| 💼 AC-1 Policy and Procedures | | | | |
| 💼 AC-2 Account Management | 13 | | 4 | |
| 💼 AC-2(1) Account Management _ Automated System Account Management | | 4 | 16 | |
| 💼 AC-2(2) Account Management _ Automated Temporary and Emergency Account Management | | | | |
| 💼 AC-2(3) Account Management _ Disable Accounts | | 1 | 4 | |
| 💼 AC-2(4) Account Management _ Automated Audit Actions | | 14 | 16 | |
| 💼 AC-2(5) Account Management _ Inactivity Logout | | | | |
| 💼 AC-2(6) Account Management _ Dynamic Privilege Management | | | | |
| 💼 AC-2(7) Account Management _ Privileged User Accounts | | 1 | 1 | |
| 💼 AC-2(8) Account Management _ Dynamic Account Management | | | | |
| 💼 AC-2(9) Account Management _ Restrictions on Use of Shared and Group Accounts | | | | |
| 💼 AC-2(10) Account Management _ Shared and Group Account Credential Change | | | | |
| 💼 AC-2(11) Account Management _ Usage Conditions | | | | |
| 💼 AC-2(12) Account Management _ Account Monitoring for Atypical Usage | | | | |
| 💼 AC-2(13) Account Management _ Disable Accounts for High-risk Individuals | | | | |
| 💼 AC-3 Access Enforcement | 15 | 5 | 28 | |
| 💼 AC-3(1) Access Enforcement _ Restricted Access to Privileged Functions | | | | |
| 💼 AC-3(2) Access Enforcement _ Dual Authorization | | | | |
| 💼 AC-3(3) Access Enforcement _ Mandatory Access Control | | | | |
| 💼 AC-3(4) Access Enforcement _ Discretionary Access Control | | | | |
| 💼 AC-3(5) Access Enforcement _ Security-relevant Information | | | | |
| 💼 AC-3(6) Access Enforcement _ Protection of User and System Information | | | | |
| 💼 AC-3(7) Access Enforcement _ Role-based Access Control | | | 11 | |
| 💼 AC-3(8) Access Enforcement _ Revocation of Access Authorizations | | | | |
| 💼 AC-3(9) Access Enforcement _ Controlled Release | | | | |
| 💼 AC-3(10) Access Enforcement _ Audited Override of Access Control Mechanisms | | | | |
| 💼 AC-3(11) Access Enforcement _ Restrict Access to Specific Information Types | | | | |
| 💼 AC-3(12) Access Enforcement _ Assert and Enforce Application Access | | | | |
| 💼 AC-3(13) Access Enforcement _ Attribute-based Access Control | | | | |
| 💼 AC-3(14) Access Enforcement _ Individual Access | | | | |
| 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | | | 11 | |
| 💼 AC-4 Information Flow Enforcement | 32 | 9 | 29 | |
| 💼 AC-4(1) Information Flow Enforcement _ Object Security and Privacy Attributes | | | | |
| 💼 AC-4(2) Information Flow Enforcement _ Processing Domains | | 30 | 32 | |
| 💼 AC-4(3) Information Flow Enforcement _ Dynamic Information Flow Control | | | | |
| 💼 AC-4(4) Information Flow Enforcement _ Flow Control of Encrypted Information | | | | |
| 💼 AC-4(5) Information Flow Enforcement _ Embedded Data Types | | 1 | 1 | |
| 💼 AC-4(6) Information Flow Enforcement _ Metadata | | | | |
| 💼 AC-4(7) Information Flow Enforcement _ One-way Flow Mechanisms | | | | |
| 💼 AC-4(8) Information Flow Enforcement _ Security and Privacy Policy Filters | | | | |
| 💼 AC-4(9) Information Flow Enforcement _ Human Reviews | | | | |
| 💼 AC-4(10) Information Flow Enforcement _ Enable and Disable Security or Privacy Policy Filters | | | | |
| 💼 AC-4(11) Information Flow Enforcement _ Configuration of Security or Privacy Policy Filters | | | | |
| 💼 AC-4(12) Information Flow Enforcement _ Data Type Identifiers | | | | |
| 💼 AC-4(13) Information Flow Enforcement _ Decomposition into Policy-relevant Subcomponents | | | | |
| 💼 AC-4(14) Information Flow Enforcement _ Security or Privacy Policy Filter Constraints | | 2 | 2 | |
| 💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information | | 9 | 10 | |
| 💼 AC-4(16) Information Flow Enforcement _ Information Transfers on Interconnected Systems | | | | |
| 💼 AC-4(17) Information Flow Enforcement _ Domain Authentication | | | | |
| 💼 AC-4(18) Information Flow Enforcement _ Security Attribute Binding | | | | |
| 💼 AC-4(19) Information Flow Enforcement _ Validation of Metadata | | | | |
| 💼 AC-4(20) Information Flow Enforcement _ Approved Solutions | | | | |
| 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows | | 37 | 42 | |
| 💼 AC-4(22) Information Flow Enforcement _ Access Only | | | | |
| 💼 AC-4(23) Information Flow Enforcement _ Modify Non-releasable Information | | | | |
| 💼 AC-4(24) Information Flow Enforcement _ Internal Normalized Format | | | | |
| 💼 AC-4(25) Information Flow Enforcement _ Data Sanitization | | | | |
| 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions | | | 9 | |
| 💼 AC-4(27) Information Flow Enforcement _ Redundant/independent Filtering Mechanisms | | | | |
| 💼 AC-4(28) Information Flow Enforcement _ Linear Filter Pipelines | | | | |
| 💼 AC-4(29) Information Flow Enforcement _ Filter Orchestration Engines | | | | |
| 💼 AC-4(30) Information Flow Enforcement _ Filter Mechanisms Using Multiple Processes | | | | |
| 💼 AC-4(31) Information Flow Enforcement _ Failed Content Transfer Prevention | | | | |
| 💼 AC-4(32) Information Flow Enforcement _ Process Requirements for Information Transfer | | | | |
| 💼 AC-5 Separation of Duties | | | 13 | |
| 💼 AC-6 Least Privilege | 10 | | 24 | |
| 💼 AC-6(1) Least Privilege _ Authorize Access to Security Functions | | 2 | 2 | |
| 💼 AC-6(2) Least Privilege _ Non-privileged Access for Nonsecurity Functions | | 4 | 4 | |
| 💼 AC-6(3) Least Privilege _ Network Access to Privileged Commands | | | 2 | |
| 💼 AC-6(4) Least Privilege _ Separate Processing Domains | | | | |
| 💼 AC-6(5) Least Privilege _ Privileged Accounts | | 3 | 3 | |
| 💼 AC-6(6) Least Privilege _ Privileged Access by Non-organizational Users | | | | |
| 💼 AC-6(7) Least Privilege _ Review of User Privileges | | | | |
| 💼 AC-6(8) Least Privilege _ Privilege Levels for Code Execution | | | | |
| 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions | | 17 | 19 | |
| 💼 AC-6(10) Least Privilege _ Prohibit Non-privileged Users from Executing Privileged Functions | | | 2 | |
| 💼 AC-7 Unsuccessful Logon Attempts | 4 | | | |
| 💼 AC-7(1) Unsuccessful Logon Attempts _ Automatic Account Lock | | | | |
| 💼 AC-7(2) Unsuccessful Logon Attempts _ Purge or Wipe Mobile Device | | | | |
| 💼 AC-7(3) Unsuccessful Logon Attempts _ Biometric Attempt Limiting | | | | |
| 💼 AC-7(4) Unsuccessful Logon Attempts _ Use of Alternate Authentication Factor | | | | |
| 💼 AC-8 System Use Notification | | | | |
| 💼 AC-9 Previous Logon Notification | 4 | | | |
| 💼 AC-9(1) Previous Logon Notification _ Unsuccessful Logons | | | | |
| 💼 AC-9(2) Previous Logon Notification _ Successful and Unsuccessful Logons | | | | |
| 💼 AC-9(3) Previous Logon Notification _ Notification of Account Changes | | | | |
| 💼 AC-9(4) Previous Logon Notification _ Additional Logon Information | | | | |
| 💼 AC-10 Concurrent Session Control | | | | |
| 💼 AC-11 Device Lock | 1 | | | |
| 💼 AC-11(1) Device Lock _ Pattern-hiding Displays | | | | |
| 💼 AC-12 Session Termination | 3 | | | |
| 💼 AC-12(1) Session Termination _ User-initiated Logouts | | | | |
| 💼 AC-12(2) Session Termination _ Termination Message | | | | |
| 💼 AC-12(3) Session Termination _ Timeout Warning Message | | | | |
| 💼 AC-13 Supervision and Review — Access Control | | | | |
| 💼 AC-14 Permitted Actions Without Identification or Authentication | 1 | | | |
| 💼 AC-14(1) Permitted Actions Without Identification or Authentication _ Necessary Uses | | | | |
| 💼 AC-15 Automated Marking | | | | |
| 💼 AC-16 Security and Privacy Attributes | 10 | | | |
| 💼 AC-16(1) Security and Privacy Attributes _ Dynamic Attribute Association | | | | |
| 💼 AC-16(2) Security and Privacy Attributes _ Attribute Value Changes by Authorized Individuals | | | | |
| 💼 AC-16(3) Security and Privacy Attributes _ Maintenance of Attribute Associations by System | | | | |
| 💼 AC-16(4) Security and Privacy Attributes _ Association of Attributes by Authorized Individuals | | | | |
| 💼 AC-16(5) Security and Privacy Attributes _ Attribute Displays on Objects to Be Output | | | | |
| 💼 AC-16(6) Security and Privacy Attributes _ Maintenance of Attribute Association | | | | |
| 💼 AC-16(7) Security and Privacy Attributes _ Consistent Attribute Interpretation | | | | |
| 💼 AC-16(8) Security and Privacy Attributes _ Association Techniques and Technologies | | | | |
| 💼 AC-16(9) Security and Privacy Attributes _ Attribute Reassignment — Regrading Mechanisms | | | | |
| 💼 AC-16(10) Security and Privacy Attributes _ Attribute Configuration by Authorized Individuals | | | | |
| 💼 AC-17 Remote Access | 10 | | 1 | |
| 💼 AC-17(1) Remote Access _ Monitoring and Control | | 1 | 1 | |
| 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption | | 12 | 17 | |
| 💼 AC-17(3) Remote Access _ Managed Access Control Points | | | | |
| 💼 AC-17(4) Remote Access _ Privileged Commands and Access | | | | |
| 💼 AC-17(5) Remote Access _ Monitoring for Unauthorized Connections | | | | |
| 💼 AC-17(6) Remote Access _ Protection of Mechanism Information | | | | |
| 💼 AC-17(7) Remote Access _ Additional Protection for Security Function Access | | | | |
| 💼 AC-17(8) Remote Access _ Disable Nonsecure Network Protocols | | | | |
| 💼 AC-17(9) Remote Access _ Disconnect or Disable Access | | | | |
| 💼 AC-17(10) Remote Access _ Authenticate Remote Commands | | | | |
| 💼 AC-18 Wireless Access | 5 | | 5 | |
| 💼 AC-18(1) Wireless Access _ Authentication and Encryption | | | | |
| 💼 AC-18(2) Wireless Access _ Monitoring Unauthorized Connections | | | | |
| 💼 AC-18(3) Wireless Access _ Disable Wireless Networking | | | | |
| 💼 AC-18(4) Wireless Access _ Restrict Configurations by Users | | | | |
| 💼 AC-18(5) Wireless Access _ Antennas and Transmission Power Levels | | | | |
| 💼 AC-19 Access Control for Mobile Devices | 5 | | | |
| 💼 AC-19(1) Access Control for Mobile Devices _ Use of Writable and Portable Storage Devices | | | | |
| 💼 AC-19(2) Access Control for Mobile Devices _ Use of Personally Owned Portable Storage Devices | | | | |
| 💼 AC-19(3) Access Control for Mobile Devices _ Use of Portable Storage Devices with No Identifiable Owner | | | | |
| 💼 AC-19(4) Access Control for Mobile Devices _ Restrictions for Classified Information | | | | |
| 💼 AC-19(5) Access Control for Mobile Devices _ Full Device or Container-based Encryption | | | | |
| 💼 AC-20 Use of External Systems | 5 | | | |
| 💼 AC-20(1) Use of External Systems _ Limits on Authorized Use | | | | |
| 💼 AC-20(2) Use of External Systems _ Portable Storage Devices — Restricted Use | | | | |
| 💼 AC-20(3) Use of External Systems _ Non-organizationally Owned Systems — Restricted Use | | | | |
| 💼 AC-20(4) Use of External Systems _ Network Accessible Storage Devices — Prohibited Use | | | | |
| 💼 AC-20(5) Use of External Systems _ Portable Storage Devices — Prohibited Use | | | | |
| 💼 AC-21 Information Sharing | 2 | | 5 | |
| 💼 AC-21(1) Information Sharing _ Automated Decision Support | | | | |
| 💼 AC-21(2) Information Sharing _ Information Search and Retrieval | | | | |
| 💼 AC-22 Publicly Accessible Content | | | | |
| 💼 AC-23 Data Mining Protection | | | | |
| 💼 AC-24 Access Control Decisions | 2 | | | |
| 💼 AC-24(1) Access Control Decisions _ Transmit Access Authorization Information | | | | |
| 💼 AC-24(2) Access Control Decisions _ No User or Process Identity | | | | |
| 💼 AC-25 Reference Monitor | | | | |