💼 NIST SP 800-53 Revision 5

  • Contextual name: 💼 NIST SP 800-53 Revision 5
  • ID: /frameworks/nist-sp-800-53-r5

Description

Empty...

Similar

  • Internal
    • ID: dec-a-815f9955

Sub Sections

Section  |  Sub Sections  |  Internal Rules  |  Policies  |  Flags
💼 AC Access Control25
    💼 AC-1 Policy and Procedures
    💼 AC-2 Account Management133
        💼 AC-2(1) Account Management _ Automated System Account Management416
        💼 AC-2(2) Account Management _ Automated Temporary and Emergency Account Management
        💼 AC-2(3) Account Management _ Disable Accounts14
        💼 AC-2(4) Account Management _ Automated Audit Actions1113
        💼 AC-2(5) Account Management _ Inactivity Logout
        💼 AC-2(6) Account Management _ Dynamic Privilege Management
        💼 AC-2(7) Account Management _ Privileged User Accounts11
        💼 AC-2(8) Account Management _ Dynamic Account Management
        💼 AC-2(9) Account Management _ Restrictions on Use of Shared and Group Accounts
        💼 AC-2(10) Account Management _ Shared and Group Account Credential Change
        💼 AC-2(11) Account Management _ Usage Conditions
        💼 AC-2(12) Account Management _ Account Monitoring for Atypical Usage
        💼 AC-2(13) Account Management _ Disable Accounts for High-risk Individuals
    💼 AC-3 Access Enforcement15411
        💼 AC-3(1) Access Enforcement _ Restricted Access to Privileged Functions
        💼 AC-3(2) Access Enforcement _ Dual Authorization
        💼 AC-3(3) Access Enforcement _ Mandatory Access Control
        💼 AC-3(4) Access Enforcement _ Discretionary Access Control
        💼 AC-3(5) Access Enforcement _ Security-relevant Information
        💼 AC-3(6) Access Enforcement _ Protection of User and System Information
        💼 AC-3(7) Access Enforcement _ Role-based Access Control7
        💼 AC-3(8) Access Enforcement _ Revocation of Access Authorizations
        💼 AC-3(9) Access Enforcement _ Controlled Release
        💼 AC-3(10) Access Enforcement _ Audited Override of Access Control Mechanisms
        💼 AC-3(11) Access Enforcement _ Restrict Access to Specific Information Types
        💼 AC-3(12) Access Enforcement _ Assert and Enforce Application Access
        💼 AC-3(13) Access Enforcement _ Attribute-based Access Control
        💼 AC-3(14) Access Enforcement _ Individual Access
        💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control10
    💼 AC-4 Information Flow Enforcement32721
        💼 AC-4(1) Information Flow Enforcement _ Object Security and Privacy Attributes
        💼 AC-4(2) Information Flow Enforcement _ Processing Domains2527
        💼 AC-4(3) Information Flow Enforcement _ Dynamic Information Flow Control
        💼 AC-4(4) Information Flow Enforcement _ Flow Control of Encrypted Information
        💼 AC-4(5) Information Flow Enforcement _ Embedded Data Types11
        💼 AC-4(6) Information Flow Enforcement _ Metadata
        💼 AC-4(7) Information Flow Enforcement _ One-way Flow Mechanisms
        💼 AC-4(8) Information Flow Enforcement _ Security and Privacy Policy Filters
        💼 AC-4(9) Information Flow Enforcement _ Human Reviews
        💼 AC-4(10) Information Flow Enforcement _ Enable and Disable Security or Privacy Policy Filters
        💼 AC-4(11) Information Flow Enforcement _ Configuration of Security or Privacy Policy Filters
        💼 AC-4(12) Information Flow Enforcement _ Data Type Identifiers
        💼 AC-4(13) Information Flow Enforcement _ Decomposition into Policy-relevant Subcomponents
        💼 AC-4(14) Information Flow Enforcement _ Security or Privacy Policy Filter Constraints22
        💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information78
        💼 AC-4(16) Information Flow Enforcement _ Information Transfers on Interconnected Systems
        💼 AC-4(17) Information Flow Enforcement _ Domain Authentication
        💼 AC-4(18) Information Flow Enforcement _ Security Attribute Binding
        💼 AC-4(19) Information Flow Enforcement _ Validation of Metadata
        💼 AC-4(20) Information Flow Enforcement _ Approved Solutions
        💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3539
        💼 AC-4(22) Information Flow Enforcement _ Access Only
        💼 AC-4(23) Information Flow Enforcement _ Modify Non-releasable Information
        💼 AC-4(24) Information Flow Enforcement _ Internal Normalized Format
        💼 AC-4(25) Information Flow Enforcement _ Data Sanitization
        💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions7
        💼 AC-4(27) Information Flow Enforcement _ Redundant/independent Filtering Mechanisms
        💼 AC-4(28) Information Flow Enforcement _ Linear Filter Pipelines
        💼 AC-4(29) Information Flow Enforcement _ Filter Orchestration Engines
        💼 AC-4(30) Information Flow Enforcement _ Filter Mechanisms Using Multiple Processes
        💼 AC-4(31) Information Flow Enforcement _ Failed Content Transfer Prevention
        💼 AC-4(32) Information Flow Enforcement _ Process Requirements for Information Transfer
    💼 AC-5 Separation of Duties1
    💼 AC-6 Least Privilege107
        💼 AC-6(1) Least Privilege _ Authorize Access to Security Functions22
        💼 AC-6(2) Least Privilege _ Non-privileged Access for Nonsecurity Functions44
        💼 AC-6(3) Least Privilege _ Network Access to Privileged Commands2
        💼 AC-6(4) Least Privilege _ Separate Processing Domains
        💼 AC-6(5) Least Privilege _ Privileged Accounts33
        💼 AC-6(6) Least Privilege _ Privileged Access by Non-organizational Users
        💼 AC-6(7) Least Privilege _ Review of User Privileges
        💼 AC-6(8) Least Privilege _ Privilege Levels for Code Execution
        💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions1516
        💼 AC-6(10) Least Privilege _ Prohibit Non-privileged Users from Executing Privileged Functions2
    💼 AC-7 Unsuccessful Logon Attempts4
        💼 AC-7(1) Unsuccessful Logon Attempts _ Automatic Account Lock
        💼 AC-7(2) Unsuccessful Logon Attempts _ Purge or Wipe Mobile Device
        💼 AC-7(3) Unsuccessful Logon Attempts _ Biometric Attempt Limiting
        💼 AC-7(4) Unsuccessful Logon Attempts _ Use of Alternate Authentication Factor
    💼 AC-8 System Use Notification
    💼 AC-9 Previous Logon Notification4
        💼 AC-9(1) Previous Logon Notification _ Unsuccessful Logons
        💼 AC-9(2) Previous Logon Notification _ Successful and Unsuccessful Logons
        💼 AC-9(3) Previous Logon Notification _ Notification of Account Changes
        💼 AC-9(4) Previous Logon Notification _ Additional Logon Information
    💼 AC-10 Concurrent Session Control
    💼 AC-11 Device Lock1
        💼 AC-11(1) Device Lock _ Pattern-hiding Displays
    💼 AC-12 Session Termination3
        💼 AC-12(1) Session Termination _ User-initiated Logouts
        💼 AC-12(2) Session Termination _ Termination Message
        💼 AC-12(3) Session Termination _ Timeout Warning Message
    💼 AC-13 Supervision and Review — Access Control
    💼 AC-14 Permitted Actions Without Identification or Authentication1
        💼 AC-14(1) Permitted Actions Without Identification or Authentication _ Necessary Uses
    💼 AC-15 Automated Marking
    💼 AC-16 Security and Privacy Attributes10
        💼 AC-16(1) Security and Privacy Attributes _ Dynamic Attribute Association
        💼 AC-16(2) Security and Privacy Attributes _ Attribute Value Changes by Authorized Individuals
        💼 AC-16(3) Security and Privacy Attributes _ Maintenance of Attribute Associations by System
        💼 AC-16(4) Security and Privacy Attributes _ Association of Attributes by Authorized Individuals
        💼 AC-16(5) Security and Privacy Attributes _ Attribute Displays on Objects to Be Output
        💼 AC-16(6) Security and Privacy Attributes _ Maintenance of Attribute Association
        💼 AC-16(7) Security and Privacy Attributes _ Consistent Attribute Interpretation
        💼 AC-16(8) Security and Privacy Attributes _ Association Techniques and Technologies
        💼 AC-16(9) Security and Privacy Attributes _ Attribute Reassignment — Regrading Mechanisms
        💼 AC-16(10) Security and Privacy Attributes _ Attribute Configuration by Authorized Individuals
    💼 AC-17 Remote Access10
        💼 AC-17(1) Remote Access _ Monitoring and Control11
        💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption1113
        💼 AC-17(3) Remote Access _ Managed Access Control Points
        💼 AC-17(4) Remote Access _ Privileged Commands and Access
        💼 AC-17(5) Remote Access _ Monitoring for Unauthorized Connections
        💼 AC-17(6) Remote Access _ Protection of Mechanism Information
        💼 AC-17(7) Remote Access _ Additional Protection for Security Function Access
        💼 AC-17(8) Remote Access _ Disable Nonsecure Network Protocols
        💼 AC-17(9) Remote Access _ Disconnect or Disable Access
        💼 AC-17(10) Remote Access _ Authenticate Remote Commands
    💼 AC-18 Wireless Access5
        💼 AC-18(1) Wireless Access _ Authentication and Encryption
        💼 AC-18(2) Wireless Access _ Monitoring Unauthorized Connections
        💼 AC-18(3) Wireless Access _ Disable Wireless Networking
        💼 AC-18(4) Wireless Access _ Restrict Configurations by Users
        💼 AC-18(5) Wireless Access _ Antennas and Transmission Power Levels
    💼 AC-19 Access Control for Mobile Devices5
        💼 AC-19(1) Access Control for Mobile Devices _ Use of Writable and Portable Storage Devices
        💼 AC-19(2) Access Control for Mobile Devices _ Use of Personally Owned Portable Storage Devices
        💼 AC-19(3) Access Control for Mobile Devices _ Use of Portable Storage Devices with No Identifiable Owner
        💼 AC-19(4) Access Control for Mobile Devices _ Restrictions for Classified Information
        💼 AC-19(5) Access Control for Mobile Devices _ Full Device or Container-based Encryption
    💼 AC-20 Use of External Systems5
        💼 AC-20(1) Use of External Systems _ Limits on Authorized Use
        💼 AC-20(2) Use of External Systems _ Portable Storage Devices — Restricted Use
        💼 AC-20(3) Use of External Systems _ Non-organizationally Owned Systems — Restricted Use
        💼 AC-20(4) Use of External Systems _ Network Accessible Storage Devices — Prohibited Use
        💼 AC-20(5) Use of External Systems _ Portable Storage Devices — Prohibited Use
    💼 AC-21 Information Sharing22
        💼 AC-21(1) Information Sharing _ Automated Decision Support
        💼 AC-21(2) Information Sharing _ Information Search and Retrieval
    💼 AC-22 Publicly Accessible Content
    💼 AC-23 Data Mining Protection
    💼 AC-24 Access Control Decisions2
        💼 AC-24(1) Access Control Decisions _ Transmit Access Authorization Information
        💼 AC-24(2) Access Control Decisions _ No User or Process Identity
    💼 AC-25 Reference Monitor
💼 AT Awareness And Training6
    💼 AT-1 Policy and Procedures
    💼 AT-2 Literacy Training and Awareness6
        💼 AT-2(1) Literacy Training and Awareness _ Practical Exercises
        💼 AT-2(2) Literacy Training and Awareness _ Insider Threat
        💼 AT-2(3) Literacy Training and Awareness _ Social Engineering and Mining
        💼 AT-2(4) Literacy Training and Awareness _ Suspicious Communications and Anomalous System Behavior
        💼 AT-2(5) Literacy Training and Awareness _ Advanced Persistent Threat
        💼 AT-2(6) Literacy Training and Awareness _ Cyber Threat Environment
    💼 AT-3 Role-based Training5
        💼 AT-3(1) Role-based Training _ Environmental Controls
        💼 AT-3(2) Role-based Training _ Physical Security Controls
        💼 AT-3(3) Role-based Training _ Practical Exercises
        💼 AT-3(4) Role-based Training _ Suspicious Communications and Anomalous System Behavior
        💼 AT-3(5) Role-based Training _ Processing Personally Identifiable Information
    💼 AT-4 Training Records
    💼 AT-5 Contacts with Security Groups and Associations
    💼 AT-6 Training Feedback
💼 AU Audit And Accountability16
    💼 AU-1 Policy and Procedures
    💼 AU-2 Event Logging46
        💼 AU-2(1) Event Logging _ Compilation of Audit Records from Multiple Sources
        💼 AU-2(2) Event Logging _ Selection of Audit Events by Component
        💼 AU-2(3) Event Logging _ Reviews and Updates
        💼 AU-2(4) Event Logging _ Privileged Functions
    💼 AU-3 Content of Audit Records36
        💼 AU-3(1) Content of Audit Records _ Additional Audit Information1314
        💼 AU-3(2) Content of Audit Records _ Centralized Management of Planned Audit Record Content
        💼 AU-3(3) Content of Audit Records _ Limit Personally Identifiable Information Elements
    💼 AU-4 Audit Log Storage Capacity1
        💼 AU-4(1) Audit Log Storage Capacity _ Transfer to Alternate Storage
    💼 AU-5 Response to Audit Logging Process Failures5
        💼 AU-5(1) Response to Audit Logging Process Failures _ Storage Capacity Warning
        💼 AU-5(2) Response to Audit Logging Process Failures _ Real-time Alerts
        💼 AU-5(3) Response to Audit Logging Process Failures _ Configurable Traffic Volume Thresholds
        💼 AU-5(4) Response to Audit Logging Process Failures _ Shutdown on Failure
        💼 AU-5(5) Response to Audit Logging Process Failures _ Alternate Audit Logging Capability
    💼 AU-6 Audit Record Review, Analysis, and Reporting10
        💼 AU-6(1) Audit Record Review, Analysis, and Reporting _ Automated Process Integration11
        💼 AU-6(2) Audit Record Review, Analysis, and Reporting _ Automated Security Alerts
        💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories6
        💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis6
        💼 AU-6(5) Audit Record Review, Analysis, and Reporting _ Integrated Analysis of Audit Records
        💼 AU-6(6) Audit Record Review, Analysis, and Reporting _ Correlation with Physical Monitoring
        💼 AU-6(7) Audit Record Review, Analysis, and Reporting _ Permitted Actions
        💼 AU-6(8) Audit Record Review, Analysis, and Reporting _ Full Text Analysis of Privileged Commands
        💼 AU-6(9) Audit Record Review, Analysis, and Reporting _ Correlation with Information from Nontechnical Sources
        💼 AU-6(10) Audit Record Review, Analysis, and Reporting _ Audit Level Adjustment
    💼 AU-7 Audit Record Reduction and Report Generation2
        💼 AU-7(1) Audit Record Reduction and Report Generation _ Automatic Processing11
        💼 AU-7(2) Audit Record Reduction and Report Generation _ Automatic Sort and Search
    💼 AU-8 Time Stamps2
        💼 AU-8(1) Time Stamps _ Synchronization with Authoritative Time Source
        💼 AU-8(2) Time Stamps _ Secondary Authoritative Time Source
    💼 AU-9 Protection of Audit Information72
        💼 AU-9(1) Protection of Audit Information _ Hardware Write-once Media
        💼 AU-9(2) Protection of Audit Information _ Store on Separate Physical Systems or Components
        💼 AU-9(3) Protection of Audit Information _ Cryptographic Protection
        💼 AU-9(4) Protection of Audit Information _ Access by Subset of Privileged Users22
        💼 AU-9(5) Protection of Audit Information _ Dual Authorization
        💼 AU-9(6) Protection of Audit Information _ Read-only Access
        💼 AU-9(7) Protection of Audit Information _ Store on Component with Different Operating System
    💼 AU-10 Non-repudiation55
        💼 AU-10(1) Non-repudiation _ Association of Identities
        💼 AU-10(2) Non-repudiation _ Validate Binding of Information Producer Identity
        💼 AU-10(3) Non-repudiation _ Chain of Custody
        💼 AU-10(4) Non-repudiation _ Validate Binding of Information Reviewer Identity
        💼 AU-10(5) Non-repudiation _ Digital Signatures
    💼 AU-11 Audit Record Retention1
        💼 AU-11(1) Audit Record Retention _ Long-term Retrieval Capability
    💼 AU-12 Audit Record Generation44547
        💼 AU-12(1) Audit Record Generation _ System-wide and Time-correlated Audit Trail
        💼 AU-12(2) Audit Record Generation _ Standardized Formats
        💼 AU-12(3) Audit Record Generation _ Changes by Authorized Individuals
        💼 AU-12(4) Audit Record Generation _ Query Parameter Audits of Personally Identifiable Information
    💼 AU-13 Monitoring for Information Disclosure3
        💼 AU-13(1) Monitoring for Information Disclosure _ Use of Automated Tools
        💼 AU-13(2) Monitoring for Information Disclosure _ Review of Monitored Sites
        💼 AU-13(3) Monitoring for Information Disclosure _ Unauthorized Replication of Information
    💼 AU-14 Session Audit3
        💼 AU-14(1) Session Audit _ System Start-up1
        💼 AU-14(2) Session Audit _ Capture and Record Content
        💼 AU-14(3) Session Audit _ Remote Viewing and Listening
    💼 AU-15 Alternate Audit Logging Capability
    💼 AU-16 Cross-organizational Audit Logging3
        💼 AU-16(1) Cross-organizational Audit Logging _ Identity Preservation
        💼 AU-16(2) Cross-organizational Audit Logging _ Sharing of Audit Information
        💼 AU-16(3) Cross-organizational Audit Logging _ Disassociability
💼 CA Assessment, Authorization, And Monitoring9
    💼 CA-1 Policy and Procedures
    💼 CA-2 Control Assessments3
        💼 CA-2(1) Control Assessments _ Independent Assessors
        💼 CA-2(2) Control Assessments _ Specialized Assessments
        💼 CA-2(3) Control Assessments _ Leveraging Results from External Organizations
    💼 CA-3 Information Exchange7
        💼 CA-3(1) Information Exchange _ Unclassified National Security System Connections
        💼 CA-3(2) Information Exchange _ Classified National Security System Connections
        💼 CA-3(3) Information Exchange _ Unclassified Non-national Security System Connections
        💼 CA-3(4) Information Exchange _ Connections to Public Networks
        💼 CA-3(5) Information Exchange _ Restrictions on External System Connections
        💼 CA-3(6) Information Exchange _ Transfer Authorizations
        💼 CA-3(7) Information Exchange _ Transitive Information Exchanges
    💼 CA-4 Security Certification
    💼 CA-5 Plan of Action and Milestones1
        💼 CA-5(1) Plan of Action and Milestones _ Automation Support for Accuracy and Currency
    💼 CA-6 Authorization2
        💼 CA-6(1) Authorization _ Joint Authorization — Intra-organization
        💼 CA-6(2) Authorization _ Joint Authorization — Inter-organization
    💼 CA-7 Continuous Monitoring68
        💼 CA-7(1) Continuous Monitoring _ Independent Assessment
        💼 CA-7(2) Continuous Monitoring _ Types of Assessments
        💼 CA-7(3) Continuous Monitoring _ Trend Analyses
        💼 CA-7(4) Continuous Monitoring _ Risk Monitoring
        💼 CA-7(5) Continuous Monitoring _ Consistency Analysis
        💼 CA-7(6) Continuous Monitoring _ Automation Support for Monitoring
    💼 CA-8 Penetration Testing3
        💼 CA-8(1) Penetration Testing _ Independent Penetration Testing Agent or Team
        💼 CA-8(2) Penetration Testing _ Red Team Exercises
        💼 CA-8(3) Penetration Testing _ Facility Penetration Testing
    💼 CA-9 Internal System Connections1
        💼 CA-9(1) Internal System Connections _ Compliance Checks15
💼 CM Configuration Management14
    💼 CM-1 Policy and Procedures
    💼 CM-2 Baseline Configuration713
        💼 CM-2(1) Baseline Configuration _ Reviews and Updates
        💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency13
        💼 CM-2(3) Baseline Configuration _ Retention of Previous Configurations
        💼 CM-2(4) Baseline Configuration _ Unauthorized Software
        💼 CM-2(5) Baseline Configuration _ Authorized Software
        💼 CM-2(6) Baseline Configuration _ Development and Test Environments
        💼 CM-2(7) Baseline Configuration _ Configure Systems and Components for High-risk Areas
    💼 CM-3 Configuration Change Control81517
        💼 CM-3(1) Configuration Change Control _ Automated Documentation, Notification, and Prohibition of Changes
        💼 CM-3(2) Configuration Change Control _ Testing, Validation, and Documentation of Changes
        💼 CM-3(3) Configuration Change Control _ Automated Change Implementation
        💼 CM-3(4) Configuration Change Control _ Security and Privacy Representatives
        💼 CM-3(5) Configuration Change Control _ Automated Security Response
        💼 CM-3(6) Configuration Change Control _ Cryptography Management4
        💼 CM-3(7) Configuration Change Control _ Review System Changes
        💼 CM-3(8) Configuration Change Control _ Prevent or Restrict Configuration Changes
    💼 CM-4 Impact Analyses2
        💼 CM-4(1) Impact Analyses _ Separate Test Environments
        💼 CM-4(2) Impact Analyses _ Verification of Controls
    💼 CM-5 Access Restrictions for Change7
        💼 CM-5(1) Access Restrictions for Change _ Automated Access Enforcement and Audit Records
        💼 CM-5(2) Access Restrictions for Change _ Review System Changes
        💼 CM-5(3) Access Restrictions for Change _ Signed Components
        💼 CM-5(4) Access Restrictions for Change _ Dual Authorization
        💼 CM-5(5) Access Restrictions for Change _ Privilege Limitation for Production and Operation
        💼 CM-5(6) Access Restrictions for Change _ Limit Library Privileges
        💼 CM-5(7) Access Restrictions for Change _ Automatic Implementation of Security Safeguards
    💼 CM-6 Configuration Settings4
        💼 CM-6(1) Configuration Settings _ Automated Management, Application, and Verification1
        💼 CM-6(2) Configuration Settings _ Respond to Unauthorized Changes
        💼 CM-6(3) Configuration Settings _ Unauthorized Change Detection
        💼 CM-6(4) Configuration Settings _ Conformance Demonstration
    💼 CM-7 Least Functionality911
        💼 CM-7(1) Least Functionality _ Periodic Review
        💼 CM-7(2) Least Functionality _ Prevent Program Execution
        💼 CM-7(3) Least Functionality _ Registration Compliance
        💼 CM-7(4) Least Functionality _ Unauthorized Software — Deny-by-exception
        💼 CM-7(5) Least Functionality _ Authorized Software — Allow-by-exception
        💼 CM-7(6) Least Functionality _ Confined Environments with Limited Privileges
        💼 CM-7(7) Least Functionality _ Code Execution in Protected Environments
        💼 CM-7(8) Least Functionality _ Binary or Machine Executable Code
        💼 CM-7(9) Least Functionality _ Prohibiting The Use of Unauthorized Hardware
    💼 CM-8 System Component Inventory91
        💼 CM-8(1) System Component Inventory _ Updates During Installation and Removal
        💼 CM-8(2) System Component Inventory _ Automated Maintenance1
        💼 CM-8(3) System Component Inventory _ Automated Unauthorized Component Detection
        💼 CM-8(4) System Component Inventory _ Accountability Information
        💼 CM-8(5) System Component Inventory _ No Duplicate Accounting of Components
        💼 CM-8(6) System Component Inventory _ Assessed Configurations and Approved Deviations
        💼 CM-8(7) System Component Inventory _ Centralized Repository
        💼 CM-8(8) System Component Inventory _ Automated Location Tracking
        💼 CM-8(9) System Component Inventory _ Assignment of Components to Systems
    💼 CM-9 Configuration Management Plan1
        💼 CM-9(1) Configuration Management Plan _ Assignment of Responsibility
    💼 CM-10 Software Usage Restrictions1
        💼 CM-10(1) Software Usage Restrictions _ Open-source Software
    💼 CM-11 User-installed Software3
        💼 CM-11(1) User-installed Software _ Alerts for Unauthorized Installations
        💼 CM-11(2) User-installed Software _ Software Installation with Privileged Status
        💼 CM-11(3) User-installed Software _ Automated Enforcement and Monitoring
    💼 CM-12 Information Location1
        💼 CM-12(1) Information Location _ Automated Tools to Support Information Location
    💼 CM-13 Data Action Mapping
    💼 CM-14 Signed Components
💼 CP Contingency Planning13
    💼 CP-1 Policy and Procedures
    💼 CP-2 Contingency Plan8
        💼 CP-2(1) Contingency Plan _ Coordinate with Related Plans
        💼 CP-2(2) Contingency Plan _ Capacity Planning1
        💼 CP-2(3) Contingency Plan _ Resume Mission and Business Functions
        💼 CP-2(4) Contingency Plan _ Resume All Mission and Business Functions
        💼 CP-2(5) Contingency Plan _ Continue Mission and Business Functions
        💼 CP-2(6) Contingency Plan _ Alternate Processing and Storage Sites
        💼 CP-2(7) Contingency Plan _ Coordinate with External Service Providers
        💼 CP-2(8) Contingency Plan _ Identify Critical Assets
    💼 CP-3 Contingency Training2
        💼 CP-3(1) Contingency Training _ Simulated Events
        💼 CP-3(2) Contingency Training _ Mechanisms Used in Training Environments
    💼 CP-4 Contingency Plan Testing5
        💼 CP-4(1) Contingency Plan Testing _ Coordinate with Related Plans
        💼 CP-4(2) Contingency Plan Testing _ Alternate Processing Site
        💼 CP-4(3) Contingency Plan Testing _ Automated Testing
        💼 CP-4(4) Contingency Plan Testing _ Full Recovery and Reconstitution
        💼 CP-4(5) Contingency Plan Testing _ Self-challenge
    💼 CP-5 Contingency Plan Update
    💼 CP-6 Alternate Storage Site3
        💼 CP-6(1) Alternate Storage Site _ Separation from Primary Site
        💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives2
        💼 CP-6(3) Alternate Storage Site _ Accessibility
    💼 CP-7 Alternate Processing Site6
        💼 CP-7(1) Alternate Processing Site _ Separation from Primary Site
        💼 CP-7(2) Alternate Processing Site _ Accessibility
        💼 CP-7(3) Alternate Processing Site _ Priority of Service
        💼 CP-7(4) Alternate Processing Site _ Preparation for Use
        💼 CP-7(5) Alternate Processing Site _ Equivalent Information Security Safeguards
        💼 CP-7(6) Alternate Processing Site _ Inability to Return to Primary Site
    💼 CP-8 Telecommunications Services5
        💼 CP-8(1) Telecommunications Services _ Priority of Service Provisions
        💼 CP-8(2) Telecommunications Services _ Single Points of Failure
        💼 CP-8(3) Telecommunications Services _ Separation of Primary and Alternate Providers
        💼 CP-8(4) Telecommunications Services _ Provider Contingency Plan
        💼 CP-8(5) Telecommunications Services _ Alternate Telecommunication Service Testing
    💼 CP-9 System Backup81
        💼 CP-9(1) System Backup _ Testing for Reliability and Integrity
        💼 CP-9(2) System Backup _ Test Restoration Using Sampling
        💼 CP-9(3) System Backup _ Separate Storage for Critical Information
        💼 CP-9(4) System Backup _ Protection from Unauthorized Modification
        💼 CP-9(5) System Backup _ Transfer to Alternate Storage Site
        💼 CP-9(6) System Backup _ Redundant Secondary System
        💼 CP-9(7) System Backup _ Dual Authorization for Deletion or Destruction
        💼 CP-9(8) System Backup _ Cryptographic Protection
    💼 CP-10 System Recovery and Reconstitution62
        💼 CP-10(1) System Recovery and Reconstitution _ Contingency Plan Testing
        💼 CP-10(2) System Recovery and Reconstitution _ Transaction Recovery
        💼 CP-10(3) System Recovery and Reconstitution _ Compensating Security Controls
        💼 CP-10(4) System Recovery and Reconstitution _ Restore Within Time Period
        💼 CP-10(5) System Recovery and Reconstitution _ Failover Capability
        💼 CP-10(6) System Recovery and Reconstitution _ Component Protection
    💼 CP-11 Alternate Communications Protocols
    💼 CP-12 Safe Mode
    💼 CP-13 Alternative Security Mechanisms
💼 IA Identification And Authentication12
    💼 IA-1 Policy and Procedures
    💼 IA-2 Identification and Authentication (organizational Users)13
        💼 IA-2(1) Identification and Authentication (organizational Users) _ Multi-factor Authentication to Privileged Accounts2
        💼 IA-2(2) Identification and Authentication (organizational Users) _ Multi-factor Authentication to Non-privileged Accounts2
        💼 IA-2(3) Identification and Authentication (organizational Users) _ Local Access to Privileged Accounts
        💼 IA-2(4) Identification and Authentication (organizational Users) _ Local Access to Non-privileged Accounts
        💼 IA-2(5) Identification and Authentication (organizational Users) _ Individual Authentication with Group Authentication
        💼 IA-2(6) Identification and Authentication (organizational Users) _ Access to Accounts — Separate Device2
        💼 IA-2(7) Identification and Authentication (organizational Users) _ Network Access to Non-privileged Accounts — Separate Device
        💼 IA-2(8) Identification and Authentication (organizational Users) _ Access to Accounts — Replay Resistant2
        💼 IA-2(9) Identification and Authentication (organizational Users) _ Network Access to Non-privileged Accounts — Replay Resistant
        💼 IA-2(10) Identification and Authentication (organizational Users) _ Single Sign-on
        💼 IA-2(11) Identification and Authentication (organizational Users) _ Remote Access — Separate Device
        💼 IA-2(12) Identification and Authentication (organizational Users) _ Acceptance of PIV Credentials
        💼 IA-2(13) Identification and Authentication (organizational Users) _ Out-of-band Authentication
    💼 IA-3 Device Identification and Authentication4
        💼 IA-3(1) Device Identification and Authentication _ Cryptographic Bidirectional Authentication
        💼 IA-3(2) Device Identification and Authentication _ Cryptographic Bidirectional Network Authentication
        💼 IA-3(3) Device Identification and Authentication _ Dynamic Address Allocation
        💼 IA-3(4) Device Identification and Authentication _ Device Attestation
    💼 IA-4 Identifier Management9
        💼 IA-4(1) Identifier Management _ Prohibit Account Identifiers as Public Identifiers
        💼 IA-4(2) Identifier Management _ Supervisor Authorization
        💼 IA-4(3) Identifier Management _ Multiple Forms of Certification
        💼 IA-4(4) Identifier Management _ Identify User Status
        💼 IA-4(5) Identifier Management _ Dynamic Management
        💼 IA-4(6) Identifier Management _ Cross-organization Management
        💼 IA-4(7) Identifier Management _ In-person Registration
        💼 IA-4(8) Identifier Management _ Pairwise Pseudonymous Identifiers
        💼 IA-4(9) Identifier Management _ Attribute Maintenance and Protection
    💼 IA-5 Authenticator Management18
        💼 IA-5(1) Authenticator Management _ Password-based Authentication4
        💼 IA-5(2) Authenticator Management _ Public Key-based Authentication
        💼 IA-5(3) Authenticator Management _ In-person or Trusted External Party Registration
        💼 IA-5(4) Authenticator Management _ Automated Support for Password Strength Determination
        💼 IA-5(5) Authenticator Management _ Change Authenticators Prior to Delivery
        💼 IA-5(6) Authenticator Management _ Protection of Authenticators
        💼 IA-5(7) Authenticator Management _ No Embedded Unencrypted Static Authenticators
        💼 IA-5(8) Authenticator Management _ Multiple System Accounts
        💼 IA-5(9) Authenticator Management _ Federated Credential Management
        💼 IA-5(10) Authenticator Management _ Dynamic Credential Binding
        💼 IA-5(11) Authenticator Management _ Hardware Token-based Authentication
        💼 IA-5(12) Authenticator Management _ Biometric Authentication Performance
        💼 IA-5(13) Authenticator Management _ Expiration of Cached Authenticators
        💼 IA-5(14) Authenticator Management _ Managing Content of PKI Trust Stores
        💼 IA-5(15) Authenticator Management _ GSA-approved Products and Services
        💼 IA-5(16) Authenticator Management _ In-person or Trusted External Party Authenticator Issuance
        💼 IA-5(17) Authenticator Management _ Presentation Attack Detection for Biometric Authenticators
        💼 IA-5(18) Authenticator Management _ Password Managers
    💼 IA-6 Authentication Feedback
    💼 IA-7 Cryptographic Module Authentication
    💼 IA-8 Identification and Authentication (non-organizational Users)6
        💼 IA-8(1) Identification and Authentication (non-organizational Users) _ Acceptance of PIV Credentials from Other Agencies
        💼 IA-8(2) Identification and Authentication (non-organizational Users) _ Acceptance of External Authenticators
        💼 IA-8(3) Identification and Authentication (non-organizational Users) _ Use of FICAM-approved Products
        💼 IA-8(4) Identification and Authentication (non-organizational Users) _ Use of Defined Profiles
        💼 IA-8(5) Identification and Authentication (non-organizational Users) _ Acceptance of PIV-I Credentials
        💼 IA-8(6) Identification and Authentication (non-organizational Users) _ Disassociability
    💼 IA-9 Service Identification and Authentication [2]
        💼 IA-9(1) Service Identification and Authentication _ Information Exchange
        💼 IA-9(2) Service Identification and Authentication _ Transmission of Decisions
    💼 IA-10 Adaptive Authentication
    💼 IA-11 Re-authentication
    💼 IA-12 Identity Proofing [6]
        💼 IA-12(1) Identity Proofing _ Supervisor Authorization
        💼 IA-12(2) Identity Proofing _ Identity Evidence
        💼 IA-12(3) Identity Proofing _ Identity Evidence Validation and Verification
        💼 IA-12(4) Identity Proofing _ In-person Validation and Verification
        💼 IA-12(5) Identity Proofing _ Address Confirmation
        💼 IA-12(6) Identity Proofing _ Accept Externally-proofed Identities
💼 IR Incident Response [10]
    💼 IR-1 Policy and Procedures
    💼 IR-2 Incident Response Training [3]
        💼 IR-2(1) Incident Response Training _ Simulated Events
        💼 IR-2(2) Incident Response Training _ Automated Training Environments
        💼 IR-2(3) Incident Response Training _ Breach
    💼 IR-3 Incident Response Testing [3]
        💼 IR-3(1) Incident Response Testing _ Automated Testing
        💼 IR-3(2) Incident Response Testing _ Coordination with Related Plans
        💼 IR-3(3) Incident Response Testing _ Continuous Improvement
    💼 IR-4 Incident Handling [15]
        💼 IR-4(1) Incident Handling _ Automated Incident Handling Processes
        💼 IR-4(2) Incident Handling _ Dynamic Reconfiguration
        💼 IR-4(3) Incident Handling _ Continuity of Operations
        💼 IR-4(4) Incident Handling _ Information Correlation
        💼 IR-4(5) Incident Handling _ Automatic Disabling of System
        💼 IR-4(6) Incident Handling _ Insider Threats
        💼 IR-4(7) Incident Handling _ Insider Threats — Intra-organization Coordination
        💼 IR-4(8) Incident Handling _ Correlation with External Organizations
        💼 IR-4(9) Incident Handling _ Dynamic Response Capability
        💼 IR-4(10) Incident Handling _ Supply Chain Coordination
        💼 IR-4(11) Incident Handling _ Integrated Incident Response Team
        💼 IR-4(12) Incident Handling _ Malicious Code and Forensic Analysis
        💼 IR-4(13) Incident Handling _ Behavior Analysis
        💼 IR-4(14) Incident Handling _ Security Operations Center
        💼 IR-4(15) Incident Handling _ Public Relations and Reputation Repair
    💼 IR-5 Incident Monitoring [1]
        💼 IR-5(1) Incident Monitoring _ Automated Tracking, Data Collection, and Analysis
    💼 IR-6 Incident Reporting [3]
        💼 IR-6(1) Incident Reporting _ Automated Reporting
        💼 IR-6(2) Incident Reporting _ Vulnerabilities Related to Incidents
        💼 IR-6(3) Incident Reporting _ Supply Chain Coordination
    💼 IR-7 Incident Response Assistance [2]
        💼 IR-7(1) Incident Response Assistance _ Automation Support for Availability of Information and Support
        💼 IR-7(2) Incident Response Assistance _ Coordination with External Providers
    💼 IR-8 Incident Response Plan [1]
        💼 IR-8(1) Incident Response Plan _ Breaches
    💼 IR-9 Information Spillage Response [4]
        💼 IR-9(1) Information Spillage Response _ Responsible Personnel
        💼 IR-9(2) Information Spillage Response _ Training
        💼 IR-9(3) Information Spillage Response _ Post-spill Operations
        💼 IR-9(4) Information Spillage Response _ Exposure to Unauthorized Personnel
    💼 IR-10 Integrated Information Security Analysis Team
💼 MA Maintenance [7]
    💼 MA-1 Policy and Procedures
    💼 MA-2 Controlled Maintenance [2]
        💼 MA-2(1) Controlled Maintenance _ Record Content
        💼 MA-2(2) Controlled Maintenance _ Automated Maintenance Activities
    💼 MA-3 Maintenance Tools [6]
        💼 MA-3(1) Maintenance Tools _ Inspect Tools
        💼 MA-3(2) Maintenance Tools _ Inspect Media
        💼 MA-3(3) Maintenance Tools _ Prevent Unauthorized Removal
        💼 MA-3(4) Maintenance Tools _ Restricted Tool Use
        💼 MA-3(5) Maintenance Tools _ Execution with Privilege
        💼 MA-3(6) Maintenance Tools _ Software Updates and Patches
    💼 MA-4 Nonlocal Maintenance [7]
        💼 MA-4(1) Nonlocal Maintenance _ Logging and Review
        💼 MA-4(2) Nonlocal Maintenance _ Document Nonlocal Maintenance
        💼 MA-4(3) Nonlocal Maintenance _ Comparable Security and Sanitization
        💼 MA-4(4) Nonlocal Maintenance _ Authentication and Separation of Maintenance Sessions
        💼 MA-4(5) Nonlocal Maintenance _ Approvals and Notifications
        💼 MA-4(6) Nonlocal Maintenance _ Cryptographic Protection
        💼 MA-4(7) Nonlocal Maintenance _ Disconnect Verification
    💼 MA-5 Maintenance Personnel [5]
        💼 MA-5(1) Maintenance Personnel _ Individuals Without Appropriate Access
        💼 MA-5(2) Maintenance Personnel _ Security Clearances for Classified Systems
        💼 MA-5(3) Maintenance Personnel _ Citizenship Requirements for Classified Systems
        💼 MA-5(4) Maintenance Personnel _ Foreign Nationals
        💼 MA-5(5) Maintenance Personnel _ Non-system Maintenance
    💼 MA-6 Timely Maintenance [3]
        💼 MA-6(1) Timely Maintenance _ Preventive Maintenance
        💼 MA-6(2) Timely Maintenance _ Predictive Maintenance
        💼 MA-6(3) Timely Maintenance _ Automated Support for Predictive Maintenance
    💼 MA-7 Field Maintenance
💼 MP Media Protection [8]
    💼 MP-1 Policy and Procedures
    💼 MP-2 Media Access [2]
        💼 MP-2(1) Media Access _ Automated Restricted Access
        💼 MP-2(2) Media Access _ Cryptographic Protection
    💼 MP-3 Media Marking
    💼 MP-4 Media Storage [2]
        💼 MP-4(1) Media Storage _ Cryptographic Protection
        💼 MP-4(2) Media Storage _ Automated Restricted Access
    💼 MP-5 Media Transport [4]
        💼 MP-5(1) Media Transport _ Protection Outside of Controlled Areas
        💼 MP-5(2) Media Transport _ Documentation of Activities
        💼 MP-5(3) Media Transport _ Custodians
        💼 MP-5(4) Media Transport _ Cryptographic Protection
    💼 MP-6 Media Sanitization [8]
        💼 MP-6(1) Media Sanitization _ Review, Approve, Track, Document, and Verify
        💼 MP-6(2) Media Sanitization _ Equipment Testing
        💼 MP-6(3) Media Sanitization _ Nondestructive Techniques
        💼 MP-6(4) Media Sanitization _ Controlled Unclassified Information
        💼 MP-6(5) Media Sanitization _ Classified Information
        💼 MP-6(6) Media Sanitization _ Media Destruction
        💼 MP-6(7) Media Sanitization _ Dual Authorization
        💼 MP-6(8) Media Sanitization _ Remote Purging or Wiping of Information
    💼 MP-7 Media Use [2]
        💼 MP-7(1) Media Use _ Prohibit Use Without Owner
        💼 MP-7(2) Media Use _ Prohibit Use of Sanitization-resistant Media
    💼 MP-8 Media Downgrading [4]
        💼 MP-8(1) Media Downgrading _ Documentation of Process
        💼 MP-8(2) Media Downgrading _ Equipment Testing
        💼 MP-8(3) Media Downgrading _ Controlled Unclassified Information
        💼 MP-8(4) Media Downgrading _ Classified Information
💼 PE Physical And Environmental Protection [23]
    💼 PE-1 Policy and Procedures
    💼 PE-2 Physical Access Authorizations [3]
        💼 PE-2(1) Physical Access Authorizations _ Access by Position or Role
        💼 PE-2(2) Physical Access Authorizations _ Two Forms of Identification
        💼 PE-2(3) Physical Access Authorizations _ Restrict Unescorted Access
    💼 PE-3 Physical Access Control [8]
        💼 PE-3(1) Physical Access Control _ System Access
        💼 PE-3(2) Physical Access Control _ Facility and Systems
        💼 PE-3(3) Physical Access Control _ Continuous Guards
        💼 PE-3(4) Physical Access Control _ Lockable Casings
        💼 PE-3(5) Physical Access Control _ Tamper Protection
        💼 PE-3(6) Physical Access Control _ Facility Penetration Testing
        💼 PE-3(7) Physical Access Control _ Physical Barriers
        💼 PE-3(8) Physical Access Control _ Access Control Vestibules
    💼 PE-4 Access Control for Transmission
    💼 PE-5 Access Control for Output Devices [3]
        💼 PE-5(1) Access Control for Output Devices _ Access to Output by Authorized Individuals
        💼 PE-5(2) Access Control for Output Devices _ Link to Individual Identity
        💼 PE-5(3) Access Control for Output Devices _ Marking Output Devices
    💼 PE-6 Monitoring Physical Access [4]
        💼 PE-6(1) Monitoring Physical Access _ Intrusion Alarms and Surveillance Equipment
        💼 PE-6(2) Monitoring Physical Access _ Automated Intrusion Recognition and Responses
        💼 PE-6(3) Monitoring Physical Access _ Video Surveillance
        💼 PE-6(4) Monitoring Physical Access _ Monitoring Physical Access to Systems
    💼 PE-7 Visitor Control
    💼 PE-8 Visitor Access Records [3]
        💼 PE-8(1) Visitor Access Records _ Automated Records Maintenance and Review
        💼 PE-8(2) Visitor Access Records _ Physical Access Records
        💼 PE-8(3) Visitor Access Records _ Limit Personally Identifiable Information Elements
    💼 PE-9 Power Equipment and Cabling [2]
        💼 PE-9(1) Power Equipment and Cabling _ Redundant Cabling
        💼 PE-9(2) Power Equipment and Cabling _ Automatic Voltage Controls
    💼 PE-10 Emergency Shutoff [1]
        💼 PE-10(1) Emergency Shutoff _ Accidental and Unauthorized Activation
    💼 PE-11 Emergency Power [2]
        💼 PE-11(1) Emergency Power _ Alternate Power Supply — Minimal Operational Capability
        💼 PE-11(2) Emergency Power _ Alternate Power Supply — Self-contained
    💼 PE-12 Emergency Lighting [1]
        💼 PE-12(1) Emergency Lighting _ Essential Mission and Business Functions
    💼 PE-13 Fire Protection [4]
        💼 PE-13(1) Fire Protection _ Detection Systems — Automatic Activation and Notification
        💼 PE-13(2) Fire Protection _ Suppression Systems — Automatic Activation and Notification
        💼 PE-13(3) Fire Protection _ Automatic Fire Suppression
        💼 PE-13(4) Fire Protection _ Inspections
    💼 PE-14 Environmental Controls [2]
        💼 PE-14(1) Environmental Controls _ Automatic Controls
        💼 PE-14(2) Environmental Controls _ Monitoring with Alarms and Notifications
    💼 PE-15 Water Damage Protection [1]
        💼 PE-15(1) Water Damage Protection _ Automation Support
    💼 PE-16 Delivery and Removal
    💼 PE-17 Alternate Work Site
    💼 PE-18 Location of System Components [1]
        💼 PE-18(1) Location of System Components _ Facility Site
    💼 PE-19 Information Leakage [1]
        💼 PE-19(1) Information Leakage _ National Emissions Policies and Procedures
    💼 PE-20 Asset Monitoring and Tracking
    💼 PE-21 Electromagnetic Pulse Protection
    💼 PE-22 Component Marking
    💼 PE-23 Facility Location
💼 PL Planning [11]
    💼 PL-1 Policy and Procedures
    💼 PL-2 System Security and Privacy Plans [3]
        💼 PL-2(1) System Security and Privacy Plans _ Concept of Operations
        💼 PL-2(2) System Security and Privacy Plans _ Functional Architecture
        💼 PL-2(3) System Security and Privacy Plans _ Plan and Coordinate with Other Organizational Entities
    💼 PL-3 System Security Plan Update
    💼 PL-4 Rules of Behavior [1]
        💼 PL-4(1) Rules of Behavior _ Social Media and External Site/application Usage Restrictions
    💼 PL-5 Privacy Impact Assessment
    💼 PL-6 Security-related Activity Planning
    💼 PL-7 Concept of Operations
    💼 PL-8 Security and Privacy Architectures [2]
        💼 PL-8(1) Security and Privacy Architectures _ Defense in Depth
        💼 PL-8(2) Security and Privacy Architectures _ Supplier Diversity
    💼 PL-9 Central Management
    💼 PL-10 Baseline Selection
    💼 PL-11 Baseline Tailoring
💼 PM Program Management [32]
    💼 PM-1 Information Security Program Plan
    💼 PM-2 Information Security Program Leadership Role
    💼 PM-3 Information Security and Privacy Resources
    💼 PM-4 Plan of Action and Milestones Process
    💼 PM-5 System Inventory [1]
        💼 PM-5(1) System Inventory _ Inventory of Personally Identifiable Information
    💼 PM-6 Measures of Performance
    💼 PM-7 Enterprise Architecture [1]
        💼 PM-7(1) Enterprise Architecture _ Offloading
    💼 PM-8 Critical Infrastructure Plan
    💼 PM-9 Risk Management Strategy
    💼 PM-10 Authorization Process
    💼 PM-11 Mission and Business Process Definition
    💼 PM-12 Insider Threat Program
    💼 PM-13 Security and Privacy Workforce
    💼 PM-14 Testing, Training, and Monitoring
    💼 PM-15 Security and Privacy Groups and Associations
    💼 PM-16 Threat Awareness Program [1]
        💼 PM-16(1) Threat Awareness Program _ Automated Means for Sharing Threat Intelligence
    💼 PM-17 Protecting Controlled Unclassified Information on External Systems
    💼 PM-18 Privacy Program Plan
    💼 PM-19 Privacy Program Leadership Role
    💼 PM-20 Dissemination of Privacy Program Information [1]
        💼 PM-20(1) Dissemination of Privacy Program Information _ Privacy Policies on Websites, Applications, and Digital Services
    💼 PM-21 Accounting of Disclosures
    💼 PM-22 Personally Identifiable Information Quality Management
    💼 PM-23 Data Governance Body
    💼 PM-24 Data Integrity Board
    💼 PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research
    💼 PM-26 Complaint Management
    💼 PM-27 Privacy Reporting
    💼 PM-28 Risk Framing
    💼 PM-29 Risk Management Program Leadership Roles
    💼 PM-30 Supply Chain Risk Management Strategy [1]
        💼 PM-30(1) Supply Chain Risk Management Strategy _ Suppliers of Critical or Mission-essential Items
    💼 PM-31 Continuous Monitoring Strategy
    💼 PM-32 Purposing
💼 PS Personnel Security [9]
    💼 PS-1 Policy and Procedures
    💼 PS-2 Position Risk Designation
    💼 PS-3 Personnel Screening [4]
        💼 PS-3(1) Personnel Screening _ Classified Information
        💼 PS-3(2) Personnel Screening _ Formal Indoctrination
        💼 PS-3(3) Personnel Screening _ Information Requiring Special Protective Measures
        💼 PS-3(4) Personnel Screening _ Citizenship Requirements
    💼 PS-4 Personnel Termination [2]
        💼 PS-4(1) Personnel Termination _ Post-employment Requirements
        💼 PS-4(2) Personnel Termination _ Automated Actions
    💼 PS-5 Personnel Transfer
    💼 PS-6 Access Agreements [3]
        💼 PS-6(1) Access Agreements _ Information Requiring Special Protection
        💼 PS-6(2) Access Agreements _ Classified Information Requiring Special Protection
        💼 PS-6(3) Access Agreements _ Post-employment Requirements
    💼 PS-7 External Personnel Security
    💼 PS-8 Personnel Sanctions
    💼 PS-9 Position Descriptions
💼 PT Personally Identifiable Information Processing And Transparency [8]
    💼 PT-1 Policy and Procedures
    💼 PT-2 Authority to Process Personally Identifiable Information [2]
        💼 PT-2(1) Authority to Process Personally Identifiable Information _ Data Tagging
        💼 PT-2(2) Authority to Process Personally Identifiable Information _ Automation
    💼 PT-3 Personally Identifiable Information Processing Purposes [2]
        💼 PT-3(1) Personally Identifiable Information Processing Purposes _ Data Tagging
        💼 PT-3(2) Personally Identifiable Information Processing Purposes _ Automation
    💼 PT-4 Consent [3]
        💼 PT-4(1) Consent _ Tailored Consent
        💼 PT-4(2) Consent _ Just-in-time Consent
        💼 PT-4(3) Consent _ Revocation
    💼 PT-5 Privacy Notice [2]
        💼 PT-5(1) Privacy Notice _ Just-in-time Notice
        💼 PT-5(2) Privacy Notice _ Privacy Act Statements
    💼 PT-6 System of Records Notice [2]
        💼 PT-6(1) System of Records Notice _ Routine Uses
        💼 PT-6(2) System of Records Notice _ Exemption Rules
    💼 PT-7 Specific Categories of Personally Identifiable Information [2]
        💼 PT-7(1) Specific Categories of Personally Identifiable Information _ Social Security Numbers
        💼 PT-7(2) Specific Categories of Personally Identifiable Information _ First Amendment Information
    💼 PT-8 Computer Matching Requirements
💼 RA Risk Assessment [10]
    💼 RA-1 Policy and Procedures
    💼 RA-2 Security Categorization [1]
        💼 RA-2(1) Security Categorization _ Impact-level Prioritization
    💼 RA-3 Risk Assessment [4]
        💼 RA-3(1) Risk Assessment _ Supply Chain Risk Assessment
        💼 RA-3(2) Risk Assessment _ Use of All-source Intelligence
        💼 RA-3(3) Risk Assessment _ Dynamic Threat Awareness
        💼 RA-3(4) Risk Assessment _ Predictive Cyber Analytics
    💼 RA-4 Risk Assessment Update
    💼 RA-5 Vulnerability Monitoring and Scanning [11]
        💼 RA-5(1) Vulnerability Monitoring and Scanning _ Update Tool Capability
        💼 RA-5(2) Vulnerability Monitoring and Scanning _ Update Vulnerabilities to Be Scanned
        💼 RA-5(3) Vulnerability Monitoring and Scanning _ Breadth and Depth of Coverage
        💼 RA-5(4) Vulnerability Monitoring and Scanning _ Discoverable Information
        💼 RA-5(5) Vulnerability Monitoring and Scanning _ Privileged Access
        💼 RA-5(6) Vulnerability Monitoring and Scanning _ Automated Trend Analyses
        💼 RA-5(7) Vulnerability Monitoring and Scanning _ Automated Detection and Notification of Unauthorized Components
        💼 RA-5(8) Vulnerability Monitoring and Scanning _ Review Historic Audit Logs
        💼 RA-5(9) Vulnerability Monitoring and Scanning _ Penetration Testing and Analyses
        💼 RA-5(10) Vulnerability Monitoring and Scanning _ Correlate Scanning Information
        💼 RA-5(11) Vulnerability Monitoring and Scanning _ Public Disclosure Program
    💼 RA-6 Technical Surveillance Countermeasures Survey
    💼 RA-7 Risk Response
    💼 RA-8 Privacy Impact Assessments
    💼 RA-9 Criticality Analysis
    💼 RA-10 Threat Hunting
💼 SA System And Services Acquisition [23]
    💼 SA-1 Policy and Procedures
    💼 SA-2 Allocation of Resources
    💼 SA-3 System Development Life Cycle [3]
        💼 SA-3(1) System Development Life Cycle _ Manage Preproduction Environment
        💼 SA-3(2) System Development Life Cycle _ Use of Live or Operational Data
        💼 SA-3(3) System Development Life Cycle _ Technology Refresh
    💼 SA-4 Acquisition Process [12]
        💼 SA-4(1) Acquisition Process _ Functional Properties of Controls
        💼 SA-4(2) Acquisition Process _ Design and Implementation Information for Controls
        💼 SA-4(3) Acquisition Process _ Development Methods, Techniques, and Practices
        💼 SA-4(4) Acquisition Process _ Assignment of Components to Systems
        💼 SA-4(5) Acquisition Process _ System, Component, and Service Configurations
        💼 SA-4(6) Acquisition Process _ Use of Information Assurance Products
        💼 SA-4(7) Acquisition Process _ NIAP-approved Protection Profiles
        💼 SA-4(8) Acquisition Process _ Continuous Monitoring Plan for Controls
        💼 SA-4(9) Acquisition Process _ Functions, Ports, Protocols, and Services in Use
        💼 SA-4(10) Acquisition Process _ Use of Approved PIV Products
        💼 SA-4(11) Acquisition Process _ System of Records
        💼 SA-4(12) Acquisition Process _ Data Ownership
    💼 SA-5 System Documentation [5]
        💼 SA-5(1) System Documentation _ Functional Properties of Security Controls
        💼 SA-5(2) System Documentation _ Security-relevant External System Interfaces
        💼 SA-5(3) System Documentation _ High-level Design
        💼 SA-5(4) System Documentation _ Low-level Design
        💼 SA-5(5) System Documentation _ Source Code
    💼 SA-6 Software Usage Restrictions
    💼 SA-7 User-installed Software
    💼 SA-8 Security and Privacy Engineering Principles [33]
        💼 SA-8(1) Security and Privacy Engineering Principles _ Clear Abstractions
        💼 SA-8(2) Security and Privacy Engineering Principles _ Least Common Mechanism
        💼 SA-8(3) Security and Privacy Engineering Principles _ Modularity and Layering
        💼 SA-8(4) Security and Privacy Engineering Principles _ Partially Ordered Dependencies
        💼 SA-8(5) Security and Privacy Engineering Principles _ Efficiently Mediated Access
        💼 SA-8(6) Security and Privacy Engineering Principles _ Minimized Sharing
        💼 SA-8(7) Security and Privacy Engineering Principles _ Reduced Complexity
        💼 SA-8(8) Security and Privacy Engineering Principles _ Secure Evolvability
        💼 SA-8(9) Security and Privacy Engineering Principles _ Trusted Components
        💼 SA-8(10) Security and Privacy Engineering Principles _ Hierarchical Trust
        💼 SA-8(11) Security and Privacy Engineering Principles _ Inverse Modification Threshold
        💼 SA-8(12) Security and Privacy Engineering Principles _ Hierarchical Protection
        💼 SA-8(13) Security and Privacy Engineering Principles _ Minimized Security Elements
        💼 SA-8(14) Security and Privacy Engineering Principles _ Least Privilege
        💼 SA-8(15) Security and Privacy Engineering Principles _ Predicate Permission
        💼 SA-8(16) Security and Privacy Engineering Principles _ Self-reliant Trustworthiness
        💼 SA-8(17) Security and Privacy Engineering Principles _ Secure Distributed Composition
        💼 SA-8(18) Security and Privacy Engineering Principles _ Trusted Communications Channels
        💼 SA-8(19) Security and Privacy Engineering Principles _ Continuous Protection
        💼 SA-8(20) Security and Privacy Engineering Principles _ Secure Metadata Management
        💼 SA-8(21) Security and Privacy Engineering Principles _ Self-analysis
        💼 SA-8(22) Security and Privacy Engineering Principles _ Accountability and Traceability [1]
        💼 SA-8(23) Security and Privacy Engineering Principles _ Secure Defaults
        💼 SA-8(24) Security and Privacy Engineering Principles _ Secure Failure and Recovery
        💼 SA-8(25) Security and Privacy Engineering Principles _ Economic Security
        💼 SA-8(26) Security and Privacy Engineering Principles _ Performance Security
        💼 SA-8(27) Security and Privacy Engineering Principles _ Human Factored Security
        💼 SA-8(28) Security and Privacy Engineering Principles _ Acceptable Security
        💼 SA-8(29) Security and Privacy Engineering Principles _ Repeatable and Documented Procedures
        💼 SA-8(30) Security and Privacy Engineering Principles _ Procedural Rigor
        💼 SA-8(31) Security and Privacy Engineering Principles _ Secure System Modification
        💼 SA-8(32) Security and Privacy Engineering Principles _ Sufficient Documentation
        💼 SA-8(33) Security and Privacy Engineering Principles _ Minimization
    💼 SA-9 External System Services [8]
        💼 SA-9(1) External System Services _ Risk Assessments and Organizational Approvals
        💼 SA-9(2) External System Services _ Identification of Functions, Ports, Protocols, and Services
        💼 SA-9(3) External System Services _ Establish and Maintain Trust Relationship with Providers
        💼 SA-9(4) External System Services _ Consistent Interests of Consumers and Providers
        💼 SA-9(5) External System Services _ Processing, Storage, and Service Location [11]
        💼 SA-9(6) External System Services _ Organization-controlled Cryptographic Keys
        💼 SA-9(7) External System Services _ Organization-controlled Integrity Checking
        💼 SA-9(8) External System Services _ Processing and Storage Location — U.S. Jurisdiction
    💼 SA-10 Developer Configuration Management [7]
        💼 SA-10(1) Developer Configuration Management _ Software and Firmware Integrity Verification
        💼 SA-10(2) Developer Configuration Management _ Alternative Configuration Management Processes
        💼 SA-10(3) Developer Configuration Management _ Hardware Integrity Verification
        💼 SA-10(4) Developer Configuration Management _ Trusted Generation
        💼 SA-10(5) Developer Configuration Management _ Mapping Integrity for Version Control
        💼 SA-10(6) Developer Configuration Management _ Trusted Distribution
        💼 SA-10(7) Developer Configuration Management _ Security and Privacy Representatives
    💼 SA-11 Developer Testing and Evaluation [9]
        💼 SA-11(1) Developer Testing and Evaluation _ Static Code Analysis
        💼 SA-11(2) Developer Testing and Evaluation _ Threat Modeling and Vulnerability Analyses
        💼 SA-11(3) Developer Testing and Evaluation _ Independent Verification of Assessment Plans and Evidence
        💼 SA-11(4) Developer Testing and Evaluation _ Manual Code Reviews
        💼 SA-11(5) Developer Testing and Evaluation _ Penetration Testing
        💼 SA-11(6) Developer Testing and Evaluation _ Attack Surface Reviews
        💼 SA-11(7) Developer Testing and Evaluation _ Verify Scope of Testing and Evaluation
        💼 SA-11(8) Developer Testing and Evaluation _ Dynamic Code Analysis
        💼 SA-11(9) Developer Testing and Evaluation _ Interactive Application Security Testing
    💼 SA-12 Supply Chain Protection [15]
        💼 SA-12(1) Supply Chain Protection _ Acquisition Strategies / Tools / Methods
        💼 SA-12(2) Supply Chain Protection _ Supplier Reviews
        💼 SA-12(3) Supply Chain Protection _ Trusted Shipping and Warehousing
        💼 SA-12(4) Supply Chain Protection _ Diversity of Suppliers
        💼 SA-12(5) Supply Chain Protection _ Limitation of Harm
        💼 SA-12(6) Supply Chain Protection _ Minimizing Procurement Time
        💼 SA-12(7) Supply Chain Protection _ Assessments Prior to Selection / Acceptance / Update
        💼 SA-12(8) Supply Chain Protection _ Use of All-source Intelligence
        💼 SA-12(9) Supply Chain Protection _ Operations Security
        💼 SA-12(10) Supply Chain Protection _ Validate as Genuine and Not Altered
        💼 SA-12(11) Supply Chain Protection _ Penetration Testing / Analysis of Elements, Processes, and Actors
        💼 SA-12(12) Supply Chain Protection _ Inter-organizational Agreements
        💼 SA-12(13) Supply Chain Protection _ Critical Information System Components
        💼 SA-12(14) Supply Chain Protection _ Identity and Traceability
        💼 SA-12(15) Supply Chain Protection _ Processes to Address Weaknesses or Deficiencies
    💼 SA-13 Trustworthiness
    💼 SA-14 Criticality Analysis [1]
        💼 SA-14(1) Criticality Analysis _ Critical Components with No Viable Alternative Sourcing
    💼 SA-15 Development Process, Standards, and Tools [12]
        💼 SA-15(1) Development Process, Standards, and Tools _ Quality Metrics
        💼 SA-15(2) Development Process, Standards, and Tools _ Security and Privacy Tracking Tools
        💼 SA-15(3) Development Process, Standards, and Tools _ Criticality Analysis
        💼 SA-15(4) Development Process, Standards, and Tools _ Threat Modeling and Vulnerability Analysis
        💼 SA-15(5) Development Process, Standards, and Tools _ Attack Surface Reduction
        💼 SA-15(6) Development Process, Standards, and Tools _ Continuous Improvement
        💼 SA-15(7) Development Process, Standards, and Tools _ Automated Vulnerability Analysis
        💼 SA-15(8) Development Process, Standards, and Tools _ Reuse of Threat and Vulnerability Information
        💼 SA-15(9) Development Process, Standards, and Tools _ Use of Live Data
        💼 SA-15(10) Development Process, Standards, and Tools _ Incident Response Plan
        💼 SA-15(11) Development Process, Standards, and Tools _ Archive System or Component
        💼 SA-15(12) Development Process, Standards, and Tools _ Minimize Personally Identifiable Information
    💼 SA-16 Developer-provided Training
    💼 SA-17 Developer Security and Privacy Architecture and Design [9]
        💼 SA-17(1) Developer Security and Privacy Architecture and Design _ Formal Policy Model
        💼 SA-17(2) Developer Security and Privacy Architecture and Design _ Security-relevant Components
        💼 SA-17(3) Developer Security and Privacy Architecture and Design _ Formal Correspondence
        💼 SA-17(4) Developer Security and Privacy Architecture and Design _ Informal Correspondence
        💼 SA-17(5) Developer Security and Privacy Architecture and Design _ Conceptually Simple Design
        💼 SA-17(6) Developer Security and Privacy Architecture and Design _ Structure for Testing
        💼 SA-17(7) Developer Security and Privacy Architecture and Design _ Structure for Least Privilege
        💼 SA-17(8) Developer Security and Privacy Architecture and Design _ Orchestration
        💼 SA-17(9) Developer Security and Privacy Architecture and Design _ Design Diversity
    💼 SA-18 Tamper Resistance and Detection [2]
        💼 SA-18(1) Tamper Resistance and Detection _ Multiple Phases of System Development Life Cycle
        💼 SA-18(2) Tamper Resistance and Detection _ Inspection of Systems or Components
    💼 SA-19 Component Authenticity [4]
        💼 SA-19(1) Component Authenticity _ Anti-counterfeit Training
        💼 SA-19(2) Component Authenticity _ Configuration Control for Component Service and Repair
        💼 SA-19(3) Component Authenticity _ Component Disposal
        💼 SA-19(4) Component Authenticity _ Anti-counterfeit Scanning
    💼 SA-20 Customized Development of Critical Components
    💼 SA-21 Developer Screening [1]
        💼 SA-21(1) Developer Screening _ Validation of Screening
    💼 SA-22 Unsupported System Components [1]
        💼 SA-22(1) Unsupported System Components _ Alternative Sources for Continued Support
    💼 SA-23 Specialization
💼 SC System And Communications Protection [51]
    💼 SC-1 Policy and Procedures
    💼 SC-2 Separation of System and User Functionality [2]
        💼 SC-2(1) Separation of System and User Functionality _ Interfaces for Non-privileged Users
        💼 SC-2(2) Separation of System and User Functionality _ Disassociability
    💼 SC-3 Security Function Isolation [5]
        💼 SC-3(1) Security Function Isolation _ Hardware Separation
        💼 SC-3(2) Security Function Isolation _ Access and Flow Control Functions
        💼 SC-3(3) Security Function Isolation _ Minimize Nonsecurity Functionality
        💼 SC-3(4) Security Function Isolation _ Module Coupling and Cohesiveness
        💼 SC-3(5) Security Function Isolation _ Layered Structures
    💼 SC-4 Information in Shared System Resources [2]
        💼 SC-4(1) Information in Shared System Resources _ Security Levels
        💼 SC-4(2) Information in Shared System Resources _ Multilevel or Periods Processing
    💼 SC-5 Denial-of-service Protection [3]
        💼 SC-5(1) Denial-of-service Protection _ Restrict Ability to Attack Other Systems
        💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy [2]
        💼 SC-5(3) Denial-of-service Protection _ Detection and Monitoring
    💼 SC-6 Resource Availability
    💼 SC-7 Boundary Protection [29 | 16]
        💼 SC-7(1) Boundary Protection _ Physically Separated Subnetworks
        💼 SC-7(2) Boundary Protection _ Public Access
        💼 SC-7(3) Boundary Protection _ Access Points [2]
        💼 SC-7(4) Boundary Protection _ External Telecommunications Services [17]
        💼 SC-7(5) Boundary Protection _ Deny by Default — Allow by Exception [519]
        💼 SC-7(6) Boundary Protection _ Response to Recognized Failures
        💼 SC-7(7) Boundary Protection _ Split Tunneling for Remote Devices
        💼 SC-7(8) Boundary Protection _ Route Traffic to Authenticated Proxy Servers
        💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic [7]
        💼 SC-7(10) Boundary Protection _ Prevent Exfiltration [4]
        💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic [15]
        💼 SC-7(12) Boundary Protection _ Host-based Protection
        💼 SC-7(13) Boundary Protection _ Isolation of Security Tools, Mechanisms, and Support Components
        💼 SC-7(14) Boundary Protection _ Protect Against Unauthorized Physical Connections
        💼 SC-7(15) Boundary Protection _ Networked Privileged Accesses
        💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components [16]
        💼 SC-7(17) Boundary Protection _ Automated Enforcement of Protocol Formats
        💼 SC-7(18) Boundary Protection _ Fail Secure
        💼 SC-7(19) Boundary Protection _ Block Communication from Non-organizationally Configured Hosts
        💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation2
        💼 SC-7(21) Boundary Protection _ Isolation of System Components16
        💼 SC-7(22) Boundary Protection _ Separate Subnets for Connecting to Different Security Domains
        💼 SC-7(23) Boundary Protection _ Disable Sender Feedback on Protocol Validation Failure
        💼 SC-7(24) Boundary Protection _ Personally Identifiable Information
        💼 SC-7(25) Boundary Protection _ Unclassified National Security System Connections
        💼 SC-7(26) Boundary Protection _ Classified National Security System Connections
        💼 SC-7(27) Boundary Protection _ Unclassified Non-national Security System Connections
        💼 SC-7(28) Boundary Protection _ Connections to Public Networks
        💼 SC-7(29) Boundary Protection _ Separate Subnets to Isolate Functions
    💼 SC-8 Transmission Confidentiality and Integrity52
        💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection810
        💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling2
        💼 SC-8(3) Transmission Confidentiality and Integrity _ Cryptographic Protection for Message Externals
        💼 SC-8(4) Transmission Confidentiality and Integrity _ Conceal or Randomize Communications
        💼 SC-8(5) Transmission Confidentiality and Integrity _ Protected Distribution System
    💼 SC-9 Transmission Confidentiality
    💼 SC-10 Network Disconnect
    💼 SC-11 Trusted Path1
        💼 SC-11(1) Trusted Path _ Irrefutable Communications Path
    💼 SC-12 Cryptographic Key Establishment and Management6
        💼 SC-12(1) Cryptographic Key Establishment and Management _ Availability
        💼 SC-12(2) Cryptographic Key Establishment and Management _ Symmetric Keys11
        💼 SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys2
        💼 SC-12(4) Cryptographic Key Establishment and Management _ PKI Certificates
        💼 SC-12(5) Cryptographic Key Establishment and Management _ PKI Certificates / Hardware Tokens
        💼 SC-12(6) Cryptographic Key Establishment and Management _ Physical Control of Keys
    💼 SC-13 Cryptographic Protection46
        💼 SC-13(1) Cryptographic Protection _ FIPS-validated Cryptography
        💼 SC-13(2) Cryptographic Protection _ NSA-approved Cryptography
        💼 SC-13(3) Cryptographic Protection _ Individuals Without Formal Access Approvals
        💼 SC-13(4) Cryptographic Protection _ Digital Signatures
    💼 SC-14 Public Access Protections
    💼 SC-15 Collaborative Computing Devices and Applications4
        💼 SC-15(1) Collaborative Computing Devices and Applications _ Physical or Logical Disconnect
        💼 SC-15(2) Collaborative Computing Devices and Applications _ Blocking Inbound and Outbound Communications Traffic
        💼 SC-15(3) Collaborative Computing Devices and Applications _ Disabling and Removal in Secure Work Areas
        💼 SC-15(4) Collaborative Computing Devices and Applications _ Explicitly Indicate Current Participants
    💼 SC-16 Transmission of Security and Privacy Attributes3
        💼 SC-16(1) Transmission of Security and Privacy Attributes _ Integrity Verification
        💼 SC-16(2) Transmission of Security and Privacy Attributes _ Anti-spoofing Mechanisms
        💼 SC-16(3) Transmission of Security and Privacy Attributes _ Cryptographic Binding
    💼 SC-17 Public Key Infrastructure Certificates
    💼 SC-18 Mobile Code5
        💼 SC-18(1) Mobile Code _ Identify Unacceptable Code and Take Corrective Actions
        💼 SC-18(2) Mobile Code _ Acquisition, Development, and Use
        💼 SC-18(3) Mobile Code _ Prevent Downloading and Execution
        💼 SC-18(4) Mobile Code _ Prevent Automatic Execution
        💼 SC-18(5) Mobile Code _ Allow Execution Only in Confined Environments
    💼 SC-19 Voice Over Internet Protocol
    💼 SC-20 Secure Name/address Resolution Service (authoritative Source)2
        💼 SC-20(1) Secure Name/address Resolution Service (authoritative Source) _ Child Subspaces
        💼 SC-20(2) Secure Name/address Resolution Service (authoritative Source) _ Data Origin and Integrity
    💼 SC-21 Secure Name/address Resolution Service (recursive or Caching Resolver)1
        💼 SC-21(1) Secure Name/address Resolution Service (recursive or Caching Resolver) _ Data Origin and Integrity
    💼 SC-22 Architecture and Provisioning for Name/address Resolution Service
    💼 SC-23 Session Authenticity52
        💼 SC-23(1) Session Authenticity _ Invalidate Session Identifiers at Logout
        💼 SC-23(2) Session Authenticity _ User-initiated Logouts and Message Displays
        💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers2
        💼 SC-23(4) Session Authenticity _ Unique Session Identifiers with Randomization
        💼 SC-23(5) Session Authenticity _ Allowed Certificate Authorities
    💼 SC-24 Fail in Known State
    💼 SC-25 Thin Nodes
    💼 SC-26 Decoys1
        💼 SC-26(1) Decoys _ Detection of Malicious Code
    💼 SC-27 Platform-independent Applications
    💼 SC-28 Protection of Information at Rest31113
        💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection1012
        💼 SC-28(2) Protection of Information at Rest _ Offline Storage
        💼 SC-28(3) Protection of Information at Rest _ Cryptographic Keys1
    💼 SC-29 Heterogeneity1
        💼 SC-29(1) Heterogeneity _ Virtualization Techniques
    💼 SC-30 Concealment and Misdirection5
        💼 SC-30(1) Concealment and Misdirection _ Virtualization Techniques
        💼 SC-30(2) Concealment and Misdirection _ Randomness
        💼 SC-30(3) Concealment and Misdirection _ Change Processing and Storage Locations
        💼 SC-30(4) Concealment and Misdirection _ Misleading Information
        💼 SC-30(5) Concealment and Misdirection _ Concealment of System Components
    💼 SC-31 Covert Channel Analysis3
        💼 SC-31(1) Covert Channel Analysis _ Test Covert Channels for Exploitability
        💼 SC-31(2) Covert Channel Analysis _ Maximum Bandwidth
        💼 SC-31(3) Covert Channel Analysis _ Measure Bandwidth in Operational Environments
    💼 SC-32 System Partitioning1
        💼 SC-32(1) System Partitioning _ Separate Physical Domains for Privileged Functions
    💼 SC-33 Transmission Preparation Integrity
    💼 SC-34 Non-modifiable Executable Programs3
        💼 SC-34(1) Non-modifiable Executable Programs _ No Writable Storage
        💼 SC-34(2) Non-modifiable Executable Programs _ Integrity Protection on Read-only Media
        💼 SC-34(3) Non-modifiable Executable Programs _ Hardware-based Protection
    💼 SC-35 External Malicious Code Identification
    💼 SC-36 Distributed Processing and Storage21
        💼 SC-36(1) Distributed Processing and Storage _ Polling Techniques
        💼 SC-36(2) Distributed Processing and Storage _ Synchronization
    💼 SC-37 Out-of-band Channels1
        💼 SC-37(1) Out-of-band Channels _ Ensure Delivery and Transmission
    💼 SC-38 Operations Security
    💼 SC-39 Process Isolation2
        💼 SC-39(1) Process Isolation _ Hardware Separation
        💼 SC-39(2) Process Isolation _ Separate Execution Domain Per Thread
    💼 SC-40 Wireless Link Protection4
        💼 SC-40(1) Wireless Link Protection _ Electromagnetic Interference
        💼 SC-40(2) Wireless Link Protection _ Reduce Detection Potential
        💼 SC-40(3) Wireless Link Protection _ Imitative or Manipulative Communications Deception
        💼 SC-40(4) Wireless Link Protection _ Signal Parameter Identification
    💼 SC-41 Port and I/O Device Access
    💼 SC-42 Sensor Capability and Data5
        💼 SC-42(1) Sensor Capability and Data _ Reporting to Authorized Individuals or Roles
        💼 SC-42(2) Sensor Capability and Data _ Authorized Use
        💼 SC-42(3) Sensor Capability and Data _ Prohibit Use of Devices
        💼 SC-42(4) Sensor Capability and Data _ Notice of Collection
        💼 SC-42(5) Sensor Capability and Data _ Collection Minimization
    💼 SC-43 Usage Restrictions
    💼 SC-44 Detonation Chambers
    💼 SC-45 System Time Synchronization2
        💼 SC-45(1) System Time Synchronization _ Synchronization with Authoritative Time Source
        💼 SC-45(2) System Time Synchronization _ Secondary Authoritative Time Source
    💼 SC-46 Cross Domain Policy Enforcement
    💼 SC-47 Alternate Communications Paths
    💼 SC-48 Sensor Relocation1
        💼 SC-48(1) Sensor Relocation _ Dynamic Relocation of Sensors or Monitoring Capabilities
    💼 SC-49 Hardware-enforced Separation and Policy Enforcement
    💼 SC-50 Software-enforced Separation and Policy Enforcement
    💼 SC-51 Hardware-based Protection
💼 SI System And Information Integrity23
    💼 SI-1 Policy and Procedures
    💼 SI-2 Flaw Remediation62
        💼 SI-2(1) Flaw Remediation _ Central Management
        💼 SI-2(2) Flaw Remediation _ Automated Flaw Remediation Status11
        💼 SI-2(3) Flaw Remediation _ Time to Remediate Flaws and Benchmarks for Corrective Actions
        💼 SI-2(4) Flaw Remediation _ Automated Patch Management Tools1
        💼 SI-2(5) Flaw Remediation _ Automatic Software and Firmware Updates11
        💼 SI-2(6) Flaw Remediation _ Removal of Previous Versions of Software and Firmware55
    💼 SI-3 Malicious Code Protection10
        💼 SI-3(1) Malicious Code Protection _ Central Management
        💼 SI-3(2) Malicious Code Protection _ Automatic Updates
        💼 SI-3(3) Malicious Code Protection _ Non-privileged Users
        💼 SI-3(4) Malicious Code Protection _ Updates Only by Privileged Users
        💼 SI-3(5) Malicious Code Protection _ Portable Storage Devices
        💼 SI-3(6) Malicious Code Protection _ Testing and Verification
        💼 SI-3(7) Malicious Code Protection _ Nonsignature-based Detection
        💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands3
        💼 SI-3(9) Malicious Code Protection _ Authenticate Remote Commands
        💼 SI-3(10) Malicious Code Protection _ Malicious Code Analysis
    💼 SI-4 System Monitoring251
        💼 SI-4(1) System Monitoring _ System-wide Intrusion Detection System
        💼 SI-4(2) System Monitoring _ Automated Tools and Mechanisms for Real-time Analysis
        💼 SI-4(3) System Monitoring _ Automated Tool and Mechanism Integration
        💼 SI-4(4) System Monitoring _ Inbound and Outbound Communications Traffic22
        💼 SI-4(5) System Monitoring _ System-generated Alerts
        💼 SI-4(6) System Monitoring _ Restrict Non-privileged Users
        💼 SI-4(7) System Monitoring _ Automated Response to Suspicious Events
        💼 SI-4(8) System Monitoring _ Protection of Monitoring Information
        💼 SI-4(9) System Monitoring _ Testing of Monitoring Tools and Mechanisms
        💼 SI-4(10) System Monitoring _ Visibility of Encrypted Communications
        💼 SI-4(11) System Monitoring _ Analyze Communications Traffic Anomalies
        💼 SI-4(12) System Monitoring _ Automated Organization-generated Alerts
        💼 SI-4(13) System Monitoring _ Analyze Traffic and Event Patterns
        💼 SI-4(14) System Monitoring _ Wireless Intrusion Detection
        💼 SI-4(15) System Monitoring _ Wireless to Wireline Communications
        💼 SI-4(16) System Monitoring _ Correlate Monitoring Information
        💼 SI-4(17) System Monitoring _ Integrated Situational Awareness
        💼 SI-4(18) System Monitoring _ Analyze Traffic and Covert Exfiltration
        💼 SI-4(19) System Monitoring _ Risk for Individuals
        💼 SI-4(20) System Monitoring _ Privileged Users3
        💼 SI-4(21) System Monitoring _ Probationary Periods
        💼 SI-4(22) System Monitoring _ Unauthorized Network Services
        💼 SI-4(23) System Monitoring _ Host-based Devices
        💼 SI-4(24) System Monitoring _ Indicators of Compromise
        💼 SI-4(25) System Monitoring _ Optimize Network Traffic Analysis
    💼 SI-5 Security Alerts, Advisories, and Directives1
        💼 SI-5(1) Security Alerts, Advisories, and Directives _ Automated Alerts and Advisories
    💼 SI-6 Security and Privacy Function Verification3
        💼 SI-6(1) Security and Privacy Function Verification _ Notification of Failed Security Tests
        💼 SI-6(2) Security and Privacy Function Verification _ Automation Support for Distributed Testing
        💼 SI-6(3) Security and Privacy Function Verification _ Report Verification Results
    💼 SI-7 Software, Firmware, and Information Integrity17
        💼 SI-7(1) Software, Firmware, and Information Integrity _ Integrity Checks1
        💼 SI-7(2) Software, Firmware, and Information Integrity _ Automated Notifications of Integrity Violations
        💼 SI-7(3) Software, Firmware, and Information Integrity _ Centrally Managed Integrity Tools1
        💼 SI-7(4) Software, Firmware, and Information Integrity _ Tamper-evident Packaging
        💼 SI-7(5) Software, Firmware, and Information Integrity _ Automated Response to Integrity Violations
        💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection6
        💼 SI-7(7) Software, Firmware, and Information Integrity _ Integration of Detection and Response1
        💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events6
        💼 SI-7(9) Software, Firmware, and Information Integrity _ Verify Boot Process
        💼 SI-7(10) Software, Firmware, and Information Integrity _ Protection of Boot Firmware
        💼 SI-7(11) Software, Firmware, and Information Integrity _ Confined Environments with Limited Privileges
        💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification1820
        💼 SI-7(13) Software, Firmware, and Information Integrity _ Code Execution in Protected Environments
        💼 SI-7(14) Software, Firmware, and Information Integrity _ Binary or Machine Executable Code
        💼 SI-7(15) Software, Firmware, and Information Integrity _ Code Authentication
        💼 SI-7(16) Software, Firmware, and Information Integrity _ Time Limit on Process Execution Without Supervision
        💼 SI-7(17) Software, Firmware, and Information Integrity _ Runtime Application Self-protection
    💼 SI-8 Spam Protection3
        💼 SI-8(1) Spam Protection _ Central Management
        💼 SI-8(2) Spam Protection _ Automatic Updates
        💼 SI-8(3) Spam Protection _ Continuous Learning Capability
    💼 SI-9 Information Input Restrictions
    💼 SI-10 Information Input Validation6
        💼 SI-10(1) Information Input Validation _ Manual Override Capability
        💼 SI-10(2) Information Input Validation _ Review and Resolve Errors
        💼 SI-10(3) Information Input Validation _ Predictable Behavior
        💼 SI-10(4) Information Input Validation _ Timing Interactions
        💼 SI-10(5) Information Input Validation _ Restrict Inputs to Trusted Sources and Approved Formats
        💼 SI-10(6) Information Input Validation _ Injection Prevention
    💼 SI-11 Error Handling
    💼 SI-12 Information Management and Retention3
        💼 SI-12(1) Information Management and Retention _ Limit Personally Identifiable Information Elements
        💼 SI-12(2) Information Management and Retention _ Minimize Personally Identifiable Information in Testing, Training, and Research
        💼 SI-12(3) Information Management and Retention _ Information Disposal
    💼 SI-13 Predictable Failure Prevention5
        💼 SI-13(1) Predictable Failure Prevention _ Transferring Component Responsibilities
        💼 SI-13(2) Predictable Failure Prevention _ Time Limit on Process Execution Without Supervision
        💼 SI-13(3) Predictable Failure Prevention _ Manual Transfer Between Components
        💼 SI-13(4) Predictable Failure Prevention _ Standby Component Installation and Notification
        💼 SI-13(5) Predictable Failure Prevention _ Failover Capability2
    💼 SI-14 Non-persistence3
        💼 SI-14(1) Non-persistence _ Refresh from Trusted Sources
        💼 SI-14(2) Non-persistence _ Non-persistent Information
        💼 SI-14(3) Non-persistence _ Non-persistent Connectivity
    💼 SI-15 Information Output Filtering
    💼 SI-16 Memory Protection
    💼 SI-17 Fail-safe Procedures
    💼 SI-18 Personally Identifiable Information Quality Operations5
        💼 SI-18(1) Personally Identifiable Information Quality Operations _ Automation Support
        💼 SI-18(2) Personally Identifiable Information Quality Operations _ Data Tags
        💼 SI-18(3) Personally Identifiable Information Quality Operations _ Collection
        💼 SI-18(4) Personally Identifiable Information Quality Operations _ Individual Requests
        💼 SI-18(5) Personally Identifiable Information Quality Operations _ Notice of Correction or Deletion
    💼 SI-19 De-identification8
        💼 SI-19(1) De-identification _ Collection
        💼 SI-19(2) De-identification _ Archiving
        💼 SI-19(3) De-identification _ Release
        💼 SI-19(4) De-identification _ Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
        💼 SI-19(5) De-identification _ Statistical Disclosure Control
        💼 SI-19(6) De-identification _ Differential Privacy
        💼 SI-19(7) De-identification _ Validated Algorithms and Software
        💼 SI-19(8) De-identification _ Motivated Intruder
    💼 SI-20 Tainting
    💼 SI-21 Information Refresh
    💼 SI-22 Information Diversity
    💼 SI-23 Information Fragmentation
💼 SR Supply Chain Risk Management12
    💼 SR-1 Policy and Procedures
    💼 SR-2 Supply Chain Risk Management Plan1
        💼 SR-2(1) Supply Chain Risk Management Plan _ Establish SCRM Team
    💼 SR-3 Supply Chain Controls and Processes3
        💼 SR-3(1) Supply Chain Controls and Processes _ Diverse Supply Base
        💼 SR-3(2) Supply Chain Controls and Processes _ Limitation of Harm
        💼 SR-3(3) Supply Chain Controls and Processes _ Sub-tier Flow Down
    💼 SR-4 Provenance4
        💼 SR-4(1) Provenance _ Identity
        💼 SR-4(2) Provenance _ Track and Trace
        💼 SR-4(3) Provenance _ Validate as Genuine and Not Altered
        💼 SR-4(4) Provenance _ Supply Chain Integrity — Pedigree
    💼 SR-5 Acquisition Strategies, Tools, and Methods2
        💼 SR-5(1) Acquisition Strategies, Tools, and Methods _ Adequate Supply
        💼 SR-5(2) Acquisition Strategies, Tools, and Methods _ Assessments Prior to Selection, Acceptance, Modification, or Update
    💼 SR-6 Supplier Assessments and Reviews1
        💼 SR-6(1) Supplier Assessments and Reviews _ Testing and Analysis
    💼 SR-7 Supply Chain Operations Security
    💼 SR-8 Notification Agreements
    💼 SR-9 Tamper Resistance and Detection1
        💼 SR-9(1) Tamper Resistance and Detection _ Multiple Stages of System Development Life Cycle
    💼 SR-10 Inspection of Systems or Components
    💼 SR-11 Component Authenticity3
        💼 SR-11(1) Component Authenticity _ Anti-counterfeit Training
        💼 SR-11(2) Component Authenticity _ Configuration Control for Component Service and Repair
        💼 SR-11(3) Component Authenticity _ Anti-counterfeit Scanning
    💼 SR-12 Component Disposal