4 (10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS |
SA-5 SYSTEMS AND SERVICES ACQUISITION | INFORMATION SYSTEM DOCUMENTATION |
SA-9 ACQUISITION PROCESS | EXTERNAL INFORMATION SYSTEM SERVICES |
| SA-9 (1) EXTERNAL INFORMATION SYSTEM SERVICES | RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS |
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES |
SC-5 SYSTEM AND COMMUNICATIONS PROTECTION | DENIAL OF SERVICE PROTECTION |
| SC-5 (3) DENIAL OF SERVICE PROTECTION | DETECTION/MONITORING |
SC-7 SYSTEM AND COMMUNICATIONS PROTECTION | BOUNDARY PROTECTION |
| SC-7 (4) BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES |
| SC-7 (9) BOUNDARY PROTECTION | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC |
SC-12 SYSTEM AND COMMUNICATIONS PROTECTION | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT |
SC-13 SYSTEM AND COMMUNICATIONS PROTECTION | CRYPTOGRAPHIC PROTECTION |
SC-15 SYSTEM AND COMMUNICATIONS PROTECTION | COLLABORATIVE COMPUTING DEVICES |
SC-20 SYSTEM AND COMMUNICATIONS PROTECTION | SECURE NAME |
SC-22 SYSTEM AND COMMUNICATIONS PROTECTION | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE |
SC-39 SYSTEM AND COMMUNICATIONS PROTECTION | PROCESS ISOLATION |
SI-1 SYSTEM AND INFORMATION INTEGRITY | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES |
SI-2 SYSTEM AND INFORMATION INTEGRITY | FLAW REMEDIATION |
| SI-2 (3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS |
SI-3 SYSTEM AND INFORMATION INTEGRITY | MALICIOUS CODE PROTECTION |
| SI-3 (6) MALICIOUS CODE PROTECTION | TESTING/VERIFICATION |
| SI-3 (10) MALICIOUS CODE PROTECTION | MALICIOUS CODE ANALYSIS |
SI-4 SYSTEM AND INFORMATION INTEGRITY | INFORMATION SYSTEM MONITORING |
| SI-4 (13) INFORMATION SYSTEM MONITORING | ANALYZE TRAFFIC / EVENT PATTERNS |
SI-5 SYSTEM AND INFORMATION INTEGRITY | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES |
SI-12 SYSTEM AND INFORMATION INTEGRITY | INFORMATION HANDLING AND RETENTION |