| 💼 SI-1 Policy and Procedures | | | | |
| 💼 SI-2 Flaw Remediation | 6 | | 2 | |
| 💼 SI-2(1) Flaw Remediation _ Central Management | | | | |
| 💼 SI-2(2) Flaw Remediation _ Automated Flaw Remediation Status | | 1 | 1 | |
| 💼 SI-2(3) Flaw Remediation _ Time to Remediate Flaws and Benchmarks for Corrective Actions | | | | |
| 💼 SI-2(4) Flaw Remediation _ Automated Patch Management Tools | | | 1 | |
| 💼 SI-2(5) Flaw Remediation _ Automatic Software and Firmware Updates | | 1 | 1 | |
| 💼 SI-2(6) Flaw Remediation _ Removal of Previous Versions of Software and Firmware | | 5 | 5 | |
| 💼 SI-3 Malicious Code Protection | 10 | | | |
| 💼 SI-3(1) Malicious Code Protection _ Central Management | | | | |
| 💼 SI-3(2) Malicious Code Protection _ Automatic Updates | | | | |
| 💼 SI-3(3) Malicious Code Protection _ Non-privileged Users | | | | |
| 💼 SI-3(4) Malicious Code Protection _ Updates Only by Privileged Users | | | | |
| 💼 SI-3(5) Malicious Code Protection _ Portable Storage Devices | | | | |
| 💼 SI-3(6) Malicious Code Protection _ Testing and Verification | | | | |
| 💼 SI-3(7) Malicious Code Protection _ Nonsignature-based Detection | | | | |
| 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands | | | 3 | |
| 💼 SI-3(9) Malicious Code Protection _ Authenticate Remote Commands | | | | |
| 💼 SI-3(10) Malicious Code Protection _ Malicious Code Analysis | | | | |
| 💼 SI-4 System Monitoring | 25 | | 1 | |
| 💼 SI-4(1) System Monitoring _ System-wide Intrusion Detection System | | | | |
| 💼 SI-4(2) System Monitoring _ Automated Tools and Mechanisms for Real-time Analysis | | | | |
| 💼 SI-4(3) System Monitoring _ Automated Tool and Mechanism Integration | | | | |
| 💼 SI-4(4) System Monitoring _ Inbound and Outbound Communications Traffic | | 2 | 2 | |
| 💼 SI-4(5) System Monitoring _ System-generated Alerts | | | | |
| 💼 SI-4(6) System Monitoring _ Restrict Non-privileged Users | | | | |
| 💼 SI-4(7) System Monitoring _ Automated Response to Suspicious Events | | | | |
| 💼 SI-4(8) System Monitoring _ Protection of Monitoring Information | | | | |
| 💼 SI-4(9) System Monitoring _ Testing of Monitoring Tools and Mechanisms | | | | |
| 💼 SI-4(10) System Monitoring _ Visibility of Encrypted Communications | | | | |
| 💼 SI-4(11) System Monitoring _ Analyze Communications Traffic Anomalies | | | | |
| 💼 SI-4(12) System Monitoring _ Automated Organization-generated Alerts | | | | |
| 💼 SI-4(13) System Monitoring _ Analyze Traffic and Event Patterns | | | | |
| 💼 SI-4(14) System Monitoring _ Wireless Intrusion Detection | | | | |
| 💼 SI-4(15) System Monitoring _ Wireless to Wireline Communications | | | | |
| 💼 SI-4(16) System Monitoring _ Correlate Monitoring Information | | | | |
| 💼 SI-4(17) System Monitoring _ Integrated Situational Awareness | | | | |
| 💼 SI-4(18) System Monitoring _ Analyze Traffic and Covert Exfiltration | | | | |
| 💼 SI-4(19) System Monitoring _ Risk for Individuals | | | | |
| 💼 SI-4(20) System Monitoring _ Privileged Users | | | 3 | |
| 💼 SI-4(21) System Monitoring _ Probationary Periods | | | | |
| 💼 SI-4(22) System Monitoring _ Unauthorized Network Services | | | | |
| 💼 SI-4(23) System Monitoring _ Host-based Devices | | | | |
| 💼 SI-4(24) System Monitoring _ Indicators of Compromise | | | | |
| 💼 SI-4(25) System Monitoring _ Optimize Network Traffic Analysis | | | | |
| 💼 SI-5 Security Alerts, Advisories, and Directives | 1 | | | |
| 💼 SI-5(1) Security Alerts, Advisories, and Directives _ Automated Alerts and Advisories | | | | |
| 💼 SI-6 Security and Privacy Function Verification | 3 | | | |
| 💼 SI-6(1) Security and Privacy Function Verification _ Notification of Failed Security Tests | | | | |
| 💼 SI-6(2) Security and Privacy Function Verification _ Automation Support for Distributed Testing | | | | |
| 💼 SI-6(3) Security and Privacy Function Verification _ Report Verification Results | | | | |
| 💼 SI-7 Software, Firmware, and Information Integrity | 17 | | | |
| 💼 SI-7(1) Software, Firmware, and Information Integrity _ Integrity Checks | | | 1 | |
| 💼 SI-7(2) Software, Firmware, and Information Integrity _ Automated Notifications of Integrity Violations | | | | |
| 💼 SI-7(3) Software, Firmware, and Information Integrity _ Centrally Managed Integrity Tools | | | 1 | |
| 💼 SI-7(4) Software, Firmware, and Information Integrity _ Tamper-evident Packaging | | | | |
| 💼 SI-7(5) Software, Firmware, and Information Integrity _ Automated Response to Integrity Violations | | | | |
| 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection | | | 6 | |
| 💼 SI-7(7) Software, Firmware, and Information Integrity _ Integration of Detection and Response | | | 1 | |
| 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events | | | 6 | |
| 💼 SI-7(9) Software, Firmware, and Information Integrity _ Verify Boot Process | | | | |
| 💼 SI-7(10) Software, Firmware, and Information Integrity _ Protection of Boot Firmware | | | | |
| 💼 SI-7(11) Software, Firmware, and Information Integrity _ Confined Environments with Limited Privileges | | | | |
| 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification | | 18 | 20 | |
| 💼 SI-7(13) Software, Firmware, and Information Integrity _ Code Execution in Protected Environments | | | | |
| 💼 SI-7(14) Software, Firmware, and Information Integrity _ Binary or Machine Executable Code | | | | |
| 💼 SI-7(15) Software, Firmware, and Information Integrity _ Code Authentication | | | | |
| 💼 SI-7(16) Software, Firmware, and Information Integrity _ Time Limit on Process Execution Without Supervision | | | | |
| 💼 SI-7(17) Software, Firmware, and Information Integrity _ Runtime Application Self-protection | | | | |
| 💼 SI-8 Spam Protection | 3 | | | |
| 💼 SI-8(1) Spam Protection _ Central Management | | | | |
| 💼 SI-8(2) Spam Protection _ Automatic Updates | | | | |
| 💼 SI-8(3) Spam Protection _ Continuous Learning Capability | | | | |
| 💼 SI-9 Information Input Restrictions | | | | |
| 💼 SI-10 Information Input Validation | 6 | | | |
| 💼 SI-10(1) Information Input Validation _ Manual Override Capability | | | | |
| 💼 SI-10(2) Information Input Validation _ Review and Resolve Errors | | | | |
| 💼 SI-10(3) Information Input Validation _ Predictable Behavior | | | | |
| 💼 SI-10(4) Information Input Validation _ Timing Interactions | | | | |
| 💼 SI-10(5) Information Input Validation _ Restrict Inputs to Trusted Sources and Approved Formats | | | | |
| 💼 SI-10(6) Information Input Validation _ Injection Prevention | | | | |
| 💼 SI-11 Error Handling | | | | |
| 💼 SI-12 Information Management and Retention | 3 | | | |
| 💼 SI-12(1) Information Management and Retention _ Limit Personally Identifiable Information Elements | | | | |
| 💼 SI-12(2) Information Management and Retention _ Minimize Personally Identifiable Information in Testing, Training, and Research | | | | |
| 💼 SI-12(3) Information Management and Retention _ Information Disposal | | | | |
| 💼 SI-13 Predictable Failure Prevention | 5 | | | |
| 💼 SI-13(1) Predictable Failure Prevention _ Transferring Component Responsibilities | | | | |
| 💼 SI-13(2) Predictable Failure Prevention _ Time Limit on Process Execution Without Supervision | | | | |
| 💼 SI-13(3) Predictable Failure Prevention _ Manual Transfer Between Components | | | | |
| 💼 SI-13(4) Predictable Failure Prevention _ Standby Component Installation and Notification | | | | |
| 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability | | | 2 | |
| 💼 SI-14 Non-persistence | 3 | | | |
| 💼 SI-14(1) Non-persistence _ Refresh from Trusted Sources | | | | |
| 💼 SI-14(2) Non-persistence _ Non-persistent Information | | | | |
| 💼 SI-14(3) Non-persistence _ Non-persistent Connectivity | | | | |
| 💼 SI-15 Information Output Filtering | | | | |
| 💼 SI-16 Memory Protection | | | | |
| 💼 SI-17 Fail-safe Procedures | | | | |
| 💼 SI-18 Personally Identifiable Information Quality Operations | 5 | | | |
| 💼 SI-18(1) Personally Identifiable Information Quality Operations _ Automation Support | | | | |
| 💼 SI-18(2) Personally Identifiable Information Quality Operations _ Data Tags | | | | |
| 💼 SI-18(3) Personally Identifiable Information Quality Operations _ Collection | | | | |
| 💼 SI-18(4) Personally Identifiable Information Quality Operations _ Individual Requests | | | | |
| 💼 SI-18(5) Personally Identifiable Information Quality Operations _ Notice of Correction or Deletion | | | | |
| 💼 SI-19 De-identification | 8 | | | |
| 💼 SI-19(1) De-identification _ Collection | | | | |
| 💼 SI-19(2) De-identification _ Archiving | | | | |
| 💼 SI-19(3) De-identification _ Release | | | | |
| 💼 SI-19(4) De-identification _ Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers | | | | |
| 💼 SI-19(5) De-identification _ Statistical Disclosure Control | | | | |
| 💼 SI-19(6) De-identification _ Differential Privacy | | | | |
| 💼 SI-19(7) De-identification _ Validated Algorithms and Software | | | | |
| 💼 SI-19(8) De-identification _ Motivated Intruder | | | | |
| 💼 SI-20 Tainting | | | | |
| 💼 SI-21 Information Refresh | | | | |
| 💼 SI-22 Information Diversity | | | | |
| 💼 SI-23 Information Fragmentation | | | | |