💼 NIST SP 800-53 Revision 5

ID: /frameworks/nist-sp-800-53-r5

Description

Empty...

Similar

Internal
- ID: dec-a-815f9955

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AC Access Control	25	104	153	no data
💼 AC-1 Policy and Procedures				no data
💼 AC-2 Account Management	13	20	35	no data
💼 AC-2(1) Account Management _ Automated System Account Management		4	16	no data
💼 AC-2(2) Account Management _ Automated Temporary and Emergency Account Management				no data
💼 AC-2(3) Account Management _ Disable Accounts		1	4	no data
💼 AC-2(4) Account Management _ Automated Audit Actions		14	16	no data
💼 AC-2(5) Account Management _ Inactivity Logout				no data
💼 AC-2(6) Account Management _ Dynamic Privilege Management				no data
💼 AC-2(7) Account Management _ Privileged User Accounts		1	1	no data
💼 AC-2(8) Account Management _ Dynamic Account Management				no data
💼 AC-2(9) Account Management _ Restrictions on Use of Shared and Group Accounts				no data
💼 AC-2(10) Account Management _ Shared and Group Account Credential Change				no data
💼 AC-2(11) Account Management _ Usage Conditions				no data
💼 AC-2(12) Account Management _ Account Monitoring for Atypical Usage			1	no data
💼 AC-2(13) Account Management _ Disable Accounts for High-risk Individuals				no data
💼 AC-3 Access Enforcement	15	5	37	no data
💼 AC-3(1) Access Enforcement _ Restricted Access to Privileged Functions				no data
💼 AC-3(2) Access Enforcement _ Dual Authorization				no data
💼 AC-3(3) Access Enforcement _ Mandatory Access Control				no data
💼 AC-3(4) Access Enforcement _ Discretionary Access Control				no data
💼 AC-3(5) Access Enforcement _ Security-relevant Information				no data
💼 AC-3(6) Access Enforcement _ Protection of User and System Information				no data
💼 AC-3(7) Access Enforcement _ Role-based Access Control			14	no data
💼 AC-3(8) Access Enforcement _ Revocation of Access Authorizations				no data
💼 AC-3(9) Access Enforcement _ Controlled Release				no data
💼 AC-3(10) Access Enforcement _ Audited Override of Access Control Mechanisms				no data
💼 AC-3(11) Access Enforcement _ Restrict Access to Specific Information Types				no data
💼 AC-3(12) Access Enforcement _ Assert and Enforce Application Access				no data
💼 AC-3(13) Access Enforcement _ Attribute-based Access Control				no data
💼 AC-3(14) Access Enforcement _ Individual Access				no data
💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			11	no data
💼 AC-4 Information Flow Enforcement	32	68	89	no data
💼 AC-4(1) Information Flow Enforcement _ Object Security and Privacy Attributes				no data
💼 AC-4(2) Information Flow Enforcement _ Processing Domains		30	32	no data
💼 AC-4(3) Information Flow Enforcement _ Dynamic Information Flow Control				no data
💼 AC-4(4) Information Flow Enforcement _ Flow Control of Encrypted Information				no data
💼 AC-4(5) Information Flow Enforcement _ Embedded Data Types		1	1	no data
💼 AC-4(6) Information Flow Enforcement _ Metadata				no data
💼 AC-4(7) Information Flow Enforcement _ One-way Flow Mechanisms				no data
💼 AC-4(8) Information Flow Enforcement _ Security and Privacy Policy Filters				no data
💼 AC-4(9) Information Flow Enforcement _ Human Reviews				no data
💼 AC-4(10) Information Flow Enforcement _ Enable and Disable Security or Privacy Policy Filters				no data
💼 AC-4(11) Information Flow Enforcement _ Configuration of Security or Privacy Policy Filters				no data
💼 AC-4(12) Information Flow Enforcement _ Data Type Identifiers				no data
💼 AC-4(13) Information Flow Enforcement _ Decomposition into Policy-relevant Subcomponents				no data
💼 AC-4(14) Information Flow Enforcement _ Security or Privacy Policy Filter Constraints		2	2	no data
💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information		9	10	no data
💼 AC-4(16) Information Flow Enforcement _ Information Transfers on Interconnected Systems				no data
💼 AC-4(17) Information Flow Enforcement _ Domain Authentication				no data
💼 AC-4(18) Information Flow Enforcement _ Security Attribute Binding				no data
💼 AC-4(19) Information Flow Enforcement _ Validation of Metadata				no data
💼 AC-4(20) Information Flow Enforcement _ Approved Solutions				no data
💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	46	no data
💼 AC-4(22) Information Flow Enforcement _ Access Only				no data
💼 AC-4(23) Information Flow Enforcement _ Modify Non-releasable Information				no data
💼 AC-4(24) Information Flow Enforcement _ Internal Normalized Format				no data
💼 AC-4(25) Information Flow Enforcement _ Data Sanitization				no data
💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			9	no data
💼 AC-4(27) Information Flow Enforcement _ Redundant/independent Filtering Mechanisms				no data
💼 AC-4(28) Information Flow Enforcement _ Linear Filter Pipelines				no data
💼 AC-4(29) Information Flow Enforcement _ Filter Orchestration Engines				no data
💼 AC-4(30) Information Flow Enforcement _ Filter Mechanisms Using Multiple Processes				no data
💼 AC-4(31) Information Flow Enforcement _ Failed Content Transfer Prevention				no data
💼 AC-4(32) Information Flow Enforcement _ Process Requirements for Information Transfer				no data
💼 AC-5 Separation of Duties			13	no data
💼 AC-6 Least Privilege	10	23	49	no data
💼 AC-6(1) Least Privilege _ Authorize Access to Security Functions		2	2	no data
💼 AC-6(2) Least Privilege _ Non-privileged Access for Nonsecurity Functions		4	4	no data
💼 AC-6(3) Least Privilege _ Network Access to Privileged Commands			2	no data
💼 AC-6(4) Least Privilege _ Separate Processing Domains				no data
💼 AC-6(5) Least Privilege _ Privileged Accounts		3	3	no data
💼 AC-6(6) Least Privilege _ Privileged Access by Non-organizational Users				no data
💼 AC-6(7) Least Privilege _ Review of User Privileges				no data
💼 AC-6(8) Least Privilege _ Privilege Levels for Code Execution				no data
💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	19	no data
💼 AC-6(10) Least Privilege _ Prohibit Non-privileged Users from Executing Privileged Functions			2	no data
💼 AC-7 Unsuccessful Logon Attempts	4			no data
💼 AC-7(1) Unsuccessful Logon Attempts _ Automatic Account Lock				no data
💼 AC-7(2) Unsuccessful Logon Attempts _ Purge or Wipe Mobile Device				no data
💼 AC-7(3) Unsuccessful Logon Attempts _ Biometric Attempt Limiting				no data
💼 AC-7(4) Unsuccessful Logon Attempts _ Use of Alternate Authentication Factor				no data
💼 AC-8 System Use Notification				no data
💼 AC-9 Previous Logon Notification	4			no data
💼 AC-9(1) Previous Logon Notification _ Unsuccessful Logons				no data
💼 AC-9(2) Previous Logon Notification _ Successful and Unsuccessful Logons				no data
💼 AC-9(3) Previous Logon Notification _ Notification of Account Changes				no data
💼 AC-9(4) Previous Logon Notification _ Additional Logon Information				no data
💼 AC-10 Concurrent Session Control				no data
💼 AC-11 Device Lock	1			no data
💼 AC-11(1) Device Lock _ Pattern-hiding Displays				no data
💼 AC-12 Session Termination	3			no data
💼 AC-12(1) Session Termination _ User-initiated Logouts				no data
💼 AC-12(2) Session Termination _ Termination Message				no data
💼 AC-12(3) Session Termination _ Timeout Warning Message				no data
💼 AC-13 Supervision and Review — Access Control				no data
💼 AC-14 Permitted Actions Without Identification or Authentication	1			no data
💼 AC-14(1) Permitted Actions Without Identification or Authentication _ Necessary Uses				no data
💼 AC-15 Automated Marking				no data
💼 AC-16 Security and Privacy Attributes	10			no data
💼 AC-16(1) Security and Privacy Attributes _ Dynamic Attribute Association				no data
💼 AC-16(2) Security and Privacy Attributes _ Attribute Value Changes by Authorized Individuals				no data
💼 AC-16(3) Security and Privacy Attributes _ Maintenance of Attribute Associations by System				no data
💼 AC-16(4) Security and Privacy Attributes _ Association of Attributes by Authorized Individuals				no data
💼 AC-16(5) Security and Privacy Attributes _ Attribute Displays on Objects to Be Output				no data
💼 AC-16(6) Security and Privacy Attributes _ Maintenance of Attribute Association				no data
💼 AC-16(7) Security and Privacy Attributes _ Consistent Attribute Interpretation				no data
💼 AC-16(8) Security and Privacy Attributes _ Association Techniques and Technologies				no data
💼 AC-16(9) Security and Privacy Attributes _ Attribute Reassignment — Regrading Mechanisms				no data
💼 AC-16(10) Security and Privacy Attributes _ Attribute Configuration by Authorized Individuals				no data
💼 AC-17 Remote Access	10	13	19	no data
💼 AC-17(1) Remote Access _ Monitoring and Control		1	1	no data
💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption		12	17	no data
💼 AC-17(3) Remote Access _ Managed Access Control Points				no data
💼 AC-17(4) Remote Access _ Privileged Commands and Access				no data
💼 AC-17(5) Remote Access _ Monitoring for Unauthorized Connections				no data
💼 AC-17(6) Remote Access _ Protection of Mechanism Information				no data
💼 AC-17(7) Remote Access _ Additional Protection for Security Function Access				no data
💼 AC-17(8) Remote Access _ Disable Nonsecure Network Protocols				no data
💼 AC-17(9) Remote Access _ Disconnect or Disable Access				no data
💼 AC-17(10) Remote Access _ Authenticate Remote Commands				no data
💼 AC-18 Wireless Access	5		5	no data
💼 AC-18(1) Wireless Access _ Authentication and Encryption				no data
💼 AC-18(2) Wireless Access _ Monitoring Unauthorized Connections				no data
💼 AC-18(3) Wireless Access _ Disable Wireless Networking				no data
💼 AC-18(4) Wireless Access _ Restrict Configurations by Users				no data
💼 AC-18(5) Wireless Access _ Antennas and Transmission Power Levels				no data
💼 AC-19 Access Control for Mobile Devices	5			no data
💼 AC-19(1) Access Control for Mobile Devices _ Use of Writable and Portable Storage Devices				no data
💼 AC-19(2) Access Control for Mobile Devices _ Use of Personally Owned Portable Storage Devices				no data
💼 AC-19(3) Access Control for Mobile Devices _ Use of Portable Storage Devices with No Identifiable Owner				no data
💼 AC-19(4) Access Control for Mobile Devices _ Restrictions for Classified Information				no data
💼 AC-19(5) Access Control for Mobile Devices _ Full Device or Container-based Encryption				no data
💼 AC-20 Use of External Systems	5			no data
💼 AC-20(1) Use of External Systems _ Limits on Authorized Use				no data
💼 AC-20(2) Use of External Systems _ Portable Storage Devices — Restricted Use				no data
💼 AC-20(3) Use of External Systems _ Non-organizationally Owned Systems — Restricted Use				no data
💼 AC-20(4) Use of External Systems _ Network Accessible Storage Devices — Prohibited Use				no data
💼 AC-20(5) Use of External Systems _ Portable Storage Devices — Prohibited Use				no data
💼 AC-21 Information Sharing	2		8	no data
💼 AC-21(1) Information Sharing _ Automated Decision Support				no data
💼 AC-21(2) Information Sharing _ Information Search and Retrieval				no data
💼 AC-22 Publicly Accessible Content				no data
💼 AC-23 Data Mining Protection				no data
💼 AC-24 Access Control Decisions	2			no data
💼 AC-24(1) Access Control Decisions _ Transmit Access Authorization Information				no data
💼 AC-24(2) Access Control Decisions _ No User or Process Identity				no data
💼 AC-25 Reference Monitor				no data
💼 AT Awareness And Training	6			no data
💼 AT-1 Policy and Procedures				no data
💼 AT-2 Literacy Training and Awareness	6			no data
💼 AT-2(1) Literacy Training and Awareness _ Practical Exercises				no data
💼 AT-2(2) Literacy Training and Awareness _ Insider Threat				no data
💼 AT-2(3) Literacy Training and Awareness _ Social Engineering and Mining				no data
💼 AT-2(4) Literacy Training and Awareness _ Suspicious Communications and Anomalous System Behavior				no data
💼 AT-2(5) Literacy Training and Awareness _ Advanced Persistent Threat				no data
💼 AT-2(6) Literacy Training and Awareness _ Cyber Threat Environment				no data
💼 AT-3 Role-based Training	5			no data
💼 AT-3(1) Role-based Training _ Environmental Controls				no data
💼 AT-3(2) Role-based Training _ Physical Security Controls				no data
💼 AT-3(3) Role-based Training _ Practical Exercises				no data
💼 AT-3(4) Role-based Training _ Suspicious Communications and Anomalous System Behavior				no data
💼 AT-3(5) Role-based Training _ Processing Personally Identifiable Information				no data
💼 AT-4 Training Records				no data
💼 AT-5 Contacts with Security Groups and Associations				no data
💼 AT-6 Training Feedback				no data
💼 AU Audit And Accountability	16	51	74	no data
💼 AU-1 Policy and Procedures				no data
💼 AU-2 Event Logging	4		17	no data
💼 AU-2(1) Event Logging _ Compilation of Audit Records from Multiple Sources				no data
💼 AU-2(2) Event Logging _ Selection of Audit Events by Component				no data
💼 AU-2(3) Event Logging _ Reviews and Updates				no data
💼 AU-2(4) Event Logging _ Privileged Functions				no data
💼 AU-3 Content of Audit Records	3	13	28	no data
💼 AU-3(1) Content of Audit Records _ Additional Audit Information		13	14	no data
💼 AU-3(2) Content of Audit Records _ Centralized Management of Planned Audit Record Content				no data
💼 AU-3(3) Content of Audit Records _ Limit Personally Identifiable Information Elements				no data
💼 AU-4 Audit Log Storage Capacity	1			no data
💼 AU-4(1) Audit Log Storage Capacity _ Transfer to Alternate Storage				no data
💼 AU-5 Response to Audit Logging Process Failures	5			no data
💼 AU-5(1) Response to Audit Logging Process Failures _ Storage Capacity Warning				no data
💼 AU-5(2) Response to Audit Logging Process Failures _ Real-time Alerts				no data
💼 AU-5(3) Response to Audit Logging Process Failures _ Configurable Traffic Volume Thresholds				no data
💼 AU-5(4) Response to Audit Logging Process Failures _ Shutdown on Failure				no data
💼 AU-5(5) Response to Audit Logging Process Failures _ Alternate Audit Logging Capability				no data
💼 AU-6 Audit Record Review, Analysis, and Reporting	10	1	13	no data
💼 AU-6(1) Audit Record Review, Analysis, and Reporting _ Automated Process Integration		1	3	no data
💼 AU-6(2) Audit Record Review, Analysis, and Reporting _ Automated Security Alerts				no data
💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			8	no data
💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			8	no data
💼 AU-6(5) Audit Record Review, Analysis, and Reporting _ Integrated Analysis of Audit Records			2	no data
💼 AU-6(6) Audit Record Review, Analysis, and Reporting _ Correlation with Physical Monitoring				no data
💼 AU-6(7) Audit Record Review, Analysis, and Reporting _ Permitted Actions				no data
💼 AU-6(8) Audit Record Review, Analysis, and Reporting _ Full Text Analysis of Privileged Commands				no data
💼 AU-6(9) Audit Record Review, Analysis, and Reporting _ Correlation with Information from Nontechnical Sources				no data
💼 AU-6(10) Audit Record Review, Analysis, and Reporting _ Audit Level Adjustment				no data
💼 AU-7 Audit Record Reduction and Report Generation	2	1	18	no data
💼 AU-7(1) Audit Record Reduction and Report Generation _ Automatic Processing		1	1	no data
💼 AU-7(2) Audit Record Reduction and Report Generation _ Automatic Sort and Search				no data
💼 AU-8 Time Stamps	2			no data
💼 AU-8(1) Time Stamps _ Synchronization with Authoritative Time Source				no data
💼 AU-8(2) Time Stamps _ Secondary Authoritative Time Source				no data
💼 AU-9 Protection of Audit Information	7	2	4	no data
💼 AU-9(1) Protection of Audit Information _ Hardware Write-once Media				no data
💼 AU-9(2) Protection of Audit Information _ Store on Separate Physical Systems or Components				no data
💼 AU-9(3) Protection of Audit Information _ Cryptographic Protection				no data
💼 AU-9(4) Protection of Audit Information _ Access by Subset of Privileged Users		2	2	no data
💼 AU-9(5) Protection of Audit Information _ Dual Authorization				no data
💼 AU-9(6) Protection of Audit Information _ Read-only Access				no data
💼 AU-9(7) Protection of Audit Information _ Store on Component with Different Operating System				no data
💼 AU-10 Non-repudiation	5		7	no data
💼 AU-10(1) Non-repudiation _ Association of Identities				no data
💼 AU-10(2) Non-repudiation _ Validate Binding of Information Producer Identity				no data
💼 AU-10(3) Non-repudiation _ Chain of Custody				no data
💼 AU-10(4) Non-repudiation _ Validate Binding of Information Reviewer Identity				no data
💼 AU-10(5) Non-repudiation _ Digital Signatures				no data
💼 AU-11 Audit Record Retention	1			no data
💼 AU-11(1) Audit Record Retention _ Long-term Retrieval Capability				no data
💼 AU-12 Audit Record Generation	4	47	65	no data
💼 AU-12(1) Audit Record Generation _ System-wide and Time-correlated Audit Trail				no data
💼 AU-12(2) Audit Record Generation _ Standardized Formats				no data
💼 AU-12(3) Audit Record Generation _ Changes by Authorized Individuals				no data
💼 AU-12(4) Audit Record Generation _ Query Parameter Audits of Personally Identifiable Information				no data
💼 AU-13 Monitoring for Information Disclosure	3			no data
💼 AU-13(1) Monitoring for Information Disclosure _ Use of Automated Tools				no data
💼 AU-13(2) Monitoring for Information Disclosure _ Review of Monitored Sites				no data
💼 AU-13(3) Monitoring for Information Disclosure _ Unauthorized Replication of Information				no data
💼 AU-14 Session Audit	3		1	no data
💼 AU-14(1) Session Audit _ System Start-up			1	no data
💼 AU-14(2) Session Audit _ Capture and Record Content				no data
💼 AU-14(3) Session Audit _ Remote Viewing and Listening				no data
💼 AU-15 Alternate Audit Logging Capability				no data
💼 AU-16 Cross-organizational Audit Logging	3			no data
💼 AU-16(1) Cross-organizational Audit Logging _ Identity Preservation				no data
💼 AU-16(2) Cross-organizational Audit Logging _ Sharing of Audit Information				no data
💼 AU-16(3) Cross-organizational Audit Logging _ Disassociability				no data
💼 CA Assessment, Authorization, And Monitoring	9		36	no data
💼 CA-1 Policy and Procedures				no data
💼 CA-2 Control Assessments	3			no data
💼 CA-2(1) Control Assessments _ Independent Assessors				no data
💼 CA-2(2) Control Assessments _ Specialized Assessments				no data
💼 CA-2(3) Control Assessments _ Leveraging Results from External Organizations				no data
💼 CA-3 Information Exchange	7			no data
💼 CA-3(1) Information Exchange _ Unclassified National Security System Connections				no data
💼 CA-3(2) Information Exchange _ Classified National Security System Connections				no data
💼 CA-3(3) Information Exchange _ Unclassified Non-national Security System Connections				no data
💼 CA-3(4) Information Exchange _ Connections to Public Networks				no data
💼 CA-3(5) Information Exchange _ Restrictions on External System Connections				no data
💼 CA-3(6) Information Exchange _ Transfer Authorizations				no data
💼 CA-3(7) Information Exchange _ Transitive Information Exchanges				no data
💼 CA-4 Security Certification				no data
💼 CA-5 Plan of Action and Milestones	1			no data
💼 CA-5(1) Plan of Action and Milestones _ Automation Support for Accuracy and Currency				no data
💼 CA-6 Authorization	2			no data
💼 CA-6(1) Authorization _ Joint Authorization — Intra-organization				no data
💼 CA-6(2) Authorization _ Joint Authorization — Inter-organization				no data
💼 CA-7 Continuous Monitoring	6		12	no data
💼 CA-7(1) Continuous Monitoring _ Independent Assessment				no data
💼 CA-7(2) Continuous Monitoring _ Types of Assessments				no data
💼 CA-7(3) Continuous Monitoring _ Trend Analyses				no data
💼 CA-7(4) Continuous Monitoring _ Risk Monitoring				no data
💼 CA-7(5) Continuous Monitoring _ Consistency Analysis				no data
💼 CA-7(6) Continuous Monitoring _ Automation Support for Monitoring				no data
💼 CA-8 Penetration Testing	3			no data
💼 CA-8(1) Penetration Testing _ Independent Penetration Testing Agent or Team				no data
💼 CA-8(2) Penetration Testing _ Red Team Exercises				no data
💼 CA-8(3) Penetration Testing _ Facility Penetration Testing				no data
💼 CA-9 Internal System Connections	1		24	no data
💼 CA-9(1) Internal System Connections _ Compliance Checks			23	no data
💼 CM Configuration Management	14	17	60	no data
💼 CM-1 Policy and Procedures			3	no data
💼 CM-2 Baseline Configuration	7		27	no data
💼 CM-2(1) Baseline Configuration _ Reviews and Updates				no data
💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency			16	no data
💼 CM-2(3) Baseline Configuration _ Retention of Previous Configurations				no data
💼 CM-2(4) Baseline Configuration _ Unauthorized Software				no data
💼 CM-2(5) Baseline Configuration _ Authorized Software				no data
💼 CM-2(6) Baseline Configuration _ Development and Test Environments				no data
💼 CM-2(7) Baseline Configuration _ Configure Systems and Components for High-risk Areas				no data
💼 CM-3 Configuration Change Control	8	17	25	no data
💼 CM-3(1) Configuration Change Control _ Automated Documentation, Notification, and Prohibition of Changes				no data
💼 CM-3(2) Configuration Change Control _ Testing, Validation, and Documentation of Changes				no data
💼 CM-3(3) Configuration Change Control _ Automated Change Implementation				no data
💼 CM-3(4) Configuration Change Control _ Security and Privacy Representatives				no data
💼 CM-3(5) Configuration Change Control _ Automated Security Response				no data
💼 CM-3(6) Configuration Change Control _ Cryptography Management			6	no data
💼 CM-3(7) Configuration Change Control _ Review System Changes				no data
💼 CM-3(8) Configuration Change Control _ Prevent or Restrict Configuration Changes				no data
💼 CM-4 Impact Analyses	2			no data
💼 CM-4(1) Impact Analyses _ Separate Test Environments				no data
💼 CM-4(2) Impact Analyses _ Verification of Controls				no data
💼 CM-5 Access Restrictions for Change	7			no data
💼 CM-5(1) Access Restrictions for Change _ Automated Access Enforcement and Audit Records				no data
💼 CM-5(2) Access Restrictions for Change _ Review System Changes				no data
💼 CM-5(3) Access Restrictions for Change _ Signed Components				no data
💼 CM-5(4) Access Restrictions for Change _ Dual Authorization				no data
💼 CM-5(5) Access Restrictions for Change _ Privilege Limitation for Production and Operation				no data
💼 CM-5(6) Access Restrictions for Change _ Limit Library Privileges				no data
💼 CM-5(7) Access Restrictions for Change _ Automatic Implementation of Security Safeguards				no data
💼 CM-6 Configuration Settings	4		12	no data
💼 CM-6(1) Configuration Settings _ Automated Management, Application, and Verification			1	no data
💼 CM-6(2) Configuration Settings _ Respond to Unauthorized Changes				no data
💼 CM-6(3) Configuration Settings _ Unauthorized Change Detection				no data
💼 CM-6(4) Configuration Settings _ Conformance Demonstration				no data
💼 CM-7 Least Functionality	9		23	no data
💼 CM-7(1) Least Functionality _ Periodic Review				no data
💼 CM-7(2) Least Functionality _ Prevent Program Execution				no data
💼 CM-7(3) Least Functionality _ Registration Compliance				no data
💼 CM-7(4) Least Functionality _ Unauthorized Software — Deny-by-exception				no data
💼 CM-7(5) Least Functionality _ Authorized Software — Allow-by-exception				no data
💼 CM-7(6) Least Functionality _ Confined Environments with Limited Privileges				no data
💼 CM-7(7) Least Functionality _ Code Execution in Protected Environments				no data
💼 CM-7(8) Least Functionality _ Binary or Machine Executable Code				no data
💼 CM-7(9) Least Functionality _ Prohibiting The Use of Unauthorized Hardware				no data
💼 CM-8 System Component Inventory	9		5	no data
💼 CM-8(1) System Component Inventory _ Updates During Installation and Removal			2	no data
💼 CM-8(2) System Component Inventory _ Automated Maintenance			1	no data
💼 CM-8(3) System Component Inventory _ Automated Unauthorized Component Detection			1	no data
💼 CM-8(4) System Component Inventory _ Accountability Information				no data
💼 CM-8(5) System Component Inventory _ No Duplicate Accounting of Components				no data
💼 CM-8(6) System Component Inventory _ Assessed Configurations and Approved Deviations				no data
💼 CM-8(7) System Component Inventory _ Centralized Repository				no data
💼 CM-8(8) System Component Inventory _ Automated Location Tracking				no data
💼 CM-8(9) System Component Inventory _ Assignment of Components to Systems				no data
💼 CM-9 Configuration Management Plan	1		8	no data
💼 CM-9(1) Configuration Management Plan _ Assignment of Responsibility				no data
💼 CM-10 Software Usage Restrictions	1			no data
💼 CM-10(1) Software Usage Restrictions _ Open-source Software				no data
💼 CM-11 User-installed Software	3			no data
💼 CM-11(1) User-installed Software _ Alerts for Unauthorized Installations				no data
💼 CM-11(2) User-installed Software _ Software Installation with Privileged Status				no data
💼 CM-11(3) User-installed Software _ Automated Enforcement and Monitoring				no data
💼 CM-12 Information Location	1			no data
💼 CM-12(1) Information Location _ Automated Tools to Support Information Location				no data
💼 CM-13 Data Action Mapping				no data
💼 CM-14 Signed Components				no data
💼 CP Contingency Planning	13		10	no data
💼 CP-1 Policy and Procedures				no data
💼 CP-2 Contingency Plan	8		2	no data
💼 CP-2(1) Contingency Plan _ Coordinate with Related Plans				no data
💼 CP-2(2) Contingency Plan _ Capacity Planning			2	no data
💼 CP-2(3) Contingency Plan _ Resume Mission and Business Functions				no data
💼 CP-2(4) Contingency Plan _ Resume All Mission and Business Functions				no data
💼 CP-2(5) Contingency Plan _ Continue Mission and Business Functions				no data
💼 CP-2(6) Contingency Plan _ Alternate Processing and Storage Sites				no data
💼 CP-2(7) Contingency Plan _ Coordinate with External Service Providers				no data
💼 CP-2(8) Contingency Plan _ Identify Critical Assets				no data
💼 CP-3 Contingency Training	2			no data
💼 CP-3(1) Contingency Training _ Simulated Events				no data
💼 CP-3(2) Contingency Training _ Mechanisms Used in Training Environments				no data
💼 CP-4 Contingency Plan Testing	5			no data
💼 CP-4(1) Contingency Plan Testing _ Coordinate with Related Plans				no data
💼 CP-4(2) Contingency Plan Testing _ Alternate Processing Site				no data
💼 CP-4(3) Contingency Plan Testing _ Automated Testing				no data
💼 CP-4(4) Contingency Plan Testing _ Full Recovery and Reconstitution				no data
💼 CP-4(5) Contingency Plan Testing _ Self-challenge				no data
💼 CP-5 Contingency Plan Update				no data
💼 CP-6 Alternate Storage Site	3		7	no data
💼 CP-6(1) Alternate Storage Site _ Separation from Primary Site				no data
💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives			7	no data
💼 CP-6(3) Alternate Storage Site _ Accessibility				no data
💼 CP-7 Alternate Processing Site	6			no data
💼 CP-7(1) Alternate Processing Site _ Separation from Primary Site				no data
💼 CP-7(2) Alternate Processing Site _ Accessibility				no data
💼 CP-7(3) Alternate Processing Site _ Priority of Service				no data
💼 CP-7(4) Alternate Processing Site _ Preparation for Use				no data
💼 CP-7(5) Alternate Processing Site _ Equivalent Information Security Safeguards				no data
💼 CP-7(6) Alternate Processing Site _ Inability to Return to Primary Site				no data
💼 CP-8 Telecommunications Services	5			no data
💼 CP-8(1) Telecommunications Services _ Priority of Service Provisions				no data
💼 CP-8(2) Telecommunications Services _ Single Points of Failure				no data
💼 CP-8(3) Telecommunications Services _ Separation of Primary and Alternate Providers				no data
💼 CP-8(4) Telecommunications Services _ Provider Contingency Plan				no data
💼 CP-8(5) Telecommunications Services _ Alternate Telecommunication Service Testing				no data
💼 CP-9 System Backup	8		4	no data
💼 CP-9(1) System Backup _ Testing for Reliability and Integrity				no data
💼 CP-9(2) System Backup _ Test Restoration Using Sampling				no data
💼 CP-9(3) System Backup _ Separate Storage for Critical Information				no data
💼 CP-9(4) System Backup _ Protection from Unauthorized Modification				no data
💼 CP-9(5) System Backup _ Transfer to Alternate Storage Site				no data
💼 CP-9(6) System Backup _ Redundant Secondary System				no data
💼 CP-9(7) System Backup _ Dual Authorization for Deletion or Destruction				no data
💼 CP-9(8) System Backup _ Cryptographic Protection			1	no data
💼 CP-10 System Recovery and Reconstitution	6		8	no data
💼 CP-10(1) System Recovery and Reconstitution _ Contingency Plan Testing				no data
💼 CP-10(2) System Recovery and Reconstitution _ Transaction Recovery				no data
💼 CP-10(3) System Recovery and Reconstitution _ Compensating Security Controls				no data
💼 CP-10(4) System Recovery and Reconstitution _ Restore Within Time Period				no data
💼 CP-10(5) System Recovery and Reconstitution _ Failover Capability				no data
💼 CP-10(6) System Recovery and Reconstitution _ Component Protection				no data
💼 CP-11 Alternate Communications Protocols				no data
💼 CP-12 Safe Mode				no data
💼 CP-13 Alternative Security Mechanisms				no data
💼 IA Identification And Authentication	12		18	no data
💼 IA-1 Policy and Procedures				no data
💼 IA-2 Identification and Authentication (organizational Users)	13		2	no data
💼 IA-2(1) Identification and Authentication (organizational Users) _ Multi-factor Authentication to Privileged Accounts			2	no data
💼 IA-2(2) Identification and Authentication (organizational Users) _ Multi-factor Authentication to Non-privileged Accounts			2	no data
💼 IA-2(3) Identification and Authentication (organizational Users) _ Local Access to Privileged Accounts				no data
💼 IA-2(4) Identification and Authentication (organizational Users) _ Local Access to Non-privileged Accounts				no data
💼 IA-2(5) Identification and Authentication (organizational Users) _ Individual Authentication with Group Authentication				no data
💼 IA-2(6) Identification and Authentication (organizational Users) _ Access to Accounts —separate Device			2	no data
💼 IA-2(7) Identification and Authentication (organizational Users) _ Network Access to Non-privileged Accounts — Separate Device				no data
💼 IA-2(8) Identification and Authentication (organizational Users) _ Access to Accounts — Replay Resistant			2	no data
💼 IA-2(9) Identification and Authentication (organizational Users) _ Network Access to Non-privileged Accounts — Replay Resistant				no data
💼 IA-2(10) Identification and Authentication (organizational Users) _ Single Sign-on				no data
💼 IA-2(11) Identification and Authentication (organizational Users) _ Remote Access — Separate Device				no data
💼 IA-2(12) Identification and Authentication (organizational Users) _ Acceptance of PIV Credentials				no data
💼 IA-2(13) Identification and Authentication (organizational Users) _ Out-of-band Authentication				no data
💼 IA-3 Device Identification and Authentication	4			no data
💼 IA-3(1) Device Identification and Authentication _ Cryptographic Bidirectional Authentication				no data
💼 IA-3(2) Device Identification and Authentication _ Cryptographic Bidirectional Network Authentication				no data
💼 IA-3(3) Device Identification and Authentication _ Dynamic Address Allocation				no data
💼 IA-3(4) Device Identification and Authentication _ Device Attestation				no data
💼 IA-4 Identifier Management	9			no data
💼 IA-4(1) Identifier Management _ Prohibit Account Identifiers as Public Identifiers				no data
💼 IA-4(2) Identifier Management _ Supervisor Authorization				no data
💼 IA-4(3) Identifier Management _ Multiple Forms of Certification				no data
💼 IA-4(4) Identifier Management _ Identify User Status				no data
💼 IA-4(5) Identifier Management _ Dynamic Management				no data
💼 IA-4(6) Identifier Management _ Cross-organization Management				no data
💼 IA-4(7) Identifier Management _ In-person Registration				no data
💼 IA-4(8) Identifier Management _ Pairwise Pseudonymous Identifiers				no data
💼 IA-4(9) Identifier Management _ Attribute Maintenance and Protection				no data
💼 IA-5 Authenticator Management	18		16	no data
💼 IA-5(1) Authenticator Management _ Password-based Authentication			8	no data
💼 IA-5(2) Authenticator Management _ Public Key-based Authentication				no data
💼 IA-5(3) Authenticator Management _ In-person or Trusted External Party Registration				no data
💼 IA-5(4) Authenticator Management _ Automated Support for Password Strength Determination				no data
💼 IA-5(5) Authenticator Management _ Change Authenticators Prior to Delivery				no data
💼 IA-5(6) Authenticator Management _ Protection of Authenticators				no data
💼 IA-5(7) Authenticator Management _ No Embedded Unencrypted Static Authenticators				no data
💼 IA-5(8) Authenticator Management _ Multiple System Accounts				no data
💼 IA-5(9) Authenticator Management _ Federated Credential Management				no data
💼 IA-5(10) Authenticator Management _ Dynamic Credential Binding				no data
💼 IA-5(11) Authenticator Management _ Hardware Token-based Authentication				no data
💼 IA-5(12) Authenticator Management _ Biometric Authentication Performance				no data
💼 IA-5(13) Authenticator Management _ Expiration of Cached Authenticators				no data
💼 IA-5(14) Authenticator Management _ Managing Content of PKI Trust Stores				no data
💼 IA-5(15) Authenticator Management _ GSA-approved Products and Services				no data
💼 IA-5(16) Authenticator Management _ In-person or Trusted External Party Authenticator Issuance				no data
💼 IA-5(17) Authenticator Management _ Presentation Attack Detection for Biometric Authenticators				no data
💼 IA-5(18) Authenticator Management _ Password Managers				no data
💼 IA-6 Authentication Feedback				no data
💼 IA-7 Cryptographic Module Authentication				no data
💼 IA-8 Identification and Authentication (non-organizational Users)	6			no data
💼 IA-8(1) Identification and Authentication (non-organizational Users) _ Acceptance of PIV Credentials from Other Agencies				no data
💼 IA-8(2) Identification and Authentication (non-organizational Users) _ Acceptance of External Authenticators				no data
💼 IA-8(3) Identification and Authentication (non-organizational Users) _ Use of FICAM-approved Products				no data
💼 IA-8(4) Identification and Authentication (non-organizational Users) _ Use of Defined Profiles				no data
💼 IA-8(5) Identification and Authentication (non-organizational Users) _ Acceptance of PVI-I Credentials				no data
💼 IA-8(6) Identification and Authentication (non-organizational Users) _ Disassociability				no data
💼 IA-9 Service Identification and Authentication	2			no data
💼 IA-9(1) Service Identification and Authentication _ Information Exchange				no data
💼 IA-9(2) Service Identification and Authentication _ Transmission of Decisions				no data
💼 IA-10 Adaptive Authentication				no data
💼 IA-11 Re-authentication				no data
💼 IA-12 Identity Proofing	6			no data
💼 IA-12(1) Identity Proofing _ Supervisor Authorization				no data
💼 IA-12(2) Identity Proofing _ Identity Evidence				no data
💼 IA-12(3) Identity Proofing _ Identity Evidence Validation and Verification				no data
💼 IA-12(4) Identity Proofing _ In-person Validation and Verification				no data
💼 IA-12(5) Identity Proofing _ Address Confirmation				no data
💼 IA-12(6) Identity Proofing _ Accept Externally-proofed Identities				no data
💼 IR Incident Response	10		1	no data
💼 IR-1 Policy and Procedures				no data
💼 IR-2 Incident Response Training	3			no data
💼 IR-2(1) Incident Response Training _ Simulated Events				no data
💼 IR-2(2) Incident Response Training _ Automated Training Environments				no data
💼 IR-2(3) Incident Response Training _ Breach				no data
💼 IR-3 Incident Response Testing	3			no data
💼 IR-3(1) Incident Response Testing _ Automated Testing				no data
💼 IR-3(2) Incident Response Testing _ Coordination with Related Plans				no data
💼 IR-3(3) Incident Response Testing _ Continuous Improvement				no data
💼 IR-4 Incident Handling	15			no data
💼 IR-4(1) Incident Handling _ Automated Incident Handling Processes				no data
💼 IR-4(2) Incident Handling _ Dynamic Reconfiguration				no data
💼 IR-4(3) Incident Handling _ Continuity of Operations				no data
💼 IR-4(4) Incident Handling _ Information Correlation				no data
💼 IR-4(5) Incident Handling _ Automatic Disabling of System				no data
💼 IR-4(6) Incident Handling _ Insider Threats				no data
💼 IR-4(7) Incident Handling _ Insider Threats — Intra-organization Coordination				no data
💼 IR-4(8) Incident Handling _ Correlation with External Organizations				no data
💼 IR-4(9) Incident Handling _ Dynamic Response Capability				no data
💼 IR-4(10) Incident Handling _ Supply Chain Coordination				no data
💼 IR-4(11) Incident Handling _ Integrated Incident Response Team				no data
💼 IR-4(12) Incident Handling _ Malicious Code and Forensic Analysis				no data
💼 IR-4(13) Incident Handling _ Behavior Analysis				no data
💼 IR-4(14) Incident Handling _ Security Operations Center				no data
💼 IR-4(15) Incident Handling _ Public Relations and Reputation Repair				no data
💼 IR-5 Incident Monitoring	1			no data
💼 IR-5(1) Incident Monitoring _ Automated Tracking, Data Collection, and Analysis				no data
💼 IR-6 Incident Reporting	3		1	no data
💼 IR-6(1) Incident Reporting _ Automated Reporting				no data
💼 IR-6(2) Incident Reporting _ Vulnerabilities Related to Incidents				no data
💼 IR-6(3) Incident Reporting _ Supply Chain Coordination				no data
💼 IR-7 Incident Response Assistance	2			no data
💼 IR-7(1) Incident Response Assistance _ Automation Support for Availability of Information and Support				no data
💼 IR-7(2) Incident Response Assistance _ Coordination with External Providers				no data
💼 IR-8 Incident Response Plan	1			no data
💼 IR-8(1) Incident Response Plan _ Breaches				no data
💼 IR-9 Information Spillage Response	4			no data
💼 IR-9(1) Information Spillage Response _ Responsible Personnel				no data
💼 IR-9(2) Information Spillage Response _ Training				no data
💼 IR-9(3) Information Spillage Response _ Post-spill Operations				no data
💼 IR-9(4) Information Spillage Response _ Exposure to Unauthorized Personnel				no data
💼 IR-10 Integrated Information Security Analysis Team				no data
💼 MA Maintenance	7		1	no data
💼 MA-1 Policy and Procedures				no data
💼 MA-2 Controlled Maintenance	2			no data
💼 MA-2(1) Controlled Maintenance _ Record Content				no data
💼 MA-2(2) Controlled Maintenance _ Automated Maintenance Activities				no data
💼 MA-3 Maintenance Tools	6			no data
💼 MA-3(1) Maintenance Tools _ Inspect Tools				no data
💼 MA-3(2) Maintenance Tools _ Inspect Media				no data
💼 MA-3(3) Maintenance Tools _ Prevent Unauthorized Removal				no data
💼 MA-3(4) Maintenance Tools _ Restricted Tool Use				no data
💼 MA-3(5) Maintenance Tools _ Execution with Privilege				no data
💼 MA-3(6) Maintenance Tools _ Software Updates and Patches				no data
💼 MA-4 Nonlocal Maintenance	7		1	no data
💼 MA-4(1) Nonlocal Maintenance _ Logging and Review				no data
💼 MA-4(2) Nonlocal Maintenance _ Document Nonlocal Maintenance				no data
💼 MA-4(3) Nonlocal Maintenance _ Comparable Security and Sanitization				no data
💼 MA-4(4) Nonlocal Maintenance _ Authentication and Separation of Maintenance Sessions				no data
💼 MA-4(5) Nonlocal Maintenance _ Approvals and Notifications				no data
💼 MA-4(6) Nonlocal Maintenance _ Cryptographic Protection				no data
💼 MA-4(7) Nonlocal Maintenance _ Disconnect Verification				no data
💼 MA-5 Maintenance Personnel	5			no data
💼 MA-5(1) Maintenance Personnel _ Individuals Without Appropriate Access				no data
💼 MA-5(2) Maintenance Personnel _ Security Clearances for Classified Systems				no data
💼 MA-5(3) Maintenance Personnel _ Citizenship Requirements for Classified Systems				no data
💼 MA-5(4) Maintenance Personnel _ Foreign Nationals				no data
💼 MA-5(5) Maintenance Personnel _ Non-system Maintenance				no data
💼 MA-6 Timely Maintenance	3			no data
💼 MA-6(1) Timely Maintenance _ Preventive Maintenance				no data
💼 MA-6(2) Timely Maintenance _ Predictive Maintenance				no data
💼 MA-6(3) Timely Maintenance _ Automated Support for Predictive Maintenance				no data
💼 MA-7 Field Maintenance				no data
💼 MP Media Protection	8		12	no data
💼 MP-1 Policy and Procedures				no data
💼 MP-2 Media Access	2		12	no data
💼 MP-2(1) Media Access _ Automated Restricted Access				no data
💼 MP-2(2) Media Access _ Cryptographic Protection				no data
💼 MP-3 Media Marking				no data
💼 MP-4 Media Storage	2			no data
💼 MP-4(1) Media Storage _ Cryptographic Protection				no data
💼 MP-4(2) Media Storage _ Automated Restricted Access				no data
💼 MP-5 Media Transport	4			no data
💼 MP-5(1) Media Transport _ Protection Outside of Controlled Areas				no data
💼 MP-5(2) Media Transport _ Documentation of Activities				no data
💼 MP-5(3) Media Transport _ Custodians				no data
💼 MP-5(4) Media Transport _ Cryptographic Protection				no data
💼 MP-6 Media Sanitization	8			no data
💼 MP-6(1) Media Sanitization _ Review, Approve, Track, Document, and Verify				no data
💼 MP-6(2) Media Sanitization _ Equipment Testing				no data
💼 MP-6(3) Media Sanitization _ Nondestructive Techniques				no data
💼 MP-6(4) Media Sanitization _ Controlled Unclassified Information				no data
💼 MP-6(5) Media Sanitization _ Classified Information				no data
💼 MP-6(6) Media Sanitization _ Media Destruction				no data
💼 MP-6(7) Media Sanitization _ Dual Authorization				no data
💼 MP-6(8) Media Sanitization _ Remote Purging or Wiping of Information				no data
💼 MP-7 Media Use	2			no data
💼 MP-7(1) Media Use _ Prohibit Use Without Owner				no data
💼 MP-7(2) Media Use _ Prohibit Use of Sanitization-resistant Media				no data
💼 MP-8 Media Downgrading	4			no data
💼 MP-8(1) Media Downgrading _ Documentation of Process				no data
💼 MP-8(2) Media Downgrading _ Equipment Testing				no data
💼 MP-8(3) Media Downgrading _ Controlled Unclassified Information				no data
💼 MP-8(4) Media Downgrading _ Classified Information				no data
💼 PE Physical And Environmental Protection	23			no data
💼 PE-1 Policy and Procedures				no data
💼 PE-2 Physical Access Authorizations	3			no data
💼 PE-2(1) Physical Access Authorizations _ Access by Position or Role				no data
💼 PE-2(2) Physical Access Authorizations _ Two Forms of Identification				no data
💼 PE-2(3) Physical Access Authorizations _ Restrict Unescorted Access				no data
💼 PE-3 Physical Access Control	8			no data
💼 PE-3(1) Physical Access Control _ System Access				no data
💼 PE-3(2) Physical Access Control _ Facility and Systems				no data
💼 PE-3(3) Physical Access Control _ Continuous Guards				no data
💼 PE-3(4) Physical Access Control _ Lockable Casings				no data
💼 PE-3(5) Physical Access Control _ Tamper Protection				no data
💼 PE-3(6) Physical Access Control _ Facility Penetration Testing				no data
💼 PE-3(7) Physical Access Control _ Physical Barriers				no data
💼 PE-3(8) Physical Access Control _ Access Control Vestibules				no data
💼 PE-4 Access Control for Transmission				no data
💼 PE-5 Access Control for Output Devices	3			no data
💼 PE-5(1) Access Control for Output Devices _ Access to Output by Authorized Individuals				no data
💼 PE-5(2) Access Control for Output Devices _ Link to Individual Identity				no data
💼 PE-5(3) Access Control for Output Devices _ Marking Output Devices				no data
💼 PE-6 Monitoring Physical Access	4			no data
💼 PE-6(1) Monitoring Physical Access _ Intrusion Alarms and Surveillance Equipment				no data
💼 PE-6(2) Monitoring Physical Access _ Automated Intrusion Recognition and Responses				no data
💼 PE-6(3) Monitoring Physical Access _ Video Surveillance				no data
💼 PE-6(4) Monitoring Physical Access _ Monitoring Physical Access to Systems				no data
💼 PE-7 Visitor Control				no data
💼 PE-8 Visitor Access Records	3			no data
💼 PE-8(1) Visitor Access Records _ Automated Records Maintenance and Review				no data
💼 PE-8(2) Visitor Access Records _ Physical Access Records				no data
💼 PE-8(3) Visitor Access Records _ Limit Personally Identifiable Information Elements				no data
💼 PE-9 Power Equipment and Cabling	2			no data
💼 PE-9(1) Power Equipment and Cabling _ Redundant Cabling				no data
💼 PE-9(2) Power Equipment and Cabling _ Automatic Voltage Controls				no data
💼 PE-10 Emergency Shutoff	1			no data
💼 PE-10(1) Emergency Shutoff _ Accidental and Unauthorized Activation				no data
💼 PE-11 Emergency Power	2			no data
💼 PE-11(1) Emergency Power _ Alternate Power Supply — Minimal Operational Capability				no data
💼 PE-11(2) Emergency Power _ Alternate Power Supply — Self-contained				no data
💼 PE-12 Emergency Lighting	1			no data
💼 PE-12(1) Emergency Lighting _ Essential Mission and Business Functions				no data
💼 PE-13 Fire Protection	4			no data
💼 PE-13(1) Fire Protection _ Detection Systems — Automatic Activation and Notification				no data
💼 PE-13(2) Fire Protection _ Suppression Systems — Automatic Activation and Notification				no data
💼 PE-13(3) Fire Protection _ Automatic Fire Suppression				no data
💼 PE-13(4) Fire Protection _ Inspections				no data
💼 PE-14 Environmental Controls	2			no data
💼 PE-14(1) Environmental Controls _ Automatic Controls				no data
💼 PE-14(2) Environmental Controls _ Monitoring with Alarms and Notifications				no data
💼 PE-15 Water Damage Protection	1			no data
💼 PE-15(1) Water Damage Protection _ Automation Support				no data
💼 PE-16 Delivery and Removal				no data
💼 PE-17 Alternate Work Site				no data
💼 PE-18 Location of System Components	1			no data
💼 PE-18(1) Location of System Components _ Facility Site				no data
💼 PE-19 Information Leakage	1			no data
💼 PE-19(1) Information Leakage _ National Emissions Policies and Procedures				no data
💼 PE-20 Asset Monitoring and Tracking				no data
💼 PE-21 Electromagnetic Pulse Protection				no data
💼 PE-22 Component Marking				no data
💼 PE-23 Facility Location				no data
💼 PL Planning	11		3	no data
💼 PL-1 Policy and Procedures				no data
💼 PL-2 System Security and Privacy Plans	3			no data
💼 PL-2(1) System Security and Privacy Plans _ Concept of Operations				no data
💼 PL-2(2) System Security and Privacy Plans _ Functional Architecture				no data
💼 PL-2(3) System Security and Privacy Plans _ Plan and Coordinate with Other Organizational Entities				no data
💼 PL-3 System Security Plan Update				no data
💼 PL-4 Rules of Behavior	1			no data
💼 PL-4(1) Rules of Behavior _ Social Media and External Site/application Usage Restrictions				no data
💼 PL-5 Privacy Impact Assessment				no data
💼 PL-6 Security-related Activity Planning				no data
💼 PL-7 Concept of Operations				no data
💼 PL-8 Security and Privacy Architectures	2		3	no data
💼 PL-8(1) Security and Privacy Architectures _ Defense in Depth				no data
💼 PL-8(2) Security and Privacy Architectures _ Supplier Diversity				no data
💼 PL-9 Central Management				no data
💼 PL-10 Baseline Selection				no data
💼 PL-11 Baseline Tailoring				no data
💼 PM Program Management	32		1	no data
💼 PM-1 Information Security Program Plan				no data
💼 PM-2 Information Security Program Leadership Role				no data
💼 PM-3 Information Security and Privacy Resources				no data
💼 PM-4 Plan of Action and Milestones Process				no data
💼 PM-5 System Inventory	1		1	no data
💼 PM-5(1) System Inventory _ Inventory of Personally Identifiable Information				no data
💼 PM-6 Measures of Performance				no data
💼 PM-7 Enterprise Architecture	1			no data
💼 PM-7(1) Enterprise Architecture _ Offloading				no data
💼 PM-8 Critical Infrastructure Plan				no data
💼 PM-9 Risk Management Strategy				no data
💼 PM-10 Authorization Process				no data
💼 PM-11 Mission and Business Process Definition				no data
💼 PM-12 Insider Threat Program				no data
💼 PM-13 Security and Privacy Workforce				no data
💼 PM-14 Testing, Training, and Monitoring				no data
💼 PM-15 Security and Privacy Groups and Associations				no data
💼 PM-16 Threat Awareness Program	1			no data
💼 PM-16(1) Threat Awareness Program _ Automated Means for Sharing Threat Intelligence				no data
💼 PM-17 Protecting Controlled Unclassified Information on External Systems				no data
💼 PM-18 Privacy Program Plan				no data
💼 PM-19 Privacy Program Leadership Role				no data
💼 PM-20 Dissemination of Privacy Program Information	1			no data
💼 PM-20(1) Dissemination of Privacy Program Information _ Privacy Policies on Websites, Applications, and Digital Services				no data
💼 PM-21 Accounting of Disclosures				no data
💼 PM-22 Personally Identifiable Information Quality Management				no data
💼 PM-23 Data Governance Body				no data
💼 PM-24 Data Integrity Board				no data
💼 PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research				no data
💼 PM-26 Complaint Management				no data
💼 PM-27 Privacy Reporting				no data
💼 PM-28 Risk Framing				no data
💼 PM-29 Risk Management Program Leadership Roles				no data
💼 PM-30 Supply Chain Risk Management Strategy	1			no data
💼 PM-30(1) Supply Chain Risk Management Strategy _ Suppliers of Critical or Mission-essential Items				no data
💼 PM-31 Continuous Monitoring Strategy				no data
💼 PM-32 Purposing				no data
💼 PS Personnel Security	9			no data
💼 PS-1 Policy and Procedures				no data
💼 PS-2 Position Risk Designation				no data
💼 PS-3 Personnel Screening	4			no data
💼 PS-3(1) Personnel Screening _ Classified Information				no data
💼 PS-3(2) Personnel Screening _ Formal Indoctrination				no data
💼 PS-3(3) Personnel Screening _ Information Requiring Special Protective Measures				no data
💼 PS-3(4) Personnel Screening _ Citizenship Requirements				no data
💼 PS-4 Personnel Termination	2			no data
💼 PS-4(1) Personnel Termination _ Post-employment Requirements				no data
💼 PS-4(2) Personnel Termination _ Automated Actions				no data
💼 PS-5 Personnel Transfer				no data
💼 PS-6 Access Agreements	3			no data
💼 PS-6(1) Access Agreements _ Information Requiring Special Protection				no data
💼 PS-6(2) Access Agreements _ Classified Information Requiring Special Protection				no data
💼 PS-6(3) Access Agreements _ Post-employment Requirements				no data
💼 PS-7 External Personnel Security				no data
💼 PS-8 Personnel Sanctions				no data
💼 PS-9 Position Descriptions				no data
💼 PT Personally Identifiable Information Processing And Transparency	8			no data
💼 PT-1 Policy and Procedures				no data
💼 PT-2 Authority to Process Personally Identifiable Information	2			no data
💼 PT-2(1) Authority to Process Personally Identifiable Information _ Data Tagging				no data
💼 PT-2(2) Authority to Process Personally Identifiable Information _ Automation				no data
💼 PT-3 Personally Identifiable Information Processing Purposes	2			no data
💼 PT-3(1) Personally Identifiable Information Processing Purposes _ Data Tagging				no data
💼 PT-3(2) Personally Identifiable Information Processing Purposes _ Automation				no data
💼 PT-4 Consent	3			no data
💼 PT-4(1) Consent _ Tailored Consent				no data
💼 PT-4(2) Consent _ Just-in-time Consent				no data
💼 PT-4(3) Consent _ Revocation				no data
💼 PT-5 Privacy Notice	2			no data
💼 PT-5(1) Privacy Notice _ Just-in-time Notice				no data
💼 PT-5(2) Privacy Notice _ Privacy Act Statements				no data
💼 PT-6 System of Records Notice	2			no data
💼 PT-6(1) System of Records Notice _ Routine Uses				no data
💼 PT-6(2) System of Records Notice _ Exemption Rules				no data
💼 PT-7 Specific Categories of Personally Identifiable Information	2			no data
💼 PT-7(1) Specific Categories of Personally Identifiable Information _ Social Security Numbers				no data
💼 PT-7(2) Specific Categories of Personally Identifiable Information _ First Amendment Information				no data
💼 PT-8 Computer Matching Requirements				no data
💼 RA Risk Assessment	10		2	no data
💼 RA-1 Policy and Procedures				no data
💼 RA-2 Security Categorization	1			no data
💼 RA-2(1) Security Categorization _ Impact-level Prioritization				no data
💼 RA-3 Risk Assessment	4		1	no data
💼 RA-3(1) Risk Assessment _ Supply Chain Risk Assessment				no data
💼 RA-3(2) Risk Assessment _ Use of All-source Intelligence				no data
💼 RA-3(3) Risk Assessment _ Dynamic Threat Awareness				no data
💼 RA-3(4) Risk Assessment _ Predictive Cyber Analytics			1	no data
💼 RA-4 Risk Assessment Update				no data
💼 RA-5 Vulnerability Monitoring and Scanning	11		1	no data
💼 RA-5(1) Vulnerability Monitoring and Scanning _ Update Tool Capability				no data
💼 RA-5(2) Vulnerability Monitoring and Scanning _ Update Vulnerabilities to Be Scanned				no data
💼 RA-5(3) Vulnerability Monitoring and Scanning _ Breadth and Depth of Coverage				no data
💼 RA-5(4) Vulnerability Monitoring and Scanning _ Discoverable Information				no data
💼 RA-5(5) Vulnerability Monitoring and Scanning _ Privileged Access				no data
💼 RA-5(6) Vulnerability Monitoring and Scanning _ Automated Trend Analyses				no data
💼 RA-5(7) Vulnerability Monitoring and Scanning _ Automated Detection and Notification of Unauthorized Components				no data
💼 RA-5(8) Vulnerability Monitoring and Scanning _ Review Historic Audit Logs				no data
💼 RA-5(9) Vulnerability Monitoring and Scanning _ Penetration Testing and Analyses				no data
💼 RA-5(10) Vulnerability Monitoring and Scanning _ Correlate Scanning Information				no data
💼 RA-5(11) Vulnerability Monitoring and Scanning _ Public Disclosure Program				no data
💼 RA-6 Technical Surveillance Countermeasures Survey				no data
💼 RA-7 Risk Response				no data
💼 RA-8 Privacy Impact Assessments				no data
💼 RA-9 Criticality Analysis				no data
💼 RA-10 Threat Hunting				no data
💼 SA System And Services Acquisition	23	1	10	no data
💼 SA-1 Policy and Procedures				no data
💼 SA-2 Allocation of Resources				no data
💼 SA-3 System Development Life Cycle	3		4	no data
💼 SA-3(1) System Development Life Cycle _ Manage Preproduction Environment				no data
💼 SA-3(2) System Development Life Cycle _ Use of Live or Operational Data				no data
💼 SA-3(3) System Development Life Cycle _ Technology Refresh				no data
💼 SA-4 Acquisition Process	12			no data
💼 SA-4(1) Acquisition Process _ Functional Properties of Controls				no data
💼 SA-4(2) Acquisition Process _ Design and Implementation Information for Controls				no data
💼 SA-4(3) Acquisition Process _ Development Methods, Techniques, and Practices				no data
💼 SA-4(4) Acquisition Process _ Assignment of Components to Systems				no data
💼 SA-4(5) Acquisition Process _ System, Component, and Service Configurations				no data
💼 SA-4(6) Acquisition Process _ Use of Information Assurance Products				no data
💼 SA-4(7) Acquisition Process _ NIAP-approved Protection Profiles				no data
💼 SA-4(8) Acquisition Process _ Continuous Monitoring Plan for Controls				no data
💼 SA-4(9) Acquisition Process _ Functions, Ports, Protocols, and Services in Use				no data
💼 SA-4(10) Acquisition Process _ Use of Approved PIV Products				no data
💼 SA-4(11) Acquisition Process _ System of Records				no data
💼 SA-4(12) Acquisition Process _ Data Ownership				no data
💼 SA-5 System Documentation	5			no data
💼 SA-5(1) System Documentation _ Functional Properties of Security Controls				no data
💼 SA-5(2) System Documentation _ Security-relevant External System Interfaces				no data
💼 SA-5(3) System Documentation _ High-level Design				no data
💼 SA-5(4) System Documentation _ Low-level Design				no data
💼 SA-5(5) System Documentation _ Source Code				no data
💼 SA-6 Software Usage Restrictions				no data
💼 SA-7 User-installed Software				no data
💼 SA-8 Security and Privacy Engineering Principles	33		8	no data
💼 SA-8(1) Security and Privacy Engineering Principles _ Clear Abstractions				no data
💼 SA-8(2) Security and Privacy Engineering Principles _ Least Common Mechanism				no data
💼 SA-8(3) Security and Privacy Engineering Principles _ Modularity and Layering				no data
💼 SA-8(4) Security and Privacy Engineering Principles _ Partially Ordered Dependencies				no data
💼 SA-8(5) Security and Privacy Engineering Principles _ Efficiently Mediated Access				no data
💼 SA-8(6) Security and Privacy Engineering Principles _ Minimized Sharing				no data
💼 SA-8(7) Security and Privacy Engineering Principles _ Reduced Complexity				no data
💼 SA-8(8) Security and Privacy Engineering Principles _ Secure Evolvability				no data
💼 SA-8(9) Security and Privacy Engineering Principles _ Trusted Components				no data
💼 SA-8(10) Security and Privacy Engineering Principles _ Hierarchical Trust				no data
💼 SA-8(11) Security and Privacy Engineering Principles _ Inverse Modification Threshold				no data
💼 SA-8(12) Security and Privacy Engineering Principles _ Hierarchical Protection				no data
💼 SA-8(13) Security and Privacy Engineering Principles _ Minimized Security Elements				no data
💼 SA-8(14) Security and Privacy Engineering Principles _ Least Privilege				no data
💼 SA-8(15) Security and Privacy Engineering Principles _ Predicate Permission				no data
💼 SA-8(16) Security and Privacy Engineering Principles _ Self-reliant Trustworthiness				no data
💼 SA-8(17) Security and Privacy Engineering Principles _ Secure Distributed Composition				no data
💼 SA-8(18) Security and Privacy Engineering Principles _ Trusted Communications Channels				no data
💼 SA-8(19) Security and Privacy Engineering Principles _ Continuous Protection			1	no data
💼 SA-8(20) Security and Privacy Engineering Principles _ Secure Metadata Management				no data
💼 SA-8(21) Security and Privacy Engineering Principles _ Self-analysis			1	no data
💼 SA-8(22) Security and Privacy Engineering Principles _ Accountability and Traceability			1	no data
💼 SA-8(23) Security and Privacy Engineering Principles _ Secure Defaults				no data
💼 SA-8(24) Security and Privacy Engineering Principles _ Secure Failure and Recovery				no data
💼 SA-8(25) Security and Privacy Engineering Principles _ Economic Security			1	no data
💼 SA-8(26) Security and Privacy Engineering Principles _ Performance Security				no data
💼 SA-8(27) Security and Privacy Engineering Principles _ Human Factored Security				no data
💼 SA-8(28) Security and Privacy Engineering Principles _ Acceptable Security				no data
💼 SA-8(29) Security and Privacy Engineering Principles _ Repeatable and Documented Procedures				no data
💼 SA-8(30) Security and Privacy Engineering Principles _ Procedural Rigor				no data
💼 SA-8(31) Security and Privacy Engineering Principles _ Secure System Modification				no data
💼 SA-8(32) Security and Privacy Engineering Principles _ Sufficient Documentation				no data
💼 SA-8(33) Security and Privacy Engineering Principles _ Minimization				no data
💼 SA-9 External System Services	8	1	1	no data
💼 SA-9(1) External System Services _ Risk Assessments and Organizational Approvals				no data
💼 SA-9(2) External System Services _ Identification of Functions, Ports, Protocols, and Services				no data
💼 SA-9(3) External System Services _ Establish and Maintain Trust Relationship with Providers				no data
💼 SA-9(4) External System Services _ Consistent Interests of Consumers and Providers				no data
💼 SA-9(5) External System Services _ Processing, Storage, and Service Location		1	1	no data
💼 SA-9(6) External System Services _ Organization-controlled Cryptographic Keys				no data
💼 SA-9(7) External System Services _ Organization-controlled Integrity Checking				no data
💼 SA-9(8) External System Services _ Processing and Storage Location — U.S. Jurisdiction				no data
💼 SA-10 Developer Configuration Management	7		3	no data
💼 SA-10(1) Developer Configuration Management _ Software and Firmware Integrity Verification				no data
💼 SA-10(2) Developer Configuration Management _ Alternative Configuration Management Processes				no data
💼 SA-10(3) Developer Configuration Management _ Hardware Integrity Verification				no data
💼 SA-10(4) Developer Configuration Management _ Trusted Generation				no data
💼 SA-10(5) Developer Configuration Management _ Mapping Integrity for Version Control				no data
💼 SA-10(6) Developer Configuration Management _ Trusted Distribution				no data
💼 SA-10(7) Developer Configuration Management _ Security and Privacy Representatives				no data
💼 SA-11 Developer Testing and Evaluation	9		1	no data
💼 SA-11(1) Developer Testing and Evaluation _ Static Code Analysis			1	no data
💼 SA-11(2) Developer Testing and Evaluation _ Threat Modeling and Vulnerability Analyses				no data
💼 SA-11(3) Developer Testing and Evaluation _ Independent Verification of Assessment Plans and Evidence				no data
💼 SA-11(4) Developer Testing and Evaluation _ Manual Code Reviews				no data
💼 SA-11(5) Developer Testing and Evaluation _ Penetration Testing				no data
💼 SA-11(6) Developer Testing and Evaluation _ Attack Surface Reviews			1	no data
💼 SA-11(7) Developer Testing and Evaluation _ Verify Scope of Testing and Evaluation				no data
💼 SA-11(8) Developer Testing and Evaluation _ Dynamic Code Analysis				no data
💼 SA-11(9) Developer Testing and Evaluation _ Interactive Application Security Testing				no data
💼 SA-12 Supply Chain Protection	15			no data
💼 SA-12(1) Supply Chain Protection _ Acquisition Strategies / Tools / Methods				no data
💼 SA-12(2) Supply Chain Protection _ Supplier Reviews				no data
💼 SA-12(3) Supply Chain Protection _ Trusted Shipping and Warehousing				no data
💼 SA-12(4) Supply Chain Protection _ Diversity of Suppliers				no data
💼 SA-12(5) Supply Chain Protection _ Limitation of Harm				no data
💼 SA-12(6) Supply Chain Protection _ Minimizing Procurement Time				no data
💼 SA-12(7) Supply Chain Protection _ Assessments Prior to Selection / Acceptance / Update				no data
💼 SA-12(8) Supply Chain Protection _ Use of All-source Intelligence				no data
💼 SA-12(9) Supply Chain Protection _ Operations Security				no data
💼 SA-12(10) Supply Chain Protection _ Validate as Genuine and Not Altered				no data
💼 SA-12(11) Supply Chain Protection _ Penetration Testing / Analysis of Elements, Processes, and Actors				no data
💼 SA-12(12) Supply Chain Protection _ Inter-organizational Agreements				no data
💼 SA-12(13) Supply Chain Protection _ Critical Information System Components				no data
💼 SA-12(14) Supply Chain Protection _ Identity and Traceability				no data
💼 SA-12(15) Supply Chain Protection _ Processes to Address Weaknesses or Deficiencies				no data
💼 SA-13 Trustworthiness				no data
💼 SA-14 Criticality Analysis	1			no data
💼 SA-14(1) Criticality Analysis _ Critical Components with No Viable Alternative Sourcing				no data
💼 SA-15 Development Process, Standards, and Tools	12		1	no data
💼 SA-15(1) Development Process, Standards, and Tools _ Quality Metrics				no data
💼 SA-15(2) Development Process, Standards, and Tools _ Security and Privacy Tracking Tools			1	no data
💼 SA-15(3) Development Process, Standards, and Tools _ Criticality Analysis				no data
💼 SA-15(4) Development Process, Standards, and Tools _ Threat Modeling and Vulnerability Analysis				no data
💼 SA-15(5) Development Process, Standards, and Tools _ Attack Surface Reduction				no data
💼 SA-15(6) Development Process, Standards, and Tools _ Continuous Improvement				no data
💼 SA-15(7) Development Process, Standards, and Tools _ Automated Vulnerability Analysis				no data
💼 SA-15(8) Development Process, Standards, and Tools _ Reuse of Threat and Vulnerability Information			1	no data
💼 SA-15(9) Development Process, Standards, and Tools _ Use of Live Data				no data
💼 SA-15(10) Development Process, Standards, and Tools _ Incident Response Plan				no data
💼 SA-15(11) Development Process, Standards, and Tools _ Archive System or Component				no data
💼 SA-15(12) Development Process, Standards, and Tools _ Minimize Personally Identifiable Information				no data
💼 SA-16 Developer-provided Training				no data
💼 SA-17 Developer Security and Privacy Architecture and Design	9			no data
💼 SA-17(1) Developer Security and Privacy Architecture and Design _ Formal Policy Model				no data
💼 SA-17(2) Developer Security and Privacy Architecture and Design _ Security-relevant Components				no data
💼 SA-17(3) Developer Security and Privacy Architecture and Design _ Formal Correspondence				no data
💼 SA-17(4) Developer Security and Privacy Architecture and Design _ Informal Correspondence				no data
💼 SA-17(5) Developer Security and Privacy Architecture and Design _ Conceptually Simple Design				no data
💼 SA-17(6) Developer Security and Privacy Architecture and Design _ Structure for Testing				no data
💼 SA-17(7) Developer Security and Privacy Architecture and Design _ Structure for Least Privilege				no data
💼 SA-17(8) Developer Security and Privacy Architecture and Design _ Orchestration				no data
💼 SA-17(9) Developer Security and Privacy Architecture and Design _ Design Diversity				no data
💼 SA-18 Tamper Resistance and Detection	2			no data
💼 SA-18(1) Tamper Resistance and Detection _ Multiple Phases of System Development Life Cycle				no data
💼 SA-18(2) Tamper Resistance and Detection _ Inspection of Systems or Components				no data
💼 SA-19 Component Authenticity	4			no data
💼 SA-19(1) Component Authenticity _ Anti-counterfeit Training				no data
💼 SA-19(2) Component Authenticity _ Configuration Control for Component Service and Repair				no data
💼 SA-19(3) Component Authenticity _ Component Disposal				no data
💼 SA-19(4) Component Authenticity _ Anti-counterfeit Scanning				no data
💼 SA-20 Customized Development of Critical Components				no data
💼 SA-21 Developer Screening	1			no data
💼 SA-21(1) Developer Screening _ Validation of Screening				no data
💼 SA-22 Unsupported System Components	1			no data
💼 SA-22(1) Unsupported System Components _ Alternative Sources for Continued Support				no data
💼 SA-23 Specialization				no data
💼 SC System And Communications Protection	51	26	82	no data
💼 SC-1 Policy and Procedures				no data
💼 SC-2 Separation of System and User Functionality	2			no data
💼 SC-2(1) Separation of System and User Functionality _ Interfaces for Non-privileged Users				no data
💼 SC-2(2) Separation of System and User Functionality _ Disassociability				no data
💼 SC-3 Security Function Isolation	5			no data
💼 SC-3(1) Security Function Isolation _ Hardware Separation				no data
💼 SC-3(2) Security Function Isolation _ Access and Flow Control Functions				no data
💼 SC-3(3) Security Function Isolation _ Minimize Nonsecurity Functionality				no data
💼 SC-3(4) Security Function Isolation _ Module Coupling and Cohesiveness				no data
💼 SC-3(5) Security Function Isolation _ Layered Structures				no data
💼 SC-4 Information in Shared System Resources	2			no data
💼 SC-4(1) Information in Shared System Resources _ Security Levels				no data
💼 SC-4(2) Information in Shared System Resources _ Multilevel or Periods Processing				no data
💼 SC-5 Denial-of-service Protection	3		8	no data
💼 SC-5(1) Denial-of-service Protection _ Restrict Ability to Attack Other Systems			1	no data
💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy			7	no data
💼 SC-5(3) Denial-of-service Protection _ Detection and Monitoring			1	no data
💼 SC-6 Resource Availability				no data
💼 SC-7 Boundary Protection	29	4	50	no data
💼 SC-7(1) Boundary Protection _ Physically Separated Subnetworks				no data
💼 SC-7(2) Boundary Protection _ Public Access				no data
💼 SC-7(3) Boundary Protection _ Access Points			8	no data
💼 SC-7(4) Boundary Protection _ External Telecommunications Services			28	no data
💼 SC-7(5) Boundary Protection _ Deny by Default — Allow by Exception		4	18	no data
💼 SC-7(6) Boundary Protection _ Response to Recognized Failures				no data
💼 SC-7(7) Boundary Protection _ Split Tunneling for Remote Devices				no data
💼 SC-7(8) Boundary Protection _ Route Traffic to Authenticated Proxy Servers				no data
💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			14	no data
💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			6	no data
💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			22	no data
💼 SC-7(12) Boundary Protection _ Host-based Protection				no data
💼 SC-7(13) Boundary Protection _ Isolation of Security Tools, Mechanisms, and Support Components				no data
💼 SC-7(14) Boundary Protection _ Protect Against Unauthorized Physical Connections				no data
💼 SC-7(15) Boundary Protection _ Networked Privileged Accesses				no data
💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			23	no data
💼 SC-7(17) Boundary Protection _ Automated Enforcement of Protocol Formats				no data
💼 SC-7(18) Boundary Protection _ Fail Secure				no data
💼 SC-7(19) Boundary Protection _ Block Communication from Non-organizationally Configured Hosts				no data
💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			8	no data
💼 SC-7(21) Boundary Protection _ Isolation of System Components			22	no data
💼 SC-7(22) Boundary Protection _ Separate Subnets for Connecting to Different Security Domains				no data
💼 SC-7(23) Boundary Protection _ Disable Sender Feedback on Protocol Validation Failure				no data
💼 SC-7(24) Boundary Protection _ Personally Identifiable Information				no data
💼 SC-7(25) Boundary Protection _ Unclassified National Security System Connections				no data
💼 SC-7(26) Boundary Protection _ Classified National Security System Connections				no data
💼 SC-7(27) Boundary Protection _ Unclassified Non-national Security System Connections				no data
💼 SC-7(28) Boundary Protection _ Connections to Public Networks				no data
💼 SC-7(29) Boundary Protection _ Separate Subnets to Isolate Functions				no data
💼 SC-8 Transmission Confidentiality and Integrity	5	8	16	no data
💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	15	no data
💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling			7	no data
💼 SC-8(3) Transmission Confidentiality and Integrity _ Cryptographic Protection for Message Externals				no data
💼 SC-8(4) Transmission Confidentiality and Integrity _ Conceal or Randomize Communications				no data
💼 SC-8(5) Transmission Confidentiality and Integrity _ Protected Distribution System				no data
💼 SC-9 Transmission Confidentiality				no data
💼 SC-10 Network Disconnect				no data
💼 SC-11 Trusted Path	1			no data
💼 SC-11(1) Trusted Path _ Irrefutable Communications Path				no data
💼 SC-12 Cryptographic Key Establishment and Management	6	1	7	no data
💼 SC-12(1) Cryptographic Key Establishment and Management _ Availability				no data
💼 SC-12(2) Cryptographic Key Establishment and Management _ Symmetric Keys		1	1	no data
💼 SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys			6	no data
💼 SC-12(4) Cryptographic Key Establishment and Management _ PKI Certificates				no data
💼 SC-12(5) Cryptographic Key Establishment and Management _ PKI Certificates / Hardware Tokens				no data
💼 SC-12(6) Cryptographic Key Establishment and Management _ Physical Control of Keys				no data
💼 SC-13 Cryptographic Protection	4		13	no data
💼 SC-13(1) Cryptographic Protection _ FIPS-validated Cryptography				no data
💼 SC-13(2) Cryptographic Protection _ NSA-approved Cryptography				no data
💼 SC-13(3) Cryptographic Protection _ Individuals Without Formal Access Approvals				no data
💼 SC-13(4) Cryptographic Protection _ Digital Signatures				no data
💼 SC-14 Public Access Protections				no data
💼 SC-15 Collaborative Computing Devices and Applications	4			no data
💼 SC-15(1) Collaborative Computing Devices and Applications _ Physical or Logical Disconnect				no data
💼 SC-15(2) Collaborative Computing Devices and Applications _ Blocking Inbound and Outbound Communications Traffic				no data
💼 SC-15(3) Collaborative Computing Devices and Applications _ Disabling and Removal in Secure Work Areas				no data
💼 SC-15(4) Collaborative Computing Devices and Applications _ Explicitly Indicate Current Participants				no data
💼 SC-16 Transmission of Security and Privacy Attributes	3			no data
💼 SC-16(1) Transmission of Security and Privacy Attributes _ Integrity Verification				no data
💼 SC-16(2) Transmission of Security and Privacy Attributes _ Anti-spoofing Mechanisms				no data
💼 SC-16(3) Transmission of Security and Privacy Attributes _ Cryptographic Binding				no data
💼 SC-17 Public Key Infrastructure Certificates				no data
💼 SC-18 Mobile Code	5			no data
💼 SC-18(1) Mobile Code _ Identify Unacceptable Code and Take Corrective Actions				no data
💼 SC-18(2) Mobile Code _ Acquisition, Development, and Use				no data
💼 SC-18(3) Mobile Code _ Prevent Downloading and Execution				no data
💼 SC-18(4) Mobile Code _ Prevent Automatic Execution				no data
💼 SC-18(5) Mobile Code _ Allow Execution Only in Confined Environments				no data
💼 SC-19 Voice Over Internet Protocol				no data
💼 SC-20 Secure Name/address Resolution Service (authoritative Source)	2			no data
💼 SC-20(1) Secure Name/address Resolution Service (authoritative Source) _ Child Subspaces				no data
💼 SC-20(2) Secure Name/address Resolution Service (authoritative Source) _ Data Origin and Integrity				no data
💼 SC-21 Secure Name/address Resolution Service (recursive or Caching Resolver)	1			no data
💼 SC-21(1) Secure Name/address Resolution Service (recursive or Caching Resolver) _ Data Origin and Integrity				no data
💼 SC-22 Architecture and Provisioning for Name/address Resolution Service				no data
💼 SC-23 Session Authenticity	5		7	no data
💼 SC-23(1) Session Authenticity _ Invalidate Session Identifiers at Logout				no data
💼 SC-23(2) Session Authenticity _ User-initiated Logouts and Message Displays				no data
💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers			6	no data
💼 SC-23(4) Session Authenticity _ Unique Session Identifiers with Randomization				no data
💼 SC-23(5) Session Authenticity _ Allowed Certificate Authorities				no data
💼 SC-24 Fail in Known State				no data
💼 SC-25 Thin Nodes				no data
💼 SC-26 Decoys	1			no data
💼 SC-26(1) Decoys _ Detection of Malicious Code				no data
💼 SC-27 Platform-independent Applications				no data
💼 SC-28 Protection of Information at Rest	3	16	25	no data
💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	14	no data
💼 SC-28(2) Protection of Information at Rest _ Offline Storage				no data
💼 SC-28(3) Protection of Information at Rest _ Cryptographic Keys			1	no data
💼 SC-29 Heterogeneity	1			no data
💼 SC-29(1) Heterogeneity _ Virtualization Techniques				no data
💼 SC-30 Concealment and Misdirection	5			no data
💼 SC-30(1) Concealment and Misdirection _ Virtualization Techniques				no data
💼 SC-30(2) Concealment and Misdirection _ Randomness				no data
💼 SC-30(3) Concealment and Misdirection _ Change Processing and Storage Locations				no data
💼 SC-30(4) Concealment and Misdirection _ Misleading Information				no data
💼 SC-30(5) Concealment and Misdirection _ Concealment of System Components				no data
💼 SC-31 Covert Channel Analysis	3			no data
💼 SC-31(1) Covert Channel Analysis _ Test Covert Channels for Exploitability				no data
💼 SC-31(2) Covert Channel Analysis _ Maximum Bandwidth				no data
💼 SC-31(3) Covert Channel Analysis _ Measure Bandwidth in Operational Environments				no data
💼 SC-32 System Partitioning	1			no data
💼 SC-32(1) System Partitioning _ Separate Physical Domains for Privileged Functions				no data
💼 SC-33 Transmission Preparation Integrity				no data
💼 SC-34 Non-modifiable Executable Programs	3			no data
💼 SC-34(1) Non-modifiable Executable Programs _ No Writable Storage				no data
💼 SC-34(2) Non-modifiable Executable Programs _ Integrity Protection on Read-only Media				no data
💼 SC-34(3) Non-modifiable Executable Programs _ Hardware-based Protection				no data
💼 SC-35 External Malicious Code Identification				no data
💼 SC-36 Distributed Processing and Storage	2		5	no data
💼 SC-36(1) Distributed Processing and Storage _ Polling Techniques				no data
💼 SC-36(2) Distributed Processing and Storage _ Synchronization				no data
💼 SC-37 Out-of-band Channels	1			no data
💼 SC-37(1) Out-of-band Channels _ Ensure Delivery and Transmission				no data
💼 SC-38 Operations Security				no data
💼 SC-39 Process Isolation	2			no data
💼 SC-39(1) Process Isolation _ Hardware Separation				no data
💼 SC-39(2) Process Isolation _ Separate Execution Domain Per Thread				no data
💼 SC-40 Wireless Link Protection	4			no data
💼 SC-40(1) Wireless Link Protection _ Electromagnetic Interference				no data
💼 SC-40(2) Wireless Link Protection _ Reduce Detection Potential				no data
💼 SC-40(3) Wireless Link Protection _ Imitative or Manipulative Communications Deception				no data
💼 SC-40(4) Wireless Link Protection _ Signal Parameter Identification				no data
💼 SC-41 Port and I/O Device Access				no data
💼 SC-42 Sensor Capability and Data	5			no data
💼 SC-42(1) Sensor Capability and Data _ Reporting to Authorized Individuals or Roles				no data
💼 SC-42(2) Sensor Capability and Data _ Authorized Use				no data
💼 SC-42(3) Sensor Capability and Data _ Prohibit Use of Devices				no data
💼 SC-42(4) Sensor Capability and Data _ Notice of Collection				no data
💼 SC-42(5) Sensor Capability and Data _ Collection Minimization				no data
💼 SC-43 Usage Restrictions				no data
💼 SC-44 Detonation Chambers				no data
💼 SC-45 System Time Synchronization	2			no data
💼 SC-45(1) System Time Synchronization _ Synchronization with Authoritative Time Source				no data
💼 SC-45(2) System Time Synchronization _ Secondary Authoritative Time Source				no data
💼 SC-46 Cross Domain Policy Enforcement				no data
💼 SC-47 Alternate Communications Paths				no data
💼 SC-48 Sensor Relocation	1			no data
💼 SC-48(1) Sensor Relocation _ Dynamic Relocation of Sensors or Monitoring Capabilities				no data
💼 SC-49 Hardware-enforced Separation and Policy Enforcement				no data
💼 SC-50 Software-enforced Separation and Policy Enforcement				no data
💼 SC-51 Hardware-based Protection				no data
💼 SI System And Information Integrity	23	20	57	no data
💼 SI-1 Policy and Procedures				no data
💼 SI-2 Flaw Remediation	6	6	10	no data
💼 SI-2(1) Flaw Remediation _ Central Management				no data
💼 SI-2(2) Flaw Remediation _ Automated Flaw Remediation Status		1	4	no data
💼 SI-2(3) Flaw Remediation _ Time to Remediate Flaws and Benchmarks for Corrective Actions				no data
💼 SI-2(4) Flaw Remediation _ Automated Patch Management Tools			4	no data
💼 SI-2(5) Flaw Remediation _ Automatic Software and Firmware Updates		2	4	no data
💼 SI-2(6) Flaw Remediation _ Removal of Previous Versions of Software and Firmware		6	6	no data
💼 SI-3 Malicious Code Protection	10		6	no data
💼 SI-3(1) Malicious Code Protection _ Central Management				no data
💼 SI-3(2) Malicious Code Protection _ Automatic Updates				no data
💼 SI-3(3) Malicious Code Protection _ Non-privileged Users				no data
💼 SI-3(4) Malicious Code Protection _ Updates Only by Privileged Users				no data
💼 SI-3(5) Malicious Code Protection _ Portable Storage Devices				no data
💼 SI-3(6) Malicious Code Protection _ Testing and Verification				no data
💼 SI-3(7) Malicious Code Protection _ Nonsignature-based Detection				no data
💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			6	no data
💼 SI-3(9) Malicious Code Protection _ Authenticate Remote Commands				no data
💼 SI-3(10) Malicious Code Protection _ Malicious Code Analysis				no data
💼 SI-4 System Monitoring	25	1	10	no data
💼 SI-4(1) System Monitoring _ System-wide Intrusion Detection System			1	no data
💼 SI-4(2) System Monitoring _ Automated Tools and Mechanisms for Real-time Analysis			1	no data
💼 SI-4(3) System Monitoring _ Automated Tool and Mechanism Integration				no data
💼 SI-4(4) System Monitoring _ Inbound and Outbound Communications Traffic		1	2	no data
💼 SI-4(5) System Monitoring _ System-generated Alerts			1	no data
💼 SI-4(6) System Monitoring _ Restrict Non-privileged Users				no data
💼 SI-4(7) System Monitoring _ Automated Response to Suspicious Events				no data
💼 SI-4(8) System Monitoring _ Protection of Monitoring Information				no data
💼 SI-4(9) System Monitoring _ Testing of Monitoring Tools and Mechanisms				no data
💼 SI-4(10) System Monitoring _ Visibility of Encrypted Communications				no data
💼 SI-4(11) System Monitoring _ Analyze Communications Traffic Anomalies				no data
💼 SI-4(12) System Monitoring _ Automated Organization-generated Alerts			1	no data
💼 SI-4(13) System Monitoring _ Analyze Traffic and Event Patterns			1	no data
💼 SI-4(14) System Monitoring _ Wireless Intrusion Detection				no data
💼 SI-4(15) System Monitoring _ Wireless to Wireline Communications				no data
💼 SI-4(16) System Monitoring _ Correlate Monitoring Information				no data
💼 SI-4(17) System Monitoring _ Integrated Situational Awareness				no data
💼 SI-4(18) System Monitoring _ Analyze Traffic and Covert Exfiltration				no data
💼 SI-4(19) System Monitoring _ Risk for Individuals				no data
💼 SI-4(20) System Monitoring _ Privileged Users			5	no data
💼 SI-4(21) System Monitoring _ Probationary Periods				no data
💼 SI-4(22) System Monitoring _ Unauthorized Network Services			1	no data
💼 SI-4(23) System Monitoring _ Host-based Devices				no data
💼 SI-4(24) System Monitoring _ Indicators of Compromise				no data
💼 SI-4(25) System Monitoring _ Optimize Network Traffic Analysis			1	no data
💼 SI-5 Security Alerts, Advisories, and Directives	1			no data
💼 SI-5(1) Security Alerts, Advisories, and Directives _ Automated Alerts and Advisories				no data
💼 SI-6 Security and Privacy Function Verification	3			no data
💼 SI-6(1) Security and Privacy Function Verification _ Notification of Failed Security Tests				no data
💼 SI-6(2) Security and Privacy Function Verification _ Automation Support for Distributed Testing				no data
💼 SI-6(3) Security and Privacy Function Verification _ Report Verification Results				no data
💼 SI-7 Software, Firmware, and Information Integrity	17	19	43	no data
💼 SI-7(1) Software, Firmware, and Information Integrity _ Integrity Checks			1	no data
💼 SI-7(2) Software, Firmware, and Information Integrity _ Automated Notifications of Integrity Violations				no data
💼 SI-7(3) Software, Firmware, and Information Integrity _ Centrally Managed Integrity Tools			1	no data
💼 SI-7(4) Software, Firmware, and Information Integrity _ Tamper-evident Packaging				no data
💼 SI-7(5) Software, Firmware, and Information Integrity _ Automated Response to Integrity Violations				no data
💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			12	no data
💼 SI-7(7) Software, Firmware, and Information Integrity _ Integration of Detection and Response			1	no data
💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			8	no data
💼 SI-7(9) Software, Firmware, and Information Integrity _ Verify Boot Process				no data
💼 SI-7(10) Software, Firmware, and Information Integrity _ Protection of Boot Firmware				no data
💼 SI-7(11) Software, Firmware, and Information Integrity _ Confined Environments with Limited Privileges				no data
💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification		19	21	no data
💼 SI-7(13) Software, Firmware, and Information Integrity _ Code Execution in Protected Environments				no data
💼 SI-7(14) Software, Firmware, and Information Integrity _ Binary or Machine Executable Code				no data
💼 SI-7(15) Software, Firmware, and Information Integrity _ Code Authentication				no data
💼 SI-7(16) Software, Firmware, and Information Integrity _ Time Limit on Process Execution Without Supervision				no data
💼 SI-7(17) Software, Firmware, and Information Integrity _ Runtime Application Self-protection				no data
💼 SI-8 Spam Protection	3			no data
💼 SI-8(1) Spam Protection _ Central Management				no data
💼 SI-8(2) Spam Protection _ Automatic Updates				no data
💼 SI-8(3) Spam Protection _ Continuous Learning Capability				no data
💼 SI-9 Information Input Restrictions				no data
💼 SI-10 Information Input Validation	6			no data
💼 SI-10(1) Information Input Validation _ Manual Override Capability				no data
💼 SI-10(2) Information Input Validation _ Review and Resolve Errors				no data
💼 SI-10(3) Information Input Validation _ Predictable Behavior				no data
💼 SI-10(4) Information Input Validation _ Timing Interactions				no data
💼 SI-10(5) Information Input Validation _ Restrict Inputs to Trusted Sources and Approved Formats				no data
💼 SI-10(6) Information Input Validation _ Injection Prevention				no data
💼 SI-11 Error Handling				no data
💼 SI-12 Information Management and Retention	3		2	no data
💼 SI-12(1) Information Management and Retention _ Limit Personally Identifiable Information Elements				no data
💼 SI-12(2) Information Management and Retention _ Minimize Personally Identifiable Information in Testing, Training, and Research				no data
💼 SI-12(3) Information Management and Retention _ Information Disposal				no data
💼 SI-13 Predictable Failure Prevention	5		7	no data
💼 SI-13(1) Predictable Failure Prevention _ Transferring Component Responsibilities				no data
💼 SI-13(2) Predictable Failure Prevention _ Time Limit on Process Execution Without Supervision				no data
💼 SI-13(3) Predictable Failure Prevention _ Manual Transfer Between Components				no data
💼 SI-13(4) Predictable Failure Prevention _ Standby Component Installation and Notification				no data
💼 SI-13(5) Predictable Failure Prevention _ Failover Capability			7	no data
💼 SI-14 Non-persistence	3			no data
💼 SI-14(1) Non-persistence _ Refresh from Trusted Sources				no data
💼 SI-14(2) Non-persistence _ Non-persistent Information				no data
💼 SI-14(3) Non-persistence _ Non-persistent Connectivity				no data
💼 SI-15 Information Output Filtering				no data
💼 SI-16 Memory Protection				no data
💼 SI-17 Fail-safe Procedures				no data
💼 SI-18 Personally Identifiable Information Quality Operations	5			no data
💼 SI-18(1) Personally Identifiable Information Quality Operations _ Automation Support				no data
💼 SI-18(2) Personally Identifiable Information Quality Operations _ Data Tags				no data
💼 SI-18(3) Personally Identifiable Information Quality Operations _ Collection				no data
💼 SI-18(4) Personally Identifiable Information Quality Operations _ Individual Requests				no data
💼 SI-18(5) Personally Identifiable Information Quality Operations _ Notice of Correction or Deletion				no data
💼 SI-19 De-identification	8			no data
💼 SI-19(1) De-identification _ Collection				no data
💼 SI-19(2) De-identification _ Archiving				no data
💼 SI-19(3) De-identification _ Release				no data
💼 SI-19(4) De-identification _ Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers				no data
💼 SI-19(5) De-identification _ Statistical Disclosure Control				no data
💼 SI-19(6) De-identification _ Differential Privacy				no data
💼 SI-19(7) De-identification _ Validated Algorithms and Software				no data
💼 SI-19(8) De-identification _ Motivated Intruder				no data
💼 SI-20 Tainting			1	no data
💼 SI-21 Information Refresh				no data
💼 SI-22 Information Diversity				no data
💼 SI-23 Information Fragmentation				no data
💼 SR Supply Chain Risk Management	12			no data
💼 SR-1 Policy and Procedures				no data
💼 SR-2 Supply Chain Risk Management Plan	1			no data
💼 SR-2(1) Supply Chain Risk Management Plan _ Establish SCRM Team				no data
💼 SR-3 Supply Chain Controls and Processes	3			no data
💼 SR-3(1) Supply Chain Controls and Processes _ Diverse Supply Base				no data
💼 SR-3(2) Supply Chain Controls and Processes _ Limitation of Harm				no data
💼 SR-3(3) Supply Chain Controls and Processes _ Sub-tier Flow Down				no data
💼 SR-4 Provenance	4			no data
💼 SR-4(1) Provenance _ Identity				no data
💼 SR-4(2) Provenance _ Track and Trace				no data
💼 SR-4(3) Provenance _ Validate as Genuine and Not Altered				no data
💼 SR-4(4) Provenance _ Supply Chain Integrity — Pedigree				no data
💼 SR-5 Acquisition Strategies, Tools, and Methods	2			no data
💼 SR-5(1) Acquisition Strategies, Tools, and Methods _ Adequate Supply				no data
💼 SR-5(2) Acquisition Strategies, Tools, and Methods _ Assessments Prior to Selection, Acceptance, Modification, or Update				no data
💼 SR-6 Supplier Assessments and Reviews	1			no data
💼 SR-6(1) Supplier Assessments and Reviews _ Testing and Analysis				no data
💼 SR-7 Supply Chain Operations Security				no data
💼 SR-8 Notification Agreements				no data
💼 SR-9 Tamper Resistance and Detection	1			no data
💼 SR-9(1) Tamper Resistance and Detection _ Multiple Stages of System Development Life Cycle				no data
💼 SR-10 Inspection of Systems or Components				no data
💼 SR-11 Component Authenticity	3			no data
💼 SR-11(1) Component Authenticity _ Anti-counterfeit Training				no data
💼 SR-11(2) Component Authenticity _ Configuration Control for Component Service and Repair				no data
💼 SR-11(3) Component Authenticity _ Anti-counterfeit Scanning				no data
💼 SR-12 Component Disposal				no data

Description​

Similar​

Sub Sections​

Description

Similar

Sub Sections