| 💼 Access Control | 11 | | | |
| 💼 AC-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 AC-2 Account Management (L)(M)(H) | | | 3 | |
| 💼 AC-3 Access Enforcement (L)(M)(H) | | | 47 | |
| 💼 AC-7 Unsuccessful Logon Attempts (L)(M)(H) | | | 1 | |
| 💼 AC-8 System Use Notification (L)(M)(H) | | | | |
| 💼 AC-14 Permitted Actions Without Identification or Authentication (L)(M)(H) | | | | |
| 💼 AC-17 Remote Access (L)(M)(H) | | | | |
| 💼 AC-18 Wireless Access (L)(M)(H) | | | | |
| 💼 AC-19 Access Control for Mobile Devices (L)(M)(H) | | | | |
| 💼 AC-20 Use of External Systems (L)(M)(H) | | | | |
| 💼 AC-22 Publicly Accessible Content (L)(M)(H) | | | | |
| 💼 Assessment, Authorization, and Monitoring | 8 | | | |
| 💼 CA-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 CA-2 Control Assessments (L)(M)(H) | 1 | | | |
| 💼 CA-2(1) Independent Assessors (L)(M)(H) | | | | |
| 💼 CA-3 Information Exchange (L)(M)(H) | | | | |
| 💼 CA-5 Plan of Action and Milestones (L)(M)(H) | | | | |
| 💼 CA-6 Authorization (L)(M)(H) | | | | |
| 💼 CA-7 Continuous Monitoring (L)(M)(H) | 1 | | 8 | |
| 💼 CA-7(4) Risk Monitoring (L)(M)(H) | | | | |
| 💼 CA-8 Penetration Testing (L)(M)(H) | | | | |
| 💼 CA-9 Internal System Connections (L)(M)(H) | | | | |
| 💼 Audit and Accountability | 10 | | | |
| 💼 AU-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 AU-2 Event Logging (L)(M)(H) | | | 6 | |
| 💼 AU-3 Content of Audit Records (L)(M)(H) | | | 6 | |
| 💼 AU-4 Audit Log Storage Capacity (L)(M)(H) | | | | |
| 💼 AU-5 Response to Audit Logging Process Failures (L)(M)(H) | | | | |
| 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) | | | 23 | |
| 💼 AU-8 Time Stamps (L)(M)(H) | | | | |
| 💼 AU-9 Protection of Audit Information (L)(M)(H) | | | 11 | |
| 💼 AU-11 Audit Record Retention (L)(M)(H) | | | 19 | |
| 💼 AU-12 Audit Record Generation (L)(M)(H) | | | 47 | |
| 💼 Awareness and Training | 4 | | | |
| 💼 AT-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 AT-2 Literacy Training and Awareness (L)(M)(H) | 1 | | | |
| 💼 AT-2(2) Insider Threat (L)(M)(H) | | | | |
| 💼 AT-3 Role-based Training (L)(M)(H) | | | | |
| 💼 AT-4 Training Records (L)(M)(H) | | | | |
| 💼 Configuration Management | 9 | | | |
| 💼 CM-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 CM-2 Baseline Configuration (L)(M)(H) | | | 13 | |
| 💼 CM-4 Impact Analyses (L)(M)(H) | | | | |
| 💼 CM-5 Access Restrictions for Change (L)(M)(H) | | | 8 | |
| 💼 CM-6 Configuration Settings (L)(M)(H) | | | | |
| 💼 CM-7 Least Functionality (L)(M)(H) | | | 18 | |
| 💼 CM-8 System Component Inventory (L)(M)(H) | | | 1 | |
| 💼 CM-10 Software Usage Restrictions (L)(M)(H) | | | | |
| 💼 CM-11 User-installed Software (L)(M)(H) | | | 4 | |
| 💼 Contingency Planning | 6 | | | |
| 💼 CP-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 CP-2 Contingency Plan (L)(M)(H) | | | | |
| 💼 CP-3 Contingency Training (L)(M)(H) | | | | |
| 💼 CP-4 Contingency Plan Testing (L)(M)(H) | | | | |
| 💼 CP-9 System Backup (L)(M)(H) | | | 6 | |
| 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | | | 2 | |
| 💼 Identification and Authentication | 8 | | | |
| 💼 IA-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 IA-2 Identification and Authentication (Organizational Users) (L)(M)(H) | 4 | | | |
| 💼 IA-2(1) Multi-factor Authentication to Privileged Accounts (L)(M)(H) | | | 2 | |
| 💼 IA-2(2) Multi-factor Authentication to Non-privileged Accounts (L)(M)(H) | | | 2 | |
| 💼 IA-2(8) Access to Accounts — Replay Resistant (L)(M)(H) | | | 2 | |
| 💼 IA-2(12) Acceptance of PIV Credentials (L)(M)(H) | | | | |
| 💼 IA-4 Identifier Management (L)(M)(H) | | | 1 | |
| 💼 IA-5 Authenticator Management (L)(M)(H) | 1 | | 17 | |
| 💼 IA-5(1) Password-based Authentication (L)(M)(H) | | | 4 | |
| 💼 IA-6 Authentication Feedback (L)(M)(H) | | | 1 | |
| 💼 IA-7 Cryptographic Module Authentication (L)(M)(H) | | | | |
| 💼 IA-8 Identification and Authentication (Non-organizational Users) (L)(M)(H) | 3 | | | |
| 💼 IA-8(1) Acceptance of PIV Credentials from Other Agencies (L)(M)(H) | | | | |
| 💼 IA-8(2) Acceptance of External Authenticators (L)(M)(H) | | | | |
| 💼 IA-8(4) Use of Defined Profiles (L)(M)(H) | | | | |
| 💼 IA-11 Re-authentication (L)(M)(H) | | | | |
| 💼 Incident Response | 7 | | | |
| 💼 IR-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 IR-2 Incident Response Training (L)(M)(H) | | | | |
| 💼 IR-4 Incident Handling (L)(M)(H) | | | | |
| 💼 IR-5 Incident Monitoring (L)(M)(H) | | | | |
| 💼 IR-6 Incident Reporting (L)(M)(H) | | | | |
| 💼 IR-7 Incident Response Assistance (L)(M)(H) | | | | |
| 💼 IR-8 Incident Response Plan (L)(M)(H) | | | | |
| 💼 Maintenance | 4 | | | |
| 💼 MA-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 MA-2 Controlled Maintenance (L)(M)(H) | | | | |
| 💼 MA-4 Nonlocal Maintenance (L)(M)(H) | | | | |
| 💼 MA-5 Maintenance Personnel (L)(M)(H) | | | | |
| 💼 Media Protection | 4 | | | |
| 💼 MP-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 MP-2 Media Access (L)(M)(H) | | | | |
| 💼 MP-6 Media Sanitization (L)(M)(H) | | | | |
| 💼 MP-7 Media Use (L)(M)(H) | | | | |
| 💼 Personnel Security | 9 | | | |
| 💼 PS-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 PS-2 Position Risk Designation (L)(M)(H) | | | | |
| 💼 PS-3 Personnel Screening (L)(M)(H) | | | | |
| 💼 PS-4 Personnel Termination (L)(M)(H) | | | | |
| 💼 PS-5 Personnel Transfer (L)(M)(H) | | | | |
| 💼 PS-6 Access Agreements (L)(M)(H) | | | | |
| 💼 PS-7 External Personnel Security (L)(M)(H) | | | | |
| 💼 PS-8 Personnel Sanctions (L)(M)(H) | | | | |
| 💼 PS-9 Position Descriptions (L)(M)(H) | | | | |
| 💼 Physical and Environmental Protection | 10 | | | |
| 💼 PE-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 PE-2 Physical Access Authorizations (L)(M)(H) | | | | |
| 💼 PE-3 Physical Access Control (L)(M)(H) | | | | |
| 💼 PE-6 Monitoring Physical Access (L)(M)(H) | | | | |
| 💼 PE-8 Visitor Access Records (L)(M)(H) | | | | |
| 💼 PE-12 Emergency Lighting (L)(M)(H) | | | | |
| 💼 PE-13 Fire Protection (L)(M)(H) | | | | |
| 💼 PE-14 Environmental Controls (L)(M)(H) | | | | |
| 💼 PE-15 Water Damage Protection (L)(M)(H) | | | | |
| 💼 PE-16 Delivery and Removal (L)(M)(H) | | | | |
| 💼 Planning | 6 | | | |
| 💼 PL-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 PL-2 System Security and Privacy Plans (L)(M)(H) | | | | |
| 💼 PL-4 Rules of Behavior (L)(M)(H) | 1 | | | |
| 💼 PL-4(1) Social Media and External Site/Application Usage Restrictions (L)(M)(H) | | | | |
| 💼 PL-8 Security and Privacy Architectures (L)(M)(H) | | | | |
| 💼 PL-10 Baseline Selection (L)(M)(H) | | | | |
| 💼 PL-11 Baseline Tailoring (L)(M)(H) | | | | |
| 💼 Risk Assessment | 5 | | | |
| 💼 RA-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 RA-2 Security Categorization (L)(M)(H) | | | | |
| 💼 RA-3 Risk Assessment (L)(M)(H) | 1 | | 7 | |
| 💼 RA-3(1) Supply Chain Risk Assessment (L)(M)(H) | | | | |
| 💼 RA-5 Vulnerability Monitoring and Scanning (L)(M)(H) | 2 | | 7 | |
| 💼 RA-5(2) Update Vulnerabilities to Be Scanned (L)(M)(H) | | | | |
| 💼 RA-5(11) Public Disclosure Program (L)(M)(H) | | | | |
| 💼 RA-7 Risk Response (L)(M)(H) | | | | |
| 💼 Supply Chain Risk Management | 8 | | | |
| 💼 SR-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 SR-2 Supply Chain Risk Management Plan (L)(M)(H) | 1 | | | |
| 💼 SR-2(1) Establish SCRM Team (L)(M)(H) | | | | |
| 💼 SR-3 Supply Chain Controls and Processes (L)(M)(H) | | | | |
| 💼 SR-5 Acquisition Strategies, Tools, and Methods (L)(M)(H) | | | | |
| 💼 SR-8 Notification Agreements (L)(M)(H) | | | | |
| 💼 SR-10 Inspection of Systems or Components (L)(M)(H) | | | | |
| 💼 SR-11 Component Authenticity (L)(M)(H) | 2 | | | |
| 💼 SR-11(1) Anti-counterfeit Training (L)(M)(H) | | | | |
| 💼 SR-11(2) Configuration Control for Component Service and Repair (L)(M)(H) | | | | |
| 💼 SR-12 Component Disposal (L)(M)(H) | | | | |
| 💼 System and Communications Protection | 12 | | | |
| 💼 SC-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 SC-5 Denial-of-service Protection (L)(M)(H) | | | | |
| 💼 SC-7 Boundary Protection (L)(M)(H) | | | 23 | |
| 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H) | 1 | | 8 | |
| 💼 SC-8(1) Cryptographic Protection (L)(M)(H) | | | 10 | |
| 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H) | | | 11 | |
| 💼 SC-13 Cryptographic Protection (L)(M)(H) | | | 16 | |
| 💼 SC-15 Collaborative Computing Devices and Applications (L)(M)(H) | | | | |
| 💼 SC-20 Secure Name/Address Resolution Service (Authoritative Source) (L)(M)(H) | | | | |
| 💼 SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) (L)(M)(H) | | | | |
| 💼 SC-22 Architecture and Provisioning for Name/Address Resolution Service (L)(M)(H) | | | | |
| 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 1 | | 15 | |
| 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | | | 12 | |
| 💼 SC-39 Process Isolation (L)(M)(H) | | | | |
| 💼 System and Information Integrity | 6 | | | |
| 💼 SI-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 SI-2 Flaw Remediation (L)(M)(H) | | | 9 | |
| 💼 SI-3 Malicious Code Protection (L)(M)(H) | | | 7 | |
| 💼 SI-4 System Monitoring (L)(M)(H) | | | 7 | |
| 💼 SI-5 Security Alerts, Advisories, and Directives (L)(M)(H) | | | | |
| 💼 SI-12 Information Management and Retention (L)(M)(H) | | | | |
| 💼 System and Services Acquisition | 8 | | | |
| 💼 SA-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 SA-2 Allocation of Resources (L)(M)(H) | | | | |
| 💼 SA-3 System Development Life Cycle (L)(M)(H) | | | | |
| 💼 SA-4 Acquisition Process (L)(M)(H) | 1 | | | |
| 💼 SA-4(10) Use of Approved PIV Products (L)(M)(H) | | | | |
| 💼 SA-5 System Documentation (L)(M)(H) | | | | |
| 💼 SA-8 Security and Privacy Engineering Principles (L)(M)(H) | | | | |
| 💼 SA-9 External System Services (L)(M)(H) | | | | |
| 💼 SA-22 Unsupported System Components (L)(M)(H) | | | | |