| AC-1 ACCESS CONTROL | ACCESS CONTROL POLICY AND PROCEDURES |
| AC-2 ACCESS CONTROL | ACCOUNT MANAGEMENT |
| AC-2 (1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT |
| AC-2 (2) ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS |
| AC-2 (3) ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS |
| AC-2 (4) ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS |
| AC-2 (5) ACCOUNT MANAGEMENT | INACTIVITY LOGOUT |
| AC-2 (7) ACCOUNT MANAGEMENT | ROLE-BASED SCHEMES |
| AC-2 (11) ACCOUNT MANAGEMENT | USAGE CONDITIONS |
| AC-2 (12) ACCOUNT MANAGEMENT | ACCOUNT MONITORING/ATYPICAL USAGE |
| AC-2 (13) ACCOUNT MANAGEMENT | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS |
| AC-3 ACCESS CONTROL | ACCESS ENFORCEMENT |
| AC-3 (3) ACCESS ENFORCEMENT | MANDATORY ACCESS CONTROL |
| AC-3 (4) ACCESS ENFORCEMENT | DISCRETIONARY ACCESS CONTROL |
| AC-3 (9) ACCESS ENFORCEMENT | CONTROLLED RELEASE |
| AC-4 ACCESS CONTROL | INFORMATION FLOW ENFORCEMENT |
| AC-5 ACCESS CONTROL | SEPARATION OF DUTIES |
| AC-6 ACCESS CONTROL | LEAST PRIVILEGE |
| AC-6 (1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS |
| AC-6 (2) LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS |
| AC-6 (3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS |
| AC-6 (5) LEAST PRIVILEGE | PRIVILEGED ACCOUNTS |
| AC-6 (7) LEAST PRIVILEGE | REVIEW OF USER PRIVILEGES |
| AC-6 (9) LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS |
| AC-6 (10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS |
| AC-7 ACCESS CONTROL | UNSUCCESSFUL LOGON ATTEMPTS |
| AC-8 ACCESS CONTROL | SYSTEM USE NOTIFICATION |
| AC-10 ACCESS CONTROL | CONCURRENT SESSION CONTROL |
| AC-11 ACCESS CONTROL | SESSION LOCK |
| AC-11 (1) SESSION LOCK | PATTERN-HIDING DISPLAYS |
| AC-12 ACCESS CONTROL | SESSION TERMINATION |
| AC-12 (1) SESSION TERMINATION | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS |
| AC-14 ACCESS CONTROL | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION |
| AC-17 ACCESS CONTROL | REMOTE ACCESS |
| AC-17 (1) REMOTE ACCESS | AUTOMATED MONITORING / CONTROL |
| AC-17 (2) REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION |
| AC-17 (3) REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS |
| AC-17 (4) REMOTE ACCESS | PRIVILEGED COMMANDS/ACCESS |
| AC-18 ACCESS CONTROL | WIRELESS ACCESS |
| AC-18 (1) WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION |
| AC-18 (4) WIRELESS ACCESS | RESTRICT CONFIGURATIONS BY USERS |
| AC-18 (5) WIRELESS ACCESS | ANTENNAS/TRANSMISSION POWER LEVELS |
| AC-19 ACCESS CONTROL | ACCESS CONTROL FOR MOBILE DEVICES |
| AC-19 (4) ACCESS CONTROL FOR MOBILE DEVICES | RESTRICTIONS FOR CLASSIFIED INFORMATION |
| AC-19 (5) ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE / CONTAINER-BASED ENCRYPTION |
| AC-20 ACCESS CONTROL | USE OF EXTERNAL INFORMATION SYSTEMS |
| AC-20 (1) USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE |
| AC-20 (2) USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE DEVICES |
| AC-21 ACCESS CONTROL | INFORMATION SHARING |
| AC-22 ACCESS CONTROL | PUBLICLY ACCESSIBLE CONTENT |
| AT-1 AWARENESS AND TRAINING | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES |
| AT-2 AWARENESS AND TRAINING | SECURITY AWARENESS TRAINING |
| AT-2 (2) SECURITY AWARENESS TRAINING | INSIDER THREAT |
| AT-3 AWARENESS AND TRAINING | ROLE-BASED SECURITY TRAINING |
| AT-4 AWARENESS AND TRAINING | SECURITY TRAINING RECORDS |
| AU-1 AUDIT AND ACCOUNTABILITY | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES |
| AU-2 AUDIT AND ACCOUNTABILITY | AUDIT EVENTS |
| AU-2 (3) AUDIT EVENTS | REVIEWS AND UPDATES |
| AU-3 AUDIT AND ACCOUNTABILITY | CONTENT OF AUDIT RECORDS |
| AU-3 (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION |
| AU-3 (2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT |
| AU-4 AUDIT AND ACCOUNTABILITY | AUDIT STORAGE CAPACITY |
| AU-5 AUDIT AND ACCOUNTABILITY | RESPONSE TO AUDIT PROCESSING FAILURES |
| AU-5 (1) RESPONSE TO AUDIT PROCESSING FAILURES | AUDIT STORAGE CAPACITY |
| AU-5 (2) RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS |
| AU-6 AUDIT AND ACCOUNTABILITY | AUDIT REVIEW, ANALYSIS, AND REPORTING |
| AU-6 (1) AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION |
| AU-6 (3) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT REPOSITORIES |
| AU-6 (5) AUDIT REVIEW, ANALYSIS, AND REPORTING | INTEGRATION / SCANNING AND MONITORING CAPABILITIES |
| AU-6 (6) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH PHYSICAL MONITORING |
| AU-7 AUDIT AND ACCOUNTABILITY | AUDIT REDUCTION AND REPORT GENERATION |
| AU-7 (1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING |
| AU-8 AUDIT AND ACCOUNTABILITY | TIME STAMPS |
| AU-8 (1) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE |
| AU-9 AUDIT AND ACCOUNTABILITY | PROTECTION OF AUDIT INFORMATION |
| AU-9 (2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS |
| AU-9 (3) PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION |
| AU-9 (4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS |
| AU-10 AUDIT AND ACCOUNTABILITY | NON-REPUDIATION |
| AU-10 (1) NON-REPUDIATION | ASSOCIATION OF IDENTITIES |
| AU-10 (2) NON-REPUDIATION | VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY |
| AU-10 (4) NON-REPUDIATION | VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY |
| AU-11 AUDIT AND ACCOUNTABILITY | AUDIT RECORD RETENTION |
| AU-12 AUDIT AND ACCOUNTABILITY | AUDIT GENERATION |
| AU-12 (1) AUDIT GENERATION | SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL |
| AU-12 (3) AUDIT GENERATION | CHANGES BY AUTHORIZED INDIVIDUALS |
| CA-1 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES |
| CA-2 SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY ASSESSMENTS |
| CA-2 (1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS |
| CA-2 (2) SECURITY ASSESSMENTS | SPECIALIZED ASSESSMENTS |
| CA-3 SECURITY ASSESSMENT AND AUTHORIZATION | SYSTEM INTERCONNECTIONS |
| CA-3 (5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS |
| CA-5 SECURITY ASSESSMENT AND AUTHORIZATION | PLAN OF ACTION AND MILESTONES |
| CA-6 SECURITY ASSESSMENT AND AUTHORIZATION | |
| CA-7 SECURITY ASSESSMENT AND AUTHORIZATION | CONTINUOUS MONITORING |
| CA-7 (1) CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT |
| CA-8 SECURITY ASSESSMENT AND AUTHORIZATION | PENETRATION TESTING |
| CA-9 SECURITY ASSESSMENT AND AUTHORIZATION | INTERNAL SYSTEM CONNECTIONS |
| CM-1 CONFIGURATION MANAGEMENT | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES |
| CM-2. CONFIGURATION MANAGEMENT | BASELINE CONFIGURATION |
| CM-2 (1) BASELINE CONFIGURATION | REVIEWS AND UPDATES |
| CM-2 (2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY |
| CM-2 (3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS |
| CM-2 (7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS |
| CM-3 CONFIGURATION MANAGEMENT | CONFIGURATION CHANGE CONTROL |
| CM-3 (1) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES |
| CM-3 (2) CONFIGURATION CHANGE CONTROL | TEST/VALIDATE/DOCUMENT CHANGES |
| CM-4 CONFIGURATION MANAGEMENT | SECURITY IMPACT ANALYSIS |
| CM-4 (1) SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS |
| CM-5 CONFIGURATION MANAGEMENT | ACCESS RESTRICTIONS FOR CHANGE |
| CM-5 (1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING |
| CM-5 (2) ACCESS RESTRICTIONS FOR CHANGE | REVIEW SYSTEM CHANGES |
| CM-5 (3) ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS |
| CM-5 (5) ACCESS RESTRICTIONS FOR CHANGE | LIMIT PRODUCTION / OPERATIONAL PRIVILEGES |
| CM-6 CONFIGURATION MANAGEMENT | CONFIGURATION SETTINGS |
| CM-6 (1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION |
| CM-6 (2) CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES |
| CM-7 CONFIGURATION MANAGEMENT | LEAST FUNCTIONALITY |
| CM-7 (1) LEAST FUNCTIONALITY | PERIODIC REVIEW |
| CM-7 (2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION |
| CM-7 (4) LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE/BLACKLISTING |
| CM-7 (5) LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE/WHITELISTING |
| CM-8 CONFIGURATION MANAGEMENT | INFORMATION SYSTEM COMPONENT INVENTORY |
| CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS |
| CM-8 (2) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE |
| CM-8 (3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION |
| CM-8 (4) INFORMATION SYSTEM COMPONENT INVENTORY | ACCOUNTABILITY INFORMATION |
| CM-8 (5) INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS |
| CM-8 (9) INFORMATION SYSTEM COMPONENT INVENTORY | ASSIGNMENT OF COMPONENTS TO SYSTEMS |
| CM-9 CONFIGURATION MANAGEMENT | CONFIGURATION MANAGEMENT PLAN |
| CM-10 CONFIGURATION MANAGEMENT | SOFTWARE USAGE RESTRICTIONS |
| CM-11 CONFIGURATION MANAGEMENT | USER-INSTALLED SOFTWARE |
| CP-1 CONTINGENCY PLANNING | CONTINGENCY PLANNING POLICY AND PROCEDURES |
| CP-2 CONTINGENCY PLANNING |. CONTINGENCY PLAN |
| CP-2 (1) CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS |
| CP-2 (2) CONTINGENCY PLAN | CAPACITY PLANNING |
| CP-2 (3) CONTINGENCY PLAN | RESUME ESSENTIAL MISSIONS/BUSINESS FUNCTIONS |
| CP-2 (4) CONTINGENCY PLAN | RESUME ALL MISSIONS/BUSINESS FUNCTIONS |
| CP-2 (5) CONTINGENCY PLAN | CONTINUE ESSENTIAL MISSIONS/BUSINESS FUNCTIONS |
| CP-2 (8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS |
| CP-3 CONTINGENCY PLANNING | CONTINGENCY TRAINING |
| CP-3 (1) CONTINGENCY TRAINING | SIMULATED EVENTS |
| CP-4 CONTINGENCY PLANNING |. CONTINGENCY PLAN TESTING |
| CP-4 (1) CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS |
| CP-4 (2) CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE |
| CP-6 CONTINGENCY PLANNING | ALTERNATE STORAGE SITE |
| CP-6 (1) ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE |
| CP-6 (2) ALTERNATE STORAGE SITE | RECOVERY TIME/POINT OBJECTIVES |
| CP-6 (3) ALTERNATE STORAGE SITE | ACCESSIBILITY |
| CP-7 CONTINGENCY PLANNING |. ALTERNATE PROCESSING SITE |
| CP-7 (1) ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE |
| CP-7 (2) ALTERNATE PROCESSING SITE | ACCESSIBILITY |
| CP-7 (3) ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE |
| CP-7 (4) ALTERNATE PROCESSING SITE | PREPARATION FOR USE |
| CP-8 CONTINGENCY PLANNING |. TELECOMMUNICATIONS SERVICES |
| CP-8 (1) TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS |
| CP-8 (2) TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE |
| CP-8 (3) TELECOMMUNICATIONS SERVICES | SEPARATION OF PRIMARY / ALTERNATE PROVIDERS |
| CP-8 (4) TELECOMMUNICATIONS SERVICES | PROVIDER CONTINGENCY PLAN |
| CP-9 CONTINGENCY PLANNING | INFORMATION SYSTEM BACKUP |
| CP-9 (1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY |
| CP-9 (2) INFORMATION SYSTEM BACKUP | TEST RESTORATION USING SAMPLING |
| CP-9 (3) INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION |
| CP-9 (5) INFORMATION SYSTEM BACKUP | TRANSFER TO ALTERNATE STORAGE SITE |
| CP-10 CONTINGENCY PLANNING | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION |
| CP-10 (2) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY |
| CP-10 (4) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | RESTORE WITHIN TIME PERIOD |
| IA-1 iDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES |
| IA-2 IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) |
| IA-2 (1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS |
| IA-2 (2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS |
| IA-2 (3) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO PRIVILEGED ACCOUNTS |
| IA-2 (4) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS |
| IA-2 (8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT |
| IA-2 (9) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT |
| IA-2 (11) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | REMOTE ACCESS - SEPARATE DEVICE |
| IA-2 (12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS |
| IA-3 IDENTIFICATION AND AUTHENTICATION | DEVICE IDENTIFICATION AND AUTHENTICATION |
| IA-3 (3) DEVICE IDENTIFICATION AND AUTHENTICATION | DYNAMIC ADDRESS ALLOCATION |
| IA-4 IDENTIFICATION AND AUTHENTICATION | IDENTIFIER MANAGEMENT |
| IA-5 IDENTIFICATION AND AUTHENTICATION | AUTHENTICATOR MANAGEMENT |
| IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION |
| IA-5 (2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION |
| IA-5 (3) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION |
| IA-5 (11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION |
| IA-6 IDENTIFICATION AND AUTHENTICATION | AUTHENTICATOR FEEDBACK |
| IA-7 IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC MODULE AUTHENTICATION |
| IA-8 IDENTIFICATION AND AUTHENTICATION | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) |
| IA-8 (1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) |ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES |
| IA-8 (2) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF THIRD-PARTY CREDENTIALS |
| IA-8 (3) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-APPROVED PRODUCTS |
| IA-8 (4) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-ISSUED PROFILES |
| IR-1 INCIDENT RESPONSE | INCIDENT RESPONSE POLICY AND PROCEDURES |
| IR-2 INCIDENT RESPONSE | INCIDENT RESPONSE TRAINING |
| IR-2 (1) INCIDENT RESPONSE TRAINING | SIMULATED EVENTS |
| IR-2 (2) INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING ENVIRONMENTS |
| IR-3 INCIDENT RESPONSE | INCIDENT RESPONSE TESTING |
| IR-3 (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS |
| IR-4 INCIDENT RESPONSE | INCIDENT HANDLING |
| IR-4 (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES |
| IR-4 (4) INCIDENT HANDLING | INFORMATION CORRELATION |
| IR-5 INCIDENT RESPONSE | INCIDENT MONITORING |
| IR-5 (1) INCIDENT MONITORING | AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS |
| IR-6 INCIDENT RESPONSE | INCIDENT REPORTING |
| IR-6 (1) INCIDENT REPORTING | AUTOMATED REPORTING |
| IR-7 INCIDENT RESPONSE | INCIDENT RESPONSE ASSISTANCE |
| IR-7 (1) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT |
| IR-7 (2) INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS |
| IR-8 INCIDENT RESPONSE | INCIDENT RESPONSE PLAN |
| MA-1 MAINTENANCE | SYSTEM MAINTENANCE POLICY AND PROCEDURES |
| MA-2 MAINTENANCE | CONTROLLED MAINTENANCE |
| MA-2 (2) CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES |
| MA-3 MAINTENANCE | MAINTENANCE TOOLS |
| MA-3 (1) MAINTENANCE TOOLS | INSPECT TOOLS |
| MA-3 (2) MAINTENANCE TOOLS | INSPECT MEDIA |
| MA-4 MAINTENANCE | NONLOCAL MAINTENANCE |
| MA-4 (1) NONLOCAL MAINTENANCE | AUDITING AND REVIEW |
| MA-4 (2) NONLOCAL MAINTENANCE | DOCUMENT NONLOCAL MAINTENANCE |
| MA-4 (3) NONLOCAL MAINTENANCE | COMPARABLE SECURITY / SANITIZATION |
| MA-4 (4) NONLOCAL MAINTENANCE | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS |
| MA-4 (5) NONLOCAL MAINTENANCE | APPROVALS AND NOTIFICATIONS |
| MA-5 MAINTENANCE | MAINTENANCE PERSONNEL |
| MA-5 (1) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS |
| MA-5 (4) MAINTENANCE PERSONNEL | FOREIGN NATIONALS |
| MA-6 MAINTENANCE | TIMELY MAINTENANCE |
| MP-1 MEDIA PROTECTION | MEDIA PROTECTION POLICY AND PROCEDURES |
| MP-2 MEDIA PROTECTION | MEDIA ACCESS |
| MP-3 MEDIA PROTECTION | MEDIA MARKING |
| MP-4 MEDIA PROTECTON | MEDIA STORAGE |
| MP-5 MEDIA PROTECTION | MEDIA TRANSPORT |
| MP-5 (4) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION |
| MP-6 MEDIA PROTECTION | MEDIA SANITIZATION |
| MP-6 (1) MEDIA SANITIZATION | REVIEW/APPROVE/TRACK/DOCUMENT/VERIFY |
| MP-6 (2) MEDIA SANITIZATION | EQUIPMENT TESTING |
| MP-6 (3) MEDIA SANITIZATION | NONDESTRUCTIVE TECHNIQUES |
| MP-7 MEDIA PROTECTION | MEDIA USE |
| MP-7 (1) MEDIA USE | PROHIBIT USE WITHOUT OWNER |
| PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES |
| PE-2 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL ACCESS AUTHORIZATIONS |
| PE-3 PHYSICAL AND ENVIRONMENTAL PROTECTION | PHYSICAL ACCESS AUTHORIZATIONS |
| PE-3 (1) PHYSICAL ACCESS CONTROL | INFORMATION SYSTEM ACCESS |
| PE-4 PHYSICAL AND ENVIRONMENTAL PROTECTION | ACCESS CONTROL FOR TRANSMISSION MEDIUM |
| PE-5 PHYSICAL AND ENVIRONMENTAL PROTECTION | ACCESS CONTROL FOR OUTPUT DEVICES |
| PE-5 (1) ACCESS CONTROL FOR OUTPUT DEVICES | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS |
| PE-5 (2) ACCESS CONTROL FOR OUTPUT DEVICES | ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY |
| PE-6 PHYSICAL AND ENVIRONMENTAL PROTECTION | MONITORING PHYSICAL ACCESS |
| PE-6 (1) MONITORING PHYSICAL ACCESS | INTRUSION ALARMS/SURVEILLANCE EQUIPMENT |
| PE-6 (4) MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS |
| PE-8 PHYSICAL AND ENVIRONMENTAL PROTECTION | VISITOR ACCESS RECORDS |
| PE-8 (1) VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE / REVIEW |
| PE-9 PHYSICAL AND ENVIRONMENTAL PROTECTION | POWER EQUIPMENT AND CABLING |
| PE-10 PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY SHUTOFF |
| PE-11 PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY POWER |
| PE-11 (1) EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY |
| PE-11 (2) EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED |
| PE-12 PHYSICAL AND ENVIRONMENTAL PROTECTION | EMERGENCY LIGHTING |
| PE-13 PHYSICAL AND ENVIRONMENTAL PROTECTION | FIRE PROTECTION |
| PE-13 (1) FIRE PROTECTION | DETECTION DEVICES / SYSTEMS |
| PE-13 (2) FIRE PROTECTION | SUPPRESSION DEVICES/SYSTEMS |
| PE-13 (3) FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION |
| PE-14 PHYSICAL AND ENVIRONMENTAL PROTECTION | TEMPERATURE AND HUMIDITY CONTROLS |
| PE-15 PHYSICAL AND ENVIRONMENTAL PROTECTION | WATER DAMAGE PROTECTION |
| PE-15 (1) WATER DAMAGE PROTECTION | AUTOMATION SUPPORT |
| PE-16 PHYSICAL AND ENVIRONMENTAL PROTECTION | DELIVERY AND REMOVAL |
| PE-17 PHYSICAL AND ENVIRONMENTAL PROTECTION | ALTERNATE WORK SITE |
| PE-18 PHYSICAL AND ENVIRONMENTAL PROTECTION | LOCATION OF INFORMATION SYSTEM COMPONENTS |
| PL-1 PLANNING | SECURITY PLANNING POLICY AND PROCEDURES |
| PL-2 PLANNING | SYSTEM SECURITY PLAN |
| PL-2 (3) SYSTEM SECURITY PLAN | PLAN/COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES |
| PL-4 PLANNING | RULES OF BEHAVIOR |
| PL-4 (1) RULES OF BEHAVIOR | SOCIAL MEDIA AND NETWORKING RESTRICTIONS |
| PL-8 PLANNING | INFORMATION SECURITY ARCHITECTURE |
| PL-8 (1) INFORMATION SECURITY ARCHITECTURE | DEFENSE-IN-DEPTH |
| PS-1 PERSONNEL SECURITY | PERSONNEL SECURITY POLICY AND PROCEDURES |
| PS-2 PERSONNEL SECURITY | POSITION RISK DESIGNATION |
| PS-3 PERSONNEL SECURITY | PERSONNEL SCREENING |
| PS-3 (3) PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTION MEASURES |
| PS-4 PERSONNEL SECURITY | PERSONNEL TERMINATION |
| PS-4 (1) PERSONNEL TERMINATION | POST-EMPLOYMENT REQUIREMENTS |
| PS-4 (2) PERSONNEL TERMINATION | AUTOMATED NOTIFICATION |
| PS-5 PERSONNEL SECURITY | PERSONNEL TRANSFER |
| PS-6 PERSONNEL SECURITY | ACCESS AGREEMENTS |
| PS-6 (2) ACCESS AGREEMENTS | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION |
| PS-6 (3) ACCESS AGREEMENTS | POST-EMPLOYMENT REQUIREMENTS |
| PS-7 PERSONNEL SECURITY | THIRD-PARTY PERSONNEL SECURITY |
| PS-8 PERSONNEL SECURITY | PERSONNEL SANCTIONS |
| RA-1 RISK ASSESSMENT | RISK ASSESSMENT POLICY AND PROCEDURES |
| RA-2 RISK ASSESSMENT | RISK ASSESSMENT |
| RA-3 RISK ASSESSMENT | SECURITY CATEGORIZATION |
| RA-5 RISK ASSESSMENT | VULNERABILITY SCANNING |
| RA-5 (1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY |
| RA-5 (2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED |
| RA-5 (4) VULNERABILITY SCANNING | DISCOVERABLE INFORMATION |
| RA-5 (5) VULNERABILITY SCANNING | PRIVILEGED ACCESS |
| SA-1 SYSTEMS AND SERVICES ACQUISITION | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES |
| SA-2 SYSTEMS AND SERVICES ACQUISITION | ALLOCATION OF RESOURCES |
| SA-3 SYSTEMS AND SERVICES ACQUISITION | SYSTEM DEVELOPMENT LIFE CYCLE |
| SA-4 SYSTEMS AND SERVICES ACQUISITION | ACQUISITION PROCESS |
| SA-4 (1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS |
| SA-4 (2) ACQUISITION PROCESS | DESIGN/IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS |
| SA-4 (5) ACQUISITION PROCESS | SYSTEM / COMPONENT / SERVICE CONFIGURATIONS |
| SA-4 (6) ACQUISITION PROCESS | USE OF INFORMATION ASSURANCE PRODUCTS |
| SA-4 (7) ACQUISITION PROCESS | NIAP-APPROVED PROTECTION PROFILES |
| SA-4 (9) ACQUISITION PROCESS | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE |
| SA-4 (10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS |
| SA-5 SYSTEMS AND SERVICES ACQUISITION | INFORMATION SYSTEM DOCUMENTATION |
| SA-8 SYSTEMS AND SERVICES ACQUISITIONS | SECURITY ENGINEERING PRINCIPLES |
| SA-9 ACQUISITION PROCESS | EXTERNAL INFORMATION SYSTEM SERVICES |
| SA-9 (1) EXTERNAL INFORMATION SYSTEM SERVICES | RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS |
| SA-9 (2) EXTERNAL INFORMATION SYSTEM SERVICES | IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES |
| SA-10 SYSTEMS AND SERVICES ACQUISITION | DEVELOPER CONFIGURATION MANAGEMENT |
| SA-11 SYSTEMS AND SERVICES ACQUISITION | DEVELOPER SECURITY TESTING AND EVALUATION |
| SA-11 (3) DEVELOPER SECURITY TESTING AND EVALUATION | INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCE |
| SA-12 SYSTEMS AND SERVICES ACQUISITION | SUPPLY CHAIN PROTECTION |
| SA-15 SYSTEMS AND SERVICES ACQUISITION | DEVELOPMENT PROCESS, STANDARDS, AND TOOLS |
| SA-15 (1) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | QUALITY METRICS |
| SA-15 (4) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | THREAT MODELING/VULNERABILITY ANALYSIS |
| SA-15 (7) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | AUTOMATED VULNERABILITY ANALYSIS |
| SA-16 SYSTEMS AND SERVICES ACQUISITION | DEVELOPER-PROVIDED TRAINING |
| SA-17 SYSTEMS AND SERVICES ACQUISITION | DEVELOPER SECURITY ARCHITECTURE AND DESIGN |
| SA-17 (1) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | FORMAL POLICY MODEL |
| SA-17 (2) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | SECURITY-RELEVANT COMPONENTS |
| SA-17 (3) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | FORMAL CORRESPONDENCE |
| SA-17 (4) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | INFORMAL CORRESPONDENCE |
| SA-17 (5) DEVELOPER SECURITY ARCHITECTURE AND DESIGN | CONCEPTUALLY SIMPLE DESIGN |
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES |
| SC-2 SYSTEM AND COMMUNICATIONS PROTECTION | APPLICATION PARTITIONING |
| SC-3 SYSTEM AND COMMUNICATIONS PROTECTION | SECURITY FUNCTION ISOLATION |
| SC-4 SYSTEM AND COMMUNICATIONS PROTECTION | INFORMATION IN SHARED RESOURCES |
| SC-5 SYSTEM AND COMMUNICATIONS PROTECTION | DENIAL OF SERVICE PROTECTION |
| SC-5 (3) DENIAL OF SERVICE PROTECTION | DETECTION/MONITORING |
| SC-7 SYSTEM AND COMMUNICATIONS PROTECTION | BOUNDARY PROTECTION |
| SC-7 (3) BOUNDARY PROTECTION | ACCESS POINTS |
| SC-7 (4) BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES |
| SC-7 (5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION |
| SC-7 (7) BOUNDARY PROTECTION | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES |
| SC-7 (8) BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS |
| SC-7 (9) BOUNDARY PROTECTION | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC |
| SC-7 (18) BOUNDARY PROTECTION | FAIL SECURE |
| SC-7 (21) BOUNDARY PROTECTION | ISOLATION OF INFORMATION SYSTEM COMPONENTS |
| SC-8 SYSTEM AND COMMUNICATIONS PROTECTION | TRANSMISSION CONFIDENTIALITY AND INTEGRITY |
| SC-8 (1) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION |
| SC-10 SYSTEM AND COMMUNICATIONS PROTECTION | NETWORK DISCONNECT |
| SC-12 SYSTEM AND COMMUNICATIONS PROTECTION | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT |
| SC-12 (1) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABILITY |
| SC-13 SYSTEM AND COMMUNICATIONS PROTECTION | CRYPTOGRAPHIC PROTECTION |
| SC-15 SYSTEM AND COMMUNICATIONS PROTECTION | COLLABORATIVE COMPUTING DEVICES |
| SC-17 SYSTEM AND COMMUNICATIONS PROTECTION | PUBLIC KEY INFRASTRUCTURE CERTIFICATES |
| SC-18 SYSTEM AND COMMUNICATIONS PROTECTION | MOBILE CODE |
| SC-19 SYSTEM AND COMMUNICATIONS PROTECTION | VOICE OVER INTERNET PROTOCOL |
| SC-20 SYSTEM AND COMMUNICATIONS PROTECTION | SECURE NAME |
| SC-21 SYSTEM AND COMMUNICATIONS PROTECTION | SECURE NAME |
| SC-22 SYSTEM AND COMMUNICATIONS PROTECTION | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE |
| SC-23 SYSTEM AND COMMUNICATIONS PROTECTION | SESSION AUTHENTICITY |
| SC-24 SYSTEM AND COMMUNICATIONS PROTECTION | FAIL IN KNOWN STATE |
| SC-28 SYSTEM AND COMMUNICATIONS PROTECTION | PROTECTION OF INFORMATION AT REST |
| SC-39 SYSTEM AND COMMUNICATIONS PROTECTION | PROCESS ISOLATION |
| SI-1 SYSTEM AND INFORMATION INTEGRITY | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES |
| SI-2 SYSTEM AND INFORMATION INTEGRITY | FLAW REMEDIATION |
| SI-2 (1) FLAW REMEDIATION | CENTRAL MANAGEMENT |
| SI-2 (2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS |
| SI-2 (3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS |
| SI-3 SYSTEM AND INFORMATION INTEGRITY | MALICIOUS CODE PROTECTION |
| SI-3 (1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT |
| SI-3 (2) MALICIOUS CODE PROTECTION |
| SI-3 (6) MALICIOUS CODE PROTECTION | TESTING/VERIFICATION |
| SI-3 (10) MALICIOUS CODE PROTECTION | MALICIOUS CODE ANALYSIS |
| SI-4 SYSTEM AND INFORMATION INTEGRITY | INFORMATION SYSTEM MONITORING |
| SI-4 (2) INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS |
| SI-4 (4) INFORMATION SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC |
| SI-4 (5) INFORMATION SYSTEM MONITORING | SYSTEM-GENERATED ALERTS |
| SI-4 (13) INFORMATION SYSTEM MONITORING | ANALYZE TRAFFIC / EVENT PATTERNS |
| SI-5 SYSTEM AND INFORMATION INTEGRITY | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES |
| SI-5 (1) SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES |
| SI-6 SYSTEM AND INFORMATION INTEGRITY | SECURITY FUNCTION VERIFICATION |
| SI-7 SYSTEM AND INFORMATION INTEGRITY | SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY |
| SI-7 (1) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS |
| SI-7 (2) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS |
| SI-7 (5) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS |
| SI-7 (7) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE |
| SI-7 (14) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY |
| SI-8 SYSTEM AND INFORMATION INTEGRITY | SPAM PROTECTION |
| SI-8 (1) SPAM PROTECTION | CENTRAL MANAGEMENT |
| SI-8 (2) SPAM PROTECTION | AUTOMATIC UPDATES |
| SI-10 SYSTEM AND INFORMATION INTEGRITY | INFORMATION INPUT VALIDATION |
| SI-10 (1) INFORMATION INPUT VALIDATION | MANUAL OVERRIDE CAPABILITY |
| SI-11 SYSTEM AND INFORMATION INTEGRITY | ERROR HANDLING |
| SI-12 SYSTEM AND INFORMATION INTEGRITY | INFORMATION HANDLING AND RETENTION |
| SI-16 SYSTEM AND INFORMATION INTEGRITY | MEMORY PROTECTION |
