💼 Access Control | 18 | | | |
💼 AC-1 Policy and Procedures (L)(M)(H) | | | | |
💼 AC-2 Account Management (L)(M)(H) | 10 | | 3 | |
💼 AC-2(1) Automated System Account Management (M)(H) | | | 16 | |
💼 AC-2(2) Automated Temporary and Emergency Account Management (M)(H) | | | | |
💼 AC-2(3) Disable Accounts (M)(H) | | | 4 | |
💼 AC-2(4) Automated Audit Actions (M)(H) | | 1 | 13 | |
💼 AC-2(5) Inactivity Logout (M)(H) | | | | |
💼 AC-2(7) Privileged User Accounts (M)(H) | | 6 | 7 | |
💼 AC-2(9) Restrictions on Use of Shared and Group Accounts (M)(H) | | 2 | 2 | |
💼 AC-2(11) Usage Conditions (H) | | | | |
💼 AC-2(12) Account Monitoring for Atypical Usage (M)(H) | | 2 | 2 | |
💼 AC-2(13) Disable Accounts for High-risk Individuals (M)(H) | | | | |
💼 AC-3 Access Enforcement (L)(M)(H) | | 37 | 47 | |
💼 AC-4 Information Flow Enforcement (M)(H) | 2 | 6 | 27 | |
💼 AC-4(4) Flow Control of Encrypted Information (H) | | 20 | 21 | |
💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) | | 11 | 39 | |
💼 AC-5 Separation of Duties (M)(H) | | | 1 | |
💼 AC-6 Least Privilege (M)(H) | 8 | | 7 | |
💼 AC-6(1) Authorize Access to Security Functions (M)(H) | | 4 | 4 | |
💼 AC-6(2) Non-privileged Access for Nonsecurity Functions (M)(H) | | 1 | 4 | |
💼 AC-6(3) Network Access to Privileged Commands (H) | | 1 | 2 | |
💼 AC-6(5) Privileged Accounts (M)(H) | | 3 | 5 | |
💼 AC-6(7) Review of User Privileges (M)(H) | | 2 | 2 | |
💼 AC-6(8) Privilege Levels for Code Execution (H) | | | | |
💼 AC-6(9) Log Use of Privileged Functions (M)(H) | | 7 | 23 | |
💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H) | | 1 | 3 | |
💼 AC-7 Unsuccessful Logon Attempts (L)(M)(H) | | 1 | 1 | |
💼 AC-8 System Use Notification (L)(M)(H) | | | | |
💼 AC-10 Concurrent Session Control (H) | | | | |
💼 AC-11 Device Lock (M)(H) | 1 | | | |
💼 AC-11(1) Pattern-hiding Displays (M)(H) | | | | |
💼 AC-12 Session Termination (M)(H) | | | | |
💼 AC-14 Permitted Actions Without Identification or Authentication (L)(M)(H) | | | | |
💼 AC-17 Remote Access (L)(M)(H) | 4 | | | |
💼 AC-17(1) Monitoring and Control (M)(H) | | | 1 | |
💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H) | | | 13 | |
💼 AC-17(3) Managed Access Control Points (M)(H) | | | | |
💼 AC-17(4) Privileged Commands and Access (M)(H) | | | | |
💼 AC-18 Wireless Access (L)(M)(H) | 4 | | | |
💼 AC-18(1) Authentication and Encryption (M)(H) | | | | |
💼 AC-18(3) Disable Wireless Networking (M)(H) | | | | |
💼 AC-18(4) Restrict Configurations by Users (H) | | | | |
💼 AC-18(5) Antennas and Transmission Power Levels (H) | | | | |
💼 AC-19 Access Control for Mobile Devices (L)(M)(H) | 1 | | | |
💼 AC-19(5) Full Device or Container-based Encryption (M)(H) | | | | |
💼 AC-20 Use of External Systems (L)(M)(H) | 2 | | | |
💼 AC-20(1) Limits on Authorized Use (M)(H) | | | | |
💼 AC-20(2) Portable Storage Devices — Restricted Use (M)(H) | | | | |
💼 AC-21 Information Sharing (M)(H) | | | 2 | |
💼 AC-22 Publicly Accessible Content (L)(M)(H) | | | | |
💼 Assessment, Authorization, and Monitoring | 8 | | | |
💼 CA-1 Policy and Procedures (L)(M)(H) | | | | |
💼 CA-2 Control Assessments (L)(M)(H) | 3 | | | |
💼 CA-2(1) Independent Assessors (L)(M)(H) | | | | |
💼 CA-2(2) Specialized Assessments (H) | | | | |
💼 CA-2(3) Leveraging Results from External Organizations (M)(H) | | | | |
💼 CA-3 Information Exchange (L)(M)(H) | 1 | | | |
💼 CA-3(6) Transfer Authorizations (H) | | | | |
💼 CA-5 Plan of Action and Milestones (L)(M)(H) | | | | |
💼 CA-6 Authorization (L)(M)(H) | | | | |
💼 CA-7 Continuous Monitoring (L)(M)(H) | 2 | | 8 | |
💼 CA-7(1) Independent Assessment (M)(H) | | | | |
💼 CA-7(4) Risk Monitoring (L)(M)(H) | | | | |
💼 CA-8 Penetration Testing (L)(M)(H) | 2 | | | |
💼 CA-8(1) Independent Penetration Testing Agent or Team (M)(H) | | | | |
💼 CA-8(2) Red Team Exercises (M)(H) | | | | |
💼 CA-9 Internal System Connections (L)(M)(H) | | | | |
💼 Audit and Accountability | 12 | | | |
💼 AU-1 Policy and Procedures (L)(M)(H) | | | | |
💼 AU-2 Event Logging (L)(M)(H) | | | 6 | |
💼 AU-3 Content of Audit Records (L)(M)(H) | 1 | | 6 | |
💼 AU-3(1) Additional Audit Information (M)(H) | | | 14 | |
💼 AU-4 Audit Log Storage Capacity (L)(M)(H) | | | | |
💼 AU-5 Response to Audit Logging Process Failures (L)(M)(H) | 2 | | | |
💼 AU-5(1) Storage Capacity Warning (H) | | | | |
💼 AU-5(2) Real-time Alerts (H) | | | | |
💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) | 6 | 21 | 23 | |
💼 AU-6(1) Automated Process Integration (M)(H) | | | 1 | |
💼 AU-6(3) Correlate Audit Record Repositories (M)(H) | | | 6 | |
💼 AU-6(4) Central Review and Analysis (H) | | | 6 | |
💼 AU-6(5) Integrated Analysis of Audit Records (H) | | | | |
💼 AU-6(6) Correlation with Physical Monitoring (H) | | | | |
💼 AU-6(7) Permitted Actions (H) | | | | |
💼 AU-7 Audit Record Reduction and Report Generation (M)(H) | 1 | | | |
💼 AU-7(1) Automatic Processing (M)(H) | | | 1 | |
💼 AU-8 Time Stamps (L)(M)(H) | | | | |
💼 AU-9 Protection of Audit Information (L)(M)(H) | 3 | 9 | 11 | |
💼 AU-9(2) Store on Separate Physical Systems or Components (H) | | | | |
💼 AU-9(3) Cryptographic Protection (H) | | | | |
💼 AU-9(4) Access by Subset of Privileged Users (M)(H) | | | | |
💼 AU-10 Non-repudiation (H) | | | 5 | |
💼 AU-11 Audit Record Retention (L)(M)(H) | | 17 | 19 | |
💼 AU-12 Audit Record Generation (L)(M)(H) | 2 | | 47 | |
💼 AU-12(1) System-wide and Time-correlated Audit Trail (H) | | | | |
💼 AU-12(3) Changes by Authorized Individuals (H) | | | | |
💼 Awareness and Training | 4 | | | |
💼 AT-1 Policy and Procedures (L)(M)(H) | | | | |
💼 AT-2 Literacy Training and Awareness (L)(M)(H) | 2 | | | |
💼 AT-2(2) Insider Threat (L)(M)(H) | | | | |
💼 AT-2(3) Social Engineering and Mining (M)(H) | | | | |
💼 AT-3 Role-based Training (L)(M)(H) | | | | |
💼 AT-4 Training Records (L)(M)(H) | | | | |
💼 Configuration Management | 13 | | | |
💼 CM-1 Policy and Procedures (L)(M)(H) | | | | |
💼 CM-2 Baseline Configuration (L)(M)(H) | 3 | | 13 | |
💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | | | 13 | |
💼 CM-2(3) Retention of Previous Configurations (M)(H) | | 1 | 1 | |
💼 CM-2(7) Configure Systems and Components for High-risk Areas (M)(H) | | | | |
💼 CM-3 Configuration Change Control (M)(H) | 4 | | 17 | |
💼 CM-3(1) Automated Documentation, Notification, and Prohibition of Changes (H) | | | | |
💼 CM-3(2) Testing, Validation, and Documentation of Changes (M)(H) | | | | |
💼 CM-3(4) Security and Privacy Representatives (M)(H) | | | | |
💼 CM-3(6) Cryptography Management (H) | | | 4 | |
💼 CM-4 Impact Analyses (L)(M)(H) | 2 | | | |
💼 CM-4(1) Separate Test Environments (H) | | | | |
💼 CM-4(2) Verification of Controls (M)(H) | | | | |
💼 CM-5 Access Restrictions for Change (L)(M)(H) | 2 | 7 | 8 | |
💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H) | | 8 | 9 | |
💼 CM-5(5) Privilege Limitation for Production and Operation (M)(H) | | 1 | 1 | |
💼 CM-6 Configuration Settings (L)(M)(H) | 2 | | | |
💼 CM-6(1) Automated Management, Application, and Verification (M)(H) | | | 1 | |
💼 CM-6(2) Respond to Unauthorized Changes (H) | | | | |
💼 CM-7 Least Functionality (L)(M)(H) | 3 | 7 | 18 | |
💼 CM-7(1) Periodic Review (M)(H) | | 11 | 11 | |
💼 CM-7(2) Prevent Program Execution (M)(H) | | | | |
💼 CM-7(5) Authorized Software — Allow-by-exception (M)(H) | | | | |
💼 CM-8 System Component Inventory (L)(M)(H) | 4 | | 1 | |
💼 CM-8(1) Updates During Installation and Removal (M)(H) | | | | |
💼 CM-8(2) Automated Maintenance (H) | | | 1 | |
💼 CM-8(3) Automated Unauthorized Component Detection (M)(H) | | | | |
💼 CM-8(4) Accountability Information (H) | | | | |
💼 CM-9 Configuration Management Plan (M)(H) | | | | |
💼 CM-10 Software Usage Restrictions (L)(M)(H) | | | | |
💼 CM-11 User-installed Software (L)(M)(H) | | 4 | 4 | |
💼 CM-12 Information Location (M)(H) | 1 | | | |
💼 CM-12(1) Automated Tools to Support Information Location (M)(H) | | | | |
💼 CM-14 Signed Components (H) | | | | |
💼 Contingency Planning | 9 | | | |
💼 CP-1 Policy and Procedures (L)(M)(H) | | | | |
💼 CP-2 Contingency Plan (L)(M)(H) | 5 | | | |
💼 CP-2(1) Coordinate with Related Plans (M)(H) | | | | |
💼 CP-2(2) Capacity Planning (H) | | | 1 | |
💼 CP-2(3) Resume Mission and Business Functions (M)(H) | | | | |
💼 CP-2(5) Continue Mission and Business Functions (H) | | | | |
💼 CP-2(8) Identify Critical Assets (M)(H) | | | | |
💼 CP-3 Contingency Training (L)(M)(H) | 1 | | | |
💼 CP-3(1) Simulated Events (H) | | | | |
💼 CP-4 Contingency Plan Testing (L)(M)(H) | 2 | | | |
💼 CP-4(1) Coordinate with Related Plans (M)(H) | | | | |
💼 CP-4(2) Alternate Processing Site (H) | | | | |
💼 CP-6 Alternate Storage Site (M)(H) | 3 | | | |
💼 CP-6(1) Separation from Primary Site (M)(H) | | | | |
💼 CP-6(2) Recovery Time and Recovery Point Objectives (H) | | | 2 | |
💼 CP-6(3) Accessibility (M)(H) | | | | |
💼 CP-7 Alternate Processing Site (M)(H) | 4 | | | |
💼 CP-7(1) Separation from Primary Site (M)(H) | | | | |
💼 CP-7(2) Accessibility (M)(H) | | | | |
💼 CP-7(3) Priority of Service (M)(H) | | | | |
💼 CP-7(4) Preparation for Use (H) | | | | |
💼 CP-8 Telecommunications Services (M)(H) | 4 | | | |
💼 CP-8(1) Priority of Service Provisions (M)(H) | | | | |
💼 CP-8(2) Single Points of Failure (M)(H) | | | | |
💼 CP-8(3) Separation of Primary and Alternate Providers (H) | | | | |
💼 CP-8(4) Provider Contingency Plan (H) | | | | |
💼 CP-9 System Backup (L)(M)(H) | 5 | 5 | 6 | |
💼 CP-9(1) Testing for Reliability and Integrity (M)(H) | | | | |
💼 CP-9(2) Test Restoration Using Sampling (H) | | | | |
💼 CP-9(3) Separate Storage for Critical Information (H) | | | | |
💼 CP-9(5) Transfer to Alternate Storage Site (H) | | | | |
💼 CP-9(8) Cryptographic Protection (M)(H) | | | | |
💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 2 | | 2 | |
💼 CP-10(2) Transaction Recovery (M)(H) | | | | |
💼 CP-10(4) Restore Within Time Period (H) | | | | |
💼 Identification and Authentication | 10 | | | |
💼 IA-1 Policy and Procedures (L)(M)(H) | | | | |
💼 IA-2 Identification and Authentication (Organizational Users) (L)(M)(H) | 6 | 1 | 1 | |
💼 IA-2(1) Multi-factor Authentication to Privileged Accounts (L)(M)(H) | | | 2 | |
💼 IA-2(2) Multi-factor Authentication to Non-privileged Accounts (L)(M)(H) | | | 2 | |
💼 IA-2(5) Individual Authentication with Group Authentication (M)(H) | | | | |
💼 IA-2(6) Access to Accounts — Separate Device (M)(H) | | | 2 | |
💼 IA-2(8) Access to Accounts — Replay Resistant (L)(M)(H) | | | 2 | |
💼 IA-2(12) Acceptance of PIV Credentials (L)(M)(H) | | | | |
💼 IA-3 Device Identification and Authentication (M)(H) | | | | |
💼 IA-4 Identifier Management (L)(M)(H) | 1 | 1 | 1 | |
💼 IA-4(4) Identify User Status (M)(H) | | | | |
💼 IA-5 Authenticator Management (L)(M)(H) | 6 | 14 | 17 | |
💼 IA-5(1) Password-based Authentication (L)(M)(H) | | 1 | 4 | |
💼 IA-5(2) Public Key-based Authentication (M)(H) | | 1 | 1 | |
💼 IA-5(6) Protection of Authenticators (M)(H) | | | | |
💼 IA-5(7) No Embedded Unencrypted Static Authenticators (M)(H) | | | | |
💼 IA-5(8) Multiple System Accounts (H) | | | | |
💼 IA-5(13) Expiration of Cached Authenticators (H) | | 1 | 1 | |
💼 IA-6 Authentication Feedback (L)(M)(H) | | 1 | 1 | |
💼 IA-7 Cryptographic Module Authentication (L)(M)(H) | | | | |
💼 IA-8 Identification and Authentication (Non-organizational Users) (L)(M)(H) | 3 | | | |
💼 IA-8(1) Acceptance of PIV Credentials from Other Agencies (L)(M)(H) | | | | |
💼 IA-8(2) Acceptance of External Authenticators (L)(M)(H) | | | | |
💼 IA-8(4) Use of Defined Profiles (L)(M)(H) | | | | |
💼 IA-11 Re-authentication (L)(M)(H) | | | | |
💼 IA-12 Identity Proofing (M)(H) | 4 | | | |
💼 IA-12(2) Identity Evidence (M)(H) | | | | |
💼 IA-12(3) Identity Evidence Validation and Verification (M)(H) | | | | |
💼 IA-12(4) In-person Validation and Verification (H) | | | | |
💼 IA-12(5) Address Confirmation (M)(H) | | | | |
💼 Incident Response | 9 | | | |
💼 IR-1 Policy and Procedures (L)(M)(H) | | | | |
💼 IR-2 Incident Response Training (L)(M)(H) | 2 | | | |
💼 IR-2(1) Simulated Events (H) | | | | |
💼 IR-2(2) Automated Training Environments (H) | | | | |
💼 IR-3 Incident Response Testing (M)(H) | 1 | | | |
💼 IR-3(2) Coordination with Related Plans (M)(H) | | | | |
💼 IR-4 Incident Handling (L)(M)(H) | 5 | | | |
💼 IR-4(1) Automated Incident Handling Processes (M)(H) | | | | |
💼 IR-4(2) Dynamic Reconfiguration (H) | | | | |
💼 IR-4(4) Information Correlation (H) | | | | |
💼 IR-4(6) Insider Threats (H) | | | | |
💼 IR-4(11) Integrated Incident Response Team (H) | | | | |
💼 IR-5 Incident Monitoring (L)(M)(H) | 1 | | | |
💼 IR-5(1) Automated Tracking, Data Collection, and Analysis (H) | | | | |
💼 IR-6 Incident Reporting (L)(M)(H) | 2 | | | |
💼 IR-6(1) Automated Reporting (M)(H) | | 8 | 10 | |
💼 IR-6(3) Supply Chain Coordination (M)(H) | | 2 | 2 | |
💼 IR-7 Incident Response Assistance (L)(M)(H) | 1 | | | |
💼 IR-7(1) Automation Support for Availability of Information and Support (M)(H) | | | | |
💼 IR-8 Incident Response Plan (L)(M)(H) | | | | |
💼 IR-9 Information Spillage Response (M)(H) | 3 | | | |
💼 IR-9(2) Training (M)(H) | | | | |
💼 IR-9(3) Post-spill Operations (M)(H) | | | | |
💼 IR-9(4) Exposure to Unauthorized Personnel (M)(H) | | | | |
💼 Maintenance | 6 | | | |
💼 MA-1 Policy and Procedures (L)(M)(H) | | | | |
💼 MA-2 Controlled Maintenance (L)(M)(H) | 1 | | | |
💼 MA-2(2) Automated Maintenance Activities (H) | | | | |
💼 MA-3 Maintenance Tools (M)(H) | 3 | | | |
💼 MA-3(1) Inspect Tools (M)(H) | | | | |
💼 MA-3(2) Inspect Media (M)(H) | | | | |
💼 MA-3(3) Prevent Unauthorized Removal (M)(H) | | | | |
💼 MA-4 Nonlocal Maintenance (L)(M)(H) | 1 | | | |
💼 MA-4(3) Comparable Security and Sanitization (H) | | | | |
💼 MA-5 Maintenance Personnel (L)(M)(H) | 1 | | | |
💼 MA-5(1) Individuals Without Appropriate Access (M)(H) | | | | |
💼 MA-6 Timely Maintenance (M)(H) | | | | |
💼 Media Protection | 7 | | | |
💼 MP-1 Policy and Procedures (L)(M)(H) | | | | |
💼 MP-2 Media Access (L)(M)(H) | | | | |
💼 MP-3 Media Marking (M)(H) | | | | |
💼 MP-4 Media Storage (M)(H) | | | | |
💼 MP-5 Media Transport (M)(H) | | | | |
💼 MP-6 Media Sanitization (L)(M)(H) | 3 | | | |
💼 MP-6(1) Review, Approve, Track, Document, and Verify (H) | | | | |
💼 MP-6(2) Equipment Testing (H) | | | | |
💼 MP-6(3) Nondestructive Techniques (H) | | | | |
💼 MP-7 Media Use (L)(M)(H) | | | | |
💼 Personnel Security | 9 | | | |
💼 PS-1 Policy and Procedures (L)(M)(H) | | | | |
💼 PS-2 Position Risk Designation (L)(M)(H) | | | | |
💼 PS-3 Personnel Screening (L)(M)(H) | 1 | | | |
💼 PS-3(3) Information Requiring Special Protective Measures (M)(H) | | | | |
💼 PS-4 Personnel Termination (L)(M)(H) | 1 | | | |
💼 PS-4(2) Automated Actions (H) | | | | |
💼 PS-5 Personnel Transfer (L)(M)(H) | | | | |
💼 PS-6 Access Agreements (L)(M)(H) | | | | |
💼 PS-7 External Personnel Security (L)(M)(H) | | | | |
💼 PS-8 Personnel Sanctions (L)(M)(H) | | | | |
💼 PS-9 Position Descriptions (L)(M)(H) | | | | |
💼 Physical and Environmental Protection | 17 | | | |
💼 PE-1 Policy and Procedures (L)(M)(H) | | | | |
💼 PE-2 Physical Access Authorizations (L)(M)(H) | | | | |
💼 PE-3 Physical Access Control (L)(M)(H) | 1 | | | |
💼 PE-3(1) System Access (H) | | | | |
💼 PE-4 Access Control for Transmission (M)(H) | | | | |
💼 PE-5 Access Control for Output Devices (M)(H) | | | | |
💼 PE-6 Monitoring Physical Access (L)(M)(H) | 2 | | | |
💼 PE-6(1) Intrusion Alarms and Surveillance Equipment (M)(H) | | | | |
💼 PE-6(4) Monitoring Physical Access to Systems (H) | | | | |
💼 PE-8 Visitor Access Records (L)(M)(H) | 1 | | | |
💼 PE-8(1) Automated Records Maintenance and Review (H) | | | | |
💼 PE-9 Power Equipment and Cabling (M)(H) | | | | |
💼 PE-10 Emergency Shutoff (M)(H) | | | | |
💼 PE-11 Emergency Power (M)(H) | 1 | | | |
💼 PE-11(1) Alternate Power Supply — Minimal Operational Capability (H) | | | | |
💼 PE-12 Emergency Lighting (L)(M)(H) | | | | |
💼 PE-13 Fire Protection (L)(M)(H) | 2 | | | |
💼 PE-13(1) Detection Systems — Automatic Activation and Notification (M)(H) | | | | |
💼 PE-13(2) Suppression Systems — Automatic Activation and Notification (M)(H) | | | | |
💼 PE-14 Environmental Controls (L)(M)(H) | 1 | | | |
💼 PE-14(2) Monitoring with Alarms and Notifications (H) | | | | |
💼 PE-15 Water Damage Protection (L)(M)(H) | 1 | | | |
💼 PE-15(1) Automation Support (H) | | | | |
💼 PE-16 Delivery and Removal (L)(M)(H) | | | | |
💼 PE-17 Alternate Work Site (M)(H) | | | | |
💼 PE-18 Location of System Components (H) | | | | |
💼 Planning | 6 | | | |
💼 PL-1 Policy and Procedures (L)(M)(H) | | | | |
💼 PL-2 System Security and Privacy Plans (L)(M)(H) | | | | |
💼 PL-4 Rules of Behavior (L)(M)(H) | 1 | | | |
💼 PL-4(1) Social Media and External Site/Application Usage Restrictions (L)(M)(H) | | | | |
💼 PL-8 Security and Privacy Architectures (L)(M)(H) | | | | |
💼 PL-10 Baseline Selection (L)(M)(H) | | | | |
💼 PL-11 Baseline Tailoring (L)(M)(H) | | | | |
💼 Risk Assessment | 6 | | | |
💼 RA-1 Policy and Procedures (L)(M)(H) | | | | |
💼 RA-2 Security Categorization (L)(M)(H) | | | | |
💼 RA-3 Risk Assessment (L)(M)(H) | 1 | 7 | 7 | |
💼 RA-3(1) Supply Chain Risk Assessment (L)(M)(H) | | | | |
💼 RA-5 Vulnerability Monitoring and Scanning (L)(M)(H) | 6 | 7 | 7 | |
💼 RA-5(2) Update Vulnerabilities to Be Scanned (L)(M)(H) | | | | |
💼 RA-5(3) Breadth and Depth of Coverage (M)(H) | | | | |
💼 RA-5(4) Discoverable Information (H) | | | | |
💼 RA-5(5) Privileged Access (M)(H) | | | | |
💼 RA-5(8) Review Historic Audit Logs (H) | | | | |
💼 RA-5(11) Public Disclosure Program (L)(M)(H) | | | | |
💼 RA-7 Risk Response (L)(M)(H) | | | | |
💼 RA-9 Criticality Analysis (M)(H) | | | | |
💼 Supply Chain Risk Management | 10 | | | |
💼 SR-1 Policy and Procedures (L)(M)(H) | | | | |
💼 SR-2 Supply Chain Risk Management Plan (L)(M)(H) | 1 | | | |
💼 SR-2(1) Establish SCRM Team (L)(M)(H) | | | | |
💼 SR-3 Supply Chain Controls and Processes (L)(M)(H) | | | | |
💼 SR-5 Acquisition Strategies, Tools, and Methods (L)(M)(H) | | | | |
💼 SR-6 Supplier Assessments and Reviews (M)(H) | | | | |
💼 SR-8 Notification Agreements (L)(M)(H) | | | | |
💼 SR-9 Tamper Resistance and Detection (H) | 1 | | | |
💼 SR-9(1) Multiple Stages of System Development Life Cycle (H) | | | | |
💼 SR-10 Inspection of Systems or Components (L)(M)(H) | | | | |
💼 SR-11 Component Authenticity (L)(M)(H) | 2 | | | |
💼 SR-11(1) Anti-counterfeit Training (L)(M)(H) | | | | |
💼 SR-11(2) Configuration Control for Component Service and Repair (L)(M)(H) | | | | |
💼 SR-12 Component Disposal (L)(M)(H) | | | | |
💼 System and Communications Protection | 21 | | | |
💼 SC-1 Policy and Procedures (L)(M)(H) | | | | |
💼 SC-2 Separation of System and User Functionality (M)(H) | | | | |
💼 SC-3 Security Function Isolation (H) | | | | |
💼 SC-4 Information in Shared System Resources (M)(H) | | | | |
💼 SC-5 Denial-of-service Protection (L)(M)(H) | | | | |
💼 SC-7 Boundary Protection (L)(M)(H) | 10 | 6 | 23 | |
💼 SC-7(3) Access Points (M)(H) | | | 2 | |
💼 SC-7(4) External Telecommunications Services (M)(H) | | | 17 | |
💼 SC-7(5) Deny by Default — Allow by Exception (M)(H) | | | 19 | |
💼 SC-7(7) Split Tunneling for Remote Devices (M)(H) | | | | |
💼 SC-7(8) Route Traffic to Authenticated Proxy Servers (M)(H) | | | | |
💼 SC-7(10) Prevent Exfiltration (H) | | | 4 | |
💼 SC-7(12) Host-based Protection (M)(H) | | | | |
💼 SC-7(18) Fail Secure (M)(H) | | | | |
💼 SC-7(20) Dynamic Isolation and Segregation (H) | | | 2 | |
💼 SC-7(21) Isolation of System Components (H) | | | 16 | |
💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H) | 1 | 6 | 8 | |
💼 SC-8(1) Cryptographic Protection (L)(M)(H) | | 6 | 10 | |
💼 SC-10 Network Disconnect (M)(H) | | | | |
💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | 1 | 9 | 11 | |
💼 SC-12(1) Availability (H) | | | | |
💼 SC-13 Cryptographic Protection (L)(M)(H) | | 13 | 16 | |
💼 SC-15 Collaborative Computing Devices and Applications (L)(M)(H) | | | | |
💼 SC-17 Public Key Infrastructure Certificates (M)(H) | | 1 | 1 | |
💼 SC-18 Mobile Code (M)(H) | | | | |
💼 SC-20 Secure Name/Address Resolution Service (Authoritative Source) (L)(M)(H) | | | | |
💼 SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) (L)(M)(H) | | | | |
💼 SC-22 Architecture and Provisioning for Name/Address Resolution Service (L)(M)(H) | | | | |
💼 SC-23 Session Authenticity (M)(H) | | 5 | 7 | |
💼 SC-24 Fail in Known State (H) | | | | |
💼 SC-28 Protection of Information at Rest (L)(M)(H) | 1 | 7 | 15 | |
💼 SC-28(1) Cryptographic Protection (L)(M)(H) | | 5 | 12 | |
💼 SC-39 Process Isolation (L)(M)(H) | | | | |
💼 SC-45 System Time Synchronization (M)(H) | 1 | | | |
💼 SC-45(1) Synchronization with Authoritative Time Source (M)(H) | | | | |
💼 System and Information Integrity | 12 | | | |
💼 SI-1 Policy and Procedures (L)(M)(H) | | | | |
💼 SI-2 Flaw Remediation (L)(M)(H) | 2 | 7 | 9 | |
💼 SI-2(2) Automated Flaw Remediation Status (M)(H) | | | 1 | |
💼 SI-2(3) Time to Remediate Flaws and Benchmarks for Corrective Actions (M)(H) | | | | |
💼 SI-3 Malicious Code Protection (L)(M)(H) | | 7 | 7 | |
💼 SI-4 System Monitoring (L)(M)(H) | 14 | 7 | 7 | |
💼 SI-4(1) System-wide Intrusion Detection System (M)(H) | | 1 | 1 | |
💼 SI-4(2) Automated Tools and Mechanisms for Real-time Analysis (M)(H) | | | | |
💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H) | | 7 | 9 | |
💼 SI-4(5) System-generated Alerts (M)(H) | | | | |
💼 SI-4(10) Visibility of Encrypted Communications (H) | | | | |
💼 SI-4(11) Analyze Communications Traffic Anomalies (H) | | | | |
💼 SI-4(12) Automated Organization-generated Alerts (H) | | | | |
💼 SI-4(14) Wireless Intrusion Detection (H) | | | | |
💼 SI-4(16) Correlate Monitoring Information (M)(H) | | | | |
💼 SI-4(18) Analyze Traffic and Covert Exfiltration (M)(H) | | | | |
💼 SI-4(19) Risk for Individuals (H) | | | | |
💼 SI-4(20) Privileged Users (H) | | 46 | 48 | |
💼 SI-4(22) Unauthorized Network Services (H) | | | | |
💼 SI-4(23) Host-based Devices (M)(H) | | | | |
💼 SI-5 Security Alerts, Advisories, and Directives (L)(M)(H) | 1 | | | |
💼 SI-5(1) Automated Alerts and Advisories (H) | | | | |
💼 SI-6 Security and Privacy Function Verification (M)(H) | | | | |
💼 SI-7 Software, Firmware, and Information Integrity (M)(H) | 5 | | | |
💼 SI-7(1) Integrity Checks (M)(H) | | | 1 | |
💼 SI-7(2) Automated Notifications of Integrity Violations (H) | | | | |
💼 SI-7(5) Automated Response to Integrity Violations (H) | | | | |
💼 SI-7(7) Integration of Detection and Response (M)(H) | | | 1 | |
💼 SI-7(15) Code Authentication (H) | | | | |
💼 SI-8 Spam Protection (M)(H) | 1 | | | |
💼 SI-8(2) Automatic Updates (M)(H) | | | | |
💼 SI-10 Information Input Validation (M)(H) | | | | |
💼 SI-11 Error Handling (M)(H) | | | | |
💼 SI-12 Information Management and Retention (L)(M)(H) | | | | |
💼 SI-16 Memory Protection (M)(H) | | | | |
💼 System and Services Acquisition | 14 | | | |
💼 SA-1 Policy and Procedures (L)(M)(H) | | | | |
💼 SA-2 Allocation of Resources (L)(M)(H) | | | | |
💼 SA-3 System Development Life Cycle (L)(M)(H) | | | | |
💼 SA-4 Acquisition Process (L)(M)(H) | 5 | | | |
💼 SA-4(1) Functional Properties of Controls (M)(H) | | | | |
💼 SA-4(2) Design and Implementation Information for Controls (M)(H) | | | | |
💼 SA-4(5) System, Component, and Service Configurations (H) | | | | |
💼 SA-4(9) Functions, Ports, Protocols, and Services in Use (M)(H) | | | | |
💼 SA-4(10) Use of Approved PIV Products (L)(M)(H) | | | | |
💼 SA-5 System Documentation (L)(M)(H) | | | | |
💼 SA-8 Security and Privacy Engineering Principles (L)(M)(H) | | | | |
💼 SA-9 External System Services (L)(M)(H) | 3 | | | |
💼 SA-9(1) Risk Assessments and Organizational Approvals (M)(H) | | | | |
💼 SA-9(2) Identification of Functions, Ports, Protocols, and Services (M)(H) | | | | |
💼 SA-9(5) Processing, Storage, and Service Location (M)(H) | | | 1 | |
💼 SA-10 Developer Configuration Management (M)(H) | | | | |
💼 SA-11 Developer Testing and Evaluation (M)(H) | 2 | | | |
💼 SA-11(1) Static Code Analysis (M)(H) | | | | |
💼 SA-11(2) Threat Modeling and Vulnerability Analyses (M)(H) | | | | |
💼 SA-15 Development Process, Standards, and Tools (M)(H) | 1 | | | |
💼 SA-15(3) Criticality Analysis (M)(H) | | | | |
💼 SA-16 Developer-provided Training (H) | | | | |
💼 SA-17 Developer Security and Privacy Architecture and Design (H) | | | | |
💼 SA-21 Developer Screening (H) | | | | |
💼 SA-22 Unsupported System Components (L)(M)(H) | | | | |