ARTIFACTS
THE LIST OF LISTS
What's Here
The list of lists is a compilation of all of the lists associated with all of the controls and control enhancements in the Risk Management Framework (RMF). From here you can navigate to control-family-specific pages, each of which has a consolidated list of the lists recommended for that control family.
Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.
Supplement the artifacts here with other relevant documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.
The Source of the Artifacts
The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Federal Information Systems and Organizations, and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.
LISTS — A TIME HONORED DESIGN TOOL
Lists are a time-honored tool for solving problems, building action plans (aka "The To-Do List"), understanding complex relationships, and prioritizing tasks. Lists take an abstract idea, like risk-based cybersecurity, and distill it into its human users, its tangible elements, its physical components, and its digital attributes. Lists are how humans keep track of things.
Lists are an effective tool in developing solution architectures. A collection of well-constructed lists can lead to insight into how to design your digital enterprise, which business rules best protect your information supply chain, how to assess and understand risk, and how to build security in without stifling agile DevOps and continuous innovation. Figuring out what you don't have a list for might reveal holes and vulnerabilities in your security strategy. A collection of lists will enhance your security program by providing a resource for assessing risk, investigating incidents, recovering from a disaster, or making it through an audit.
Here is a list of lists you can use for cybersecurity program management and operation of your digital enterprise. The lists are organized alphabetically with the associated Risk Management Framework (RMF) controls and control enhancements. The control information tells you where a list is used to assess compliance.
For each list applicable to your systems and information supply chain, you should know the source of the list and the data it contains; how the list is generated, where it is stored, and how it is maintained; and how to get it when you have an incident, an incident investigation, or an audit.
Pick the lists most relevant to your organization and get started.
When you're done, you'll have a solid knowledge base about your digital enterprise and digital information supply chain.
LIST | APPLICABLE CONTROL(S) |
--- | --- |
Access control list | AU-9 (4) AU-9 (6) |
Authorized personnel access list | PE-2 PE-2 (3) |
Incident response records, list of security-relevant changes to the information system | SI-7 (8) |
Information system-generated list of emergency accounts removed and/or disabled | AC-2 (2) AC-2 (3) |
Information system-generated list of privileged user accounts and associated role | AC-2 (7) |
Information system-generated list of temporary accounts removed and/or disabled | AC-2 (2) AC-2 (3) |
Information systems or information system components list of connection ports or input/output devices to be physically disabled or removed on information systems or information system components | SC-41 |
List of acceptable formats for input restrictions | SI-10 (5) |
List of acceptable forms of identification for visitor access to the facility where information system resides | PE-2 (2) |
List of acceptable mobile code and mobile code technologies | SC-18 |
List of acceptable thresholds for false positives and false negatives | SI-4 (13) |
List of actions ensuring required access authorizations and screening criteria are satisfied | SA-21 (1) |
List of actions required before execution of mobile code | SC-18 (4) |
List of actions requiring dual authorization | AC-3 (2) |
List of actions to be performed regarding information spillage | IR-9 |
List of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation | SA-5 |
List of actions to be taken once information system component failure is detected | SI-13 (4) |
List of active system accounts along with the name of the individual associated with each account | AC-2 |
List of all managed network access control points | AC-17 (3) |
List of alternative communications protocols supporting continuity of operations | CP-11 |
List of applicable, legally binding post-employment requirements | PS-4 (1) PS-6 (3) |
List of applications to be loaded from hardware-enforced, read-only media | SC-34 |
List of appropriate access authorizations required by developers of the information system | SA-21 SA-21 (1) |
List of appropriate incident response actions | IR-4 (3) |
List of approved authorizations (user privileges) | AC-3 AC-3 (2) |
List of approved PKI Class 3 and Class 4 certificates | SC-12 (3) |
List of areas within the facility containing concentrations of information system components or information system components requiring additional physical access monitoring | PE-6 (4) |
List of areas within the facility containing concentrations of information system components or information system components requiring additional physical protection | PE-3 (1) |
List of assigned access authorizations (user privileges) | AC-6 |
List of audit events | MA-4 (1) |
List of auditable events | AU-12 |
List of audited events | AC-6 (9) |
List of authenticators requiring in-person registration | IA-5 (3) |
List of authenticators requiring trusted third party registration | IA-5 (3) |
List of authorized personnel | MA-5 |
List of benchmarks for taking corrective action on flaws identified | SI-2 (3) |
List of binding techniques to bind security attributes to information | AC-4 (18) |
List of biometric quality requirements | IA-5 (12) |
List of certificate authorities allowed for verification of the establishment of protected sessions | SC-23 (5) |
List of characteristics identifying individual status | IA-4 (4) |
List of circumstances or situations requiring re-authentication | IA-11 |
List of circumstances requiring sanitization of portable storage devices | MP-6 (3) |
List of classes of incidents | IR-4 (3) |
List of code requiring manual reviews | SA-11 (4) |
List of communication clients independently configured by end users and external service providers | SC-7 (19) |
List of components or classes of components authorized as internal system connections | CA-9 CA-9 (1) |
List of concealment and misdirection techniques to be employed for organizational information systems | SC-30 |
List of conditions for group and role membership | AC-2 |
List of conditions or trigger events requiring session disconnect | AC-12 |
List of conditions requiring human reviews for information flows | AC-4 (9) |
List of confined virtual machine environments for which execution of organizationally-acceptable mobile code is allowed | SC-18 (5) |
List of corrective actions to be taken when unacceptable mobile code is identified | SC-18 (1) |
List of covert channels | SC-31 (1) |
List of critical information system components and functions identified by criticality analyses | SA-14 |
List of critical information system components requiring automatic voltage controls | PE-9 (2) |
List of critical security functions | SC-3 (2) |
List of data content policy filters | AC-4 (14) |
List of data type identifiers | AC-4 (12) |
List of denial of service attacks launched by individuals against information systems | SC-5 (1) |
List of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks | SC-5 |
List of devices possessing environmental sensing capabilities | SC-42 (3) |
List of devices requiring unique identification and authentication | IA-3 IA-3 (1) |
List of distributed processing and storage components subject to polling | SC-36 (1) |
List of divisions of responsibility and separation of duties | AC-5 |
List of external organizations | IR-4 (8) |
List of failures requiring information system to fail in a known state | SC-24 |
List of FICAM-approved information system components procured and implemented by organization | IA-8 (3) |
List of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization | IA-8 (2) |
List of FICAM-issued profiles and associated, approved protocols | IA-8 (4) |
List of FIPS validated cryptographic modules | SC-13 |
List of FIPS validated cryptographic products | SC-12 (2) |
List of flaws and vulnerabilities potentially affecting the information system | SI-2 |
List of identifiers generated from physical access control devices | IA-4 |
List of inappropriate or unusual activities (with security implications) that trigger alerts | SI-4 (12) |
List of individuals authorized to change security attributes | AC-16 (2) |
List of individuals having accounts on multiple information systems | IA-5 (8) |
List of individuals who have been identified as posing an increased level of risk | SI-4 (19) |
List of information at rest requiring confidentiality and integrity protections | SC-28 |
List of information flow authorizations | AC-4 |
List of information inputs requiring validity checks | SI-10 |
List of information sharing circumstances requiring user discretion | AC-21 |
List of information system accounts | IA-2 IA-2 (1) IA-2 (2) IA-2 (3) IA-2 (4) IA-2 (5) IA-2 (6) IA-2 (7) IA-4 IA-8 PS-4 |
List of information system accounts and services requiring single sign-on capability | IA-2 (10) |
List of information system and facility access authorizations | PS-5 |
List of information system authenticator types | IA-5 |
List of information system components for vulnerability scanning | RA-5 (5) |
List of information system components requiring host-based monitoring | SI-4 (23) |
List of information system components requiring protection through lockable physical casings | PE-3 (4) |
List of information system components to be dynamically isolated/segregated from other components of the system | SC-7 (20) |
List of information system components to be employed without writeable storage capability | SC-34 (1) |
List of information system components to be hidden or concealed | SC-30 (5) |
List of information system execution domains for each thread in multi-threaded processing | SC-39 (2) |
List of information system media marking security attributes | MP-3 |
List of information system media requiring dual authorization for sanitization | MP-6 (7) |
List of information system physical domains (or environments) | SC-32 |
List of information system physical locations (or environments) with distributed processing and storage | SC-36 |
List of information systems, information system components, or information system services requiring criticality analyses | SA-14 |
List of information types from nontechnical sources for correlation with audit information | AU-6 (9) |
List of information, information system components, or devices to be delivered to designated individuals or information systems | SC-37 (1) |
List of key internal boundaries of the information system | SC-7 |
List of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system | PE-15 |
List of limitations to be enforced on embedding data types within other data types | AC-4 (5) |
List of maintenance personnel requiring escort/supervision | MA-5 (1) |
List of measures to be employed to ensure data or information collected by sensors is only used for authorized purposes | SC-42 (2) |
List of mechanisms and/or techniques used to logically or physically separate information flows | AC-4 (21) |
List of media requiring downgrading | MP-8 MP-8 (1) |
List of mobile devices to be purged/wiped after organization-defined consecutive, unsuccessful device logon attempts | AC-7 (2) |
List of MTTF substitution criteria | SI-13 |
List of network accessible storage devices prohibited from use in external information systems | AC-20 (4) |
List of non-organizational users | AC-6 (6) |
List of non-privileged information system accounts | IA-2 (9) |
List of NSA-approved cryptographic products | SC-12 (2) SC-12 (3) |
List of operating system components to be loaded from hardware-enforced, read-only media | SC-34 |
List of operating systems and applications deployed using virtualization techniques | SC-29 (1) |
List of operational needs for authorizing network access to privileged commands | AC-6 (3) |
List of operations security safeguards | SC-38 |
List of organization-defined auditable events | AU-2 (3) AU-3 AU-3 (1) AU-3 (2) |
List of organizational assets requiring tracking and monitoring | PE-20 |
List of out-of-band channels | SC-37 |
List of output devices and associated outputs requiring physical access controls | PE-5 (1) |
List of output devices and associated outputs requiring physical access controls | PE-5 (2) |
List of personnel authorized to use maintenance tools | MA-3 (4) |
List of personnel responsible for responding to information spillage | IR-9 (1) |
List of personnel security requirements | PS-7 |
List of personnel to be notified in case of an audit processing failure | AU-5 |
List of physical and environmental hazards with potential to damage information system components within the facility | PE-18 |
List of physical security safeguards applied to information system distribution and transmission lines | PE-4 |
List of platform-independent applications | SC-27 |
List of positions/roles and corresponding physical access authorizations | PE-2 (1) |
List of potential accessibility problems to alternate storage site | CP-6 (3) |
List of privileged and non-privileged information system accounts | IA-2 (11) |
List of privileged commands requiring dual authorization | AC-3 (2) |
List of privileged functions and associated user account assignments | AC-6 (10) |
List of privileged functions to be audited | AC-6 (9) |
List of privileged information system accounts | IA-2 (8) |
List of privileged users | SI-4 (20) |
List of processing/storage locations to be changed at organizational time intervals | SC-30 (3) |
List of profiles representing common traffic patterns and/or events | SI-4 (13) |
List of purging/wiping requirements or techniques for mobile devices | AC-7 (2) |
List of quality control processes to be included in developer's system development life cycle process | SA-4 (3) |
List of quality metrics | SA-15 (1) SA-15 (2) |
List of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws) | SI-2 |
List of recently disabled information system accounts along with the name of the individual associated with each account | AC-2 |
List of required functions, ports, protocols, and other services | SA-9 (2) |
List of required separation of information flows by information types | AC-4 (21) |
List of response actions to be initiated when specific classes/types of intrusions are recognized | PE-6 (2) |
List of restricted ports, protocols, functions and services | SA-15 (5) |
List of risk designations for organizational positions | PS-2 |
List of roles, users, and associated privileges required to control information system access | AC-3 (7) |
List of rules governing user installed software | CM-11 |
List of secure work areas | SC-15 (3) |
List of security attributes and associated information, source, and destination objects enforcing information flow control policies | AC-4 (1) |
List of security controls required for alternate work sites | PE-17 |
List of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized | AC-6 (1) |
List of security functions to be isolated from nonsecurity functions | SC-3 |
List of security policy filtering criteria applied to metadata and data payloads | AC-4 (19) |
List of security policy filters | AC-4 (11) AC-4 (14) |
List of security policy filters enabled/disabled by privileged administrators | AC-4 (10) |
List of security policy filters regulating flow control decisions | AC-4 (8) |
List of security safeguards controlling access to designated publicly accessible areas within facility | PE-3 |
List of security safeguards ensuring adequate supply of critical information system components | SA-12 (13) |
List of security safeguards for delivering designated information, information system components, or devices to designated individuals or information systems | SC-37 (1) |
List of security safeguards intended to manage risk of compromise due to individuals having accounts on multiple information systems | IA-5 (8) |
List of security safeguards protecting against or limiting the effects of denial of service attacks | SC-5 |
List of security safeguards protecting information system memory from unauthorized code execution | SI-16 SI-17 |
List of security safeguards provided by receiving information system or system components | AC-3 (9) |
List of security safeguards to be employed to ensure designated individuals or information systems receive organization-defined information, information system components, or devices | SC-37 (1) |
List of security safeguards to be taken against supply chain threats | SA-12 |
List of security safeguards to be taken to protect organizational supply chain against potential supply chain threats | SA-12 (5) |
List of security safeguards to detect/prevent physical tampering or alteration of information system hardware components | PE-3 (5) |
List of security safeguards validating appropriateness of information designated for release | AC-3 (9) |
List of security tools and support components to be isolated from other internal information system components | SC-7 (13) |
List of security-relevant hardware, software, and firmware components | SA-17 (2) |
List of signal parameter attacks or references to sources for attacks | SC-40 |
List of software and firmware components to be prohibited from installation without a recognized and approved certificate | CM-5 (3) |
List of software applications for which automatic execution of mobile code must be prohibited | SC-18 (4) |
List of software development methods to be included in developer's system development life cycle process | SA-4 (3) |
List of software programs authorized to execute on the information system | CM-7 (5) |
List of software programs not authorized to execute on the information system | CM-7 (4) |
List of software that should not execute at higher privilege levels than users executing software | AC-6 (8) |
List of software usage restrictions | CM-10 |
List of solutions in approved configurations | AC-4 (20) |
List of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies | AC-3 (4) |
List of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies | AC-3 (3) |
List of supply chain elements, processes, and actors (associated with the information system, system component, or information system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques and/or configurations | SA-12 (14) |
List of supply chain elements, processes, and actors (associated with the information system, system component, or information system service) subject to analysis and/or testing | SA-12 (11) |
List of supply chain threats | SA-12 |
List of system administration personnel | AC-6 (5) |
List of system components requiring predictive maintenance | MA-6 (2) MA-6 (3) |
List of system components requiring preventive maintenance | MA-6 (1) |
List of system components to be dynamically reconfigured as part of incident response capability | IR-4 (2) |
List of system transition states requiring security functionality verification | SI-6 |
List of system-generated privileged accounts | AC-6 (5) AC-6 (6) |
List of system-generated roles or classes of users and assigned privileges | AC-6 (7) |
List of system-generated security functions or security-relevant information assigned to information system accounts or roles | AC-6 (2) |
List of system/security engineering methods to be included in developer's system development life cycle process | SA-4 (3) |
List of techniques employed to hide or conceal information system components | SC-30 (5) |
List of techniques to be employed to introduce randomness into organizational operations and assets | SC-30 (2) |
List of technologies deployed in the information system | SC-29 |
List of testing/evaluation/validation techniques to be included in developer's system development life cycle process | SA-4 (3) |
List of token quality requirements | IA-5 (11) |
List of trusted sources for information inputs | SI-10 (5) |
List of types of applications accessible from external information systems | AC-20 |
List of types of meetings and teleconferences requiring explicit indication of current participants | SC-15 (4) |
List of unacceptable mobile code | SC-18 (1) |
List of unacceptable mobile code and mobile technologies | SC-18 |
List of unsanctioned information types and associated information | AC-4 (15) |
List of user actions that can be performed without identification or authentication | AC-14 |
List of user activities posing significant organizational risk | AC-2 (13) |
List of users authorized to associate security attributes to information | AC-16 (4) |
List of users authorized to make information sharing/collaboration decisions | AC-21 |
List of users authorized to post publicly accessible content on organizational information systems | AC-22 |
List of internal and external wireless links | SC-40 |
List or other documentation on the cross-discipline insider threat incident handling team | PM-12 |
List or other documentation on the cross-organization information-sharing capability | PM-16 |
Lists or other documentation about contact with and/or membership in security groups and associations | PM-15 |
Lists or other documentation about security authorization process roles and responsibilities | PM-10 |
Personnel access authorization list | RA-5 (5) |
Physical access list reviews | PE-2 |
PKI certification revocation lists | IA-5 (2) |
Records of information spillage alerts/notifications, list of personnel who should receive alerts of information spillage | IR-9 |
Review and update records associated with list of authorized software programs | CM-7 (5) |
Review and update records associated with list of unauthorized software programs | CM-7 (4) |
Security configuration checklists | CM-6 CM-6 (1) CM-7 CM-7 (1) CM-7 (4) CM-7 (5) |
System-generated list of access restrictions regarding information to be shared | AC-21 (1) AC-21 (2) |
System-generated list of disabled accounts | AC-2 (13) |
System-generated list of dynamic privilege management capabilities | AC-2 (6) |
System-generated list of individuals or roles authorized to change auditing to be performed | AU-12 (3) |
System-generated list of information system accounts | AC-2 (8) |
System-generated list of information system accounts and associated assignments of usage circumstances and/or usage conditions | AC-2 (11) |
System-generated list of out-of-band authentication paths | IA-2 (13) |
System-generated list of privileged users with access to management of audit functionality | AU-9 (4) |
System-generated list of privileged users with read-only access to audit information | AU-9 (6) |
System-generated list of shared/group accounts and associated role | AC-2 (9) |
System-generated list of sharing partners and access authorizations | AC-21 (1) |
System-generated list of users authorized to make information sharing/collaboration decisions | AC-21 (1) |