💼 NIST SP 800-53 Revision 4

  • Contextual name: 💼 NIST SP 800-53 Revision 4
  • ID: /frameworks/nist-sp-800-53-r4

Description

Empty...

Similar

  • Internal
    • ID: dec-a-fec275af

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 AC ACCESS CONTROL (25 sub sections)
    💼 AC-1 ACCESS CONTROL POLICY AND PROCEDURES
    💼 AC-2 ACCOUNT MANAGEMENT (13 sub sections; 1 internal rule; 1 policy)
        💼 AC-2 (1) AUTOMATED SYSTEM ACCOUNT MANAGEMENT
        💼 AC-2 (2) REMOVAL OF TEMPORARY _ EMERGENCY ACCOUNTS
        💼 AC-2 (3) DISABLE INACTIVE ACCOUNTS
        💼 AC-2 (4) AUTOMATED AUDIT ACTIONS
        💼 AC-2 (5) INACTIVITY LOGOUT
        💼 AC-2 (6) DYNAMIC PRIVILEGE MANAGEMENT
        💼 AC-2 (7) ROLE-BASED SCHEMES (1 internal rule; 1 policy)
        💼 AC-2 (8) DYNAMIC ACCOUNT CREATION
        💼 AC-2 (9) RESTRICTIONS ON USE OF SHARED _ GROUP ACCOUNTS
        💼 AC-2 (10) SHARED _ GROUP ACCOUNT CREDENTIAL TERMINATION
        💼 AC-2 (11) USAGE CONDITIONS
        💼 AC-2 (12) ACCOUNT MONITORING _ ATYPICAL USAGE
        💼 AC-2 (13) DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS
    💼 AC-3 ACCESS ENFORCEMENT (10 sub sections)
        💼 AC-3 (1) RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS
        💼 AC-3 (2) DUAL AUTHORIZATION
        💼 AC-3 (3) MANDATORY ACCESS CONTROL
        💼 AC-3 (4) DISCRETIONARY ACCESS CONTROL
        💼 AC-3 (5) SECURITY-RELEVANT INFORMATION
        💼 AC-3 (6) PROTECTION OF USER AND SYSTEM INFORMATION
        💼 AC-3 (7) ROLE-BASED ACCESS CONTROL
        💼 AC-3 (8) REVOCATION OF ACCESS AUTHORIZATIONS
        💼 AC-3 (9) CONTROLLED RELEASE
        💼 AC-3 (10) AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS
    💼 AC-4 INFORMATION FLOW ENFORCEMENT (22 sub sections)
        💼 AC-4 (1) OBJECT SECURITY ATTRIBUTES
        💼 AC-4 (2) PROCESSING DOMAINS
        💼 AC-4 (3) DYNAMIC INFORMATION FLOW CONTROL
        💼 AC-4 (4) CONTENT CHECK ENCRYPTED INFORMATION
        💼 AC-4 (5) EMBEDDED DATA TYPES (1 internal rule; 1 policy)
        💼 AC-4 (6) METADATA
        💼 AC-4 (7) ONE-WAY FLOW MECHANISMS
        💼 AC-4 (8) SECURITY POLICY FILTERS
        💼 AC-4 (9) HUMAN REVIEWS
        💼 AC-4 (10) ENABLE _ DISABLE SECURITY POLICY FILTERS
        💼 AC-4 (11) CONFIGURATION OF SECURITY POLICY FILTERS
        💼 AC-4 (12) DATA TYPE IDENTIFIERS
        💼 AC-4 (13) DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS
        💼 AC-4 (14) SECURITY POLICY FILTER CONSTRAINTS
        💼 AC-4 (15) DETECTION OF UNSANCTIONED INFORMATION
        💼 AC-4 (16) INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS
        💼 AC-4 (17) DOMAIN AUTHENTICATION
        💼 AC-4 (18) SECURITY ATTRIBUTE BINDING
        💼 AC-4 (19) VALIDATION OF METADATA
        💼 AC-4 (20) APPROVED SOLUTIONS
        💼 AC-4 (21) PHYSICAL _ LOGICAL SEPARATION OF INFORMATION FLOWS
        💼 AC-4 (22) ACCESS ONLY
    💼 AC-5 SEPARATION OF DUTIES (3 internal rules; 3 policies)
    💼 AC-6 LEAST PRIVILEGE (10 sub sections; 1 internal rule; 1 policy)
        💼 AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS
        💼 AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS
        💼 AC-6 (3) NETWORK ACCESS TO PRIVILEGED COMMANDS
        💼 AC-6 (4) SEPARATE PROCESSING DOMAINS
        💼 AC-6 (5) PRIVILEGED ACCOUNTS
        💼 AC-6 (6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS
        💼 AC-6 (7) REVIEW OF USER PRIVILEGES
        💼 AC-6 (8) PRIVILEGE LEVELS FOR CODE EXECUTION
        💼 AC-6 (9) AUDITING USE OF PRIVILEGED FUNCTIONS
        💼 AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS (1 internal rule; 1 policy)
    💼 AC-7 UNSUCCESSFUL LOGON ATTEMPTS (2 sub sections)
        💼 AC-7 (1) AUTOMATIC ACCOUNT LOCK
        💼 AC-7 (2) PURGE _ WIPE MOBILE DEVICE
    💼 AC-8 SYSTEM USE NOTIFICATION
    💼 AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION (4 sub sections)
        💼 AC-9 (1) UNSUCCESSFUL LOGONS
        💼 AC-9 (2) SUCCESSFUL _ UNSUCCESSFUL LOGONS
        💼 AC-9 (3) NOTIFICATION OF ACCOUNT CHANGES
        💼 AC-9 (4) ADDITIONAL LOGON INFORMATION
    💼 AC-10 CONCURRENT SESSION CONTROL
    💼 AC-11 SESSION LOCK (1 sub section)
        💼 AC-11 (1) PATTERN-HIDING DISPLAYS
    💼 AC-12 SESSION TERMINATION (1 sub section)
        💼 AC-12 (1) USER-INITIATED LOGOUTS _ MESSAGE DISPLAYS
    💼 AC-13 SUPERVISION AND REVIEW - ACCESS CONTROL
    💼 AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION (1 sub section)
        💼 AC-14 (1) NECESSARY USES
    💼 AC-15 AUTOMATED MARKING
    💼 AC-16 SECURITY ATTRIBUTES (10 sub sections)
        💼 AC-16 (1) DYNAMIC ATTRIBUTE ASSOCIATION
        💼 AC-16 (2) ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS
        💼 AC-16 (3) MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM
        💼 AC-16 (4) ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS
        💼 AC-16 (5) ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES
        💼 AC-16 (6) MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION
        💼 AC-16 (7) CONSISTENT ATTRIBUTE INTERPRETATION
        💼 AC-16 (8) ASSOCIATION TECHNIQUES _ TECHNOLOGIES
        💼 AC-16 (9) ATTRIBUTE REASSIGNMENT
        💼 AC-16 (10) ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS
    💼 AC-17 REMOTE ACCESS (9 sub sections)
        💼 AC-17 (1) AUTOMATED MONITORING _ CONTROL
        💼 AC-17 (2) PROTECTION OF CONFIDENTIALITY _ INTEGRITY USING ENCRYPTION
        💼 AC-17 (3) MANAGED ACCESS CONTROL POINTS
        💼 AC-17 (4) PRIVILEGED COMMANDS _ ACCESS
        💼 AC-17 (5) MONITORING FOR UNAUTHORIZED CONNECTIONS
        💼 AC-17 (6) PROTECTION OF INFORMATION
        💼 AC-17 (7) ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS
        💼 AC-17 (8) DISABLE NONSECURE NETWORK PROTOCOLS
        💼 AC-17 (9) DISCONNECT _ DISABLE ACCESS
    💼 AC-18 WIRELESS ACCESS (5 sub sections)
        💼 AC-18 (1) AUTHENTICATION AND ENCRYPTION
        💼 AC-18 (2) MONITORING UNAUTHORIZED CONNECTIONS
        💼 AC-18 (3) DISABLE WIRELESS NETWORKING
        💼 AC-18 (4) RESTRICT CONFIGURATIONS BY USERS
        💼 AC-18 (5) ANTENNAS _ TRANSMISSION POWER LEVELS
    💼 AC-19 ACCESS CONTROL FOR MOBILE DEVICES (5 sub sections)
        💼 AC-19 (1) USE OF WRITABLE _ PORTABLE STORAGE DEVICES
        💼 AC-19 (2) USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES
        💼 AC-19 (3) USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER
        💼 AC-19 (4) RESTRICTIONS FOR CLASSIFIED INFORMATION
        💼 AC-19 (5) FULL DEVICE _ CONTAINER-BASED ENCRYPTION
    💼 AC-20 USE OF EXTERNAL INFORMATION SYSTEMS (4 sub sections)
        💼 AC-20 (1) LIMITS ON AUTHORIZED USE
        💼 AC-20 (2) PORTABLE STORAGE DEVICES
        💼 AC-20 (3) NON-ORGANIZATIONALLY OWNED SYSTEMS _ COMPONENTS _ DEVICES
        💼 AC-20 (4) NETWORK ACCESSIBLE STORAGE DEVICES
    💼 AC-21 INFORMATION SHARING (2 sub sections)
        💼 AC-21 (1) AUTOMATED DECISION SUPPORT
        💼 AC-21 (2) INFORMATION SEARCH AND RETRIEVAL
    💼 AC-22 PUBLICLY ACCESSIBLE CONTENT
    💼 AC-23 DATA MINING PROTECTION
    💼 AC-24 ACCESS CONTROL DECISIONS (2 sub sections)
        💼 AC-24 (1) TRANSMIT ACCESS AUTHORIZATION INFORMATION
        💼 AC-24 (2) NO USER OR PROCESS IDENTITY
    💼 AC-25 REFERENCE MONITOR
💼 AT AWARENESS AND TRAINING (5 sub sections)
    💼 AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
    💼 AT-2 SECURITY AWARENESS TRAINING (2 sub sections)
        💼 AT-2 (1) PRACTICAL EXERCISES
        💼 AT-2 (2) INSIDER THREAT
    💼 AT-3 ROLE-BASED SECURITY TRAINING (4 sub sections)
        💼 AT-3 (1) ENVIRONMENTAL CONTROLS
        💼 AT-3 (2) PHYSICAL SECURITY CONTROLS
        💼 AT-3 (3) PRACTICAL EXERCISES
        💼 AT-3 (4) SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR
    💼 AT-4 SECURITY TRAINING RECORDS
    💼 AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
💼 AU AUDIT AND ACCOUNTABILITY (16 sub sections)
    💼 AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
    💼 AU-2 AUDIT EVENTS (4 sub sections; 2 internal rules; 3 policies)
        💼 AU-2 (1) COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES
        💼 AU-2 (2) SELECTION OF AUDIT EVENTS BY COMPONENT
        💼 AU-2 (3) REVIEWS AND UPDATES
        💼 AU-2 (4) PRIVILEGED FUNCTIONS
    💼 AU-3 CONTENT OF AUDIT RECORDS (2 sub sections)
        💼 AU-3 (1) ADDITIONAL AUDIT INFORMATION
        💼 AU-3 (2) CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT
    💼 AU-4 AUDIT STORAGE CAPACITY (1 sub section)
        💼 AU-4 (1) TRANSFER TO ALTERNATE STORAGE
    💼 AU-5 RESPONSE TO AUDIT PROCESSING FAILURES (4 sub sections)
        💼 AU-5 (1) AUDIT STORAGE CAPACITY
        💼 AU-5 (2) REAL-TIME ALERTS
        💼 AU-5 (3) CONFIGURABLE TRAFFIC VOLUME THRESHOLDS
        💼 AU-5 (4) SHUTDOWN ON FAILURE
    💼 AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING (10 sub sections; 2 internal rules; 2 policies)
        💼 AU-6 (1) PROCESS INTEGRATION
        💼 AU-6 (2) AUTOMATED SECURITY ALERTS
        💼 AU-6 (3) CORRELATE AUDIT REPOSITORIES
        💼 AU-6 (4) CENTRAL REVIEW AND ANALYSIS
        💼 AU-6 (5) INTEGRATION _ SCANNING AND MONITORING CAPABILITIES
        💼 AU-6 (6) CORRELATION WITH PHYSICAL MONITORING
        💼 AU-6 (7) PERMITTED ACTIONS
        💼 AU-6 (8) FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS
        💼 AU-6 (9) CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES
        💼 AU-6 (10) AUDIT LEVEL ADJUSTMENT
    💼 AU-7 AUDIT REDUCTION AND REPORT GENERATION (2 sub sections)
        💼 AU-7 (1) AUTOMATIC PROCESSING
        💼 AU-7 (2) AUTOMATIC SORT AND SEARCH
    💼 AU-8 TIME STAMPS (2 sub sections)
        💼 AU-8 (1) SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE
        💼 AU-8 (2) SECONDARY AUTHORITATIVE TIME SOURCE
    💼 AU-9 PROTECTION OF AUDIT INFORMATION (6 sub sections)
        💼 AU-9 (1) HARDWARE WRITE-ONCE MEDIA
        💼 AU-9 (2) AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS _ COMPONENTS
        💼 AU-9 (3) CRYPTOGRAPHIC PROTECTION
        💼 AU-9 (4) ACCESS BY SUBSET OF PRIVILEGED USERS
        💼 AU-9 (5) DUAL AUTHORIZATION
        💼 AU-9 (6) READ ONLY ACCESS
    💼 AU-10 NON-REPUDIATION (5 sub sections; 1 internal rule; 1 policy)
        💼 AU-10 (1) ASSOCIATION OF IDENTITIES
        💼 AU-10 (2) VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY
        💼 AU-10 (3) CHAIN OF CUSTODY
        💼 AU-10 (4) VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY
        💼 AU-10 (5) DIGITAL SIGNATURES
    💼 AU-11 AUDIT RECORD RETENTION (1 sub section; 1 internal rule; 1 policy)
        💼 AU-11 (1) LONG-TERM RETRIEVAL CAPABILITY
    💼 AU-12 AUDIT GENERATION (3 sub sections)
        💼 AU-12 (1) SYSTEM-WIDE _ TIME-CORRELATED AUDIT TRAIL
        💼 AU-12 (2) STANDARDIZED FORMATS
        💼 AU-12 (3) CHANGES BY AUTHORIZED INDIVIDUALS
    💼 AU-13 MONITORING FOR INFORMATION DISCLOSURE (2 sub sections)
        💼 AU-13 (1) USE OF AUTOMATED TOOLS
        💼 AU-13 (2) REVIEW OF MONITORED SITES
    💼 AU-14 SESSION AUDIT (3 sub sections)
        💼 AU-14 (1) SYSTEM START-UP
        💼 AU-14 (2) CAPTURE_RECORD AND LOG CONTENT
        💼 AU-14 (3) REMOTE VIEWING _ LISTENING
    💼 AU-15 ALTERNATE AUDIT CAPABILITY
    💼 AU-16 CROSS-ORGANIZATIONAL AUDITING (2 sub sections)
        💼 AU-16 (1) IDENTITY PRESERVATION
        💼 AU-16 (2) SHARING OF AUDIT INFORMATION
💼 CA SECURITY ASSESSMENT AND AUTHORIZATION (9 sub sections)
    💼 CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES
    💼 CA-2 SECURITY ASSESSMENTS (3 sub sections)
        💼 CA-2 (1) INDEPENDENT ASSESSORS
        💼 CA-2 (2) SPECIALIZED ASSESSMENTS
        💼 CA-2 (3) EXTERNAL ORGANIZATIONS
    💼 CA-3 SYSTEM INTERCONNECTIONS (5 sub sections)
        💼 CA-3 (1) UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
        💼 CA-3 (2) CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
        💼 CA-3 (3) UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS
        💼 CA-3 (4) CONNECTIONS TO PUBLIC NETWORKS
        💼 CA-3 (5) RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS
    💼 CA-4 SECURITY CERTIFICATION
    💼 CA-5 PLAN OF ACTION AND MILESTONES (1 sub section)
        💼 CA-5 (1) AUTOMATION SUPPORT FOR ACCURACY _ CURRENCY
    💼 CA-6 SECURITY AUTHORIZATION
    💼 CA-7 CONTINUOUS MONITORING (3 sub sections)
        💼 CA-7 (1) INDEPENDENT ASSESSMENT
        💼 CA-7 (2) TYPES OF ASSESSMENTS
        💼 CA-7 (3) TREND ANALYSES
    💼 CA-8 PENETRATION TESTING (2 sub sections)
        💼 CA-8 (1) INDEPENDENT PENETRATION AGENT OR TEAM
        💼 CA-8 (2) RED TEAM EXERCISES
    💼 CA-9 INTERNAL SYSTEM CONNECTIONS (1 sub section)
        💼 CA-9 (1) SECURITY COMPLIANCE CHECKS
💼 CM CONFIGURATION MANAGEMENT (11 sub sections)
    💼 CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
    💼 CM-2 BASELINE CONFIGURATION (7 sub sections; 1 internal rule; 1 policy)
        💼 CM-2 (1) REVIEWS AND UPDATES
        💼 CM-2 (2) AUTOMATION SUPPORT FOR ACCURACY _ CURRENCY
        💼 CM-2 (3) RETENTION OF PREVIOUS CONFIGURATIONS
        💼 CM-2 (4) UNAUTHORIZED SOFTWARE
        💼 CM-2 (5) AUTHORIZED SOFTWARE
        💼 CM-2 (6) DEVELOPMENT AND TEST ENVIRONMENTS
        💼 CM-2 (7) CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS
    💼 CM-3 CONFIGURATION CHANGE CONTROL (6 sub sections)
        💼 CM-3 (1) AUTOMATED DOCUMENT _ NOTIFICATION _ PROHIBITION OF CHANGES
        💼 CM-3 (2) TEST _ VALIDATE _ DOCUMENT CHANGES
        💼 CM-3 (3) AUTOMATED CHANGE IMPLEMENTATION
        💼 CM-3 (4) SECURITY REPRESENTATIVE
        💼 CM-3 (5) AUTOMATED SECURITY RESPONSE
        💼 CM-3 (6) CRYPTOGRAPHY MANAGEMENT
    💼 CM-4 SECURITY IMPACT ANALYSIS (2 sub sections)
        💼 CM-4 (1) SEPARATE TEST ENVIRONMENTS
        💼 CM-4 (2) VERIFICATION OF SECURITY FUNCTIONS
    💼 CM-5 ACCESS RESTRICTIONS FOR CHANGE (7 sub sections)
        💼 CM-5 (1) AUTOMATED ACCESS ENFORCEMENT _ AUDITING
        💼 CM-5 (2) REVIEW SYSTEM CHANGES
        💼 CM-5 (3) SIGNED COMPONENTS
        💼 CM-5 (4) DUAL AUTHORIZATION
        💼 CM-5 (5) LIMIT PRODUCTION _ OPERATIONAL PRIVILEGES
        💼 CM-5 (6) LIMIT LIBRARY PRIVILEGES
        💼 CM-5 (7) AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS
    💼 CM-6 CONFIGURATION SETTINGS (4 sub sections; 1 internal rule; 1 policy)
        💼 CM-6 (1) AUTOMATED CENTRAL MANAGEMENT _ APPLICATION _ VERIFICATION
        💼 CM-6 (2) RESPOND TO UNAUTHORIZED CHANGES
        💼 CM-6 (3) UNAUTHORIZED CHANGE DETECTION
        💼 CM-6 (4) CONFORMANCE DEMONSTRATION
    💼 CM-7 LEAST FUNCTIONALITY (5 sub sections; 4 internal rules; 5 policies)
        💼 CM-7 (1) PERIODIC REVIEW (3 internal rules; 4 policies)
        💼 CM-7 (2) PREVENT PROGRAM EXECUTION
        💼 CM-7 (3) REGISTRATION COMPLIANCE
        💼 CM-7 (4) UNAUTHORIZED SOFTWARE _ BLACKLISTING
        💼 CM-7 (5) AUTHORIZED SOFTWARE _ WHITELISTING
    💼 CM-8 INFORMATION SYSTEM COMPONENT INVENTORY (9 sub sections; 1 internal rule; 2 policies)
        💼 CM-8 (1) UPDATES DURING INSTALLATIONS _ REMOVALS
        💼 CM-8 (2) AUTOMATED MAINTENANCE
        💼 CM-8 (3) AUTOMATED UNAUTHORIZED COMPONENT DETECTION
        💼 CM-8 (4) ACCOUNTABILITY INFORMATION
        💼 CM-8 (5) NO DUPLICATE ACCOUNTING OF COMPONENTS
        💼 CM-8 (6) ASSESSED CONFIGURATIONS _ APPROVED DEVIATIONS
        💼 CM-8 (7) CENTRALIZED REPOSITORY
        💼 CM-8 (8) AUTOMATED LOCATION TRACKING
        💼 CM-8 (9) ASSIGNMENT OF COMPONENTS TO SYSTEMS
    💼 CM-9 CONFIGURATION MANAGEMENT PLAN (1 sub section)
        💼 CM-9 (1) ASSIGNMENT OF RESPONSIBILITY
    💼 CM-10 SOFTWARE USAGE RESTRICTIONS (1 sub section)
        💼 CM-10 (1) OPEN SOURCE SOFTWARE
    💼 CM-11 USER-INSTALLED SOFTWARE (2 sub sections)
        💼 CM-11 (1) ALERTS FOR UNAUTHORIZED INSTALLATIONS
        💼 CM-11 (2) PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS
💼 CP CONTINGENCY PLANNING (13 sub sections)
    💼 CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
    💼 CP-2 CONTINGENCY PLAN (8 sub sections)
        💼 CP-2 (1) COORDINATE WITH RELATED PLANS
        💼 CP-2 (2) CAPACITY PLANNING
        💼 CP-2 (3) RESUME ESSENTIAL MISSIONS _ BUSINESS FUNCTIONS
        💼 CP-2 (4) RESUME ALL MISSIONS _ BUSINESS FUNCTIONS
        💼 CP-2 (5) CONTINUE ESSENTIAL MISSIONS _ BUSINESS FUNCTIONS
        💼 CP-2 (6) ALTERNATE PROCESSING _ STORAGE SITE
        💼 CP-2 (7) COORDINATE WITH EXTERNAL SERVICE PROVIDERS
        💼 CP-2 (8) IDENTIFY CRITICAL ASSETS
    💼 CP-3 CONTINGENCY TRAINING (2 sub sections)
        💼 CP-3 (1) SIMULATED EVENTS
        💼 CP-3 (2) AUTOMATED TRAINING ENVIRONMENTS
    💼 CP-4 CONTINGENCY PLAN TESTING (4 sub sections)
        💼 CP-4 (1) COORDINATE WITH RELATED PLANS
        💼 CP-4 (2) ALTERNATE PROCESSING SITE
        💼 CP-4 (3) AUTOMATED TESTING
        💼 CP-4 (4) FULL RECOVERY _ RECONSTITUTION
    💼 CP-5 CONTINGENCY PLAN UPDATE
    💼 CP-6 ALTERNATE STORAGE SITE (3 sub sections)
        💼 CP-6 (1) SEPARATION FROM PRIMARY SITE
        💼 CP-6 (2) RECOVERY TIME _ POINT OBJECTIVES
        💼 CP-6 (3) ACCESSIBILITY
    💼 CP-7 ALTERNATE PROCESSING SITE (6 sub sections)
        💼 CP-7 (1) SEPARATION FROM PRIMARY SITE
        💼 CP-7 (2) ACCESSIBILITY
        💼 CP-7 (3) PRIORITY OF SERVICE
        💼 CP-7 (4) PREPARATION FOR USE
        💼 CP-7 (5) EQUIVALENT INFORMATION SECURITY SAFEGUARDS
        💼 CP-7 (6) INABILITY TO RETURN TO PRIMARY SITE
    💼 CP-8 TELECOMMUNICATIONS SERVICES (5 sub sections)
        💼 CP-8 (1) PRIORITY OF SERVICE PROVISIONS
        💼 CP-8 (2) SINGLE POINTS OF FAILURE
        💼 CP-8 (3) SEPARATION OF PRIMARY _ ALTERNATE PROVIDERS
        💼 CP-8 (4) PROVIDER CONTINGENCY PLAN
        💼 CP-8 (5) ALTERNATE TELECOMMUNICATION SERVICE TESTING
    💼 CP-9 INFORMATION SYSTEM BACKUP (7 sub sections)
        💼 CP-9 (1) TESTING FOR RELIABILITY _ INTEGRITY
        💼 CP-9 (2) TEST RESTORATION USING SAMPLING
        💼 CP-9 (3) SEPARATE STORAGE FOR CRITICAL INFORMATION
        💼 CP-9 (4) PROTECTION FROM UNAUTHORIZED MODIFICATION
        💼 CP-9 (5) TRANSFER TO ALTERNATE STORAGE SITE
        💼 CP-9 (6) REDUNDANT SECONDARY SYSTEM
        💼 CP-9 (7) DUAL AUTHORIZATION
    💼 CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION (6 sub sections)
        💼 CP-10 (1) CONTINGENCY PLAN TESTING
        💼 CP-10 (2) TRANSACTION RECOVERY
        💼 CP-10 (3) COMPENSATING SECURITY CONTROLS
        💼 CP-10 (4) RESTORE WITHIN TIME PERIOD
        💼 CP-10 (5) FAILOVER CAPABILITY
        💼 CP-10 (6) COMPONENT PROTECTION
    💼 CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS
    💼 CP-12 SAFE MODE
    💼 CP-13 ALTERNATIVE SECURITY MECHANISMS
💼 IA IDENTIFICATION AND AUTHENTICATION (11 sub sections)
    💼 IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
    💼 IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) (13 sub sections; 1 internal rule; 1 policy)
        💼 IA-2 (1) NETWORK ACCESS TO PRIVILEGED ACCOUNTS
        💼 IA-2 (2) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS
        💼 IA-2 (3) LOCAL ACCESS TO PRIVILEGED ACCOUNTS
        💼 IA-2 (4) LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS
        💼 IA-2 (5) GROUP AUTHENTICATION
        💼 IA-2 (6) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - SEPARATE DEVICE
        💼 IA-2 (7) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - SEPARATE DEVICE
        💼 IA-2 (8) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT
        💼 IA-2 (9) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT
        💼 IA-2 (10) SINGLE SIGN-ON
        💼 IA-2 (11) REMOTE ACCESS - SEPARATE DEVICE
        💼 IA-2 (12) ACCEPTANCE OF PIV CREDENTIALS
        💼 IA-2 (13) OUT-OF-BAND AUTHENTICATION
    💼 IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION (4 sub sections; 1 internal rule; 1 policy)
        💼 IA-3 (1) CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION
        💼 IA-3 (2) CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION
        💼 IA-3 (3) DYNAMIC ADDRESS ALLOCATION
        💼 IA-3 (4) DEVICE ATTESTATION
    💼 IA-4 IDENTIFIER MANAGEMENT (7 sub sections)
        💼 IA-4 (1) PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS
        💼 IA-4 (2) SUPERVISOR AUTHORIZATION
        💼 IA-4 (3) MULTIPLE FORMS OF CERTIFICATION
        💼 IA-4 (4) IDENTIFY USER STATUS
        💼 IA-4 (5) DYNAMIC MANAGEMENT
        💼 IA-4 (6) CROSS-ORGANIZATION MANAGEMENT
        💼 IA-4 (7) IN-PERSON REGISTRATION
    💼 IA-5 AUTHENTICATOR MANAGEMENT (15 sub sections; 2 internal rules; 2 policies)
        💼 IA-5 (1) PASSWORD-BASED AUTHENTICATION
        💼 IA-5 (2) PKI-BASED AUTHENTICATION
        💼 IA-5 (3) IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
        💼 IA-5 (4) AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION
        💼 IA-5 (5) CHANGE AUTHENTICATORS PRIOR TO DELIVERY
        💼 IA-5 (6) PROTECTION OF AUTHENTICATORS
        💼 IA-5 (7) NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS
        💼 IA-5 (8) MULTIPLE INFORMATION SYSTEM ACCOUNTS
        💼 IA-5 (9) CROSS-ORGANIZATION CREDENTIAL MANAGEMENT
        💼 IA-5 (10) DYNAMIC CREDENTIAL ASSOCIATION
        💼 IA-5 (11) HARDWARE TOKEN-BASED AUTHENTICATION
        💼 IA-5 (12) BIOMETRIC-BASED AUTHENTICATION
        💼 IA-5 (13) EXPIRATION OF CACHED AUTHENTICATORS (1 internal rule; 1 policy)
        💼 IA-5 (14) MANAGING CONTENT OF PKI TRUST STORES
        💼 IA-5 (15) FICAM-APPROVED PRODUCTS AND SERVICES
    💼 IA-6 AUTHENTICATOR FEEDBACK
    💼 IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
    💼 IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) (5 sub sections)
        💼 IA-8 (1) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES
        💼 IA-8 (2) ACCEPTANCE OF THIRD-PARTY CREDENTIALS
        💼 IA-8 (3) USE OF FICAM-APPROVED PRODUCTS
        💼 IA-8 (4) USE OF FICAM-ISSUED PROFILES
        💼 IA-8 (5) ACCEPTANCE OF PIV-I CREDENTIALS
    💼 IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION (2 sub sections)
        💼 IA-9 (1) INFORMATION EXCHANGE
        💼 IA-9 (2) TRANSMISSION OF DECISIONS
    💼 IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION
    💼 IA-11 RE-AUTHENTICATION
💼 IR INCIDENT RESPONSE (10 sub sections)
    💼 IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
    💼 IR-2 INCIDENT RESPONSE TRAINING (2 sub sections)
        💼 IR-2 (1) SIMULATED EVENTS
        💼 IR-2 (2) AUTOMATED TRAINING ENVIRONMENTS
    💼 IR-3 INCIDENT RESPONSE TESTING (2 sub sections)
        💼 IR-3 (1) AUTOMATED TESTING
        💼 IR-3 (2) COORDINATION WITH RELATED PLANS
    💼 IR-4 INCIDENT HANDLING (10 sub sections)
        💼 IR-4 (1) AUTOMATED INCIDENT HANDLING PROCESSES
        💼 IR-4 (2) DYNAMIC RECONFIGURATION
        💼 IR-4 (3) CONTINUITY OF OPERATIONS
        💼 IR-4 (4) INFORMATION CORRELATION
        💼 IR-4 (5) AUTOMATIC DISABLING OF INFORMATION SYSTEM
        💼 IR-4 (6) INSIDER THREATS - SPECIFIC CAPABILITIES
        💼 IR-4 (7) INSIDER THREATS - INTRA-ORGANIZATION COORDINATION
        💼 IR-4 (8) CORRELATION WITH EXTERNAL ORGANIZATIONS
        💼 IR-4 (9) DYNAMIC RESPONSE CAPABILITY
        💼 IR-4 (10) SUPPLY CHAIN COORDINATION
    💼 IR-5 INCIDENT MONITORING (1 sub section)
        💼 IR-5 (1) AUTOMATED TRACKING _ DATA COLLECTION _ ANALYSIS
    💼 IR-6 INCIDENT REPORTING (3 sub sections)
        💼 IR-6 (1) AUTOMATED REPORTING
        💼 IR-6 (2) VULNERABILITIES RELATED TO INCIDENTS
        💼 IR-6 (3) COORDINATION WITH SUPPLY CHAIN
    💼 IR-7 INCIDENT RESPONSE ASSISTANCE (2 sub sections)
        💼 IR-7 (1) AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION _ SUPPORT
        💼 IR-7 (2) COORDINATION WITH EXTERNAL PROVIDERS
    💼 IR-8 INCIDENT RESPONSE PLAN
    💼 IR-9 INFORMATION SPILLAGE RESPONSE (4 sub sections)
        💼 IR-9 (1) RESPONSIBLE PERSONNEL
        💼 IR-9 (2) TRAINING
        💼 IR-9 (3) POST-SPILL OPERATIONS
        💼 IR-9 (4) EXPOSURE TO UNAUTHORIZED PERSONNEL
    💼 IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM
💼 MA MAINTENANCE (6 sub sections)
    💼 MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES
    💼 MA-2 CONTROLLED MAINTENANCE (2 sub sections)
        💼 MA-2 (1) RECORD CONTENT
        💼 MA-2 (2) AUTOMATED MAINTENANCE ACTIVITIES
    💼 MA-3 MAINTENANCE TOOLS (4 sub sections)
        💼 MA-3 (1) INSPECT TOOLS
        💼 MA-3 (2) INSPECT MEDIA
        💼 MA-3 (3) PREVENT UNAUTHORIZED REMOVAL
        💼 MA-3 (4) RESTRICTED TOOL USE
    💼 MA-4 NONLOCAL MAINTENANCE (7 sub sections)
        💼 MA-4 (1) AUDITING AND REVIEW
        💼 MA-4 (2) DOCUMENT NONLOCAL MAINTENANCE
        💼 MA-4 (3) COMPARABLE SECURITY _ SANITIZATION
        💼 MA-4 (4) AUTHENTICATION _ SEPARATION OF MAINTENANCE SESSIONS
        💼 MA-4 (5) APPROVALS AND NOTIFICATIONS
        💼 MA-4 (6) CRYPTOGRAPHIC PROTECTION
        💼 MA-4 (7) REMOTE DISCONNECT VERIFICATION
    💼 MA-5 MAINTENANCE PERSONNEL (5 sub sections)
        💼 MA-5 (1) INDIVIDUALS WITHOUT APPROPRIATE ACCESS
        💼 MA-5 (2) SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS
        💼 MA-5 (3) CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS
        💼 MA-5 (4) FOREIGN NATIONALS
        💼 MA-5 (5) NONSYSTEM-RELATED MAINTENANCE
    💼 MA-6 TIMELY MAINTENANCE (3 sub sections)
        💼 MA-6 (1) PREVENTIVE MAINTENANCE
        💼 MA-6 (2) PREDICTIVE MAINTENANCE
        💼 MA-6 (3) AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE
💼 MP MEDIA PROTECTION (8 sub sections)
    💼 MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
    💼 MP-2 MEDIA ACCESS (2 sub sections)
        💼 MP-2 (1) AUTOMATED RESTRICTED ACCESS
        💼 MP-2 (2) CRYPTOGRAPHIC PROTECTION
    💼 MP-3 MEDIA MARKING
    💼 MP-4 MEDIA STORAGE (2 sub sections)
        💼 MP-4 (1) CRYPTOGRAPHIC PROTECTION
        💼 MP-4 (2) AUTOMATED RESTRICTED ACCESS
    💼 MP-5 MEDIA TRANSPORT (4 sub sections)
        💼 MP-5 (1) PROTECTION OUTSIDE OF CONTROLLED AREAS
        💼 MP-5 (2) DOCUMENTATION OF ACTIVITIES
        💼 MP-5 (3) CUSTODIANS
        💼 MP-5 (4) CRYPTOGRAPHIC PROTECTION
    💼 MP-6 MEDIA SANITIZATION (8 sub sections)
        💼 MP-6 (1) REVIEW _ APPROVE _ TRACK _ DOCUMENT _ VERIFY
        💼 MP-6 (2) EQUIPMENT TESTING
        💼 MP-6 (3) NONDESTRUCTIVE TECHNIQUES
        💼 MP-6 (4) CONTROLLED UNCLASSIFIED INFORMATION
        💼 MP-6 (5) CLASSIFIED INFORMATION
        💼 MP-6 (6) MEDIA DESTRUCTION
        💼 MP-6 (7) DUAL AUTHORIZATION
        💼 MP-6 (8) REMOTE PURGING _ WIPING OF INFORMATION
    💼 MP-7 MEDIA USE (2 sub sections)
        💼 MP-7 (1) PROHIBIT USE WITHOUT OWNER
        💼 MP-7 (2) PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA
    💼 MP-8 MEDIA DOWNGRADING (4 sub sections)
        💼 MP-8 (1) DOCUMENTATION OF PROCESS
        💼 MP-8 (2) EQUIPMENT TESTING
        💼 MP-8 (3) CONTROLLED UNCLASSIFIED INFORMATION
        💼 MP-8 (4) CLASSIFIED INFORMATION
💼 PE PHYSICAL AND ENVIRONMENTAL PROTECTION (20 sub sections)
    💼 PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
    💼 PE-2 PHYSICAL ACCESS AUTHORIZATIONS (3 sub sections)
        💼 PE-2 (1) ACCESS BY POSITION _ ROLE
        💼 PE-2 (2) TWO FORMS OF IDENTIFICATION
        💼 PE-2 (3) RESTRICT UNESCORTED ACCESS
    💼 PE-3 PHYSICAL ACCESS CONTROL (6 sub sections)
        💼 PE-3 (1) INFORMATION SYSTEM ACCESS
        💼 PE-3 (2) FACILITY _ INFORMATION SYSTEM BOUNDARIES
        💼 PE-3 (3) CONTINUOUS GUARDS _ ALARMS _ MONITORING
        💼 PE-3 (4) LOCKABLE CASINGS
        💼 PE-3 (5) TAMPER PROTECTION
        💼 PE-3 (6) FACILITY PENETRATION TESTING
    💼 PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
    💼 PE-5 ACCESS CONTROL FOR OUTPUT DEVICES (3 sub sections)
        💼 PE-5 (1) ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS
        💼 PE-5 (2) ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY
        💼 PE-5 (3) MARKING OUTPUT DEVICES
    💼 PE-6 MONITORING PHYSICAL ACCESS (4 sub sections)
        💼 PE-6 (1) INTRUSION ALARMS _ SURVEILLANCE EQUIPMENT
        💼 PE-6 (2) AUTOMATED INTRUSION RECOGNITION _ RESPONSES
        💼 PE-6 (3) VIDEO SURVEILLANCE
        💼 PE-6 (4) MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS
    💼 PE-7 VISITOR CONTROL
    💼 PE-8 VISITOR ACCESS RECORDS (2 sub sections)
        💼 PE-8 (1) AUTOMATED RECORDS MAINTENANCE _ REVIEW
        💼 PE-8 (2) PHYSICAL ACCESS RECORDS
    💼 PE-9 POWER EQUIPMENT AND CABLING (2 sub sections)
        💼 PE-9 (1) REDUNDANT CABLING
        💼 PE-9 (2) AUTOMATIC VOLTAGE CONTROLS
    💼 PE-10 EMERGENCY SHUTOFF (1 sub section)
        💼 PE-10 (1) ACCIDENTAL _ UNAUTHORIZED ACTIVATION
    💼 PE-11 EMERGENCY POWER (2 sub sections)
        💼 PE-11 (1) LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY
        💼 PE-11 (2) LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED
    💼 PE-12 EMERGENCY LIGHTING (1 sub section)
        💼 PE-12 (1) ESSENTIAL MISSIONS _ BUSINESS FUNCTIONS
    💼 PE-13 FIRE PROTECTION (4 sub sections)
        💼 PE-13 (1) DETECTION DEVICES _ SYSTEMS
        💼 PE-13 (2) SUPPRESSION DEVICES _ SYSTEMS
        💼 PE-13 (3) AUTOMATIC FIRE SUPPRESSION
        💼 PE-13 (4) INSPECTIONS
    💼 PE-14 TEMPERATURE AND HUMIDITY CONTROLS (2 sub sections)
        💼 PE-14 (1) AUTOMATIC CONTROLS
        💼 PE-14 (2) MONITORING WITH ALARMS _ NOTIFICATIONS
    💼 PE-15 WATER DAMAGE PROTECTION (1 sub section)
        💼 PE-15 (1) AUTOMATION SUPPORT
    💼 PE-16 DELIVERY AND REMOVAL
    💼 PE-17 ALTERNATE WORK SITE
    💼 PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS (1 sub section)
        💼 PE-18 (1) FACILITY SITE
    💼 PE-19 INFORMATION LEAKAGE (1 sub section)
        💼 PE-19 (1) NATIONAL EMISSIONS _ TEMPEST POLICIES AND PROCEDURES
    💼 PE-20 ASSET MONITORING AND TRACKING
💼 PL PLANNING (9 sub sections)
    💼 PL-1 SECURITY PLANNING POLICY AND PROCEDURES
    💼 PL-2 SYSTEM SECURITY PLAN (3 sub sections; 1 internal rule; 2 policies)
        💼 PL-2 (1) CONCEPT OF OPERATIONS
        💼 PL-2 (2) FUNCTIONAL ARCHITECTURE
        💼 PL-2 (3) PLAN _ COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES
    💼 PL-3 SYSTEM SECURITY PLAN UPDATE
    💼 PL-4 RULES OF BEHAVIOR (1 sub section)
        💼 PL-4 (1) SOCIAL MEDIA AND NETWORKING RESTRICTIONS
    💼 PL-5 PRIVACY IMPACT ASSESSMENT
    💼 PL-6 SECURITY-RELATED ACTIVITY PLANNING
    💼 PL-7 SECURITY CONCEPT OF OPERATIONS
    💼 PL-8 INFORMATION SECURITY ARCHITECTURE (2 sub sections)
        💼 PL-8 (1) DEFENSE-IN-DEPTH
        💼 PL-8 (2) SUPPLIER DIVERSITY
    💼 PL-9 CENTRAL MANAGEMENT
💼 PS PERSONNEL SECURITY (8 sub sections)
    💼 PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
    💼 PS-2 POSITION RISK DESIGNATION
    💼 PS-3 PERSONNEL SCREENING (3 sub sections)
        💼 PS-3 (1) CLASSIFIED INFORMATION
        💼 PS-3 (2) FORMAL INDOCTRINATION
        💼 PS-3 (3) INFORMATION WITH SPECIAL PROTECTION MEASURES
    💼 PS-4 PERSONNEL TERMINATION (2 sub sections)
        💼 PS-4 (1) POST-EMPLOYMENT REQUIREMENTS
        💼 PS-4 (2) AUTOMATED NOTIFICATION
    💼 PS-5 PERSONNEL TRANSFER
    💼 PS-6 ACCESS AGREEMENTS (3 sub sections)
        💼 PS-6 (1) INFORMATION REQUIRING SPECIAL PROTECTION
        💼 PS-6 (2) CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION
        💼 PS-6 (3) POST-EMPLOYMENT REQUIREMENTS
    💼 PS-7 THIRD-PARTY PERSONNEL SECURITY
    💼 PS-8 PERSONNEL SANCTIONS
💼 RA RISK ASSESSMENT (6 sub sections)
    💼 RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
    💼 RA-2 SECURITY CATEGORIZATION
    💼 RA-3 RISK ASSESSMENT
    💼 RA-4 RISK ASSESSMENT UPDATE
    💼 RA-5 VULNERABILITY SCANNING (10 sub sections)
        💼 RA-5 (1) UPDATE TOOL CAPABILITY
        💼 RA-5 (2) UPDATE BY FREQUENCY _ PRIOR TO NEW SCAN _ WHEN IDENTIFIED
        💼 RA-5 (3) BREADTH _ DEPTH OF COVERAGE
        💼 RA-5 (4) DISCOVERABLE INFORMATION
        💼 RA-5 (5) PRIVILEGED ACCESS
        💼 RA-5 (6) AUTOMATED TREND ANALYSES
        💼 RA-5 (7) AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS
        💼 RA-5 (8) REVIEW HISTORIC AUDIT LOGS
        💼 RA-5 (9) PENETRATION TESTING AND ANALYSES
        💼 RA-5 (10) CORRELATE SCANNING INFORMATION
    💼 RA-6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
💼 SA SYSTEM AND SERVICES ACQUISITION (22 sub sections)
    💼 SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
    💼 SA-2 ALLOCATION OF RESOURCES
    💼 SA-3 SYSTEM DEVELOPMENT LIFE CYCLE
    💼 SA-4 ACQUISITION PROCESS (10 sub sections)
        💼 SA-4 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS
        💼 SA-4 (2) DESIGN _ IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS
        💼 SA-4 (3) DEVELOPMENT METHODS _ TECHNIQUES _ PRACTICES
        💼 SA-4 (4) ASSIGNMENT OF COMPONENTS TO SYSTEMS
        💼 SA-4 (5) SYSTEM _ COMPONENT _ SERVICE CONFIGURATIONS
        💼 SA-4 (6) USE OF INFORMATION ASSURANCE PRODUCTS
        💼 SA-4 (7) NIAP-APPROVED PROTECTION PROFILES
        💼 SA-4 (8) CONTINUOUS MONITORING PLAN
        💼 SA-4 (9) FUNCTIONS _ PORTS _ PROTOCOLS _ SERVICES IN USE
        💼 SA-4 (10) USE OF APPROVED PIV PRODUCTS
    💼 SA-5 INFORMATION SYSTEM DOCUMENTATION (5 sub sections)
        💼 SA-5 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS
        💼 SA-5 (2) SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES
        💼 SA-5 (3) HIGH-LEVEL DESIGN
        💼 SA-5 (4) LOW-LEVEL DESIGN
        💼 SA-5 (5) SOURCE CODE
    💼 SA-6 SOFTWARE USAGE RESTRICTIONS
    💼 SA-7 USER-INSTALLED SOFTWARE
    💼 SA-8 SECURITY ENGINEERING PRINCIPLES
    💼 SA-9 EXTERNAL INFORMATION SYSTEM SERVICES (5 sub sections)
        💼 SA-9 (1) RISK ASSESSMENTS _ ORGANIZATIONAL APPROVALS
        💼 SA-9 (2) IDENTIFICATION OF FUNCTIONS _ PORTS _ PROTOCOLS _ SERVICES
        💼 SA-9 (3) ESTABLISH _ MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS
        💼 SA-9 (4) CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS
        💼 SA-9 (5) PROCESSING, STORAGE, AND SERVICE LOCATION
    💼 SA-10 DEVELOPER CONFIGURATION MANAGEMENT (6 sub sections)
        💼 SA-10 (1) SOFTWARE _ FIRMWARE INTEGRITY VERIFICATION
        💼 SA-10 (2) ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES
        💼 SA-10 (3) HARDWARE INTEGRITY VERIFICATION
        💼 SA-10 (4) TRUSTED GENERATION
        💼 SA-10 (5) MAPPING INTEGRITY FOR VERSION CONTROL
        💼 SA-10 (6) TRUSTED DISTRIBUTION
    💼 SA-11 DEVELOPER SECURITY TESTING AND EVALUATION (8 sub sections)
        💼 SA-11 (1) STATIC CODE ANALYSIS
        💼 SA-11 (2) THREAT AND VULNERABILITY ANALYSES
        💼 SA-11 (3) INDEPENDENT VERIFICATION OF ASSESSMENT PLANS _ EVIDENCE
        💼 SA-11 (4) MANUAL CODE REVIEWS
        💼 SA-11 (5) PENETRATION TESTING
        💼 SA-11 (6) ATTACK SURFACE REVIEWS
        💼 SA-11 (7) VERIFY SCOPE OF TESTING _ EVALUATION
        💼 SA-11 (8) DYNAMIC CODE ANALYSIS
    💼 SA-12 SUPPLY CHAIN PROTECTION (15 sub sections)
        💼 SA-12 (1) ACQUISITION STRATEGIES _ TOOLS _ METHODS
        💼 SA-12 (2) SUPPLIER REVIEWS
        💼 SA-12 (3) TRUSTED SHIPPING AND WAREHOUSING
        💼 SA-12 (4) DIVERSITY OF SUPPLIERS
        💼 SA-12 (5) LIMITATION OF HARM
        💼 SA-12 (6) MINIMIZING PROCUREMENT TIME
        💼 SA-12 (7) ASSESSMENTS PRIOR TO SELECTION _ ACCEPTANCE _ UPDATE
        💼 SA-12 (8) USE OF ALL-SOURCE INTELLIGENCE
        💼 SA-12 (9) OPERATIONS SECURITY
        💼 SA-12 (10) VALIDATE AS GENUINE AND NOT ALTERED
        💼 SA-12 (11) PENETRATION TESTING _ ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS
        💼 SA-12 (12) INTER-ORGANIZATIONAL AGREEMENTS
        💼 SA-12 (13) CRITICAL INFORMATION SYSTEM COMPONENTS
        💼 SA-12 (14) IDENTITY AND TRACEABILITY
        💼 SA-12 (15) PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES
    💼 SA-13 TRUSTWORTHINESS
    💼 SA-14 CRITICALITY ANALYSIS1
        💼 SA-14 (1) CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING
    💼 SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS11
        💼 SA-15 (1) QUALITY METRICS
        💼 SA-15 (2) SECURITY TRACKING TOOLS
        💼 SA-15 (3) CRITICALITY ANALYSIS
        💼 SA-15 (4) THREAT MODELING _ VULNERABILITY ANALYSIS
        💼 SA-15 (5) ATTACK SURFACE REDUCTION
        💼 SA-15 (6) CONTINUOUS IMPROVEMENT
        💼 SA-15 (7) AUTOMATED VULNERABILITY ANALYSIS
        💼 SA-15 (8) REUSE OF THREAT _ VULNERABILITY INFORMATION
        💼 SA-15 (9) USE OF LIVE DATA
        💼 SA-15 (10) INCIDENT RESPONSE PLAN
        💼 SA-15 (11) ARCHIVE INFORMATION SYSTEM _ COMPONENT
    💼 SA-16 DEVELOPER-PROVIDED TRAINING
    💼 SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN7
        💼 SA-17 (1) FORMAL POLICY MODEL
        💼 SA-17 (2) SECURITY-RELEVANT COMPONENTS
        💼 SA-17 (3) FORMAL CORRESPONDENCE
        💼 SA-17 (4) INFORMAL CORRESPONDENCE
        💼 SA-17 (5) CONCEPTUALLY SIMPLE DESIGN
        💼 SA-17 (6) STRUCTURE FOR TESTING
        💼 SA-17 (7) STRUCTURE FOR LEAST PRIVILEGE
    💼 SA-18 TAMPER RESISTANCE AND DETECTION2
        💼 SA-18 (1) MULTIPLE PHASES OF SDLC
        💼 SA-18 (2) INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES
    💼 SA-19 COMPONENT AUTHENTICITY4
        💼 SA-19 (1) ANTI-COUNTERFEIT TRAINING
        💼 SA-19 (2) CONFIGURATION CONTROL FOR COMPONENT SERVICE _ REPAIR
        💼 SA-19 (3) COMPONENT DISPOSAL
        💼 SA-19 (4) ANTI-COUNTERFEIT SCANNING
    💼 SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS
    💼 SA-21 DEVELOPER SCREENING1
        💼 SA-21 (1) VALIDATION OF SCREENING
    💼 SA-22 UNSUPPORTED SYSTEM COMPONENTS1
        💼 SA-22 (1) ALTERNATIVE SOURCES FOR CONTINUED SUPPORT
💼 SC SYSTEM AND COMMUNICATIONS PROTECTION44
    💼 SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
    💼 SC-2 APPLICATION PARTITIONING1
        💼 SC-2 (1) INTERFACES FOR NON-PRIVILEGED USERS
    💼 SC-3 SECURITY FUNCTION ISOLATION5
        💼 SC-3 (1) HARDWARE SEPARATION
        💼 SC-3 (2) ACCESS _ FLOW CONTROL FUNCTIONS
        💼 SC-3 (3) MINIMIZE NONSECURITY FUNCTIONALITY
        💼 SC-3 (4) MODULE COUPLING AND COHESIVENESS
        💼 SC-3 (5) LAYERED STRUCTURES
    💼 SC-4 INFORMATION IN SHARED RESOURCES2
        💼 SC-4 (1) SECURITY LEVELS
        💼 SC-4 (2) PERIODS PROCESSING
    💼 SC-5 DENIAL OF SERVICE PROTECTION3
        💼 SC-5 (1) RESTRICT INTERNAL USERS
        💼 SC-5 (2) EXCESS CAPACITY _ BANDWIDTH _ REDUNDANCY
        💼 SC-5 (3) DETECTION _ MONITORING
    💼 SC-6 RESOURCE AVAILABILITY
    💼 SC-7 BOUNDARY PROTECTION2356
        💼 SC-7 (1) PHYSICALLY SEPARATED SUBNETWORKS
        💼 SC-7 (2) PUBLIC ACCESS
        💼 SC-7 (3) ACCESS POINTS
        💼 SC-7 (4) EXTERNAL TELECOMMUNICATIONS SERVICES
        💼 SC-7 (5) DENY BY DEFAULT _ ALLOW BY EXCEPTION
        💼 SC-7 (6) RESPONSE TO RECOGNIZED FAILURES
        💼 SC-7 (7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
        💼 SC-7 (8) ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS
        💼 SC-7 (9) RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC
        💼 SC-7 (10) PREVENT UNAUTHORIZED EXFILTRATION
        💼 SC-7 (11) RESTRICT INCOMING COMMUNICATIONS TRAFFIC
        💼 SC-7 (12) HOST-BASED PROTECTION
        💼 SC-7 (13) ISOLATION OF SECURITY TOOLS _ MECHANISMS _ SUPPORT COMPONENTS
        💼 SC-7 (14) PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS
        💼 SC-7 (15) ROUTE PRIVILEGED NETWORK ACCESSES
        💼 SC-7 (16) PREVENT DISCOVERY OF COMPONENTS _ DEVICES
        💼 SC-7 (17) AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS
        💼 SC-7 (18) FAIL SECURE
        💼 SC-7 (19) BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS
        💼 SC-7 (20) DYNAMIC ISOLATION _ SEGREGATION
        💼 SC-7 (21) ISOLATION OF INFORMATION SYSTEM COMPONENTS
        💼 SC-7 (22) SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS
        💼 SC-7 (23) DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE
    💼 SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY422
        💼 SC-8 (1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION
        💼 SC-8 (2) PRE _ POST TRANSMISSION HANDLING
        💼 SC-8 (3) CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS
        💼 SC-8 (4) CONCEAL _ RANDOMIZE COMMUNICATIONS
    💼 SC-9 TRANSMISSION CONFIDENTIALITY
    💼 SC-10 NETWORK DISCONNECT
    💼 SC-11 TRUSTED PATH1
        💼 SC-11 (1) LOGICAL ISOLATION
    💼 SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT544
        💼 SC-12 (1) AVAILABILITY
        💼 SC-12 (2) SYMMETRIC KEYS11
        💼 SC-12 (3) ASYMMETRIC KEYS11
        💼 SC-12 (4) PKI CERTIFICATES
        💼 SC-12 (5) PKI CERTIFICATES _ HARDWARE TOKENS
    💼 SC-13 CRYPTOGRAPHIC PROTECTION411
        💼 SC-13 (1) FIPS-VALIDATED CRYPTOGRAPHY
        💼 SC-13 (2) NSA-APPROVED CRYPTOGRAPHY
        💼 SC-13 (3) INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS
        💼 SC-13 (4) DIGITAL SIGNATURES
    💼 SC-14 PUBLIC ACCESS PROTECTIONS
    💼 SC-15 COLLABORATIVE COMPUTING DEVICES4
        💼 SC-15 (1) PHYSICAL DISCONNECT
        💼 SC-15 (2) BLOCKING INBOUND _ OUTBOUND COMMUNICATIONS TRAFFIC
        💼 SC-15 (3) DISABLING _ REMOVAL IN SECURE WORK AREAS
        💼 SC-15 (4) EXPLICITLY INDICATE CURRENT PARTICIPANTS
    💼 SC-16 TRANSMISSION OF SECURITY ATTRIBUTES1
        💼 SC-16 (1) INTEGRITY VALIDATION
    💼 SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES22
    💼 SC-18 MOBILE CODE5
        💼 SC-18 (1) IDENTIFY UNACCEPTABLE CODE _ TAKE CORRECTIVE ACTIONS
        💼 SC-18 (2) ACQUISITION _ DEVELOPMENT _ USE
        💼 SC-18 (3) PREVENT DOWNLOADING _ EXECUTION
        💼 SC-18 (4) PREVENT AUTOMATIC EXECUTION
        💼 SC-18 (5) ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS
    💼 SC-19 VOICE OVER INTERNET PROTOCOL
    💼 SC-20 SECURE NAME _ ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)2
        💼 SC-20 (1) CHILD SUBSPACES
        💼 SC-20 (2) DATA ORIGIN _ INTEGRITY
    💼 SC-21 SECURE NAME _ ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)1
        💼 SC-21 (1) DATA ORIGIN _ INTEGRITY
    💼 SC-22 ARCHITECTURE AND PROVISIONING FOR NAME _ ADDRESS RESOLUTION SERVICE
    💼 SC-23 SESSION AUTHENTICITY4
        💼 SC-23 (1) INVALIDATE SESSION IDENTIFIERS AT LOGOUT
        💼 SC-23 (2) USER-INITIATED LOGOUTS _ MESSAGE DISPLAYS
        💼 SC-23 (4) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION
        💼 SC-23 (5) ALLOWED CERTIFICATE AUTHORITIES
    💼 SC-24 FAIL IN KNOWN STATE
    💼 SC-25 THIN NODES
    💼 SC-26 HONEYPOTS1
        💼 SC-26 (1) DETECTION OF MALICIOUS CODE
    💼 SC-27 PLATFORM-INDEPENDENT APPLICATIONS
    💼 SC-28 PROTECTION OF INFORMATION AT REST233
        💼 SC-28 (1) CRYPTOGRAPHIC PROTECTION
        💼 SC-28 (2) OFF-LINE STORAGE
    💼 SC-29 HETEROGENEITY1
        💼 SC-29 (1) VIRTUALIZATION TECHNIQUES
    💼 SC-30 CONCEALMENT AND MISDIRECTION5
        💼 SC-30 (1) VIRTUALIZATION TECHNIQUES
        💼 SC-30 (2) RANDOMNESS
        💼 SC-30 (3) CHANGE PROCESSING _ STORAGE LOCATIONS
        💼 SC-30 (4) MISLEADING INFORMATION
        💼 SC-30 (5) CONCEALMENT OF SYSTEM COMPONENTS
    💼 SC-31 COVERT CHANNEL ANALYSIS3
        💼 SC-31 (1) TEST COVERT CHANNELS FOR EXPLOITABILITY
        💼 SC-31 (2) MAXIMUM BANDWIDTH
        💼 SC-31 (3) MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS
    💼 SC-32 INFORMATION SYSTEM PARTITIONING
    💼 SC-33 TRANSMISSION PREPARATION INTEGRITY
    💼 SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS3
        💼 SC-34 (1) NO WRITABLE STORAGE
        💼 SC-34 (2) INTEGRITY PROTECTION _ READ-ONLY MEDIA
        💼 SC-34 (3) HARDWARE-BASED PROTECTION
    💼 SC-35 HONEYCLIENTS
    💼 SC-36 DISTRIBUTED PROCESSING AND STORAGE1
        💼 SC-36 (1) POLLING TECHNIQUES
    💼 SC-37 OUT-OF-BAND CHANNELS1
        💼 SC-37 (1) ENSURE DELIVERY _ TRANSMISSION
    💼 SC-38 OPERATIONS SECURITY
    💼 SC-39 PROCESS ISOLATION2
        💼 SC-39 (1) HARDWARE SEPARATION
        💼 SC-39 (2) THREAD ISOLATION
    💼 SC-40 WIRELESS LINK PROTECTION4
        💼 SC-40 (1) ELECTROMAGNETIC INTERFERENCE
        💼 SC-40 (2) REDUCE DETECTION POTENTIAL
        💼 SC-40 (3) IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION
        💼 SC-40 (4) SIGNAL PARAMETER IDENTIFICATION
    💼 SC-41 PORT AND I_O DEVICE ACCESS
    💼 SC-42 SENSOR CAPABILITY AND DATA3
        💼 SC-42 (1) REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES
        💼 SC-42 (2) AUTHORIZED USE
        💼 SC-42 (3) PROHIBIT USE OF DEVICES
    💼 SC-43 USAGE RESTRICTIONS
    💼 SC-44 DETONATION CHAMBERS
💼 SI SYSTEM AND INFORMATION INTEGRITY17
    💼 SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
    💼 SI-2 FLAW REMEDIATION611
        💼 SI-2 (1) CENTRAL MANAGEMENT
        💼 SI-2 (2) AUTOMATED FLAW REMEDIATION STATUS
        💼 SI-2 (3) TIME TO REMEDIATE FLAWS _ BENCHMARKS FOR CORRECTIVE ACTIONS
        💼 SI-2 (4) AUTOMATED PATCH MANAGEMENT TOOLS
        💼 SI-2 (5) AUTOMATIC SOFTWARE _ FIRMWARE UPDATES
        💼 SI-2 (6) REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE _ FIRMWARE
    💼 SI-3 MALICIOUS CODE PROTECTION10
        💼 SI-3 (1) CENTRAL MANAGEMENT
        💼 SI-3 (2) AUTOMATIC UPDATES
        💼 SI-3 (3) NON-PRIVILEGED USERS
        💼 SI-3 (4) UPDATES ONLY BY PRIVILEGED USERS
        💼 SI-3 (5) PORTABLE STORAGE DEVICES
        💼 SI-3 (6) TESTING _ VERIFICATION
        💼 SI-3 (7) NONSIGNATURE-BASED DETECTION
        💼 SI-3 (8) DETECT UNAUTHORIZED COMMANDS
        💼 SI-3 (9) AUTHENTICATE REMOTE COMMANDS
        💼 SI-3 (10) MALICIOUS CODE ANALYSIS
    💼 SI-4 INFORMATION SYSTEM MONITORING24
        💼 SI-4 (1) SYSTEM-WIDE INTRUSION DETECTION SYSTEM
        💼 SI-4 (2) AUTOMATED TOOLS FOR REAL-TIME ANALYSIS
        💼 SI-4 (3) AUTOMATED TOOL INTEGRATION
        💼 SI-4 (4) INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC
        💼 SI-4 (5) SYSTEM-GENERATED ALERTS
        💼 SI-4 (6) RESTRICT NON-PRIVILEGED USERS
        💼 SI-4 (7) AUTOMATED RESPONSE TO SUSPICIOUS EVENTS
        💼 SI-4 (8) PROTECTION OF MONITORING INFORMATION
        💼 SI-4 (9) TESTING OF MONITORING TOOLS
        💼 SI-4 (10) VISIBILITY OF ENCRYPTED COMMUNICATIONS
        💼 SI-4 (11) ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES
        💼 SI-4 (12) AUTOMATED ALERTS
        💼 SI-4 (13) ANALYZE TRAFFIC _ EVENT PATTERNS
        💼 SI-4 (14) WIRELESS INTRUSION DETECTION
        💼 SI-4 (15) WIRELESS TO WIRELINE COMMUNICATIONS
        💼 SI-4 (16) CORRELATE MONITORING INFORMATION
        💼 SI-4 (17) INTEGRATED SITUATIONAL AWARENESS
        💼 SI-4 (18) ANALYZE TRAFFIC _ COVERT EXFILTRATION
        💼 SI-4 (19) INDIVIDUALS POSING GREATER RISK
        💼 SI-4 (20) PRIVILEGED USERS
        💼 SI-4 (21) PROBATIONARY PERIODS
        💼 SI-4 (22) UNAUTHORIZED NETWORK SERVICES
        💼 SI-4 (23) HOST-BASED DEVICES
        💼 SI-4 (24) INDICATORS OF COMPROMISE
    💼 SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES1
        💼 SI-5 (1) AUTOMATED ALERTS AND ADVISORIES
    💼 SI-6 SECURITY FUNCTION VERIFICATION3
        💼 SI-6 (1) NOTIFICATION OF FAILED SECURITY TESTS
        💼 SI-6 (2) AUTOMATION SUPPORT FOR DISTRIBUTED TESTING
        💼 SI-6 (3) REPORT VERIFICATION RESULTS
    💼 SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY16
        💼 SI-7 (1) INTEGRITY CHECKS
        💼 SI-7 (2) AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS
        💼 SI-7 (3) CENTRALLY-MANAGED INTEGRITY TOOLS
        💼 SI-7 (4) TAMPER-EVIDENT PACKAGING
        💼 SI-7 (5) AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS
        💼 SI-7 (6) CRYPTOGRAPHIC PROTECTION
        💼 SI-7 (7) INTEGRATION OF DETECTION AND RESPONSE
        💼 SI-7 (8) AUDITING CAPABILITY FOR SIGNIFICANT EVENTS
        💼 SI-7 (9) VERIFY BOOT PROCESS
        💼 SI-7 (10) PROTECTION OF BOOT FIRMWARE
        💼 SI-7 (11) CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES
        💼 SI-7 (12) INTEGRITY VERIFICATION
        💼 SI-7 (13) CODE EXECUTION IN PROTECTED ENVIRONMENTS
        💼 SI-7 (14) BINARY OR MACHINE EXECUTABLE CODE
        💼 SI-7 (15) CODE AUTHENTICATION
        💼 SI-7 (16) TIME LIMIT ON PROCESS EXECUTION W_O SUPERVISION
    💼 SI-8 SPAM PROTECTION3
        💼 SI-8 (1) CENTRAL MANAGEMENT
        💼 SI-8 (2) AUTOMATIC UPDATES
        💼 SI-8 (3) CONTINUOUS LEARNING CAPABILITY
    💼 SI-9 INFORMATION INPUT RESTRICTIONS
    💼 SI-10 INFORMATION INPUT VALIDATION5
        💼 SI-10 (1) MANUAL OVERRIDE CAPABILITY
        💼 SI-10 (2) REVIEW _ RESOLUTION OF ERRORS
        💼 SI-10 (3) PREDICTABLE BEHAVIOR
        💼 SI-10 (4) REVIEW _ TIMING INTERACTIONS
        💼 SI-10 (5) RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS
    💼 SI-11 ERROR HANDLING
    💼 SI-12 INFORMATION HANDLING AND RETENTION
    💼 SI-13 PREDICTABLE FAILURE PREVENTION5
        💼 SI-13 (1) TRANSFERRING COMPONENT RESPONSIBILITIES
        💼 SI-13 (2) TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION
        💼 SI-13 (3) MANUAL TRANSFER BETWEEN COMPONENTS
        💼 SI-13 (4) STANDBY COMPONENT INSTALLATION _ NOTIFICATION
        💼 SI-13 (5) FAILOVER CAPABILITY
    💼 SI-14 NON-PERSISTENCE1
        💼 SI-14 (1) REFRESH FROM TRUSTED SOURCES
    💼 SI-15 INFORMATION OUTPUT FILTERING
    💼 SI-16 MEMORY PROTECTION
    💼 SI-17 FAIL-SAFE PROCEDURES