| 💼 AC-1 ACCESS CONTROL POLICY AND PROCEDURES | | | | |
| 💼 AC-2 ACCOUNT MANAGEMENT | 13 | 1 | 1 | |
| 💼 AC-2 (1) AUTOMATED SYSTEM ACCOUNT MANAGEMENT | | | | |
| 💼 AC-2 (2) REMOVAL OF TEMPORARY _ EMERGENCY ACCOUNTS | | | | |
| 💼 AC-2 (3) DISABLE INACTIVE ACCOUNTS | | | | |
| 💼 AC-2 (4) AUTOMATED AUDIT ACTIONS | | | | |
| 💼 AC-2 (5) INACTIVITY LOGOUT | | | | |
| 💼 AC-2 (6) DYNAMIC PRIVILEGE MANAGEMENT | | | | |
| 💼 AC-2 (7) ROLE-BASED SCHEMES | | 1 | 1 | |
| 💼 AC-2 (8) DYNAMIC ACCOUNT CREATION | | | | |
| 💼 AC-2 (9) RESTRICTIONS ON USE OF SHARED _ GROUP ACCOUNTS | | | | |
| 💼 AC-2 (10) SHARED _ GROUP ACCOUNT CREDENTIAL TERMINATION | | | | |
| 💼 AC-2 (11) USAGE CONDITIONS | | | | |
| 💼 AC-2 (12) ACCOUNT MONITORING _ ATYPICAL USAGE | | | | |
| 💼 AC-2 (13) DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS | | | | |
| 💼 AC-3 ACCESS ENFORCEMENT | 10 | | | |
| 💼 AC-3 (1) RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS | | | | |
| 💼 AC-3 (2) DUAL AUTHORIZATION | | | | |
| 💼 AC-3 (3) MANDATORY ACCESS CONTROL | | | | |
| 💼 AC-3 (4) DISCRETIONARY ACCESS CONTROL | | | | |
| 💼 AC-3 (5) SECURITY-RELEVANT INFORMATION | | | | |
| 💼 AC-3 (6) PROTECTION OF USER AND SYSTEM INFORMATION | | | | |
| 💼 AC-3 (7) ROLE-BASED ACCESS CONTROL | | | | |
| 💼 AC-3 (8) REVOCATION OF ACCESS AUTHORIZATIONS | | | | |
| 💼 AC-3 (9) CONTROLLED RELEASE | | | | |
| 💼 AC-3 (10) AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS | | | | |
| 💼 AC-4 INFORMATION FLOW ENFORCEMENT | 22 | | | |
| 💼 AC-4 (1) OBJECT SECURITY ATTRIBUTES | | | | |
| 💼 AC-4 (2) PROCESSING DOMAINS | | | | |
| 💼 AC-4 (3) DYNAMIC INFORMATION FLOW CONTROL | | | | |
| 💼 AC-4 (4) CONTENT CHECK ENCRYPTED INFORMATION | | | | |
| 💼 AC-4 (5) EMBEDDED DATA TYPES | | 1 | 1 | |
| 💼 AC-4 (6) METADATA | | | | |
| 💼 AC-4 (7) ONE-WAY FLOW MECHANISMS | | | | |
| 💼 AC-4 (8) SECURITY POLICY FILTERS | | | | |
| 💼 AC-4 (9) HUMAN REVIEWS | | | | |
| 💼 AC-4 (10) ENABLE _ DISABLE SECURITY POLICY FILTERS | | | | |
| 💼 AC-4 (11) CONFIGURATION OF SECURITY POLICY FILTERS | | | | |
| 💼 AC-4 (12) DATA TYPE IDENTIFIERS | | | | |
| 💼 AC-4 (13) DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS | | | | |
| 💼 AC-4 (14) SECURITY POLICY FILTER CONSTRAINTS | | | | |
| 💼 AC-4 (15) DETECTION OF UNSANCTIONED INFORMATION | | | | |
| 💼 AC-4 (16) INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS | | | | |
| 💼 AC-4 (17) DOMAIN AUTHENTICATION | | | | |
| 💼 AC-4 (18) SECURITY ATTRIBUTE BINDING | | | | |
| 💼 AC-4 (19) VALIDATION OF METADATA | | | | |
| 💼 AC-4 (20) APPROVED SOLUTIONS | | | | |
| 💼 AC-4 (21) PHYSICAL _ LOGICAL SEPARATION OF INFORMATION FLOWS | | | | |
| 💼 AC-4 (22) ACCESS ONLY | | | | |
| 💼 AC-5 SEPARATION OF DUTIES | | 3 | 3 | |
| 💼 AC-6 LEAST PRIVILEGE | 10 | 1 | 1 | |
| 💼 AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS | | | | |
| 💼 AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS | | | | |
| 💼 AC-6 (3) NETWORK ACCESS TO PRIVILEGED COMMANDS | | | | |
| 💼 AC-6 (4) SEPARATE PROCESSING DOMAINS | | | | |
| 💼 AC-6 (5) PRIVILEGED ACCOUNTS | | | | |
| 💼 AC-6 (6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS | | | | |
| 💼 AC-6 (7) REVIEW OF USER PRIVILEGES | | | | |
| 💼 AC-6 (8) PRIVILEGE LEVELS FOR CODE EXECUTION | | | | |
| 💼 AC-6 (9) AUDITING USE OF PRIVILEGED FUNCTIONS | | | | |
| 💼 AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS | | 1 | 1 | |
| 💼 AC-7 UNSUCCESSFUL LOGON ATTEMPTS | 2 | | | |
| 💼 AC-7 (1) AUTOMATIC ACCOUNT LOCK | | | | |
| 💼 AC-7 (2) PURGE _ WIPE MOBILE DEVICE | | | | |
| 💼 AC-8 SYSTEM USE NOTIFICATION | | | | |
| 💼 AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION | 4 | | | |
| 💼 AC-9 (1) UNSUCCESSFUL LOGONS | | | | |
| 💼 AC-9 (2) SUCCESSFUL _ UNSUCCESSFUL LOGONS | | | | |
| 💼 AC-9 (3) NOTIFICATION OF ACCOUNT CHANGES | | | | |
| 💼 AC-9 (4) ADDITIONAL LOGON INFORMATION | | | | |
| 💼 AC-10 CONCURRENT SESSION CONTROL | | | | |
| 💼 AC-11 SESSION LOCK | 1 | | | |
| 💼 AC-11 (1) PATTERN-HIDING DISPLAYS | | | | |
| 💼 AC-12 SESSION TERMINATION | 1 | | | |
| 💼 AC-12 (1) USER-INITIATED LOGOUTS _ MESSAGE DISPLAYS | | | | |
| 💼 AC-13 SUPERVISION AND REVIEW - ACCESS CONTROL | | | | |
| 💼 AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | 1 | | | |
| 💼 AC-14 (1) NECESSARY USES | | | | |
| 💼 AC-15 AUTOMATED MARKING | | | | |
| 💼 AC-16 SECURITY ATTRIBUTES | 10 | | | |
| 💼 AC-16 (1) DYNAMIC ATTRIBUTE ASSOCIATION | | | | |
| 💼 AC-16 (2) ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS | | | | |
| 💼 AC-16 (3) MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM | | | | |
| 💼 AC-16 (4) ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS | | | | |
| 💼 AC-16 (5) ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES | | | | |
| 💼 AC-16 (6) MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION | | | | |
| 💼 AC-16 (7) CONSISTENT ATTRIBUTE INTERPRETATION | | | | |
| 💼 AC-16 (8) ASSOCIATION TECHNIQUES _ TECHNOLOGIES | | | | |
| 💼 AC-16 (9) ATTRIBUTE REASSIGNMENT | | | | |
| 💼 AC-16 (10) ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS | | | | |
| 💼 AC-17 REMOTE ACCESS | 9 | | | |
| 💼 AC-17 (1) AUTOMATED MONITORING _ CONTROL | | | | |
| 💼 AC-17 (2) PROTECTION OF CONFIDENTIALITY _ INTEGRITY USING ENCRYPTION | | | | |
| 💼 AC-17 (3) MANAGED ACCESS CONTROL POINTS | | | | |
| 💼 AC-17 (4) PRIVILEGED COMMANDS _ ACCESS | | | | |
| 💼 AC-17 (5) MONITORING FOR UNAUTHORIZED CONNECTIONS | | | | |
| 💼 AC-17 (6) PROTECTION OF INFORMATION | | | | |
| 💼 AC-17 (7) ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS | | | | |
| 💼 AC-17 (8) DISABLE NONSECURE NETWORK PROTOCOLS | | | | |
| 💼 AC-17 (9) DISCONNECT _ DISABLE ACCESS | | | | |
| 💼 AC-18 WIRELESS ACCESS | 5 | | | |
| 💼 AC-18 (1) AUTHENTICATION AND ENCRYPTION | | | | |
| 💼 AC-18 (2) MONITORING UNAUTHORIZED CONNECTIONS | | | | |
| 💼 AC-18 (3) DISABLE WIRELESS NETWORKING | | | | |
| 💼 AC-18 (4) RESTRICT CONFIGURATIONS BY USERS | | | | |
| 💼 AC-18 (5) ANTENNAS _ TRANSMISSION POWER LEVELS | | | | |
| 💼 AC-19 ACCESS CONTROL FOR MOBILE DEVICES | 5 | | | |
| 💼 AC-19 (1) USE OF WRITABLE _ PORTABLE STORAGE DEVICES | | | | |
| 💼 AC-19 (2) USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES | | | | |
| 💼 AC-19 (3) USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER | | | | |
| 💼 AC-19 (4) RESTRICTIONS FOR CLASSIFIED INFORMATION | | | | |
| 💼 AC-19 (5) FULL DEVICE _ CONTAINER-BASED ENCRYPTION | | | | |
| 💼 AC-20 USE OF EXTERNAL INFORMATION SYSTEMS | 4 | | | |
| 💼 AC-20 (1) LIMITS ON AUTHORIZED USE | | | | |
| 💼 AC-20 (2) PORTABLE STORAGE DEVICES | | | | |
| 💼 AC-20 (3) NON-ORGANIZATIONALLY OWNED SYSTEMS _ COMPONENTS _ DEVICES | | | | |
| 💼 AC-20 (4) NETWORK ACCESSIBLE STORAGE DEVICES | | | | |
| 💼 AC-21 INFORMATION SHARING | 2 | | | |
| 💼 AC-21 (1) AUTOMATED DECISION SUPPORT | | | | |
| 💼 AC-21 (2) INFORMATION SEARCH AND RETRIEVAL | | | | |
| 💼 AC-22 PUBLICLY ACCESSIBLE CONTENT | | | | |
| 💼 AC-23 DATA MINING PROTECTION | | | | |
| 💼 AC-24 ACCESS CONTROL DECISIONS | 2 | | | |
| 💼 AC-24 (1) TRANSMIT ACCESS AUTHORIZATION INFORMATION | | | | |
| 💼 AC-24 (2) NO USER OR PROCESS IDENTITY | | | | |
| 💼 AC-25 REFERENCE MONITOR | | | | |