💼 SC-1 Policy and Procedures | | | | |
💼 SC-2 Separation of System and User Functionality | 2 | | | |
💼 SC-2(1) Separation of System and User Functionality _ Interfaces for Non-privileged Users | | | | |
💼 SC-2(2) Separation of System and User Functionality _ Disassociability | | | | |
💼 SC-3 Security Function Isolation | 5 | | | |
💼 SC-3(1) Security Function Isolation _ Hardware Separation | | | | |
💼 SC-3(2) Security Function Isolation _ Access and Flow Control Functions | | | | |
💼 SC-3(3) Security Function Isolation _ Minimize Nonsecurity Functionality | | | | |
💼 SC-3(4) Security Function Isolation _ Module Coupling and Cohesiveness | | | | |
💼 SC-3(5) Security Function Isolation _ Layered Structures | | | | |
💼 SC-4 Information in Shared System Resources | 2 | | | |
💼 SC-4(1) Information in Shared System Resources _ Security Levels | | | | |
💼 SC-4(2) Information in Shared System Resources _ Multilevel or Periods Processing | | | | |
💼 SC-5 Denial-of-service Protection | 3 | | | |
💼 SC-5(1) Denial-of-service Protection _ Restrict Ability to Attack Other Systems | | | | |
💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy | | | 4 | |
💼 SC-5(3) Denial-of-service Protection _ Detection and Monitoring | | | | |
💼 SC-6 Resource Availability | | | | |
💼 SC-7 Boundary Protection | 29 | | 21 | |
💼 SC-7(1) Boundary Protection _ Physically Separated Subnetworks | | | | |
💼 SC-7(2) Boundary Protection _ Public Access | | | | |
💼 SC-7(3) Boundary Protection _ Access Points | | | 5 | |
💼 SC-7(4) Boundary Protection _ External Telecommunications Services | | | 25 | |
💼 SC-7(5) Boundary Protection _ Deny by Default — Allow by Exception | | 4 | 18 | |
💼 SC-7(6) Boundary Protection _ Response to Recognized Failures | | | | |
💼 SC-7(7) Boundary Protection _ Split Tunneling for Remote Devices | | | | |
💼 SC-7(8) Boundary Protection _ Route Traffic to Authenticated Proxy Servers | | | | |
💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic | | | 12 | |
💼 SC-7(10) Boundary Protection _ Prevent Exfiltration | | | 6 | |
💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic | | | 19 | |
💼 SC-7(12) Boundary Protection _ Host-based Protection | | | | |
💼 SC-7(13) Boundary Protection _ Isolation of Security Tools, Mechanisms, and Support Components | | | | |
💼 SC-7(14) Boundary Protection _ Protect Against Unauthorized Physical Connections | | | | |
💼 SC-7(15) Boundary Protection _ Networked Privileged Accesses | | | | |
💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components | | | 20 | |
💼 SC-7(17) Boundary Protection _ Automated Enforcement of Protocol Formats | | | | |
💼 SC-7(18) Boundary Protection _ Fail Secure | | | | |
💼 SC-7(19) Boundary Protection _ Block Communication from Non-organizationally Configured Hosts | | | | |
💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation | | | 5 | |
💼 SC-7(21) Boundary Protection _ Isolation of System Components | | | 19 | |
💼 SC-7(22) Boundary Protection _ Separate Subnets for Connecting to Different Security Domains | | | | |
💼 SC-7(23) Boundary Protection _ Disable Sender Feedback on Protocol Validation Failure | | | | |
💼 SC-7(24) Boundary Protection _ Personally Identifiable Information | | | | |
💼 SC-7(25) Boundary Protection _ Unclassified National Security System Connections | | | | |
💼 SC-7(26) Boundary Protection _ Classified National Security System Connections | | | | |
💼 SC-7(27) Boundary Protection _ Unclassified Non-national Security System Connections | | | | |
💼 SC-7(28) Boundary Protection _ Connections to Public Networks | | | | |
💼 SC-7(29) Boundary Protection _ Separate Subnets to Isolate Functions | | | | |
💼 SC-8 Transmission Confidentiality and Integrity | 5 | | 8 | |
💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection | | 8 | 15 | |
💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling | | | 7 | |
💼 SC-8(3) Transmission Confidentiality and Integrity _ Cryptographic Protection for Message Externals | | | | |
💼 SC-8(4) Transmission Confidentiality and Integrity _ Conceal or Randomize Communications | | | | |
💼 SC-8(5) Transmission Confidentiality and Integrity _ Protected Distribution System | | | | |
💼 SC-9 Transmission Confidentiality | | | | |
💼 SC-10 Network Disconnect | | | | |
💼 SC-11 Trusted Path | 1 | | | |
💼 SC-11(1) Trusted Path _ Irrefutable Communications Path | | | | |
💼 SC-12 Cryptographic Key Establishment and Management | 6 | | | |
💼 SC-12(1) Cryptographic Key Establishment and Management _ Availability | | | | |
💼 SC-12(2) Cryptographic Key Establishment and Management _ Symmetric Keys | | 1 | 1 | |
💼 SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys | | | 6 | |
💼 SC-12(4) Cryptographic Key Establishment and Management _ PKI Certificates | | | | |
💼 SC-12(5) Cryptographic Key Establishment and Management _ PKI Certificates / Hardware Tokens | | | | |
💼 SC-12(6) Cryptographic Key Establishment and Management _ Physical Control of Keys | | | | |
💼 SC-13 Cryptographic Protection | 4 | | 13 | |
💼 SC-13(1) Cryptographic Protection _ FIPS-validated Cryptography | | | | |
💼 SC-13(2) Cryptographic Protection _ NSA-approved Cryptography | | | | |
💼 SC-13(3) Cryptographic Protection _ Individuals Without Formal Access Approvals | | | | |
💼 SC-13(4) Cryptographic Protection _ Digital Signatures | | | | |
💼 SC-14 Public Access Protections | | | | |
💼 SC-15 Collaborative Computing Devices and Applications | 4 | | | |
💼 SC-15(1) Collaborative Computing Devices and Applications _ Physical or Logical Disconnect | | | | |
💼 SC-15(2) Collaborative Computing Devices and Applications _ Blocking Inbound and Outbound Communications Traffic | | | | |
💼 SC-15(3) Collaborative Computing Devices and Applications _ Disabling and Removal in Secure Work Areas | | | | |
💼 SC-15(4) Collaborative Computing Devices and Applications _ Explicitly Indicate Current Participants | | | | |
💼 SC-16 Transmission of Security and Privacy Attributes | 3 | | | |
💼 SC-16(1) Transmission of Security and Privacy Attributes _ Integrity Verification | | | | |
💼 SC-16(2) Transmission of Security and Privacy Attributes _ Anti-spoofing Mechanisms | | | | |
💼 SC-16(3) Transmission of Security and Privacy Attributes _ Cryptographic Binding | | | | |
💼 SC-17 Public Key Infrastructure Certificates | | | | |
💼 SC-18 Mobile Code | 5 | | | |
💼 SC-18(1) Mobile Code _ Identify Unacceptable Code and Take Corrective Actions | | | | |
💼 SC-18(2) Mobile Code _ Acquisition, Development, and Use | | | | |
💼 SC-18(3) Mobile Code _ Prevent Downloading and Execution | | | | |
💼 SC-18(4) Mobile Code _ Prevent Automatic Execution | | | | |
💼 SC-18(5) Mobile Code _ Allow Execution Only in Confined Environments | | | | |
💼 SC-19 Voice Over Internet Protocol | | | | |
💼 SC-20 Secure Name/Address Resolution Service (Authoritative Source) | 2 | | | |
💼 SC-20(1) Secure Name/Address Resolution Service (Authoritative Source) _ Child Subspaces | | | | |
💼 SC-20(2) Secure Name/Address Resolution Service (Authoritative Source) _ Data Origin and Integrity | | | | |
💼 SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) | 1 | | | |
💼 SC-21(1) Secure Name/Address Resolution Service (Recursive or Caching Resolver) _ Data Origin and Integrity | | | | |
💼 SC-22 Architecture and Provisioning for Name/Address Resolution Service | | | | |
💼 SC-23 Session Authenticity | 5 | | 7 | |
💼 SC-23(1) Session Authenticity _ Invalidate Session Identifiers at Logout | | | | |
💼 SC-23(2) Session Authenticity _ User-initiated Logouts and Message Displays | | | | |
💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers | | | 6 | |
💼 SC-23(4) Session Authenticity _ Unique Session Identifiers with Randomization | | | | |
💼 SC-23(5) Session Authenticity _ Allowed Certificate Authorities | | | | |
💼 SC-24 Fail in Known State | | | | |
💼 SC-25 Thin Nodes | | | | |
💼 SC-26 Decoys | 1 | | | |
💼 SC-26(1) Decoys _ Detection of Malicious Code | | | | |
💼 SC-27 Platform-independent Applications | | | | |
💼 SC-28 Protection of Information at Rest | 3 | 12 | 20 | |
💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection | | 10 | 14 | |
💼 SC-28(2) Protection of Information at Rest _ Offline Storage | | | | |
💼 SC-28(3) Protection of Information at Rest _ Cryptographic Keys | | | 1 | |
💼 SC-29 Heterogeneity | 1 | | | |
💼 SC-29(1) Heterogeneity _ Virtualization Techniques | | | | |
💼 SC-30 Concealment and Misdirection | 5 | | | |
💼 SC-30(1) Concealment and Misdirection _ Virtualization Techniques | | | | |
💼 SC-30(2) Concealment and Misdirection _ Randomness | | | | |
💼 SC-30(3) Concealment and Misdirection _ Change Processing and Storage Locations | | | | |
💼 SC-30(4) Concealment and Misdirection _ Misleading Information | | | | |
💼 SC-30(5) Concealment and Misdirection _ Concealment of System Components | | | | |
💼 SC-31 Covert Channel Analysis | 3 | | | |
💼 SC-31(1) Covert Channel Analysis _ Test Covert Channels for Exploitability | | | | |
💼 SC-31(2) Covert Channel Analysis _ Maximum Bandwidth | | | | |
💼 SC-31(3) Covert Channel Analysis _ Measure Bandwidth in Operational Environments | | | | |
💼 SC-32 System Partitioning | 1 | | | |
💼 SC-32(1) System Partitioning _ Separate Physical Domains for Privileged Functions | | | | |
💼 SC-33 Transmission Preparation Integrity | | | | |
💼 SC-34 Non-modifiable Executable Programs | 3 | | | |
💼 SC-34(1) Non-modifiable Executable Programs _ No Writable Storage | | | | |
💼 SC-34(2) Non-modifiable Executable Programs _ Integrity Protection on Read-only Media | | | | |
💼 SC-34(3) Non-modifiable Executable Programs _ Hardware-based Protection | | | | |
💼 SC-35 External Malicious Code Identification | | | | |
💼 SC-36 Distributed Processing and Storage | 2 | | 2 | |
💼 SC-36(1) Distributed Processing and Storage _ Polling Techniques | | | | |
💼 SC-36(2) Distributed Processing and Storage _ Synchronization | | | | |
💼 SC-37 Out-of-band Channels | 1 | | | |
💼 SC-37(1) Out-of-band Channels _ Ensure Delivery and Transmission | | | | |
💼 SC-38 Operations Security | | | | |
💼 SC-39 Process Isolation | 2 | | | |
💼 SC-39(1) Process Isolation _ Hardware Separation | | | | |
💼 SC-39(2) Process Isolation _ Separate Execution Domain Per Thread | | | | |
💼 SC-40 Wireless Link Protection | 4 | | | |
💼 SC-40(1) Wireless Link Protection _ Electromagnetic Interference | | | | |
💼 SC-40(2) Wireless Link Protection _ Reduce Detection Potential | | | | |
💼 SC-40(3) Wireless Link Protection _ Imitative or Manipulative Communications Deception | | | | |
💼 SC-40(4) Wireless Link Protection _ Signal Parameter Identification | | | | |
💼 SC-41 Port and I/O Device Access | | | | |
💼 SC-42 Sensor Capability and Data | 5 | | | |
💼 SC-42(1) Sensor Capability and Data _ Reporting to Authorized Individuals or Roles | | | | |
💼 SC-42(2) Sensor Capability and Data _ Authorized Use | | | | |
💼 SC-42(3) Sensor Capability and Data _ Prohibit Use of Devices | | | | |
💼 SC-42(4) Sensor Capability and Data _ Notice of Collection | | | | |
💼 SC-42(5) Sensor Capability and Data _ Collection Minimization | | | | |
💼 SC-43 Usage Restrictions | | | | |
💼 SC-44 Detonation Chambers | | | | |
💼 SC-45 System Time Synchronization | 2 | | | |
💼 SC-45(1) System Time Synchronization _ Synchronization with Authoritative Time Source | | | | |
💼 SC-45(2) System Time Synchronization _ Secondary Authoritative Time Source | | | | |
💼 SC-46 Cross Domain Policy Enforcement | | | | |
💼 SC-47 Alternate Communications Paths | | | | |
💼 SC-48 Sensor Relocation | 1 | | | |
💼 SC-48(1) Sensor Relocation _ Dynamic Relocation of Sensors or Monitoring Capabilities | | | | |
💼 SC-49 Hardware-enforced Separation and Policy Enforcement | | | | |
💼 SC-50 Software-enforced Separation and Policy Enforcement | | | | |
💼 SC-51 Hardware-based Protection | | | | |