NIST SP 800-53r5 Analysis

Last updated July 30 2021 06:59 EDT.

The author welcomes comments and suggestions regarding document content and format.



Introduction

This document is an analysis of National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5 (SP 800-53r5) Security and Privacy Controls for Information Systems and Organizations comparing it with the now superseded Special Publication 800-53 Revision 4 (SP 800-53r4).

The term "control" as used in this document refers to both (in SP 800-53 parlance) controls and control enhancements.

NIST introduced a separate document Special Publication 800-53B (SP 800-53B) Control Baselines for Information Systems and Organizations which specifies baselines to be used in conjunction with SP 800-53r5 controls. Control baselines had previously appeared in SP 800-53r4 appendix D.

NIST published SP 800-53r5 in September, 2020 and updated it with a large number of errata in December, 2020.

This document would not have been possible without structured information made available by NIST in OSCAL format. See OSCAL: the Open Security Controls Assessment Language for information about OSCAL.

SP 800-53r5 Adoption

The deadline for complete SP 800-53r5 adoption by US Federal Government agencies is September 23, 2021 — one year after its publication.

Office of Management and Budget Circular A-130 Managing Information as a Strategic Resource, July 2016 Appendix I §5 part a "NIST Standards and Guidelines" ¶3 (page I-16, PDF page 53) specifies

For legacy information systems, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines within one year of their respective publication dates unless otherwise directed by OMB. The one-year compliance date for revisions to NIST publications applies only to new or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines immediately upon deployment of the systems.

In other words, adoption should be immediate or no later than one year after publication. OMB A-130 has, by the way, an impressive number of requirements (NIST Special Publication adoption amongst them).

SP 800-53r5 Adoption Tasks

General Changes in SP 800-53r5

Large numbers of controls and organization-defined parameters (ODPs) were introduced, and pre-existing controls were augmented with novel ODPs. The PT (21 controls) and SR (27 controls) families are entirely new.

Virtually all pre-existing controls had syntactic changes and many had substantial semantic changes which will require manual review in order to assess the consequences of the changes.

Imperative mood

Control statement grammar was changed from indicative to imperative mood. In many cases the occasion of this mood change was accompanied by additional changes to clarify, refine, and augment control statements. For example,

Comparison of control IR-4

SP 800-53r5: Incident Handling
a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinate incident handling activities with contingency planning activities;
c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

SP 800-53r4: Incident Handling
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

Comparison of control CA-2

SP 800-53r5: Control Assessments
a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
b. Develop a control assessment plan that describes the scope of the assessment including:
1. Controls and control enhancements under assessment;
2. Assessment procedures to be used to determine control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
d. Assess the controls in the system and its environment of operation ca-2_prm_1[Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
e. Produce a control assessment report that document the results of the assessment; and
f. Provide the results of the control assessment to ca-2_prm_2[Assignment: organization-defined individuals or roles].

SP 800-53r4: Security Assessments
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation ca-2_prm_1[Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to ca-2_prm_2[Assignment: organization-defined individuals or roles].

Comparison of control AT-3

SP 800-53r5: Role-based Training
a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: at-3_prm_1[Assignment: organization-defined roles and responsibilities]:
1. Before authorizing access to the system, information, or performing assigned duties, and at-3_prm_2[Assignment: organization-defined frequency] thereafter; and
2. When required by system changes;
b. Update role-based training content at-3_prm_3[Assignment: organization-defined frequency] and following at-3_prm_4[Assignment: organization-defined events]; and
c. Incorporate lessons learned from internal or external security incidents or breaches into role-based training.

SP 800-53r4: Role-based Security Training
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. at-3_prm_1[Assignment: organization-defined frequency] thereafter.

The term "information system" is now shunned in control statements

The term "information system" previously found in 437 control statements was changed to just "system" or was dropped entirely. For example,

Comparison of control CM-4

SP 800-53r5: Impact Analyses
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

SP 800-53r4: Security Impact Analysis
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

Comparison of control AU-7

SP 800-53r5: Audit Record Reduction and Report Generation
Provide and implement an audit record reduction and report generation capability that:
a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and
b. Does not alter the original content or time ordering of audit records.

SP 800-53r4: Audit Reduction and Report Generation
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records.

Commingled privacy considerations

Privacy considerations were commingled in 86 controls. For example,

Comparison of control PL-2

SP 800-53r5: System Security and Privacy Plans
a. Develop security and privacy plans for the system that:
1. Are consistent with the organization’s enterprise architecture;
2. Explicitly define the constituent system components;
3. Describe the operational context of the system in terms of mission and business processes;
4. Identify the individuals that fulfill system roles and responsibilities;
5. Identify the information types processed, stored, and transmitted by the system;
6. Provide the security categorization of the system, including supporting rationale;
7. Describe any specific threats to the system that are of concern to the organization;
8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
10. Provide an overview of the security and privacy requirements for the system;
11. Identify any relevant control baselines or overlays, if applicable;
12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
13. Include risk determinations for security and privacy architecture and design decisions;
14. Include security- and privacy-related activities affecting the system that require planning and coordination with pl-2_prm_1[Assignment: organization-defined individuals or groups]; and
15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
b. Distribute copies of the plans and communicate subsequent changes to the plans to pl-2_prm_2[Assignment: organization-defined personnel or roles];
c. Review the plans pl-2_prm_3[Assignment: organization-defined frequency];
d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
e. Protect the plans from unauthorized disclosure and modification.

SP 800-53r4: System Security Plan
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization’s enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to pl-2_prm_1[Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system pl-2_prm_2[Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.

Comparison of control AC-4(1)

SP 800-53r5: Information Flow Enforcement | Object Security and Privacy Attributes
Use ac-4.1_prm_1[Assignment: organization-defined security and privacy attributes] associated with ac-4.1_prm_2[Assignment: organization-defined information, source, and destination objects] to enforce ac-4.1_prm_3[Assignment: organization-defined information flow control policies] as a basis for flow control decisions.

SP 800-53r4: Information Flow Enforcement | Object Security Attributes
The information system uses ac-4.1_prm_1[Assignment: organization-defined security attributes] associated with ac-4.1_prm_2[Assignment: organization-defined information, source, and destination objects] to enforce ac-4.1_prm_3[Assignment: organization-defined information flow control policies] as a basis for flow control decisions.

Comparison of control CM-3(4)

SP 800-53r5: Configuration Change Control | Security and Privacy Representatives
Require cm-3.4_prm_1[Assignment: organization-defined security and privacy representatives] to be members of the cm-3.4_prm_2[Assignment: organization-defined configuration change control element].

SP 800-53r4: Configuration Change Control | Security Representative
The organization requires an information security representative to be a member of the cm-3.4_prm_1[Assignment: organization-defined configuration change control element].

Comparison of control SA-8

SP 800-53r5: Security and Privacy Engineering Principles
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: sa-8_prm_1[Assignment: organization-defined systems security and privacy engineering principles].

SP 800-53r4: Security Engineering Principles
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

Altered policy and procedure controls

All 20 of the XX-1 "Policy and Procedures" controls were re-worked with 4 additional ODPs each. For example,

Comparison of control SI-1

SP 800-53r5: Policy and Procedures
a. Develop, document, and disseminate to si-1_prm_1[Assignment: organization-defined personnel or roles]:
1. si-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] system and information integrity policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;
b. Designate an si-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and
c. Review and update the current system and information integrity:
1. Policy si-1_prm_4[Assignment: organization-defined frequency] and following si-1_prm_5[Assignment: organization-defined events]; and
2. Procedures si-1_prm_6[Assignment: organization-defined frequency] and following si-1_prm_7[Assignment: organization-defined events].

SP 800-53r4: System and Information Integrity Policy and Procedures
The organization:
a. Develops, documents, and disseminates to si-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy si-1_prm_2[Assignment: organization-defined frequency]; and
2. System and information integrity procedures si-1_prm_3[Assignment: organization-defined frequency].


SP 800-53r5 Controls and ODPs

All controls

There are 1,007 active (i.e., not withdrawn) controls (there were 86 newly withdrawn in SP 800-53r5, and 96 previously withdrawn in earlier versions).

There are 1,258 organization-defined parameters (ODPs).
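The figures above were derived from the structured OSCAL catalog NIST publishes (see the Introduction). As an added example, not the author's own tooling, the following Python walks a small constructed fragment shaped like that catalog JSON (catalog, groups, nested enhancement controls, params, the status/withdrawn prop and {{ insert: param, ... }} placeholders), counts active and withdrawn controls and the ODPs of the active ones, and renders each ODP in its statement context in the id[Assignment: ...] / id[Selection: ... or ...] form used by the tables on this page. The fragment's control prose is abbreviated and constructed for illustration.

```python
import json
import re

# Constructed fragment shaped like NIST's OSCAL JSON catalog for SP 800-53r5:
# catalog -> groups -> controls -> nested enhancement "controls". Only the keys
# used below are modelled and the prose is abbreviated. The
# {"name": "status", "value": "withdrawn"} prop is how the NIST catalog marks
# withdrawn controls and enhancements.
CATALOG_JSON = r'''{"catalog": {"groups": [
 {"id": "ac", "title": "Access Control", "controls": [
  {"id": "ac-2", "title": "Account Management",
   "params": [{"id": "ac-2_prm_6", "label": "organization-defined time period"}],
   "parts": [{"id": "ac-2_smt", "name": "statement", "parts": [
     {"id": "ac-2_smt.h.1", "name": "item",
      "prose": "{{ insert: param, ac-2_prm_6 }} when accounts are no longer required;"}]}],
   "controls": [
    {"id": "ac-2.10", "title": "Shared and Group Account Credential Change",
     "props": [{"name": "status", "value": "withdrawn"}]}]},
  {"id": "ac-4", "title": "Information Flow Enforcement", "controls": [
    {"id": "ac-4.4", "title": "Flow Control of Encrypted Information",
     "params": [
      {"id": "ac-4.4_prm_1", "label": "organization-defined information flow control mechanisms"},
      {"id": "ac-4.4_prm_2", "select": {"how-many": "one-or-more", "choice": [
        "decrypting the information",
        "blocking the flow of the encrypted information",
        "{{ insert: param, ac-4.4_prm_3 }}"]}},
      {"id": "ac-4.4_prm_3", "label": "organization-defined procedure or method"}],
     "parts": [{"id": "ac-4.4_smt", "name": "statement",
       "prose": "Prevent encrypted information from bypassing {{ insert: param, ac-4.4_prm_1 }} by {{ insert: param, ac-4.4_prm_2 }}."}]}]}]}]}}'''

# OSCAL parameter placeholder as it appears inside prose.
INSERT_RE = re.compile(r"\{\{\s*insert:\s*param,\s*([^\s}]+)\s*\}\}")


def iter_controls(node):
    """Depth-first walk over every control and enhancement below a catalog,
    group, or control node (enhancements are nested under "controls")."""
    for ctl in node.get("controls", []):
        yield ctl
        yield from iter_controls(ctl)
    for grp in node.get("groups", []):
        yield from iter_controls(grp)


def is_withdrawn(control):
    return any(p.get("name") == "status" and p.get("value") == "withdrawn"
               for p in control.get("props", []))


def summarize(catalog):
    """Counts in the spirit of the 'All controls' figures: active controls,
    withdrawn controls, and ODPs (params) carried by the active controls."""
    active = withdrawn = odps = 0
    for ctl in iter_controls(catalog["catalog"]):
        if is_withdrawn(ctl):
            withdrawn += 1
        else:
            active += 1
            odps += len(ctl.get("params", []))
    return {"active": active, "withdrawn": withdrawn, "odps": odps}


def render_param(pid, params):
    """Render one ODP as id[Assignment: label] or id[Selection: a or b].
    Selection choices may embed further parameter inserts, so recurse."""
    p = params[pid]
    if "select" in p:
        choices = [render_prose(c, params) for c in p["select"]["choice"]]
        return f"{pid}[Selection: {' or '.join(choices)}]"
    return f"{pid}[Assignment: {p.get('label', '')}]"


def render_prose(prose, params):
    return INSERT_RE.sub(lambda m: render_param(m.group(1), params), prose)


def iter_parts(part):
    yield part
    for sub in part.get("parts", []):
        yield from iter_parts(sub)


def odp_contexts(catalog):
    """Map each ODP id of an active control to the rendered statement text
    that inserts it (the 'Context' column of the novel-ODP table)."""
    contexts = {}
    for ctl in iter_controls(catalog["catalog"]):
        if is_withdrawn(ctl):
            continue
        params = {p["id"]: p for p in ctl.get("params", [])}
        for top in ctl.get("parts", []):
            for part in iter_parts(top):
                rendered = render_prose(part.get("prose", ""), params)
                # An assignment nested inside a selection is reached through the
                # outer placeholder, so key every param whose rendering appears.
                for pid in params:
                    if f"{pid}[" in rendered:
                        contexts.setdefault(pid, rendered)
    return contexts


CATALOG = json.loads(CATALOG_JSON)

if __name__ == "__main__":
    print(summarize(CATALOG))
    for pid, ctx in odp_contexts(CATALOG).items():
        print(pid, "::", ctx)
```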

Controls which are selected in baselines

Controls which are selected in baselines are destined to be employed and thus any related ODPs are destined to be tailored.

SP 800-53r5 has 423 controls selected in one or more baselines and these collectively incorporate 662 organization-defined parameters.

SP 800-53r5 has 267 novel (i.e., not in SP 800-53r4) controls. 75 of those are selected in one or more SP 800-53B baselines, and collectively incorporate 94 (novel) organization-defined parameters.

Organization-defined parameter selections and assignments may (but need not necessarily) vary by impact when 800-53B baselines are selected (PL-10) and tailored (PL-11).

Novel (baselined) controls in SP 800-53r5

The following shows the 75 novel SP 800-53r5 controls which appear in SP 800-53B Low, Moderate, High, or Privacy control baselines.

These are just controls that appear in baselines; there are 192 other novel controls.

Novel SP 800-53r5 controls which are selected in SP 800-53B baselines

Control: Title; baselines (Ⓛ Low, Ⓜ Moderate, Ⓗ High, Ⓟ Privacy); ODPs
AC-3(14): Access Control | Access Enforcement | Individual Access; ODPs: 2
AT-2(3): Awareness and Training | Literacy Training and Awareness | Social Engineering and Mining; baselines: Ⓜ Ⓗ
AT-3(5): Awareness and Training | Role-based Training | Processing Personally Identifiable Information; ODPs: 2
AU-3(3): Audit and Accountability | Content of Audit Records | Limit Personally Identifiable Information Elements; ODPs: 1
CA-3(6): Assessment, Authorization, and Monitoring | Information Exchange | Transfer Authorizations
CA-7(4): Assessment, Authorization, and Monitoring | Continuous Monitoring | Risk Monitoring; baselines: Ⓛ Ⓜ Ⓗ Ⓟ
CM-12: Configuration Management | Information Location; baselines: Ⓜ Ⓗ; ODPs: 1
CM-12(1): Configuration Management | Information Location | Automated Tools to Support Information Location; baselines: Ⓜ Ⓗ; ODPs: 2
CP-9(8): Contingency Planning | System Backup | Cryptographic Protection; baselines: Ⓜ Ⓗ; ODPs: 1
IA-12: Identification and Authentication | Identity Proofing; baselines: Ⓜ Ⓗ
IA-12(2): Identification and Authentication | Identity Proofing | Identity Evidence; baselines: Ⓜ Ⓗ
IA-12(3): Identification and Authentication | Identity Proofing | Identity Evidence Validation and Verification; baselines: Ⓜ Ⓗ; ODPs: 1
IA-12(4): Identification and Authentication | Identity Proofing | In-person Validation and Verification
IA-12(5): Identification and Authentication | Identity Proofing | Address Confirmation; baselines: Ⓜ Ⓗ; ODPs: 1
IR-2(3): Incident Response | Incident Response Training | Breach
IR-4(11): Incident Response | Incident Handling | Integrated Incident Response Team; ODPs: 1
IR-8(1): Incident Response | Incident Response Plan | Breaches
PE-8(3): Physical and Environmental Protection | Visitor Access Records | Limit Personally Identifiable Information Elements; ODPs: 1
PL-10: Planning | Baseline Selection; baselines: Ⓛ Ⓜ Ⓗ
PL-11: Planning | Baseline Tailoring; baselines: Ⓛ Ⓜ Ⓗ
PM-5(1): Program Management | System Inventory | Inventory of Personally Identifiable Information; ODPs: 1
PM-17: Program Management | Protecting Controlled Unclassified Information on External Systems; ODPs: 1
PM-18: Program Management | Privacy Program Plan; ODPs: 1
PM-19: Program Management | Privacy Program Leadership Role
PM-20: Program Management | Dissemination of Privacy Program Information
PM-20(1): Program Management | Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services
PM-21: Program Management | Accounting of Disclosures
PM-22: Program Management | Personally Identifiable Information Quality Management
PM-24: Program Management | Data Integrity Board
PM-25: Program Management | Minimization of Personally Identifiable Information Used in Testing, Training, and Research; ODPs: 1
PM-26: Program Management | Complaint Management; ODPs: 3
PM-27: Program Management | Privacy Reporting; ODPs: 4
PM-28: Program Management | Risk Framing; ODPs: 2
PM-31: Program Management | Continuous Monitoring Strategy; ODPs: 5
PS-9: Personnel Security | Position Descriptions; baselines: Ⓛ Ⓜ Ⓗ
PT-1: Personally Identifiable Information Processing and Transparency | Policy and Procedures; ODPs: 7
PT-2: Personally Identifiable Information Processing and Transparency | Authority to Process Personally Identifiable Information; ODPs: 3
PT-3: Personally Identifiable Information Processing and Transparency | Personally Identifiable Information Processing Purposes; ODPs: 4
PT-4: Personally Identifiable Information Processing and Transparency | Consent; ODPs: 1
PT-5: Personally Identifiable Information Processing and Transparency | Privacy Notice; ODPs: 2
PT-5(2): Personally Identifiable Information Processing and Transparency | Privacy Notice | Privacy Act Statements
PT-6: Personally Identifiable Information Processing and Transparency | System of Records Notice
PT-6(1): Personally Identifiable Information Processing and Transparency | System of Records Notice | Routine Uses; ODPs: 1
PT-6(2): Personally Identifiable Information Processing and Transparency | System of Records Notice | Exemption Rules; ODPs: 1
PT-7: Personally Identifiable Information Processing and Transparency | Specific Categories of Personally Identifiable Information; ODPs: 1
PT-7(1): Personally Identifiable Information Processing and Transparency | Specific Categories of Personally Identifiable Information | Social Security Numbers
PT-7(2): Personally Identifiable Information Processing and Transparency | Specific Categories of Personally Identifiable Information | First Amendment Information
PT-8: Personally Identifiable Information Processing and Transparency | Computer Matching Requirements
RA-3(1): Risk Assessment | Risk Assessment | Supply Chain Risk Assessment; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 2
RA-5(11): Risk Assessment | Vulnerability Monitoring and Scanning | Public Disclosure Program; baselines: Ⓛ Ⓜ Ⓗ
RA-7: Risk Assessment | Risk Response; baselines: Ⓛ Ⓜ Ⓗ Ⓟ
RA-8: Risk Assessment | Privacy Impact Assessments
RA-9: Risk Assessment | Criticality Analysis; baselines: Ⓜ Ⓗ; ODPs: 2
SA-8(33): System and Services Acquisition | Security and Privacy Engineering Principles | Minimization; ODPs: 1
SC-7(24): System and Communications Protection | Boundary Protection | Personally Identifiable Information; ODPs: 1
SI-12(1): System and Information Integrity | Information Management and Retention | Limit Personally Identifiable Information Elements; ODPs: 1
SI-12(2): System and Information Integrity | Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research; ODPs: 1
SI-12(3): System and Information Integrity | Information Management and Retention | Information Disposal; ODPs: 1
SI-18: System and Information Integrity | Personally Identifiable Information Quality Operations; ODPs: 1
SI-18(4): System and Information Integrity | Personally Identifiable Information Quality Operations | Individual Requests
SI-19: System and Information Integrity | De-identification; ODPs: 2
SR-1: Supply Chain Risk Management | Policy and Procedures; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 7
SR-2: Supply Chain Risk Management | Supply Chain Risk Management Plan; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 2
SR-2(1): Supply Chain Risk Management | Supply Chain Risk Management Plan | Establish Scrm Team; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 2
SR-3: Supply Chain Risk Management | Supply Chain Controls and Processes; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 5
SR-5: Supply Chain Risk Management | Acquisition Strategies, Tools, and Methods; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 1
SR-6: Supply Chain Risk Management | Supplier Assessments and Reviews; baselines: Ⓜ Ⓗ; ODPs: 1
SR-8: Supply Chain Risk Management | Notification Agreements; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 2
SR-9: Supply Chain Risk Management | Tamper Resistance and Detection
SR-9(1): Supply Chain Risk Management | Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle
SR-10: Supply Chain Risk Management | Inspection of Systems or Components; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 4
SR-11: Supply Chain Risk Management | Component Authenticity; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 3
SR-11(1): Supply Chain Risk Management | Component Authenticity | Anti-counterfeit Training; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 1
SR-11(2): Supply Chain Risk Management | Component Authenticity | Configuration Control for Component Service and Repair; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 1
SR-12: Supply Chain Risk Management | Component Disposal; baselines: Ⓛ Ⓜ Ⓗ; ODPs: 2

Novel (baselined) ODPs in SP 800-53r5

Novel ODPs occur in previously existing controls as well as controls novel to SP 800-53r5 (indicated by ⑤).

There are 519 novel ODPs in SP 800-53r5 (relative to SP 800-53r4). 269 of those novel ODPs appear in baselined controls.

Control: Title; baselines (Ⓛ Low, Ⓜ Moderate, Ⓗ High, Ⓟ Privacy)
  ODP: Context (the control statement text in which the ODP appears)

AC-1: Policy and Procedures; baselines: Ⓛ Ⓜ Ⓗ Ⓟ
  ac-1_prm_2: ac-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] access control policy that:
  ac-1_prm_3: Designate an ac-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and
  ac-1_prm_5: Policy ac-1_prm_4[Assignment: organization-defined frequency] and following ac-1_prm_5[Assignment: organization-defined events]; and
  ac-1_prm_7: Procedures ac-1_prm_6[Assignment: organization-defined frequency] and following ac-1_prm_7[Assignment: organization-defined events].
AC-2: Account Management; baselines: Ⓛ Ⓜ Ⓗ
  ac-2_prm_1: Require ac-2_prm_1[Assignment: organization-defined prerequisites and criteria] for group and role membership;
  ac-2_prm_2: Access authorizations (i.e., privileges) and ac-2_prm_2[Assignment: organization-defined attributes (as required)] for each account;
  ac-2_prm_5: Notify account managers and ac-2_prm_5[Assignment: organization-defined personnel or roles] within:
  ac-2_prm_6: ac-2_prm_6[Assignment: organization-defined time period] when accounts are no longer required;
  ac-2_prm_7: ac-2_prm_7[Assignment: organization-defined time period] when users are terminated or transferred; and
  ac-2_prm_8: ac-2_prm_8[Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
  ac-2_prm_9: ac-2_prm_9[Assignment: organization-defined attributes (as required)];
AC-2(1): Account Management | Automated System Account Management; baselines: Ⓜ Ⓗ
  ac-2.1_prm_1: Support the management of system accounts using ac-2.1_prm_1[Assignment: organization-defined automated mechanisms].
AC-2(3): Account Management | Disable Accounts; baselines: Ⓜ Ⓗ
  ac-2.3_prm_1: Disable accounts within ac-2.3_prm_1[Assignment: organization-defined time period] when the accounts:
AC-2(13): Account Management | Disable Accounts for High-risk Individuals; baselines: Ⓜ Ⓗ
  ac-2.13_prm_2: Disable accounts of individuals within ac-2.13_prm_1[Assignment: organization-defined time period] of discovery of ac-2.13_prm_2[Assignment: organization-defined significant risks].
AC-3(14): Access Enforcement | Individual Access
  ac-3.14_prm_1: Provide ac-3.14_prm_1[Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: ac-3.14_prm_2[Assignment: organization-defined elements].
  ac-3.14_prm_2: Provide ac-3.14_prm_1[Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: ac-3.14_prm_2[Assignment: organization-defined elements].
AC-4(4): Information Flow Enforcement | Flow Control of Encrypted Information
  ac-4.4_prm_1: Prevent encrypted information from bypassing ac-4.4_prm_1[Assignment: organization-defined information flow control mechanisms] by ac-4.4_prm_2[Selection: decrypting the information or blocking the flow of the encrypted information or terminating communications sessions attempting to pass encrypted information or ac-4.4_prm_3[Assignment: organization-defined procedure or method]].
AC-6(1): Least Privilege | Authorize Access to Security Functions; baselines: Ⓜ Ⓗ
  ac-6.1_prm_1: Authorize access for ac-6.1_prm_1[Assignment: organization-defined individuals or roles] to:
AC-7: Unsuccessful Logon Attempts; baselines: Ⓛ Ⓜ Ⓗ
  ac-7_prm_6: [Selection: lock the account or node for an or ac-7_prm_4[Assignment: organization-defined time period] or lock the account or node until released by an administrator or delay next logon prompt per or ac-7_prm_5[Assignment: organization-defined delay algorithm] or notify system administrator or take other or ac-7_prm_6[Assignment: organization-defined action]]
AC-11: Device Lock; baselines: Ⓜ Ⓗ
  ac-11_prm_1: Prevent further access to the system by ac-11_prm_1[Selection: initiating a device lock after or ac-11_prm_2[Assignment: organization-defined time period] or of inactivity or requiring the user to initiate a device lock before leaving the system unattended]; and
AC-20: Use of External Systems; baselines: Ⓛ Ⓜ Ⓗ
  ac-20_prm_1: ac-20_prm_1[Selection: Establish or ac-20_prm_2[Assignment: organization-defined terms and conditions] or Identify or ac-20_prm_3[Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
  ac-20_prm_2: [Selection: Establish or ac-20_prm_2[Assignment: organization-defined terms and conditions] or Identify or ac-20_prm_3[Assignment: organization-defined controls asserted to be implemented on external systems]]
  ac-20_prm_3: [Selection: Establish or ac-20_prm_2[Assignment: organization-defined terms and conditions] or Identify or ac-20_prm_3[Assignment: organization-defined controls asserted to be implemented on external systems]]
  ac-20_prm_4: Prohibit the use of ac-20_prm_4[Assignment: organizationally-defined types of external systems].
AC-20(2): Use of External Systems | Portable Storage Devices — Restricted Use; baselines: Ⓜ Ⓗ
  ac-20.2_prm_1: Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using ac-20.2_prm_1[Assignment: organization-defined restrictions].
AT-1: Policy and Procedures; baselines: Ⓛ Ⓜ Ⓗ Ⓟ
  at-1_prm_2: at-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] awareness and training policy that:
  at-1_prm_3: Designate an at-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and
  at-1_prm_5: Policy at-1_prm_4[Assignment: organization-defined frequency] and following at-1_prm_5[Assignment: organization-defined events]; and
  at-1_prm_7: Procedures at-1_prm_6[Assignment: organization-defined frequency] and following at-1_prm_7[Assignment: organization-defined events].
AT-2: Literacy Training and Awareness; baselines: Ⓛ Ⓜ Ⓗ Ⓟ
  at-2_prm_2: When required by system changes or following at-2_prm_2[Assignment: organization-defined events];
  at-2_prm_3: Employ the following techniques to increase the security and privacy awareness of system users at-2_prm_3[Assignment: organization-defined awareness techniques];
  at-2_prm_4: Update literacy training and awareness content at-2_prm_4[Assignment: organization-defined frequency] and following at-2_prm_5[Assignment: organization-defined events]; and
  at-2_prm_5: Update literacy training and awareness content at-2_prm_4[Assignment: organization-defined frequency] and following at-2_prm_5[Assignment: organization-defined events]; and
AT-3: Role-based Training; baselines: Ⓛ Ⓜ Ⓗ Ⓟ
  at-3_prm_1: Provide role-based security and privacy training to personnel with the following roles and responsibilities: at-3_prm_1[Assignment: organization-defined roles and responsibilities]:
  at-3_prm_3: Update role-based training content at-3_prm_3[Assignment: organization-defined frequency] and following at-3_prm_4[Assignment: organization-defined events]; and
  at-3_prm_4: Update role-based training content at-3_prm_3[Assignment: organization-defined frequency] and following at-3_prm_4[Assignment: organization-defined events]; and
AT-3(5): Role-based Training | Processing Personally Identifiable Information
  at-3.5_prm_1: Provide at-3.5_prm_1[Assignment: organization-defined personnel or roles] with initial and at-3.5_prm_2[Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls.
  at-3.5_prm_2: Provide at-3.5_prm_1[Assignment: organization-defined personnel or roles] with initial and at-3.5_prm_2[Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls.
AU-1: Policy and Procedures; baselines: Ⓛ Ⓜ Ⓗ Ⓟ
  au-1_prm_2: au-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] audit and accountability policy that:
  au-1_prm_3: Designate an au-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and
  au-1_prm_5: Policy au-1_prm_4[Assignment: organization-defined frequency] and following au-1_prm_5[Assignment: organization-defined events]; and
  au-1_prm_7: Procedures au-1_prm_6[Assignment: organization-defined frequency] and following au-1_prm_7[Assignment: organization-defined events].
AU-2: Event Logging; baselines: Ⓛ Ⓜ Ⓗ Ⓟ
  au-2_prm_1: Identify the types of events that the system is capable of logging in support of the audit function: au-2_prm_1[Assignment: organization-defined event types that the system is capable of logging];
AU-3(3): Content of Audit Records | Limit Personally Identifiable Information Elements
  au-3.3_prm_1: Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: au-3.3_prm_1[Assignment: organization-defined elements].
AU-5: Response to Audit Logging Process Failures; baselines: Ⓛ Ⓜ Ⓗ
  au-5_prm_2: Alert au-5_prm_1[Assignment: organization-defined personnel or roles] within au-5_prm_2[Assignment: organization-defined time period] in the event of an audit logging process failure; and
AU-6(1): Audit Record Review, Analysis, and Reporting | Automated Process Integration; baselines: Ⓜ Ⓗ
  au-6.1_prm_1: Integrate audit record review, analysis, and reporting processes using au-6.1_prm_1[Assignment: organization-defined automated mechanisms].
AU-9: Protection of Audit Information; baselines: Ⓛ Ⓜ Ⓗ
  au-9_prm_1: Alert au-9_prm_1[Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
CA-1Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟca-1_prm_2ca-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] assessment, authorization, and monitoring policy that:
ca-1_prm_3Designate an ca-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and
ca-1_prm_5Policy ca-1_prm_4[Assignment: organization-defined frequency] and following ca-1_prm_5[Assignment: organization-defined events]; and
ca-1_prm_7Procedures ca-1_prm_6[Assignment: organization-defined frequency] and following ca-1_prm_7[Assignment: organization-defined events].
CA-3Information ExchangeⓁ Ⓜ Ⓗca-3_prm_1Approve and manage the exchange of information between the system and other systems using ca-3_prm_1[Selection: interconnection security agreements or information exchange security agreements or memoranda of understanding or agreement or service level agreements or user agreements or nondisclosure agreements or ca-3_prm_2[Assignment: organization-defined type of agreement]];
ca-3_prm_2[Selection: interconnection security agreements or information exchange security agreements or memoranda of understanding or agreement or service level agreements or user agreements or nondisclosure agreements or ca-3_prm_2[Assignment: organization-defined type of agreement]]
CA-9Internal System ConnectionsⓁ Ⓜ Ⓗca-9_prm_2Terminate internal system connections after ca-9_prm_2[Assignment: organization-defined conditions]; and
ca-9_prm_3Review ca-9_prm_3[Assignment: organization-defined frequency] the continued need for each internal connection.
CM-1Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟcm-1_prm_2cm-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] configuration management policy that:
cm-1_prm_3Designate an cm-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
cm-1_prm_5Policy cm-1_prm_4[Assignment: organization-defined frequency] and following cm-1_prm_5[Assignment: organization-defined events]; and
cm-1_prm_7Procedures cm-1_prm_6[Assignment: organization-defined frequency] and following cm-1_prm_7[Assignment: organization-defined events].
CM-2Baseline ConfigurationⓁ Ⓜ Ⓗcm-2_prm_1cm-2_prm_1[Assignment: organization-defined frequency];
cm-2_prm_2When required due to cm-2_prm_2[Assignment: organization-defined circumstances]; and
CM-2(2)Baseline Configuration | Automation Support for Accuracy and CurrencyⓂ Ⓗcm-2.2_prm_1Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using cm-2.2_prm_1[Assignment: organization-defined automated mechanisms].
CM-3(1)Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changescm-3.1_prm_1Use cm-3.1_prm_1[Assignment: organization-defined automated mechanisms] to:
CM-3(4)Configuration Change Control | Security and Privacy RepresentativesⓂ Ⓗcm-3.4_prm_1Require cm-3.4_prm_1[Assignment: organization-defined security and privacy representatives] to be members of the cm-3.4_prm_2[Assignment: organization-defined configuration change control element].
CM-5(1)Access Restrictions for Change | Automated Access Enforcement and Audit Recordscm-5.1_prm_1Enforce access restrictions using cm-5.1_prm_1[Assignment: organization-defined automated mechanisms]; and
CM-6(1)Configuration Settings | Automated Management, Application, and Verificationcm-6.1_prm_2Manage, apply, and verify configuration settings for cm-6.1_prm_1[Assignment: organization-defined system components] using cm-6.1_prm_2[Assignment: organization-defined automated mechanisms].
CM-6(2)Configuration Settings | Respond to Unauthorized Changescm-6.2_prm_1Take the following actions in response to unauthorized changes to cm-6.2_prm_1[Assignment: organization-defined configuration settings]: cm-6.2_prm_2[Assignment: organization-defined actions].
cm-6.2_prm_2Take the following actions in response to unauthorized changes to cm-6.2_prm_1[Assignment: organization-defined configuration settings]: cm-6.2_prm_2[Assignment: organization-defined actions].
CM-7Least FunctionalityⓁ Ⓜ Ⓗcm-7_prm_1Configure the system to provide only cm-7_prm_1[Assignment: organization-defined mission essential capabilities]; and
CM-8(2)System Component Inventory | Automated Maintenancecm-8.2_prm_1Maintain the currency, completeness, accuracy, and availability of the inventory of system components using cm-8.2_prm_1[Assignment: organization-defined automated mechanisms].
CM-8(3)System Component Inventory | Automated Unauthorized Component DetectionⓂ Ⓗcm-8.3_prm_1Detect the presence of unauthorized hardware, software, and firmware components within the system using cm-8.3_prm_1[Assignment: organization-defined automated mechanisms]cm-8.3_prm_2[Assignment: organization-defined frequency]; and
CM-9Configuration Management PlanⓂ Ⓗcm-9_prm_1Is reviewed and approved by cm-9_prm_1[Assignment: organization-defined personnel or roles]; and
CM-12Information LocationⓂ Ⓗcm-12_prm_1Identify and document the location of cm-12_prm_1[Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
CM-12(1)Information Location | Automated Tools to Support Information LocationⓂ Ⓗcm-12.1_prm_1Use automated tools to identify cm-12.1_prm_1[Assignment: organization-defined information by information type] on cm-12.1_prm_2[Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.
cm-12.1_prm_2Use automated tools to identify cm-12.1_prm_1[Assignment: organization-defined information by information type] on cm-12.1_prm_2[Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.
CP-1Policy and ProceduresⓁ Ⓜ Ⓗcp-1_prm_2cp-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] contingency planning policy that:
cp-1_prm_3Designate an cp-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and
cp-1_prm_5Policy cp-1_prm_4[Assignment: organization-defined frequency] and following cp-1_prm_5[Assignment: organization-defined events]; and
cp-1_prm_7Procedures cp-1_prm_6[Assignment: organization-defined frequency] and following cp-1_prm_7[Assignment: organization-defined events].
CP-2(3)Contingency Plan | Resume Mission and Business FunctionsⓂ Ⓗcp-2.3_prm_1Plan for the resumption of cp-2.3_prm_1[Selection: all or essential] mission and business functions within cp-2.3_prm_2[Assignment: organization-defined time period] of contingency plan activation.
CP-2(5)Contingency Plan | Continue Mission and Business Functionscp-2.5_prm_1Plan for the continuance of cp-2.5_prm_1[Selection: all or essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.
CP-2(8)Contingency Plan | Identify Critical AssetsⓂ Ⓗcp-2.8_prm_1Identify critical system assets supporting cp-2.8_prm_1[Selection: all or essential] mission and business functions.
CP-3Contingency TrainingⓁ Ⓜ Ⓗcp-3_prm_3Review and update contingency training content cp-3_prm_3[Assignment: organization-defined frequency] and following cp-3_prm_4[Assignment: organization-defined events].
cp-3_prm_4Review and update contingency training content cp-3_prm_3[Assignment: organization-defined frequency] and following cp-3_prm_4[Assignment: organization-defined events].
CP-9System BackupⓁ Ⓜ Ⓗcp-9_prm_1Conduct backups of user-level information contained in cp-9_prm_1[Assignment: organization-defined system components]cp-9_prm_2[Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
CP-9(8)System Backup | Cryptographic ProtectionⓂ Ⓗcp-9.8_prm_1Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of cp-9.8_prm_1[Assignment: organization-defined backup information].
CP-10System Recovery and ReconstitutionⓁ Ⓜ Ⓗcp-10_prm_1Provide for the recovery and reconstitution of the system to a known state within cp-10_prm_1[Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.
IA-1Policy and ProceduresⓁ Ⓜ Ⓗia-1_prm_2ia-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] identification and authentication policy that:
ia-1_prm_3Designate an ia-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and
ia-1_prm_5Policy ia-1_prm_4[Assignment: organization-defined frequency] and following ia-1_prm_5[Assignment: organization-defined events]; and
ia-1_prm_7Procedures ia-1_prm_6[Assignment: organization-defined frequency] and following ia-1_prm_7[Assignment: organization-defined events].
IA-2(8)Identification and Authentication (organizational Users) | Access to Accounts — Replay ResistantⓁ Ⓜ Ⓗia-2.8_prm_1Implement replay-resistant authentication mechanisms for access to ia-2.8_prm_1[Selection: privileged accounts or non-privileged accounts].
IA-5Authenticator ManagementⓁ Ⓜ Ⓗia-5_prm_2Changing or refreshing authenticators ia-5_prm_1[Assignment: organization-defined time period by authenticator type] or when ia-5_prm_2[Assignment: organization-defined events] occur;
IA-5(1)Authenticator Management | Password-based AuthenticationⓁ Ⓜ Ⓗia-5.1_prm_1Maintain a list of commonly-used, expected, or compromised passwords and update the list ia-5.1_prm_1[Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
ia-5.1_prm_2Enforce the following composition and complexity rules: ia-5.1_prm_2[Assignment: organization-defined composition and complexity rules].
IA-8(4)Identification and Authentication (non-organizational Users) | Use of Defined ProfilesⓁ Ⓜ Ⓗia-8.4_prm_1Conform to the following profiles for identity management ia-8.4_prm_1[Assignment: organization-defined identity management profiles].
IA-12(3)Identity Proofing | Identity Evidence Validation and VerificationⓂ Ⓗia-12.3_prm_1Require that the presented identity evidence be validated and verified through ia-12.3_prm_1[Assignment: organizational defined methods of validation and verification].
IA-12(5)Identity Proofing | Address ConfirmationⓂ Ⓗia-12.5_prm_1Require that a ia-12.5_prm_1[Selection: registration code or notice of proofing] be delivered through an out-of-band channel to verify the users address (physical or digital) of record.
IR-1Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟir-1_prm_2ir-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] incident response policy that:
ir-1_prm_3Designate an ir-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and
ir-1_prm_5Policy ir-1_prm_4[Assignment: organization-defined frequency] and following ir-1_prm_5[Assignment: organization-defined events]; and
ir-1_prm_7Procedures ir-1_prm_6[Assignment: organization-defined frequency] and following ir-1_prm_7[Assignment: organization-defined events].
IR-2Incident Response TrainingⓁ Ⓜ Ⓗ Ⓟir-2_prm_3Review and update incident response training content ir-2_prm_3[Assignment: organization-defined frequency] and following ir-2_prm_4[Assignment: organization-defined events].
ir-2_prm_4Review and update incident response training content ir-2_prm_3[Assignment: organization-defined frequency] and following ir-2_prm_4[Assignment: organization-defined events].
IR-2(2)Incident Response Training | Automated Training Environmentsir-2.2_prm_1Provide an incident response training environment using ir-2.2_prm_1[Assignment: organization-defined automated mechanisms].
IR-4(1)Incident Handling | Automated Incident Handling ProcessesⓂ Ⓗir-4.1_prm_1Support the incident handling process using ir-4.1_prm_1[Assignment: organization-defined automated mechanisms].
IR-4(11)Incident Handling | Integrated Incident Response Teamir-4.11_prm_1Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in ir-4.11_prm_1[Assignment: organization-defined time period].
IR-5(1)Incident Monitoring | Automated Tracking, Data Collection, and Analysisir-5.1_prm_1Track incidents and collect and analyze incident information using ir-5.1_prm_1[Assignment: organization-defined automated mechanisms].
IR-6(1)Incident Reporting | Automated ReportingⓂ Ⓗir-6.1_prm_1Report incidents using ir-6.1_prm_1[Assignment: organization-defined automated mechanisms].
IR-7(1)Incident Response Assistance | Automation Support for Availability of Information and SupportⓂ Ⓗir-7.1_prm_1Increase the availability of incident response information and support using ir-7.1_prm_1[Assignment: organization-defined automated mechanisms].
IR-8Incident Response PlanⓁ Ⓜ Ⓗ Ⓟir-8_prm_3Explicitly designates responsibility for incident response to ir-8_prm_3[Assignment: organization-defined entities, personnel, or roles].
MA-1Policy and ProceduresⓁ Ⓜ Ⓗma-1_prm_2ma-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] maintenance policy that:
ma-1_prm_3Designate an ma-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and
ma-1_prm_5Policy ma-1_prm_4[Assignment: organization-defined frequency] and following ma-1_prm_5[Assignment: organization-defined events]; and
ma-1_prm_7Procedures ma-1_prm_6[Assignment: organization-defined frequency] and following ma-1_prm_7[Assignment: organization-defined events].
MA-2Controlled MaintenanceⓁ Ⓜ Ⓗma-2_prm_2Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ma-2_prm_2[Assignment: organization-defined information];
MA-2(2)Controlled Maintenance | Automated Maintenance Activitiesma-2.2_prm_1Schedule, conduct, and document maintenance, repair, and replacement actions for the system using ma-2.2_prm_1[Assignment: organization-defined automated mechanisms]; and
MA-3Maintenance ToolsⓂ Ⓗma-3_prm_1Review previously approved system maintenance tools ma-3_prm_1[Assignment: organization-defined frequency].
MA-5(1)Maintenance Personnel | Individuals Without Appropriate Accessma-5.1_prm_1Develop and implement ma-5.1_prm_1[Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system.
MP-1Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟmp-1_prm_2mp-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] media protection policy that:
mp-1_prm_3Designate an mp-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the media protection policy and procedures; and
mp-1_prm_5Policy mp-1_prm_4[Assignment: organization-defined frequency] and following mp-1_prm_5[Assignment: organization-defined events]; and
mp-1_prm_7Procedures mp-1_prm_6[Assignment: organization-defined frequency] and following mp-1_prm_7[Assignment: organization-defined events].
PE-1Policy and ProceduresⓁ Ⓜ Ⓗpe-1_prm_2pe-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] physical and environmental protection policy that:
pe-1_prm_3Designate an pe-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and
pe-1_prm_5Policy pe-1_prm_4[Assignment: organization-defined frequency] and following pe-1_prm_5[Assignment: organization-defined events]; and
pe-1_prm_7Procedures pe-1_prm_6[Assignment: organization-defined frequency] and following pe-1_prm_7[Assignment: organization-defined events].
PE-3Physical Access ControlⓁ Ⓜ Ⓗpe-3_prm_5Control access to areas within the facility designated as publicly accessible by implementing the following controls: pe-3_prm_5[Assignment: organization-defined physical access controls];
PE-5Access Control for Output DevicesⓂ Ⓗpe-5_prm_1Control physical access to output from pe-5_prm_1[Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output.
PE-8Visitor Access RecordsⓁ Ⓜ Ⓗpe-8_prm_3Report anomalies in visitor access records to pe-8_prm_3[Assignment: organization-defined personnel].
PE-8(1)Visitor Access Records | Automated Records Maintenance and Reviewpe-8.1_prm_1Maintain and review visitor access records using pe-8.1_prm_1[Assignment: organization-defined automated mechanisms].
PE-8(3)Visitor Access Records | Limit Personally Identifiable Information Elementspe-8.3_prm_1Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: pe-8.3_prm_1[Assignment: organization-defined elements].
PE-11(1)Emergency Power | Alternate Power Supply — Minimal Operational Capabilitype-11.1_prm_1Provide an alternate power supply for the system that is activated pe-11.1_prm_1[Selection: manually or automatically] and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.
PE-14Environmental ControlsⓁ Ⓜ Ⓗpe-14_prm_1Maintain pe-14_prm_1[Selection: temperature or humidity or pressure or radiation or pe-14_prm_2[Assignment: organization-defined environmental control]] levels within the facility where the system resides at pe-14_prm_3[Assignment: organization-defined acceptable levels]; and
pe-14_prm_2[Selection: temperature or humidity or pressure or radiation or pe-14_prm_2[Assignment: organization-defined environmental control]]
pe-14_prm_3Maintain pe-14_prm_1[Selection: temperature or humidity or pressure or radiation or pe-14_prm_2[Assignment: organization-defined environmental control]] levels within the facility where the system resides at pe-14_prm_3[Assignment: organization-defined acceptable levels]; and
pe-14_prm_4Monitor environmental control levels pe-14_prm_4[Assignment: organization-defined frequency].
PE-15(1)Water Damage Protection | Automation Supportpe-15.1_prm_2Detect the presence of water near the system and alert pe-15.1_prm_1[Assignment: organization-defined personnel or roles] using pe-15.1_prm_2[Assignment: organization-defined automated mechanisms].
PE-17Alternate Work SiteⓂ Ⓗpe-17_prm_1Determine and document the pe-17_prm_1[Assignment: organization-defined alternate work sites] allowed for use by employees;
PL-1Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟpl-1_prm_2pl-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] planning policy that:
pl-1_prm_3Designate an pl-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the planning policy and procedures; and
pl-1_prm_5Policy pl-1_prm_4[Assignment: organization-defined frequency] and following pl-1_prm_5[Assignment: organization-defined events]; and
pl-1_prm_7Procedures pl-1_prm_6[Assignment: organization-defined frequency] and following pl-1_prm_7[Assignment: organization-defined events].
PL-2System Security and Privacy PlansⓁ Ⓜ Ⓗ Ⓟpl-2_prm_1Include security- and privacy-related activities affecting the system that require planning and coordination with pl-2_prm_1[Assignment: organization-defined individuals or groups]; and
PL-4Rules of BehaviorⓁ Ⓜ Ⓗ Ⓟpl-4_prm_2Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge pl-4_prm_2[Selection: pl-4_prm_3[Assignment: organization-defined frequency] or when the rules are revised or updated].
pl-4_prm_3[Selection: pl-4_prm_3[Assignment: organization-defined frequency] or when the rules are revised or updated]
PM-5(1)System Inventory | Inventory of Personally Identifiable Informationpm-5.1_prm_1Establish, maintain, and update pm-5.1_prm_1[Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information.
PM-11Mission and Business Process Definitionpm-11_prm_1Review and revise the mission and business processes pm-11_prm_1[Assignment: organization-defined frequency].
PM-17Protecting Controlled Unclassified Information on External Systemspm-17_prm_1Review and update the policy and procedures pm-17_prm_1[Assignment: organization-defined frequency].
PM-18Privacy Program Planpm-18_prm_1Update the plan pm-18_prm_1[Assignment: organization-defined frequency] and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.
PM-25Minimization of Personally Identifiable Information Used in Testing, Training, and Researchpm-25_prm_1Review and update policies and procedures pm-25_prm_1[Assignment: organization-defined frequency].
PM-26Complaint Managementpm-26_prm_1Tracking mechanisms to ensure all complaints received are reviewed and addressed within pm-26_prm_1[Assignment: organization-defined time period];
pm-26_prm_2Acknowledgement of receipt of complaints, concerns, or questions from individuals within pm-26_prm_2[Assignment: organization-defined time period]; and
pm-26_prm_3Response to complaints, concerns, or questions from individuals within pm-26_prm_3[Assignment: organization-defined time period].
PM-27Privacy Reportingpm-27_prm_1Develop pm-27_prm_1[Assignment: organization-defined privacy reports] and disseminate to:
pm-27_prm_2pm-27_prm_2[Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and
pm-27_prm_3pm-27_prm_3[Assignment: organization-defined officials] and other personnel with responsibility for monitoring privacy program compliance; and
pm-27_prm_4Review and update privacy reports pm-27_prm_4[Assignment: organization-defined frequency].
PM-28Risk Framingpm-28_prm_1Distribute the results of risk framing activities to pm-28_prm_1[Assignment: organization-defined personnel]; and
pm-28_prm_2Review and update risk framing considerations pm-28_prm_2[Assignment: organization-defined frequency].
PM-31Continuous Monitoring Strategypm-31_prm_1Establishing the following organization-wide metrics to be monitored: pm-31_prm_1[Assignment: organization-defined metrics];
pm-31_prm_2Establishing pm-31_prm_2[Assignment: organization-defined frequencies] for monitoring and pm-31_prm_3[Assignment: organization-defined frequencies] for assessment of control effectiveness;
pm-31_prm_3Establishing pm-31_prm_2[Assignment: organization-defined frequencies] for monitoring and pm-31_prm_3[Assignment: organization-defined frequencies] for assessment of control effectiveness;
pm-31_prm_4Reporting the security and privacy status of organizational systems to pm-31_prm_4[Assignment: organization-defined personnel or roles]pm-31_prm_5[Assignment: organization-defined frequency].
pm-31_prm_5Reporting the security and privacy status of organizational systems to pm-31_prm_4[Assignment: organization-defined personnel or roles]pm-31_prm_5[Assignment: organization-defined frequency].
PS-1Policy and ProceduresⓁ Ⓜ Ⓗps-1_prm_2ps-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] personnel security policy that:
ps-1_prm_3Designate an ps-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and
ps-1_prm_5Policy ps-1_prm_4[Assignment: organization-defined frequency] and following ps-1_prm_5[Assignment: organization-defined events]; and
ps-1_prm_7Procedures ps-1_prm_6[Assignment: organization-defined frequency] and following ps-1_prm_7[Assignment: organization-defined events].
PS-4(2)Personnel Termination | Automated Actionsps-4.2_prm_1Use ps-4.2_prm_1[Assignment: organization-defined automated mechanisms] to ps-4.2_prm_2[Selection: notify or ps-4.2_prm_3[Assignment: organization-defined personnel or roles] or of individual termination actions or disable access to system resources].
ps-4.2_prm_2Use ps-4.2_prm_1[Assignment: organization-defined automated mechanisms] to ps-4.2_prm_2[Selection: notify or ps-4.2_prm_3[Assignment: organization-defined personnel or roles] or of individual termination actions or disable access to system resources].
PT-1Policy and Procedurespt-1_prm_1Develop, document, and disseminate to pt-1_prm_1[Assignment: organization-defined personnel or roles]:
pt-1_prm_2pt-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] personally identifiable information processing and transparency policy that:
pt-1_prm_3Designate an pt-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and
pt-1_prm_4Policy pt-1_prm_4[Assignment: organization-defined frequency] and following pt-1_prm_5[Assignment: organization-defined events]; and
pt-1_prm_5Policy pt-1_prm_4[Assignment: organization-defined frequency] and following pt-1_prm_5[Assignment: organization-defined events]; and
pt-1_prm_6Procedures pt-1_prm_6[Assignment: organization-defined frequency] and following pt-1_prm_7[Assignment: organization-defined events].
pt-1_prm_7Procedures pt-1_prm_6[Assignment: organization-defined frequency] and following pt-1_prm_7[Assignment: organization-defined events].
PT-2Authority to Process Personally Identifiable Informationpt-2_prm_1Determine and document the pt-2_prm_1[Assignment: organization-defined authority] that permits the pt-2_prm_2[Assignment: organization-defined processing] of personally identifiable information; and
pt-2_prm_2Determine and document the pt-2_prm_1[Assignment: organization-defined authority] that permits the pt-2_prm_2[Assignment: organization-defined processing] of personally identifiable information; and
pt-2_prm_3Restrict the pt-2_prm_3[Assignment: organization-defined processing] of personally identifiable information to only that which is authorized.
PT-3Personally Identifiable Information Processing Purposespt-3_prm_1Identify and document the pt-3_prm_1[Assignment: organization-defined purpose(s)] for processing personally identifiable information;
pt-3_prm_2Restrict the pt-3_prm_2[Assignment: organization-defined processing] of personally identifiable information to only that which is compatible with the identified purpose(s); and
pt-3_prm_3Monitor changes in processing personally identifiable information and implement pt-3_prm_3[Assignment: organization-defined mechanisms] to ensure that any changes are made in accordance with pt-3_prm_4[Assignment: organization-defined requirements].
pt-3_prm_4Monitor changes in processing personally identifiable information and implement pt-3_prm_3[Assignment: organization-defined mechanisms] to ensure that any changes are made in accordance with pt-3_prm_4[Assignment: organization-defined requirements].
PT-4Consentpt-4_prm_1Implement pt-4_prm_1[Assignment: organization-defined tools or mechanisms] for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.
PT-5
Privacy Notice
pt-5_prm_1: Is available to individuals upon first interacting with an organization, and subsequently at pt-5_prm_1[Assignment: organization-defined frequency];
pt-5_prm_2: Includes pt-5_prm_2[Assignment: organization-defined information].
PT-6(1)
System of Records Notice | Routine Uses
pt-6.1_prm_1: Review all routine uses published in the system of records notice at pt-6.1_prm_1[Assignment: organization-defined frequency] to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.
PT-6(2)
System of Records Notice | Exemption Rules
pt-6.2_prm_1: Review all Privacy Act exemptions claimed for the system of records at pt-6.2_prm_1[Assignment: organization-defined frequency] to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice.
PT-7
Specific Categories of Personally Identifiable Information
pt-7_prm_1: Apply pt-7_prm_1[Assignment: organization-defined processing conditions] for specific categories of personally identifiable information.
RA-1
Policy and Procedures Ⓛ Ⓜ Ⓗ Ⓟ
ra-1_prm_2: ra-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] risk assessment policy that:
ra-1_prm_3: Designate an ra-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and
ra-1_prm_5: Policy ra-1_prm_4[Assignment: organization-defined frequency] and following ra-1_prm_5[Assignment: organization-defined events]; and
ra-1_prm_7: Procedures ra-1_prm_6[Assignment: organization-defined frequency] and following ra-1_prm_7[Assignment: organization-defined events].
RA-3(1)
Risk Assessment | Supply Chain Risk Assessment Ⓛ Ⓜ Ⓗ
ra-3.1_prm_1: Assess supply chain risks associated with ra-3.1_prm_1[Assignment: organization-defined systems, system components, and system services]; and
ra-3.1_prm_2: Update the supply chain risk assessment ra-3.1_prm_2[Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.
RA-9
Criticality Analysis Ⓜ Ⓗ
ra-9_prm_1: Identify critical system components and functions by performing a criticality analysis for ra-9_prm_1[Assignment: organization-defined systems, system components, or system services] at ra-9_prm_2[Assignment: organization-defined decision points in the system development life cycle].
ra-9_prm_2: Identify critical system components and functions by performing a criticality analysis for ra-9_prm_1[Assignment: organization-defined systems, system components, or system services] at ra-9_prm_2[Assignment: organization-defined decision points in the system development life cycle].
SA-1
Policy and Procedures Ⓛ Ⓜ Ⓗ Ⓟ
sa-1_prm_2: sa-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] system and services acquisition policy that:
sa-1_prm_3: Designate an sa-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and
sa-1_prm_5: Policy sa-1_prm_4[Assignment: organization-defined frequency] and following sa-1_prm_5[Assignment: organization-defined events]; and
sa-1_prm_7: Procedures sa-1_prm_6[Assignment: organization-defined frequency] and following sa-1_prm_7[Assignment: organization-defined events].
SA-4
Acquisition Process Ⓛ Ⓜ Ⓗ Ⓟ
sa-4_prm_1: Include the following requirements, descriptions, and criteria, explicitly or by reference, using sa-4_prm_1[Selection: standardized contract language or sa-4_prm_2[Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service:
sa-4_prm_2: [Selection: standardized contract language or sa-4_prm_2[Assignment: organization-defined contract language]]
SA-8
Security and Privacy Engineering Principles Ⓛ Ⓜ Ⓗ
sa-8_prm_1: Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: sa-8_prm_1[Assignment: organization-defined systems security and privacy engineering principles].
SA-8(33)
Security and Privacy Engineering Principles | Minimization
sa-8.33_prm_1: Implement the privacy principle of minimization using sa-8.33_prm_1[Assignment: organization-defined processes].
SA-11
Developer Testing and Evaluation Ⓜ Ⓗ Ⓟ
sa-11_prm_2: Perform sa-11_prm_1[Selection: unit or integration or system or regression] testing/evaluation sa-11_prm_2[Assignment: organization-defined frequency] at sa-11_prm_3[Assignment: organization-defined depth and coverage];
SA-22
Unsupported System Components Ⓛ Ⓜ Ⓗ
sa-22_prm_1: Provide the following options for alternative sources for continued support for unsupported components sa-22_prm_1[Selection: in-house support or sa-22_prm_2[Assignment: organization-defined support from external providers]].
sa-22_prm_2: [Selection: in-house support or sa-22_prm_2[Assignment: organization-defined support from external providers]]
SC-1
Policy and Procedures Ⓛ Ⓜ Ⓗ
sc-1_prm_2: sc-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] system and communications protection policy that:
sc-1_prm_3: Designate an sc-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and
sc-1_prm_5: Policy sc-1_prm_4[Assignment: organization-defined frequency] and following sc-1_prm_5[Assignment: organization-defined events]; and
sc-1_prm_7: Procedures sc-1_prm_6[Assignment: organization-defined frequency] and following sc-1_prm_7[Assignment: organization-defined events].
SC-5
Denial-of-service Protection Ⓛ Ⓜ Ⓗ
sc-5_prm_1: sc-5_prm_1[Selection: Protect against or Limit] the effects of the following types of denial-of-service events: sc-5_prm_2[Assignment: organization-defined types of denial-of-service events]; and
SC-7(5)
Boundary Protection | Deny by Default — Allow by Exception Ⓜ Ⓗ
sc-7.5_prm_1: Deny network communications traffic by default and allow network communications traffic by exception sc-7.5_prm_1[Selection: at managed interfaces or for sc-7.5_prm_2[Assignment: organization-defined systems]].
sc-7.5_prm_2: [Selection: at managed interfaces or for sc-7.5_prm_2[Assignment: organization-defined systems]]
SC-7(7)
Boundary Protection | Split Tunneling for Remote Devices Ⓜ Ⓗ
sc-7.7_prm_1: Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using sc-7.7_prm_1[Assignment: organization-defined safeguards].
SC-7(24)
Boundary Protection | Personally Identifiable Information
sc-7.24_prm_1: Apply the following processing rules to data elements of personally identifiable information: sc-7.24_prm_1[Assignment: organization-defined processing rules];
SI-1
Policy and Procedures Ⓛ Ⓜ Ⓗ Ⓟ
si-1_prm_2: si-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] system and information integrity policy that:
si-1_prm_3: Designate an si-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and
si-1_prm_5: Policy si-1_prm_4[Assignment: organization-defined frequency] and following si-1_prm_5[Assignment: organization-defined events]; and
si-1_prm_7: Procedures si-1_prm_6[Assignment: organization-defined frequency] and following si-1_prm_7[Assignment: organization-defined events].
SI-2(2)
Flaw Remediation | Automated Flaw Remediation Status Ⓜ Ⓗ
si-2.2_prm_1: Determine if system components have applicable security-relevant software and firmware updates installed using si-2.2_prm_1[Assignment: organization-defined automated mechanisms] si-2.2_prm_2[Assignment: organization-defined frequency].
SI-3
Malicious Code Protection Ⓛ Ⓜ Ⓗ
si-3_prm_1: Implement si-3_prm_1[Selection: signature based or non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
si-3_prm_6: si-3_prm_4[Selection: block malicious code or quarantine malicious code or take si-3_prm_5[Assignment: organization-defined action]]; and send alert to si-3_prm_6[Assignment: organization-defined personnel or roles] in response to malicious code detection; and
SI-4(4)
System Monitoring | Inbound and Outbound Communications Traffic Ⓜ Ⓗ
si-4.4_prm_2: Monitor inbound and outbound communications traffic si-4.4_prm_1[Assignment: organization-defined frequency] for si-4.4_prm_2[Assignment: organization-defined unusual or unauthorized activities or conditions].
SI-4(12)
System Monitoring | Automated Organization-generated Alerts
si-4.12_prm_1: Alert si-4.12_prm_1[Assignment: organization-defined personnel or roles] using si-4.12_prm_2[Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: si-4.12_prm_3[Assignment: organization-defined activities that trigger alerts].
si-4.12_prm_2: Alert si-4.12_prm_1[Assignment: organization-defined personnel or roles] using si-4.12_prm_2[Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: si-4.12_prm_3[Assignment: organization-defined activities that trigger alerts].
SI-5(1)
Security Alerts, Advisories, and Directives | Automated Alerts and Advisories
si-5.1_prm_1: Broadcast security alert and advisory information throughout the organization using si-5.1_prm_1[Assignment: organization-defined automated mechanisms].
SI-7
Software, Firmware, and Information Integrity Ⓜ Ⓗ
si-7_prm_2: Take the following actions when unauthorized changes to the software, firmware, and information are detected: si-7_prm_2[Assignment: organization-defined actions].
SI-8(2)
Spam Protection | Automatic Updates Ⓜ Ⓗ
si-8.2_prm_1: Automatically update spam protection mechanisms si-8.2_prm_1[Assignment: organization-defined frequency].
SI-12(1)
Information Management and Retention | Limit Personally Identifiable Information Elements
si-12.1_prm_1: Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: si-12.1_prm_1[Assignment: organization-defined elements of personally identifiable information].
SI-12(2)
Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research
si-12.2_prm_1: Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: si-12.2_prm_1[Assignment: organization-defined techniques].
SI-12(3)
Information Management and Retention | Information Disposal
si-12.3_prm_1: Use the following techniques to dispose of, destroy, or erase information following the retention period: si-12.3_prm_1[Assignment: organization-defined techniques].
SI-18
Personally Identifiable Information Quality Operations
si-18_prm_1: Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle si-18_prm_1[Assignment: organization-defined frequency]; and
SI-19
De-identification
si-19_prm_1: Remove the following elements of personally identifiable information from datasets: si-19_prm_1[Assignment: organization-defined elements of personally identifiable information]; and
si-19_prm_2: Evaluate si-19_prm_2[Assignment: organization-defined frequency] for effectiveness of de-identification.
SR-1
Policy and Procedures Ⓛ Ⓜ Ⓗ
sr-1_prm_1: Develop, document, and disseminate to sr-1_prm_1[Assignment: organization-defined personnel or roles]:
sr-1_prm_2: sr-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] supply chain risk management policy that:
sr-1_prm_3: Designate an sr-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and
sr-1_prm_4: Policy sr-1_prm_4[Assignment: organization-defined frequency] and following sr-1_prm_5[Assignment: organization-defined events]; and
sr-1_prm_5: Policy sr-1_prm_4[Assignment: organization-defined frequency] and following sr-1_prm_5[Assignment: organization-defined events]; and
sr-1_prm_6: Procedures sr-1_prm_6[Assignment: organization-defined frequency] and following sr-1_prm_7[Assignment: organization-defined events].
sr-1_prm_7: Procedures sr-1_prm_6[Assignment: organization-defined frequency] and following sr-1_prm_7[Assignment: organization-defined events].
SR-2
Supply Chain Risk Management Plan Ⓛ Ⓜ Ⓗ
sr-2_prm_1: Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: sr-2_prm_1[Assignment: organization-defined systems, system components, or system services];
sr-2_prm_2: Review and update the supply chain risk management plan sr-2_prm_2[Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and
SR-2(1)
Supply Chain Risk Management Plan | Establish SCRM Team Ⓛ Ⓜ Ⓗ
sr-2.1_prm_1: Establish a supply chain risk management team consisting of sr-2.1_prm_1[Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: sr-2.1_prm_2[Assignment: organization-defined supply chain risk management activities].
sr-2.1_prm_2: Establish a supply chain risk management team consisting of sr-2.1_prm_1[Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: sr-2.1_prm_2[Assignment: organization-defined supply chain risk management activities].
SR-3
Supply Chain Controls and Processes Ⓛ Ⓜ Ⓗ
sr-3_prm_1: Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of sr-3_prm_1[Assignment: organization-defined system or system component] in coordination with sr-3_prm_2[Assignment: organization-defined supply chain personnel];
sr-3_prm_2: Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of sr-3_prm_1[Assignment: organization-defined system or system component] in coordination with sr-3_prm_2[Assignment: organization-defined supply chain personnel];
sr-3_prm_3: Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: sr-3_prm_3[Assignment: organization-defined supply chain controls]; and
sr-3_prm_4: Document the selected and implemented supply chain processes and controls in sr-3_prm_4[Selection: security and privacy plans or supply chain risk management plan or sr-3_prm_5[Assignment: organization-defined document]].
sr-3_prm_5: [Selection: security and privacy plans or supply chain risk management plan or sr-3_prm_5[Assignment: organization-defined document]]
SR-5
Acquisition Strategies, Tools, and Methods Ⓛ Ⓜ Ⓗ
sr-5_prm_1: Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: sr-5_prm_1[Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].
SR-6
Supplier Assessments and Reviews Ⓜ Ⓗ
sr-6_prm_1: Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide sr-6_prm_1[Assignment: organization-defined frequency].
SR-8
Notification Agreements Ⓛ Ⓜ Ⓗ
sr-8_prm_1: Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the sr-8_prm_1[Selection: notification of supply chain compromises or results of assessments or audits or sr-8_prm_2[Assignment: organization-defined information]].
sr-8_prm_2: [Selection: notification of supply chain compromises or results of assessments or audits or sr-8_prm_2[Assignment: organization-defined information]]
SR-10
Inspection of Systems or Components Ⓛ Ⓜ Ⓗ
sr-10_prm_1: Inspect the following systems or system components sr-10_prm_1[Selection: at random or at sr-10_prm_2[Assignment: organization-defined frequency] or upon sr-10_prm_3[Assignment: organization-defined indications of need for inspection]] to detect tampering: sr-10_prm_4[Assignment: organization-defined systems or system components].
sr-10_prm_2: [Selection: at random or at sr-10_prm_2[Assignment: organization-defined frequency] or upon sr-10_prm_3[Assignment: organization-defined indications of need for inspection]]
sr-10_prm_3: [Selection: at random or at sr-10_prm_2[Assignment: organization-defined frequency] or upon sr-10_prm_3[Assignment: organization-defined indications of need for inspection]]
sr-10_prm_4: Inspect the following systems or system components sr-10_prm_1[Selection: at random or at sr-10_prm_2[Assignment: organization-defined frequency] or upon sr-10_prm_3[Assignment: organization-defined indications of need for inspection]] to detect tampering: sr-10_prm_4[Assignment: organization-defined systems or system components].
SR-11
Component Authenticity Ⓛ Ⓜ Ⓗ
sr-11_prm_1: Report counterfeit system components to sr-11_prm_1[Selection: source of counterfeit component or sr-11_prm_2[Assignment: organization-defined external reporting organizations] or sr-11_prm_3[Assignment: organization-defined personnel or roles]].
sr-11_prm_2: [Selection: source of counterfeit component or sr-11_prm_2[Assignment: organization-defined external reporting organizations] or sr-11_prm_3[Assignment: organization-defined personnel or roles]]
sr-11_prm_3: [Selection: source of counterfeit component or sr-11_prm_2[Assignment: organization-defined external reporting organizations] or sr-11_prm_3[Assignment: organization-defined personnel or roles]]
SR-11(1)
Component Authenticity | Anti-counterfeit Training Ⓛ Ⓜ Ⓗ
sr-11.1_prm_1: Train sr-11.1_prm_1[Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware).
SR-11(2)
Component Authenticity | Configuration Control for Component Service and Repair Ⓛ Ⓜ Ⓗ
sr-11.2_prm_1: Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: sr-11.2_prm_1[Assignment: organization-defined system components].
SR-12
Component Disposal Ⓛ Ⓜ Ⓗ
sr-12_prm_1: Dispose of sr-12_prm_1[Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: sr-12_prm_2[Assignment: organization-defined techniques and methods].
sr-12_prm_2: Dispose of sr-12_prm_1[Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: sr-12_prm_2[Assignment: organization-defined techniques and methods].

Modified ODPs in SP 800-53r5

Modified ODPs occur in previously existing controls as well as controls novel to SP 800-53r5 (indicated by ⑤).

There are 33 modified ODPs in SP 800-53r5 (relative to SP 800-53r4).

Modified ODPs should have previously tailored values reviewed and updated where necessary.

Control / ODP (Changes): Context
AC-4(1)
ac-4.1_prm_1 (adds privacy considerations): Use ac-4.1_prm_1[Assignment: organization-defined security and privacy attributes] associated with ac-4.1_prm_2[Assignment: organization-defined information, source, and destination objects] to enforce ac-4.1_prm_3[Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4(8)
ac-4.8_prm_1 (adds privacy considerations): Enforce information flow control using ac-4.8_prm_1[Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for ac-4.8_prm_2[Assignment: organization-defined information flows]; and
AC-4(10)
ac-4.10_prm_1 (adds privacy considerations): Provide the capability for privileged administrators to enable and disable ac-4.10_prm_1[Assignment: organization-defined security or privacy policy filters] under the following conditions: ac-4.10_prm_2[Assignment: organization-defined conditions].
AC-4(11)
ac-4.11_prm_1 (adds privacy considerations): Provide the capability for privileged administrators to configure ac-4.11_prm_1[Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies.
AC-4(14)
ac-4.14_prm_1 (adds privacy considerations): When transferring information between different security domains, implement ac-4.14_prm_1[Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content.
AC-4(15)
ac-4.15_prm_2 (adds privacy considerations): When transferring information between different security domains, examine the information for the presence of ac-4.15_prm_1[Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the ac-4.15_prm_2[Assignment: organization-defined security or privacy policy].
AC-6(1) Ⓜ Ⓗ
ac-6.1_prm_2 (splits merge): ac-6.1_prm_2[Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
ac-6.1_prm_3 (splits merge): ac-6.1_prm_3[Assignment: organization-defined security-relevant information].
AC-16
ac-16_prm_1 (adds privacy considerations): Provide the means to associate ac-16_prm_1[Assignment: organization-defined types of security and privacy attributes] with ac-16_prm_2[Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;
ac-16_prm_2 (adds privacy considerations): Provide the means to associate ac-16_prm_1[Assignment: organization-defined types of security and privacy attributes] with ac-16_prm_2[Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;
ac-16_prm_4 (adds privacy considerations): Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for ac-16_prm_3[Assignment: organization-defined systems]: ac-16_prm_4[Assignment: organization-defined security and privacy attributes];
AC-16(1)
ac-16.1_prm_2 (adds privacy considerations): Dynamically associate security and privacy attributes with ac-16.1_prm_1[Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: ac-16.1_prm_2[Assignment: organization-defined security and privacy policies].
AC-16(3)
ac-16.3_prm_1 (adds privacy considerations): Maintain the association and integrity of ac-16.3_prm_1[Assignment: organization-defined security and privacy attributes] to ac-16.3_prm_2[Assignment: organization-defined subjects and objects].
AC-16(4)
ac-16.4_prm_1 (adds privacy considerations): Provide the capability to associate ac-16.4_prm_1[Assignment: organization-defined security and privacy attributes] with ac-16.4_prm_2[Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
AC-16(5)
ac-16.5_prm_1 (adds privacy considerations): Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify ac-16.5_prm_1[Assignment: organization-defined special dissemination, handling, or distribution instructions] using ac-16.5_prm_2[Assignment: organization-defined human-readable, standard naming conventions].
ac-16.5_prm_2 (adds privacy considerations): Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify ac-16.5_prm_1[Assignment: organization-defined special dissemination, handling, or distribution instructions] using ac-16.5_prm_2[Assignment: organization-defined human-readable, standard naming conventions].
AC-16(6)
ac-16.6_prm_1 (adds privacy considerations): Require personnel to associate and maintain the association of ac-16.6_prm_1[Assignment: organization-defined security and privacy attributes] with ac-16.6_prm_2[Assignment: organization-defined subjects and objects] in accordance with ac-16.6_prm_3[Assignment: organization-defined security and privacy policies].
ac-16.6_prm_3 (adds privacy considerations): Require personnel to associate and maintain the association of ac-16.6_prm_1[Assignment: organization-defined security and privacy attributes] with ac-16.6_prm_2[Assignment: organization-defined subjects and objects] in accordance with ac-16.6_prm_3[Assignment: organization-defined security and privacy policies].
AC-24(2)
ac-24.2_prm_1 (adds privacy considerations): Enforce access control decisions based on ac-24.2_prm_1[Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user.
AU-9(4) Ⓜ Ⓗ
au-9.4_prm_1 (adds roles): Authorize access to management of audit logging functionality to only au-9.4_prm_1[Assignment: organization-defined subset of privileged users or roles].
AU-9(6)
au-9.6_prm_1 (adds roles): Authorize read-only access to audit information to au-9.6_prm_1[Assignment: organization-defined subset of privileged users or roles].
CA-2(2)
ca-2.2_prm_3 (augmented): Include as part of control assessments, ca-2.2_prm_1[Assignment: organization-defined frequency], ca-2.2_prm_2[Selection: announced or unannounced], ca-2.2_prm_3[Selection: in-depth monitoring or security instrumentation or automated security test cases or vulnerability scanning or malicious user testing or insider threat assessment or performance and load testing or data leakage or data loss assessment or ca-2.2_prm_4[Assignment: organization-defined other forms of assessment]].
RA-3 Ⓛ Ⓜ Ⓗ Ⓟ
ra-3_prm_1 (adds privacy considerations): Document risk assessment results in ra-3_prm_1[Selection: security and privacy plans or risk assessment report or ra-3_prm_2[Assignment: organization-defined document]];
SA-9(3)
sa-9.3_prm_1 (adds privacy considerations): Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: sa-9.3_prm_1[Assignment: organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships].
SA-10 Ⓜ Ⓗ
sa-10_prm_1 (adds disposal): Perform configuration management during system, component, or service sa-10_prm_1[Selection: design or development or implementation or operation or disposal];
SA-15 Ⓜ Ⓗ
sa-15_prm_2 (adds privacy considerations): Review the development process, standards, tools, tool options, and tool configurations sa-15_prm_1[Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: sa-15_prm_2[Assignment: organization-defined security and privacy requirements].
SA-17(1)
sa-17.1_prm_1 (adds privacy considerations): Produce, as an integral part of the development process, a formal policy model describing the sa-17.1_prm_1[Assignment: organization-defined elements of organizational security and privacy policy] to be enforced; and
SC-12(3)
sc-12.3_prm_1 (not quite the same): Produce, control, and distribute asymmetric cryptographic keys using sc-12.3_prm_1[Selection: NSA-approved key management technology and processes or prepositioned keying material or DoD-approved or DoD-issued Medium Assurance PKI certificates or DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key or certificates issued in accordance with organization-defined requirements].
SC-13 Ⓛ Ⓜ Ⓗ
sc-13_prm_1 (splits merge): Determine the sc-13_prm_1[Assignment: organization-defined cryptographic uses]; and
sc-13_prm_2 (splits merge): Implement the following types of cryptography required for each specified cryptographic use: sc-13_prm_2[Assignment: organization-defined types of cryptography for each specified cryptographic use].
SC-16
sc-16_prm_1 (adds privacy considerations): Associate sc-16_prm_1[Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components.
SI-6
si-6_prm_1 (adds privacy considerations): Verify the correct operation of si-6_prm_1[Assignment: organization-defined security and privacy functions];
SI-17
si-17_prm_1 (merges split; merges split): Implement the indicated fail-safe procedures when the indicated failures occur: si-17_prm_1[Assignment: organization-defined list of failure conditions and associated fail-safe procedures].


SP 800-53r5 control details and comparison with SP 800-53r4

The following shows SP 800-53r5 controls and indicates (with Ⓛ, Ⓜ, Ⓗ, and Ⓟ) whether they appear in SP 800-53B Low, Moderate, High, or Privacy control baselines (or SP 800-53r4 Low, Moderate, or High control baselines).

The corresponding SP 800-53r4 control, when present, appears just below each SP 800-53r5 control.

ODPs within control statements are rendered with the parameter identifier as a preceding superscript, as in ac-1_prm_1[Assignment: organization-defined personnel or roles] in the AC-1 statement below.

Hovering over an ODP will also display the parameter identifier. Parameter identifiers are unique within an SP 800-53 version OSCAL instance document and are specific to an SP 800-53 version (i.e., they are not guaranteed to be identical from version to version).

Control / SP 800-53r5 / SP 800-53r4
AC-1
Policy and Procedures Ⓛ Ⓜ Ⓗ Ⓟ
a. Develop, document, and disseminate to ac-1_prm_1[Assignment: organization-defined personnel or roles]:
1. ac-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] access control policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the access control policy and the associated access controls;
b. Designate an ac-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and
c. Review and update the current access control:
1. Policy ac-1_prm_4[Assignment: organization-defined frequency] and following ac-1_prm_5[Assignment: organization-defined events]; and
2. Procedures ac-1_prm_6[Assignment: organization-defined frequency] and following ac-1_prm_7[Assignment: organization-defined events].
Access Control Policy and Procedures Ⓛ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to ac-1_prm_1[Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy ac-1_prm_2[Assignment: organization-defined frequency]; and
2. Access control procedures ac-1_prm_3[Assignment: organization-defined frequency].
AC-2
Account Management Ⓛ Ⓜ Ⓗ
a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require ac-2_prm_1[Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify:
1. Authorized users of the system;
2. Group and role membership; and
3. Access authorizations (i.e., privileges) and ac-2_prm_2[Assignment: organization-defined attributes (as required)] for each account;
e. Require approvals by ac-2_prm_3[Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with ac-2_prm_4[Assignment: organization-defined policy, procedures, prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and ac-2_prm_5[Assignment: organization-defined personnel or roles] within:
1. ac-2_prm_6[Assignment: organization-defined time period] when accounts are no longer required;
2. ac-2_prm_7[Assignment: organization-defined time period] when users are terminated or transferred; and
3. ac-2_prm_8[Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
1. A valid access authorization;
2. Intended system usage; and
3. ac-2_prm_9[Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements ac-2_prm_10[Assignment: organization-defined frequency];
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.
Account Management Ⓛ Ⓜ Ⓗ
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: ac-2_prm_1[Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by ac-2_prm_2[Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with ac-2_prm_3[Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements ac-2_prm_4[Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
AC-2(1)
Account Management | Automated System Account Management Ⓜ Ⓗ
Support the management of system accounts using ac-2.1_prm_1[Assignment: organization-defined automated mechanisms].
Account Management | Automated System Account Management Ⓜ Ⓗ
The organization employs automated mechanisms to support the management of information system accounts.
AC-2(2)
Account Management | Automated Temporary and Emergency Account Management Ⓜ Ⓗ
Automatically ac-2.2_prm_1[Selection: remove or disable] temporary and emergency accounts after ac-2.2_prm_2[Assignment: organization-defined time period for each type of account].
Account Management | Removal of Temporary / Emergency Accounts Ⓜ Ⓗ
The information system automatically ac-2.2_prm_1[Selection: removes or disables] temporary and emergency accounts after ac-2.2_prm_2[Assignment: organization-defined time period for each type of account].
AC-2(3)
Account Management | Disable Accounts Ⓜ Ⓗ
Disable accounts within ac-2.3_prm_1[Assignment: organization-defined time period] when the accounts:
(a) Have expired;
(b) Are no longer associated with a user or individual;
(c) Are in violation of organizational policy; or
(d) Have been inactive for ac-2.3_prm_2[Assignment: organization-defined time period].
Account Management | Disable Inactive Accounts Ⓜ Ⓗ
The information system automatically disables inactive accounts after ac-2.3_prm_1[Assignment: organization-defined time period].
AC-2(4)
Account Management | Automated Audit Actions Ⓜ Ⓗ
Automatically audit account creation, modification, enabling, disabling, and removal actions.
Account Management | Automated Audit Actions Ⓜ Ⓗ
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies ac-2.4_prm_1[Assignment: organization-defined personnel or roles].
AC-2(5)
Account Management | Inactivity Logout Ⓜ Ⓗ
Require that users log out when ac-2.5_prm_1[Assignment: organization-defined time period of expected inactivity or description of when to log out].
Account Management | Inactivity Logout
The organization requires that users log out when ac-2.5_prm_1[Assignment: organization-defined time-period of expected inactivity or description of when to log out].
AC-2(6)
Account Management | Dynamic Privilege Management
Implement ac-2.6_prm_1[Assignment: organization-defined dynamic privilege management capabilities].
Account Management | Dynamic Privilege Management
The information system implements the following dynamic privilege management capabilities: ac-2.6_prm_1[Assignment: organization-defined list of dynamic privilege management capabilities].
AC-2(7)
Account Management | Privileged User Accounts
(a) Establish and administer privileged user accounts in accordance with ac-2.7_prm_1[Selection: a role-based access scheme or an attribute-based access scheme];
(b) Monitor privileged role or attribute assignments;
(c) Monitor changes to roles or attributes; and
(d) Revoke access when privileged role or attribute assignments are no longer appropriate.
Account Management | Role-based Schemes
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(b) Monitors privileged role assignments; and
(c) Takes ac-2.7_prm_1[Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
AC-2(8)
Account Management | Dynamic Account Management
Create, activate, manage, and deactivate ac-2.8_prm_1[Assignment: organization-defined system accounts] dynamically.
Account Management | Dynamic Account Creation
The information system creates ac-2.8_prm_1[Assignment: organization-defined information system accounts] dynamically.
AC-2(9)
Account Management | Restrictions on Use of Shared and Group Accounts
Only permit the use of shared and group accounts that meet ac-2.9_prm_1[Assignment: organization-defined conditions for establishing shared and group accounts].
Account Management | Restrictions On Use of Shared / Group Accounts
The organization only permits the use of shared/group accounts that meet ac-2.9_prm_1[Assignment: organization-defined conditions for establishing shared/group accounts].
AC-2(10)
Account Management | Shared and Group Account Credential Change
Withdrawn — incorporated into ac-2_smt.k.
Account Management | Shared / Group Account Credential Termination
The information system terminates shared/group account credentials when members leave the group.
AC-2(11)
Account Management | Usage Conditions
Enforce ac-2.11_prm_1[Assignment: organization-defined circumstances and/or usage conditions] for ac-2.11_prm_2[Assignment: organization-defined system accounts].
Account Management | Usage Conditions
The information system enforces ac-2.11_prm_1[Assignment: organization-defined circumstances and/or usage conditions] for ac-2.11_prm_2[Assignment: organization-defined information system accounts].
AC-2(12)
Account Management | Account Monitoring for Atypical Usage
(a) Monitor system accounts for ac-2.12_prm_1[Assignment: organization-defined atypical usage]; and
(b) Report atypical usage of system accounts to ac-2.12_prm_2[Assignment: organization-defined personnel or roles].
Account Management | Account Monitoring / Atypical Usage
The organization:
(a) Monitors information system accounts for ac-2.12_prm_1[Assignment: organization-defined atypical usage]; and
(b) Reports atypical usage of information system accounts to ac-2.12_prm_2[Assignment: organization-defined personnel or roles].
AC-2(13)
Account Management | Disable Accounts for High-risk Individuals Ⓜ Ⓗ
Disable accounts of individuals within ac-2.13_prm_1[Assignment: organization-defined time period] of discovery of ac-2.13_prm_2[Assignment: organization-defined significant risks].
Account Management | Disable Accounts for High-risk Individuals
The organization disables accounts of users posing a significant risk within ac-2.13_prm_1[Assignment: organization-defined time period] of discovery of the risk.
AC-3
Access Enforcement Ⓛ Ⓜ Ⓗ
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Access Enforcement Ⓛ Ⓜ Ⓗ
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-3(1)
Access Enforcement | Restricted Access to Privileged Functions
Withdrawn — incorporated into AC-6.
Access Enforcement | Restricted Access to Privileged Functions
Withdrawn — incorporated into AC-6.
AC-3(2)
Access Enforcement | Dual Authorization
Enforce dual authorization for ac-3.2_prm_1[Assignment: organization-defined privileged commands and/or other organization-defined actions].
Access Enforcement | Dual Authorization
The information system enforces dual authorization for ac-3.2_prm_1[Assignment: organization-defined privileged commands and/or other organization-defined actions].
AC-3(3)
Access Enforcement | Mandatory Access Control
Enforce ac-3.3_prm_1[Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:
(a) Is uniformly enforced across the covered subjects and objects within the system;
(b) Specifies that a subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
(4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
(5) Changing the rules governing access control; and
(c) Specifies that ac-3.3_prm_2[Assignment: organization-defined subjects] may explicitly be granted ac-3.3_prm_3[Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.
Access Enforcement | Mandatory Access Control
The information system enforces ac-3.3_prm_1[Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy:
(a) Is uniformly enforced across all subjects and objects within the boundary of the information system;
(b) Specifies that a subject that has been granted access to information is constrained from doing any of the following;
(1) Passing the information to unauthorized subjects or objects;
(2) Granting its privileges to other subjects;
(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
(5) Changing the rules governing access control; and
(c) Specifies that ac-3.3_prm_2[Assignment: organization-defined subjects] may explicitly be granted ac-3.3_prm_3[Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.
AC-3(4)
Access Enforcement | Discretionary Access Control
Enforce ac-3.4_prm_1[Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:
(a) Pass the information to any other subjects or objects;
(b) Grant its privileges to other subjects;
(c) Change security attributes on subjects, objects, the system, or the system’s components;
(d) Choose the security attributes to be associated with newly created or revised objects; or
(e) Change the rules governing access control.
Access Enforcement | Discretionary Access Control
The information system enforces ac-3.4_prm_1[Assignment: organization-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:
(a) Pass the information to any other subjects or objects;
(b) Grant its privileges to other subjects;
(c) Change security attributes on subjects, objects, the information system, or the information system’s components;
(d) Choose the security attributes to be associated with newly created or revised objects; or
(e) Change the rules governing access control.
AC-3(5)
Access Enforcement | Security-relevant Information
Prevent access to ac-3.5_prm_1[Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
Access Enforcement | Security-relevant Information
The information system prevents access to ac-3.5_prm_1[Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
AC-3(6)
Access Enforcement | Protection of User and System Information
Withdrawn — incorporated into MP-4, and SC-28.
Access Enforcement | Protection of User and System Information
Withdrawn — incorporated into MP-4, and SC-28.
AC-3(7)
Access Enforcement | Role-based Access Control
Enforce a role-based access control policy over defined subjects and objects and control access based upon ac-3.7_prm_1[Assignment: organization-defined roles and users authorized to assume such roles].
Access Enforcement | Role-based Access Control
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon ac-3.7_prm_1[Assignment: organization-defined roles and users authorized to assume such roles].
AC-3(8)
Access Enforcement | Revocation of Access Authorizations
Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on ac-3.8_prm_1[Assignment: organization-defined rules governing the timing of revocations of access authorizations].
Access Enforcement | Revocation of Access Authorizations
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on ac-3.8_prm_1[Assignment: organization-defined rules governing the timing of revocations of access authorizations].
AC-3(9)
Access Enforcement | Controlled Release
Release information outside of the system only if:
(a) The receiving ac-3.9_prm_1[Assignment: organization-defined system or system component] provides ac-3.9_prm_2[Assignment: organization-defined controls]; and
(b) ac-3.9_prm_3[Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release.
Access Enforcement | Controlled Release
The information system does not release information outside of the established system boundary unless:
(a) The receiving ac-3.9_prm_1[Assignment: organization-defined information system or system component] provides ac-3.9_prm_2[Assignment: organization-defined security safeguards]; and
(b) ac-3.9_prm_3[Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release.
AC-3(10)
Access Enforcement | Audited Override of Access Control Mechanisms
Employ an audited override of automated access control mechanisms under ac-3.10_prm_1[Assignment: organization-defined conditions] by ac-3.10_prm_2[Assignment: organization-defined roles].
Access Enforcement | Audited Override of Access Control Mechanisms
The organization employs an audited override of automated access control mechanisms under ac-3.10_prm_1[Assignment: organization-defined conditions].
AC-3(11)
Access Enforcement | Restrict Access to Specific Information Types
Restrict access to data repositories containing ac-3.11_prm_1[Assignment: organization-defined information types].
No predecessor
AC-3(12)
Access Enforcement | Assert and Enforce Application Access
(a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: ac-3.12_prm_1[Assignment: organization-defined system applications and functions];
(b) Provide an enforcement mechanism to prevent unauthorized access; and
(c) Approve access changes after initial installation of the application.
No predecessor
AC-3(13)
Access Enforcement | Attribute-based Access Control
Enforce attribute-based access control policy over defined subjects and objects and control access based upon ac-3.13_prm_1[Assignment: organization-defined attributes to assume access permissions].
No predecessor
AC-3(14)
Access Enforcement | Individual Access
Provide ac-3.14_prm_1[Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: ac-3.14_prm_2[Assignment: organization-defined elements].
No predecessor
AC-3(15)
Access Enforcement | Discretionary and Mandatory Access Control
(a) Enforce ac-3.15_prm_1[Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and
(b) Enforce ac-3.15_prm_2[Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.
No predecessor
AC-4
Information Flow Enforcement Ⓜ Ⓗ
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on ac-4_prm_1[Assignment: organization-defined information flow control policies].
Information Flow Enforcement Ⓜ Ⓗ
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on ac-4_prm_1[Assignment: organization-defined information flow control policies].
AC-4(1)
Information Flow Enforcement | Object Security and Privacy Attributes
Use ac-4.1_prm_1[Assignment: organization-defined security and privacy attributes] associated with ac-4.1_prm_2[Assignment: organization-defined information, source, and destination objects] to enforce ac-4.1_prm_3[Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
Information Flow Enforcement | Object Security Attributes
The information system uses ac-4.1_prm_1[Assignment: organization-defined security attributes] associated with ac-4.1_prm_2[Assignment: organization-defined information, source, and destination objects] to enforce ac-4.1_prm_3[Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4(2)
Information Flow Enforcement | Processing Domains
Use protected processing domains to enforce ac-4.2_prm_1[Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
Information Flow Enforcement | Processing Domains
The information system uses protected processing domains to enforce ac-4.2_prm_1[Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4(3)
Information Flow Enforcement | Dynamic Information Flow Control
Enforce ac-4.3_prm_1[Assignment: organization-defined information flow control policies].
Information Flow Enforcement | Dynamic Information Flow Control
The information system enforces dynamic information flow control based on ac-4.3_prm_1[Assignment: organization-defined policies].
AC-4(4)
Information Flow Enforcement | Flow Control of Encrypted Information
Prevent encrypted information from bypassing ac-4.4_prm_1[Assignment: organization-defined information flow control mechanisms] by ac-4.4_prm_2[Selection: decrypting the information or blocking the flow of the encrypted information or terminating communications sessions attempting to pass encrypted information or ac-4.4_prm_3[Assignment: organization-defined procedure or method]].
Information Flow Enforcement | Content Check Encrypted Information
The information system prevents encrypted information from bypassing content-checking mechanisms by ac-4.4_prm_1[Selection: decrypting the information or blocking the flow of the encrypted information or terminating communications sessions attempting to pass encrypted information or ac-4.4_prm_2[Assignment: organization-defined procedure or method]].
AC-4(5)
Information Flow Enforcement | Embedded Data Types
Enforce ac-4.5_prm_1[Assignment: organization-defined limitations] on embedding data types within other data types.
Information Flow Enforcement | Embedded Data Types
The information system enforces ac-4.5_prm_1[Assignment: organization-defined limitations] on embedding data types within other data types.
AC-4(6)
Information Flow Enforcement | Metadata
Enforce information flow control based on ac-4.6_prm_1[Assignment: organization-defined metadata].
Information Flow Enforcement | Metadata
The information system enforces information flow control based on ac-4.6_prm_1[Assignment: organization-defined metadata].
AC-4(7)
Information Flow Enforcement | One-way Flow Mechanisms
Enforce one-way information flows through hardware-based flow control mechanisms.
Information Flow Enforcement | One-way Flow Mechanisms
The information system enforces ac-4.7_prm_1[Assignment: organization-defined one-way information flows] using hardware mechanisms.
AC-4(8)
Information Flow Enforcement | Security and Privacy Policy Filters
(a) Enforce information flow control using ac-4.8_prm_1[Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for ac-4.8_prm_2[Assignment: organization-defined information flows]; and
(b) ac-4.8_prm_3[Selection: Block or Strip or Modify or Quarantine] data after a filter processing failure in accordance with ac-4.8_prm_4[Assignment: organization-defined security or privacy policy].
Information Flow Enforcement | Security Policy Filters
The information system enforces information flow control using ac-4.8_prm_1[Assignment: organization-defined security policy filters] as a basis for flow control decisions for ac-4.8_prm_2[Assignment: organization-defined information flows].
AC-4(9)
Information Flow Enforcement | Human Reviews
Enforce the use of human reviews for ac-4.9_prm_1[Assignment: organization-defined information flows] under the following conditions: ac-4.9_prm_2[Assignment: organization-defined conditions].
Information Flow Enforcement | Human Reviews
The information system enforces the use of human reviews for ac-4.9_prm_1[Assignment: organization-defined information flows] under the following conditions: ac-4.9_prm_2[Assignment: organization-defined conditions].
AC-4(10)
Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters
Provide the capability for privileged administrators to enable and disable ac-4.10_prm_1[Assignment: organization-defined security or privacy policy filters] under the following conditions: ac-4.10_prm_2[Assignment: organization-defined conditions].
Information Flow Enforcement | Enable / Disable Security Policy Filters
The information system provides the capability for privileged administrators to enable/disable ac-4.10_prm_1[Assignment: organization-defined security policy filters] under the following conditions: ac-4.10_prm_2[Assignment: organization-defined conditions].
AC-4(11)
Information Flow Enforcement | Configuration of Security or Privacy Policy Filters
Provide the capability for privileged administrators to configure ac-4.11_prm_1[Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies.
Information Flow Enforcement | Configuration of Security Policy Filters
The information system provides the capability for privileged administrators to configure ac-4.11_prm_1[Assignment: organization-defined security policy filters] to support different security policies.
AC-4(12)
Information Flow Enforcement | Data Type Identifiers
When transferring information between different security domains, use ac-4.12_prm_1[Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.
Information Flow Enforcement | Data Type Identifiers
The information system, when transferring information between different security domains, uses ac-4.12_prm_1[Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.
AC-4(13)
Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents
When transferring information between different security domains, decompose information into ac-4.13_prm_1[Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents
The information system, when transferring information between different security domains, decomposes information into ac-4.13_prm_1[Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
AC-4(14)
Information Flow Enforcement | Security or Privacy Policy Filter Constraints
When transferring information between different security domains, implement ac-4.14_prm_1[Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content.
Information Flow Enforcement | Security Policy Filter Constraints
The information system, when transferring information between different security domains, implements ac-4.14_prm_1[Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content.
AC-4(15)
Information Flow Enforcement | Detection of Unsanctioned Information
When transferring information between different security domains, examine the information for the presence of ac-4.15_prm_1[Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the ac-4.15_prm_2[Assignment: organization-defined security or privacy policy].
Information Flow Enforcement | Detection of Unsanctioned Information
The information system, when transferring information between different security domains, examines the information for the presence of ac-4.15_prm_1[Assignment: organization-defined unsanctioned information] and prohibits the transfer of such information in accordance with the ac-4.15_prm_2[Assignment: organization-defined security policy].
AC-4(16)
Information Flow Enforcement | Information Transfers on Interconnected Systems
Withdrawn — incorporated into AC-4.
Information Flow Enforcement | Information Transfers On Interconnected Systems
Withdrawn — incorporated into AC-4.
AC-4(17)
Information Flow Enforcement | Domain Authentication
Uniquely identify and authenticate source and destination points by ac-4.17_prm_1[Selection: organization or system or application or service or individual] for information transfer.
Information Flow Enforcement | Domain Authentication
The information system uniquely identifies and authenticates source and destination points by ac-4.17_prm_1[Selection: organization, system, application, individual] for information transfer.
AC-4(18)
Information Flow Enforcement | Security Attribute Binding
Withdrawn — incorporated into AC-16.
Information Flow Enforcement | Security Attribute Binding
The information system binds security attributes to information using ac-4.18_prm_1[Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement.
AC-4(19)
Information Flow Enforcement | Validation of Metadata
When transferring information between different security domains, implement ac-4.19_prm_1[Assignment: organization-defined security or privacy policy filters] on metadata.
Information Flow Enforcement | Validation of Metadata
The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.
AC-4(20)
Information Flow Enforcement | Approved Solutions
Employ ac-4.20_prm_1[Assignment: organization-defined solutions in approved configurations] to control the flow of ac-4.20_prm_2[Assignment: organization-defined information] across security domains.
Information Flow Enforcement | Approved Solutions
The organization employs ac-4.20_prm_1[Assignment: organization-defined solutions in approved configurations] to control the flow of ac-4.20_prm_2[Assignment: organization-defined information] across security domains.
AC-4(21)
Information Flow Enforcement | Physical or Logical Separation of Information Flows
Separate information flows logically or physically using ac-4.21_prm_1[Assignment: organization-defined mechanisms and/or techniques] to accomplish ac-4.21_prm_2[Assignment: organization-defined required separations by types of information].
Information Flow Enforcement | Physical / Logical Separation of Information Flows
The information system separates information flows logically or physically using ac-4.21_prm_1[Assignment: organization-defined mechanisms and/or techniques] to accomplish ac-4.21_prm_2[Assignment: organization-defined required separations by types of information].
AC-4(22)
Information Flow Enforcement | Access Only
Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.
Information Flow Enforcement | Access Only
The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.
AC-4(23)
Information Flow Enforcement | Modify Non-releasable Information
When transferring information between different security domains, modify non-releasable information by implementing ac-4.23_prm_1[Assignment: organization-defined modification action].
No predecessor
AC-4(24)
Information Flow Enforcement | Internal Normalized Format
When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.
No predecessor
AC-4(25)
Information Flow Enforcement | Data Sanitization
When transferring information between different security domains, sanitize data to minimize ac-4.25_prm_1[Selection: delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data or spillage of sensitive information] in accordance with ac-4.25_prm_2[Assignment: organization-defined policy].
No predecessor
AC-4(26)
Information Flow Enforcement | Audit Filtering Actions
When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
No predecessor
AC-4(27)
Information Flow Enforcement | Redundant/independent Filtering Mechanisms
When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.
No predecessor
AC-4(28)
Information Flow Enforcement | Linear Filter Pipelines
When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
No predecessor
AC-4(29)
Information Flow Enforcement | Filter Orchestration Engines
When transferring information between different security domains, employ content filter orchestration engines to ensure that:
(a) Content filtering mechanisms successfully complete execution without errors; and
(b) Content filtering actions occur in the correct order and comply with ac-4.29_prm_1[Assignment: organization-defined policy].
No predecessor
AC-4(30)
Information Flow Enforcement | Filter Mechanisms Using Multiple Processes
When transferring information between different security domains, implement content filtering mechanisms using multiple processes.
No predecessor
AC-4(31)
Information Flow Enforcement | Failed Content Transfer Prevention
When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.
No predecessor
AC-4(32)
Information Flow Enforcement | Process Requirements for Information Transfer
When transferring information between different security domains, the process that transfers information between filter pipelines:
(a) Does not filter message content;
(b) Validates filtering metadata;
(c) Ensures the content associated with the filtering metadata has successfully completed filtering; and
(d) Transfers the content to the destination filter pipeline.
No predecessor
AC-5
Separation of DutiesⓂ Ⓗ
a. Identify and document ac-5_prm_1[Assignment: organization-defined duties of individuals requiring separation]; and
b. Define system access authorizations to support separation of duties.
Separation of DutiesⓂ Ⓗ
The organization:
a. Separates ac-5_prm_1[Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.
AC-6
Least PrivilegeⓂ Ⓗ
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
Least PrivilegeⓂ Ⓗ
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AC-6(1)
Least Privilege | Authorize Access to Security FunctionsⓂ Ⓗ
Authorize access for ac-6.1_prm_1[Assignment: organization-defined individuals or roles] to:
(a) ac-6.1_prm_2[Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
(b) ac-6.1_prm_3[Assignment: organization-defined security-relevant information].
Least Privilege | Authorize Access to Security FunctionsⓂ Ⓗ
The organization explicitly authorizes access to ac-6.1_prm_1[Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
AC-6(2)
Least Privilege | Non-privileged Access for Nonsecurity FunctionsⓂ Ⓗ
Require that users of system accounts (or roles) with access to ac-6.2_prm_1[Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.
Least Privilege | Non-privileged Access for Nonsecurity FunctionsⓂ Ⓗ
The organization requires that users of information system accounts, or roles, with access to ac-6.2_prm_1[Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.
AC-6(3)
Least Privilege | Network Access to Privileged Commands
Authorize network access to ac-6.3_prm_1[Assignment: organization-defined privileged commands] only for ac-6.3_prm_2[Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.
Least Privilege | Network Access to Privileged Commands
The organization authorizes network access to ac-6.3_prm_1[Assignment: organization-defined privileged commands] only for ac-6.3_prm_2[Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
AC-6(4)
Least Privilege | Separate Processing Domains
Provide separate processing domains to enable finer-grained allocation of user privileges.
Least Privilege | Separate Processing Domains
The information system provides separate processing domains to enable finer-grained allocation of user privileges.
AC-6(5)
Least Privilege | Privileged AccountsⓂ Ⓗ
Restrict privileged accounts on the system to ac-6.5_prm_1[Assignment: organization-defined personnel or roles].
Least Privilege | Privileged AccountsⓂ Ⓗ
The organization restricts privileged accounts on the information system to ac-6.5_prm_1[Assignment: organization-defined personnel or roles].
AC-6(6)
Least Privilege | Privileged Access by Non-organizational Users
Prohibit privileged access to the system by non-organizational users.
Least Privilege | Privileged Access by Non-organizational Users
The organization prohibits privileged access to the information system by non-organizational users.
AC-6(7)
Least Privilege | Review of User PrivilegesⓂ Ⓗ
(a) Review ac-6.7_prm_1[Assignment: organization-defined frequency] the privileges assigned to ac-6.7_prm_2[Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
(b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
Least Privilege | Review of User Privileges
The organization:
(a) Reviews ac-6.7_prm_1[Assignment: organization-defined frequency] the privileges assigned to ac-6.7_prm_2[Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
(b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
AC-6(8)
Least Privilege | Privilege Levels for Code Execution
Prevent the following software from executing at higher privilege levels than users executing the software: ac-6.8_prm_1[Assignment: organization-defined software].
Least Privilege | Privilege Levels for Code Execution
The information system prevents ac-6.8_prm_1[Assignment: organization-defined software] from executing at higher privilege levels than users executing the software.
AC-6(9)
Least Privilege | Log Use of Privileged FunctionsⓂ Ⓗ
Log the execution of privileged functions.
Least Privilege | Auditing Use of Privileged FunctionsⓂ Ⓗ
The information system audits the execution of privileged functions.
AC-6(10)
Least Privilege | Prohibit Non-privileged Users from Executing Privileged FunctionsⓂ Ⓗ
Prevent non-privileged users from executing privileged functions.
Least Privilege | Prohibit Non-privileged Users from Executing Privileged FunctionsⓂ Ⓗ
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-7
Unsuccessful Logon AttemptsⓁ Ⓜ Ⓗ
a. Enforce a limit of ac-7_prm_1[Assignment: organization-defined number] consecutive invalid logon attempts by a user during a ac-7_prm_2[Assignment: organization-defined time period]; and
b. Automatically ac-7_prm_3[Selection: lock the account or node for an ac-7_prm_4[Assignment: organization-defined time period] or lock the account or node until released by an administrator or delay next logon prompt per ac-7_prm_5[Assignment: organization-defined delay algorithm] or notify system administrator or take other ac-7_prm_6[Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.
Unsuccessful Logon AttemptsⓁ Ⓜ Ⓗ
The information system:
a. Enforces a limit of ac-7_prm_1[Assignment: organization-defined number] consecutive invalid logon attempts by a user during a ac-7_prm_2[Assignment: organization-defined time period]; and
b. Automatically ac-7_prm_3[Selection: locks the account/node for an ac-7_prm_4[Assignment: organization-defined time period] or locks the account/node until released by an administrator or delays next logon prompt according to ac-7_prm_5[Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
AC-7(1)
Unsuccessful Logon Attempts | Automatic Account Lock
Withdrawn — incorporated into AC-7.
Unsuccessful Logon Attempts | Automatic Account Lock
Withdrawn — incorporated into AC-7.
AC-7(2)
Unsuccessful Logon Attempts | Purge or Wipe Mobile Device
Purge or wipe information from ac-7.2_prm_1[Assignment: organization-defined mobile devices] based on ac-7.2_prm_2[Assignment: organization-defined purging or wiping requirements and techniques] after ac-7.2_prm_3[Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
Unsuccessful Logon Attempts | Purge / Wipe Mobile Device
The information system purges/wipes information from ac-7.2_prm_1[Assignment: organization-defined mobile devices] based on ac-7.2_prm_2[Assignment: organization-defined purging/wiping requirements/techniques] after ac-7.2_prm_3[Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
AC-7(3)
Unsuccessful Logon Attempts | Biometric Attempt Limiting
Limit the number of unsuccessful biometric logon attempts to ac-7.3_prm_1[Assignment: organization-defined number].
No predecessor
AC-7(4)
Unsuccessful Logon Attempts | Use of Alternate Authentication Factor
(a) Allow the use of ac-7.4_prm_1[Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and
(b) Enforce a limit of ac-7.4_prm_2[Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a ac-7.4_prm_3[Assignment: organization-defined time period].
No predecessor
AC-8
System Use NotificationⓁ Ⓜ Ⓗ
a. Display ac-8_prm_1[Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
1. Users are accessing a U.S. Government system;
2. System usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
4. Use of the system indicates consent to monitoring and recording;
b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
c. For publicly accessible systems:
1. Display system use information ac-8_prm_2[Assignment: organization-defined conditions], before granting further access to the publicly accessible system;
2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Include a description of the authorized uses of the system.
System Use NotificationⓁ Ⓜ Ⓗ
The information system:
a. Displays to users ac-8_prm_1[Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information ac-8_prm_2[Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system.
AC-9
Previous Logon Notification
Notify the user, upon successful logon to the system, of the date and time of the last logon.
Previous Logon (access) Notification
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
AC-9(1)
Previous Logon Notification | Unsuccessful Logons
Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
Previous Logon (access) Notification | Unsuccessful Logons
The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
AC-9(2)
Previous Logon Notification | Successful and Unsuccessful Logons
Notify the user, upon successful logon, of the number of ac-9.2_prm_1[Selection: successful logons or unsuccessful logon attempts or both] during ac-9.2_prm_2[Assignment: organization-defined time period].
Previous Logon (access) Notification | Successful / Unsuccessful Logons
The information system notifies the user of the number of ac-9.2_prm_1[Selection: successful logons/accesses or unsuccessful logon/access attempts or both] during ac-9.2_prm_2[Assignment: organization-defined time period].
AC-9(3)
Previous Logon Notification | Notification of Account Changes
Notify the user, upon successful logon, of changes to ac-9.3_prm_1[Assignment: organization-defined security-related characteristics or parameters of the user’s account] during ac-9.3_prm_2[Assignment: organization-defined time period].
Previous Logon (access) Notification | Notification of Account Changes
The information system notifies the user of changes to ac-9.3_prm_1[Assignment: organization-defined security-related characteristics/parameters of the user’s account] during ac-9.3_prm_2[Assignment: organization-defined time period].
AC-9(4)
Previous Logon Notification | Additional Logon Information
Notify the user, upon successful logon, of the following additional information: ac-9.4_prm_1[Assignment: organization-defined additional information].
Previous Logon (access) Notification | Additional Logon Information
The information system notifies the user, upon successful logon (access), of the following additional information: ac-9.4_prm_1[Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)].
AC-10
Concurrent Session Control
Limit the number of concurrent sessions for each ac-10_prm_1[Assignment: organization-defined account and/or account type] to ac-10_prm_2[Assignment: organization-defined number].
Concurrent Session Control
The information system limits the number of concurrent sessions for each ac-10_prm_1[Assignment: organization-defined account and/or account type] to ac-10_prm_2[Assignment: organization-defined number].
AC-11
Device LockⓂ Ⓗ
a. Prevent further access to the system by ac-11_prm_1[Selection: initiating a device lock after ac-11_prm_2[Assignment: organization-defined time period] of inactivity or requiring the user to initiate a device lock before leaving the system unattended]; and
b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.
Session LockⓂ Ⓗ
The information system:
a. Prevents further access to the system by initiating a session lock after ac-11_prm_1[Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11(1)
Device Lock | Pattern-hiding DisplaysⓂ Ⓗ
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
Session Lock | Pattern-hiding DisplaysⓂ Ⓗ
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
AC-12
Session TerminationⓂ Ⓗ
Automatically terminate a user session after ac-12_prm_1[Assignment: organization-defined conditions or trigger events requiring session disconnect].
Session TerminationⓂ Ⓗ
The information system automatically terminates a user session after ac-12_prm_1[Assignment: organization-defined conditions or trigger events requiring session disconnect].
AC-12(1)
Session Termination | User-initiated Logouts
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to ac-12.1_prm_1[Assignment: organization-defined information resources].
Session Termination | User-initiated Logouts / Message Displays
The information system:
(a) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to ac-12.1_prm_1[Assignment: organization-defined information resources]; and
(b) Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
AC-12(2)
Session Termination | Termination Message
Display an explicit logout message to users indicating the termination of authenticated communications sessions.
No predecessor
AC-12(3)
Session Termination | Timeout Warning Message
Display an explicit message to users indicating that the session will end in ac-12.3_prm_1[Assignment: organization-defined time until end of session].
No predecessor
AC-13
Supervision and Review — Access Control
Withdrawn — incorporated into AC-2 and AU-6.
Supervision and Review - Access Control
Withdrawn — incorporated into AC-2 and AU-6.
AC-14
Permitted Actions Without Identification or AuthenticationⓁ Ⓜ Ⓗ
a. Identify ac-14_prm_1[Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
Permitted Actions Without Identification or AuthenticationⓁ Ⓜ Ⓗ
The organization:
a. Identifies ac-14_prm_1[Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
AC-14(1)
Permitted Actions Without Identification or Authentication | Necessary Uses
Withdrawn — incorporated into AC-14.
Permitted Actions Without Identification or Authentication | Necessary Uses
Withdrawn — incorporated into AC-14.
AC-15
Automated Marking
Withdrawn — incorporated into MP-3.
Automated Marking
Withdrawn — incorporated into MP-3.
AC-16
Security and Privacy Attributes
a. Provide the means to associate ac-16_prm_1[Assignment: organization-defined types of security and privacy attributes] with ac-16_prm_2[Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;
b. Ensure that the attribute associations are made and retained with the information;
c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for ac-16_prm_3[Assignment: organization-defined systems]: ac-16_prm_4[Assignment: organization-defined security and privacy attributes];
d. Determine the following permitted attribute values or ranges for each of the established attributes: ac-16_prm_5[Assignment: organization-defined attribute values or ranges for established attributes];
e. Audit changes to attributes; and
f. Review ac-16_prm_6[Assignment: organization-defined security and privacy attributes] for applicability ac-16_prm_7[Assignment: organization-defined frequency].
Security Attributes
The organization:
a. Provides the means to associate ac-16_prm_1[Assignment: organization-defined types of security attributes] having ac-16_prm_2[Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted ac-16_prm_3[Assignment: organization-defined security attributes] for ac-16_prm_4[Assignment: organization-defined information systems]; and
d. Determines the permitted ac-16_prm_5[Assignment: organization-defined values or ranges] for each of the established security attributes.
AC-16(1)
Security and Privacy Attributes | Dynamic Attribute Association
Dynamically associate security and privacy attributes with ac-16.1_prm_1[Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: ac-16.1_prm_2[Assignment: organization-defined security and privacy policies].
Security Attributes | Dynamic Attribute Association
The information system dynamically associates security attributes with ac-16.1_prm_1[Assignment: organization-defined subjects and objects] in accordance with ac-16.1_prm_2[Assignment: organization-defined security policies] as information is created and combined.
AC-16(2)
Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals
Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.
Security Attributes | Attribute Value Changes by Authorized Individuals
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
AC-16(3)
Security and Privacy Attributes | Maintenance of Attribute Associations by System
Maintain the association and integrity of ac-16.3_prm_1[Assignment: organization-defined security and privacy attributes] to ac-16.3_prm_2[Assignment: organization-defined subjects and objects].
Security Attributes | Maintenance of Attribute Associations by Information System
The information system maintains the association and integrity of ac-16.3_prm_1[Assignment: organization-defined security attributes] to ac-16.3_prm_2[Assignment: organization-defined subjects and objects].
AC-16(4)
Security and Privacy Attributes | Association of Attributes by Authorized Individuals
Provide the capability to associate ac-16.4_prm_1[Assignment: organization-defined security and privacy attributes] with ac-16.4_prm_2[Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
Security Attributes | Association of Attributes by Authorized Individuals
The information system supports the association of ac-16.4_prm_1[Assignment: organization-defined security attributes] with ac-16.4_prm_2[Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
AC-16(5)
Security and Privacy Attributes | Attribute Displays on Objects to Be Output
Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify ac-16.5_prm_1[Assignment: organization-defined special dissemination, handling, or distribution instructions] using ac-16.5_prm_2[Assignment: organization-defined human-readable, standard naming conventions].
Security Attributes | Attribute Displays for Output Devices
The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify ac-16.5_prm_1[Assignment: organization-identified special dissemination, handling, or distribution instructions] using ac-16.5_prm_2[Assignment: organization-identified human-readable, standard naming conventions].
AC-16(6)
Security and Privacy Attributes | Maintenance of Attribute Association
Require personnel to associate and maintain the association of ac-16.6_prm_1[Assignment: organization-defined security and privacy attributes] with ac-16.6_prm_2[Assignment: organization-defined subjects and objects] in accordance with ac-16.6_prm_3[Assignment: organization-defined security and privacy policies].
Security Attributes | Maintenance of Attribute Association by Organization
The organization allows personnel to associate, and maintain the association of ac-16.6_prm_1[Assignment: organization-defined security attributes] with ac-16.6_prm_2[Assignment: organization-defined subjects and objects] in accordance with ac-16.6_prm_3[Assignment: organization-defined security policies].
AC-16(7)
Security and Privacy Attributes | Consistent Attribute Interpretation
Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.
Security Attributes | Consistent Attribute Interpretation
The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
AC-16(8)
Security and Privacy Attributes | Association Techniques and Technologies
Implement ac-16.8_prm_1[Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information.
Security Attributes | Association Techniques / Technologies
The information system implements ac-16.8_prm_1[Assignment: organization-defined techniques or technologies] with ac-16.8_prm_2[Assignment: organization-defined level of assurance] in associating security attributes to information.
AC-16(9)
Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms
Change security and privacy attributes associated with information only via regrading mechanisms validated using ac-16.9_prm_1[Assignment: organization-defined techniques or procedures].
Security Attributes | Attribute Reassignment
The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using ac-16.9_prm_1[Assignment: organization-defined techniques or procedures].
AC-16(10)
Security and Privacy Attributes | Attribute Configuration by Authorized Individuals
Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.
Security Attributes | Attribute Configuration by Authorized Individuals
The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.
AC-17
Remote AccessⓁ Ⓜ Ⓗ
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections.
Remote AccessⓁ Ⓜ Ⓗ
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
AC-17(1)
Remote Access | Monitoring and ControlⓂ Ⓗ
Employ automated mechanisms to monitor and control remote access methods.
Remote Access | Automated Monitoring / ControlⓂ Ⓗ
The information system monitors and controls remote access methods.
AC-17(2)
Remote Access | Protection of Confidentiality and Integrity Using EncryptionⓂ Ⓗ
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Remote Access | Protection of Confidentiality / Integrity Using EncryptionⓂ Ⓗ
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17(3)
Remote Access | Managed Access Control PointsⓂ Ⓗ
Route remote accesses through authorized and managed network access control points.
Remote Access | Managed Access Control PointsⓂ Ⓗ
The information system routes all remote accesses through ac-17.3_prm_1[Assignment: organization-defined number] managed network access control points.
AC-17(4)
Remote Access | Privileged Commands and AccessⓂ Ⓗ
(a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: ac-17.4_prm_1[Assignment: organization-defined needs]; and
(b) Document the rationale for remote access in the security plan for the system.
Remote Access | Privileged Commands / AccessⓂ Ⓗ
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for ac-17.4_prm_1[Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system.
AC-17(5)
Remote Access | Monitoring for Unauthorized Connections
Withdrawn — incorporated into SI-4.
Remote Access | Monitoring for Unauthorized Connections
Withdrawn — incorporated into SI-4.
AC-17(6)
Remote Access | Protection of Mechanism Information
Protect information about remote access mechanisms from unauthorized use and disclosure.
Remote Access | Protection of Information
The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
AC-17(7)
Remote Access | Additional Protection for Security Function Access
Withdrawn — incorporated into AC-3(10).
Remote Access | Additional Protection for Security Function Access
Withdrawn — incorporated into AC-3(10).
AC-17(8)
Remote Access | Disable Nonsecure Network Protocols
Withdrawn — incorporated into CM-7.
Remote Access | Disable Nonsecure Network Protocols
Withdrawn — incorporated into CM-7.
AC-17(9)
Remote Access | Disconnect or Disable Access
Provide the capability to disconnect or disable remote access to the system within ac-17.9_prm_1[Assignment: organization-defined time period].
Remote Access | Disconnect / Disable Access
The organization provides the capability to expeditiously disconnect or disable remote access to the information system within ac-17.9_prm_1[Assignment: organization-defined time period].
AC-17(10)
Remote Access | Authenticate Remote Commands
Implement ac-17.10_prm_1[Assignment: organization-defined mechanisms] to authenticate ac-17.10_prm_2[Assignment: organization-defined remote commands].
No predecessor
AC-18
Wireless AccessⓁ Ⓜ Ⓗ
a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
b. Authorize each type of wireless access to the system prior to allowing such connections.
Wireless AccessⓁ Ⓜ Ⓗ
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections.
AC-18(1)
Wireless Access | Authentication and EncryptionⓂ Ⓗ
Protect wireless access to the system using authentication of ac-18.1_prm_1[Selection: users or devices] and encryption.
Wireless Access | Authentication and EncryptionⓂ Ⓗ
The information system protects wireless access to the system using authentication of ac-18.1_prm_1[Selection: users or devices] and encryption.
AC-18(2)
Wireless Access | Monitoring Unauthorized Connections
Withdrawn — incorporated into SI-4.
Wireless Access | Monitoring Unauthorized Connections
Withdrawn — incorporated into SI-4.
AC-18(3)
Wireless Access | Disable Wireless NetworkingⓂ Ⓗ
Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.
Wireless Access | Disable Wireless Networking
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
AC-18(4)
Wireless Access | Restrict Configurations by Users
Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.
Wireless Access | Restrict Configurations by Users
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.
AC-18(5)
Wireless Access | Antennas and Transmission Power Levels
Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
Wireless Access | Antennas / Transmission Power Levels
The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.
AC-19
Access Control for Mobile DevicesⓁ Ⓜ Ⓗ
a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
b. Authorize the connection of mobile devices to organizational systems.
Access Control for Mobile DevicesⓁ Ⓜ Ⓗ
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems.
AC-19(1)
Access Control for Mobile Devices | Use of Writable and Portable Storage Devices
Withdrawn — incorporated into MP-7.
Access Control for Mobile Devices | Use of Writable / Portable Storage Devices
Withdrawn — incorporated into MP-7.
AC-19(2)
Access Control for Mobile Devices | Use of Personally Owned Portable Storage Devices
Withdrawn — incorporated into MP-7.
Access Control for Mobile Devices | Use of Personally Owned Portable Storage Devices
Withdrawn — incorporated into MP-7.
AC-19(3)
Access Control for Mobile Devices | Use of Portable Storage Devices with No Identifiable Owner
Withdrawn — incorporated into MP-7.
Access Control for Mobile Devices | Use of Portable Storage Devices with No Identifiable Owner
Withdrawn — incorporated into MP-7.
AC-19(4)
Access Control for Mobile Devices | Restrictions for Classified Information
(a) Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
(b) Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by ac-19.4_prm_1[Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
(c) Restrict the connection of classified mobile devices to classified systems in accordance with ac-19.4_prm_2[Assignment: organization-defined security policies].
Access Control for Mobile Devices | Restrictions for Classified Information
The organization:
(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
(b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
(1) Connection of unclassified mobile devices to classified information systems is prohibited;
(2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by ac-19.4_prm_1[Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
(c) Restricts the connection of classified mobile devices to classified information systems in accordance with ac-19.4_prm_2[Assignment: organization-defined security policies].
AC-19(5)
Access Control for Mobile Devices | Full Device or Container-based EncryptionⓂ Ⓗ
Employ ac-19.5_prm_1[Selection: full-device encryption or container-based encryption] to protect the confidentiality and integrity of information on ac-19.5_prm_2[Assignment: organization-defined mobile devices].
Access Control for Mobile Devices | Full Device / Container-based EncryptionⓂ Ⓗ
The organization employs ac-19.5_prm_1[Selection: full-device encryption or container encryption] to protect the confidentiality and integrity of information on ac-19.5_prm_2[Assignment: organization-defined mobile devices].
AC-20
Use of External SystemsⓁ Ⓜ Ⓗ
a. ac-20_prm_1[Selection: Establish or ac-20_prm_2[Assignment: organization-defined terms and conditions] or Identify or ac-20_prm_3[Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
1. Access the system from external systems; and
2. Process, store, or transmit organization-controlled information using external systems; or
b. Prohibit the use of ac-20_prm_4[Assignment: organizationally-defined types of external systems].
Use of External Information SystemsⓁ Ⓜ Ⓗ
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from external information systems; and
b. Process, store, or transmit organization-controlled information using external information systems.
AC-20(1)
Use of External Systems | Limits on Authorized UseⓂ Ⓗ
Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:
(a) Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
(b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system.
Use of External Information Systems | Limits On Authorized UseⓂ Ⓗ
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or
(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
AC-20(2)
Use of External Systems | Portable Storage Devices — Restricted UseⓂ Ⓗ
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using ac-20.2_prm_1[Assignment: organization-defined restrictions].
Use of External Information Systems | Portable Storage DevicesⓂ Ⓗ
The organization ac-20.2_prm_1[Selection: restricts or prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
AC-20(3)
Use of External Systems | Non-organizationally Owned Systems — Restricted Use
Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using ac-20.3_prm_1[Assignment: organization-defined restrictions].
Use of External Information Systems | Non-organizationally Owned Systems / Components / Devices
The organization ac-20.3_prm_1[Selection: restricts or prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.
AC-20(4)
Use of External Systems | Network Accessible Storage Devices — Prohibited Use
Prohibit the use of ac-20.4_prm_1[Assignment: organization-defined network accessible storage devices] in external systems.
Use of External Information Systems | Network Accessible Storage Devices
The organization prohibits the use of ac-20.4_prm_1[Assignment: organization-defined network accessible storage devices] in external information systems.
AC-20(5)
Use of External Systems | Portable Storage Devices — Prohibited Use
Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.
No predecessor
AC-21
Information SharingⓂ Ⓗ
a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ac-21_prm_1[Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employ ac-21_prm_2[Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions.
Information SharingⓂ Ⓗ
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for ac-21_prm_1[Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs ac-21_prm_2[Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
AC-21(1)
Information Sharing | Automated Decision Support
Employ ac-21.1_prm_1[Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
Information Sharing | Automated Decision Support
The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
AC-21(2)
Information Sharing | Information Search and Retrieval
Implement information search and retrieval services that enforce ac-21.2_prm_1[Assignment: organization-defined information sharing restrictions].
Information Sharing | Information Search and Retrieval
The information system implements information search and retrieval services that enforce ac-21.2_prm_1[Assignment: organization-defined information sharing restrictions].
AC-22
Publicly Accessible ContentⓁ Ⓜ Ⓗ
a. Designate individuals authorized to make information publicly accessible;
b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
d. Review the content on the publicly accessible system for nonpublic information ac-22_prm_1[Assignment: organization-defined frequency] and remove such information, if discovered.
Publicly Accessible ContentⓁ Ⓜ Ⓗ
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information ac-22_prm_1[Assignment: organization-defined frequency] and removes such information, if discovered.
AC-23
Data Mining Protection
Employ ac-23_prm_1[Assignment: organization-defined data mining prevention and detection techniques] for ac-23_prm_2[Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining.
Data Mining Protection
The organization employs ac-23_prm_1[Assignment: organization-defined data mining prevention and detection techniques] for ac-23_prm_2[Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.
AC-24
Access Control Decisions
ac-24_prm_1[Selection: Establish procedures or Implement mechanisms] to ensure ac-24_prm_2[Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
Access Control Decisions
The organization establishes procedures to ensure ac-24_prm_1[Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
AC-24(1)
Access Control Decisions | Transmit Access Authorization Information
Transmit ac-24.1_prm_1[Assignment: organization-defined access authorization information] using ac-24.1_prm_2[Assignment: organization-defined controls] to ac-24.1_prm_3[Assignment: organization-defined systems] that enforce access control decisions.
Access Control Decisions | Transmit Access Authorization Information
The information system transmits ac-24.1_prm_1[Assignment: organization-defined access authorization information] using ac-24.1_prm_2[Assignment: organization-defined security safeguards] to ac-24.1_prm_3[Assignment: organization-defined information systems] that enforce access control decisions.
AC-24(2)
Access Control Decisions | No User or Process Identity
Enforce access control decisions based on ac-24.2_prm_1[Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user.
Access Control Decisions | No User or Process Identity
The information system enforces access control decisions based on ac-24.2_prm_1[Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user.
AC-25
Reference Monitor
Implement a reference monitor for ac-25_prm_1[Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
Reference Monitor
The information system implements a reference monitor for ac-25_prm_1[Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
AT-1
Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟ
a. Develop, document, and disseminate to at-1_prm_1[Assignment: organization-defined personnel or roles]:
1. at-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] awareness and training policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;
b. Designate an at-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and
c. Review and update the current awareness and training:
1. Policy at-1_prm_4[Assignment: organization-defined frequency] and following at-1_prm_5[Assignment: organization-defined events]; and
2. Procedures at-1_prm_6[Assignment: organization-defined frequency] and following at-1_prm_7[Assignment: organization-defined events].
Security Awareness and Training Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to at-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy at-1_prm_2[Assignment: organization-defined frequency]; and
2. Security awareness and training procedures at-1_prm_3[Assignment: organization-defined frequency].
AT-2
Literacy Training and AwarenessⓁ Ⓜ Ⓗ Ⓟ
a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
1. As part of initial training for new users and at-2_prm_1[Assignment: organization-defined frequency] thereafter; and
2. When required by system changes or following at-2_prm_2[Assignment: organization-defined events];
b. Employ the following techniques to increase the security and privacy awareness of system users at-2_prm_3[Assignment: organization-defined awareness techniques];
c. Update literacy training and awareness content at-2_prm_4[Assignment: organization-defined frequency] and following at-2_prm_5[Assignment: organization-defined events]; and
d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
Security Awareness TrainingⓁ Ⓜ Ⓗ
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. at-2_prm_1[Assignment: organization-defined frequency] thereafter.
AT-2(1)
Literacy Training and Awareness | Practical Exercises
Provide practical exercises in literacy training that simulate events and incidents.
Security Awareness Training | Practical Exercises
The organization includes practical exercises in security awareness training that simulate actual cyber attacks.
AT-2(2)
Literacy Training and Awareness | Insider ThreatⓁ Ⓜ Ⓗ
Provide literacy training on recognizing and reporting potential indicators of insider threat.
Security Awareness Training | Insider ThreatⓂ Ⓗ
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
AT-2(3)
Literacy Training and Awareness | Social Engineering and MiningⓂ Ⓗ
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
No predecessor
AT-2(4)
Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior
Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using at-2.4_prm_1[Assignment: organization-defined indicators of malicious code].
No predecessor
AT-2(5)
Literacy Training and Awareness | Advanced Persistent Threat
Provide literacy training on the advanced persistent threat.
No predecessor
AT-2(6)
Literacy Training and Awareness | Cyber Threat Environment
(a) Provide literacy training on the cyber threat environment; and
(b) Reflect current cyber threat information in system operations.
No predecessor
AT-3
Role-based TrainingⓁ Ⓜ Ⓗ Ⓟ
a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: at-3_prm_1[Assignment: organization-defined roles and responsibilities]:
1. Before authorizing access to the system, information, or performing assigned duties, and at-3_prm_2[Assignment: organization-defined frequency] thereafter; and
2. When required by system changes;
b. Update role-based training content at-3_prm_3[Assignment: organization-defined frequency] and following at-3_prm_4[Assignment: organization-defined events]; and
c. Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
Role-based Security TrainingⓁ Ⓜ Ⓗ
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. at-3_prm_1[Assignment: organization-defined frequency] thereafter.
AT-3(1)
Role-based Training | Environmental Controls
Provide at-3.1_prm_1[Assignment: organization-defined personnel or roles] with initial and at-3.1_prm_2[Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
Role-based Security Training | Environmental Controls
The organization provides at-3.1_prm_1[Assignment: organization-defined personnel or roles] with initial and at-3.1_prm_2[Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
AT-3(2)
Role-based Training | Physical Security Controls
Provide at-3.2_prm_1[Assignment: organization-defined personnel or roles] with initial and at-3.2_prm_2[Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
Role-based Security Training | Physical Security Controls
The organization provides at-3.2_prm_1[Assignment: organization-defined personnel or roles] with initial and at-3.2_prm_2[Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
AT-3(3)
Role-based Training | Practical Exercises
Provide practical exercises in security and privacy training that reinforce training objectives.
Role-based Security Training | Practical Exercises
The organization includes practical exercises in security training that reinforce training objectives.
AT-3(4)
Role-based Training | Suspicious Communications and Anomalous System Behavior
.
Role-based Security Training | Suspicious Communications and Anomalous System Behavior
The organization provides training to its personnel on at-3.4_prm_1[Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.
AT-3(5)
Role-based Training | Processing Personally Identifiable Information
Provide at-3.5_prm_1[Assignment: organization-defined personnel or roles] with initial and at-3.5_prm_2[Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls.
No predecessor
AT-4
Training RecordsⓁ Ⓜ Ⓗ Ⓟ
a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
b. Retain individual training records for at-4_prm_1[Assignment: organization-defined time period].
Security Training RecordsⓁ Ⓜ Ⓗ
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for at-4_prm_1[Assignment: organization-defined time period].
AT-5
Contacts with Security Groups and Associations
Withdrawn — incorporated into PM-15.
Contacts with Security Groups and Associations
Withdrawn — incorporated into PM-15.
AT-6
Training Feedback
Provide feedback on organizational training results to the following personnel at-6_prm_1[Assignment: organization-defined frequency]: at-6_prm_2[Assignment: organization-defined personnel].
No predecessor
AU-1
Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟ
a. Develop, document, and disseminate to au-1_prm_1[Assignment: organization-defined personnel or roles]:
1. au-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] audit and accountability policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;
b. Designate an au-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and
c. Review and update the current audit and accountability:
1. Policy au-1_prm_4[Assignment: organization-defined frequency] and following au-1_prm_5[Assignment: organization-defined events]; and
2. Procedures au-1_prm_6[Assignment: organization-defined frequency] and following au-1_prm_7[Assignment: organization-defined events].
Audit and Accountability Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to au-1_prm_1[Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy au-1_prm_2[Assignment: organization-defined frequency]; and
2. Audit and accountability procedures au-1_prm_3[Assignment: organization-defined frequency].
AU-2
Event LoggingⓁ Ⓜ Ⓗ Ⓟ
a. Identify the types of events that the system is capable of logging in support of the audit function: au-2_prm_1[Assignment: organization-defined event types that the system is capable of logging];
b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
c. Specify the following event types for logging within the system: au-2_prm_2[Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
e. Review and update the event types selected for logging au-2_prm_3[Assignment: organization-defined frequency].
Audit EventsⓁ Ⓜ Ⓗ
The organization:
a. Determines that the information system is capable of auditing the following events: au-2_prm_1[Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: au-2_prm_2[Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
AU-2(1)
Event Logging | Compilation of Audit Records from Multiple Sources
Withdrawn — incorporated into AU-12.
Audit Events | Compilation of Audit Records from Multiple Sources
Withdrawn — incorporated into AU-12.
AU-2(2)
Event Logging | Selection of Audit Events by Component
Withdrawn — incorporated into AU-12.
Audit Events | Selection of Audit Events by Component
Withdrawn — incorporated into AU-12.
AU-2(3)
Event Logging | Reviews and Updates
Withdrawn — incorporated into AU-2.
Audit Events | Reviews and UpdatesⓂ Ⓗ
The organization reviews and updates the audited events au-2.3_prm_1[Assignment: organization-defined frequency].
AU-2(4)
Event Logging | Privileged Functions
Withdrawn — incorporated into AC-6(9).
Audit Events | Privileged Functions
Withdrawn — incorporated into AC-6(9).
AU-3
Content of Audit RecordsⓁ Ⓜ Ⓗ
Ensure that audit records contain information that establishes the following:
a. What type of event occurred;
b. When the event occurred;
c. Where the event occurred;
d. Source of the event;
e. Outcome of the event; and
f. Identity of any individuals, subjects, or objects/entities associated with the event.
Content of Audit RecordsⓁ Ⓜ Ⓗ
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
AU-3(1)
Content of Audit Records | Additional Audit InformationⓂ Ⓗ
Generate audit records containing the following additional information: au-3.1_prm_1[Assignment: organization-defined additional information].
Content of Audit Records | Additional Audit InformationⓂ Ⓗ
The information system generates audit records containing the following additional information: au-3.1_prm_1[Assignment: organization-defined additional, more detailed information].
AU-3(2)
Content of Audit Records | Centralized Management of Planned Audit Record Content
Withdrawn — incorporated into PL-9.
Content of Audit Records | Centralized Management of Planned Audit Record Content
The information system provides centralized management and configuration of the content to be captured in audit records generated by au-3.2_prm_1[Assignment: organization-defined information system components].
AU-3(3)
Content of Audit Records | Limit Personally Identifiable Information Elements
Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: au-3.3_prm_1[Assignment: organization-defined elements].
No predecessor
AU-4
Audit Log Storage CapacityⓁ Ⓜ Ⓗ
Allocate audit log storage capacity to accommodate au-4_prm_1[Assignment: organization-defined audit log retention requirements].
Audit Storage CapacityⓁ Ⓜ Ⓗ
The organization allocates audit record storage capacity in accordance with au-4_prm_1[Assignment: organization-defined audit record storage requirements].
AU-4(1)
Audit Log Storage Capacity | Transfer to Alternate Storage
Transfer audit logs au-4.1_prm_1[Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.
Audit Storage Capacity | Transfer to Alternate Storage
The information system off-loads audit records au-4.1_prm_1[Assignment: organization-defined frequency] onto a different system or media than the system being audited.
AU-5
Response to Audit Logging Process FailuresⓁ Ⓜ Ⓗ
a. Alert au-5_prm_1[Assignment: organization-defined personnel or roles] within au-5_prm_2[Assignment: organization-defined time period] in the event of an audit logging process failure; and
b. Take the following additional actions: au-5_prm_3[Assignment: organization-defined additional actions].
Response to Audit Processing FailuresⓁ Ⓜ Ⓗ
The information system:
a. Alerts au-5_prm_1[Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: au-5_prm_2[Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
AU-5(1)
Response to Audit Logging Process Failures | Storage Capacity Warning
Provide a warning to au-5.1_prm_1[Assignment: organization-defined personnel, roles, and/or locations] within au-5.1_prm_2[Assignment: organization-defined time period] when allocated audit log storage volume reaches au-5.1_prm_3[Assignment: organization-defined percentage] of repository maximum audit log storage capacity.
Response to Audit Processing Failures | Audit Storage Capacity
The information system provides a warning to au-5.1_prm_1[Assignment: organization-defined personnel, roles, and/or locations] within au-5.1_prm_2[Assignment: organization-defined time period] when allocated audit record storage volume reaches au-5.1_prm_3[Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
AU-5(2)
Response to Audit Logging Process Failures | Real-time Alerts
Provide an alert within au-5.2_prm_1[Assignment: organization-defined real-time period] to au-5.2_prm_2[Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: au-5.2_prm_3[Assignment: organization-defined audit logging failure events requiring real-time alerts].
Response to Audit Processing Failures | Real-time Alerts
The information system provides an alert in au-5.2_prm_1[Assignment: organization-defined real-time period] to au-5.2_prm_2[Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: au-5.2_prm_3[Assignment: organization-defined audit failure events requiring real-time alerts].
AU-5(3)
Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds
Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and au-5.3_prm_1[Selection: reject or delay] network traffic above those thresholds.
Response to Audit Processing Failures | Configurable Traffic Volume Thresholds
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and au-5.3_prm_1[Selection: rejects or delays] network traffic above those thresholds.
AU-5(4)
Response to Audit Logging Process Failures | Shutdown on Failure
Invoke a au-5.4_prm_1[Selection: full system shutdown or partial system shutdown or degraded operational mode with limited mission or business functionality available] in the event of au-5.4_prm_2[Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists.
Response to Audit Processing Failures | Shutdown On Failure
The information system invokes a au-5.4_prm_1[Selection: full system shutdown or partial system shutdown or degraded operational mode with limited mission/business functionality available] in the event of au-5.4_prm_2[Assignment: organization-defined audit failures], unless an alternate audit capability exists.
AU-5(5)
Response to Audit Logging Process Failures | Alternate Audit Logging Capability
Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements au-5.5_prm_1[Assignment: organization-defined alternate audit logging functionality].
No predecessor
AU-6
Audit Record Review, Analysis, and ReportingⓁ Ⓜ Ⓗ
a. Review and analyze system audit records au-6_prm_1[Assignment: organization-defined frequency] for indications of au-6_prm_2[Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;
b. Report findings to au-6_prm_3[Assignment: organization-defined personnel or roles]; and
c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
Audit Review, Analysis, and ReportingⓁ Ⓜ Ⓗ
The organization:
a. Reviews and analyzes information system audit records au-6_prm_1[Assignment: organization-defined frequency] for indications of au-6_prm_2[Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to au-6_prm_3[Assignment: organization-defined personnel or roles].
AU-6(1)
Audit Record Review, Analysis, and Reporting | Automated Process IntegrationⓂ Ⓗ
Integrate audit record review, analysis, and reporting processes using au-6.1_prm_1[Assignment: organization-defined automated mechanisms].
Audit Review, Analysis, and Reporting | Process IntegrationⓂ Ⓗ
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
AU-6(2)
Audit Record Review, Analysis, and Reporting | Automated Security Alerts
Withdrawn — incorporated into SI-4.
Audit Review, Analysis, and Reporting | Automated Security Alerts
Withdrawn — incorporated into SI-4.
AU-6(3)
Audit Record Review, Analysis, and Reporting | Correlate Audit Record RepositoriesⓂ Ⓗ
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
Audit Review, Analysis, and Reporting | Correlate Audit RepositoriesⓂ Ⓗ
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
AU-6(4)
Audit Record Review, Analysis, and Reporting | Central Review and Analysis
Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
Audit Review, Analysis, and Reporting | Central Review and Analysis
The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
AU-6(5)
Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records
Integrate analysis of audit records with analysis of au-6.5_prm_1[Selection: vulnerability scanning information or performance data or system monitoring information or au-6.5_prm_2[Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
Audit Review, Analysis, and Reporting | Integration / Scanning and Monitoring Capabilities
The organization integrates analysis of audit records with analysis of au-6.5_prm_1[Selection: vulnerability scanning information or performance data or information system monitoring information or au-6.5_prm_2[Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
AU-6(6)
Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring
Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
Audit Review, Analysis, and Reporting | Correlation with Physical Monitoring
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
AU-6(7)
Audit Record Review, Analysis, and Reporting | Permitted Actions
Specify the permitted actions for each au-6.7_prm_1[Selection: system process or role or user] associated with the review, analysis, and reporting of audit record information.
Audit Review, Analysis, and Reporting | Permitted Actions
The organization specifies the permitted actions for each au-6.7_prm_1[Selection: information system process or role or user] associated with the review, analysis, and reporting of audit information.
AU-6(8)
Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands
Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.
Audit Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands
The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
AU-6(9)
Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources
Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
Audit Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources
The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.
AU-6(10)
Audit Record Review, Analysis, and Reporting | Audit Level Adjustment
Withdrawn — incorporated into AU-6.
Audit Review, Analysis, and Reporting | Audit Level Adjustment
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-7
Audit Record Reduction and Report GenerationⓂ Ⓗ
Provide and implement an audit record reduction and report generation capability that:
a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and
b. Does not alter the original content or time ordering of audit records.
Audit Reduction and Report GenerationⓂ Ⓗ
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records.
AU-7(1)
Audit Record Reduction and Report Generation | Automatic ProcessingⓂ Ⓗ
Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: au-7.1_prm_1[Assignment: organization-defined fields within audit records].
Audit Reduction and Report Generation | Automatic ProcessingⓂ Ⓗ
The information system provides the capability to process audit records for events of interest based on au-7.1_prm_1[Assignment: organization-defined audit fields within audit records].
AU-7(2)
Audit Record Reduction and Report Generation | Automatic Sort and Search
Withdrawn — incorporated into AU-7(1).
Audit Reduction and Report Generation | Automatic Sort and Search
The information system provides the capability to sort and search audit records for events of interest based on the content of au-7.2_prm_1[Assignment: organization-defined audit fields within audit records].
AU-8
Time StampsⓁ Ⓜ Ⓗ
a. Use internal system clocks to generate time stamps for audit records; and
b. Record time stamps for audit records that meet au-8_prm_1[Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.
Time StampsⓁ Ⓜ Ⓗ
The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets au-8_prm_1[Assignment: organization-defined granularity of time measurement].
AU-8(1)
Time Stamps | Synchronization with Authoritative Time Source
Withdrawn — moved to SC-45(1).
Time Stamps | Synchronization with Authoritative Time SourceⓂ Ⓗ
The information system:
(a) Compares the internal information system clocks au-8.1_prm_1[Assignment: organization-defined frequency] with au-8.1_prm_2[Assignment: organization-defined authoritative time source]; and
(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than au-8.1_prm_3[Assignment: organization-defined time period].
AU-8(2)
Time Stamps | Secondary Authoritative Time Source
Withdrawn — moved to SC-45(2).
Time Stamps | Secondary Authoritative Time Source
The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
AU-9
Protection of Audit InformationⓁ Ⓜ Ⓗ
a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
b. Alert au-9_prm_1[Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
Protection of Audit InformationⓁ Ⓜ Ⓗ
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
AU-9(1)
Protection of Audit Information | Hardware Write-once Media
Write audit trails to hardware-enforced, write-once media.
Protection of Audit Information | Hardware Write-once Media
The information system writes audit trails to hardware-enforced, write-once media.
AU-9(2)
Protection of Audit Information | Store on Separate Physical Systems or Components
Store audit records au-9.2_prm_1[Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.
Protection of Audit Information | Audit Backup On Separate Physical Systems / Components
The information system backs up audit records au-9.2_prm_1[Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
AU-9(3)
Protection of Audit Information | Cryptographic Protection
Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
Protection of Audit Information | Cryptographic Protection
The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
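AU-9(3) requires cryptographic integrity protection for audit information but does not prescribe a mechanism. The Python example below is added here for illustration; it is not NIST text and not part of the page's OSCAL-derived material. It shows one common design: each record carries an HMAC that also covers the previous record's tag, so modification, deletion, insertion or reordering of any record invalidates every later tag, and the original time ordering (AU-7b) is preserved by construction. The key name LOG_KEY, the record layout, the anchor format and the sample events are all assumptions constructed for the example.

```python
"""Hash-chained, HMAC-protected audit log. Added illustration of one way to
meet AU-9(3); not NIST text and not the page's own material."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Assumption: a secret held only by the audit subsystem's verifier (AU-9(4)).
# In a real deployment it lives in an HSM/KMS, never on the audited host.
LOG_KEY = b"example-only-audit-log-key-do-not-use"

GENESIS = hashlib.sha256(b"audit-log-genesis").hexdigest()


def _canonical(obj) -> bytes:
    # Canonical JSON so the tag does not depend on key order or whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(seq: int, prev: str, record: Dict, key: bytes) -> str:
    body = {"seq": seq, "prev": prev, "record": record}
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_record(chain: List[Dict], record: Dict, key: bytes = LOG_KEY) -> Dict:
    """Append a record whose tag covers the previous tag, so modifying, deleting,
    inserting or reordering any earlier entry invalidates every later tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "prev": prev, "record": record, "tag": _tag(seq, prev, record, key)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], key: bytes = LOG_KEY) -> Tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        expected = _tag(e["seq"], e["prev"], e["record"], key)
        if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(expected, e["tag"]):
            return False, i
        prev = e["tag"]
    return True, -1


def verify_anchored(chain: List[Dict], anchor: Dict, key: bytes = LOG_KEY) -> bool:
    """Truncating the newest entries leaves a valid chain; detecting it needs an
    anchor (length, last tag) kept off the audited host or on write-once media."""
    ok, _ = verify_chain(chain, key)
    if not ok or not chain or len(chain) != anchor["len"]:
        return False
    return hmac.compare_digest(chain[-1]["tag"], anchor["tag"])


def build_sample_chain() -> List[Dict]:
    # Constructed sample events, not real audit data.
    events = [
        {"ts": "2021-07-30T10:59:00Z", "user": "alice", "event": "login", "result": "success"},
        {"ts": "2021-07-30T11:02:13Z", "user": "alice", "event": "sudo",
         "cmd": "/usr/bin/systemctl stop auditd"},
        {"ts": "2021-07-30T11:02:15Z", "user": "alice", "event": "logout"},
    ]
    chain: List[Dict] = []
    for ev in events:
        append_record(chain, ev)
    return chain


def tamper_demo() -> Tuple[int, int, int]:
    """Index at which verify_chain flags each of three tampering attempts."""
    c = build_sample_chain()                      # 1. edit a privileged command
    c[1]["record"]["cmd"] = "/usr/bin/ls"
    _, bad_modify = verify_chain(c)
    c = build_sample_chain()                      # 2. delete the incriminating record
    del c[1]
    _, bad_delete = verify_chain(c)
    c = build_sample_chain()                      # 3. rewrite the tail, re-hash without the key
    c[2]["record"]["event"] = "login"
    c[2]["tag"] = hashlib.sha256(_canonical(c[2]["record"])).hexdigest()
    _, bad_forge = verify_chain(c)
    return bad_modify, bad_delete, bad_forge


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain), tamper_demo())
```

Two caveats a practitioner should keep in mind. A chain by itself cannot detect truncation of the newest records, which is why verify_anchored compares against a length and last tag held somewhere the audited host cannot rewrite: a separate system (AU-4(1), AU-9(2)) or hardware write-once media (AU-9(1)). And an HMAC provides only integrity: since the verifier holds the same key, it cannot prove to a third party who produced a record, so non-repudiation (AU-10) needs an asymmetric signature under a key held only by the producer.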
AU-9(4)
Protection of Audit Information | Access by Subset of Privileged UsersⓂ Ⓗ
Authorize access to management of audit logging functionality to only au-9.4_prm_1[Assignment: organization-defined subset of privileged users or roles].
Protection of Audit Information | Access by Subset of Privileged UsersⓂ Ⓗ
The organization authorizes access to management of audit functionality to only au-9.4_prm_1[Assignment: organization-defined subset of privileged users].
AU-9(5)
Protection of Audit Information | Dual Authorization
Enforce dual authorization for au-9.5_prm_1[Selection: movement or deletion] of au-9.5_prm_2[Assignment: organization-defined audit information].
Protection of Audit Information | Dual Authorization
The organization enforces dual authorization for au-9.5_prm_1[Selection: movement or deletion] of au-9.5_prm_2[Assignment: organization-defined audit information].
AU-9(6)
Protection of Audit Information | Read-only Access
Authorize read-only access to audit information to au-9.6_prm_1[Assignment: organization-defined subset of privileged users or roles].
Protection of Audit Information | Read Only Access
The organization authorizes read-only access to audit information to au-9.6_prm_1[Assignment: organization-defined subset of privileged users].
AU-9(7)
Protection of Audit Information | Store on Component with Different Operating System
Store audit information on a component running a different operating system than the system or component being audited.
No predecessor
AU-10
Non-repudiation
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed au-10_prm_1[Assignment: organization-defined actions to be covered by non-repudiation].
Non-repudiation
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed au-10_prm_1[Assignment: organization-defined actions to be covered by non-repudiation].
AU-10(1)
Non-repudiation | Association of Identities
(a) Bind the identity of the information producer with the information to au-10.1_prm_1[Assignment: organization-defined strength of binding]; and
(b) Provide the means for authorized individuals to determine the identity of the producer of the information.
Non-repudiation | Association of Identities
The information system:
(a) Binds the identity of the information producer with the information to au-10.1_prm_1[Assignment: organization-defined strength of binding]; and
(b) Provides the means for authorized individuals to determine the identity of the producer of the information.
AU-10(2)
Non-repudiation | Validate Binding of Information Producer Identity
(a) Validate the binding of the information producer identity to the information at au-10.2_prm_1[Assignment: organization-defined frequency]; and
(b) Perform au-10.2_prm_2[Assignment: organization-defined actions] in the event of a validation error.
Non-repudiation | Validate Binding of Information Producer Identity
The information system:
(a) Validates the binding of the information producer identity to the information at au-10.2_prm_1[Assignment: organization-defined frequency]; and
(b) Performs au-10.2_prm_2[Assignment: organization-defined actions] in the event of a validation error.
AU-10(3)
Non-repudiation | Chain of Custody
Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released.
Non-repudiation | Chain of Custody
The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
AU-10(4)
Non-repudiation | Validate Binding of Information Reviewer Identity
(a) Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between au-10.4_prm_1[Assignment: organization-defined security domains]; and
(b) Perform au-10.4_prm_2[Assignment: organization-defined actions] in the event of a validation error.
Non-repudiation | Validate Binding of Information Reviewer Identity
The information system:
(a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between au-10.4_prm_1[Assignment: organization-defined security domains]; and
(b) Performs au-10.4_prm_2[Assignment: organization-defined actions] in the event of a validation error.
AU-10(5)
Non-repudiation | Digital Signatures
Withdrawn — incorporated into SI-7.
Non-repudiation | Digital Signatures
Withdrawn — incorporated into SI-7.
AU-11
Audit Record RetentionⓁ Ⓜ Ⓗ Ⓟ
Retain audit records for au-11_prm_1[Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
Audit Record RetentionⓁ Ⓜ Ⓗ
The organization retains audit records for au-11_prm_1[Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
AU-11(1)
Audit Record Retention | Long-term Retrieval Capability
Employ au-11.1_prm_1[Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.
Audit Record Retention | Long-term Retrieval Capability
The organization employs au-11.1_prm_1[Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved.
AU-12
Audit Record GenerationⓁ Ⓜ Ⓗ
a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on au-12_prm_1[Assignment: organization-defined system components];
b. Allow au-12_prm_2[Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and
c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
Audit GenerationⓁ Ⓜ Ⓗ
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 a. at au-12_prm_1[Assignment: organization-defined information system components];
b. Allows au-12_prm_2[Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
AU-12(1)
Audit Record Generation | System-wide and Time-correlated Audit Trail
Compile audit records from au-12.1_prm_1[Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within au-12.1_prm_2[Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
Audit Generation | System-wide / Time-correlated Audit Trail
The information system compiles audit records from au-12.1_prm_1[Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within au-12.1_prm_2[Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
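AU-8b (time stamps in UTC, with a fixed local offset, or carrying an explicit offset, at an organization-defined granularity) and AU-12(1) (records from several components correlated to within a tolerance) are easiest to enforce at log ingestion, before correlation is attempted. The Python example below is an added illustration, not NIST text and not the page's own material: it normalizes constructed sample records from four components to UTC, rejects stamps that cannot be mapped to UTC or lack the required granularity, and checks that the stamps believed to describe one event fall within a tolerance. The component names, the FIXED_OFFSETS table, the one-second granularity rule and the log lines are all assumptions made for the example.

```python
"""Normalize audit time stamps to UTC (AU-8b) and check cross-component
time correlation (AU-12(1)). Added illustration; not NIST text."""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumption: components whose stamps are naive local time but have a
# documented, fixed offset from UTC (the second option in AU-8b).
FIXED_OFFSETS = {"badge-reader-3": timezone(timedelta(hours=-5))}

# Assumption: the organization-defined granularity is one second, so a stamp
# without a seconds field is rejected.
SECONDS_PRESENT = re.compile(r"\d{2}:\d{2}:\d{2}")

# Constructed sample records: (component, raw stamp, message). Not real data.
SAMPLE = [
    ("web-1", "2021-07-30T15:02:13.120Z", "session=abc123 login ok"),
    ("db-1", "2021-07-30T17:02:13.700+02:00", "session=abc123 query users"),
    ("badge-reader-3", "2021-07-30 10:02:12", "session=abc123 door=lobby granted"),
    ("legacy-nas", "2021-07-30 15:02:14", "session=abc123 share mounted"),
]


def parse_stamp(raw: str, component: str) -> Optional[datetime]:
    """Return an aware UTC datetime, or None if the stamp cannot be mapped to
    UTC or lacks the required granularity."""
    s = raw.strip()
    if not SECONDS_PRESENT.search(s):
        return None
    if s.endswith("Z"):  # datetime.fromisoformat before Python 3.11 rejects 'Z'
        s = s[:-1] + "+00:00"
    try:
        dt = datetime.fromisoformat(s)
    except ValueError:
        return None
    if dt.tzinfo is None:
        tz = FIXED_OFFSETS.get(component)
        if tz is None:  # naive stamp from a component with no documented offset
            return None
        dt = dt.replace(tzinfo=tz)
    return dt.astimezone(timezone.utc)


def normalize(records) -> Tuple[List[Tuple[str, datetime, str]], List[Tuple[str, str]]]:
    """Split records into UTC-normalized entries and rejected (component, raw) pairs."""
    good, rejected = [], []
    for component, raw, message in records:
        dt = parse_stamp(raw, component)
        if dt is None:
            rejected.append((component, raw))
        else:
            good.append((component, dt, message))
    return good, rejected


def spread_microseconds(entries) -> int:
    """Largest difference between the stamps of entries describing one event."""
    stamps = [dt for _, dt, _ in entries]
    return (max(stamps) - min(stamps)) // timedelta(microseconds=1)


def correlated_within(entries, tolerance: timedelta) -> bool:
    """AU-12(1): true if every stamp lies within the organization-defined tolerance."""
    return spread_microseconds(entries) <= tolerance // timedelta(microseconds=1)


def check_sample():
    good, rejected = normalize(SAMPLE)
    return (
        [c for c, _, _ in good],
        rejected,
        spread_microseconds(good),
        correlated_within(good, timedelta(seconds=2)),
        correlated_within(good, timedelta(seconds=1)),
    )


if __name__ == "__main__":
    print(check_sample())
```

With these sample inputs the legacy-nas record is rejected because a naive stamp from a component with no documented offset cannot be mapped to UTC, and the remaining three stamps spread over 1.7 seconds: acceptable under a two-second tolerance, not under a one-second one. Rejecting rather than guessing is the safer choice; a silently mis-offset stamp would make later correlation (AU-6(3)) place events hours apart.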
AU-12(2)
Audit Record Generation | Standardized Formats
Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
Audit Generation | Standardized Formats
The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
AU-12(3)
Audit Record Generation | Changes by Authorized Individuals
Provide and implement the capability for au-12.3_prm_1[Assignment: organization-defined individuals or roles] to change the logging to be performed on au-12.3_prm_2[Assignment: organization-defined system components] based on au-12.3_prm_3[Assignment: organization-defined selectable event criteria] within au-12.3_prm_4[Assignment: organization-defined time thresholds].
Audit Generation | Changes by Authorized Individuals
The information system provides the capability for au-12.3_prm_1[Assignment: organization-defined individuals or roles] to change the auditing to be performed on au-12.3_prm_2[Assignment: organization-defined information system components] based on au-12.3_prm_3[Assignment: organization-defined selectable event criteria] within au-12.3_prm_4[Assignment: organization-defined time thresholds].
AU-12(4)
Audit Record Generation | Query Parameter Audits of Personally Identifiable Information
Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.
No predecessor
AU-13
Monitoring for Information Disclosure
a. Monitor au-13_prm_1[Assignment: organization-defined open-source information and/or information sites] au-13_prm_2[Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information; and
b. If an information disclosure is discovered:
1. Notify au-13_prm_3[Assignment: organization-defined personnel or roles]; and
2. Take the following additional actions: au-13_prm_4[Assignment: organization-defined additional actions].
Monitoring for Information Disclosure
The organization monitors au-13_prm_1[Assignment: organization-defined open source information and/or information sites] au-13_prm_2[Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.
AU-13(1)
Monitoring for Information Disclosure | Use of Automated Tools
Monitor open-source information and information sites using au-13.1_prm_1[Assignment: organization-defined automated mechanisms].
Monitoring for Information Disclosure | Use of Automated Tools
The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.
AU-13(2)
Monitoring for Information Disclosure | Review of Monitored Sites
Review the list of open-source information sites being monitored au-13.2_prm_1[Assignment: organization-defined frequency].
Monitoring for Information Disclosure | Review of Monitored Sites
The organization reviews the open source information sites being monitored au-13.2_prm_1[Assignment: organization-defined frequency].
AU-13(3)
Monitoring for Information Disclosure | Unauthorized Replication of Information
Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.
No predecessor
AU-14
Session Audit
a. Provide and implement the capability for au-14_prm_1[Assignment: organization-defined users or roles] to au-14_prm_2[Selection: record or view or hear or log] the content of a user session under au-14_prm_3[Assignment: organization-defined circumstances]; and
b. Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Session Audit
The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
AU-14(1)
Session Audit | System Start-up
Initiate session audits automatically at system start-up.
Session Audit | System Start-up
The information system initiates session audits at system start-up.
AU-14(2)
Session Audit | Capture and Record Content
Withdrawn — incorporated into AU-14.
Session Audit | Capture/record and Log Content
The information system provides the capability for authorized users to capture/record and log content related to a user session.
AU-14(3)
Session Audit | Remote Viewing and Listening
Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.
Session Audit | Remote Viewing / Listening
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.
AU-15
Alternate Audit Logging Capability
Withdrawn — moved to AU-5(5).
Alternate Audit Capability
The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides au-15_prm_1[Assignment: organization-defined alternate audit functionality].
AU-16
Cross-organizational Audit Logging
Employ au-16_prm_1[Assignment: organization-defined methods] for coordinating au-16_prm_2[Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
Cross-organizational Auditing
The organization employs au-16_prm_1[Assignment: organization-defined methods] for coordinating au-16_prm_2[Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
AU-16(1)
Cross-organizational Audit Logging | Identity Preservation
Preserve the identity of individuals in cross-organizational audit trails.
Cross-organizational Auditing | Identity Preservation
The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
AU-16(2)
Cross-organizational Audit Logging | Sharing of Audit Information
Provide cross-organizational audit information to au-16.2_prm_1[Assignment: organization-defined organizations] based on au-16.2_prm_2[Assignment: organization-defined cross-organizational sharing agreements].
Cross-organizational Auditing | Sharing of Audit Information
The organization provides cross-organizational audit information to au-16.2_prm_1[Assignment: organization-defined organizations] based on au-16.2_prm_2[Assignment: organization-defined cross-organizational sharing agreements].
AU-16(3)
Cross-organizational Audit Logging | Disassociability
Implement au-16.3_prm_1[Assignment: organization-defined measures] to disassociate individuals from audit information transmitted across organizational boundaries.
No predecessor
CA-1
Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟ
a. Develop, document, and disseminate to ca-1_prm_1[Assignment: organization-defined personnel or roles]:
1. ca-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] assessment, authorization, and monitoring policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;
b. Designate an ca-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and
c. Review and update the current assessment, authorization, and monitoring:
1. Policy ca-1_prm_4[Assignment: organization-defined frequency] and following ca-1_prm_5[Assignment: organization-defined events]; and
2. Procedures ca-1_prm_6[Assignment: organization-defined frequency] and following ca-1_prm_7[Assignment: organization-defined events].
Security Assessment and Authorization Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to ca-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy ca-1_prm_2[Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures ca-1_prm_3[Assignment: organization-defined frequency].
CA-2
Control AssessmentsⓁ Ⓜ Ⓗ Ⓟ
a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
b. Develop a control assessment plan that describes the scope of the assessment including:
1. Controls and control enhancements under assessment;
2. Assessment procedures to be used to determine control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
d. Assess the controls in the system and its environment of operation ca-2_prm_1[Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
e. Produce a control assessment report that documents the results of the assessment; and
f. Provide the results of the control assessment to ca-2_prm_2[Assignment: organization-defined individuals or roles].
Security AssessmentsⓁ Ⓜ Ⓗ
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation ca-2_prm_1[Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to ca-2_prm_2[Assignment: organization-defined individuals or roles].
CA-2(1)
Control Assessments | Independent AssessorsⓂ Ⓗ
Employ independent assessors or assessment teams to conduct control assessments.
Security Assessments | Independent AssessorsⓂ Ⓗ
The organization employs assessors or assessment teams with ca-2.1_prm_1[Assignment: organization-defined level of independence] to conduct security control assessments.
CA-2(2)
Control Assessments | Specialized Assessments
Include as part of control assessments, ca-2.2_prm_1[Assignment: organization-defined frequency], ca-2.2_prm_2[Selection: announced or unannounced], ca-2.2_prm_3[Selection: in-depth monitoring or security instrumentation or automated security test cases or vulnerability scanning or malicious user testing or insider threat assessment or performance and load testing or data leakage or data loss assessment or ca-2.2_prm_4[Assignment: organization-defined other forms of assessment]].
Security Assessments | Specialized Assessments
The organization includes as part of security control assessments, ca-2.2_prm_1[Assignment: organization-defined frequency], ca-2.2_prm_2[Selection: announced or unannounced], ca-2.2_prm_3[Selection: in-depth monitoring or vulnerability scanning or malicious user testing or insider threat assessment or performance/load testing or ca-2.2_prm_4[Assignment: organization-defined other forms of security assessment]].
CA-2(3)
Control Assessments | Leveraging Results from External Organizations
Leverage the results of control assessments performed by ca-2.3_prm_1[Assignment: organization-defined external organization] on ca-2.3_prm_2[Assignment: organization-defined system] when the assessment meets ca-2.3_prm_3[Assignment: organization-defined requirements].
Security Assessments | External Organizations
The organization accepts the results of an assessment of ca-2.3_prm_1[Assignment: organization-defined information system] performed by ca-2.3_prm_2[Assignment: organization-defined external organization] when the assessment meets ca-2.3_prm_3[Assignment: organization-defined requirements].
CA-3
Information ExchangeⓁ Ⓜ Ⓗ
a. Approve and manage the exchange of information between the system and other systems using ca-3_prm_1[Selection: interconnection security agreements or information exchange security agreements or memoranda of understanding or agreement or service level agreements or user agreements or nondisclosure agreements or ca-3_prm_2[Assignment: organization-defined type of agreement]];
b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
c. Review and update the agreements ca-3_prm_3[Assignment: organization-defined frequency].
System InterconnectionsⓁ Ⓜ Ⓗ
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements ca-3_prm_1[Assignment: organization-defined frequency].
CA-3(1)
Information Exchange | Unclassified National Security System Connections
Withdrawn — moved to SC-7(25).
System Interconnections | Unclassified National Security System Connections
The organization prohibits the direct connection of an ca-3.1_prm_1[Assignment: organization-defined unclassified, national security system] to an external network without the use of ca-3.1_prm_2[Assignment: organization-defined boundary protection device].
CA-3(2)
Information Exchange | Classified National Security System Connections
Withdrawn — moved to SC-7(26).
System Interconnections | Classified National Security System Connections
The organization prohibits the direct connection of a classified, national security system to an external network without the use of ca-3.2_prm_1[Assignment: organization-defined boundary protection device].
CA-3(3)
Information Exchange | Unclassified Non-national Security System Connections
Withdrawn — moved to SC-7(27).
System Interconnections | Unclassified Non-national Security System Connections
The organization prohibits the direct connection of an ca-3.3_prm_1[Assignment: organization-defined unclassified, non-national security system] to an external network without the use of ca-3.3_prm_2[Assignment: organization-defined boundary protection device].
CA-3(4)
Information Exchange | Connections to Public Networks
Withdrawn — moved to SC-7(28).
System Interconnections | Connections to Public Networks
The organization prohibits the direct connection of an ca-3.4_prm_1[Assignment: organization-defined information system] to a public network.
CA-3(5)
Information Exchange | Restrictions on External System Connections
Withdrawn — incorporated into SC-7(5).
System Interconnections | Restrictions On External System ConnectionsⓂ Ⓗ
The organization employs ca-3.5_prm_1[Selection: allow-all, deny-by-exception or deny-all, permit-by-exception] policy for allowing ca-3.5_prm_2[Assignment: organization-defined information systems] to connect to external information systems.
CA-3(6)
Information Exchange | Transfer Authorizations
Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
No predecessor
CA-3(7)
Information Exchange | Transitive Information Exchanges
(a) Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a; and
(b) Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.
No predecessor
CA-4
Security Certification
Withdrawn — incorporated into CA-2.
Security Certification
Withdrawn — incorporated into CA-2.
CA-5
Plan of Action and MilestonesⓁ Ⓜ Ⓗ Ⓟ
a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
b. Update existing plan of action and milestones ca-5_prm_1[Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
Plan of Action and MilestonesⓁ Ⓜ Ⓗ
The organization:
a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones ca-5_prm_1[Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CA-5(1)
Plan of Action and Milestones | Automation Support for Accuracy and Currency
Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using ca-5.1_prm_1[Assignment: organization-defined automated mechanisms].
Plan of Action and Milestones | Automation Support for Accuracy / Currency
The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.
CA-6
AuthorizationⓁ Ⓜ Ⓗ Ⓟ
a. Assign a senior official as the authorizing official for the system;
b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
c. Ensure that the authorizing official for the system, before commencing operations:
1. Accepts the use of common controls inherited by the system; and
2. Authorizes the system to operate;
d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
e. Update the authorizations ca-6_prm_1[Assignment: organization-defined frequency].
Security AuthorizationⓁ Ⓜ Ⓗ
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization ca-6_prm_1[Assignment: organization-defined frequency].
CA-6(1)
Authorization | Joint Authorization — Intra-organization
Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization.
No predecessor
CA-6(2)
Authorization | Joint Authorization — Inter-organization
Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.
No predecessor
CA-7
Continuous MonitoringⓁ Ⓜ Ⓗ Ⓟ
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
a. Establishing the following system-level metrics to be monitored: ca-7_prm_1[Assignment: organization-defined system-level metrics];
b. Establishing ca-7_prm_2[Assignment: organization-defined frequencies] for monitoring and ca-7_prm_3[Assignment: organization-defined frequencies] for assessment of control effectiveness;
c. Ongoing control assessments in accordance with the continuous monitoring strategy;
d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
e. Correlation and analysis of information generated by control assessments and monitoring;
f. Response actions to address results of the analysis of control assessment and monitoring information; and
g. Reporting the security and privacy status of the system to ca-7_prm_4[Assignment: organization-defined personnel or roles] ca-7_prm_5[Assignment: organization-defined frequency].
Continuous MonitoringⓁ Ⓜ Ⓗ
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of ca-7_prm_1[Assignment: organization-defined metrics] to be monitored;
b. Establishment of ca-7_prm_2[Assignment: organization-defined frequencies] for monitoring and ca-7_prm_3[Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to ca-7_prm_4[Assignment: organization-defined personnel or roles] ca-7_prm_5[Assignment: organization-defined frequency].
CA-7(1)
Continuous Monitoring | Independent AssessmentⓂ Ⓗ
Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.
Continuous Monitoring | Independent AssessmentⓂ Ⓗ
The organization employs assessors or assessment teams with ca-7.1_prm_1[Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
CA-7(2)
Continuous Monitoring | Types of Assessments
Withdrawn — incorporated into CA-2.
Continuous Monitoring | Types of Assessments
Withdrawn — incorporated into CA-2.
CA-7(3)
Continuous Monitoring | Trend Analyses
Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data.
Continuous Monitoring | Trend Analyses
The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
CA-7(4)
Continuous Monitoring | Risk MonitoringⓁ Ⓜ Ⓗ Ⓟ
Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:
(a) Effectiveness monitoring;
(b) Compliance monitoring; and
(c) Change monitoring.
No predecessor
CA-7(5)
Continuous Monitoring | Consistency Analysis
Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: ca-7.5_prm_1[Assignment: organization-defined actions].
No predecessor
CA-7(6)
Continuous Monitoring | Automation Support for Monitoring
Ensure the accuracy, currency, and availability of monitoring results for the system using ca-7.6_prm_1[Assignment: organization-defined automated mechanisms].
No predecessor
CA-8
Penetration Testing
Conduct penetration testing ca-8_prm_1[Assignment: organization-defined frequency] on ca-8_prm_2[Assignment: organization-defined systems or system components].
Penetration Testing
The organization conducts penetration testing ca-8_prm_1[Assignment: organization-defined frequency] on ca-8_prm_2[Assignment: organization-defined information systems or system components].
CA-8(1)
Penetration Testing | Independent Penetration Testing Agent or Team
Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.
Penetration Testing | Independent Penetration Agent or Team
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
CA-8(2)
Penetration Testing | Red Team Exercises
Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: ca-8.2_prm_1[Assignment: organization-defined red team exercises].
Penetration Testing | Red Team Exercises
The organization employs ca-8.2_prm_1[Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with ca-8.2_prm_2[Assignment: organization-defined rules of engagement].
CA-8(3)
Penetration Testing | Facility Penetration Testing
Employ a penetration testing process that includes ca-8.3_prm_1[Assignment: organization-defined frequency] ca-8.3_prm_2[Selection: announced or unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility.
No predecessor
CA-9
Internal System ConnectionsⓁ Ⓜ Ⓗ
a. Authorize internal connections of ca-9_prm_1[Assignment: organization-defined system components or classes of components] to the system;
b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;
c. Terminate internal system connections after ca-9_prm_2[Assignment: organization-defined conditions]; and
d. Review ca-9_prm_3[Assignment: organization-defined frequency] the continued need for each internal connection.
Internal System ConnectionsⓁ Ⓜ Ⓗ
The organization:
a. Authorizes internal connections of ca-9_prm_1[Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
CA-9(1)
Internal System Connections | Compliance Checks
Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.
Internal System Connections | Security Compliance Checks
The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.
CM-1
Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟ
a. Develop, document, and disseminate to cm-1_prm_1[Assignment: organization-defined personnel or roles]:
1. cm-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] configuration management policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
b. Designate an cm-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
c. Review and update the current configuration management:
1. Policy cm-1_prm_4[Assignment: organization-defined frequency] and following cm-1_prm_5[Assignment: organization-defined events]; and
2. Procedures cm-1_prm_6[Assignment: organization-defined frequency] and following cm-1_prm_7[Assignment: organization-defined events].
Configuration Management Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to cm-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy cm-1_prm_2[Assignment: organization-defined frequency]; and
2. Configuration management procedures cm-1_prm_3[Assignment: organization-defined frequency].
CM-2
Baseline ConfigurationⓁ Ⓜ Ⓗ
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
1. cm-2_prm_1[Assignment: organization-defined frequency];
2. When required due to cm-2_prm_2[Assignment: organization-defined circumstances]; and
3. When system components are installed or upgraded.
Baseline ConfigurationⓁ Ⓜ Ⓗ
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
CM-2(1)
Baseline Configuration | Reviews and Updates
Withdrawn — incorporated into CM-2.
Baseline Configuration | Reviews and UpdatesⓂ Ⓗ
The organization reviews and updates the baseline configuration of the information system:
(a) cm-2.1_prm_1[Assignment: organization-defined frequency];
(b) When required due to cm-2.1_prm_2[Assignment: organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades.
CM-2(2)
Baseline Configuration | Automation Support for Accuracy and CurrencyⓂ Ⓗ
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using cm-2.2_prm_1[Assignment: organization-defined automated mechanisms].
Baseline Configuration | Automation Support for Accuracy / Currency
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CM-2(3)
Baseline Configuration | Retention of Previous ConfigurationsⓂ Ⓗ
Retain cm-2.3_prm_1[Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback.
Baseline Configuration | Retention of Previous ConfigurationsⓂ Ⓗ
The organization retains cm-2.3_prm_1[Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
CM-2(4)
Baseline Configuration | Unauthorized Software
Withdrawn — incorporated into CM-7(4).
Baseline Configuration | Unauthorized Software
Withdrawn — incorporated into CM-7(4).
CM-2(5)
Baseline Configuration | Authorized Software
Withdrawn — incorporated into CM-7(5).
Baseline Configuration | Authorized Software
Withdrawn — incorporated into CM-7(5).
CM-2(6)
Baseline Configuration | Development and Test Environments
Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.
Baseline Configuration | Development and Test Environments
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
CM-2(7)
Baseline Configuration | Configure Systems and Components for High-risk AreasⓂ Ⓗ
(a) Issue cm-2.7_prm_1[Assignment: organization-defined systems or system components] with cm-2.7_prm_2[Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Apply the following controls to the systems or components when the individuals return from travel: cm-2.7_prm_3[Assignment: organization-defined controls].
Baseline Configuration | Configure Systems, Components, or Devices for High-risk AreasⓂ Ⓗ
The organization:
(a) Issues cm-2.7_prm_1[Assignment: organization-defined information systems, system components, or devices] with cm-2.7_prm_2[Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies cm-2.7_prm_3[Assignment: organization-defined security safeguards] to the devices when the individuals return.
CM-3
Configuration Change ControlⓂ Ⓗ
a. Determine and document the types of changes to the system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
c. Document configuration change decisions associated with the system;
d. Implement approved configuration-controlled changes to the system;
e. Retain records of configuration-controlled changes to the system for cm-3_prm_1[Assignment: organization-defined time period];
f. Monitor and review activities associated with configuration-controlled changes to the system; and
g. Coordinate and provide oversight for configuration change control activities through cm-3_prm_2[Assignment: organization-defined configuration change control element] that convenes cm-3_prm_3[Selection: cm-3_prm_4[Assignment: organization-defined frequency] or when cm-3_prm_5[Assignment: organization-defined configuration change conditions]].
Configuration Change ControlⓂ Ⓗ
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for cm-3_prm_1[Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through cm-3_prm_2[Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes cm-3_prm_3[Selection: cm-3_prm_4[Assignment: organization-defined frequency] or cm-3_prm_5[Assignment: organization-defined configuration change conditions]].
CM-3(1)
Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes
Use cm-3.1_prm_1[Assignment: organization-defined automated mechanisms] to:
(a) Document proposed changes to the system;
(b) Notify cm-3.1_prm_2[Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval;
(c) Highlight proposed changes to the system that have not been approved or disapproved within cm-3.1_prm_3[Assignment: organization-defined time period];
(d) Prohibit changes to the system until designated approvals are received;
(e) Document all changes to the system; and
(f) Notify cm-3.1_prm_4[Assignment: organization-defined personnel] when approved changes to the system are completed.
Configuration Change Control | Automated Document / Notification / Prohibition of Changes
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify cm-3.1_prm_1[Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by cm-3.1_prm_2[Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify cm-3.1_prm_3[Assignment: organization-defined personnel] when approved changes to the information system are completed.
CM-3(2)
Configuration Change Control | Testing, Validation, and Documentation of ChangesⓂ Ⓗ
Test, validate, and document changes to the system before finalizing the implementation of the changes.
Configuration Change Control | Test / Validate / Document ChangesⓂ Ⓗ
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CM-3(3)
Configuration Change Control | Automated Change Implementation
Implement changes to the current system baseline and deploy the updated baseline across the installed base using cm-3.3_prm_1[Assignment: organization-defined automated mechanisms].
Configuration Change Control | Automated Change Implementation
The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
CM-3(4)
Configuration Change Control | Security and Privacy RepresentativesⓂ Ⓗ
Require cm-3.4_prm_1[Assignment: organization-defined security and privacy representatives] to be members of the cm-3.4_prm_2[Assignment: organization-defined configuration change control element].
Configuration Change Control | Security Representative
The organization requires an information security representative to be a member of the cm-3.4_prm_1[Assignment: organization-defined configuration change control element].
CM-3(5)
Configuration Change Control | Automated Security Response
Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: cm-3.5_prm_1[Assignment: organization-defined security responses].
Configuration Change Control | Automated Security Response
The information system implements cm-3.5_prm_1[Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.
CM-3(6)
Configuration Change Control | Cryptography Management
Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: cm-3.6_prm_1[Assignment: organization-defined controls].
Configuration Change Control | Cryptography Management
The organization ensures that cryptographic mechanisms used to provide cm-3.6_prm_1[Assignment: organization-defined security safeguards] are under configuration management.
CM-3(7)
Configuration Change Control | Review System Changes
Review changes to the system cm-3.7_prm_1[Assignment: organization-defined frequency] or when cm-3.7_prm_2[Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
No predecessor
CM-3(8)
Configuration Change Control | Prevent or Restrict Configuration Changes
Prevent or restrict changes to the configuration of the system under the following circumstances: cm-3.8_prm_1[Assignment: organization-defined circumstances].
No predecessor
CM-4
Impact AnalysesⓁ Ⓜ Ⓗ Ⓟ
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
Security Impact AnalysisⓁ Ⓜ Ⓗ
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
CM-4(1)
Impact Analyses | Separate Test Environments
Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.
Security Impact Analysis | Separate Test Environments
The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CM-4(2)
Impact Analyses | Verification of ControlsⓂ Ⓗ
After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.
Security Impact Analysis | Verification of Security Functions
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CM-5
Access Restrictions for ChangeⓁ Ⓜ Ⓗ
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
Access Restrictions for ChangeⓂ Ⓗ
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CM-5(1)
Access Restrictions for Change | Automated Access Enforcement and Audit Records
(a) Enforce access restrictions using cm-5.1_prm_1[Assignment: organization-defined automated mechanisms]; and
(b) Automatically generate audit records of the enforcement actions.
Access Restrictions for Change | Automated Access Enforcement / Auditing
The information system enforces access restrictions and supports auditing of the enforcement actions.
CM-5(2)
Access Restrictions for Change | Review System Changes
Withdrawn — incorporated into CM-3(7).
Access Restrictions for Change | Review System Changes
The organization reviews information system changes cm-5.2_prm_1[Assignment: organization-defined frequency] and cm-5.2_prm_2[Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
CM-5(3)
Access Restrictions for Change | Signed Components
Withdrawn — moved to CM-14.
Access Restrictions for Change | Signed Components
The information system prevents the installation of cm-5.3_prm_1[Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
CM-5(4)
Access Restrictions for Change | Dual Authorization
Enforce dual authorization for implementing changes to cm-5.4_prm_1[Assignment: organization-defined system components and system-level information].
Access Restrictions for Change | Dual Authorization
The organization enforces dual authorization for implementing changes to cm-5.4_prm_1[Assignment: organization-defined information system components and system-level information].
CM-5(5)
Access Restrictions for Change | Privilege Limitation for Production and Operation
(a) Limit privileges to change system components and system-related information within a production or operational environment; and
(b) Review and reevaluate privileges cm-5.5_prm_1[Assignment: organization-defined frequency].
Access Restrictions for Change | Limit Production / Operational Privileges
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges cm-5.5_prm_1[Assignment: organization-defined frequency].
CM-5(6)
Access Restrictions for Change | Limit Library Privileges
Limit privileges to change software resident within software libraries.
Access Restrictions for Change | Limit Library Privileges
The organization limits privileges to change software resident within software libraries.
CM-5(7)
Access Restrictions for Change | Automatic Implementation of Security Safeguards
Withdrawn — incorporated into SI-7.
Access Restrictions for Change | Automatic Implementation of Security Safeguards
Withdrawn — incorporated into SI-7.
CM-6
Configuration SettingsⓁ Ⓜ Ⓗ
a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using cm-6_prm_1[Assignment: organization-defined common secure configurations];
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for cm-6_prm_2[Assignment: organization-defined system components] based on cm-6_prm_3[Assignment: organization-defined operational requirements]; and
d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
Configuration SettingsⓁ Ⓜ Ⓗ
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using cm-6_prm_1[Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for cm-6_prm_2[Assignment: organization-defined information system components] based on cm-6_prm_3[Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CM-6(1)
Configuration Settings | Automated Management, Application, and Verification
Manage, apply, and verify configuration settings for cm-6.1_prm_1[Assignment: organization-defined system components] using cm-6.1_prm_2[Assignment: organization-defined automated mechanisms].
Configuration Settings | Automated Central Management / Application / Verification
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for cm-6.1_prm_1[Assignment: organization-defined information system components].
CM-6(2)
Configuration Settings | Respond to Unauthorized Changes
Take the following actions in response to unauthorized changes to cm-6.2_prm_1[Assignment: organization-defined configuration settings]: cm-6.2_prm_2[Assignment: organization-defined actions].
Configuration Settings | Respond to Unauthorized Changes
The organization employs cm-6.2_prm_1[Assignment: organization-defined security safeguards] to respond to unauthorized changes to cm-6.2_prm_2[Assignment: organization-defined configuration settings].
CM-6(3)
Configuration Settings | Unauthorized Change Detection
Withdrawn — incorporated into SI-7.
Configuration Settings | Unauthorized Change Detection
Withdrawn — incorporated into SI-7.
CM-6(4)
Configuration Settings | Conformance Demonstration
Withdrawn — incorporated into CM-4.
Configuration Settings | Conformance Demonstration
Withdrawn — incorporated into CM-4.
CM-7
Least FunctionalityⓁ Ⓜ Ⓗ
a. Configure the system to provide only cm-7_prm_1[Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: cm-7_prm_2[Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
Least FunctionalityⓁ Ⓜ Ⓗ
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: cm-7_prm_1[Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
CM-7(1)
Least Functionality | Periodic ReviewⓂ Ⓗ
(a) Review the system cm-7.1_prm_1[Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
(b) Disable or remove cm-7.1_prm_2[Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].
Least Functionality | Periodic ReviewⓂ Ⓗ
The organization:
(a) Reviews the information system cm-7.1_prm_1[Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
(b) Disables cm-7.1_prm_2[Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
CM-7(2)
Least Functionality | Prevent Program ExecutionⓂ Ⓗ
Prevent program execution in accordance with cm-7.2_prm_1[Selection: cm-7.2_prm_2[Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions] or rules authorizing the terms and conditions of software program usage].
Least Functionality | Prevent Program ExecutionⓂ Ⓗ
The information system prevents program execution in accordance with cm-7.2_prm_1[Selection: cm-7.2_prm_2[Assignment: organization-defined policies regarding software program usage and restrictions] or rules authorizing the terms and conditions of software program usage].
CM-7(3)
Least Functionality | Registration Compliance
Ensure compliance with cm-7.3_prm_1[Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
Least Functionality | Registration Compliance
The organization ensures compliance with cm-7.3_prm_1[Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
CM-7(4)
Least Functionality | Unauthorized Software — Deny-by-exception
(a) Identify cm-7.4_prm_1[Assignment: organization-defined software programs not authorized to execute on the system];
(b) Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and
(c) Review and update the list of unauthorized software programs cm-7.4_prm_2[Assignment: organization-defined frequency].
Least Functionality | Unauthorized Software / Blacklisting
The organization:
(a) Identifies cm-7.4_prm_1[Assignment: organization-defined software programs not authorized to execute on the information system];
(b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
(c) Reviews and updates the list of unauthorized software programs cm-7.4_prm_2[Assignment: organization-defined frequency].
CM-7(5)
Least Functionality | Authorized Software — Allow-by-exceptionⓂ Ⓗ
(a) Identify cm-7.5_prm_1[Assignment: organization-defined software programs authorized to execute on the system];
(b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
(c) Review and update the list of authorized software programs cm-7.5_prm_2[Assignment: organization-defined frequency].
Least Functionality | Authorized Software / Whitelisting
The organization:
(a) Identifies cm-7.5_prm_1[Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs cm-7.5_prm_2[Assignment: organization-defined frequency].
CM-7(6)
Least Functionality | Confined Environments with Limited Privileges
Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: cm-7.6_prm_1[Assignment: organization-defined user-installed software].
No predecessor
CM-7(7)
Least Functionality | Code Execution in Protected Environments
Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of cm-7.7_prm_1[Assignment: organization-defined personnel or roles] when such code is:
(a) Obtained from sources with limited or no warranty; and/or
(b) Without the provision of source code.
No predecessor
CM-7(8)
Least Functionality | Binary or Machine Executable Code
(a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and
(b) Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.
No predecessor
CM-7(9)
Least Functionality | Prohibiting The Use of Unauthorized Hardware
(a) Identify cm-7.9_prm_1[Assignment: organization-defined hardware components authorized for system use];
(b) Prohibit the use or connection of unauthorized hardware components;
(c) Review and update the list of authorized hardware components cm-7.9_prm_2[Assignment: organization-defined frequency].
No predecessor
CM-8
System Component InventoryⓁ Ⓜ Ⓗ
a. Develop and document an inventory of system components that:
1. Accurately reflects the system;
2. Includes all components within the system;
3. Does not include duplicate accounting of components or components assigned to any other system;
4. Is at the level of granularity deemed necessary for tracking and reporting; and
5. Includes the following information to achieve system component accountability: cm-8_prm_1[Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and
b. Review and update the system component inventory cm-8_prm_2[Assignment: organization-defined frequency].
Information System Component InventoryⓁ Ⓜ Ⓗ
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes cm-8_prm_1[Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory cm-8_prm_2[Assignment: organization-defined frequency].
CM-8(1)
System Component Inventory | Updates During Installation and RemovalⓂ Ⓗ
Update the inventory of system components as part of component installations, removals, and system updates.
Information System Component Inventory | Updates During Installations / RemovalsⓂ Ⓗ
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
CM-8(2)
System Component Inventory | Automated Maintenance
Maintain the currency, completeness, accuracy, and availability of the inventory of system components using cm-8.2_prm_1[Assignment: organization-defined automated mechanisms].
Information System Component Inventory | Automated Maintenance
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
CM-8(3)
System Component Inventory | Automated Unauthorized Component DetectionⓂ Ⓗ
(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using cm-8.3_prm_1[Assignment: organization-defined automated mechanisms] cm-8.3_prm_2[Assignment: organization-defined frequency]; and
(b) Take the following actions when unauthorized components are detected: cm-8.3_prm_3[Selection: disable network access by such components or isolate the components or notify or cm-8.3_prm_4[Assignment: organization-defined personnel or roles]].
Information System Component Inventory | Automated Unauthorized Component DetectionⓂ Ⓗ
The organization:
(a) Employs automated mechanisms cm-8.3_prm_1[Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
(b) Takes the following actions when unauthorized components are detected: cm-8.3_prm_2[Selection: disables network access by such components or isolates the components or notifies or cm-8.3_prm_3[Assignment: organization-defined personnel or roles]].
CM-8(4)
System Component Inventory | Accountability Information
Include in the system component inventory information, a means for identifying by cm-8.4_prm_1[Selection: name or position or role], individuals responsible and accountable for administering those components.
Information System Component Inventory | Accountability Information
The organization includes in the information system component inventory information, a means for identifying by cm-8.4_prm_1[Selection: name or position or role], individuals responsible/accountable for administering those components.
CM-8(5)
System Component Inventory | No Duplicate Accounting of Components
Withdrawn — incorporated into CM-8.
Information System Component Inventory | No Duplicate Accounting of ComponentsⓂ Ⓗ
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
CM-8(6)
System Component Inventory | Assessed Configurations and Approved Deviations
Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.
Information System Component Inventory | Assessed Configurations / Approved Deviations
The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
CM-8(7)
System Component Inventory | Centralized Repository
Provide a centralized repository for the inventory of system components.
Information System Component Inventory | Centralized Repository
The organization provides a centralized repository for the inventory of information system components.
CM-8(8)
System Component Inventory | Automated Location Tracking
Support the tracking of system components by geographic location using cm-8.8_prm_1[Assignment: organization-defined automated mechanisms].
Information System Component Inventory | Automated Location Tracking
The organization employs automated mechanisms to support tracking of information system components by geographic location.
CM-8(9)
System Component Inventory | Assignment of Components to Systems
(a) Assign system components to a system; and
(b) Receive an acknowledgement from cm-8.9_prm_1[Assignment: organization-defined personnel or roles] of this assignment.
Information System Component Inventory | Assignment of Components to Systems
The organization:
(a) Assigns cm-8.9_prm_1[Assignment: organization-defined acquired information system components] to an information system; and
(b) Receives an acknowledgement from the information system owner of this assignment.
CM-9
Configuration Management PlanⓂ Ⓗ
Develop, document, and implement a configuration management plan for the system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the system and places the configuration items under configuration management;
d. Is reviewed and approved by cm-9_prm_1[Assignment: organization-defined personnel or roles]; and
e. Protects the configuration management plan from unauthorized disclosure and modification.
Configuration Management PlanⓂ Ⓗ
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.
CM-9(1)
Configuration Management Plan | Assignment of Responsibility
Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.
Configuration Management Plan | Assignment of Responsibility
The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
CM-10
Software Usage RestrictionsⓁ Ⓜ Ⓗ
a. Use software and associated documentation in accordance with contract agreements and copyright laws;
b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Software Usage RestrictionsⓁ Ⓜ Ⓗ
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CM-10(1)
Software Usage Restrictions | Open-source Software
Establish the following restrictions on the use of open-source software: cm-10.1_prm_1[Assignment: organization-defined restrictions].
Software Usage Restrictions | Open Source Software
The organization establishes the following restrictions on the use of open source software: cm-10.1_prm_1[Assignment: organization-defined restrictions].
CM-11
User-installed SoftwareⓁ Ⓜ Ⓗ
a. Establish cm-11_prm_1[Assignment: organization-defined policies] governing the installation of software by users;
b. Enforce software installation policies through the following methods: cm-11_prm_2[Assignment: organization-defined methods]; and
c. Monitor policy compliance cm-11_prm_3[Assignment: organization-defined frequency].
User-installed SoftwareⓁ Ⓜ Ⓗ
The organization:
a. Establishes cm-11_prm_1[Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through cm-11_prm_2[Assignment: organization-defined methods]; and
c. Monitors policy compliance at cm-11_prm_3[Assignment: organization-defined frequency].
CM-11(1)
User-installed Software | Alerts for Unauthorized Installations
Withdrawn — incorporated into CM-8(3).
User-installed Software | Alerts for Unauthorized Installations
The information system alerts cm-11.1_prm_1[Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.
CM-11(2)
User-installed Software | Software Installation with Privileged Status
Allow user installation of software only with explicit privileged status.
User-installed Software | Prohibit Installation Without Privileged Status
The information system prohibits user installation of software without explicit privileged status.
CM-11(3)
User-installed Software | Automated Enforcement and Monitoring
Enforce and monitor compliance with software installation policies using cm-11.3_prm_1[Assignment: organization-defined automated mechanisms].
No predecessor
CM-12
Information LocationⓂ Ⓗ
a. Identify and document the location of cm-12_prm_1[Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
c. Document changes to the location (i.e., system or system components) where the information is processed and stored.
No predecessor
CM-12(1)
Information Location | Automated Tools to Support Information LocationⓂ Ⓗ
Use automated tools to identify cm-12.1_prm_1[Assignment: organization-defined information by information type] on cm-12.1_prm_2[Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.
No predecessor
CM-13
Data Action Mapping
Develop and document a map of system data actions.
No predecessor
CM-14
Signed Components
Prevent the installation of cm-14_prm_1[Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
No predecessor
CP-1
Policy and ProceduresⓁ Ⓜ Ⓗ
a. Develop, document, and disseminate to cp-1_prm_1[Assignment: organization-defined personnel or roles]:
1. cp-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] contingency planning policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;
b. Designate an cp-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and
c. Review and update the current contingency planning:
1. Policy cp-1_prm_4[Assignment: organization-defined frequency] and following cp-1_prm_5[Assignment: organization-defined events]; and
2. Procedures cp-1_prm_6[Assignment: organization-defined frequency] and following cp-1_prm_7[Assignment: organization-defined events].
Contingency Planning Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to cp-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy cp-1_prm_2[Assignment: organization-defined frequency]; and
2. Contingency planning procedures cp-1_prm_3[Assignment: organization-defined frequency].
CP-2
Contingency PlanⓁ Ⓜ Ⓗ
a. Develop a contingency plan for the system that:
1. Identifies essential mission and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
6. Addresses the sharing of contingency information; and
7. Is reviewed and approved by cp-2_prm_1[Assignment: organization-defined personnel or roles];
b. Distribute copies of the contingency plan to cp-2_prm_2[Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinate contingency planning activities with incident handling activities;
d. Review the contingency plan for the system cp-2_prm_3[Assignment: organization-defined frequency];
e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicate contingency plan changes to cp-2_prm_4[Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
h. Protect the contingency plan from unauthorized disclosure and modification.
Contingency PlanⓁ Ⓜ Ⓗ
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by cp-2_prm_1[Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to cp-2_prm_2[Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system cp-2_prm_3[Assignment: organization-defined frequency];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to cp-2_prm_4[Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.
CP-2(1)
Contingency Plan | Coordinate with Related PlansⓂ Ⓗ
Coordinate contingency plan development with organizational elements responsible for related plans.
Contingency Plan | Coordinate with Related PlansⓂ Ⓗ
The organization coordinates contingency plan development with organizational elements responsible for related plans.
CP-2(2)
Contingency Plan | Capacity Planning
Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
Contingency Plan | Capacity Planning
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CP-2(3)
Contingency Plan | Resume Mission and Business FunctionsⓂ Ⓗ
Plan for the resumption of cp-2.3_prm_1[Selection: all or essential] mission and business functions within cp-2.3_prm_2[Assignment: organization-defined time period] of contingency plan activation.
Contingency Plan | Resume Essential Missions / Business FunctionsⓂ Ⓗ
The organization plans for the resumption of essential missions and business functions within cp-2.3_prm_1[Assignment: organization-defined time period] of contingency plan activation.
CP-2(4)
Contingency Plan | Resume All Mission and Business Functions
Withdrawn — incorporated into CP-2(3).
Contingency Plan | Resume All Missions / Business Functions
The organization plans for the resumption of all missions and business functions within cp-2.4_prm_1[Assignment: organization-defined time period] of contingency plan activation.
CP-2(5)
Contingency Plan | Continue Mission and Business Functions
Plan for the continuance of cp-2.5_prm_1[Selection: all or essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.
Contingency Plan | Continue Essential Missions / Business Functions
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CP-2(6)
Contingency Plan | Alternate Processing and Storage Sites
Plan for the transfer of cp-2.6_prm_1[Selection: all or essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.
Contingency Plan | Alternate Processing / Storage Site
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CP-2(7)
Contingency Plan | Coordinate with External Service Providers
Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
Contingency Plan | Coordinate with External Service Providers
The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
CP-2(8)
Contingency Plan | Identify Critical AssetsⓂ Ⓗ
Identify critical system assets supporting cp-2.8_prm_1[Selection: all or essential] mission and business functions.
Contingency Plan | Identify Critical AssetsⓂ Ⓗ
The organization identifies critical information system assets supporting essential missions and business functions.
CP-3
Contingency TrainingⓁ Ⓜ Ⓗ
a. Provide contingency training to system users consistent with assigned roles and responsibilities:
1. Within cp-3_prm_1[Assignment: organization-defined time period] of assuming a contingency role or responsibility;
2. When required by system changes; and
3. cp-3_prm_2[Assignment: organization-defined frequency] thereafter; and
b. Review and update contingency training content cp-3_prm_3[Assignment: organization-defined frequency] and following cp-3_prm_4[Assignment: organization-defined events].
Contingency TrainingⓁ Ⓜ Ⓗ
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within cp-3_prm_1[Assignment: organization-defined time period] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. cp-3_prm_2[Assignment: organization-defined frequency] thereafter.
CP-3(1)
Contingency Training | Simulated Events
Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
Contingency Training | Simulated Events
The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
CP-3(2)
Contingency Training | Mechanisms Used in Training Environments
Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.
Contingency Training | Automated Training Environments
The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.
CP-4
Contingency Plan TestingⓁ Ⓜ Ⓗ
a. Test the contingency plan for the system cp-4_prm_1[Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: cp-4_prm_2[Assignment: organization-defined tests].
b. Review the contingency plan test results; and
c. Initiate corrective actions, if needed.
Contingency Plan TestingⓁ Ⓜ Ⓗ
The organization:
a. Tests the contingency plan for the information system cp-4_prm_1[Assignment: organization-defined frequency] using cp-4_prm_2[Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.
CP-4(1)
Contingency Plan Testing | Coordinate with Related PlansⓂ Ⓗ
Coordinate contingency plan testing with organizational elements responsible for related plans.
Contingency Plan Testing | Coordinate with Related PlansⓂ Ⓗ
The organization coordinates contingency plan testing with organizational elements responsible for related plans.
CP-4(2)
Contingency Plan Testing | Alternate Processing Site
Test the contingency plan at the alternate processing site:
(a) To familiarize contingency personnel with the facility and available resources; and
(b) To evaluate the capabilities of the alternate processing site to support contingency operations.
Contingency Plan Testing | Alternate Processing Site
The organization tests the contingency plan at the alternate processing site:
(a) To familiarize contingency personnel with the facility and available resources; and
(b) To evaluate the capabilities of the alternate processing site to support contingency operations.
CP-4(3)
Contingency Plan Testing | Automated Testing
Test the contingency plan using cp-4.3_prm_1[Assignment: organization-defined automated mechanisms].
Contingency Plan Testing | Automated Testing
The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
CP-4(4)
Contingency Plan Testing | Full Recovery and Reconstitution
Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.
Contingency Plan Testing | Full Recovery / Reconstitution
The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
CP-4(5)
Contingency Plan Testing | Self-challenge
Employ cp-4.5_prm_1[Assignment: organization-defined mechanisms] to cp-4.5_prm_2[Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component.
No predecessor
CP-5
Contingency Plan Update
Withdrawn — incorporated into CP-2.
Contingency Plan Update
Withdrawn — incorporated into CP-2.
CP-6
Alternate Storage SiteⓂ Ⓗ
a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
Alternate Storage SiteⓂ Ⓗ
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
CP-6(1)
Alternate Storage Site | Separation from Primary SiteⓂ Ⓗ
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
Alternate Storage Site | Separation from Primary SiteⓂ Ⓗ
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
CP-6(2)
Alternate Storage Site | Recovery Time and Recovery Point Objectives
Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
Alternate Storage Site | Recovery Time / Point Objectives
The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CP-6(3)
Alternate Storage Site | AccessibilityⓂ Ⓗ
Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
Alternate Storage Site | AccessibilityⓂ Ⓗ
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7
Alternate Processing SiteⓂ Ⓗ
a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of cp-7_prm_1[Assignment: organization-defined system operations] for essential mission and business functions within cp-7_prm_2[Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and
c. Provide controls at the alternate processing site that are equivalent to those at the primary site.
Alternate Processing SiteⓂ Ⓗ
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of cp-7_prm_1[Assignment: organization-defined information system operations] for essential missions/business functions within cp-7_prm_2[Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.
CP-7(1)
Alternate Processing Site | Separation from Primary SiteⓂ Ⓗ
Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.
Alternate Processing Site | Separation from Primary SiteⓂ Ⓗ
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
CP-7(2)
Alternate Processing Site | AccessibilityⓂ Ⓗ
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
Alternate Processing Site | AccessibilityⓂ Ⓗ
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7(3)
Alternate Processing Site | Priority of ServiceⓂ Ⓗ
Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
Alternate Processing Site | Priority of ServiceⓂ Ⓗ
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).
CP-7(4)
Alternate Processing Site | Preparation for Use
Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.
Alternate Processing Site | Preparation for Use
The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
CP-7(5)
Alternate Processing Site | Equivalent Information Security Safeguards
Withdrawn — incorporated into CP-7.
Alternate Processing Site | Equivalent Information Security Safeguards
Withdrawn — incorporated into CP-7.
CP-7(6)
Alternate Processing Site | Inability to Return to Primary Site
Plan and prepare for circumstances that preclude returning to the primary processing site.
Alternate Processing Site | Inability to Return to Primary Site
The organization plans and prepares for circumstances that preclude returning to the primary processing site.
CP-8
Telecommunications ServicesⓂ Ⓗ
Establish alternate telecommunications services, including necessary agreements to permit the resumption of cp-8_prm_1[Assignment: organization-defined system operations] for essential mission and business functions within cp-8_prm_2[Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
Telecommunications ServicesⓂ Ⓗ
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of cp-8_prm_1[Assignment: organization-defined information system operations] for essential missions and business functions within cp-8_prm_2[Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8(1)
Telecommunications Services | Priority of Service ProvisionsⓂ Ⓗ
(a) Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and
(b) Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
Telecommunications Services | Priority of Service ProvisionsⓂ Ⓗ
The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CP-8(2)
Telecommunications Services | Single Points of FailureⓂ Ⓗ
Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
Telecommunications Services | Single Points of FailureⓂ Ⓗ
The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CP-8(3)
Telecommunications Services | Separation of Primary and Alternate Providers
Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
Telecommunications Services | Separation of Primary / Alternate Providers
The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
CP-8(4)
Telecommunications Services | Provider Contingency Plan
(a) Require primary and alternate telecommunications service providers to have contingency plans;
(b) Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtain evidence of contingency testing and training by providers cp-8.4_prm_1[Assignment: organization-defined frequency].
Telecommunications Services | Provider Contingency Plan
The organization:
(a) Requires primary and alternate telecommunications service providers to have contingency plans;
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
(c) Obtains evidence of contingency testing/training by providers cp-8.4_prm_1[Assignment: organization-defined frequency].
CP-8(5)
Telecommunications Services | Alternate Telecommunication Service Testing
Test alternate telecommunication services cp-8.5_prm_1[Assignment: organization-defined frequency].
Telecommunications Services | Alternate Telecommunication Service Testing
The organization tests alternate telecommunication services cp-8.5_prm_1[Assignment: organization-defined frequency].
CP-9
System BackupⓁ Ⓜ Ⓗ
a. Conduct backups of user-level information contained in cp-9_prm_1[Assignment: organization-defined system components] cp-9_prm_2[Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conduct backups of system-level information contained in the system cp-9_prm_3[Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conduct backups of system documentation, including security- and privacy-related documentation cp-9_prm_4[Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protect the confidentiality, integrity, and availability of backup information.
Information System BackupⓁ Ⓜ Ⓗ
The organization:
a. Conducts backups of user-level information contained in the information system cp-9_prm_1[Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system cp-9_prm_2[Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation cp-9_prm_3[Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
CP-9(1)
System Backup | Testing for Reliability and IntegrityⓂ Ⓗ
Test backup information cp-9.1_prm_1[Assignment: organization-defined frequency] to verify media reliability and information integrity.
Information System Backup | Testing for Reliability / IntegrityⓂ Ⓗ
The organization tests backup information cp-9.1_prm_1[Assignment: organization-defined frequency] to verify media reliability and information integrity.
CP-9(2)
System Backup | Test Restoration Using Sampling
Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.
Information System Backup | Test Restoration Using Sampling
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
CP-9(3)
System Backup | Separate Storage for Critical Information
Store backup copies of cp-9.3_prm_1[Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system.
Information System Backup | Separate Storage for Critical Information
The organization stores backup copies of cp-9.3_prm_1[Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
CP-9(4)
System Backup | Protection from Unauthorized Modification
Withdrawn — incorporated into CP-9.
Information System Backup | Protection from Unauthorized Modification
Withdrawn — incorporated into CP-9.
CP-9(5)
System Backup | Transfer to Alternate Storage Site
Transfer system backup information to the alternate storage site cp-9.5_prm_1[Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
Information System Backup | Transfer to Alternate Storage Site
The organization transfers information system backup information to the alternate storage site cp-9.5_prm_1[Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
CP-9(6)
System Backup | Redundant Secondary System
Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
Information System Backup | Redundant Secondary System
The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CP-9(7)
System Backup | Dual Authorization for Deletion or Destruction
Enforce dual authorization for the deletion or destruction of cp-9.7_prm_1[Assignment: organization-defined backup information].
Information System Backup | Dual Authorization
The organization enforces dual authorization for the deletion or destruction of cp-9.7_prm_1[Assignment: organization-defined backup information].
CP-9(8)
System Backup | Cryptographic ProtectionⓂ Ⓗ
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of cp-9.8_prm_1[Assignment: organization-defined backup information].
No predecessor
CP-10
System Recovery and ReconstitutionⓁ Ⓜ Ⓗ
Provide for the recovery and reconstitution of the system to a known state within cp-10_prm_1[Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.
Information System Recovery and ReconstitutionⓁ Ⓜ Ⓗ
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
CP-10(1)
System Recovery and Reconstitution | Contingency Plan Testing
Withdrawn — incorporated into CP-4.
Information System Recovery and Reconstitution | Contingency Plan Testing
Withdrawn — incorporated into CP-4.
CP-10(2)
System Recovery and Reconstitution | Transaction RecoveryⓂ Ⓗ
Implement transaction recovery for systems that are transaction-based.
Information System Recovery and Reconstitution | Transaction RecoveryⓂ Ⓗ
The information system implements transaction recovery for systems that are transaction-based.
CP-10(3)
System Recovery and Reconstitution | Compensating Security Controls
.
Information System Recovery and Reconstitution | Compensating Security Controls
.
CP-10(4)
System Recovery and Reconstitution | Restore Within Time Period
Provide the capability to restore system components within cp-10.4_prm_1[Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
Information System Recovery and Reconstitution | Restore Within Time Period
The organization provides the capability to restore information system components within cp-10.4_prm_1[Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
CP-10(5)
System Recovery and Reconstitution | Failover Capability
Withdrawn — incorporated into SI-13.
Information System Recovery and Reconstitution | Failover Capability
Withdrawn — incorporated into SI-13.
CP-10(6)
System Recovery and Reconstitution | Component Protection
Protect system components used for recovery and reconstitution.
Information System Recovery and Reconstitution | Component Protection
The organization protects backup and restoration hardware, firmware, and software.
CP-11
Alternate Communications Protocols
Provide the capability to employ cp-11_prm_1[Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
Alternate Communications Protocols
The information system provides the capability to employ cp-11_prm_1[Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
CP-12
Safe Mode
When cp-12_prm_1[Assignment: organization-defined conditions] are detected, enter a safe mode of operation with cp-12_prm_2[Assignment: organization-defined restrictions of safe mode of operation].
Safe Mode
The information system, when cp-12_prm_1[Assignment: organization-defined conditions] are detected, enters a safe mode of operation with cp-12_prm_2[Assignment: organization-defined restrictions of safe mode of operation].
CP-13
Alternative Security Mechanisms
Employ cp-13_prm_1[Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying cp-13_prm_2[Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.
Alternative Security Mechanisms
The organization employs cp-13_prm_1[Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying cp-13_prm_2[Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.
IA-1
Policy and ProceduresⓁ Ⓜ Ⓗ
a. Develop, document, and disseminate to ia-1_prm_1[Assignment: organization-defined personnel or roles]:
1. ia-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] identification and authentication policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;
b. Designate an ia-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and
c. Review and update the current identification and authentication:
1. Policy ia-1_prm_4[Assignment: organization-defined frequency] and following ia-1_prm_5[Assignment: organization-defined events]; and
2. Procedures ia-1_prm_6[Assignment: organization-defined frequency] and following ia-1_prm_7[Assignment: organization-defined events].
Identification and Authentication Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to ia-1_prm_1[Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy ia-1_prm_2[Assignment: organization-defined frequency]; and
2. Identification and authentication procedures ia-1_prm_3[Assignment: organization-defined frequency].
IA-2
Identification and Authentication (Organizational Users)Ⓛ Ⓜ Ⓗ
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
Identification and Authentication (Organizational Users)Ⓛ Ⓜ Ⓗ
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-2(1)
Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged AccountsⓁ Ⓜ Ⓗ
Implement multi-factor authentication for access to privileged accounts.
Identification and Authentication (Organizational Users) | Network Access to Privileged AccountsⓁ Ⓜ Ⓗ
The information system implements multifactor authentication for network access to privileged accounts.
IA-2(2)
Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privileged AccountsⓁ Ⓜ Ⓗ
Implement multi-factor authentication for access to non-privileged accounts.
Identification and Authentication (Organizational Users) | Network Access to Non-privileged AccountsⓂ Ⓗ
The information system implements multifactor authentication for network access to non-privileged accounts.
IA-2(3)
Identification and Authentication (Organizational Users) | Local Access to Privileged Accounts
Withdrawn — incorporated into IA-2(1).
Identification and Authentication (Organizational Users) | Local Access to Privileged AccountsⓂ Ⓗ
The information system implements multifactor authentication for local access to privileged accounts.
IA-2(4)
Identification and Authentication (Organizational Users) | Local Access to Non-privileged Accounts
Withdrawn — incorporated into IA-2(2).
Identification and Authentication (Organizational Users) | Local Access to Non-privileged Accounts
The information system implements multifactor authentication for local access to non-privileged accounts.
IA-2(5)
Identification and Authentication (Organizational Users) | Individual Authentication with Group Authentication
When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.
Identification and Authentication (Organizational Users) | Group Authentication
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
IA-2(6)
Identification and Authentication (Organizational Users) | Access to Accounts — Separate Device
Implement multi-factor authentication for ia-2.6_prm_1[Selection: local or network or remote] access to ia-2.6_prm_2[Selection: privileged accounts or non-privileged accounts] such that:
(a) One of the factors is provided by a device separate from the system gaining access; and
(b) The device meets ia-2.6_prm_3[Assignment: organization-defined strength of mechanism requirements].
Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts - Separate Device
The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets ia-2.6_prm_1[Assignment: organization-defined strength of mechanism requirements].
IA-2(7)
Identification and Authentication (Organizational Users) | Network Access to Non-privileged Accounts — Separate Device
Withdrawn — incorporated into IA-2(6).
Identification and Authentication (Organizational Users) | Network Access to Non-privileged Accounts - Separate Device
The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets ia-2.7_prm_1[Assignment: organization-defined strength of mechanism requirements].
IA-2(8)
Identification and Authentication (Organizational Users) | Access to Accounts — Replay ResistantⓁ Ⓜ Ⓗ
Implement replay-resistant authentication mechanisms for access to ia-2.8_prm_1[Selection: privileged accounts or non-privileged accounts].
Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts - Replay ResistantⓂ Ⓗ
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2(9)
Identification and Authentication (Organizational Users) | Network Access to Non-privileged Accounts — Replay Resistant
Withdrawn — incorporated into IA-2(8).
Identification and Authentication (Organizational Users) | Network Access to Non-privileged Accounts - Replay Resistant
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
IA-2(10)
Identification and Authentication (Organizational Users) | Single Sign-on
Provide a single sign-on capability for ia-2.10_prm_1[Assignment: organization-defined system accounts and services].
Identification and Authentication (Organizational Users) | Single Sign-on
The information system provides a single sign-on capability for ia-2.10_prm_1[Assignment: organization-defined information system accounts and services].
IA-2(11)
Identification and Authentication (Organizational Users) | Remote Access — Separate Device
Withdrawn — incorporated into IA-2(6).
Identification and Authentication (Organizational Users) | Remote Access - Separate DeviceⓂ Ⓗ
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets ia-2.11_prm_1[Assignment: organization-defined strength of mechanism requirements].
IA-2(12)
Identification and Authentication (Organizational Users) | Acceptance of PIV CredentialsⓁ Ⓜ Ⓗ
Accept and electronically verify Personal Identity Verification-compliant credentials.
Identification and Authentication (Organizational Users) | Acceptance of PIV CredentialsⓁ Ⓜ Ⓗ
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
IA-2(13)
Identification and Authentication (Organizational Users) | Out-of-band Authentication
Implement the following out-of-band authentication mechanisms under ia-2.13_prm_1[Assignment: organization-defined conditions]: ia-2.13_prm_2[Assignment: organization-defined out-of-band authentication].
Identification and Authentication (Organizational Users) | Out-of-band Authentication
The information system implements ia-2.13_prm_1[Assignment: organization-defined out-of-band authentication] under ia-2.13_prm_2[Assignment: organization-defined conditions].
IA-3
Device Identification and AuthenticationⓂ Ⓗ
Uniquely identify and authenticate ia-3_prm_1[Assignment: organization-defined devices and/or types of devices] before establishing a ia-3_prm_2[Selection: local or remote or network] connection.
Device Identification and AuthenticationⓂ Ⓗ
The information system uniquely identifies and authenticates ia-3_prm_1[Assignment: organization-defined specific and/or types of devices] before establishing a ia-3_prm_2[Selection: local or remote or network] connection.
IA-3(1)
Device Identification and Authentication | Cryptographic Bidirectional Authentication
Authenticate ia-3.1_prm_1[Assignment: organization-defined devices and/or types of devices] before establishing ia-3.1_prm_2[Selection: local or remote or network] connection using bidirectional authentication that is cryptographically based.
Device Identification and Authentication | Cryptographic Bidirectional Authentication
The information system authenticates ia-3.1_prm_1[Assignment: organization-defined specific devices and/or types of devices] before establishing ia-3.1_prm_2[Selection: local or remote or network] connection using bidirectional authentication that is cryptographically based.
IA-3(2)
Device Identification and Authentication | Cryptographic Bidirectional Network Authentication
Withdrawn — incorporated into IA-3(1).
Device Identification and Authentication | Cryptographic Bidirectional Network Authentication
Withdrawn — incorporated into IA-3(1).
IA-3(3)
Device Identification and Authentication | Dynamic Address Allocation
(a) Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with ia-3.3_prm_1[Assignment: organization-defined lease information and lease duration]; and
(b) Audit lease information when assigned to a device.
Device Identification and Authentication | Dynamic Address Allocation
The organization:
(a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with ia-3.3_prm_1[Assignment: organization-defined lease information and lease duration]; and
(b) Audits lease information when assigned to a device.
IA-3(4)
Device Identification and Authentication | Device Attestation
Handle device identification and authentication based on attestation by ia-3.4_prm_1[Assignment: organization-defined configuration management process].
Device Identification and Authentication | Device Attestation
The organization ensures that device identification and authentication based on attestation is handled by ia-3.4_prm_1[Assignment: organization-defined configuration management process].
IA-4
Identifier ManagementⓁ Ⓜ Ⓗ
Manage system identifiers by:
a. Receiving authorization from ia-4_prm_1[Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, service, or device;
c. Assigning the identifier to the intended individual, group, role, service, or device; and
d. Preventing reuse of identifiers for ia-4_prm_2[Assignment: organization-defined time period].
Identifier ManagementⓁ Ⓜ Ⓗ
The organization manages information system identifiers by:
a. Receiving authorization from ia-4_prm_1[Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for ia-4_prm_2[Assignment: organization-defined time period]; and
e. Disabling the identifier after ia-4_prm_3[Assignment: organization-defined time period of inactivity].
IA-4(1)
Identifier Management | Prohibit Account Identifiers as Public Identifiers
Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.
Identifier Management | Prohibit Account Identifiers as Public Identifiers
The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.
IA-4(2)
Identifier Management | Supervisor Authorization
Withdrawn — incorporated into IA-12(1).
Identifier Management | Supervisor Authorization
The organization requires that the registration process to receive an individual identifier includes supervisor authorization.
IA-4(3)
Identifier Management | Multiple Forms of Certification
Withdrawn — incorporated into IA-12(2).
Identifier Management | Multiple Forms of Certification
The organization requires multiple forms of certification of individual identification be presented to the registration authority.
IA-4(4)
Identifier Management | Identify User StatusⓂ Ⓗ
Manage individual identifiers by uniquely identifying each individual as ia-4.4_prm_1[Assignment: organization-defined characteristic identifying individual status].
Identifier Management | Identify User Status
The organization manages individual identifiers by uniquely identifying each individual as ia-4.4_prm_1[Assignment: organization-defined characteristic identifying individual status].
IA-4(5)
Identifier Management | Dynamic Management
Manage individual identifiers dynamically in accordance with ia-4.5_prm_1[Assignment: organization-defined dynamic identifier policy].
Identifier Management | Dynamic Management
The information system dynamically manages identifiers.
IA-4(6)
Identifier Management | Cross-organization Management
Coordinate with the following external organizations for cross-organization management of identifiers: ia-4.6_prm_1[Assignment: organization-defined external organizations].
Identifier Management | Cross-organization Management
The organization coordinates with ia-4.6_prm_1[Assignment: organization-defined external organizations] for cross-organization management of identifiers.
IA-4(7)
Identifier Management | In-person Registration
Withdrawn — incorporated into IA-12(4).
Identifier Management | In-person Registration
The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.
IA-4(8)
Identifier Management | Pairwise Pseudonymous Identifiers
Generate pairwise pseudonymous identifiers.
No predecessor
IA-4(9)
Identifier Management | Attribute Maintenance and Protection
Maintain the attributes for each uniquely identified individual, device, or service in ia-4.9_prm_1[Assignment: organization-defined protected central storage].
No predecessor
IA-5
Authenticator ManagementⓁ Ⓜ Ⓗ
Manage system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
b. Establishing initial authenticator content for any authenticators issued by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
e. Changing default authenticators prior to first use;
f. Changing or refreshing authenticators ia-5_prm_1[Assignment: organization-defined time period by authenticator type] or when ia-5_prm_2[Assignment: organization-defined events] occur;
g. Protecting authenticator content from unauthorized disclosure and modification;
h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
i. Changing authenticators for group or role accounts when membership to those accounts changes.
Authenticator ManagementⓁ Ⓜ Ⓗ
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators ia-5_prm_1[Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
IA-5(1)
Authenticator Management | Password-based AuthenticationⓁ Ⓜ Ⓗ
For password-based authentication:
(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list ia-5.1_prm_1[Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
(c) Transmit passwords only over cryptographically-protected channels;
(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
(e) Require immediate selection of a new password upon account recovery;
(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
(g) Employ automated tools to assist the user in selecting strong password authenticators; and
(h) Enforce the following composition and complexity rules: ia-5.1_prm_2[Assignment: organization-defined composition and complexity rules].
Authenticator Management | Password-based AuthenticationⓁ Ⓜ Ⓗ
The information system, for password-based authentication:
(a) Enforces minimum password complexity of ia-5.1_prm_1[Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: ia-5.1_prm_2[Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of ia-5.1_prm_3[Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for ia-5.1_prm_4[Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
IA-5(2)
Authenticator Management | Public Key-based AuthenticationⓂ Ⓗ
(a) For public key-based authentication:
(1) Enforce authorized access to the corresponding private key; and
(2) Map the authenticated identity to the account of the individual or group; and
(b) When public key infrastructure (PKI) is used:
(1) Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and
(2) Implement a local cache of revocation data to support path discovery and validation.
Authenticator Management | PKI-based AuthenticationⓂ Ⓗ
The information system, for PKI-based authentication:
(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
(b) Enforces authorized access to the corresponding private key;
(c) Maps the authenticated identity to the account of the individual or group; and
(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
IA-5(3)
Authenticator Management | In-person or Trusted External Party Registration
Withdrawn — incorporated into IA-12(4).
Authenticator Management | In-person or Trusted Third-party RegistrationⓂ Ⓗ
The organization requires that the registration process to receive ia-5.3_prm_1[Assignment: organization-defined types of and/or specific authenticators] be conducted ia-5.3_prm_2[Selection: in person or by a trusted third party] before ia-5.3_prm_3[Assignment: organization-defined registration authority] with authorization by ia-5.3_prm_4[Assignment: organization-defined personnel or roles].
IA-5(4)
Authenticator Management | Automated Support for Password Strength Determination
Withdrawn — incorporated into IA-5(1).
Authenticator Management | Automated Support for Password Strength Determination
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy ia-5.4_prm_1[Assignment: organization-defined requirements].
IA-5(5)
Authenticator Management | Change Authenticators Prior to Delivery
Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.
Authenticator Management | Change Authenticators Prior to Delivery
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
IA-5(6)
Authenticator Management | Protection of AuthenticatorsⓂ Ⓗ
Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.
Authenticator Management | Protection of Authenticators
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
IA-5(7)
Authenticator Management | No Embedded Unencrypted Static Authenticators
Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.
Authenticator Management | No Embedded Unencrypted Static Authenticators
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
IA-5(8)
Authenticator Management | Multiple System Accounts
Implement ia-5.8_prm_1[Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems.
Authenticator Management | Multiple Information System Accounts
The organization implements ia-5.8_prm_1[Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
IA-5(9)
Authenticator Management | Federated Credential Management
Use the following external organizations to federate credentials: ia-5.9_prm_1[Assignment: organization-defined external organizations].
Authenticator Management | Cross-organization Credential Management
The organization coordinates with ia-5.9_prm_1[Assignment: organization-defined external organizations] for cross-organization management of credentials.
IA-5(10)
Authenticator Management | Dynamic Credential Binding
Bind identities and authenticators dynamically using the following rules: ia-5.10_prm_1[Assignment: organization-defined binding rules].
Authenticator Management | Dynamic Credential Association
The information system dynamically provisions identities.
IA-5(11)
Authenticator Management | Hardware Token-based Authentication
Withdrawn — incorporated into IA-2(1) and IA-2(2).
Authenticator Management | Hardware Token-based AuthenticationⓁ Ⓜ Ⓗ
The information system, for hardware token-based authentication, employs mechanisms that satisfy ia-5.11_prm_1[Assignment: organization-defined token quality requirements].
IA-5(12)
Authenticator Management | Biometric Authentication Performance
For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements ia-5.12_prm_1[Assignment: organization-defined biometric quality requirements].
Authenticator Management | Biometric-based Authentication
The information system, for biometric-based authentication, employs mechanisms that satisfy ia-5.12_prm_1[Assignment: organization-defined biometric quality requirements].
IA-5(13)
Authenticator Management | Expiration of Cached Authenticators
Prohibit the use of cached authenticators after ia-5.13_prm_1[Assignment: organization-defined time period].
Authenticator Management | Expiration of Cached Authenticators
The information system prohibits the use of cached authenticators after ia-5.13_prm_1[Assignment: organization-defined time period].
IA-5(14)
Authenticator Management | Managing Content of PKI Trust Stores
For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications.
Authenticator Management | Managing Content of PKI Trust Stores
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
IA-5(15)
Authenticator Management | GSA-approved Products and Services
Use only General Services Administration-approved products and services for identity, credential, and access management.
Authenticator Management | FICAM-approved Products and Services
The organization uses only FICAM-approved path discovery and validation products and services.
IA-5(16)
Authenticator Management | In-person or Trusted External Party Authenticator Issuance
Require that the issuance of ia-5.16_prm_1[Assignment: organization-defined types of and/or specific authenticators] be conducted ia-5.16_prm_2[Selection: in person or by a trusted external party] before ia-5.16_prm_3[Assignment: organization-defined registration authority] with authorization by ia-5.16_prm_4[Assignment: organization-defined personnel or roles].
No predecessor
IA-5(17)
Authenticator Management | Presentation Attack Detection for Biometric Authenticators
Employ presentation attack detection mechanisms for biometric-based authentication.
No predecessor
IA-5(18)
Authenticator Management | Password Managers
(a) Employ ia-5.18_prm_1[Assignment: organization-defined password managers] to generate and manage passwords; and
(b) Protect the passwords using ia-5.18_prm_2[Assignment: organization-defined controls].
No predecessor
IA-6
Authentication FeedbackⓁ Ⓜ Ⓗ
Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
Authenticator FeedbackⓁ Ⓜ Ⓗ
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IA-7
Cryptographic Module AuthenticationⓁ Ⓜ Ⓗ
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
Cryptographic Module AuthenticationⓁ Ⓜ Ⓗ
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-8
Identification and Authentication (Non-organizational Users)Ⓛ Ⓜ Ⓗ
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
Identification and Authentication (Non-organizational Users)Ⓛ Ⓜ Ⓗ
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
IA-8(1)
Identification and Authentication (Non-organizational Users) | Acceptance of PIV Credentials from Other AgenciesⓁ Ⓜ Ⓗ
Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.
Identification and Authentication (Non-organizational Users) | Acceptance of PIV Credentials from Other AgenciesⓁ Ⓜ Ⓗ
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
IA-8(2)
Identification and Authentication (Non-organizational Users) | Acceptance of External AuthenticatorsⓁ Ⓜ Ⓗ
(a) Accept only external authenticators that are NIST-compliant; and
(b) Document and maintain a list of accepted external authenticators.
Identification and Authentication (Non-organizational Users) | Acceptance of Third-party CredentialsⓁ Ⓜ Ⓗ
The information system accepts only FICAM-approved third-party credentials.
IA-8(3)
Identification and Authentication (Non-organizational Users) | Use of FICAM-approved Products
Withdrawn — incorporated into IA-8(2).
Identification and Authentication (Non-organizational Users) | Use of FICAM-approved ProductsⓁ Ⓜ Ⓗ
The organization employs only FICAM-approved information system components in ia-8.3_prm_1[Assignment: organization-defined information systems] to accept third-party credentials.
IA-8(4)
Identification and Authentication (Non-organizational Users) | Use of Defined ProfilesⓁ Ⓜ Ⓗ
Conform to the following profiles for identity management ia-8.4_prm_1[Assignment: organization-defined identity management profiles].
Identification and Authentication (Non-organizational Users) | Use of FICAM-issued ProfilesⓁ Ⓜ Ⓗ
The information system conforms to FICAM-issued profiles.
IA-8(5)
Identification and Authentication (Non-organizational Users) | Acceptance of PIV-I Credentials
Accept and verify federated or PKI credentials that meet ia-8.5_prm_1[Assignment: organization-defined policy].
Identification and Authentication (Non-organizational Users) | Acceptance of PIV-I Credentials
The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials.
IA-8(6)
Identification and Authentication (Non-organizational Users) | Disassociability
Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: ia-8.6_prm_1[Assignment: organization-defined measures].
No predecessor
IA-9
Service Identification and Authentication
Uniquely identify and authenticate ia-9_prm_1[Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications.
Service Identification and Authentication
The organization identifies and authenticates ia-9_prm_1[Assignment: organization-defined information system services] using ia-9_prm_2[Assignment: organization-defined security safeguards].
IA-9(1)
Service Identification and Authentication | Information Exchange
Withdrawn — incorporated into IA-9.
Service Identification and Authentication | Information Exchange
The organization ensures that service providers receive, validate, and transmit identification and authentication information.
IA-9(2)
Service Identification and Authentication | Transmission of Decisions
Withdrawn — incorporated into IA-9.
Service Identification and Authentication | Transmission of Decisions
The organization ensures that identification and authentication decisions are transmitted between ia-9.2_prm_1[Assignment: organization-defined services] consistent with organizational policies.
IA-10
Adaptive Authentication
Require individuals accessing the system to employ ia-10_prm_1[Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific ia-10_prm_2[Assignment: organization-defined circumstances or situations].
Adaptive Identification and Authentication
The organization requires that individuals accessing the information system employ ia-10_prm_1[Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific ia-10_prm_2[Assignment: organization-defined circumstances or situations].
IA-11
Re-authenticationⓁ Ⓜ Ⓗ
Require users to re-authenticate when ia-11_prm_1[Assignment: organization-defined circumstances or situations requiring re-authentication].
Re-authentication
The organization requires users and devices to re-authenticate when ia-11_prm_1[Assignment: organization-defined circumstances or situations requiring re-authentication].
IA-12
Identity ProofingⓂ Ⓗ
a. Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;
b. Resolve user identities to a unique individual; and
c. Collect, validate, and verify identity evidence.
No predecessor
IA-12(1)
Identity Proofing | Supervisor Authorization
Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.
No predecessor
IA-12(2)
Identity Proofing | Identity EvidenceⓂ Ⓗ
Require evidence of individual identification be presented to the registration authority.
No predecessor
IA-12(3)
Identity Proofing | Identity Evidence Validation and VerificationⓂ Ⓗ
Require that the presented identity evidence be validated and verified through ia-12.3_prm_1[Assignment: organization-defined methods of validation and verification].
No predecessor
IA-12(4)
Identity Proofing | In-person Validation and Verification
Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.
No predecessor
IA-12(5)
Identity Proofing | Address ConfirmationⓂ Ⓗ
Require that a ia-12.5_prm_1[Selection: registration code or notice of proofing] be delivered through an out-of-band channel to verify the user's address (physical or digital) of record.
No predecessor
IA-12(6)
Identity Proofing | Accept Externally-proofed Identities
Accept externally-proofed identities at ia-12.6_prm_1[Assignment: organization-defined identity assurance level].
No predecessor
IR-1
Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟ
a. Develop, document, and disseminate to ir-1_prm_1[Assignment: organization-defined personnel or roles]:
1. ir-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] incident response policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
b. Designate an ir-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and
c. Review and update the current incident response:
1. Policy ir-1_prm_4[Assignment: organization-defined frequency] and following ir-1_prm_5[Assignment: organization-defined events]; and
2. Procedures ir-1_prm_6[Assignment: organization-defined frequency] and following ir-1_prm_7[Assignment: organization-defined events].
Incident Response Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to ir-1_prm_1[Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy ir-1_prm_2[Assignment: organization-defined frequency]; and
2. Incident response procedures ir-1_prm_3[Assignment: organization-defined frequency].
IR-2
Incident Response TrainingⓁ Ⓜ Ⓗ Ⓟ
a. Provide incident response training to system users consistent with assigned roles and responsibilities:
1. Within ir-2_prm_1[Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access;
2. When required by system changes; and
3. ir-2_prm_2[Assignment: organization-defined frequency] thereafter; and
b. Review and update incident response training content ir-2_prm_3[Assignment: organization-defined frequency] and following ir-2_prm_4[Assignment: organization-defined events].
Incident Response TrainingⓁ Ⓜ Ⓗ
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within ir-2_prm_1[Assignment: organization-defined time period] of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. ir-2_prm_2[Assignment: organization-defined frequency] thereafter.
IR-2(1)
Incident Response Training | Simulated Events
Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
Incident Response Training | Simulated Events
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
IR-2(2)
Incident Response Training | Automated Training Environments
Provide an incident response training environment using ir-2.2_prm_1[Assignment: organization-defined automated mechanisms].
Incident Response Training | Automated Training Environments
The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
IR-2(3)
Incident Response Training | Breach
Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.
No predecessor
IR-3
Incident Response TestingⓂ Ⓗ Ⓟ
Test the effectiveness of the incident response capability for the system ir-3_prm_1[Assignment: organization-defined frequency] using the following tests: ir-3_prm_2[Assignment: organization-defined tests].
Incident Response TestingⓂ Ⓗ
The organization tests the incident response capability for the information system ir-3_prm_1[Assignment: organization-defined frequency] using ir-3_prm_2[Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
IR-3(1)
Incident Response Testing | Automated Testing
Test the incident response capability using ir-3.1_prm_1[Assignment: organization-defined automated mechanisms].
Incident Response Testing | Automated Testing
The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.
IR-3(2)
Incident Response Testing | Coordination with Related PlansⓂ Ⓗ
Coordinate incident response testing with organizational elements responsible for related plans.
Incident Response Testing | Coordination with Related PlansⓂ Ⓗ
The organization coordinates incident response testing with organizational elements responsible for related plans.
IR-3(3)
Incident Response Testing | Continuous Improvement
Use qualitative and quantitative data from testing to:
(a) Determine the effectiveness of incident response processes;
(b) Continuously improve incident response processes; and
(c) Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.
No predecessor
IR-4
Incident HandlingⓁ Ⓜ Ⓗ Ⓟ
a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinate incident handling activities with contingency planning activities;
c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
Incident HandlingⓁ Ⓜ Ⓗ
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
IR-4(1)
Incident Handling | Automated Incident Handling ProcessesⓂ Ⓗ
Support the incident handling process using ir-4.1_prm_1[Assignment: organization-defined automated mechanisms].
Incident Handling | Automated Incident Handling ProcessesⓂ Ⓗ
The organization employs automated mechanisms to support the incident handling process.
IR-4(2)
Incident Handling | Dynamic Reconfiguration
Include the following types of dynamic reconfiguration for ir-4.2_prm_1[Assignment: organization-defined system components] as part of the incident response capability: ir-4.2_prm_2[Assignment: organization-defined types of dynamic reconfiguration].
Incident Handling | Dynamic Reconfiguration
The organization includes dynamic reconfiguration of ir-4.2_prm_1[Assignment: organization-defined information system components] as part of the incident response capability.
IR-4(3)
Incident Handling | Continuity of Operations
Identify ir-4.3_prm_1[Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: ir-4.3_prm_2[Assignment: organization-defined actions to take in response to classes of incidents].
Incident Handling | Continuity of Operations
The organization identifies ir-4.3_prm_1[Assignment: organization-defined classes of incidents] and ir-4.3_prm_2[Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
IR-4(4)
Incident Handling | Information Correlation
Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
Incident Handling | Information Correlation
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
IR-4(5)
Incident Handling | Automatic Disabling of System
Implement a configurable capability to automatically disable the system if ir-4.5_prm_1[Assignment: organization-defined security violations] are detected.
Incident Handling | Automatic Disabling of Information System
The organization implements a configurable capability to automatically disable the information system if ir-4.5_prm_1[Assignment: organization-defined security violations] are detected.
IR-4(6)
Incident Handling | Insider Threats
Implement an incident handling capability for incidents involving insider threats.
Incident Handling | Insider Threats - Specific Capabilities
The organization implements incident handling capability for insider threats.
IR-4(7)
Incident Handling | Insider Threats — Intra-organization Coordination
Coordinate an incident handling capability for insider threats that includes the following organizational entities ir-4.7_prm_1[Assignment: organization-defined entities].
Incident Handling | Insider Threats - Intra-organization Coordination
The organization coordinates incident handling capability for insider threats across ir-4.7_prm_1[Assignment: organization-defined components or elements of the organization].
IR-4(8)
Incident Handling | Correlation with External Organizations
Coordinate with ir-4.8_prm_1[Assignment: organization-defined external organizations] to correlate and share ir-4.8_prm_2[Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Incident Handling | Correlation with External Organizations
The organization coordinates with ir-4.8_prm_1[Assignment: organization-defined external organizations] to correlate and share ir-4.8_prm_2[Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
IR-4(9)
Incident Handling | Dynamic Response Capability
Employ ir-4.9_prm_1[Assignment: organization-defined dynamic response capabilities] to respond to incidents.
Incident Handling | Dynamic Response Capability
The organization employs ir-4.9_prm_1[Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
IR-4(10)
Incident Handling | Supply Chain Coordination
Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.
Incident Handling | Supply Chain Coordination
The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.
IR-4(11)
Incident Handling | Integrated Incident Response Team
Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in ir-4.11_prm_1[Assignment: organization-defined time period].
No predecessor
IR-4(12)
Incident Handling | Malicious Code and Forensic Analysis
Analyze malicious code and/or other residual artifacts remaining in the system after the incident.
No predecessor
IR-4(13)
Incident Handling | Behavior Analysis
Analyze anomalous or suspected adversarial behavior in or related to ir-4.13_prm_1[Assignment: organization-defined environments or resources].
No predecessor
IR-4(14)
Incident Handling | Security Operations Center
Establish and maintain a security operations center.
No predecessor
IR-4(15)
Incident Handling | Public Relations and Reputation Repair
(a) Manage public relations associated with an incident; and
(b) Employ measures to repair the reputation of the organization.
No predecessor
IR-5
Incident MonitoringⓁ Ⓜ Ⓗ Ⓟ
Track and document incidents.
Incident MonitoringⓁ Ⓜ Ⓗ
The organization tracks and documents information system security incidents.
IR-5(1)
Incident Monitoring | Automated Tracking, Data Collection, and Analysis
Track incidents and collect and analyze incident information using ir-5.1_prm_1[Assignment: organization-defined automated mechanisms].
Incident Monitoring | Automated Tracking / Data Collection / Analysis
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
IR-6
Incident ReportingⓁ Ⓜ Ⓗ Ⓟ
a. Require personnel to report suspected incidents to the organizational incident response capability within ir-6_prm_1[Assignment: organization-defined time period]; and
b. Report incident information to ir-6_prm_2[Assignment: organization-defined authorities].
Incident ReportingⓁ Ⓜ Ⓗ
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within ir-6_prm_1[Assignment: organization-defined time period]; and
b. Reports security incident information to ir-6_prm_2[Assignment: organization-defined authorities].
IR-6(1)
Incident Reporting | Automated ReportingⓂ Ⓗ
Report incidents using ir-6.1_prm_1[Assignment: organization-defined automated mechanisms].
Incident Reporting | Automated ReportingⓂ Ⓗ
The organization employs automated mechanisms to assist in the reporting of security incidents.
IR-6(2)
Incident Reporting | Vulnerabilities Related to Incidents
Report system vulnerabilities associated with reported incidents to ir-6.2_prm_1[Assignment: organization-defined personnel or roles].
Incident Reporting | Vulnerabilities Related to Incidents
The organization reports information system vulnerabilities associated with reported security incidents to ir-6.2_prm_1[Assignment: organization-defined personnel or roles].
IR-6(3)
Incident Reporting | Supply Chain CoordinationⓂ Ⓗ
Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
Incident Reporting | Coordination with Supply Chain
The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.
IR-7
Incident Response AssistanceⓁ Ⓜ Ⓗ Ⓟ
Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.
Incident Response AssistanceⓁ Ⓜ Ⓗ
The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
IR-7(1)
Incident Response Assistance | Automation Support for Availability of Information and SupportⓂ Ⓗ
Increase the availability of incident response information and support using ir-7.1_prm_1[Assignment: organization-defined automated mechanisms].
Incident Response Assistance | Automation Support for Availability of Information / SupportⓂ Ⓗ
The organization employs automated mechanisms to increase the availability of incident response-related information and support.
IR-7(2)
Incident Response Assistance | Coordination with External Providers
(a) Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and
(b) Identify organizational incident response team members to the external providers.
Incident Response Assistance | Coordination with External Providers
The organization:
(a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
(b) Identifies organizational incident response team members to the external providers.
IR-8
Incident Response PlanⓁ Ⓜ Ⓗ Ⓟ
a. Develop an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
8. Addresses the sharing of incident information;
9. Is reviewed and approved by ir-8_prm_1[Assignment: organization-defined personnel or roles] ir-8_prm_2[Assignment: organization-defined frequency]; and
10. Explicitly designates responsibility for incident response to ir-8_prm_3[Assignment: organization-defined entities, personnel, or roles].
b. Distribute copies of the incident response plan to ir-8_prm_4[Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
d. Communicate incident response plan changes to ir-8_prm_5[Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
e. Protect the incident response plan from unauthorized disclosure and modification.
Incident Response PlanⓁ Ⓜ Ⓗ
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by ir-8_prm_1[Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to ir-8_prm_2[Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan ir-8_prm_3[Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to ir-8_prm_4[Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification.
IR-8(1)
Incident Response Plan | Breaches
Include the following in the Incident Response Plan for breaches involving personally identifiable information:
(a) A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
(b) An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and
(c) Identification of applicable privacy requirements.
No predecessor
IR-9
Information Spillage Response
Respond to information spills by:
a. Assigning ir-9_prm_1[Assignment: organization-defined personnel or roles] with responsibility for responding to information spills;
b. Identifying the specific information involved in the system contamination;
c. Alerting ir-9_prm_2[Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
d. Isolating the contaminated system or system component;
e. Eradicating the information from the contaminated system or component;
f. Identifying other systems or system components that may have been subsequently contaminated; and
g. Performing the following additional actions: ir-9_prm_3[Assignment: organization-defined actions].
Information Spillage Response
The organization responds to information spills by:
a. Identifying the specific information involved in the information system contamination;
b. Alerting ir-9_prm_1[Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
c. Isolating the contaminated information system or system component;
d. Eradicating the information from the contaminated information system or component;
e. Identifying other information systems or system components that may have been subsequently contaminated; and
f. Performing other ir-9_prm_2[Assignment: organization-defined actions].
IR-9(1)
Information Spillage Response | Responsible Personnel
Withdrawn — incorporated into IR-9.
Information Spillage Response | Responsible Personnel
The organization assigns ir-9.1_prm_1[Assignment: organization-defined personnel or roles] with responsibility for responding to information spills.
IR-9(2)
Information Spillage Response | Training
Provide information spillage response training ir-9.2_prm_1[Assignment: organization-defined frequency].
Information Spillage Response | Training
The organization provides information spillage response training ir-9.2_prm_1[Assignment: organization-defined frequency].
IR-9(3)
Information Spillage Response | Post-spill Operations
Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: ir-9.3_prm_1[Assignment: organization-defined procedures].
Information Spillage Response | Post-spill Operations
The organization implements ir-9.3_prm_1[Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
IR-9(4)
Information Spillage Response | Exposure to Unauthorized Personnel
Employ the following controls for personnel exposed to information not within assigned access authorizations: ir-9.4_prm_1[Assignment: organization-defined controls].
Information Spillage Response | Exposure to Unauthorized Personnel
The organization employs ir-9.4_prm_1[Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations.
IR-10
Integrated Information Security Analysis Team
Withdrawn — incorporated into IR-4(11).
Integrated Information Security Analysis Team
The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
MA-1
Policy and ProceduresⓁ Ⓜ Ⓗ
a. Develop, document, and disseminate to ma-1_prm_1[Assignment: organization-defined personnel or roles]:
1. ma-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] maintenance policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;
b. Designate an ma-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and
c. Review and update the current maintenance:
1. Policy ma-1_prm_4[Assignment: organization-defined frequency] and following ma-1_prm_5[Assignment: organization-defined events]; and
2. Procedures ma-1_prm_6[Assignment: organization-defined frequency] and following ma-1_prm_7[Assignment: organization-defined events].
System Maintenance Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to ma-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy ma-1_prm_2[Assignment: organization-defined frequency]; and
2. System maintenance procedures ma-1_prm_3[Assignment: organization-defined frequency].
MA-2
Controlled MaintenanceⓁ Ⓜ Ⓗ
a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;
c. Require that ma-2_prm_1[Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;
d. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ma-2_prm_2[Assignment: organization-defined information];
e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and
f. Include the following information in organizational maintenance records: ma-2_prm_3[Assignment: organization-defined information].
Controlled MaintenanceⓁ Ⓜ Ⓗ
The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that ma-2_prm_1[Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes ma-2_prm_2[Assignment: organization-defined maintenance-related information] in organizational maintenance records.
MA-2(1)
Controlled Maintenance | Record Content
Withdrawn — incorporated into MA-2.
Controlled Maintenance | Record Content
Withdrawn — incorporated into MA-2.
MA-2(2)
Controlled Maintenance | Automated Maintenance Activities
(a) Schedule, conduct, and document maintenance, repair, and replacement actions for the system using ma-2.2_prm_1[Assignment: organization-defined automated mechanisms]; and
(b) Produce up-to-date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed.
Controlled Maintenance | Automated Maintenance Activities
The organization:
(a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
(b) Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.
MA-3
Maintenance ToolsⓂ Ⓗ
a. Approve, control, and monitor the use of system maintenance tools; and
b. Review previously approved system maintenance tools ma-3_prm_1[Assignment: organization-defined frequency].
Maintenance ToolsⓂ Ⓗ
The organization approves, controls, and monitors information system maintenance tools.
MA-3(1)
Maintenance Tools | Inspect ToolsⓂ Ⓗ
Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.
Maintenance Tools | Inspect ToolsⓂ Ⓗ
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
MA-3(2)
Maintenance Tools | Inspect MediaⓂ Ⓗ
Check media containing diagnostic and test programs for malicious code before the media are used in the system.
Maintenance Tools | Inspect MediaⓂ Ⓗ
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
MA-3(3)
Maintenance Tools | Prevent Unauthorized RemovalⓂ Ⓗ
Prevent the removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from ma-3.3_prm_1[Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
Maintenance Tools | Prevent Unauthorized Removal
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from ma-3.3_prm_1[Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
MA-3(4)
Maintenance Tools | Restricted Tool Use
Restrict the use of maintenance tools to authorized personnel only.
Maintenance Tools | Restricted Tool Use
The information system restricts the use of maintenance tools to authorized personnel only.
MA-3(5)
Maintenance Tools | Execution with Privilege
Monitor the use of maintenance tools that execute with increased privilege.
No predecessor
MA-3(6)
Maintenance Tools | Software Updates and Patches
Inspect maintenance tools to ensure the latest software updates and patches are installed.
No predecessor
MA-4
Nonlocal MaintenanceⓁ Ⓜ Ⓗ
a. Approve and monitor nonlocal maintenance and diagnostic activities;
b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintain records for nonlocal maintenance and diagnostic activities; and
e. Terminate session and network connections when nonlocal maintenance is completed.
Nonlocal MaintenanceⓁ Ⓜ Ⓗ
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed.
MA-4(1)
Nonlocal Maintenance | Logging and Review
(a) Log ma-4.1_prm_1[Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and
(b) Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.
Nonlocal Maintenance | Auditing and Review
The organization:
(a) Audits nonlocal maintenance and diagnostic sessions ma-4.1_prm_1[Assignment: organization-defined audit events]; and
(b) Reviews the records of the maintenance and diagnostic sessions.
MA-4(2)
Nonlocal Maintenance | Document Nonlocal Maintenance
Withdrawn — incorporated into MA-1 and MA-4.
Nonlocal Maintenance | Document Nonlocal MaintenanceⓂ Ⓗ
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
MA-4(3)
Nonlocal Maintenance | Comparable Security and Sanitization
(a) Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
(b) Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.
Nonlocal Maintenance | Comparable Security / Sanitization
The organization:
(a) Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
(b) Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
MA-4(4)
Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions
Protect nonlocal maintenance sessions by:
(a) Employing ma-4.4_prm_1[Assignment: organization-defined authenticators that are replay resistant]; and
(b) Separating the maintenance sessions from other network sessions with the system by either:
(1) Physically separated communications paths; or
(2) Logically separated communications paths.
Nonlocal Maintenance | Authentication / Separation of Maintenance Sessions
The organization protects nonlocal maintenance sessions by:
(a) Employing ma-4.4_prm_1[Assignment: organization-defined authenticators that are replay resistant]; and
(b) Separating the maintenance sessions from other network sessions with the information system by either:
(1) Physically separated communications paths; or
(2) Logically separated communications paths based upon encryption.
MA-4(5)
Nonlocal Maintenance | Approvals and Notifications
(a) Require the approval of each nonlocal maintenance session by ma-4.5_prm_1[Assignment: organization-defined personnel or roles]; and
(b) Notify the following personnel or roles of the date and time of planned nonlocal maintenance: ma-4.5_prm_2[Assignment: organization-defined personnel or roles].
Nonlocal Maintenance | Approvals and Notifications
The organization:
(a) Requires the approval of each nonlocal maintenance session by ma-4.5_prm_1[Assignment: organization-defined personnel or roles]; and
(b) Notifies ma-4.5_prm_2[Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.
MA-4(6)
Nonlocal Maintenance | Cryptographic Protection
Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: ma-4.6_prm_1[Assignment: organization-defined cryptographic mechanisms].
Nonlocal Maintenance | Cryptographic Protection
The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
MA-4(7)
Nonlocal Maintenance | Disconnect Verification
Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions.
Nonlocal Maintenance | Remote Disconnect Verification
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.
MA-5
Maintenance PersonnelⓁ Ⓜ Ⓗ
a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;
b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and
c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Maintenance PersonnelⓁ Ⓜ Ⓗ
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
MA-5(1)
Maintenance Personnel | Individuals Without Appropriate Access
(a) Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
(1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and
(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
(b) Develop and implement ma-5.1_prm_1[Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system.
Maintenance Personnel | Individuals Without Appropriate Access
The organization:
(a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
(1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
(b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
MA-5(2)
Maintenance Personnel | Security Clearances for Classified Systems
Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for compartments of information on the system.
Maintenance Personnel | Security Clearances for Classified Systems
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.
MA-5(3)
Maintenance Personnel | Citizenship Requirements for Classified Systems
Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.
Maintenance Personnel | Citizenship Requirements for Classified Systems
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.
MA-5(4)
Maintenance Personnel | Foreign Nationals
Ensure that:
(a) Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
(b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.
Maintenance Personnel | Foreign Nationals
The organization ensures that:
(a) Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
(b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.
MA-5(5)
Maintenance Personnel | Non-system Maintenance
Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.
Maintenance Personnel | Nonsystem-related Maintenance
The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations.
MA-6
Timely MaintenanceⓂ Ⓗ
Obtain maintenance support and/or spare parts for ma-6_prm_1[Assignment: organization-defined system components] within ma-6_prm_2[Assignment: organization-defined time period] of failure.
Timely MaintenanceⓂ Ⓗ
The organization obtains maintenance support and/or spare parts for ma-6_prm_1[Assignment: organization-defined information system components] within ma-6_prm_2[Assignment: organization-defined time period] of failure.
MA-6(1)
Timely Maintenance | Preventive Maintenance
Perform preventive maintenance on ma-6.1_prm_1[Assignment: organization-defined system components] at ma-6.1_prm_2[Assignment: organization-defined time intervals].
Timely Maintenance | Preventive Maintenance
The organization performs preventive maintenance on ma-6.1_prm_1[Assignment: organization-defined information system components] at ma-6.1_prm_2[Assignment: organization-defined time intervals].
MA-6(2)
Timely Maintenance | Predictive Maintenance
Perform predictive maintenance on ma-6.2_prm_1[Assignment: organization-defined system components] at ma-6.2_prm_2[Assignment: organization-defined time intervals].
Timely Maintenance | Predictive Maintenance
The organization performs predictive maintenance on ma-6.2_prm_1[Assignment: organization-defined information system components] at ma-6.2_prm_2[Assignment: organization-defined time intervals].
MA-6(3)
Timely Maintenance | Automated Support for Predictive Maintenance
Transfer predictive maintenance data to a maintenance management system using ma-6.3_prm_1[Assignment: organization-defined automated mechanisms].
Timely Maintenance | Automated Support for Predictive Maintenance
The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system.
MA-7
Field Maintenance
Restrict or prohibit field maintenance on ma-7_prm_1[Assignment: organization-defined systems or system components] to ma-7_prm_2[Assignment: organization-defined trusted maintenance facilities].
No predecessor
MP-1
Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟ
a. Develop, document, and disseminate to mp-1_prm_1[Assignment: organization-defined personnel or roles]:
1. mp-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] media protection policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;
b. Designate an mp-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the media protection policy and procedures; and
c. Review and update the current media protection:
1. Policy mp-1_prm_4[Assignment: organization-defined frequency] and following mp-1_prm_5[Assignment: organization-defined events]; and
2. Procedures mp-1_prm_6[Assignment: organization-defined frequency] and following mp-1_prm_7[Assignment: organization-defined events].
Media Protection Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to mp-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy mp-1_prm_2[Assignment: organization-defined frequency]; and
2. Media protection procedures mp-1_prm_3[Assignment: organization-defined frequency].
MP-2
Media AccessⓁ Ⓜ Ⓗ
Restrict access to mp-2_prm_1[Assignment: organization-defined types of digital and/or non-digital media] to mp-2_prm_2[Assignment: organization-defined personnel or roles].
Media AccessⓁ Ⓜ Ⓗ
The organization restricts access to mp-2_prm_1[Assignment: organization-defined types of digital and/or non-digital media] to mp-2_prm_2[Assignment: organization-defined personnel or roles].
MP-2(1)
Media Access | Automated Restricted Access
Withdrawn — incorporated into MP-4(2).
Media Access | Automated Restricted Access
Withdrawn — incorporated into MP-4(2).
MP-2(2)
Media Access | Cryptographic Protection
Withdrawn — incorporated into SC-28(1).
Media Access | Cryptographic Protection
Withdrawn — incorporated into SC-28(1).
MP-3
Media MarkingⓂ Ⓗ
a. Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempt mp-3_prm_1[Assignment: organization-defined types of system media] from marking if the media remain within mp-3_prm_2[Assignment: organization-defined controlled areas].
Media MarkingⓂ Ⓗ
The organization:
a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts mp-3_prm_1[Assignment: organization-defined types of information system media] from marking as long as the media remain within mp-3_prm_2[Assignment: organization-defined controlled areas].
MP-4
Media StorageⓂ Ⓗ
a. Physically control and securely store mp-4_prm_1[Assignment: organization-defined types of digital and/or non-digital media] within mp-4_prm_2[Assignment: organization-defined controlled areas]; and
b. Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Media StorageⓂ Ⓗ
The organization:
a. Physically controls and securely stores mp-4_prm_1[Assignment: organization-defined types of digital and/or non-digital media] within mp-4_prm_2[Assignment: organization-defined controlled areas]; and
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-4(1)
Media Storage | Cryptographic Protection
Withdrawn — incorporated into SC-28(1).
Media Storage | Cryptographic Protection
Withdrawn — incorporated into SC-28(1).
MP-4(2)
Media Storage | Automated Restricted Access
Restrict access to media storage areas and log access attempts and access granted using mp-4.2_prm_1[Assignment: organization-defined automated mechanisms].
Media Storage | Automated Restricted Access
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
MP-5
Media TransportⓂ Ⓗ
a. Protect and control mp-5_prm_1[Assignment: organization-defined types of system media] during transport outside of controlled areas using mp-5_prm_2[Assignment: organization-defined controls];
b. Maintain accountability for system media during transport outside of controlled areas;
c. Document activities associated with the transport of system media; and
d. Restrict the activities associated with the transport of system media to authorized personnel.
Media TransportⓂ Ⓗ
The organization:
a. Protects and controls mp-5_prm_1[Assignment: organization-defined types of information system media] during transport outside of controlled areas using mp-5_prm_2[Assignment: organization-defined security safeguards];
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to authorized personnel.
MP-5(1)
Media Transport | Protection Outside of Controlled Areas
Withdrawn — incorporated into MP-5.
Media Transport | Protection Outside of Controlled Areas
Withdrawn — incorporated into MP-5.
MP-5(2)
Media Transport | Documentation of Activities
Withdrawn — incorporated into MP-5.
Media Transport | Documentation of Activities
Withdrawn — incorporated into MP-5.
MP-5(3)
Media Transport | Custodians
Employ an identified custodian during transport of system media outside of controlled areas.
Media Transport | Custodians
The organization employs an identified custodian during transport of information system media outside of controlled areas.
MP-5(4)
Media Transport | Cryptographic Protection
Withdrawn — incorporated into SC-28(1).
Media Transport | Cryptographic ProtectionⓂ Ⓗ
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
MP-6
Media SanitizationⓁ Ⓜ Ⓗ Ⓟ
a. Sanitize mp-6_prm_1[Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using mp-6_prm_2[Assignment: organization-defined sanitization techniques and procedures]; and
b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
Media SanitizationⓁ Ⓜ Ⓗ
The organization:
a. Sanitizes mp-6_prm_1[Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using mp-6_prm_2[Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
MP-6(1)
Media Sanitization | Review, Approve, Track, Document, and Verify
Review, approve, track, document, and verify media sanitization and disposal actions.
Media Sanitization | Review / Approve / Track / Document / Verify
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.
MP-6(2)
Media Sanitization | Equipment Testing
Test sanitization equipment and procedures mp-6.2_prm_1[Assignment: organization-defined frequency] to ensure that the intended sanitization is being achieved.
Media Sanitization | Equipment Testing
The organization tests sanitization equipment and procedures mp-6.2_prm_1[Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved.
MP-6(3)
Media Sanitization | Nondestructive Techniques
Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: mp-6.3_prm_1[Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
Media Sanitization | Nondestructive Techniques
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: mp-6.3_prm_1[Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
MP-6(4)
Media Sanitization | Controlled Unclassified Information
Withdrawn — incorporated into MP-6.
Media Sanitization | Controlled Unclassified Information
Withdrawn — incorporated into MP-6.
MP-6(5)
Media Sanitization | Classified Information
Withdrawn — incorporated into MP-6.
Media Sanitization | Classified Information
Withdrawn — incorporated into MP-6.
MP-6(6)
Media Sanitization | Media Destruction
Withdrawn — incorporated into MP-6.
Media Sanitization | Media Destruction
Withdrawn — incorporated into MP-6.
MP-6(7)
Media Sanitization | Dual Authorization
Enforce dual authorization for the sanitization of mp-6.7_prm_1[Assignment: organization-defined system media].
Media Sanitization | Dual Authorization
The organization enforces dual authorization for the sanitization of mp-6.7_prm_1[Assignment: organization-defined information system media].
MP-6(8)
Media Sanitization | Remote Purging or Wiping of Information
Provide the capability to purge or wipe information from mp-6.8_prm_1[Assignment: organization-defined systems or system components] mp-6.8_prm_2[Selection: remotely or under the following conditions: or mp-6.8_prm_3[Assignment: organization-defined conditions]].
Media Sanitization | Remote Purging / Wiping of Information
The organization provides the capability to purge/wipe information from mp-6.8_prm_1[Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: mp-6.8_prm_2[Assignment: organization-defined conditions].
MP-7
Media UseⓁ Ⓜ Ⓗ
a. mp-7_prm_1[Selection: Restrict or Prohibit] the use of mp-7_prm_2[Assignment: organization-defined types of system media] on mp-7_prm_3[Assignment: organization-defined systems or system components] using mp-7_prm_4[Assignment: organization-defined controls]; and
b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.
Media UseⓁ Ⓜ Ⓗ
The organization mp-7_prm_1[Selection: restricts or prohibits] the use of mp-7_prm_2[Assignment: organization-defined types of information system media] on mp-7_prm_3[Assignment: organization-defined information systems or system components] using mp-7_prm_4[Assignment: organization-defined security safeguards].
MP-7(1)
Media Use | Prohibit Use Without Owner
Withdrawn — incorporated into MP-7.
Media Use | Prohibit Use Without OwnerⓂ Ⓗ
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
MP-7(2)
Media Use | Prohibit Use of Sanitization-resistant Media
Prohibit the use of sanitization-resistant media in organizational systems.
Media Use | Prohibit Use of Sanitization-resistant Media
The organization prohibits the use of sanitization-resistant media in organizational information systems.
MP-8
Media Downgrading
a. Establish mp-8_prm_1[Assignment: organization-defined system media downgrading process] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;
b. Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
c. Identify mp-8_prm_2[Assignment: organization-defined system media requiring downgrading]; and
d. Downgrade the identified system media using the established process.
Media Downgrading
The organization:
a. Establishes mp-8_prm_1[Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with mp-8_prm_2[Assignment: organization-defined strength and integrity];
b. Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
c. Identifies mp-8_prm_3[Assignment: organization-defined information system media requiring downgrading]; and
d. Downgrades the identified information system media using the established process.
MP-8(1)
Media Downgrading | Documentation of Process
Document system media downgrading actions.
Media Downgrading | Documentation of Process
The organization documents information system media downgrading actions.
MP-8(2)
Media Downgrading | Equipment Testing
Test downgrading equipment and procedures mp-8.2_prm_1[Assignment: organization-defined frequency] to ensure that downgrading actions are being achieved.
Media Downgrading | Equipment Testing
The organization employs mp-8.2_prm_1[Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance mp-8.2_prm_2[Assignment: organization-defined frequency].
MP-8(3)
Media Downgrading | Controlled Unclassified Information
Downgrade system media containing controlled unclassified information prior to public release.
Media Downgrading | Controlled Unclassified Information
The organization downgrades information system media containing mp-8.3_prm_1[Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies.
MP-8(4)
Media Downgrading | Classified Information
Downgrade system media containing classified information prior to release to individuals without required access authorizations.
Media Downgrading | Classified Information
The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.
PE-1
Policy and ProceduresⓁ Ⓜ Ⓗ
a. Develop, document, and disseminate to pe-1_prm_1[Assignment: organization-defined personnel or roles]:
1. pe-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] physical and environmental protection policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;
b. Designate an pe-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and
c. Review and update the current physical and environmental protection:
1. Policy pe-1_prm_4[Assignment: organization-defined frequency] and following pe-1_prm_5[Assignment: organization-defined events]; and
2. Procedures pe-1_prm_6[Assignment: organization-defined frequency] and following pe-1_prm_7[Assignment: organization-defined events].
Physical and Environmental Protection Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to pe-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy pe-1_prm_2[Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures pe-1_prm_3[Assignment: organization-defined frequency].
PE-2
Physical Access AuthorizationsⓁ Ⓜ Ⓗ
a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;
b. Issue authorization credentials for facility access;
c. Review the access list detailing authorized facility access by individuals pe-2_prm_1[Assignment: organization-defined frequency]; and
d. Remove individuals from the facility access list when access is no longer required.
Physical Access AuthorizationsⓁ Ⓜ Ⓗ
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals pe-2_prm_1[Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required.
PE-2(1)
Physical Access Authorizations | Access by Position or Role
Authorize physical access to the facility where the system resides based on position or role.
Physical Access Authorizations | Access by Position / Role
The organization authorizes physical access to the facility where the information system resides based on position or role.
PE-2(2)
Physical Access Authorizations | Two Forms of Identification
Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: pe-2.2_prm_1[Assignment: organization-defined list of acceptable forms of identification].
Physical Access Authorizations | Two Forms of Identification
The organization requires two forms of identification from pe-2.2_prm_1[Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides.
PE-2(3)
Physical Access Authorizations | Restrict Unescorted Access
Restrict unescorted access to the facility where the system resides to personnel with pe-2.3_prm_1[Selection: security clearances for all information contained within the system or formal access authorizations for all information contained within the system or need for access to all information contained within the system or pe-2.3_prm_2[Assignment: organization-defined physical access authorizations]].
Physical Access Authorizations | Restrict Unescorted Access
The organization restricts unescorted access to the facility where the information system resides to personnel with pe-2.3_prm_1[Selection: security clearances for all information contained within the system or formal access authorizations for all information contained within the system or need for access to all information contained within the system or pe-2.3_prm_2[Assignment: organization-defined credentials]].
PE-3
Physical Access ControlⓁ Ⓜ Ⓗ
a. Enforce physical access authorizations at pe-3_prm_1[Assignment: organization-defined entry and exit points to the facility where the system resides] by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress and egress to the facility using pe-3_prm_2[Selection: pe-3_prm_3[Assignment: organization-defined physical access control systems or devices] or guards];
b. Maintain physical access audit logs for pe-3_prm_4[Assignment: organization-defined entry or exit points];
c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: pe-3_prm_5[Assignment: organization-defined physical access controls];
d. Escort visitors and control visitor activity pe-3_prm_6[Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity];
e. Secure keys, combinations, and other physical access devices;
f. Inventory pe-3_prm_7[Assignment: organization-defined physical access devices] every pe-3_prm_8[Assignment: organization-defined frequency]; and
g. Change combinations and keys pe-3_prm_9[Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
Physical Access ControlⓁ Ⓜ Ⓗ
The organization:
a. Enforces physical access authorizations at pe-3_prm_1[Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using pe-3_prm_2[Selection: pe-3_prm_3[Assignment: organization-defined physical access control systems/devices] or guards];
b. Maintains physical access audit logs for pe-3_prm_4[Assignment: organization-defined entry/exit points];
c. Provides pe-3_prm_5[Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity pe-3_prm_6[Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories pe-3_prm_7[Assignment: organization-defined physical access devices] every pe-3_prm_8[Assignment: organization-defined frequency]; and
g. Changes combinations and keys pe-3_prm_9[Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
PE-3(1)
Physical Access Control | System Access
Enforce physical access authorizations to the system in addition to the physical access controls for the facility at pe-3.1_prm_1[Assignment: organization-defined physical spaces containing one or more components of the system].
Physical Access Control | Information System Access
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at pe-3.1_prm_1[Assignment: organization-defined physical spaces containing one or more components of the information system].
PE-3(2)
Physical Access Control | Facility and Systems
Perform security checks pe-3.2_prm_1[Assignment: organization-defined frequency] at the physical perimeter of the facility or system for exfiltration of information or removal of system components.
Physical Access Control | Facility / Information System Boundaries
The organization performs security checks pe-3.2_prm_1[Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
PE-3(3)
Physical Access Control | Continuous Guards
Employ guards to control pe-3.3_prm_1[Assignment: organization-defined physical access points] to the facility where the system resides 24 hours per day, 7 days per week.
Physical Access Control | Continuous Guards / Alarms / Monitoring
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
PE-3(4)
Physical Access Control | Lockable Casings
Use lockable physical casings to protect pe-3.4_prm_1[Assignment: organization-defined system components] from unauthorized physical access.
Physical Access Control | Lockable Casings
The organization uses lockable physical casings to protect pe-3.4_prm_1[Assignment: organization-defined information system components] from unauthorized physical access.
PE-3(5)
Physical Access Control | Tamper Protection
Employ pe-3.5_prm_1[Assignment: organization-defined anti-tamper technologies] to pe-3.5_prm_2[Selection: detect or prevent] physical tampering or alteration of pe-3.5_prm_3[Assignment: organization-defined hardware components] within the system.
Physical Access Control | Tamper Protection
The organization employs pe-3.5_prm_1[Assignment: organization-defined security safeguards] to pe-3.5_prm_2[Selection: detect or prevent] physical tampering or alteration of pe-3.5_prm_3[Assignment: organization-defined hardware components] within the information system.
PE-3(6)
Physical Access Control | Facility Penetration Testing
Withdrawn — incorporated into CA-8.
Physical Access Control | Facility Penetration Testing
The organization employs a penetration testing process that includes pe-3.6_prm_1[Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
PE-3(7)
Physical Access Control | Physical Barriers
Limit access using physical barriers.
No predecessor
PE-3(8)
Physical Access Control | Access Control Vestibules
Employ access control vestibules at pe-3.8_prm_1[Assignment: organization-defined locations within the facility].
No predecessor
PE-4
Access Control for TransmissionⓂ Ⓗ
Control physical access to pe-4_prm_1[Assignment: organization-defined system distribution and transmission lines] within organizational facilities using pe-4_prm_2[Assignment: organization-defined security controls].
Access Control for Transmission MediumⓂ Ⓗ
The organization controls physical access to pe-4_prm_1[Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using pe-4_prm_2[Assignment: organization-defined security safeguards].
PE-5
Access Control for Output DevicesⓂ Ⓗ
Control physical access to output from pe-5_prm_1[Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output.
Access Control for Output DevicesⓂ Ⓗ
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
PE-5(1)
Access Control for Output Devices | Access to Output by Authorized Individuals
Withdrawn — incorporated into PE-5.
Access Control for Output Devices | Access to Output by Authorized Individuals
The organization:
(a) Controls physical access to output from pe-5.1_prm_1[Assignment: organization-defined output devices]; and
(b) Ensures that only authorized individuals receive output from the device.
PE-5(2)
Access Control for Output Devices | Link to Individual Identity
Link individual identity to receipt of output from output devices.
Access Control for Output Devices | Access to Output by Individual Identity
The information system:
(a) Controls physical access to output from pe-5.2_prm_1[Assignment: organization-defined output devices]; and
(b) Links individual identity to receipt of the output from the device.
PE-5(3)
Access Control for Output Devices | Marking Output Devices
Withdrawn — incorporated into PE-22.
Access Control for Output Devices | Marking Output Devices
The organization marks pe-5.3_prm_1[Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device.
PE-6
Monitoring Physical AccessⓁ Ⓜ Ⓗ
a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;
b. Review physical access logs pe-6_prm_1[Assignment: organization-defined frequency] and upon occurrence of pe-6_prm_2[Assignment: organization-defined events or potential indications of events]; and
c. Coordinate results of reviews and investigations with the organizational incident response capability.
Monitoring Physical AccessⓁ Ⓜ Ⓗ
The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs pe-6_prm_1[Assignment: organization-defined frequency] and upon occurrence of pe-6_prm_2[Assignment: organization-defined events or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability.
PE-6(1)
Monitoring Physical Access | Intrusion Alarms and Surveillance EquipmentⓂ Ⓗ
Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.
Monitoring Physical Access | Intrusion Alarms / Surveillance EquipmentⓂ Ⓗ
The organization monitors physical intrusion alarms and surveillance equipment.
PE-6(2)
Monitoring Physical Access | Automated Intrusion Recognition and Responses
Recognize pe-6.2_prm_1[Assignment: organization-defined classes or types of intrusions] and initiate pe-6.2_prm_2[Assignment: organization-defined response actions] using pe-6.2_prm_3[Assignment: organization-defined automated mechanisms].
Monitoring Physical Access | Automated Intrusion Recognition / Responses
The organization employs automated mechanisms to recognize pe-6.2_prm_1[Assignment: organization-defined classes/types of intrusions] and initiate pe-6.2_prm_2[Assignment: organization-defined response actions].
PE-6(3)
Monitoring Physical Access | Video Surveillance
(a) Employ video surveillance of pe-6.3_prm_1[Assignment: organization-defined operational areas];
(b) Review video recordings pe-6.3_prm_2[Assignment: organization-defined frequency]; and
(c) Retain video recordings for pe-6.3_prm_3[Assignment: organization-defined time period].
Monitoring Physical Access | Video Surveillance
The organization employs video surveillance of pe-6.3_prm_1[Assignment: organization-defined operational areas] and retains video recordings for pe-6.3_prm_2[Assignment: organization-defined time period].
PE-6(4)
Monitoring Physical Access | Monitoring Physical Access to Systems
Monitor physical access to the system in addition to the physical access monitoring of the facility at pe-6.4_prm_1[Assignment: organization-defined physical spaces containing one or more components of the system].
Monitoring Physical Access | Monitoring Physical Access to Information Systems
The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as pe-6.4_prm_1[Assignment: organization-defined physical spaces containing one or more components of the information system].
PE-7
Visitor Control
Withdrawn — incorporated into PE-2 and PE-3.
Visitor Control
Withdrawn — incorporated into PE-2 and PE-3.
PE-8
Visitor Access RecordsⓁ Ⓜ Ⓗ
a. Maintain visitor access records to the facility where the system resides for pe-8_prm_1[Assignment: organization-defined time period];
b. Review visitor access records pe-8_prm_2[Assignment: organization-defined frequency]; and
c. Report anomalies in visitor access records to pe-8_prm_3[Assignment: organization-defined personnel].
Visitor Access RecordsⓁ Ⓜ Ⓗ
The organization:
a. Maintains visitor access records to the facility where the information system resides for pe-8_prm_1[Assignment: organization-defined time period]; and
b. Reviews visitor access records pe-8_prm_2[Assignment: organization-defined frequency].
PE-8(1)
Visitor Access Records | Automated Records Maintenance and Review
Maintain and review visitor access records using pe-8.1_prm_1[Assignment: organization-defined automated mechanisms].
Visitor Access Records | Automated Records Maintenance / Review
The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.
PE-8(2)
Visitor Access Records | Physical Access Records
Withdrawn — incorporated into PE-2.
Visitor Access Records | Physical Access Records
Withdrawn — incorporated into PE-2.
PE-8(3)
Visitor Access Records | Limit Personally Identifiable Information Elements
Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: pe-8.3_prm_1[Assignment: organization-defined elements].
No predecessor
PE-9
Power Equipment and CablingⓂ Ⓗ
Protect power equipment and power cabling for the system from damage and destruction.
Power Equipment and CablingⓂ Ⓗ
The organization protects power equipment and power cabling for the information system from damage and destruction.
PE-9(1)
Power Equipment and Cabling | Redundant Cabling
Employ redundant power cabling paths that are physically separated by pe-9.1_prm_1[Assignment: organization-defined distance].
Power Equipment and Cabling | Redundant Cabling
The organization employs redundant power cabling paths that are physically separated by pe-9.1_prm_1[Assignment: organization-defined distance].
PE-9(2)
Power Equipment and Cabling | Automatic Voltage Controls
Employ automatic voltage controls for pe-9.2_prm_1[Assignment: organization-defined critical system components].
Power Equipment and Cabling | Automatic Voltage Controls
The organization employs automatic voltage controls for pe-9.2_prm_1[Assignment: organization-defined critical information system components].
PE-10
Emergency ShutoffⓂ Ⓗ
a. Provide the capability of shutting off power to pe-10_prm_1[Assignment: organization-defined system or individual system components] in emergency situations;
b. Place emergency shutoff switches or devices in pe-10_prm_2[Assignment: organization-defined location by system or system component] to facilitate access for authorized personnel; and
c. Protect emergency power shutoff capability from unauthorized activation.
Emergency ShutoffⓂ Ⓗ
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in pe-10_prm_1[Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
PE-10(1)
Emergency Shutoff | Accidental and Unauthorized Activation
Withdrawn — incorporated into PE-10.
Emergency Shutoff | Accidental / Unauthorized Activation
Withdrawn — incorporated into PE-10.
PE-11
Emergency PowerⓂ Ⓗ
Provide an uninterruptible power supply to facilitate pe-11_prm_1[Selection: an orderly shutdown of the system or transition of the system to long-term alternate power] in the event of a primary power source loss.
Emergency PowerⓂ Ⓗ
The organization provides a short-term uninterruptible power supply to facilitate pe-11_prm_1[Selection: an orderly shutdown of the information system or transition of the information system to long-term alternate power] in the event of a primary power source loss.
PE-11(1)
Emergency Power | Alternate Power Supply — Minimal Operational Capability
Provide an alternate power supply for the system that is activated pe-11.1_prm_1[Selection: manually or automatically] and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.
Emergency Power | Long-term Alternate Power Supply - Minimal Operational Capability
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
PE-11(2)
Emergency Power | Alternate Power Supply — Self-contained
Provide an alternate power supply for the system that is activated pe-11.2_prm_1[Selection: manually or automatically] and that is:
(a) Self-contained;
(b) Not reliant on external power generation; and
(c) Capable of maintaining pe-11.2_prm_2[Selection: minimally required operational capability or full operational capability] in the event of an extended loss of the primary power source.
Emergency Power | Long-term Alternate Power Supply - Self-contained
The organization provides a long-term alternate power supply for the information system that is:
(a) Self-contained;
(b) Not reliant on external power generation; and
(c) Capable of maintaining pe-11.2_prm_1[Selection: minimally required operational capability or full operational capability] in the event of an extended loss of the primary power source.
PE-12
Emergency LightingⓁ Ⓜ Ⓗ
Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Emergency LightingⓁ Ⓜ Ⓗ
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
PE-12(1)
Emergency Lighting | Essential Mission and Business Functions
Provide emergency lighting for all areas within the facility supporting essential mission and business functions.
Emergency Lighting | Essential Missions / Business Functions
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
PE-13
Fire ProtectionⓁ Ⓜ Ⓗ
Employ and maintain fire detection and suppression systems that are supported by an independent energy source.
Fire ProtectionⓁ Ⓜ Ⓗ
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
PE-13(1)
Fire Protection | Detection Systems — Automatic Activation and NotificationⓂ Ⓗ
Employ fire detection systems that activate automatically and notify pe-13.1_prm_1[Assignment: organization-defined personnel or roles] and pe-13.1_prm_2[Assignment: organization-defined emergency responders] in the event of a fire.
Fire Protection | Detection Devices / Systems
The organization employs fire detection devices/systems for the information system that activate automatically and notify pe-13.1_prm_1[Assignment: organization-defined personnel or roles] and pe-13.1_prm_2[Assignment: organization-defined emergency responders] in the event of a fire.
PE-13(2)
Fire Protection | Suppression Systems — Automatic Activation and Notification
(a) Employ fire suppression systems that activate automatically and notify pe-13.2_prm_1[Assignment: organization-defined personnel or roles] and pe-13.2_prm_2[Assignment: organization-defined emergency responders]; and
(b) Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis.
Fire Protection | Suppression Devices / Systems
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to pe-13.2_prm_1[Assignment: organization-defined personnel or roles] and pe-13.2_prm_2[Assignment: organization-defined emergency responders].
PE-13(3)
Fire Protection | Automatic Fire Suppression
Withdrawn — incorporated into PE-13(2).
Fire Protection | Automatic Fire SuppressionⓂ Ⓗ
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
PE-13(4)
Fire Protection | Inspections
Ensure that the facility undergoes pe-13.4_prm_1[Assignment: organization-defined frequency] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within pe-13.4_prm_2[Assignment: organization-defined time period].
Fire Protection | Inspections
The organization ensures that the facility undergoes pe-13.4_prm_1[Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within pe-13.4_prm_2[Assignment: organization-defined time period].
PE-14
Environmental ControlsⓁ Ⓜ Ⓗ
a. Maintain pe-14_prm_1[Selection: temperature or humidity or pressure or radiation or pe-14_prm_2[Assignment: organization-defined environmental control]] levels within the facility where the system resides at pe-14_prm_3[Assignment: organization-defined acceptable levels]; and
b. Monitor environmental control levels pe-14_prm_4[Assignment: organization-defined frequency].
Temperature and Humidity ControlsⓁ Ⓜ Ⓗ
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at pe-14_prm_1[Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels pe-14_prm_2[Assignment: organization-defined frequency].
PE-14(1)
Environmental Controls | Automatic Controls
Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: pe-14.1_prm_1[Assignment: organization-defined automatic environmental controls].
Temperature and Humidity Controls | Automatic Controls
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
PE-14(2)
Environmental Controls | Monitoring with Alarms and Notifications
Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to pe-14.2_prm_1[Assignment: organization-defined personnel or roles].
Temperature and Humidity Controls | Monitoring with Alarms / Notifications
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
PE-15
Water Damage ProtectionⓁ Ⓜ Ⓗ
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Water Damage ProtectionⓁ Ⓜ Ⓗ
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
PE-15(1)
Water Damage Protection | Automation Support
Detect the presence of water near the system and alert pe-15.1_prm_1[Assignment: organization-defined personnel or roles] using pe-15.1_prm_2[Assignment: organization-defined automated mechanisms].
Water Damage Protection | Automation Support
The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts pe-15.1_prm_1[Assignment: organization-defined personnel or roles].
PE-16
Delivery and RemovalⓁ Ⓜ Ⓗ
a. Authorize and control pe-16_prm_1[Assignment: organization-defined types of system components] entering and exiting the facility; and
b. Maintain records of the system components.
Delivery and RemovalⓁ Ⓜ Ⓗ
The organization authorizes, monitors, and controls pe-16_prm_1[Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
PE-17
Alternate Work SiteⓂ Ⓗ
a. Determine and document the pe-17_prm_1[Assignment: organization-defined alternate work sites] allowed for use by employees;
b. Employ the following controls at alternate work sites: pe-17_prm_2[Assignment: organization-defined controls];
c. Assess the effectiveness of controls at alternate work sites; and
d. Provide a means for employees to communicate with information security and privacy personnel in case of incidents.
Alternate Work SiteⓂ Ⓗ
The organization:
a. Employs pe-17_prm_1[Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
PE-18
Location of System Components
Position system components within the facility to minimize potential damage from pe-18_prm_1[Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
Location of Information System Components
The organization positions information system components within the facility to minimize potential damage from pe-18_prm_1[Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
PE-18(1)
Location of System Components | Facility Site
Withdrawn — moved to PE-23.
Location of Information System Components | Facility Site
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
PE-19
Information Leakage
Protect the system from information leakage due to electromagnetic signals emanations.
Information Leakage
The organization protects the information system from information leakage due to electromagnetic signals emanations.
PE-19(1)
Information Leakage | National Emissions Policies and Procedures
Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information.
Information Leakage | National Emissions / Tempest Policies and Procedures
The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.
PE-20
Asset Monitoring and Tracking
Employ pe-20_prm_1[Assignment: organization-defined asset location technologies] to track and monitor the location and movement of pe-20_prm_2[Assignment: organization-defined assets] within pe-20_prm_3[Assignment: organization-defined controlled areas].
Asset Monitoring and Tracking
The organization:
a. Employs pe-20_prm_1[Assignment: organization-defined asset location technologies] to track and monitor the location and movement of pe-20_prm_2[Assignment: organization-defined assets] within pe-20_prm_3[Assignment: organization-defined controlled areas]; and
b. Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
PE-21
Electromagnetic Pulse Protection
Employ pe-21_prm_1[Assignment: organization-defined protective measures] against electromagnetic pulse damage for pe-21_prm_2[Assignment: organization-defined systems and system components].
No predecessor
PE-22
Component Marking
Mark pe-22_prm_1[Assignment: organization-defined system hardware components] indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.
No predecessor
PE-23
Facility Location
a. Plan the location or site of the facility where the system resides considering physical and environmental hazards; and
b. For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy.
No predecessor
PL-1
Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟ
a. Develop, document, and disseminate to pl-1_prm_1[Assignment: organization-defined personnel or roles]:
1. pl-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] planning policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the planning policy and the associated planning controls;
b. Designate an pl-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the planning policy and procedures; and
c. Review and update the current planning:
1. Policy pl-1_prm_4[Assignment: organization-defined frequency] and following pl-1_prm_5[Assignment: organization-defined events]; and
2. Procedures pl-1_prm_6[Assignment: organization-defined frequency] and following pl-1_prm_7[Assignment: organization-defined events].
Security Planning Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to pl-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy pl-1_prm_2[Assignment: organization-defined frequency]; and
2. Security planning procedures pl-1_prm_3[Assignment: organization-defined frequency].
PL-2
System Security and Privacy PlansⓁ Ⓜ Ⓗ Ⓟ
a. Develop security and privacy plans for the system that:
1. Are consistent with the organization’s enterprise architecture;
2. Explicitly define the constituent system components;
3. Describe the operational context of the system in terms of mission and business processes;
4. Identify the individuals that fulfill system roles and responsibilities;
5. Identify the information types processed, stored, and transmitted by the system;
6. Provide the security categorization of the system, including supporting rationale;
7. Describe any specific threats to the system that are of concern to the organization;
8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
10. Provide an overview of the security and privacy requirements for the system;
11. Identify any relevant control baselines or overlays, if applicable;
12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
13. Include risk determinations for security and privacy architecture and design decisions;
14. Include security- and privacy-related activities affecting the system that require planning and coordination with pl-2_prm_1[Assignment: organization-defined individuals or groups]; and
15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
b. Distribute copies of the plans and communicate subsequent changes to the plans to pl-2_prm_2[Assignment: organization-defined personnel or roles];
c. Review the plans pl-2_prm_3[Assignment: organization-defined frequency];
d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
e. Protect the plans from unauthorized disclosure and modification.
System Security PlanⓁ Ⓜ Ⓗ
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization’s enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to pl-2_prm_1[Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system pl-2_prm_2[Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.
PL-2(1)
System Security and Privacy Plans | Concept of Operations
Withdrawn — incorporated into PL-7.
System Security Plan | Concept of Operations
Withdrawn — incorporated into PL-7.
PL-2(2)
System Security and Privacy Plans | Functional Architecture
Withdrawn — incorporated into PL-8.
System Security Plan | Functional Architecture
Withdrawn — incorporated into PL-8.
PL-2(3)
System Security and Privacy Plans | Plan and Coordinate with Other Organizational Entities
Withdrawn — incorporated into PL-2.
System Security Plan | Plan / Coordinate with Other Organizational EntitiesⓂ Ⓗ
The organization plans and coordinates security-related activities affecting the information system with pl-2.3_prm_1[Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.
PL-3
System Security Plan Update
Withdrawn — incorporated into PL-2.
System Security Plan Update
Withdrawn — incorporated into PL-2.
PL-4
Rules of BehaviorⓁ Ⓜ Ⓗ Ⓟ
a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;
c. Review and update the rules of behavior pl-4_prm_1[Assignment: organization-defined frequency]; and
d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge pl-4_prm_2[Selection: pl-4_prm_3[Assignment: organization-defined frequency] or when the rules are revised or updated].
Rules of BehaviorⓁ Ⓜ Ⓗ
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior pl-4_prm_1[Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
PL-4(1)
Rules of Behavior | Social Media and External Site/application Usage RestrictionsⓁ Ⓜ Ⓗ Ⓟ
Include in the rules of behavior, restrictions on:
(a) Use of social media, social networking sites, and external sites/applications;
(b) Posting organizational information on public websites; and
(c) Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
Rules of Behavior | Social Media and Networking RestrictionsⓂ Ⓗ
The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.
PL-5
Privacy Impact Assessment
Withdrawn — incorporated into RA-8.
Privacy Impact Assessment
Withdrawn — incorporated into RA-8.
PL-6
Security-related Activity Planning
Withdrawn — incorporated into PL-2.
Security-related Activity Planning
Withdrawn — incorporated into PL-2.
PL-7
Concept of Operations
a. Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and
b. Review and update the CONOPS pl-7_prm_1[Assignment: organization-defined frequency].
Security Concept of Operations
The organization:
a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
b. Reviews and updates the CONOPS pl-7_prm_1[Assignment: organization-defined frequency].
PL-8
Security and Privacy ArchitecturesⓂ Ⓗ Ⓟ
a. Develop security and privacy architectures for the system that:
1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
3. Describe how the architectures are integrated into and support the enterprise architecture; and
4. Describe any assumptions about, and dependencies on, external systems and services;
b. Review and update the architectures pl-8_prm_1[Assignment: organization-defined frequency] to reflect changes in the enterprise architecture; and
c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.
Information Security Architecture Ⓜ Ⓗ
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture pl-8_prm_1[Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
PL-8(1)
Security and Privacy Architectures | Defense in Depth
Design the security and privacy architectures for the system using a defense-in-depth approach that:
(a) Allocates pl-8.1_prm_1[Assignment: organization-defined controls] to pl-8.1_prm_2[Assignment: organization-defined locations and architectural layers]; and
(b) Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.
Information Security Architecture | Defense-in-depth
The organization designs its security architecture using a defense-in-depth approach that:
(a) Allocates pl-8.1_prm_1[Assignment: organization-defined security safeguards] to pl-8.1_prm_2[Assignment: organization-defined locations and architectural layers]; and
(b) Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.
PL-8(2)
Security and Privacy Architectures | Supplier Diversity
Require that pl-8.2_prm_1[Assignment: organization-defined controls] allocated to pl-8.2_prm_2[Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.
Information Security Architecture | Supplier Diversity
The organization requires that pl-8.2_prm_1[Assignment: organization-defined security safeguards] allocated to pl-8.2_prm_2[Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.
PL-9
Central Management
Centrally manage pl-9_prm_1[Assignment: organization-defined controls and related processes].
Central Management
The organization centrally manages pl-9_prm_1[Assignment: organization-defined security controls and related processes].
PL-10
Baseline Selection Ⓛ Ⓜ Ⓗ
Select a control baseline for the system.
No predecessor
PL-11
Baseline Tailoring Ⓛ Ⓜ Ⓗ
Tailor the selected control baseline by applying specified tailoring actions.
No predecessor
PM-1
Information Security Program Plan
a. Develop and disseminate an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects the coordination among organizational entities responsible for information security; and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Review and update the organization-wide information security program plan pm-1_prm_1[Assignment: organization-defined frequency] and following pm-1_prm_2[Assignment: organization-defined events]; and
c. Protect the information security program plan from unauthorized disclosure and modification.
Information Security Program Plan
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan pm-1_prm_1[Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification.
PM-2
Information Security Program Leadership Role
Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Senior Information Security Officer
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
PM-3
Information Security and Privacy Resources
a. Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;
b. Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and
c. Make available for expenditure, the planned information security and privacy resources.
Information Security Resources
The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned.
PM-4
Plan of Action and Milestones Process
a. Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:
1. Are developed and maintained;
2. Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with established reporting requirements.
b. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Plan of Action and Milestones Process
The organization:
a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
1. Are developed and maintained;
2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with OMB FISMA reporting requirements.
b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-5
System Inventory
Develop and update pm-5_prm_1[Assignment: organization-defined frequency] an inventory of organizational systems.
Information System Inventory
The organization develops and maintains an inventory of its information systems.
PM-5(1)
System Inventory | Inventory of Personally Identifiable Information
Establish, maintain, and update pm-5.1_prm_1[Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information.
No predecessor
PM-6
Measures of Performance
Develop, monitor, and report on the results of information security and privacy measures of performance.
Information Security Measures of Performance
The organization develops, monitors, and reports on the results of information security measures of performance.
PM-7
Enterprise Architecture
Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
Enterprise Architecture
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
PM-7(1)
Enterprise Architecture | Offloading
Offload pm-7.1_prm_1[Assignment: organization-defined non-essential functions or services] to other systems, system components, or an external provider.
No predecessor
PM-8
Critical Infrastructure Plan
Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Critical Infrastructure Plan
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
PM-9
Risk Management Strategy
a. Develops a comprehensive strategy to manage:
1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;
b. Implement the risk management strategy consistently across the organization; and
c. Review and update the risk management strategy pm-9_prm_1[Assignment: organization-defined frequency] or as required, to address organizational changes.
Risk Management Strategy
The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
b. Implements the risk management strategy consistently across the organization; and
c. Reviews and updates the risk management strategy pm-9_prm_1[Assignment: organization-defined frequency] or as required, to address organizational changes.
PM-10
Authorization Process
a. Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;
b. Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Integrate the authorization processes into an organization-wide risk management program.
Security Authorization Process
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program.
PM-11
Mission and Business Process Definition
a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and
c. Review and revise the mission and business processes pm-11_prm_1[Assignment: organization-defined frequency].
Mission/business Process Definition
The organization:
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
PM-12
Insider Threat Program
Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
Insider Threat Program
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.
PM-13
Security and Privacy Workforce
Establish a security and privacy workforce development and improvement program.
Information Security Workforce
The organization establishes an information security workforce development and improvement program.
PM-14
Testing, Training, and Monitoring
a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:
1. Are developed and maintained; and
2. Continue to be executed; and
b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Testing, Training, and Monitoring
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-15
Security and Privacy Groups and Associations
Establish and institutionalize contact with selected groups and associations within the security and privacy communities:
a. To facilitate ongoing security and privacy education and training for organizational personnel;
b. To maintain currency with recommended security and privacy practices, techniques, and technologies; and
c. To share current security and privacy information, including threats, vulnerabilities, and incidents.
Contacts with Security Groups and Associations
The organization establishes and institutionalizes contact with selected groups and associations within the security community:
a. To facilitate ongoing security education and training for organizational personnel;
b. To maintain currency with recommended security practices, techniques, and technologies; and
c. To share current security-related information including threats, vulnerabilities, and incidents.
PM-16
Threat Awareness Program
Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
Threat Awareness Program
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.
PM-16(1)
Threat Awareness Program | Automated Means for Sharing Threat Intelligence
Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.
No predecessor
PM-17
Protecting Controlled Unclassified Information on External Systems
a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and
b. Review and update the policy and procedures pm-17_prm_1[Assignment: organization-defined frequency].
No predecessor
PM-18
Privacy Program Plan
a. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:
1. Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;
2. Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;
3. Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;
4. Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;
5. Reflects coordination among organizational entities responsible for the different aspects of privacy; and
6. Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and
b. Update the plan pm-18_prm_1[Assignment: organization-defined frequency] and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.
No predecessor
PM-19
Privacy Program Leadership Role
Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.
No predecessor
PM-20
Dissemination of Privacy Program Information
Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:
a. Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;
b. Ensures that organizational privacy practices and reports are publicly available; and
c. Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.
No predecessor
PM-20(1)
Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services
Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:
(a) Are written in plain language and organized in a way that is easy to understand and navigate;
(b) Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and
(c) Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes.
No predecessor
PM-21
Accounting of Disclosures
a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:
1. Date, nature, and purpose of each disclosure; and
2. Name and address, or other contact information of the individual or organization to which the disclosure was made;
b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and
c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.
No predecessor
PM-22
Personally Identifiable Information Quality Management
Develop and document organization-wide policies and procedures for:
a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;
b. Correcting or deleting inaccurate or outdated personally identifiable information;
c. Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and
d. Appeals of adverse decisions on correction or deletion requests.
No predecessor
PM-23
Data Governance Body
Establish a Data Governance Body consisting of pm-23_prm_1[Assignment: organization-defined roles] with pm-23_prm_2[Assignment: organization-defined responsibilities].
No predecessor
PM-24
Data Integrity Board
Establish a Data Integrity Board to:
a. Review proposals to conduct or participate in a matching program; and
b. Conduct an annual review of all matching programs in which the agency has participated.
No predecessor
PM-25
Minimization of Personally Identifiable Information Used in Testing, Training, and Research
a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;
c. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and
d. Review and update policies and procedures pm-25_prm_1[Assignment: organization-defined frequency].
No predecessor
PM-26
Complaint Management
Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:
a. Mechanisms that are easy to use and readily accessible by the public;
b. All information necessary for successfully filing complaints;
c. Tracking mechanisms to ensure all complaints received are reviewed and addressed within pm-26_prm_1[Assignment: organization-defined time period];
d. Acknowledgement of receipt of complaints, concerns, or questions from individuals within pm-26_prm_2[Assignment: organization-defined time period]; and
e. Response to complaints, concerns, or questions from individuals within pm-26_prm_3[Assignment: organization-defined time period].
No predecessor
PM-27
Privacy Reporting
a. Develop pm-27_prm_1[Assignment: organization-defined privacy reports] and disseminate to:
1. pm-27_prm_2[Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and
2. pm-27_prm_3[Assignment: organization-defined officials] and other personnel with responsibility for monitoring privacy program compliance; and
b. Review and update privacy reports pm-27_prm_4[Assignment: organization-defined frequency].
No predecessor
PM-28
Risk Framing
a. Identify and document:
1. Assumptions affecting risk assessments, risk responses, and risk monitoring;
2. Constraints affecting risk assessments, risk responses, and risk monitoring;
3. Priorities and trade-offs considered by the organization for managing risk; and
4. Organizational risk tolerance;
b. Distribute the results of risk framing activities to pm-28_prm_1[Assignment: organization-defined personnel]; and
c. Review and update risk framing considerations pm-28_prm_2[Assignment: organization-defined frequency].
No predecessor
PM-29
Risk Management Program Leadership Roles
a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and
b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.
No predecessor
PM-30
Supply Chain Risk Management Strategy
a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
b. Implement the supply chain risk management strategy consistently across the organization; and
c. Review and update the supply chain risk management strategy on pm-30_prm_1[Assignment: organization-defined frequency] or as required, to address organizational changes.
No predecessor
PM-30(1)
Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items
Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.
No predecessor
PM-31
Continuous Monitoring Strategy
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:
a. Establishing the following organization-wide metrics to be monitored: pm-31_prm_1[Assignment: organization-defined metrics];
b. Establishing pm-31_prm_2[Assignment: organization-defined frequencies] for monitoring and pm-31_prm_3[Assignment: organization-defined frequencies] for assessment of control effectiveness;
c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;
d. Correlation and analysis of information generated by control assessments and monitoring;
e. Response actions to address results of the analysis of control assessment and monitoring information; and
f. Reporting the security and privacy status of organizational systems to pm-31_prm_4[Assignment: organization-defined personnel or roles] pm-31_prm_5[Assignment: organization-defined frequency].
No predecessor
PM-32
Purposing
Analyze pm-32_prm_1[Assignment: organization-defined systems or systems components] supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.
No predecessor
PS-1
Policy and Procedures Ⓛ Ⓜ Ⓗ
a. Develop, document, and disseminate to ps-1_prm_1[Assignment: organization-defined personnel or roles]:
1. ps-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] personnel security policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;
b. Designate an ps-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and
c. Review and update the current personnel security:
1. Policy ps-1_prm_4[Assignment: organization-defined frequency] and following ps-1_prm_5[Assignment: organization-defined events]; and
2. Procedures ps-1_prm_6[Assignment: organization-defined frequency] and following ps-1_prm_7[Assignment: organization-defined events].
Personnel Security Policy and Procedures Ⓛ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to ps-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy ps-1_prm_2[Assignment: organization-defined frequency]; and
2. Personnel security procedures ps-1_prm_3[Assignment: organization-defined frequency].
PS-2
Position Risk Designation Ⓛ Ⓜ Ⓗ
a. Assign a risk designation to all organizational positions;
b. Establish screening criteria for individuals filling those positions; and
c. Review and update position risk designations ps-2_prm_1[Assignment: organization-defined frequency].
Position Risk Designation Ⓛ Ⓜ Ⓗ
The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations ps-2_prm_1[Assignment: organization-defined frequency].
PS-3
Personnel Screening Ⓛ Ⓜ Ⓗ
a. Screen individuals prior to authorizing access to the system; and
b. Rescreen individuals in accordance with ps-3_prm_1[Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].
Personnel Screening Ⓛ Ⓜ Ⓗ
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to ps-3_prm_1[Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
PS-3(1)
Personnel Screening | Classified Information
Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
Personnel Screening | Classified Information
The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
PS-3(2)
Personnel Screening | Formal Indoctrination
Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system.
Personnel Screening | Formal Indoctrination
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.
PS-3(3)
Personnel Screening | Information Requiring Special Protective Measures
Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
(b) Satisfy ps-3.3_prm_1[Assignment: organization-defined additional personnel screening criteria].
Personnel Screening | Information with Special Protection Measures
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
(b) Satisfy ps-3.3_prm_1[Assignment: organization-defined additional personnel screening criteria].
PS-3(4)
Personnel Screening | Citizenship Requirements
Verify that individuals accessing a system processing, storing, or transmitting ps-3.4_prm_1[Assignment: organization-defined information types] meet ps-3.4_prm_2[Assignment: organization-defined citizenship requirements].
No predecessor
PS-4
Personnel Termination Ⓛ Ⓜ Ⓗ
Upon termination of individual employment:
a. Disable system access within ps-4_prm_1[Assignment: organization-defined time period];
b. Terminate or revoke any authenticators and credentials associated with the individual;
c. Conduct exit interviews that include a discussion of ps-4_prm_2[Assignment: organization-defined information security topics];
d. Retrieve all security-related organizational system-related property; and
e. Retain access to organizational information and systems formerly controlled by terminated individual.
Personnel TerminationⓁ Ⓜ Ⓗ
The organization, upon termination of individual employment:
a. Disables information system access within ps-4_prm_1[Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of ps-4_prm_2[Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies ps-4_prm_3[Assignment: organization-defined personnel or roles] within ps-4_prm_4[Assignment: organization-defined time period].
PS-4(1)
Personnel Termination | Post-employment Requirements
(a) Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
(b) Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
Personnel Termination | Post-employment Requirements
The organization:
(a) Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
(b) Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
PS-4(2)
Personnel Termination | Automated Actions
Use ps-4.2_prm_1[Assignment: organization-defined automated mechanisms] to ps-4.2_prm_2[Selection: notify ps-4.2_prm_3[Assignment: organization-defined personnel or roles] of individual termination actions or disable access to system resources].
Personnel Termination | Automated Notification
The organization employs automated mechanisms to notify ps-4.2_prm_1[Assignment: organization-defined personnel or roles] upon termination of an individual.
PS-5
Personnel TransferⓁ Ⓜ Ⓗ
a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiate ps-5_prm_1[Assignment: organization-defined transfer or reassignment actions] within ps-5_prm_2[Assignment: organization-defined time period following the formal transfer action];
c. Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notify ps-5_prm_3[Assignment: organization-defined personnel or roles] within ps-5_prm_4[Assignment: organization-defined time period].
Personnel TransferⓁ Ⓜ Ⓗ
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates ps-5_prm_1[Assignment: organization-defined transfer or reassignment actions] within ps-5_prm_2[Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies ps-5_prm_3[Assignment: organization-defined personnel or roles] within ps-5_prm_4[Assignment: organization-defined time period].
PS-6
Access AgreementsⓁ Ⓜ Ⓗ Ⓟ
a. Develop and document access agreements for organizational systems;
b. Review and update the access agreements ps-6_prm_1[Assignment: organization-defined frequency]; and
c. Verify that individuals requiring access to organizational information and systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or ps-6_prm_2[Assignment: organization-defined frequency].
Access AgreementsⓁ Ⓜ Ⓗ
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements ps-6_prm_1[Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or ps-6_prm_2[Assignment: organization-defined frequency].
PS-6(1)
Access Agreements | Information Requiring Special Protection
Withdrawn — incorporated into PS-3.
Access Agreements | Information Requiring Special Protection
Withdrawn — incorporated into PS-3.
PS-6(2)
Access Agreements | Classified Information Requiring Special Protection
Verify that access to classified information requiring special protection is granted only to individuals who:
(a) Have a valid access authorization that is demonstrated by assigned official government duties;
(b) Satisfy associated personnel security criteria; and
(c) Have read, understood, and signed a nondisclosure agreement.
Access Agreements | Classified Information Requiring Special Protection
The organization ensures that access to classified information requiring special protection is granted only to individuals who:
(a) Have a valid access authorization that is demonstrated by assigned official government duties;
(b) Satisfy associated personnel security criteria; and
(c) Have read, understood, and signed a nondisclosure agreement.
PS-6(3)
Access Agreements | Post-employment Requirements
(a) Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
(b) Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.
Access Agreements | Post-employment Requirements
The organization:
(a) Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
(b) Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.
PS-7
External Personnel SecurityⓁ Ⓜ Ⓗ
a. Establish personnel security requirements, including security roles and responsibilities for external providers;
b. Require external providers to comply with personnel security policies and procedures established by the organization;
c. Document personnel security requirements;
d. Require external providers to notify ps-7_prm_1[Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ps-7_prm_2[Assignment: organization-defined time period]; and
e. Monitor provider compliance with personnel security requirements.
Third-party Personnel SecurityⓁ Ⓜ Ⓗ
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify ps-7_prm_1[Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within ps-7_prm_2[Assignment: organization-defined time period]; and
e. Monitors provider compliance.
PS-8
Personnel SanctionsⓁ Ⓜ Ⓗ
a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and
b. Notify ps-8_prm_1[Assignment: organization-defined personnel or roles] within ps-8_prm_2[Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
Personnel SanctionsⓁ Ⓜ Ⓗ
The organization:
a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notifies ps-8_prm_1[Assignment: organization-defined personnel or roles] within ps-8_prm_2[Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
PS-9
Position DescriptionsⓁ Ⓜ Ⓗ
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
No predecessor
PT-1
Policy and Procedures
a. Develop, document, and disseminate to pt-1_prm_1[Assignment: organization-defined personnel or roles]:
1. pt-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] personally identifiable information processing and transparency policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;
b. Designate an pt-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and
c. Review and update the current personally identifiable information processing and transparency:
1. Policy pt-1_prm_4[Assignment: organization-defined frequency] and following pt-1_prm_5[Assignment: organization-defined events]; and
2. Procedures pt-1_prm_6[Assignment: organization-defined frequency] and following pt-1_prm_7[Assignment: organization-defined events].
No predecessor
PT-2
Authority to Process Personally Identifiable Information
a. Determine and document the pt-2_prm_1[Assignment: organization-defined authority] that permits the pt-2_prm_2[Assignment: organization-defined processing] of personally identifiable information; and
b. Restrict the pt-2_prm_3[Assignment: organization-defined processing] of personally identifiable information to only that which is authorized.
No predecessor
PT-2(1)
Authority to Process Personally Identifiable Information | Data Tagging
Attach data tags containing pt-2.1_prm_1[Assignment: organization-defined authorized processing] to pt-2.1_prm_2[Assignment: organization-defined elements of personally identifiable information].
No predecessor
PT-2(2)
Authority to Process Personally Identifiable Information | Automation
Manage enforcement of the authorized processing of personally identifiable information using pt-2.2_prm_1[Assignment: organization-defined automated mechanisms].
No predecessor
PT-3
Personally Identifiable Information Processing Purposes
a. Identify and document the pt-3_prm_1[Assignment: organization-defined purpose(s)] for processing personally identifiable information;
b. Describe the purpose(s) in the public privacy notices and policies of the organization;
c. Restrict the pt-3_prm_2[Assignment: organization-defined processing] of personally identifiable information to only that which is compatible with the identified purpose(s); and
d. Monitor changes in processing personally identifiable information and implement pt-3_prm_3[Assignment: organization-defined mechanisms] to ensure that any changes are made in accordance with pt-3_prm_4[Assignment: organization-defined requirements].
No predecessor
PT-3(1)
Personally Identifiable Information Processing Purposes | Data Tagging
Attach data tags containing the following purposes to pt-3.1_prm_1[Assignment: organization-defined elements of personally identifiable information]: pt-3.1_prm_2[Assignment: organization-defined processing purposes].
No predecessor
PT-3(2)
Personally Identifiable Information Processing Purposes | Automation
Track processing purposes of personally identifiable information using pt-3.2_prm_1[Assignment: organization-defined automated mechanisms].
No predecessor
PT-4
Consent
Implement pt-4_prm_1[Assignment: organization-defined tools or mechanisms] for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.
No predecessor
PT-4(1)
Consent | Tailored Consent
Provide pt-4.1_prm_1[Assignment: organization-defined mechanisms] to allow individuals to tailor processing permissions to selected elements of personally identifiable information.
No predecessor
PT-4(2)
Consent | Just-in-time Consent
Present pt-4.2_prm_1[Assignment: organization-defined consent mechanisms] to individuals at pt-4.2_prm_2[Assignment: organization-defined frequency] and in conjunction with pt-4.2_prm_3[Assignment: organization-defined personally identifiable information processing].
No predecessor
PT-4(3)
Consent | Revocation
Implement pt-4.3_prm_1[Assignment: organization-defined tools or mechanisms] for individuals to revoke consent to the processing of their personally identifiable information.
No predecessor
PT-5
Privacy Notice
Provide notice to individuals about the processing of personally identifiable information that:
a. Is available to individuals upon first interacting with an organization, and subsequently at pt-5_prm_1[Assignment: organization-defined frequency];
b. Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;
c. Identifies the authority that authorizes the processing of personally identifiable information;
d. Identifies the purposes for which personally identifiable information is to be processed; and
e. Includes pt-5_prm_2[Assignment: organization-defined information].
No predecessor
PT-5(1)
Privacy Notice | Just-in-time Notice
Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or pt-5.1_prm_1[Assignment: organization-defined frequency].
No predecessor
PT-5(2)
Privacy Notice | Privacy Act Statements
Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals.
No predecessor
PT-6
System of Records Notice
For systems that process information that will be maintained in a Privacy Act system of records:
a. Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;
b. Publish system of records notices in the Federal Register; and
c. Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.
No predecessor
PT-6(1)
System of Records Notice | Routine Uses
Review all routine uses published in the system of records notice at pt-6.1_prm_1[Assignment: organization-defined frequency] to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.
No predecessor
PT-6(2)
System of Records Notice | Exemption Rules
Review all Privacy Act exemptions claimed for the system of records at pt-6.2_prm_1[Assignment: organization-defined frequency] to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice.
No predecessor
PT-7
Specific Categories of Personally Identifiable Information
Apply pt-7_prm_1[Assignment: organization-defined processing conditions] for specific categories of personally identifiable information.
No predecessor
PT-7(1)
Specific Categories of Personally Identifiable Information | Social Security Numbers
When a system processes Social Security numbers:
(a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;
(b) Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and
(c) Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.
No predecessor
PT-7(2)
Specific Categories of Personally Identifiable Information | First Amendment Information
Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.
No predecessor
PT-8
Computer Matching Requirements
When a system or organization processes information for the purpose of conducting a matching program:
a. Obtain approval from the Data Integrity Board to conduct the matching program;
b. Develop and enter into a computer matching agreement;
c. Publish a matching notice in the Federal Register;
d. Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and
e. Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual.
No predecessor
RA-1
Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟ
a. Develop, document, and disseminate to ra-1_prm_1[Assignment: organization-defined personnel or roles]:
1. ra-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] risk assessment policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;
b. Designate an ra-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and
c. Review and update the current risk assessment:
1. Policy ra-1_prm_4[Assignment: organization-defined frequency] and following ra-1_prm_5[Assignment: organization-defined events]; and
2. Procedures ra-1_prm_6[Assignment: organization-defined frequency] and following ra-1_prm_7[Assignment: organization-defined events].
Risk Assessment Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to ra-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy ra-1_prm_2[Assignment: organization-defined frequency]; and
2. Risk assessment procedures ra-1_prm_3[Assignment: organization-defined frequency].
RA-2
Security CategorizationⓁ Ⓜ Ⓗ
a. Categorize the system and information it processes, stores, and transmits;
b. Document the security categorization results, including supporting rationale, in the security plan for the system; and
c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
Security CategorizationⓁ Ⓜ Ⓗ
The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
RA-2(1)
Security Categorization | Impact-level Prioritization
Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.
No predecessor
RA-3
Risk AssessmentⓁ Ⓜ Ⓗ Ⓟ
a. Conduct a risk assessment, including:
1. Identifying threats to and vulnerabilities in the system;
2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
c. Document risk assessment results in ra-3_prm_1[Selection: security and privacy plans or risk assessment report or ra-3_prm_2[Assignment: organization-defined document]];
d. Review risk assessment results ra-3_prm_3[Assignment: organization-defined frequency];
e. Disseminate risk assessment results to ra-3_prm_4[Assignment: organization-defined personnel or roles]; and
f. Update the risk assessment ra-3_prm_5[Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
Risk AssessmentⓁ Ⓜ Ⓗ
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in ra-3_prm_1[Selection: security plan or risk assessment report or ra-3_prm_2[Assignment: organization-defined document]];
c. Reviews risk assessment results ra-3_prm_3[Assignment: organization-defined frequency];
d. Disseminates risk assessment results to ra-3_prm_4[Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment ra-3_prm_5[Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
RA-3(1)
Risk Assessment | Supply Chain Risk AssessmentⓁ Ⓜ Ⓗ
(a) Assess supply chain risks associated with ra-3.1_prm_1[Assignment: organization-defined systems, system components, and system services]; and
(b) Update the supply chain risk assessment ra-3.1_prm_2[Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.
No predecessor
RA-3(2)
Risk Assessment | Use of All-source Intelligence
Use all-source intelligence to assist in the analysis of risk.
No predecessor
RA-3(3)
Risk Assessment | Dynamic Threat Awareness
Determine the current cyber threat environment on an ongoing basis using ra-3.3_prm_1[Assignment: organization-defined means].
No predecessor
RA-3(4)
Risk Assessment | Predictive Cyber Analytics
Employ the following advanced automation and analytics capabilities to predict and identify risks to ra-3.4_prm_1[Assignment: organization-defined systems or system components]: ra-3.4_prm_2[Assignment: organization-defined advanced automation and analytics capabilities].
No predecessor
RA-4
Risk Assessment Update
Withdrawn — incorporated into RA-3.
Risk Assessment Update
Withdrawn — incorporated into RA-3.
RA-5
Vulnerability Monitoring and ScanningⓁ Ⓜ Ⓗ
a. Monitor and scan for vulnerabilities in the system and hosted applications ra-5_prm_1[Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities ra-5_prm_2[Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with ra-5_prm_3[Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
Vulnerability ScanningⓁ Ⓜ Ⓗ
The organization:
a. Scans for vulnerabilities in the information system and hosted applications ra-5_prm_1[Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities ra-5_prm_2[Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with ra-5_prm_3[Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RA-5(1)
Vulnerability Monitoring and Scanning | Update Tool Capability
Withdrawn — incorporated into RA-5.
Vulnerability Scanning | Update Tool CapabilityⓂ Ⓗ
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
RA-5(2)
Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be ScannedⓁ Ⓜ Ⓗ
Update the system vulnerabilities to be scanned ra-5.2_prm_1[Selection: ra-5.2_prm_2[Assignment: organization-defined frequency] or prior to a new scan or when new vulnerabilities are identified and reported].
Vulnerability Scanning | Update by Frequency / Prior to New Scan / When IdentifiedⓂ Ⓗ
The organization updates the information system vulnerabilities scanned ra-5.2_prm_1[Selection: ra-5.2_prm_2[Assignment: organization-defined frequency] or prior to a new scan or when new vulnerabilities are identified and reported].
RA-5(3)
Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage
Define the breadth and depth of vulnerability scanning coverage.
Vulnerability Scanning | Breadth / Depth of Coverage
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
RA-5(4)
Vulnerability Monitoring and Scanning | Discoverable Information
Determine information about the system that is discoverable and take ra-5.4_prm_1[Assignment: organization-defined corrective actions].
Vulnerability Scanning | Discoverable Information
The organization determines what information about the information system is discoverable by adversaries and subsequently takes ra-5.4_prm_1[Assignment: organization-defined corrective actions].
RA-5(5)
Vulnerability Monitoring and Scanning | Privileged AccessⓂ Ⓗ
Implement privileged access authorization to ra-5.5_prm_1[Assignment: organization-defined system components] for ra-5.5_prm_2[Assignment: organization-defined vulnerability scanning activities].
Vulnerability Scanning | Privileged AccessⓂ Ⓗ
The information system implements privileged access authorization to ra-5.5_prm_1[Assignment: organization-identified information system components] for selected ra-5.5_prm_2[Assignment: organization-defined vulnerability scanning activities].
RA-5(6)
Vulnerability Monitoring and Scanning | Automated Trend Analyses
Compare the results of multiple vulnerability scans using ra-5.6_prm_1[Assignment: organization-defined automated mechanisms].
Vulnerability Scanning | Automated Trend Analyses
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
RA-5(7)
Vulnerability Monitoring and Scanning | Automated Detection and Notification of Unauthorized Components
Withdrawn — incorporated into CM-8.
Vulnerability Scanning | Automated Detection and Notification of Unauthorized Components
Withdrawn — incorporated into CM-8.
RA-5(8)
Vulnerability Monitoring and Scanning | Review Historic Audit Logs
Review historic audit logs to determine if a vulnerability identified in a ra-5.8_prm_1[Assignment: organization-defined system] has been previously exploited within an ra-5.8_prm_2[Assignment: organization-defined time period].
Vulnerability Scanning | Review Historic Audit Logs
The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
RA-5(9)
Vulnerability Monitoring and Scanning | Penetration Testing and Analyses
Withdrawn — incorporated into CA-8.
Vulnerability Scanning | Penetration Testing and Analyses
Withdrawn — incorporated into CA-8.
RA-5(10)
Vulnerability Monitoring and Scanning | Correlate Scanning Information
Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.
Vulnerability Scanning | Correlate Scanning Information
The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
RA-5(11)
Vulnerability Monitoring and Scanning | Public Disclosure ProgramⓁ Ⓜ Ⓗ
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.
No predecessor
RA-6
Technical Surveillance Countermeasures Survey
Employ a technical surveillance countermeasures survey at ra-6_prm_1[Assignment: organization-defined locations] ra-6_prm_2[Selection: ra-6_prm_3[Assignment: organization-defined frequency] or when the following events or indicators occur: ra-6_prm_4[Assignment: organization-defined events or indicators]].
Technical Surveillance Countermeasures Survey
The organization employs a technical surveillance countermeasures survey at ra-6_prm_1[Assignment: organization-defined locations] ra-6_prm_2[Selection: ra-6_prm_3[Assignment: organization-defined frequency] or ra-6_prm_4[Assignment: organization-defined events or indicators occur]].
RA-7
Risk ResponseⓁ Ⓜ Ⓗ Ⓟ
Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.
No predecessor
RA-8
Privacy Impact Assessments
Conduct privacy impact assessments for systems, programs, or other activities before:
a. Developing or procuring information technology that processes personally identifiable information; and
b. Initiating a new collection of personally identifiable information that:
1. Will be processed using information technology; and
2. Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.
No predecessor
RA-9
Criticality AnalysisⓂ Ⓗ
Identify critical system components and functions by performing a criticality analysis for ra-9_prm_1[Assignment: organization-defined systems, system components, or system services] at ra-9_prm_2[Assignment: organization-defined decision points in the system development life cycle].
No predecessor
RA-10
Threat Hunting
a. Establish and maintain a cyber threat hunting capability to:
1. Search for indicators of compromise in organizational systems; and
2. Detect, track, and disrupt threats that evade existing controls; and
b. Employ the threat hunting capability ra-10_prm_1[Assignment: organization-defined frequency].
No predecessor
SA-1
Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟ
a. Develop, document, and disseminate to sa-1_prm_1[Assignment: organization-defined personnel or roles]:
1. sa-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] system and services acquisition policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;
b. Designate an sa-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and
c. Review and update the current system and services acquisition:
1. Policy sa-1_prm_4[Assignment: organization-defined frequency] and following sa-1_prm_5[Assignment: organization-defined events]; and
2. Procedures sa-1_prm_6[Assignment: organization-defined frequency] and following sa-1_prm_7[Assignment: organization-defined events].
System and Services Acquisition Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to sa-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy sa-1_prm_2[Assignment: organization-defined frequency]; and
2. System and services acquisition procedures sa-1_prm_3[Assignment: organization-defined frequency].
SA-2
Allocation of ResourcesⓁ Ⓜ Ⓗ Ⓟ
a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and
c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.
Allocation of ResourcesⓁ Ⓜ Ⓗ
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
SA-3
System Development Life CycleⓁ Ⓜ Ⓗ Ⓟ
a. Acquire, develop, and manage the system using sa-3_prm_1[Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations;
b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
c. Identify individuals having information security and privacy roles and responsibilities; and
d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.
System Development Life CycleⓁ Ⓜ Ⓗ
The organization:
a. Manages the information system using sa-3_prm_1[Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities.
SA-3(1)
System Development Life Cycle | Manage Preproduction Environment
Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.
No predecessor
SA-3(2)
System Development Life Cycle | Use of Live or Operational Data
(a) Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and
(b) Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments.
No predecessor
SA-3(3)
System Development Life Cycle | Technology Refresh
Plan for and implement a technology refresh schedule for the system throughout the system development life cycle.
No predecessor
SA-4
Acquisition ProcessⓁ Ⓜ Ⓗ Ⓟ
Include the following requirements, descriptions, and criteria, explicitly or by reference, using sa-4_prm_1[Selection: standardized contract language or sa-4_prm_2[Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service:
a. Security and privacy functional requirements;
b. Strength of mechanism requirements;
c. Security and privacy assurance requirements;
d. Controls needed to satisfy the security and privacy requirements;
e. Security and privacy documentation requirements;
f. Requirements for protecting security and privacy documentation;
g. Description of the system development environment and environment in which the system is intended to operate;
h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
i. Acceptance criteria.
Acquisition ProcessⓁ Ⓜ Ⓗ
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
SA-4(1)
Acquisition Process | Functional Properties of ControlsⓂ Ⓗ
Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.
Acquisition Process | Functional Properties of Security ControlsⓂ Ⓗ
The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
SA-4(2)
Acquisition Process | Design and Implementation Information for ControlsⓂ Ⓗ
Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: sa-4.2_prm_1[Selection: security-relevant external system interfaces or high-level design or low-level design or source code or hardware schematics or sa-4.2_prm_2[Assignment: organization-defined design and implementation information]] at sa-4.2_prm_3[Assignment: organization-defined level of detail].
Acquisition Process | Design / Implementation Information for Security ControlsⓂ Ⓗ
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: sa-4.2_prm_1[Selection: security-relevant external system interfaces or high-level design or low-level design or source code or hardware schematics or sa-4.2_prm_2[Assignment: organization-defined design/implementation information]] at sa-4.2_prm_3[Assignment: organization-defined level of detail].
SA-4(3)
Acquisition Process | Development Methods, Techniques, and Practices
Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:
(a) sa-4.3_prm_1[Assignment: organization-defined systems engineering methods];
(b) sa-4.3_prm_2[Assignment: organization-defined [Selection (one or more): systems security; privacy] engineering methods]; and
(c) sa-4.3_prm_3[Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes].
Acquisition Process | Development Methods / Techniques / Practices
The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes sa-4.3_prm_1[Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].
SA-4(4)
Acquisition Process | Assignment of Components to Systems
Withdrawn — incorporated into CM-8(9).
Acquisition Process | Assignment of Components to Systems
Withdrawn — incorporated into CM-8(9).
SA-4(5)
Acquisition Process | System, Component, and Service Configurations
Require the developer of the system, system component, or system service to:
(a) Deliver the system, component, or service with sa-4.5_prm_1[Assignment: organization-defined security configurations] implemented; and
(b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
Acquisition Process | System / Component / Service Configurations
The organization requires the developer of the information system, system component, or information system service to:
(a) Deliver the system, component, or service with sa-4.5_prm_1[Assignment: organization-defined security configurations] implemented; and
(b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
SA-4(6)
Acquisition Process | Use of Information Assurance Products
(a) Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
(b) Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
Acquisition Process | Use of Information Assurance Products
The organization:
(a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
(b) Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
SA-4(7)
Acquisition Process | NIAP-approved Protection Profiles
(a) Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
(b) Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.
Acquisition Process | NIAP-approved Protection Profiles
The organization:
(a) Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
(b) Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
SA-4(8)
Acquisition Process | Continuous Monitoring Plan for Controls
Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.
Acquisition Process | Continuous Monitoring Plan
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains sa-4.8_prm_1[Assignment: organization-defined level of detail].
SA-4(9)
Acquisition Process | Functions, Ports, Protocols, and Services in UseⓂ Ⓗ
Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.
Acquisition Process | Functions / Ports / Protocols / Services in UseⓂ Ⓗ
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
SA-4(10)
Acquisition Process | Use of Approved PIV ProductsⓁ Ⓜ Ⓗ
Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.
Acquisition Process | Use of Approved PIV ProductsⓁ Ⓜ Ⓗ
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
SA-4(11)
Acquisition Process | System of Records
Include sa-4.11_prm_1[Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.
No predecessor
SA-4(12)
Acquisition Process | Data Ownership
(a) Include organizational data ownership requirements in the acquisition contract; and
(b) Require all data to be removed from the contractor’s system and returned to the organization within sa-4.12_prm_1[Assignment: organization-defined time frame].
No predecessor
SA-5
System DocumentationⓁ Ⓜ Ⓗ
a. Obtain or develop administrator documentation for the system, system component, or system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security and privacy functions and mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;
b. Obtain or develop user documentation for the system, system component, or system service that describes:
1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
2. Methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take sa-5_prm_1[Assignment: organization-defined actions] in response; and
d. Distribute documentation to sa-5_prm_2[Assignment: organization-defined personnel or roles].
Information System DocumentationⓁ Ⓜ Ⓗ
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes sa-5_prm_1[Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to sa-5_prm_2[Assignment: organization-defined personnel or roles].
SA-5(1)
System Documentation | Functional Properties of Security Controls
Withdrawn — incorporated into SA-4(1).
Information System Documentation | Functional Properties of Security Controls
Withdrawn — incorporated into SA-4(1).
SA-5(2)
System Documentation | Security-relevant External System Interfaces
Withdrawn — incorporated into SA-4(2).
Information System Documentation | Security-relevant External System Interfaces
Withdrawn — incorporated into SA-4(2).
SA-5(3)
System Documentation | High-level Design
Withdrawn — incorporated into SA-4(2).
Information System Documentation | High-level Design
Withdrawn — incorporated into SA-4(2).
SA-5(4)
System Documentation | Low-level Design
Withdrawn — incorporated into SA-4(2).
Information System Documentation | Low-level Design
Withdrawn — incorporated into SA-4(2).
SA-5(5)
System Documentation | Source Code
Withdrawn — incorporated into SA-4(2).
Information System Documentation | Source Code
Withdrawn — incorporated into SA-4(2).
SA-6
Software Usage Restrictions
Withdrawn — incorporated into CM-10 and SI-7.
Software Usage Restrictions
Withdrawn — incorporated into CM-10 and SI-7.
SA-7
User-installed Software
Withdrawn — incorporated into CM-11 and SI-7.
User-installed Software
Withdrawn — incorporated into CM-11 and SI-7.
SA-8
Security and Privacy Engineering PrinciplesⓁ Ⓜ Ⓗ
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: sa-8_prm_1[Assignment: organization-defined systems security and privacy engineering principles].
Security Engineering PrinciplesⓂ Ⓗ
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
SA-8(1)
Security and Privacy Engineering Principles | Clear Abstractions
Implement the security design principle of clear abstractions.
No predecessor
SA-8(2)
Security and Privacy Engineering Principles | Least Common Mechanism
Implement the security design principle of least common mechanism in sa-8.2_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(3)
Security and Privacy Engineering Principles | Modularity and Layering
Implement the security design principles of modularity and layering in sa-8.3_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(4)
Security and Privacy Engineering Principles | Partially Ordered Dependencies
Implement the security design principle of partially ordered dependencies in sa-8.4_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(5)
Security and Privacy Engineering Principles | Efficiently Mediated Access
Implement the security design principle of efficiently mediated access in sa-8.5_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(6)
Security and Privacy Engineering Principles | Minimized Sharing
Implement the security design principle of minimized sharing in sa-8.6_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(7)
Security and Privacy Engineering Principles | Reduced Complexity
Implement the security design principle of reduced complexity in sa-8.7_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(8)
Security and Privacy Engineering Principles | Secure Evolvability
Implement the security design principle of secure evolvability in sa-8.8_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(9)
Security and Privacy Engineering Principles | Trusted Components
Implement the security design principle of trusted components in sa-8.9_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(10)
Security and Privacy Engineering Principles | Hierarchical Trust
Implement the security design principle of hierarchical trust in sa-8.10_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(11)
Security and Privacy Engineering Principles | Inverse Modification Threshold
Implement the security design principle of inverse modification threshold in sa-8.11_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(12)
Security and Privacy Engineering Principles | Hierarchical Protection
Implement the security design principle of hierarchical protection in sa-8.12_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(13)
Security and Privacy Engineering Principles | Minimized Security Elements
Implement the security design principle of minimized security elements in sa-8.13_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(14)
Security and Privacy Engineering Principles | Least Privilege
Implement the security design principle of least privilege in sa-8.14_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(15)
Security and Privacy Engineering Principles | Predicate Permission
Implement the security design principle of predicate permission in sa-8.15_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(16)
Security and Privacy Engineering Principles | Self-reliant Trustworthiness
Implement the security design principle of self-reliant trustworthiness in sa-8.16_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(17)
Security and Privacy Engineering Principles | Secure Distributed Composition
Implement the security design principle of secure distributed composition in sa-8.17_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(18)
Security and Privacy Engineering Principles | Trusted Communications Channels
Implement the security design principle of trusted communications channels in sa-8.18_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(19)
Security and Privacy Engineering Principles | Continuous Protection
Implement the security design principle of continuous protection in sa-8.19_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(20)
Security and Privacy Engineering Principles | Secure Metadata Management
Implement the security design principle of secure metadata management in sa-8.20_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(21)
Security and Privacy Engineering Principles | Self-analysis
Implement the security design principle of self-analysis in sa-8.21_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(22)
Security and Privacy Engineering Principles | Accountability and Traceability
Implement the security design principle of accountability and traceability in sa-8.22_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(23)
Security and Privacy Engineering Principles | Secure Defaults
Implement the security design principle of secure defaults in sa-8.23_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(24)
Security and Privacy Engineering Principles | Secure Failure and Recovery
Implement the security design principle of secure failure and recovery in sa-8.24_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(25)
Security and Privacy Engineering Principles | Economic Security
Implement the security design principle of economic security in sa-8.25_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(26)
Security and Privacy Engineering Principles | Performance Security
Implement the security design principle of performance security in sa-8.26_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(27)
Security and Privacy Engineering Principles | Human Factored Security
Implement the security design principle of human factored security in sa-8.27_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(28)
Security and Privacy Engineering Principles | Acceptable Security
Implement the security design principle of acceptable security in sa-8.28_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(29)
Security and Privacy Engineering Principles | Repeatable and Documented Procedures
Implement the security design principle of repeatable and documented procedures in sa-8.29_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(30)
Security and Privacy Engineering Principles | Procedural Rigor
Implement the security design principle of procedural rigor in sa-8.30_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(31)
Security and Privacy Engineering Principles | Secure System Modification
Implement the security design principle of secure system modification in sa-8.31_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(32)
Security and Privacy Engineering Principles | Sufficient Documentation
Implement the security design principle of sufficient documentation in sa-8.32_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SA-8(33)
Security and Privacy Engineering Principles | Minimization
Implement the privacy principle of minimization using sa-8.33_prm_1[Assignment: organization-defined processes].
No predecessor
SA-9
External System ServicesⓁ Ⓜ Ⓗ Ⓟ
a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: sa-9_prm_1[Assignment: organization-defined controls];
b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: sa-9_prm_2[Assignment: organization-defined processes, methods, and techniques].
External Information System ServicesⓁ Ⓜ Ⓗ
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ sa-9_prm_1[Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs sa-9_prm_2[Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
SA-9(1)
External System Services | Risk Assessments and Organizational Approvals
(a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
(b) Verify that the acquisition or outsourcing of dedicated information security services is approved by sa-9.1_prm_1[Assignment: organization-defined personnel or roles].
External Information System Services | Risk Assessments / Organizational Approvals
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by sa-9.1_prm_1[Assignment: organization-defined personnel or roles].
SA-9(2)
External System Services | Identification of Functions, Ports, Protocols, and ServicesⓂ Ⓗ
Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: sa-9.2_prm_1[Assignment: organization-defined external system services].
External Information System Services | Identification of Functions / Ports / Protocols / ServicesⓂ Ⓗ
The organization requires providers of sa-9.2_prm_1[Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
SA-9(3)
External System Services | Establish and Maintain Trust Relationship with Providers
Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: sa-9.3_prm_1[Assignment: organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships].
External Information System Services | Establish / Maintain Trust Relationship with Providers
The organization establishes, documents, and maintains trust relationships with external service providers based on sa-9.3_prm_1[Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships].
SA-9(4)
External System Services | Consistent Interests of Consumers and Providers
Take the following actions to verify that the interests of sa-9.4_prm_1[Assignment: organization-defined external service providers] are consistent with and reflect organizational interests: sa-9.4_prm_2[Assignment: organization-defined actions].
External Information System Services | Consistent Interests of Consumers and Providers
The organization employs sa-9.4_prm_1[Assignment: organization-defined security safeguards] to ensure that the interests of sa-9.4_prm_2[Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.
SA-9(5)
External System Services | Processing, Storage, and Service Location
Restrict the location of sa-9.5_prm_1[Selection: information processing or information or data or system services] to sa-9.5_prm_2[Assignment: organization-defined locations] based on sa-9.5_prm_3[Assignment: organization-defined requirements or conditions].
External Information System Services | Processing, Storage, and Service Location
The organization restricts the location of sa-9.5_prm_1[Selection: information processing or information/data or information system services] to sa-9.5_prm_2[Assignment: organization-defined locations] based on sa-9.5_prm_3[Assignment: organization-defined requirements or conditions].
SA-9(6)
External System Services | Organization-controlled Cryptographic Keys
Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
No predecessor
SA-9(7)
External System Services | Organization-controlled Integrity Checking
Provide the capability to check the integrity of information while it resides in the external system.
No predecessor
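SA-9(6) and SA-9(7) together describe one design: the organization, not the provider, holds the keys, and the organization can verify stored data on demand without trusting the provider's word. The Go program below is an added illustration of that design; it is not part of SP 800-53 or of this analysis's source material. An AES-256-GCM key generated in-house protects each object, the object's name and version are bound in as associated data, and an audit routine re-verifies everything the provider hands back. The `ExternalStore` map, the `ObjectID` type and the object names are hypothetical stand-ins; the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ObjectID is the identity bound into every protected blob as associated data,
// so a provider that swaps blobs between names or serves an old version fails.
type ObjectID struct {
	Name    string
	Version uint64
}

// aad encodes the identity unambiguously: fixed 8-byte version, then name.
func (id ObjectID) aad() []byte {
	buf := make([]byte, 8+len(id.Name))
	binary.BigEndian.PutUint64(buf, id.Version)
	copy(buf[8:], id.Name)
	return buf
}

// ErrIntegrity: the blob does not authenticate under the organization's key.
var ErrIntegrity = errors.New("integrity check failed")

// OrgKey wraps an AES-256-GCM key held inside the organization (SA-9(6)).
type OrgKey struct{ aead cipher.AEAD }

func NewOrgKey() (*OrgKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &OrgKey{aead: aead}, nil
}

// Seal produces random 12-byte nonce || ciphertext || 16-byte GCM tag.
func (k *OrgKey) Seal(id ObjectID, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plaintext, id.aad()), nil
}

// Open authenticates a fetched blob against the expected identity.
func (k *OrgKey) Open(id ObjectID, blob []byte) ([]byte, error) {
	ns := k.aead.NonceSize()
	if len(blob) < ns+k.aead.Overhead() {
		return nil, ErrIntegrity
	}
	pt, err := k.aead.Open(nil, blob[:ns], blob[ns:], id.aad())
	if err != nil {
		return nil, ErrIntegrity
	}
	return pt, nil
}

// ExternalStore is a hypothetical stand-in for the provider's storage.
type ExternalStore map[string][]byte

// Audit is the SA-9(7) capability: re-verify every object the organization
// believes is stored, under its own key. A nil result entry means intact.
func (k *OrgKey) Audit(store ExternalStore, expected []ObjectID) map[string]error {
	results := make(map[string]error, len(expected))
	for _, id := range expected {
		blob, ok := store[id.Name]
		if !ok {
			results[id.Name] = errors.New("object missing from provider")
			continue
		}
		_, err := k.Open(id, blob)
		results[id.Name] = err
	}
	return results
}

func main() {
	key, err := NewOrgKey()
	if err != nil {
		panic(err)
	}
	id := ObjectID{Name: "payroll.csv", Version: 3}
	blob, _ := key.Seal(id, []byte("constructed sample record"))
	blob[len(blob)-1] ^= 0x01 // a byte flipped while at the provider
	fmt.Println(key.Audit(ExternalStore{id.Name: blob}, []ObjectID{id}))
}
```

Binding name and version into the associated data is what makes the audit meaningful against the provider itself: a blob moved under another object name, or an older blob served in place of the current one, fails to authenticate even though each blob is individually valid. Nonces are drawn at random per seal, so the key should be rotated well before 2^32 seal operations under a 96-bit nonce.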
SA-9(8)
External System Services | Processing and Storage Location — U.S. Jurisdiction
Restrict the geographic location of information processing and data storage to facilities located within the legal jurisdictional boundary of the United States.
No predecessor
SA-10
Developer Configuration ManagementⓂ Ⓗ
Require the developer of the system, system component, or system service to:
a. Perform configuration management during system, component, or service sa-10_prm_1[Selection: design or development or implementation or operation or disposal];
b. Document, manage, and control the integrity of changes to sa-10_prm_2[Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to sa-10_prm_3[Assignment: organization-defined personnel].
Developer Configuration ManagementⓂ Ⓗ
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service sa-10_prm_1[Selection: design or development or implementation or operation];
b. Document, manage, and control the integrity of changes to sa-10_prm_2[Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to sa-10_prm_3[Assignment: organization-defined personnel].
SA-10(1)
Developer Configuration Management | Software and Firmware Integrity Verification
Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
Developer Configuration Management | Software / Firmware Integrity Verification
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
SA-10(2)
Developer Configuration Management | Alternative Configuration Management Processes
Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
Developer Configuration Management | Alternative Configuration Management Processes
The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
SA-10(3)
Developer Configuration Management | Hardware Integrity Verification
Require the developer of the system, system component, or system service to enable integrity verification of hardware components.
Developer Configuration Management | Hardware Integrity Verification
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.
SA-10(4)
Developer Configuration Management | Trusted Generation
Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions.
Developer Configuration Management | Trusted Generation
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions.
SA-10(5)
Developer Configuration Management | Mapping Integrity for Version Control
Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
Developer Configuration Management | Mapping Integrity for Version Control
The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
SA-10(6)
Developer Configuration Management | Trusted Distribution
Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
Developer Configuration Management | Trusted Distribution
The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
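SA-10(1) asks the developer to make integrity verification of software and firmware possible; SA-10(6) asks that what the organization receives match the master copies exactly. The Go program below is an added example of one way to satisfy both and is not code from NIST or from this analysis's source: the developer signs a SHA-256 manifest of the master copies with an Ed25519 key, and the receiving organization verifies that signature with a public key assumed to have been obtained out of band, then compares every received file against the manifest, reporting modified, missing and unexpected files. File names and contents are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps each security-relevant file path to its hex SHA-256 digest.
type Manifest map[string]string

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is run by the developer over the on-site master copies.
func BuildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for path, content := range files {
		m[path] = digest(content)
	}
	return m
}

// Canonical renders the manifest deterministically (sorted, one entry per
// line) so signer and verifier hash identical bytes. Paths are assumed not
// to contain newlines.
func (m Manifest) Canonical() []byte {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var sb strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&sb, "%s  %s\n", m[p], p)
	}
	return []byte(sb.String())
}

// SignManifest is the developer's release step: the signature, not the
// transport, is what lets the organization trust the manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

var ErrBadSignature = errors.New("manifest signature invalid")

// VerifyDistribution is the organization's acceptance check. It refuses to
// look at the files at all unless the manifest verifies under the developer's
// public key, then reports every file that is modified, missing or not
// listed. An empty result means the delivery matches the master copies.
func VerifyDistribution(pub ed25519.PublicKey, m Manifest, sig []byte, received map[string][]byte) ([]string, error) {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return nil, ErrBadSignature
	}
	var problems []string
	for path, want := range m {
		got, ok := received[path]
		switch {
		case !ok:
			problems = append(problems, "missing: "+path)
		case digest(got) != want:
			problems = append(problems, "modified: "+path)
		}
	}
	for path := range received {
		if _, ok := m[path]; !ok {
			problems = append(problems, "unexpected: "+path)
		}
	}
	sort.Strings(problems)
	return problems, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample release; names and contents are not from any real product.
	master := map[string][]byte{"bin/agent": []byte("agent v2.1"), "fw/boot": []byte("boot image")}
	m := BuildManifest(master)
	sig := SignManifest(priv, m)
	// A delivery altered in transit: one file changed, one added.
	received := map[string][]byte{"bin/agent": []byte("agent v2.1 + implant"), "fw/boot": []byte("boot image"), "bin/extra": []byte("x")}
	fmt.Println(VerifyDistribution(pub, m, sig, received))
}
```

Checking the signature before touching any file content matters: an adversary who can alter the distribution can also recompute digests, so a manifest that merely accompanies the files proves nothing. Unexpected files are reported as well as modified ones, because an update that carries more than the master copies specify is not "exactly as specified" either.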
SA-10(7)
Developer Configuration Management | Security and Privacy Representatives
Require sa-10.7_prm_1[Assignment: organization-defined security and privacy representatives] to be included in the sa-10.7_prm_2[Assignment: organization-defined configuration change management and control process].
No predecessor
SA-11
Developer Testing and EvaluationⓂ Ⓗ Ⓟ
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
a. Develop and implement a plan for ongoing security and privacy control assessments;
b. Perform sa-11_prm_1[Selection: unit or integration or system or regression] testing/evaluation sa-11_prm_2[Assignment: organization-defined frequency] at sa-11_prm_3[Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during testing and evaluation.
Developer Security Testing and EvaluationⓂ Ⓗ
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform sa-11_prm_1[Selection: unit or integration or system or regression] testing/evaluation at sa-11_prm_2[Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation.
SA-11(1)
Developer Testing and Evaluation | Static Code Analysis
Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
Developer Security Testing and Evaluation | Static Code Analysis
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
SA-11(2)
Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:
(a) Uses the following contextual information: sa-11.2_prm_1[Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs the following tools and methods: sa-11.2_prm_2[Assignment: organization-defined tools and methods];
(c) Conducts the modeling and analyses at the following level of rigor: sa-11.2_prm_3[Assignment: organization-defined breadth and depth of modeling and analyses]; and
(d) Produces evidence that meets the following acceptance criteria: sa-11.2_prm_4[Assignment: organization-defined acceptance criteria].
Developer Security Testing and Evaluation | Threat and Vulnerability Analyses
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
SA-11(3)
Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence
(a) Require an independent agent satisfying sa-11.3_prm_1[Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and
(b) Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
Developer Security Testing and Evaluation | Independent Verification of Assessment Plans / Evidence
The organization:
(a) Requires an independent agent satisfying sa-11.3_prm_1[Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
(b) Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.
SA-11(4)
Developer Testing and Evaluation | Manual Code Reviews
Require the developer of the system, system component, or system service to perform a manual code review of sa-11.4_prm_1[Assignment: organization-defined specific code] using the following processes, procedures, and/or techniques: sa-11.4_prm_2[Assignment: organization-defined processes, procedures, and/or techniques].
Developer Security Testing and Evaluation | Manual Code Reviews
The organization requires the developer of the information system, system component, or information system service to perform a manual code review of sa-11.4_prm_1[Assignment: organization-defined specific code] using sa-11.4_prm_2[Assignment: organization-defined processes, procedures, and/or techniques].
SA-11(5)
Developer Testing and Evaluation | Penetration Testing
Require the developer of the system, system component, or system service to perform penetration testing:
(a) At the following level of rigor: sa-11.5_prm_1[Assignment: organization-defined breadth and depth of testing]; and
(b) Under the following constraints: sa-11.5_prm_2[Assignment: organization-defined constraints].
Developer Security Testing and Evaluation | Penetration Testing
The organization requires the developer of the information system, system component, or information system service to perform penetration testing at sa-11.5_prm_1[Assignment: organization-defined breadth/depth] and with sa-11.5_prm_2[Assignment: organization-defined constraints].
SA-11(6)
Developer Testing and Evaluation | Attack Surface Reviews
Require the developer of the system, system component, or system service to perform attack surface reviews.
Developer Security Testing and Evaluation | Attack Surface Reviews
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
SA-11(7)
Developer Testing and Evaluation | Verify Scope of Testing and Evaluation
Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: sa-11.7_prm_1[Assignment: organization-defined breadth and depth of testing and evaluation].
Developer Security Testing and Evaluation | Verify Scope of Testing / Evaluation
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at sa-11.7_prm_1[Assignment: organization-defined depth of testing/evaluation].
SA-11(8)
Developer Testing and Evaluation | Dynamic Code Analysis
Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
Developer Security Testing and Evaluation | Dynamic Code Analysis
The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
SA-11(9)
Developer Testing and Evaluation | Interactive Application Security Testing
Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.
No predecessor
SA-12
Supply Chain Protection
Withdrawn — incorporated into .
Supply Chain Protection
The organization protects against supply chain threats to the information system, system component, or information system service by employing sa-12_prm_1[Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
SA-12(1)
Supply Chain Protection | Acquisition Strategies / Tools / Methods
.
Supply Chain Protection | Acquisition Strategies / Tools / Methods
The organization employs sa-12.1_prm_1[Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers.
SA-12(2)
Supply Chain Protection | Supplier Reviews
.
Supply Chain Protection | Supplier Reviews
The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.
SA-12(3)
Supply Chain Protection | Trusted Shipping and Warehousing
Withdrawn — incorporated into SR-3.
Supply Chain Protection | Trusted Shipping and Warehousing
Withdrawn — incorporated into SR-3.
SA-12(4)
Supply Chain Protection | Diversity of Suppliers
.
Supply Chain Protection | Diversity of Suppliers
.
SA-12(5)
Supply Chain Protection | Limitation of Harm
.
Supply Chain Protection | Limitation of Harm
The organization employs sa-12.5_prm_1[Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain.
SA-12(6)
Supply Chain Protection | Minimizing Procurement Time
Withdrawn — incorporated into SR-5(1).
Supply Chain Protection | Minimizing Procurement Time
Withdrawn — incorporated into SR-5(1).
SA-12(7)
Supply Chain Protection | Assessments Prior to Selection / Acceptance / Update
.
Supply Chain Protection | Assessments Prior to Selection / Acceptance / Update
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
SA-12(8)
Supply Chain Protection | Use of All-source Intelligence
Withdrawn — incorporated into RA-3(2).
Supply Chain Protection | Use of All-source Intelligence
The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.
SA-12(9)
Supply Chain Protection | Operations Security
.
Supply Chain Protection | Operations Security
The organization employs sa-12.9_prm_1[Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.
SA-12(10)
Supply Chain Protection | Validate as Genuine and Not Altered
.
Supply Chain Protection | Validate as Genuine and Not Altered
The organization employs sa-12.10_prm_1[Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered.
SA-12(11)
Supply Chain Protection | Penetration Testing / Analysis of Elements, Processes, and Actors
.
Supply Chain Protection | Penetration Testing / Analysis of Elements, Processes, and Actors
The organization employs sa-12.11_prm_1[Selection: organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of sa-12.11_prm_2[Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service.
SA-12(12)
Supply Chain Protection | Inter-organizational Agreements
.
Supply Chain Protection | Inter-organizational Agreements
The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.
SA-12(13)
Supply Chain Protection | Critical Information System Components
Withdrawn — incorporated into MA-6 and RA-9.
Supply Chain Protection | Critical Information System Components
The organization employs sa-12.13_prm_1[Assignment: organization-defined security safeguards] to ensure an adequate supply of sa-12.13_prm_2[Assignment: organization-defined critical information system components].
SA-12(14)
Supply Chain Protection | Identity and Traceability
Withdrawn — incorporated into SR-4(1) and SR-4(2).
Supply Chain Protection | Identity and Traceability
The organization establishes and retains unique identification of sa-12.14_prm_1[Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service.
SA-12(15)
Supply Chain Protection | Processes to Address Weaknesses or Deficiencies
Withdrawn — incorporated into SR-3.
Supply Chain Protection | Processes to Address Weaknesses or Deficiencies
The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
SA-13
Trustworthiness
Withdrawn — incorporated into SA-8.
Trustworthiness
The organization:
a. Describes the trustworthiness required in the sa-13_prm_1[Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and
b. Implements sa-13_prm_2[Assignment: organization-defined assurance overlay] to achieve such trustworthiness.
SA-14
Criticality Analysis
Withdrawn — incorporated into RA-9.
Criticality Analysis
The organization identifies critical information system components and functions by performing a criticality analysis for sa-14_prm_1[Assignment: organization-defined information systems, information system components, or information system services] at sa-14_prm_2[Assignment: organization-defined decision points in the system development life cycle].
SA-14(1)
Criticality Analysis | Critical Components with No Viable Alternative Sourcing
Withdrawn — incorporated into SA-20.
Criticality Analysis | Critical Components with No Viable Alternative Sourcing
Withdrawn — incorporated into SA-20.
SA-15
Development Process, Standards, and ToolsⓂ Ⓗ
a. Require the developer of the system, system component, or system service to follow a documented development process that:
1. Explicitly addresses security and privacy requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Review the development process, standards, tools, tool options, and tool configurations sa-15_prm_1[Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: sa-15_prm_2[Assignment: organization-defined security and privacy requirements].
Development Process, Standards, and Tools
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations sa-15_prm_1[Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy sa-15_prm_2[Assignment: organization-defined security requirements].
SA-15(1)
Development Process, Standards, and Tools | Quality Metrics
Require the developer of the system, system component, or system service to:
(a) Define quality metrics at the beginning of the development process; and
(b) Provide evidence of meeting the quality metrics sa-15.1_prm_1[Selection: sa-15.1_prm_2[Assignment: organization-defined frequency] or sa-15.1_prm_3[Assignment: organization-defined program review milestones] or upon delivery].
Development Process, Standards, and Tools | Quality Metrics
The organization requires the developer of the information system, system component, or information system service to:
(a) Define quality metrics at the beginning of the development process; and
(b) Provide evidence of meeting the quality metrics sa-15.1_prm_1[Selection: sa-15.1_prm_2[Assignment: organization-defined frequency] or sa-15.1_prm_3[Assignment: organization-defined program review milestones] or upon delivery].
SA-15(2)
Development Process, Standards, and Tools | Security and Privacy Tracking Tools
Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.
Development Process, Standards, and Tools | Security Tracking Tools
The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.
SA-15(3)
Development Process, Standards, and Tools | Criticality AnalysisⓂ Ⓗ
Require the developer of the system, system component, or system service to perform a criticality analysis:
(a) At the following decision points in the system development life cycle: sa-15.3_prm_1[Assignment: organization-defined decision points in the system development life cycle]; and
(b) At the following level of rigor: sa-15.3_prm_2[Assignment: organization-defined breadth and depth of criticality analysis].
Development Process, Standards, and Tools | Criticality Analysis
The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at sa-15.3_prm_1[Assignment: organization-defined breadth/depth] and at sa-15.3_prm_2[Assignment: organization-defined decision points in the system development life cycle].
SA-15(4)
Development Process, Standards, and Tools | Threat Modeling and Vulnerability Analysis
Withdrawn — incorporated into SA-11(2).
Development Process, Standards, and Tools | Threat Modeling / Vulnerability Analysis
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at sa-15.4_prm_1[Assignment: organization-defined breadth/depth] that:
(a) Uses sa-15.4_prm_2[Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs sa-15.4_prm_3[Assignment: organization-defined tools and methods]; and
(c) Produces evidence that meets sa-15.4_prm_4[Assignment: organization-defined acceptance criteria].
SA-15(5)
Development Process, Standards, and Tools | Attack Surface Reduction
Require the developer of the system, system component, or system service to reduce attack surfaces to sa-15.5_prm_1[Assignment: organization-defined thresholds].
Development Process, Standards, and Tools | Attack Surface Reduction
The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to sa-15.5_prm_1[Assignment: organization-defined thresholds].
SA-15(6)
Development Process, Standards, and Tools | Continuous Improvement
Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.
Development Process, Standards, and Tools | Continuous Improvement
The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.
SA-15(7)
Development Process, Standards, and Tools | Automated Vulnerability Analysis
Require the developer of the system, system component, or system service sa-15.7_prm_1[Assignment: organization-defined frequency] to:
(a) Perform an automated vulnerability analysis using sa-15.7_prm_2[Assignment: organization-defined tools];
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to sa-15.7_prm_3[Assignment: organization-defined personnel or roles].
Development Process, Standards, and Tools | Automated Vulnerability Analysis
The organization requires the developer of the information system, system component, or information system service to:
(a) Perform an automated vulnerability analysis using sa-15.7_prm_1[Assignment: organization-defined tools];
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to sa-15.7_prm_2[Assignment: organization-defined personnel or roles].
SA-15(8)
Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information
Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
Development Process, Standards, and Tools | Reuse of Threat / Vulnerability Information
The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
SA-15(9)
Development Process, Standards, and Tools | Use of Live Data
Withdrawn — incorporated into SA-3(2).
Development Process, Standards, and Tools | Use of Live Data
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service.
SA-15(10)
Development Process, Standards, and Tools | Incident Response Plan
Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.
Development Process, Standards, and Tools | Incident Response Plan
The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.
SA-15(11)
Development Process, Standards, and Tools | Archive System or Component
Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.
Development Process, Standards, and Tools | Archive Information System / Component
The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.
SA-15(12)
Development Process, Standards, and Tools | Minimize Personally Identifiable Information
Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.
No predecessor
SA-16
Developer-provided Training
Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: sa-16_prm_1[Assignment: organization-defined training].
Developer-provided Training
The organization requires the developer of the information system, system component, or information system service to provide sa-16_prm_1[Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
SA-17
Developer Security and Privacy Architecture and Design
Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:
a. Is consistent with the organization’s security and privacy architecture that is an integral part of the organization’s enterprise architecture;
b. Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and
c. Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.
Developer Security Architecture and Design
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
a. Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;
b. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
c. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.
SA-17(1)
Developer Security and Privacy Architecture and Design | Formal Policy Model
Require the developer of the system, system component, or system service to:
(a) Produce, as an integral part of the development process, a formal policy model describing the sa-17.1_prm_1[Assignment: organization-defined elements of organizational security and privacy policy] to be enforced; and
(b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented.
Developer Security Architecture and Design | Formal Policy Model
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal policy model describing the sa-17.1_prm_1[Assignment: organization-defined elements of organizational security policy] to be enforced; and
(b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.
SA-17(2)
Developer Security and Privacy Architecture and Design | Security-relevant Components
Require the developer of the system, system component, or system service to:
(a) Define security-relevant hardware, software, and firmware; and
(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
Developer Security Architecture and Design | Security-relevant Components
The organization requires the developer of the information system, system component, or information system service to:
(a) Define security-relevant hardware, software, and firmware; and
(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
SA-17(3)
Developer Security and Privacy Architecture and Design | Formal Correspondence
Require the developer of the system, system component, or system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
Developer Security Architecture and Design | Formal Correspondence
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
SA-17(4)
Developer Security and Privacy Architecture and Design | Informal Correspondence
Require the developer of the system, system component, or system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via sa-17.4_prm_1[Selection: informal demonstration or convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
Developer Security Architecture and Design | Informal Correspondence
The organization requires the developer of the information system, system component, or information system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via sa-17.4_prm_1[Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
SA-17(5)
Developer Security and Privacy Architecture and Design | Conceptually Simple Design
Require the developer of the system, system component, or system service to:
(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
Developer Security Architecture and Design | Conceptually Simple Design
The organization requires the developer of the information system, system component, or information system service to:
(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
SA-17(6)
Developer Security and Privacy Architecture and Design | Structure for Testing
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing.
Developer Security Architecture and Design | Structure for Testing
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing.
SA-17(7)
Developer Security and Privacy Architecture and Design | Structure for Least Privilege
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
Developer Security Architecture and Design | Structure for Least Privilege
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
SA-17(8)
Developer Security and Privacy Architecture and Design | Orchestration
Design sa-17.8_prm_1[Assignment: organization-defined critical systems or system components] with coordinated behavior to implement the following capabilities: sa-17.8_prm_2[Assignment: organization-defined capabilities, by system or component].
No predecessor
SA-17(9)
Developer Security and Privacy Architecture and Design | Design Diversity
Use different designs for sa-17.9_prm_1[Assignment: organization-defined critical systems or system components] to satisfy a common set of requirements or to provide equivalent functionality.
No predecessor
SA-18
Tamper Resistance and Detection
.
Tamper Resistance and Detection
The organization implements a tamper protection program for the information system, system component, or information system service.
SA-18(1)
Tamper Resistance and Detection | Multiple Phases of System Development Life Cycle
.
Tamper Resistance and Detection | Multiple Phases of SDLC
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance.
SA-18(2)
Tamper Resistance and Detection | Inspection of Systems or Components
.
Tamper Resistance and Detection | Inspection of Information Systems, Components, or Devices
The organization inspects sa-18.2_prm_1[Assignment: organization-defined information systems, system components, or devices] sa-18.2_prm_2[Selection: at random or at sa-18.2_prm_3[Assignment: organization-defined frequency] or upon sa-18.2_prm_4[Assignment: organization-defined indications of need for inspection]] to detect tampering.
SA-19
Component Authenticity
.
Component Authenticity
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to sa-19_prm_1[Selection: source of counterfeit component or sa-19_prm_2[Assignment: organization-defined external reporting organizations] or sa-19_prm_3[Assignment: organization-defined personnel or roles]].
SA-19(1)
Component Authenticity | Anti-counterfeit Training
.
Component Authenticity | Anti-counterfeit Training
The organization trains sa-19.1_prm_1[Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware).
SA-19(2)
Component Authenticity | Configuration Control for Component Service and Repair
.
Component Authenticity | Configuration Control for Component Service / Repair
The organization maintains configuration control over sa-19.2_prm_1[Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.
SA-19(3)
Component Authenticity | Component Disposal
.
Component Authenticity | Component Disposal
The organization disposes of information system components using sa-19.3_prm_1[Assignment: organization-defined techniques and methods].
SA-19(4)
Component Authenticity | Anti-counterfeit Scanning
.
Component Authenticity | Anti-counterfeit Scanning
The organization scans for counterfeit information system components sa-19.4_prm_1[Assignment: organization-defined frequency].
SA-20
Customized Development of Critical Components
Reimplement or custom develop the following critical system components: sa-20_prm_1[Assignment: organization-defined critical system components].
Customized Development of Critical Components
The organization re-implements or custom develops sa-20_prm_1[Assignment: organization-defined critical information system components].
SA-21
Developer Screening
Require that the developer of sa-21_prm_1[Assignment: organization-defined system, system component, or system service]:
a. Has appropriate access authorizations as determined by assigned sa-21_prm_2[Assignment: organization-defined official government duties]; and
b. Satisfies the following additional personnel screening criteria: sa-21_prm_3[Assignment: organization-defined additional personnel screening criteria].
Developer Screening
The organization requires that the developer of sa-21_prm_1[Assignment: organization-defined information system, system component, or information system service]:
a. Have appropriate access authorizations as determined by assigned sa-21_prm_2[Assignment: organization-defined official government duties]; and
b. Satisfy sa-21_prm_3[Assignment: organization-defined additional personnel screening criteria].
SA-21(1)
Developer Screening | Validation of Screening
Withdrawn — incorporated into SA-21.
Developer Screening | Validation of Screening
The organization requires the developer of the information system, system component, or information system service take sa-21.1_prm_1[Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied.
SA-22
Unsupported System ComponentsⓁ Ⓜ Ⓗ
a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
b. Provide the following options for alternative sources for continued support for unsupported components sa-22_prm_1[Selection: in-house support or sa-22_prm_2[Assignment: organization-defined support from external providers]].
Unsupported System Components
The organization:
a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.
SA-22(1)
Unsupported System Components | Alternative Sources for Continued Support
Withdrawn — incorporated into SA-22.
Unsupported System Components | Alternative Sources for Continued Support
The organization provides sa-22.1_prm_1[Selection: in-house support or sa-22.1_prm_2[Assignment: organization-defined support from external providers]] for unsupported information system components.
SA-23
Specialization
Employ sa-23_prm_1[Selection: design or modification or augmentation or reconfiguration] on sa-23_prm_2[Assignment: organization-defined systems or system components] supporting mission essential services or functions to increase the trustworthiness in those systems or components.
No predecessor
SC-1
Policy and ProceduresⓁ Ⓜ Ⓗ
a. Develop, document, and disseminate to sc-1_prm_1[Assignment: organization-defined personnel or roles]:
1. sc-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] system and communications protection policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;
b. Designate an sc-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and
c. Review and update the current system and communications protection:
1. Policy sc-1_prm_4[Assignment: organization-defined frequency] and following sc-1_prm_5[Assignment: organization-defined events]; and
2. Procedures sc-1_prm_6[Assignment: organization-defined frequency] and following sc-1_prm_7[Assignment: organization-defined events].
System and Communications Protection Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to sc-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy sc-1_prm_2[Assignment: organization-defined frequency]; and
2. System and communications protection procedures sc-1_prm_3[Assignment: organization-defined frequency].
SC-2
Separation of System and User FunctionalityⓂ Ⓗ
Separate user functionality, including user interface services, from system management functionality.
Application PartitioningⓂ Ⓗ
The information system separates user functionality (including user interface services) from information system management functionality.
SC-2(1)
Separation of System and User Functionality | Interfaces for Non-privileged Users
Prevent the presentation of system management functionality at interfaces to non-privileged users.
Application Partitioning | Interfaces for Non-privileged Users
The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.
SC-2(2)
Separation of System and User Functionality | Disassociability
Store state information from applications and software separately.
No predecessor
SC-3
Security Function Isolation
Isolate security functions from nonsecurity functions.
Security Function Isolation
The information system isolates security functions from nonsecurity functions.
SC-3(1)
Security Function Isolation | Hardware Separation
Employ hardware separation mechanisms to implement security function isolation.
Security Function Isolation | Hardware Separation
The information system utilizes underlying hardware separation mechanisms to implement security function isolation.
SC-3(2)
Security Function Isolation | Access and Flow Control Functions
Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions.
Security Function Isolation | Access / Flow Control Functions
The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions.
SC-3(3)
Security Function Isolation | Minimize Nonsecurity Functionality
Minimize the number of nonsecurity functions included within the isolation boundary containing security functions.
Security Function Isolation | Minimize Nonsecurity Functionality
The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.
SC-3(4)
Security Function Isolation | Module Coupling and Cohesiveness
Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
Security Function Isolation | Module Coupling and Cohesiveness
The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
SC-3(5)
Security Function Isolation | Layered Structures
Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
Security Function Isolation | Layered Structures
The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
SC-4
Information in Shared System ResourcesⓂ Ⓗ
Prevent unauthorized and unintended information transfer via shared system resources.
Information in Shared ResourcesⓂ Ⓗ
The information system prevents unauthorized and unintended information transfer via shared system resources.
SC-4(1)
Information in Shared System Resources | Security Levels
Withdrawn — incorporated into SC-4.
Information in Shared Resources | Security Levels
Withdrawn — incorporated into SC-4.
SC-4(2)
Information in Shared System Resources | Multilevel or Periods Processing
Prevent unauthorized information transfer via shared resources in accordance with sc-4.2_prm_1[Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.
Information in Shared Resources | Periods Processing
The information system prevents unauthorized information transfer via shared resources in accordance with sc-4.2_prm_1[Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.
SC-5
Denial-of-service ProtectionⓁ Ⓜ Ⓗ
a. sc-5_prm_1[Selection: Protect against or Limit] the effects of the following types of denial-of-service events: sc-5_prm_2[Assignment: organization-defined types of denial-of-service events]; and
b. Employ the following controls to achieve the denial-of-service objective: sc-5_prm_3[Assignment: organization-defined controls by type of denial-of-service event].
Denial of Service ProtectionⓁ Ⓜ Ⓗ
The information system protects against or limits the effects of the following types of denial of service attacks: sc-5_prm_1[Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing sc-5_prm_2[Assignment: organization-defined security safeguards].
SC-5(1)
Denial-of-service Protection | Restrict Ability to Attack Other Systems
Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: sc-5.1_prm_1[Assignment: organization-defined denial-of-service attacks].
Denial of Service Protection | Restrict Internal Users
The information system restricts the ability of individuals to launch sc-5.1_prm_1[Assignment: organization-defined denial of service attacks] against other information systems.
SC-5(2)
Denial-of-service Protection | Capacity, Bandwidth, and Redundancy
Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.
Denial of Service Protection | Excess Capacity / Bandwidth / Redundancy
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks.
SC-5(3)
Denial-of-service Protection | Detection and Monitoring
(a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: sc-5.3_prm_1[Assignment: organization-defined monitoring tools]; and
(b) Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: sc-5.3_prm_2[Assignment: organization-defined system resources].
Denial of Service Protection | Detection / Monitoring
The organization:
(a) Employs sc-5.3_prm_1[Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and
(b) Monitors sc-5.3_prm_2[Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks.
SC-6
Resource Availability
Protect the availability of resources by allocating sc-6_prm_1[Assignment: organization-defined resources] by sc-6_prm_2[Selection: priority or quota or sc-6_prm_3[Assignment: organization-defined controls]].
Resource Availability
The information system protects the availability of resources by allocating sc-6_prm_1[Assignment: organization-defined resources] by sc-6_prm_2[Selection: priority or quota or sc-6_prm_3[Assignment: organization-defined security safeguards]].
SC-7
Boundary ProtectionⓁ Ⓜ Ⓗ
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are sc-7_prm_1[Selection: physically or logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
Boundary ProtectionⓁ Ⓜ Ⓗ
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are sc-7_prm_1[Selection: physically or logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SC-7(1)
Boundary Protection | Physically Separated Subnetworks
Withdrawn — incorporated into SC-7.
Boundary Protection | Physically Separated Subnetworks
Withdrawn — incorporated into SC-7.
SC-7(2)
Boundary Protection | Public Access
Withdrawn — incorporated into SC-7.
Boundary Protection | Public Access
Withdrawn — incorporated into SC-7.
SC-7(3)
Boundary Protection | Access PointsⓂ Ⓗ
Limit the number of external network connections to the system.
Boundary Protection | Access PointsⓂ Ⓗ
The organization limits the number of external network connections to the information system.
SC-7(4)
Boundary Protection | External Telecommunications ServicesⓂ Ⓗ
(a) Implement a managed interface for each external telecommunication service;
(b) Establish a traffic flow policy for each managed interface;
(c) Protect the confidentiality and integrity of the information being transmitted across each interface;
(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
(e) Review exceptions to the traffic flow policy sc-7.4_prm_1[Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need;
(f) Prevent unauthorized exchange of control plane traffic with external networks;
(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
(h) Filter unauthorized control plane traffic from external networks.
Boundary Protection | External Telecommunications ServicesⓂ Ⓗ
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy sc-7.4_prm_1[Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
SC-7(5)
Boundary Protection | Deny by Default — Allow by ExceptionⓂ Ⓗ
Deny network communications traffic by default and allow network communications traffic by exception sc-7.5_prm_1[Selection: at managed interfaces or for sc-7.5_prm_2[Assignment: organization-defined systems]].
Boundary Protection | Deny by Default / Allow by ExceptionⓂ Ⓗ
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
SC-7(6)
Boundary Protection | Response to Recognized Failures
Withdrawn — incorporated into SC-7(18).
Boundary Protection | Response to Recognized Failures
Withdrawn — incorporated into SC-7(18).
SC-7(7)
Boundary Protection | Split Tunneling for Remote DevicesⓂ Ⓗ
Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using sc-7.7_prm_1[Assignment: organization-defined safeguards].
Boundary Protection | Prevent Split Tunneling for Remote DevicesⓂ Ⓗ
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
SC-7(8)
Boundary Protection | Route Traffic to Authenticated Proxy ServersⓂ Ⓗ
Route sc-7.8_prm_1[Assignment: organization-defined internal communications traffic] to sc-7.8_prm_2[Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
Boundary Protection | Route Traffic to Authenticated Proxy Servers
The information system routes sc-7.8_prm_1[Assignment: organization-defined internal communications traffic] to sc-7.8_prm_2[Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
SC-7(9)
Boundary Protection | Restrict Threatening Outgoing Communications Traffic
(a) Detect and deny outgoing communications traffic posing a threat to external systems; and
(b) Audit the identity of internal users associated with denied communications.
Boundary Protection | Restrict Threatening Outgoing Communications Traffic
The information system:
(a) Detects and denies outgoing communications traffic posing a threat to external information systems; and
(b) Audits the identity of internal users associated with denied communications.
SC-7(10)
Boundary Protection | Prevent Exfiltration
(a) Prevent the exfiltration of information; and
(b) Conduct exfiltration tests sc-7.10_prm_1[Assignment: organization-defined frequency].
Boundary Protection | Prevent Unauthorized Exfiltration
The organization prevents the unauthorized exfiltration of information across managed interfaces.
SC-7(11)
Boundary Protection | Restrict Incoming Communications Traffic
Only allow incoming communications from sc-7.11_prm_1[Assignment: organization-defined authorized sources] to be routed to sc-7.11_prm_2[Assignment: organization-defined authorized destinations].
Boundary Protection | Restrict Incoming Communications Traffic
The information system only allows incoming communications from sc-7.11_prm_1[Assignment: organization-defined authorized sources] to be routed to sc-7.11_prm_2[Assignment: organization-defined authorized destinations].
SC-7(12)
Boundary Protection | Host-based Protection
Implement sc-7.12_prm_1[Assignment: organization-defined host-based boundary protection mechanisms] at sc-7.12_prm_2[Assignment: organization-defined system components].
Boundary Protection | Host-based Protection
The organization implements sc-7.12_prm_1[Assignment: organization-defined host-based boundary protection mechanisms] at sc-7.12_prm_2[Assignment: organization-defined information system components].
SC-7(13)
Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components
Isolate sc-7.13_prm_1[Assignment: organization-defined information security tools, mechanisms, and support components] from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
Boundary Protection | Isolation of Security Tools / Mechanisms / Support Components
The organization isolates sc-7.13_prm_1[Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
SC-7(14)
Boundary Protection | Protect Against Unauthorized Physical Connections
Protect against unauthorized physical connections at sc-7.14_prm_1[Assignment: organization-defined managed interfaces].
Boundary Protection | Protects Against Unauthorized Physical Connections
The organization protects against unauthorized physical connections at sc-7.14_prm_1[Assignment: organization-defined managed interfaces].
SC-7(15)
Boundary Protection | Networked Privileged Accesses
Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
Boundary Protection | Route Privileged Network Accesses
The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
SC-7(16)
Boundary Protection | Prevent Discovery of System Components
Prevent the discovery of specific system components that represent a managed interface.
Boundary Protection | Prevent Discovery of Components / Devices
The information system prevents discovery of specific system components composing a managed interface.
SC-7(17)
Boundary Protection | Automated Enforcement of Protocol Formats
Enforce adherence to protocol formats.
Boundary Protection | Automated Enforcement of Protocol Formats
The information system enforces adherence to protocol formats.
SC-7(18)
Boundary Protection | Fail Secure
Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.
Boundary Protection | Fail Secure
The information system fails securely in the event of an operational failure of a boundary protection device.
SC-7(19)
Boundary Protection | Block Communication from Non-organizationally Configured Hosts
Block inbound and outbound communications traffic between sc-7.19_prm_1[Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.
Boundary Protection | Blocks Communication from Non-organizationally Configured Hosts
The information system blocks both inbound and outbound communications traffic between sc-7.19_prm_1[Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.
SC-7(20)
Boundary Protection | Dynamic Isolation and Segregation
Provide the capability to dynamically isolate sc-7.20_prm_1[Assignment: organization-defined system components] from other system components.
Boundary Protection | Dynamic Isolation / Segregation
The information system provides the capability to dynamically isolate/segregate sc-7.20_prm_1[Assignment: organization-defined information system components] from other components of the system.
SC-7(21)
Boundary Protection | Isolation of System Components
Employ boundary protection mechanisms to isolate sc-7.21_prm_1[Assignment: organization-defined system components] supporting sc-7.21_prm_2[Assignment: organization-defined missions and/or business functions].
Boundary Protection | Isolation of Information System Components
The organization employs boundary protection mechanisms to separate sc-7.21_prm_1[Assignment: organization-defined information system components] supporting sc-7.21_prm_2[Assignment: organization-defined missions and/or business functions].
SC-7(22)
Boundary Protection | Separate Subnets for Connecting to Different Security Domains
Implement separate network addresses to connect to systems in different security domains.
Boundary Protection | Separate Subnets for Connecting to Different Security Domains
The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.
SC-7(23)
Boundary Protection | Disable Sender Feedback on Protocol Validation Failure
Disable feedback to senders on protocol format validation failure.
Boundary Protection | Disable Sender Feedback On Protocol Validation Failure
The information system disables feedback to senders on protocol format validation failure.
SC-7(24)
Boundary Protection | Personally Identifiable Information
For systems that process personally identifiable information:
(a) Apply the following processing rules to data elements of personally identifiable information: sc-7.24_prm_1[Assignment: organization-defined processing rules];
(b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;
(c) Document each processing exception; and
(d) Review and remove exceptions that are no longer supported.
No predecessor
SC-7(25)
Boundary Protection | Unclassified National Security System Connections
Prohibit the direct connection of sc-7.25_prm_1[Assignment: organization-defined unclassified national security system] to an external network without the use of sc-7.25_prm_2[Assignment: organization-defined boundary protection device].
No predecessor
SC-7(26)
Boundary Protection | Classified National Security System Connections
Prohibit the direct connection of a classified national security system to an external network without the use of sc-7.26_prm_1[Assignment: organization-defined boundary protection device].
No predecessor
SC-7(27)
Boundary Protection | Unclassified Non-national Security System Connections
Prohibit the direct connection of sc-7.27_prm_1[Assignment: organization-defined unclassified non-national security system] to an external network without the use of sc-7.27_prm_2[Assignment: organization-defined boundary protection device].
No predecessor
SC-7(28)
Boundary Protection | Connections to Public Networks
Prohibit the direct connection of sc-7.28_prm_1[Assignment: organization-defined system] to a public network.
No predecessor
SC-7(29)
Boundary Protection | Separate Subnets to Isolate Functions
Implement sc-7.29_prm_1[Selection: physically or logically] separate subnetworks to isolate the following critical system components and functions: sc-7.29_prm_2[Assignment: organization-defined critical system components and functions].
No predecessor
SC-8
Transmission Confidentiality and IntegrityⓂ Ⓗ
Protect the sc-8_prm_1[Selection: confidentiality or integrity] of transmitted information.
Transmission Confidentiality and IntegrityⓂ Ⓗ
The information system protects the sc-8_prm_1[Selection: confidentiality or integrity] of transmitted information.
SC-8(1)
Transmission Confidentiality and Integrity | Cryptographic ProtectionⓂ Ⓗ
Implement cryptographic mechanisms to sc-8.1_prm_1[Selection: prevent unauthorized disclosure of information or detect changes to information] during transmission.
Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical ProtectionⓂ Ⓗ
The information system implements cryptographic mechanisms to sc-8.1_prm_1[Selection: prevent unauthorized disclosure of information or detect changes to information] during transmission unless otherwise protected by sc-8.1_prm_2[Assignment: organization-defined alternative physical safeguards].
SC-8(2)
Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling
Maintain the sc-8.2_prm_1[Selection: confidentiality or integrity] of information during preparation for transmission and during reception.
Transmission Confidentiality and Integrity | Pre / Post Transmission Handling
The information system maintains the sc-8.2_prm_1[Selection: confidentiality or integrity] of information during preparation for transmission and during reception.
SC-8(3)
Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals
Implement cryptographic mechanisms to protect message externals unless otherwise protected by sc-8.3_prm_1[Assignment: organization-defined alternative physical controls].
Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals
The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by sc-8.3_prm_1[Assignment: organization-defined alternative physical safeguards].
SC-8(4)
Transmission Confidentiality and Integrity | Conceal or Randomize Communications
Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by sc-8.4_prm_1[Assignment: organization-defined alternative physical controls].
Transmission Confidentiality and Integrity | Conceal / Randomize Communications
The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by sc-8.4_prm_1[Assignment: organization-defined alternative physical safeguards].
SC-8(5)
Transmission Confidentiality and Integrity | Protected Distribution System
Implement sc-8.5_prm_1[Assignment: organization-defined protected distribution system] to sc-8.5_prm_2[Selection: prevent unauthorized disclosure of information or detect changes to information] during transmission.
No predecessor
SC-9
Transmission Confidentiality
Withdrawn — incorporated into SC-8.
Transmission Confidentiality
Withdrawn — incorporated into SC-8.
SC-10
Network DisconnectⓂ Ⓗ
Terminate the network connection associated with a communications session at the end of the session or after sc-10_prm_1[Assignment: organization-defined time period] of inactivity.
Network DisconnectⓂ Ⓗ
The information system terminates the network connection associated with a communications session at the end of the session or after sc-10_prm_1[Assignment: organization-defined time period] of inactivity.
SC-11
Trusted Path
a. Provide a sc-11_prm_1[Selection: physically or logically] isolated trusted communications path for communications between the user and the trusted components of the system; and
b. Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: sc-11_prm_2[Assignment: organization-defined security functions].
Trusted Path
The information system establishes a trusted communications path between the user and the following security functions of the system: sc-11_prm_1[Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].
SC-11(1)
Trusted Path | Irrefutable Communications Path
(a) Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and
(b) Initiate the trusted communications path for communications between the sc-11.1_prm_1[Assignment: organization-defined security functions] of the system and the user.
Trusted Path | Logical Isolation
The information system provides a trusted communications path that is logically isolated and distinguishable from other paths.
SC-12
Cryptographic Key Establishment and ManagementⓁ Ⓜ Ⓗ
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: sc-12_prm_1[Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Cryptographic Key Establishment and ManagementⓁ Ⓜ Ⓗ
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with sc-12_prm_1[Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
SC-12(1)
Cryptographic Key Establishment and Management | Availability
Maintain availability of information in the event of the loss of cryptographic keys by users.
Cryptographic Key Establishment and Management | Availability
The organization maintains availability of information in the event of the loss of cryptographic keys by users.
SC-12(2)
Cryptographic Key Establishment and Management | Symmetric Keys
Produce, control, and distribute symmetric cryptographic keys using sc-12.2_prm_1[Selection: NIST FIPS-validated or NSA-approved] key management technology and processes.
Cryptographic Key Establishment and Management | Symmetric Keys
The organization produces, controls, and distributes symmetric cryptographic keys using sc-12.2_prm_1[Selection: NIST FIPS-compliant or NSA-approved] key management technology and processes.
SC-12(3)
Cryptographic Key Establishment and Management | Asymmetric Keys
Produce, control, and distribute asymmetric cryptographic keys using sc-12.3_prm_1[Selection: NSA-approved key management technology and processes or prepositioned keying material or DoD-approved or DoD-issued Medium Assurance PKI certificates or DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key or certificates issued in accordance with organization-defined requirements].
Cryptographic Key Establishment and Management | Asymmetric Keys
The organization produces, controls, and distributes asymmetric cryptographic keys using sc-12.3_prm_1[Selection: NSA-approved key management technology and processes or approved PKI Class 3 certificates or prepositioned keying material or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key].
SC-12(4)
Cryptographic Key Establishment and Management | PKI Certificates
Withdrawn — incorporated into SC-12(3).
Cryptographic Key Establishment and Management | PKI Certificates
Withdrawn — incorporated into SC-12(3).
SC-12(5)
Cryptographic Key Establishment and Management | PKI Certificates / Hardware Tokens
Withdrawn — incorporated into SC-12(3).
Cryptographic Key Establishment and Management | PKI Certificates / Hardware Tokens
Withdrawn — incorporated into SC-12(3).
SC-12(6)
Cryptographic Key Establishment and Management | Physical Control of Keys
Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.
No predecessor
SC-13
Cryptographic ProtectionⓁ Ⓜ Ⓗ
a. Determine the sc-13_prm_1[Assignment: organization-defined cryptographic uses]; and
b. Implement the following types of cryptography required for each specified cryptographic use: sc-13_prm_2[Assignment: organization-defined types of cryptography for each specified cryptographic use].
Cryptographic ProtectionⓁ Ⓜ Ⓗ
The information system implements sc-13_prm_1[Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SC-13(1)
Cryptographic Protection | FIPS-validated Cryptography
Withdrawn — incorporated into SC-13.
Cryptographic Protection | FIPS-validated Cryptography
Withdrawn — incorporated into SC-13.
SC-13(2)
Cryptographic Protection | NSA-approved Cryptography
Withdrawn — incorporated into SC-13.
Cryptographic Protection | NSA-approved Cryptography
Withdrawn — incorporated into SC-13.
Withdrawn — incorporated into SC-13.
SC-13(3)
Cryptographic Protection | Individuals Without Formal Access Approvals
Withdrawn — incorporated into SC-13.
Cryptographic Protection | Individuals Without Formal Access Approvals
Withdrawn — incorporated into SC-13.
SC-13(4)
Cryptographic Protection | Digital Signatures
Withdrawn — incorporated into SC-13.
Cryptographic Protection | Digital Signatures
Withdrawn — incorporated into SC-13.
SC-14
Public Access Protections
Withdrawn — incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, and SI-10.
Public Access Protections
Withdrawn — incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, and SI-10.
SC-15
Collaborative Computing Devices and ApplicationsⓁ Ⓜ Ⓗ
a. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: sc-15_prm_1[Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provide an explicit indication of use to users physically present at the devices.
Collaborative Computing DevicesⓁ Ⓜ Ⓗ
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: sc-15_prm_1[Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.
SC-15(1)
Collaborative Computing Devices and Applications | Physical or Logical Disconnect
Provide sc-15.1_prm_1[Selection: physical or logical] disconnect of collaborative computing devices in a manner that supports ease of use.
Collaborative Computing Devices | Physical Disconnect
The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
SC-15(2)
Collaborative Computing Devices and Applications | Blocking Inbound and Outbound Communications Traffic
Withdrawn — incorporated into SC-7.
Collaborative Computing Devices | Blocking Inbound / Outbound Communications Traffic
Withdrawn — incorporated into SC-7.
SC-15(3)
Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas
Disable or remove collaborative computing devices and applications from sc-15.3_prm_1[Assignment: organization-defined systems or system components] in sc-15.3_prm_2[Assignment: organization-defined secure work areas].
Collaborative Computing Devices | Disabling / Removal in Secure Work Areas
The organization disables or removes collaborative computing devices from sc-15.3_prm_1[Assignment: organization-defined information systems or information system components] in sc-15.3_prm_2[Assignment: organization-defined secure work areas].
SC-15(4)
Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants
Provide an explicit indication of current participants in sc-15.4_prm_1[Assignment: organization-defined online meetings and teleconferences].
Collaborative Computing Devices | Explicitly Indicate Current Participants
The information system provides an explicit indication of current participants in sc-15.4_prm_1[Assignment: organization-defined online meetings and teleconferences].
SC-16
Transmission of Security and Privacy Attributes
Associate sc-16_prm_1[Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components.
Transmission of Security Attributes
The information system associates sc-16_prm_1[Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.
SC-16(1)
Transmission of Security and Privacy Attributes | Integrity Verification
Verify the integrity of transmitted security and privacy attributes.
Transmission of Security Attributes | Integrity Validation
The information system validates the integrity of transmitted security attributes.
SC-16(2)
Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms
Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.
No predecessor
SC-16(3)
Transmission of Security and Privacy Attributes | Cryptographic Binding
Implement sc-16.3_prm_1[Assignment: organization-defined mechanisms or techniques] to bind security and privacy attributes to transmitted information.
No predecessor
SC-17
Public Key Infrastructure CertificatesⓂ Ⓗ
a. Issue public key certificates under an sc-17_prm_1[Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and
b. Include only approved trust anchors in trust stores or certificate stores managed by the organization.
Public Key Infrastructure CertificatesⓂ Ⓗ
The organization issues public key certificates under an sc-17_prm_1[Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.
SC-18
Mobile CodeⓂ Ⓗ
a. Define acceptable and unacceptable mobile code and mobile code technologies; and
b. Authorize, monitor, and control the use of mobile code within the system.
Mobile CodeⓂ Ⓗ
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system.
SC-18(1)
Mobile Code | Identify Unacceptable Code and Take Corrective Actions
Identify sc-18.1_prm_1[Assignment: organization-defined unacceptable mobile code] and take sc-18.1_prm_2[Assignment: organization-defined corrective actions].
Mobile Code | Identify Unacceptable Code / Take Corrective Actions
The information system identifies sc-18.1_prm_1[Assignment: organization-defined unacceptable mobile code] and takes sc-18.1_prm_2[Assignment: organization-defined corrective actions].
SC-18(2)
Mobile Code | Acquisition, Development, and Use
Verify that the acquisition, development, and use of mobile code to be deployed in the system meets sc-18.2_prm_1[Assignment: organization-defined mobile code requirements].
Mobile Code | Acquisition / Development / Use
The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets sc-18.2_prm_1[Assignment: organization-defined mobile code requirements].
SC-18(3)
Mobile Code | Prevent Downloading and Execution
Prevent the download and execution of sc-18.3_prm_1[Assignment: organization-defined unacceptable mobile code].
Mobile Code | Prevent Downloading / Execution
The information system prevents the download and execution of sc-18.3_prm_1[Assignment: organization-defined unacceptable mobile code].
SC-18(4)
Mobile Code | Prevent Automatic Execution
Prevent the automatic execution of mobile code in sc-18.4_prm_1[Assignment: organization-defined software applications] and enforce sc-18.4_prm_2[Assignment: organization-defined actions] prior to executing the code.
Mobile Code | Prevent Automatic Execution
The information system prevents the automatic execution of mobile code in sc-18.4_prm_1[Assignment: organization-defined software applications] and enforces sc-18.4_prm_2[Assignment: organization-defined actions] prior to executing the code.
SC-18(5)
Mobile Code | Allow Execution Only in Confined Environments
Allow execution of permitted mobile code only in confined virtual machine environments.
Mobile Code | Allow Execution Only in Confined Environments
The organization allows execution of permitted mobile code only in confined virtual machine environments.
SC-19
Voice Over Internet Protocol
Withdrawn — technology-specific; addressed as any other technology or protocol.
Voice Over Internet ProtocolⓂ Ⓗ
The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system.
SC-20
Secure Name/Address Resolution Service (Authoritative Source)Ⓛ Ⓜ Ⓗ
a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
Secure Name / Address Resolution Service (Authoritative Source)Ⓛ Ⓜ Ⓗ
The information system:
a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
SC-20(1)
Secure Name/Address Resolution Service (Authoritative Source) | Child Subspaces
Withdrawn — incorporated into SC-20.
Secure Name / Address Resolution Service (Authoritative Source) | Child Subspaces
Withdrawn — incorporated into SC-20.
SC-20(2)
Secure Name/Address Resolution Service (Authoritative Source) | Data Origin and Integrity
Provide data origin and integrity protection artifacts for internal name/address resolution queries.
Secure Name / Address Resolution Service (Authoritative Source) | Data Origin / Integrity
The information system provides data origin and integrity protection artifacts for internal name/address resolution queries.
SC-21
Secure Name/Address Resolution Service (Recursive or Caching Resolver)Ⓛ Ⓜ Ⓗ
Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
Secure Name / Address Resolution Service (Recursive or Caching Resolver)Ⓛ Ⓜ Ⓗ
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-21(1)
Secure Name/Address Resolution Service (Recursive or Caching Resolver) | Data Origin and Integrity
Withdrawn — incorporated into SC-21.
Secure Name / Address Resolution Service (Recursive or Caching Resolver) | Data Origin / Integrity
Withdrawn — incorporated into SC-21.
SC-22
Architecture and Provisioning for Name/Address Resolution ServiceⓁ Ⓜ Ⓗ
Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
Architecture and Provisioning for Name / Address Resolution ServiceⓁ Ⓜ Ⓗ
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
SC-23
Session AuthenticityⓂ Ⓗ
Protect the authenticity of communications sessions.
Session AuthenticityⓂ Ⓗ
The information system protects the authenticity of communications sessions.
SC-23(1)
Session Authenticity | Invalidate Session Identifiers at Logout
Invalidate session identifiers upon user logout or other session termination.
Session Authenticity | Invalidate Session Identifiers at Logout
The information system invalidates session identifiers upon user logout or other session termination.
SC-23(2)
Session Authenticity | User-initiated Logouts and Message Displays
Withdrawn — incorporated into AC-12(1).
Session Authenticity | User-initiated Logouts / Message Displays
Withdrawn — incorporated into AC-12(1).
SC-23(3)
Session Authenticity | Unique System-generated Session Identifiers
Generate a unique session identifier for each session with sc-23.3_prm_1[Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated.
Session Authenticity | Unique Session Identifiers with Randomization
The information system generates a unique session identifier for each session with sc-23.3_prm_1[Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.
SC-23(4)
Session Authenticity | Unique Session Identifiers with Randomization
Withdrawn — incorporated into SC-23(3).
Session Authenticity | Unique Session Identifiers with Randomization
Withdrawn — incorporated into SC-23(3).
SC-23(5)
Session Authenticity | Allowed Certificate Authorities
Only allow the use of sc-23.5_prm_1[Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.
Session Authenticity | Allowed Certificate Authorities
The information system only allows the use of sc-23.5_prm_1[Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.
SC-24
Fail in Known State
Fail to a sc-24_prm_1[Assignment: organization-defined known system state] for the following failures on the indicated components while preserving sc-24_prm_2[Assignment: organization-defined system state information] in failure: sc-24_prm_3[Assignment: list of organization-defined types of system failures on organization-defined system components].
Fail in Known State
The information system fails to a sc-24_prm_1[Assignment: organization-defined known-state] for sc-24_prm_2[Assignment: organization-defined types of failures] preserving sc-24_prm_3[Assignment: organization-defined system state information] in failure.
SC-25
Thin Nodes
Employ minimal functionality and information storage on the following system components: sc-25_prm_1[Assignment: organization-defined system components].
Thin Nodes
The organization employs sc-25_prm_1[Assignment: organization-defined information system components] with minimal functionality and information storage.
SC-26
Decoys
Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.
Honeypots
The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
SC-26(1)
Decoys | Detection of Malicious Code
Withdrawn — incorporated into SC-35.
Honeypots | Detection of Malicious Code
Withdrawn — incorporated into SC-35.
SC-27
Platform-independent Applications
Include within organizational systems the following platform independent applications: sc-27_prm_1[Assignment: organization-defined platform-independent applications].
Platform-independent Applications
The information system includes: sc-27_prm_1[Assignment: organization-defined platform-independent applications].
SC-28
Protection of Information at RestⓂ Ⓗ
Protect the sc-28_prm_1[Selection: confidentiality or integrity] of the following information at rest: sc-28_prm_2[Assignment: organization-defined information at rest].
Protection of Information at RestⓂ Ⓗ
The information system protects the sc-28_prm_1[Selection: confidentiality or integrity] of sc-28_prm_2[Assignment: organization-defined information at rest].
SC-28(1)
Protection of Information at Rest | Cryptographic ProtectionⓂ Ⓗ
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on sc-28.1_prm_1[Assignment: organization-defined system components or media]: sc-28.1_prm_2[Assignment: organization-defined information].
Protection of Information at Rest | Cryptographic Protection
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of sc-28.1_prm_1[Assignment: organization-defined information] on sc-28.1_prm_2[Assignment: organization-defined information system components].
SC-28(2)
Protection of Information at Rest | Offline Storage
Remove the following information from online storage and store offline in a secure location: sc-28.2_prm_1[Assignment: organization-defined information].
Protection of Information at Rest | Off-line Storage
The organization removes from online storage and stores off-line in a secure location sc-28.2_prm_1[Assignment: organization-defined information].
SC-28(3)
Protection of Information at Rest | Cryptographic Keys
Provide protected storage for cryptographic keys sc-28.3_prm_1[Selection: sc-28.3_prm_2[Assignment: organization-defined safeguards] or hardware-protected key store].
No predecessor
SC-29
Heterogeneity
Employ a diverse set of information technologies for the following system components in the implementation of the system: sc-29_prm_1[Assignment: organization-defined system components].
Heterogeneity
The organization employs a diverse set of information technologies for sc-29_prm_1[Assignment: organization-defined information system components] in the implementation of the information system.
SC-29(1)
Heterogeneity | Virtualization Techniques
Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed sc-29.1_prm_1[Assignment: organization-defined frequency].
Heterogeneity | Virtualization Techniques
The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed sc-29.1_prm_1[Assignment: organization-defined frequency].
SC-30
Concealment and Misdirection
Employ the following concealment and misdirection techniques for sc-30_prm_1[Assignment: organization-defined systems] at sc-30_prm_2[Assignment: organization-defined time periods] to confuse and mislead adversaries: sc-30_prm_3[Assignment: organization-defined concealment and misdirection techniques].
Concealment and Misdirection
The organization employs sc-30_prm_1[Assignment: organization-defined concealment and misdirection techniques] for sc-30_prm_2[Assignment: organization-defined information systems] at sc-30_prm_3[Assignment: organization-defined time periods] to confuse and mislead adversaries.
SC-30(1)
Concealment and Misdirection | Virtualization Techniques
Withdrawn — incorporated into SC-29(1).
Concealment and Misdirection | Virtualization Techniques
Withdrawn — incorporated into SC-29(1).
SC-30(2)
Concealment and Misdirection | Randomness
Employ sc-30.2_prm_1[Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.
Concealment and Misdirection | Randomness
The organization employs sc-30.2_prm_1[Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.
SC-30(3)
Concealment and Misdirection | Change Processing and Storage Locations
Change the location of sc-30.3_prm_1[Assignment: organization-defined processing and/or storage] sc-30.3_prm_2[Selection: sc-30.3_prm_3[Assignment: organization-defined time frequency] or at random time intervals].
Concealment and Misdirection | Change Processing / Storage Locations
The organization changes the location of sc-30.3_prm_1[Assignment: organization-defined processing and/or storage] sc-30.3_prm_2[Selection: sc-30.3_prm_3[Assignment: organization-defined time frequency] or at random time intervals].
SC-30(4)
Concealment and Misdirection | Misleading Information
Employ realistic, but misleading information in sc-30.4_prm_1[Assignment: organization-defined system components] about its security state or posture.
Concealment and Misdirection | Misleading Information
The organization employs realistic, but misleading information in sc-30.4_prm_1[Assignment: organization-defined information system components] with regard to its security state or posture.
SC-30(5)
Concealment and Misdirection | Concealment of System Components
Employ the following techniques to hide or conceal sc-30.5_prm_1[Assignment: organization-defined system components]: sc-30.5_prm_2[Assignment: organization-defined techniques].
Concealment and Misdirection | Concealment of System Components
The organization employs sc-30.5_prm_1[Assignment: organization-defined techniques] to hide or conceal sc-30.5_prm_2[Assignment: organization-defined information system components].
SC-31
Covert Channel Analysis
a. Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert sc-31_prm_1[Selection: storage or timing] channels; and
b. Estimate the maximum bandwidth of those channels.
Covert Channel Analysis
The organization:
a. Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert sc-31_prm_1[Selection: storage or timing] channels; and
b. Estimates the maximum bandwidth of those channels.
SC-31(1)
Covert Channel Analysis | Test Covert Channels for Exploitability
Test a subset of the identified covert channels to determine the channels that are exploitable.
Covert Channel Analysis | Test Covert Channels for Exploitability
The organization tests a subset of the identified covert channels to determine which channels are exploitable.
SC-31(2)
Covert Channel Analysis | Maximum Bandwidth
Reduce the maximum bandwidth for identified covert sc-31.2_prm_1[Selection: storage or timing] channels to sc-31.2_prm_2[Assignment: organization-defined values].
Covert Channel Analysis | Maximum Bandwidth
The organization reduces the maximum bandwidth for identified covert sc-31.2_prm_1[Selection: storage or timing] channels to sc-31.2_prm_2[Assignment: organization-defined values].
SC-31(3)
Covert Channel Analysis | Measure Bandwidth in Operational Environments
Measure the bandwidth of sc-31.3_prm_1[Assignment: organization-defined subset of identified covert channels] in the operational environment of the system.
Covert Channel Analysis | Measure Bandwidth in Operational Environments
The organization measures the bandwidth of sc-31.3_prm_1[Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system.
SC-32
System Partitioning
Partition the system into sc-32_prm_1[Assignment: organization-defined system components] residing in separate sc-32_prm_2[Selection: physical or logical] domains or environments based on sc-32_prm_3[Assignment: organization-defined circumstances for physical or logical separation of components].
Information System Partitioning
The organization partitions the information system into sc-32_prm_1[Assignment: organization-defined information system components] residing in separate physical domains or environments based on sc-32_prm_2[Assignment: organization-defined circumstances for physical separation of components].
SC-32(1)
System Partitioning | Separate Physical Domains for Privileged Functions
Partition privileged functions into separate physical domains.
No predecessor
SC-33
Transmission Preparation Integrity
Withdrawn — incorporated into SC-8.
Transmission Preparation Integrity
Withdrawn — incorporated into SC-8.
SC-34
Non-modifiable Executable Programs
For sc-34_prm_1[Assignment: organization-defined system components], load and execute:
a. The operating environment from hardware-enforced, read-only media; and
b. The following applications from hardware-enforced, read-only media: sc-34_prm_2[Assignment: organization-defined applications].
Non-modifiable Executable Programs
The information system at sc-34_prm_1[Assignment: organization-defined information system components]:
a. Loads and executes the operating environment from hardware-enforced, read-only media; and
b. Loads and executes sc-34_prm_2[Assignment: organization-defined applications] from hardware-enforced, read-only media.
SC-34(1)
Non-modifiable Executable Programs | No Writable Storage
Employ sc-34.1_prm_1[Assignment: organization-defined system components] with no writeable storage that is persistent across component restart or power on/off.
Non-modifiable Executable Programs | No Writable Storage
The organization employs sc-34.1_prm_1[Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off.
SC-34(2)
Non-modifiable Executable Programs | Integrity Protection on Read-only Media
Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media.
Non-modifiable Executable Programs | Integrity Protection / Read-only Media
The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media.
SC-34(3)
Non-modifiable Executable Programs | Hardware-based Protection
.
Non-modifiable Executable Programs | Hardware-based Protection
The organization:
(a) Employs hardware-based, write-protect for sc-34.3_prm_1[Assignment: organization-defined information system firmware components]; and
(b) Implements specific procedures for sc-34.3_prm_2[Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.
SC-35
External Malicious Code Identification
Include system components that proactively seek to identify network-based malicious code or malicious websites.
Honeyclients
The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.
SC-36
Distributed Processing and Storage
Distribute the following processing and storage components across multiple sc-36_prm_1[Selection: physical locations or logical domains]: sc-36_prm_2[Assignment: organization-defined processing and storage components].
Distributed Processing and Storage
The organization distributes sc-36_prm_1[Assignment: organization-defined processing and storage] across multiple physical locations.
SC-36(1)
Distributed Processing and Storage | Polling Techniques
(a) Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: sc-36.1_prm_1[Assignment: organization-defined distributed processing and storage components]; and
(b) Take the following actions in response to identified faults, errors, or compromises: sc-36.1_prm_2[Assignment: organization-defined actions].
Distributed Processing and Storage | Polling Techniques
The organization employs polling techniques to identify potential faults, errors, or compromises to sc-36.1_prm_1[Assignment: organization-defined distributed processing and storage components].
SC-36(2)
Distributed Processing and Storage | Synchronization
Synchronize the following duplicate systems or system components: sc-36.2_prm_1[Assignment: organization-defined duplicate systems or system components].
No predecessor
SC-37
Out-of-band Channels
Employ the following out-of-band channels for the physical delivery or electronic transmission of sc-37_prm_1[Assignment: organization-defined information, system components, or devices] to sc-37_prm_2[Assignment: organization-defined individuals or systems]: sc-37_prm_3[Assignment: organization-defined out-of-band channels].
Out-of-band Channels
The organization employs sc-37_prm_1[Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of sc-37_prm_2[Assignment: organization-defined information, information system components, or devices] to sc-37_prm_3[Assignment: organization-defined individuals or information systems].
SC-37(1)
Out-of-band Channels | Ensure Delivery and Transmission
Employ sc-37.1_prm_1[Assignment: organization-defined controls] to ensure that only sc-37.1_prm_2[Assignment: organization-defined individuals or systems] receive the following information, system components, or devices: sc-37.1_prm_3[Assignment: organization-defined information, system components, or devices].
Out-of-band Channels | Ensure Delivery / Transmission
The organization employs sc-37.1_prm_1[Assignment: organization-defined security safeguards] to ensure that only sc-37.1_prm_2[Assignment: organization-defined individuals or information systems] receive the sc-37.1_prm_3[Assignment: organization-defined information, information system components, or devices].
SC-38
Operations Security
Employ the following operations security controls to protect key organizational information throughout the system development life cycle: sc-38_prm_1[Assignment: organization-defined operations security controls].
Operations Security
The organization employs sc-38_prm_1[Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle.
SC-39
Process IsolationⓁ Ⓜ Ⓗ
Maintain a separate execution domain for each executing system process.
Process IsolationⓁ Ⓜ Ⓗ
The information system maintains a separate execution domain for each executing process.
SC-39(1)
Process Isolation | Hardware Separation
Implement hardware separation mechanisms to facilitate process isolation.
Process Isolation | Hardware Separation
The information system implements underlying hardware separation mechanisms to facilitate process separation.
SC-39(2)
Process Isolation | Separate Execution Domain Per Thread
Maintain a separate execution domain for each thread in sc-39.2_prm_1[Assignment: organization-defined multi-threaded processing].
Process Isolation | Thread Isolation
The information system maintains a separate execution domain for each thread in sc-39.2_prm_1[Assignment: organization-defined multi-threaded processing].
SC-40
Wireless Link Protection
Protect external and internal sc-40_prm_1[Assignment: organization-defined wireless links] from the following signal parameter attacks: sc-40_prm_2[Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].
Wireless Link Protection
The information system protects external and internal sc-40_prm_1[Assignment: organization-defined wireless links] from sc-40_prm_2[Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].
SC-40(1)
Wireless Link Protection | Electromagnetic Interference
Implement cryptographic mechanisms that achieve sc-40.1_prm_1[Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference.
Wireless Link Protection | Electromagnetic Interference
The information system implements cryptographic mechanisms that achieve sc-40.1_prm_1[Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference.
SC-40(2)
Wireless Link Protection | Reduce Detection Potential
Implement cryptographic mechanisms to reduce the detection potential of wireless links to sc-40.2_prm_1[Assignment: organization-defined level of reduction].
Wireless Link Protection | Reduce Detection Potential
The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to sc-40.2_prm_1[Assignment: organization-defined level of reduction].
SC-40(3)
Wireless Link Protection | Imitative or Manipulative Communications Deception
Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
Wireless Link Protection | Imitative or Manipulative Communications Deception
The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
SC-40(4)
Wireless Link Protection | Signal Parameter Identification
Implement cryptographic mechanisms to prevent the identification of sc-40.4_prm_1[Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters.
Wireless Link Protection | Signal Parameter Identification
The information system implements cryptographic mechanisms to prevent the identification of sc-40.4_prm_1[Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters.
SC-41
Port and I/O Device Access
sc-41_prm_1[Selection: Physically or Logically] disable or remove sc-41_prm_2[Assignment: organization-defined connection ports or input/output devices] on the following systems or system components: sc-41_prm_3[Assignment: organization-defined systems or system components].
Port and I/O Device Access
The organization physically disables or removes sc-41_prm_1[Assignment: organization-defined connection ports or input/output devices] on sc-41_prm_2[Assignment: organization-defined information systems or information system components].
SC-42
Sensor Capability and Data
a. Prohibit sc-42_prm_1[Selection: the use of devices possessing sc-42_prm_2[Assignment: organization-defined environmental sensing capabilities] in sc-42_prm_3[Assignment: organization-defined facilities, areas, or systems] or the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: sc-42_prm_4[Assignment: organization-defined exceptions where remote activation of sensors is allowed]]; and
b. Provide an explicit indication of sensor use to sc-42_prm_5[Assignment: organization-defined group of users].
Sensor Capability and Data
The information system:
a. Prohibits the remote activation of environmental sensing capabilities with the following exceptions: sc-42_prm_1[Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and
b. Provides an explicit indication of sensor use to sc-42_prm_2[Assignment: organization-defined class of users].
SC-42(1)
Sensor Capability and Data | Reporting to Authorized Individuals or Roles
Verify that the system is configured so that data or information collected by the sc-42.1_prm_1[Assignment: organization-defined sensors] is only reported to authorized individuals or roles.
Sensor Capability and Data | Reporting to Authorized Individuals or Roles
The organization ensures that the information system is configured so that data or information collected by the sc-42.1_prm_1[Assignment: organization-defined sensors] is only reported to authorized individuals or roles.
SC-42(2)
Sensor Capability and Data | Authorized Use
Employ the following measures so that data or information collected by sc-42.2_prm_1[Assignment: organization-defined sensors] is only used for authorized purposes: sc-42.2_prm_2[Assignment: organization-defined measures].
Sensor Capability and Data | Authorized Use
The organization employs the following measures: sc-42.2_prm_1[Assignment: organization-defined measures], so that data or information collected by sc-42.2_prm_2[Assignment: organization-defined sensors] is only used for authorized purposes.
SC-42(3)
Sensor Capability and Data | Prohibit Use of Devices
Withdrawn — incorporated into SC-42.
Sensor Capability and Data | Prohibit Use of Devices
The organization prohibits the use of devices possessing sc-42.3_prm_1[Assignment: organization-defined environmental sensing capabilities] in sc-42.3_prm_2[Assignment: organization-defined facilities, areas, or systems].
SC-42(4)
Sensor Capability and Data | Notice of Collection
Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by sc-42.4_prm_1[Assignment: organization-defined sensors]: sc-42.4_prm_2[Assignment: organization-defined measures].
No predecessor
SC-42(5)
Sensor Capability and Data | Collection Minimization
Employ sc-42.5_prm_1[Assignment: organization-defined sensors] that are configured to minimize the collection of information about individuals that is not needed.
No predecessor
SC-43
Usage Restrictions
a. Establish usage restrictions and implementation guidelines for the following system components: sc-43_prm_1[Assignment: organization-defined system components]; and
b. Authorize, monitor, and control the use of such components within the system.
Usage Restrictions
The organization:
a. Establishes usage restrictions and implementation guidance for sc-43_prm_1[Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of such components within the information system.
SC-44
Detonation Chambers
Employ a detonation chamber capability within sc-44_prm_1[Assignment: organization-defined system, system component, or location].
Detonation Chambers
The organization employs a detonation chamber capability within sc-44_prm_1[Assignment: organization-defined information system, system component, or location].
SC-45
System Time Synchronization
Synchronize system clocks within and between systems and system components.
No predecessor
SC-45(1)
System Time Synchronization | Synchronization with Authoritative Time Source
(a) Compare the internal system clocks sc-45.1_prm_1[Assignment: organization-defined frequency] with sc-45.1_prm_2[Assignment: organization-defined authoritative time source]; and
(b) Synchronize the internal system clocks to the authoritative time source when the time difference is greater than sc-45.1_prm_3[Assignment: organization-defined time period].
No predecessor
SC-45(2)
System Time Synchronization | Secondary Authoritative Time Source
(a) Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and
(b) Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable.
No predecessor
SC-46
Cross Domain Policy Enforcement
Implement a policy enforcement mechanism sc-46_prm_1[Selection: physically or logically] between the physical and/or network interfaces for the connecting security domains.
No predecessor
SC-47
Alternate Communications Paths
Establish sc-47_prm_1[Assignment: organization-defined alternate communications paths] for system operations organizational command and control.
No predecessor
SC-48
Sensor Relocation
Relocate sc-48_prm_1[Assignment: organization-defined sensors and monitoring capabilities] to sc-48_prm_2[Assignment: organization-defined locations] under the following conditions or circumstances: sc-48_prm_3[Assignment: organization-defined conditions or circumstances].
No predecessor
SC-48(1)
Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities
Dynamically relocate sc-48.1_prm_1[Assignment: organization-defined sensors and monitoring capabilities] to sc-48.1_prm_2[Assignment: organization-defined locations] under the following conditions or circumstances: sc-48.1_prm_3[Assignment: organization-defined conditions or circumstances].
No predecessor
SC-49
Hardware-enforced Separation and Policy Enforcement
Implement hardware-enforced separation and policy enforcement mechanisms between sc-49_prm_1[Assignment: organization-defined security domains].
No predecessor
SC-50
Software-enforced Separation and Policy Enforcement
Implement software-enforced separation and policy enforcement mechanisms between sc-50_prm_1[Assignment: organization-defined security domains].
No predecessor
SC-51
Hardware-based Protection
a. Employ hardware-based, write-protect for sc-51_prm_1[Assignment: organization-defined system firmware components]; and
b. Implement specific procedures for sc-51_prm_2[Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.
No predecessor
SI-1
Policy and ProceduresⓁ Ⓜ Ⓗ Ⓟ
a. Develop, document, and disseminate to si-1_prm_1[Assignment: organization-defined personnel or roles]:
1. si-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] system and information integrity policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;
b. Designate an si-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and
c. Review and update the current system and information integrity:
1. Policy si-1_prm_4[Assignment: organization-defined frequency] and following si-1_prm_5[Assignment: organization-defined events]; and
2. Procedures si-1_prm_6[Assignment: organization-defined frequency] and following si-1_prm_7[Assignment: organization-defined events].
System and Information Integrity Policy and ProceduresⓁ Ⓜ Ⓗ
The organization:
a. Develops, documents, and disseminates to si-1_prm_1[Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy si-1_prm_2[Assignment: organization-defined frequency]; and
2. System and information integrity procedures si-1_prm_3[Assignment: organization-defined frequency].
SI-2
Flaw RemediationⓁ Ⓜ Ⓗ
a. Identify, report, and correct system flaws;
b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Install security-relevant software and firmware updates within si-2_prm_1[Assignment: organization-defined time period] of the release of the updates; and
d. Incorporate flaw remediation into the organizational configuration management process.
Flaw RemediationⓁ Ⓜ Ⓗ
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within si-2_prm_1[Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process.
SI-2(1)
Flaw Remediation | Central Management
Withdrawn — incorporated into PL-9.
Flaw Remediation | Central Management
The organization centrally manages the flaw remediation process.
SI-2(2)
Flaw Remediation | Automated Flaw Remediation StatusⓂ Ⓗ
Determine if system components have applicable security-relevant software and firmware updates installed using si-2.2_prm_1[Assignment: organization-defined automated mechanisms] si-2.2_prm_2[Assignment: organization-defined frequency].
Flaw Remediation | Automated Flaw Remediation StatusⓂ Ⓗ
The organization employs automated mechanisms si-2.2_prm_1[Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
SI-2(3)
Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions
(a) Measure the time between flaw identification and flaw remediation; and
(b) Establish the following benchmarks for taking corrective actions: si-2.3_prm_1[Assignment: organization-defined benchmarks].
Flaw Remediation | Time to Remediate Flaws / Benchmarks for Corrective Actions
The organization:
(a) Measures the time between flaw identification and flaw remediation; and
(b) Establishes si-2.3_prm_1[Assignment: organization-defined benchmarks] for taking corrective actions.
SI-2(4)
Flaw Remediation | Automated Patch Management Tools
Employ automated patch management tools to facilitate flaw remediation to the following system components: si-2.4_prm_1[Assignment: organization-defined system components].
Flaw Remediation | Automated Patch Management Tools
.
SI-2(5)
Flaw Remediation | Automatic Software and Firmware Updates
Install si-2.5_prm_1[Assignment: organization-defined security-relevant software and firmware updates] automatically to si-2.5_prm_2[Assignment: organization-defined system components].
Flaw Remediation | Automatic Software / Firmware Updates
The organization installs si-2.5_prm_1[Assignment: organization-defined security-relevant software and firmware updates] automatically to si-2.5_prm_2[Assignment: organization-defined information system components].
SI-2(6)
Flaw Remediation | Removal of Previous Versions of Software and Firmware
Remove previous versions of si-2.6_prm_1[Assignment: organization-defined software and firmware components] after updated versions have been installed.
Flaw Remediation | Removal of Previous Versions of Software / Firmware
The organization removes si-2.6_prm_1[Assignment: organization-defined software and firmware components] after updated versions have been installed.
SI-3
Malicious Code ProtectionⓁ Ⓜ Ⓗ
a. Implement si-3_prm_1[Selection: signature based or non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
1. Perform periodic scans of the system si-3_prm_2[Assignment: organization-defined frequency] and real-time scans of files from external sources at si-3_prm_3[Selection: endpoint or network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
2. si-3_prm_4[Selection: block malicious code or quarantine malicious code or take si-3_prm_5[Assignment: organization-defined action]]; and send alert to si-3_prm_6[Assignment: organization-defined personnel or roles] in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
Malicious Code ProtectionⓁ Ⓜ Ⓗ
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system si-3_prm_1[Assignment: organization-defined frequency] and real-time scans of files from external sources at si-3_prm_2[Selection: endpoint or network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. si-3_prm_3[Selection: block malicious code or quarantine malicious code or send alert to administrator or si-3_prm_4[Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
SI-3(1)
Malicious Code Protection | Central Management
Withdrawn — incorporated into PL-9.
Malicious Code Protection | Central ManagementⓂ Ⓗ
The organization centrally manages malicious code protection mechanisms.
SI-3(2)
Malicious Code Protection | Automatic Updates
Withdrawn — incorporated into SI-3.
Malicious Code Protection | Automatic UpdatesⓂ Ⓗ
The information system automatically updates malicious code protection mechanisms.
SI-3(3)
Malicious Code Protection | Non-privileged Users
Withdrawn — incorporated into AC-6(10).
Malicious Code Protection | Non-privileged Users
Withdrawn — incorporated into AC-6(10).
SI-3(4)
Malicious Code Protection | Updates Only by Privileged Users
Update malicious code protection mechanisms only when directed by a privileged user.
Malicious Code Protection | Updates Only by Privileged Users
The information system updates malicious code protection mechanisms only when directed by a privileged user.
SI-3(5)
Malicious Code Protection | Portable Storage Devices
Withdrawn — incorporated into MP-7.
Malicious Code Protection | Portable Storage Devices
Withdrawn — incorporated into MP-7.
SI-3(6)
Malicious Code Protection | Testing and Verification
(a) Test malicious code protection mechanisms si-3.6_prm_1[Assignment: organization-defined frequency] by introducing known benign code into the system; and
(b) Verify that the detection of the code and the associated incident reporting occur.
Malicious Code Protection | Testing / Verification
The organization:
(a) Tests malicious code protection mechanisms si-3.6_prm_1[Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and
(b) Verifies that both detection of the test case and associated incident reporting occur.
SI-3(7)
Malicious Code Protection | Nonsignature-based Detection
Withdrawn — incorporated into SI-3.
Malicious Code Protection | Nonsignature-based Detection
The information system implements nonsignature-based malicious code detection mechanisms.
SI-3(8)
Malicious Code Protection | Detect Unauthorized Commands
(a) Detect the following unauthorized operating system commands through the kernel application programming interface on si-3.8_prm_1[Assignment: organization-defined system hardware components]: si-3.8_prm_2[Assignment: organization-defined unauthorized operating system commands]; and
(b) si-3.8_prm_3[Selection: issue a warning or audit the command execution or prevent the execution of the command].
Malicious Code Protection | Detect Unauthorized Commands
The information system detects si-3.8_prm_1[Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at si-3.8_prm_2[Assignment: organization-defined information system hardware components] and si-3.8_prm_3[Selection: issues a warning or audits the command execution or prevents the execution of the command].
SI-3(9)
Malicious Code Protection | Authenticate Remote Commands
.
Malicious Code Protection | Authenticate Remote Commands
The information system implements si-3.9_prm_1[Assignment: organization-defined security safeguards] to authenticate si-3.9_prm_2[Assignment: organization-defined remote commands].
SI-3(10)
Malicious Code Protection | Malicious Code Analysis
(a) Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: si-3.10_prm_1[Assignment: organization-defined tools and techniques]; and
(b) Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes.
Malicious Code Protection | Malicious Code Analysis
The organization:
(a) Employs si-3.10_prm_1[Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
(b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.
SI-4
System MonitoringⓁ Ⓜ Ⓗ
a. Monitor the system to detect:
1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: si-4_prm_1[Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identify unauthorized use of the system through the following techniques and methods: si-4_prm_2[Assignment: organization-defined techniques and methods];
c. Invoke internal monitoring capabilities or deploy monitoring devices:
1. Strategically within the system to collect organization-determined essential information; and
2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Analyze detected events and anomalies;
e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
f. Obtain legal opinion regarding system monitoring activities; and
g. Provide si-4_prm_3[Assignment: organization-defined system monitoring information] to si-4_prm_4[Assignment: organization-defined personnel or roles] si-4_prm_5[Selection: as needed or si-4_prm_6[Assignment: organization-defined frequency]].
Information System MonitoringⓁ Ⓜ Ⓗ
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with si-4_prm_1[Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through si-4_prm_2[Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices:
1. Strategically within the information system to collect organization-determined essential information; and
2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides si-4_prm_3[Assignment: organization-defined information system monitoring information] to si-4_prm_4[Assignment: organization-defined personnel or roles] si-4_prm_5[Selection: as needed or si-4_prm_6[Assignment: organization-defined frequency]].
SI-4(1)
System Monitoring | System-wide Intrusion Detection System
Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.
Information System Monitoring | System-wide Intrusion Detection System
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.
SI-4(2)
System Monitoring | Automated Tools and Mechanisms for Real-time AnalysisⓂ Ⓗ
Employ automated tools and mechanisms to support near real-time analysis of events.
Information System Monitoring | Automated Tools for Real-time AnalysisⓂ Ⓗ
The organization employs automated tools to support near real-time analysis of events.
SI-4(3)
System Monitoring | Automated Tool and Mechanism Integration
Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.
Information System Monitoring | Automated Tool Integration
The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
SI-4(4)
System Monitoring | Inbound and Outbound Communications TrafficⓂ Ⓗ
(a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;
(b) Monitor inbound and outbound communications traffic si-4.4_prm_1[Assignment: organization-defined frequency] for si-4.4_prm_2[Assignment: organization-defined unusual or unauthorized activities or conditions].
Information System Monitoring | Inbound and Outbound Communications TrafficⓂ Ⓗ
The information system monitors inbound and outbound communications traffic si-4.4_prm_1[Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
SI-4(5)
System Monitoring | System-generated AlertsⓂ Ⓗ
Alert si-4.5_prm_1[Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: si-4.5_prm_2[Assignment: organization-defined compromise indicators].
Information System Monitoring | System-generated AlertsⓂ Ⓗ
The information system alerts si-4.5_prm_1[Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: si-4.5_prm_2[Assignment: organization-defined compromise indicators].
SI-4(6)
System Monitoring | Restrict Non-privileged Users
Withdrawn — incorporated into AC-6(10).
Information System Monitoring | Restrict Non-privileged Users
Withdrawn — incorporated into AC-6(10).
SI-4(7)
System Monitoring | Automated Response to Suspicious Events
(a) Notify si-4.7_prm_1[Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events; and
(b) Take the following actions upon detection: si-4.7_prm_2[Assignment: organization-defined least-disruptive actions to terminate suspicious events].
Information System Monitoring | Automated Response to Suspicious Events
The information system notifies si-4.7_prm_1[Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes si-4.7_prm_2[Assignment: organization-defined least-disruptive actions to terminate suspicious events].
SI-4(8)
System Monitoring | Protection of Monitoring Information
Withdrawn — incorporated into SI-4.
Information System Monitoring | Protection of Monitoring Information
Withdrawn — incorporated into SI-4.
SI-4(9)
System Monitoring | Testing of Monitoring Tools and Mechanisms
Test intrusion-monitoring tools and mechanisms si-4.9_prm_1[Assignment: organization-defined frequency].
Information System Monitoring | Testing of Monitoring Tools
The organization tests intrusion-monitoring tools si-4.9_prm_1[Assignment: organization-defined frequency].
SI-4(10)
System Monitoring | Visibility of Encrypted Communications
Make provisions so that si-4.10_prm_1[Assignment: organization-defined encrypted communications traffic] is visible to si-4.10_prm_2[Assignment: organization-defined system monitoring tools and mechanisms].
Information System Monitoring | Visibility of Encrypted Communications
The organization makes provisions so that si-4.10_prm_1[Assignment: organization-defined encrypted communications traffic] is visible to si-4.10_prm_2[Assignment: organization-defined information system monitoring tools].
SI-4(11)
System Monitoring | Analyze Communications Traffic Anomalies
Analyze outbound communications traffic at the external interfaces to the system and selected si-4.11_prm_1[Assignment: organization-defined interior points within the system] to discover anomalies.
Information System Monitoring | Analyze Communications Traffic Anomalies
The organization analyzes outbound communications traffic at the external boundary of the information system and selected si-4.11_prm_1[Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.
SI-4(12)
System Monitoring | Automated Organization-generated Alerts
Alert si-4.12_prm_1[Assignment: organization-defined personnel or roles] using si-4.12_prm_2[Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: si-4.12_prm_3[Assignment: organization-defined activities that trigger alerts].
Information System Monitoring | Automated Alerts
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: si-4.12_prm_1[Assignment: organization-defined activities that trigger alerts].
SI-4(13)
System Monitoring | Analyze Traffic and Event Patterns
(a) Analyze communications traffic and event patterns for the system;
(b) Develop profiles representing common traffic and event patterns; and
(c) Use the traffic and event profiles in tuning system-monitoring devices.
Information System Monitoring | Analyze Traffic / Event Patterns
The organization:
(a) Analyzes communications traffic/event patterns for the information system;
(b) Develops profiles representing common traffic patterns and/or events; and
(c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
SI-4(14)
System Monitoring | Wireless Intrusion Detection
Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
Information System Monitoring | Wireless Intrusion Detection
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
SI-4(15)
System Monitoring | Wireless to Wireline Communications
Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
Information System Monitoring | Wireless to Wireline Communications
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
SI-4(16)
System Monitoring | Correlate Monitoring Information
Correlate information from monitoring tools and mechanisms employed throughout the system.
Information System Monitoring | Correlate Monitoring Information
The organization correlates information from monitoring tools employed throughout the information system.
SI-4(17)
System Monitoring | Integrated Situational Awareness
Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
Information System Monitoring | Integrated Situational Awareness
The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
SI-4(18)
System Monitoring | Analyze Traffic and Covert Exfiltration
Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: si-4.18_prm_1[Assignment: organization-defined interior points within the system].
Information System Monitoring | Analyze Traffic / Covert Exfiltration
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at si-4.18_prm_1[Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information.
SI-4(19)
System Monitoring | Risk for Individuals
Implement si-4.19_prm_1[Assignment: organization-defined additional monitoring] of individuals who have been identified by si-4.19_prm_2[Assignment: organization-defined sources] as posing an increased level of risk.
Information System Monitoring | Individuals Posing Greater Risk
The organization implements si-4.19_prm_1[Assignment: organization-defined additional monitoring] of individuals who have been identified by si-4.19_prm_2[Assignment: organization-defined sources] as posing an increased level of risk.
SI-4(20)
System Monitoring | Privileged Users
Implement the following additional monitoring of privileged users: si-4.20_prm_1[Assignment: organization-defined additional monitoring].
Information System Monitoring | Privileged Users
The organization implements si-4.20_prm_1[Assignment: organization-defined additional monitoring] of privileged users.
SI-4(21)
System Monitoring | Probationary Periods
Implement the following additional monitoring of individuals during si-4.21_prm_1[Assignment: organization-defined probationary period]: si-4.21_prm_2[Assignment: organization-defined additional monitoring].
Information System Monitoring | Probationary Periods
The organization implements si-4.21_prm_1[Assignment: organization-defined additional monitoring] of individuals during si-4.21_prm_2[Assignment: organization-defined probationary period].
SI-4(22)
System Monitoring | Unauthorized Network Services
(a) Detect network services that have not been authorized or approved by si-4.22_prm_1[Assignment: organization-defined authorization or approval processes]; and
(b) si-4.22_prm_2[Selection: Audit or Alert si-4.22_prm_3[Assignment: organization-defined personnel or roles]] when detected.
Information System Monitoring | Unauthorized Network Services
The information system detects network services that have not been authorized or approved by si-4.22_prm_1[Assignment: organization-defined authorization or approval processes] and si-4.22_prm_2[Selection: audits or alerts si-4.22_prm_3[Assignment: organization-defined personnel or roles]].
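Worked example for SI-4(22) (added here; it is not from SP 800-53 or this page's author): detection logic in Python that parses listener output in the format of `ss -lntp` and compares each listening socket against an allowlist of approved (port, process) pairs standing in for the organization-defined approval process. The sample output lines and the allowlist are constructed for the example. A listener whose owning process cannot be identified is treated as unauthorized, since approval is by service identity rather than by port alone; the resulting findings are what the SI-4(22)(b) selection (audit, alert, or both) acts on.

```python
"""Added example for SI-4(22): detect listening network services that are not
on an approved list. Input is constructed text in the format of `ss -lntp`;
nothing here is taken from SP 800-53 or the page author."""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "addr port proc pid")

# Matches each ("name",pid=N ...) entry in the ss Process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

# Constructed sample of `ss -lntp` output: three approved services, a netcat
# listener, an ad hoc python3 web server, and a socket whose owner ss could
# not identify (e.g. run without the privilege to see other users' processes).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1301,fd=6),("nginx",pid=1300,fd=6))
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=955,fd=5))
LISTEN  0       5       0.0.0.0:4444         0.0.0.0:*          users:(("nc",pid=7782,fd=3))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("python3",pid=9011,fd=3))
LISTEN  0       128     0.0.0.0:9100         0.0.0.0:*
"""

# Constructed allowlist standing in for the organization-defined approval
# process: approval is by (port, process name), not by port alone.
APPROVED = {(22, "sshd"), (443, "nginx"), (5432, "postgres")}


def parse_ss_listeners(text):
    """Parse LISTEN rows of `ss -lntp` output into Listener records.
    A row with no Process column yields one record with proc/pid = None."""
    listeners = []
    for line in text.splitlines():
        if not line.startswith("LISTEN"):
            continue  # header or non-listening state
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue  # malformed row
        addr, port = parts[3].rsplit(":", 1)  # handles "[::]:22" as well
        procs = PROC_RE.findall(parts[5]) if len(parts) == 6 else []
        if not procs:
            listeners.append(Listener(addr, int(port), None, None))
        for name, pid in procs:
            listeners.append(Listener(addr, int(port), name, int(pid)))
    return listeners


def find_unauthorized(listeners, approved):
    """Return listeners whose (port, process) is not approved, one per
    distinct (port, process). Unknown-process listeners are never approved."""
    seen = set()
    findings = []
    for l in listeners:
        key = (l.port, l.proc)
        if key in approved or key in seen:
            continue
        seen.add(key)
        findings.append(l)
    return sorted(findings, key=lambda l: (l.port, l.proc or ""))


def demo():
    """Run the detection over the constructed sample; returns the findings."""
    return find_unauthorized(parse_ss_listeners(SAMPLE_SS), APPROVED)


if __name__ == "__main__":
    for l in demo():
        print(f"unauthorized listener {l.addr}:{l.port} "
              f"process={l.proc or 'unknown'} pid={l.pid or '?'}")
```

On a real host the text would come from `ss -lntp` run with enough privilege to see every process; without that privilege the Process column is empty for other users' sockets, which is why the example refuses to approve a listener it cannot attribute. Each finding carries the port, process and pid needed for either an audit record or an alert to the personnel named in si-4.22_prm_3.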
SI-4(23)
System Monitoring | Host-based Devices
Implement the following host-based monitoring mechanisms at si-4.23_prm_1[Assignment: organization-defined system components]: si-4.23_prm_2[Assignment: organization-defined host-based monitoring mechanisms].
Information System Monitoring | Host-based Devices
The organization implements si-4.23_prm_1[Assignment: organization-defined host-based monitoring mechanisms] at si-4.23_prm_2[Assignment: organization-defined information system components].
SI-4(24)
System Monitoring | Indicators of Compromise
Discover, collect, and distribute to si-4.24_prm_1[Assignment: organization-defined personnel or roles], indicators of compromise provided by si-4.24_prm_2[Assignment: organization-defined sources].
Information System Monitoring | Indicators of Compromise
The information system discovers, collects, distributes, and uses indicators of compromise.
SI-4(25)
System Monitoring | Optimize Network Traffic Analysis
Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.
No predecessor
SI-5
Security Alerts, Advisories, and DirectivesⓁ Ⓜ Ⓗ
a. Receive system security alerts, advisories, and directives from si-5_prm_1[Assignment: organization-defined external organizations] on an ongoing basis;
b. Generate internal security alerts, advisories, and directives as deemed necessary;
c. Disseminate security alerts, advisories, and directives to: si-5_prm_2[Selection: si-5_prm_3[Assignment: organization-defined personnel or roles] or si-5_prm_4[Assignment: organization-defined elements within the organization] or si-5_prm_5[Assignment: organization-defined external organizations]]; and
d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.
Security Alerts, Advisories, and DirectivesⓁ Ⓜ Ⓗ
The organization:
a. Receives information system security alerts, advisories, and directives from si-5_prm_1[Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: si-5_prm_2[Selection: si-5_prm_3[Assignment: organization-defined personnel or roles] or si-5_prm_4[Assignment: organization-defined elements within the organization] or si-5_prm_5[Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
SI-5(1)
Security Alerts, Advisories, and Directives | Automated Alerts and Advisories
Broadcast security alert and advisory information throughout the organization using si-5.1_prm_1[Assignment: organization-defined automated mechanisms].
Security Alerts, Advisories, and Directives | Automated Alerts and Advisories
The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.
SI-6
Security and Privacy Function Verification
a. Verify the correct operation of si-6_prm_1[Assignment: organization-defined security and privacy functions];
b. Perform the verification of the functions specified in SI-6a si-6_prm_2[Selection: si-6_prm_3[Assignment: organization-defined system transitional states] or upon command by user with appropriate privilege or si-6_prm_4[Assignment: organization-defined frequency]];
c. Alert si-6_prm_5[Assignment: organization-defined personnel or roles] to failed security and privacy verification tests; and
d. si-6_prm_6[Selection: Shut the system down or Restart the system or si-6_prm_7[Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
Security Function Verification
The information system:
a. Verifies the correct operation of si-6_prm_1[Assignment: organization-defined security functions];
b. Performs this verification si-6_prm_2[Selection: si-6_prm_3[Assignment: organization-defined system transitional states] or upon command by user with appropriate privilege or si-6_prm_4[Assignment: organization-defined frequency]];
c. Notifies si-6_prm_5[Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. si-6_prm_6[Selection: shuts the information system down or restarts the information system or si-6_prm_7[Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
SI-6(1)
Security and Privacy Function Verification | Notification of Failed Security Tests
Withdrawn — incorporated into SI-6.
Security Function Verification | Notification of Failed Security Tests
Withdrawn — incorporated into SI-6.
SI-6(2)
Security and Privacy Function Verification | Automation Support for Distributed Testing
Implement automated mechanisms to support the management of distributed security and privacy function testing.
Security Function Verification | Automation Support for Distributed Testing
The information system implements automated mechanisms to support the management of distributed security testing.
SI-6(3)
Security and Privacy Function Verification | Report Verification Results
Report the results of security and privacy function verification to si-6.3_prm_1[Assignment: organization-defined personnel or roles].
Security Function Verification | Report Verification Results
The organization reports the results of security function verification to si-6.3_prm_1[Assignment: organization-defined personnel or roles].
SI-7
Software, Firmware, and Information IntegrityⓂ Ⓗ
a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: si-7_prm_1[Assignment: organization-defined software, firmware, and information]; and
b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: si-7_prm_2[Assignment: organization-defined actions].
Software, Firmware, and Information IntegrityⓂ Ⓗ
The organization employs integrity verification tools to detect unauthorized changes to si-7_prm_1[Assignment: organization-defined software, firmware, and information].
SI-7(1)
Software, Firmware, and Information Integrity | Integrity ChecksⓂ Ⓗ
Perform an integrity check of si-7.1_prm_1[Assignment: organization-defined software, firmware, and information] si-7.1_prm_2[Selection: at startup or at si-7.1_prm_3[Assignment: organization-defined transitional states or security-relevant events] or si-7.1_prm_4[Assignment: organization-defined frequency]].
Software, Firmware, and Information Integrity | Integrity ChecksⓂ Ⓗ
The information system performs an integrity check of si-7.1_prm_1[Assignment: organization-defined software, firmware, and information] si-7.1_prm_2[Selection: at startup or at si-7.1_prm_3[Assignment: organization-defined transitional states or security-relevant events] or si-7.1_prm_4[Assignment: organization-defined frequency]].
SI-7(2)
Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations
Employ automated tools that provide notification to si-7.2_prm_1[Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.
Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations
The organization employs automated tools that provide notification to si-7.2_prm_1[Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.
SI-7(3)
Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools
Employ centrally managed integrity verification tools.
Software, Firmware, and Information Integrity | Centrally-managed Integrity Tools
The organization employs centrally managed integrity verification tools.
SI-7(4)
Software, Firmware, and Information Integrity | Tamper-evident Packaging
Withdrawn — incorporated into SR-9.
Software, Firmware, and Information Integrity | Tamper-evident Packaging
Withdrawn — incorporated into SR-9.
SI-7(5)
Software, Firmware, and Information Integrity | Automated Response to Integrity Violations
Automatically si-7.5_prm_1[Selection: shut the system down or restart the system or implement si-7.5_prm_2[Assignment: organization-defined controls]] when integrity violations are discovered.
Software, Firmware, and Information Integrity | Automated Response to Integrity Violations
The information system automatically si-7.5_prm_1[Selection: shuts the information system down or restarts the information system or implements si-7.5_prm_2[Assignment: organization-defined security safeguards]] when integrity violations are discovered.
SI-7(6)
Software, Firmware, and Information Integrity | Cryptographic Protection
Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
Software, Firmware, and Information Integrity | Cryptographic Protection
The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
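Worked example for SI-7, SI-7(1) and SI-7(6) above (added here; it is not from SP 800-53 or this page's author): a minimal integrity verification tool in Python. It hashes the monitored files into a baseline manifest, authenticates the manifest with HMAC-SHA256 so that an attacker who alters a file cannot simply regenerate the baseline, and on re-verification reports modified, missing and unexpected files, which is the condition SI-7b and SI-7(2) act on. The directory layout, file contents and key are constructed for the example; the key is assumed to be held off the monitored host. A digital signature over the manifest is the more usual cryptographic mechanism in a deployed tool; HMAC is used here only so that the example runs with the standard library.

```python
"""Added example for SI-7, SI-7(1) and SI-7(6): an integrity verification tool
that baselines a file tree, authenticates the baseline with HMAC-SHA256, and
reports unauthorized changes. Paths, contents and the key are constructed;
nothing here is taken from SP 800-53 or the page author."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (by relative path) to its digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def build_manifest(root, key):
    """Return (manifest_bytes, tag). The HMAC tag is the SI-7(6) cryptographic
    mechanism: without the key (assumed to be held off the monitored host) an
    attacker who alters a file cannot also regenerate a matching baseline."""
    manifest = json.dumps(hash_tree(root), sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def verify(root, manifest, tag, key):
    """Authenticate the baseline, re-hash the tree, and report differences.
    Raises ValueError if the manifest itself fails authentication, since a
    baseline that cannot be trusted must not be used to clear the system."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest authentication failed; baseline untrusted")
    baseline = json.loads(manifest)
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline two files, then make unauthorized
    changes and attempt to forge the manifest.
    Returns (findings, manifest_tamper_detected)."""
    key = b"example-key-held-off-the-monitored-host"  # constructed for the example
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "bin", "app"), "wb") as f:
        f.write(b"\x7fELF placeholder binary\n")
    with open(os.path.join(root, "etc", "app.conf"), "w") as f:
        f.write("listen = 443\n")
    manifest, tag = build_manifest(root, key)

    # Simulated unauthorized changes: a config edit and a dropped file.
    with open(os.path.join(root, "etc", "app.conf"), "a") as f:
        f.write("debug_shell = on\n")
    with open(os.path.join(root, "bin", "dropper"), "wb") as f:
        f.write(b"not in the baseline\n")
    findings = verify(root, manifest, tag, key)

    # An attacker who edits the manifest to hide the change lacks the key,
    # so any change to its bytes fails authentication.
    forged = bytes([manifest[0] ^ 0x01]) + manifest[1:]
    try:
        verify(root, forged, tag, key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return findings, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Run the file directly to see the findings dictionary for the constructed tree. In use, `verify` would be invoked per the SI-7(1) selection (at startup, at a transitional state, or on a frequency), and a non-empty result or an authentication failure routed to the SI-7(2) notification and SI-7(7) incident response paths.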
SI-7(7)
Software, Firmware, and Information Integrity | Integration of Detection and ResponseⓂ Ⓗ
Incorporate the detection of the following unauthorized changes into the organizational incident response capability: si-7.7_prm_1[Assignment: organization-defined security-relevant changes to the system].
Software, Firmware, and Information Integrity | Integration of Detection and ResponseⓂ Ⓗ
The organization incorporates the detection of unauthorized si-7.7_prm_1[Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.
SI-7(8)
Software, Firmware, and Information Integrity | Auditing Capability for Significant Events
Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: si-7.8_prm_1[Selection: generate an audit record or alert current user or alert si-7.8_prm_2[Assignment: organization-defined personnel or roles] or si-7.8_prm_3[Assignment: organization-defined other actions]].
Software, Firmware, and Information Integrity | Auditing Capability for Significant Events
The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: si-7.8_prm_1[Selection: generates an audit record or alerts current user or alerts si-7.8_prm_2[Assignment: organization-defined personnel or roles] or si-7.8_prm_3[Assignment: organization-defined other actions]].
SI-7(9)
Software, Firmware, and Information Integrity | Verify Boot Process
Verify the integrity of the boot process of the following system components: si-7.9_prm_1[Assignment: organization-defined system components].
Software, Firmware, and Information Integrity | Verify Boot Process
The information system verifies the integrity of the boot process of si-7.9_prm_1[Assignment: organization-defined devices].
SI-7(10)
Software, Firmware, and Information Integrity | Protection of Boot Firmware
Implement the following mechanisms to protect the integrity of boot firmware in si-7.10_prm_1[Assignment: organization-defined system components]: si-7.10_prm_2[Assignment: organization-defined mechanisms].
Software, Firmware, and Information Integrity | Protection of Boot Firmware
The information system implements si-7.10_prm_1[Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in si-7.10_prm_2[Assignment: organization-defined devices].
SI-7(11)
Software, Firmware, and Information Integrity | Confined Environments with Limited Privileges
.
Software, Firmware, and Information Integrity | Confined Environments with Limited Privileges
The organization requires that si-7.11_prm_1[Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges.
SI-7(12)
Software, Firmware, and Information Integrity | Integrity Verification
Require that the integrity of the following user-installed software be verified prior to execution: si-7.12_prm_1[Assignment: organization-defined user-installed software].
Software, Firmware, and Information Integrity | Integrity Verification
The organization requires that the integrity of si-7.12_prm_1[Assignment: organization-defined user-installed software] be verified prior to execution.
SI-7(13)
Software, Firmware, and Information Integrity | Code Execution in Protected Environments
.
Software, Firmware, and Information Integrity | Code Execution in Protected Environments
The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of si-7.13_prm_1[Assignment: organization-defined personnel or roles].
SI-7(14)
Software, Firmware, and Information Integrity | Binary or Machine Executable Code
.
Software, Firmware, and Information Integrity | Binary or Machine Executable Code
The organization:
(a) Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
(b) Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.
SI-7(15)
Software, Firmware, and Information Integrity | Code Authentication
Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: si-7.15_prm_1[Assignment: organization-defined software or firmware components].
Software, Firmware, and Information Integrity | Code Authentication
The information system implements cryptographic mechanisms to authenticate si-7.15_prm_1[Assignment: organization-defined software or firmware components] prior to installation.
SI-7(16)
Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision
Prohibit processes from executing without supervision for more than si-7.16_prm_1[Assignment: organization-defined time period].
Software, Firmware, and Information Integrity | Time Limit On Process Execution w/o Supervision
The organization does not allow processes to execute without supervision for more than si-7.16_prm_1[Assignment: organization-defined time period].
SI-7(17)
Software, Firmware, and Information Integrity | Runtime Application Self-protection
Implement si-7.17_prm_1[Assignment: organization-defined controls] for application self-protection at runtime.
No predecessor
SI-8
Spam ProtectionⓂ Ⓗ
a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and
b. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
Spam ProtectionⓂ Ⓗ
The organization:
a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
SI-8(1)
Spam Protection | Central Management
Withdrawn — incorporated into PL-9.
Spam Protection | Central ManagementⓂ Ⓗ
The organization centrally manages spam protection mechanisms.
SI-8(2)
Spam Protection | Automatic UpdatesⓂ Ⓗ
Automatically update spam protection mechanisms si-8.2_prm_1[Assignment: organization-defined frequency].
Spam Protection | Automatic UpdatesⓂ Ⓗ
The information system automatically updates spam protection mechanisms.
SI-8(3)
Spam Protection | Continuous Learning Capability
Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
Spam Protection | Continuous Learning Capability
The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
SI-9
Information Input Restrictions
Withdrawn — incorporated into AC-2, AC-3, AC-5, and AC-6.
Information Input Restrictions
Withdrawn — incorporated into AC-2, AC-3, AC-5, and AC-6.
SI-10
Information Input ValidationⓂ Ⓗ
Check the validity of the following information inputs: si-10_prm_1[Assignment: organization-defined information inputs to the system].
Information Input ValidationⓂ Ⓗ
The information system checks the validity of si-10_prm_1[Assignment: organization-defined information inputs].
SI-10(1)
Information Input Validation | Manual Override Capability
(a) Provide a manual override capability for input validation of the following information inputs: si-10.1_prm_1[Assignment: organization-defined inputs defined in the base control (SI-10)];
(b) Restrict the use of the manual override capability to only si-10.1_prm_2[Assignment: organization-defined authorized individuals]; and
(c) Audit the use of the manual override capability.
Information Input Validation | Manual Override Capability
The information system:
(a) Provides a manual override capability for input validation of si-10.1_prm_1[Assignment: organization-defined inputs];
(b) Restricts the use of the manual override capability to only si-10.1_prm_2[Assignment: organization-defined authorized individuals]; and
(c) Audits the use of the manual override capability.
SI-10(2)
Information Input Validation | Review and Resolve Errors
Review and resolve input validation errors within si-10.2_prm_1[Assignment: organization-defined time period].
Information Input Validation | Review / Resolution of Errors
The organization ensures that input validation errors are reviewed and resolved within si-10.2_prm_1[Assignment: organization-defined time period].
SI-10(3)
Information Input Validation | Predictable Behavior
Verify that the system behaves in a predictable and documented manner when invalid inputs are received.
Information Input Validation | Predictable Behavior
The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
SI-10(4)
Information Input Validation | Timing Interactions
Account for timing interactions among system components in determining appropriate responses for invalid inputs.
Information Input Validation | Review / Timing Interactions
The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs.
SI-10(5)
Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats
Restrict the use of information inputs to si-10.5_prm_1[Assignment: organization-defined trusted sources] and/or si-10.5_prm_2[Assignment: organization-defined formats].
Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats
The organization restricts the use of information inputs to si-10.5_prm_1[Assignment: organization-defined trusted sources] and/or si-10.5_prm_2[Assignment: organization-defined formats].
SI-10(6)
Information Input Validation | Injection Prevention
Prevent untrusted data injections.
No predecessor
SI-11
Error HandlingⓂ Ⓗ
a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and
b. Reveal error messages only to si-11_prm_1[Assignment: organization-defined personnel or roles].
Error HandlingⓂ Ⓗ
The information system:
a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
b. Reveals error messages only to si-11_prm_1[Assignment: organization-defined personnel or roles].
SI-12
Information Management and RetentionⓁ Ⓜ Ⓗ Ⓟ
Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
Information Handling and RetentionⓁ Ⓜ Ⓗ
The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
SI-12(1)
Information Management and Retention | Limit Personally Identifiable Information Elements
Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: si-12.1_prm_1[Assignment: organization-defined elements of personally identifiable information].
No predecessor
SI-12(2)
Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research
Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: si-12.2_prm_1[Assignment: organization-defined techniques].
No predecessor
SI-12(3)
Information Management and Retention | Information Disposal
Use the following techniques to dispose of, destroy, or erase information following the retention period: si-12.3_prm_1[Assignment: organization-defined techniques].
No predecessor
SI-13
Predictable Failure Prevention
a. Determine mean time to failure (MTTF) for the following system components in specific environments of operation: si-13_prm_1[Assignment: organization-defined system components]; and
b. Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: si-13_prm_2[Assignment: organization-defined MTTF substitution criteria].
Predictable Failure Prevention
The organization:
a. Determines mean time to failure (MTTF) for si-13_prm_1[Assignment: organization-defined information system components] in specific environments of operation; and
b. Provides substitute information system components and a means to exchange active and standby components at si-13_prm_2[Assignment: organization-defined MTTF substitution criteria].
SI-13(1)
Predictable Failure Prevention | Transferring Component Responsibilities
Take system components out of service by transferring component responsibilities to substitute components no later than si-13.1_prm_1[Assignment: organization-defined fraction or percentage] of mean time to failure.
Predictable Failure Prevention | Transferring Component Responsibilities
The organization takes information system components out of service by transferring component responsibilities to substitute components no later than si-13.1_prm_1[Assignment: organization-defined fraction or percentage] of mean time to failure.
SI-13(2)
Predictable Failure Prevention | Time Limit on Process Execution Without Supervision
Withdrawn — incorporated into SI-7(16).
Predictable Failure Prevention | Time Limit On Process Execution Without Supervision
Withdrawn — incorporated into SI-7(16).
SI-13(3)
Predictable Failure Prevention | Manual Transfer Between Components
Manually initiate transfers between active and standby system components when the use of the active component reaches si-13.3_prm_1[Assignment: organization-defined percentage] of the mean time to failure.
Predictable Failure Prevention | Manual Transfer Between Components
The organization manually initiates transfers between active and standby information system components si-13.3_prm_1[Assignment: organization-defined frequency] if the mean time to failure exceeds si-13.3_prm_2[Assignment: organization-defined time period].
SI-13(4)
Predictable Failure Prevention | Standby Component Installation and Notification
If system component failures are detected:
(a) Ensure that the standby components are successfully and transparently installed within si-13.4_prm_1[Assignment: organization-defined time period]; and
(b) si-13.4_prm_2[Selection: Activate or si-13.4_prm_3[Assignment: organization-defined alarm] or Automatically shut down the system or si-13.4_prm_4[Assignment: organization-defined action]].
Predictable Failure Prevention | Standby Component Installation / Notification
The organization, if information system component failures are detected:
(a) Ensures that the standby components are successfully and transparently installed within si-13.4_prm_1[Assignment: organization-defined time period]; and
(b) si-13.4_prm_2[Selection: activates or si-13.4_prm_3[Assignment: organization-defined alarm] or automatically shuts down the information system].
SI-13(5)
Predictable Failure Prevention | Failover Capability
Provide si-13.5_prm_1[Selection: real-time or near real-time]si-13.5_prm_2[Assignment: organization-defined failover capability] for the system.
Predictable Failure Prevention | Failover Capability
The organization provides si-13.5_prm_1[Selection: real-time or near real-time]si-13.5_prm_2[Assignment: organization-defined failover capability] for the information system.
SI-14
Non-persistence
Implement non-persistent si-14_prm_1[Assignment: organization-defined system components and services] that are initiated in a known state and terminated si-14_prm_2[Selection: upon end of session of use or periodically at or si-14_prm_3[Assignment: organization-defined frequency]].
Non-persistence
The organization implements non-persistent si-14_prm_1[Assignment: organization-defined information system components and services] that are initiated in a known state and terminated si-14_prm_2[Selection: upon end of session of use or periodically at or si-14_prm_3[Assignment: organization-defined frequency]].
SI-14(1)
Non-persistence | Refresh from Trusted Sources
Obtain software and data employed during system component and service refreshes from the following trusted sources: si-14.1_prm_1[Assignment: organization-defined trusted sources].
Non-persistence | Refresh from Trusted Sources
The organization ensures that software and data employed during information system component and service refreshes are obtained from si-14.1_prm_1[Assignment: organization-defined trusted sources].
SI-14(2)
Non-persistence | Non-persistent Information
(a) si-14.2_prm_1[Selection: Refresh or si-14.2_prm_2[Assignment: organization-defined information] or si-14.2_prm_3[Assignment: organization-defined frequency] or Generate or si-14.2_prm_4[Assignment: organization-defined information] or on demand]; and
(b) Delete information when no longer needed.
No predecessor
SI-14(3)
Non-persistence | Non-persistent Connectivity
Establish connections to the system on demand and terminate connections after si-14.3_prm_1[Selection: completion of a request or a period of non-use].
No predecessor
SI-15
Information Output Filtering
Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: si-15_prm_1[Assignment: organization-defined software programs and/or applications].
Information Output Filtering
The information system validates information output from si-15_prm_1[Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content.
SI-16
Memory ProtectionⓂ Ⓗ
Implement the following controls to protect the system memory from unauthorized code execution: si-16_prm_1[Assignment: organization-defined controls].
Memory ProtectionⓂ Ⓗ
The information system implements si-16_prm_1[Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
SI-17
Fail-safe Procedures
Implement the indicated fail-safe procedures when the indicated failures occur: si-17_prm_1[Assignment: organization-defined list of failure conditions and associated fail-safe procedures].
Fail-safe Procedures
The information system implements si-17_prm_1[Assignment: organization-defined fail-safe procedures] when si-17_prm_2[Assignment: organization-defined failure conditions occur].
SI-18
Personally Identifiable Information Quality Operations
a. Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle si-18_prm_1[Assignment: organization-defined frequency]; and
b. Correct or delete inaccurate or outdated personally identifiable information.
No predecessor
SI-18(1)
Personally Identifiable Information Quality Operations | Automation Support
Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using si-18.1_prm_1[Assignment: organization-defined automated mechanisms].
No predecessor
SI-18(2)
Personally Identifiable Information Quality Operations | Data Tags
Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.
No predecessor
SI-18(3)
Personally Identifiable Information Quality Operations | Collection
Collect personally identifiable information directly from the individual.
No predecessor
SI-18(4)
Personally Identifiable Information Quality Operations | Individual Requests
Correct or delete personally identifiable information upon request by individuals or their designated representatives.
No predecessor
SI-18(5)
Personally Identifiable Information Quality Operations | Notice of Correction or Deletion
Notify si-18.5_prm_1[Assignment: organization-defined recipients of personally identifiable information] and individuals that the personally identifiable information has been corrected or deleted.
No predecessor
SI-19
De-identification
a. Remove the following elements of personally identifiable information from datasets: si-19_prm_1[Assignment: organization-defined elements of personally identifiable information]; and
b. Evaluate si-19_prm_2[Assignment: organization-defined frequency] for effectiveness of de-identification.
No predecessor
SI-19(1)
De-identification | Collection
De-identify the dataset upon collection by not collecting personally identifiable information.
No predecessor
SI-19(2)
De-identification | Archiving
Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived.
No predecessor
SI-19(3)
De-identification | Release
Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.
No predecessor
SI-19(4)
De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.
No predecessor
SI-19(5)
De-identification | Statistical Disclosure Control
Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis.
No predecessor
SI-19(6)
De-identification | Differential Privacy
Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported.
No predecessor
SI-19(7)
De-identification | Validated Algorithms and Software
Perform de-identification using validated algorithms and software that is validated to implement the algorithms.
No predecessor
SI-19(8)
De-identification | Motivated Intruder
Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.
No predecessor
SI-20
Tainting
Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: si-20_prm_1[Assignment: organization-defined systems or system components].
No predecessor
SI-21
Information Refresh
Refresh si-21_prm_1[Assignment: organization-defined information] at si-21_prm_2[Assignment: organization-defined frequencies] or generate the information on demand and delete the information when no longer needed.
No predecessor
SI-22
Information Diversity
a. Identify the following alternative sources of information for si-22_prm_1[Assignment: organization-defined essential functions and services]: si-22_prm_2[Assignment: organization-defined alternative information sources]; and
b. Use an alternative information source for the execution of essential functions or services on si-22_prm_3[Assignment: organization-defined systems or system components] when the primary source of information is corrupted or unavailable.
No predecessor
SI-23
Information Fragmentation
Based on si-23_prm_1[Assignment: organization-defined circumstances]:
a. Fragment the following information: si-23_prm_2[Assignment: organization-defined information]; and
b. Distribute the fragmented information across the following systems or system components: si-23_prm_3[Assignment: organization-defined systems or system components].
No predecessor
SR-1
Policy and ProceduresⓁ Ⓜ Ⓗ
a. Develop, document, and disseminate to sr-1_prm_1[Assignment: organization-defined personnel or roles]:
1. sr-1_prm_2[Selection: Organization-level or Mission/business process-level or System-level] supply chain risk management policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;
b. Designate an sr-1_prm_3[Assignment: organization-defined official] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and
c. Review and update the current supply chain risk management:
1. Policy sr-1_prm_4[Assignment: organization-defined frequency] and following sr-1_prm_5[Assignment: organization-defined events]; and
2. Procedures sr-1_prm_6[Assignment: organization-defined frequency] and following sr-1_prm_7[Assignment: organization-defined events].
No predecessor
SR-2
Supply Chain Risk Management PlanⓁ Ⓜ Ⓗ
a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: sr-2_prm_1[Assignment: organization-defined systems, system components, or system services];
b. Review and update the supply chain risk management plan sr-2_prm_2[Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and
c. Protect the supply chain risk management plan from unauthorized disclosure and modification.
No predecessor
SR-2(1)
Supply Chain Risk Management Plan | Establish SCRM TeamⓁ Ⓜ Ⓗ
Establish a supply chain risk management team consisting of sr-2.1_prm_1[Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: sr-2.1_prm_2[Assignment: organization-defined supply chain risk management activities].
No predecessor
SR-3
Supply Chain Controls and ProcessesⓁ Ⓜ Ⓗ
a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of sr-3_prm_1[Assignment: organization-defined system or system component] in coordination with sr-3_prm_2[Assignment: organization-defined supply chain personnel];
b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: sr-3_prm_3[Assignment: organization-defined supply chain controls]; and
c. Document the selected and implemented supply chain processes and controls in sr-3_prm_4[Selection: security and privacy plans or supply chain risk management plan or sr-3_prm_5[Assignment: organization-defined document]].
No predecessor
SR-3(1)
Supply Chain Controls and Processes | Diverse Supply Base
Employ a diverse set of sources for the following system components and services: sr-3.1_prm_1[Assignment: organization-defined system components and services].
No predecessor
SR-3(2)
Supply Chain Controls and Processes | Limitation of Harm
Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: sr-3.2_prm_1[Assignment: organization-defined controls].
No predecessor
SR-3(3)
Supply Chain Controls and Processes | Sub-tier Flow Down
Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.
No predecessor
SR-4
Provenance
Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: sr-4_prm_1[Assignment: organization-defined systems, system components, and associated data].
No predecessor
SR-4(1)
Provenance | Identity
Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: sr-4.1_prm_1[Assignment: organization-defined supply chain elements, processes, and personnel associated with organization-defined systems and critical system components].
No predecessor
SR-4(2)
Provenance | Track and Trace
Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: sr-4.2_prm_1[Assignment: organization-defined systems and critical system components].
No predecessor
SR-4(3)
Provenance | Validate as Genuine and Not Altered
Employ the following controls to validate that the system or system component received is genuine and has not been altered: sr-4.3_prm_1[Assignment: organization-defined controls].
No predecessor
SR-4(4)
Provenance | Supply Chain Integrity — Pedigree
Employ sr-4.4_prm_1[Assignment: organization-defined controls] and conduct sr-4.4_prm_2[Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.
No predecessor
SR-5
Acquisition Strategies, Tools, and MethodsⓁ Ⓜ Ⓗ
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: sr-5_prm_1[Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].
No predecessor
SR-5(1)
Acquisition Strategies, Tools, and Methods | Adequate Supply
Employ the following controls to ensure an adequate supply of sr-5.1_prm_1[Assignment: organization-defined critical system components]: sr-5.1_prm_2[Assignment: organization-defined controls].
No predecessor
SR-5(2)
Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update
Assess the system, system component, or system service prior to selection, acceptance, modification, or update.
No predecessor
SR-6
Supplier Assessments and ReviewsⓂ Ⓗ
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide sr-6_prm_1[Assignment: organization-defined frequency].
No predecessor
SR-6(1)
Supplier Assessments and Reviews | Testing and Analysis
Employ sr-6.1_prm_1[Selection: organizational analysis or independent third-party analysis or organizational testing or independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: sr-6.1_prm_2[Assignment: organization-defined supply chain elements, processes, and actors].
No predecessor
SR-7
Supply Chain Operations Security
Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: sr-7_prm_1[Assignment: organization-defined Operations Security (OPSEC) controls].
No predecessor
SR-8
Notification AgreementsⓁ Ⓜ Ⓗ
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the sr-8_prm_1[Selection: notification of supply chain compromises or results of assessments or audits or sr-8_prm_2[Assignment: organization-defined information]].
No predecessor
SR-9
Tamper Resistance and Detection
Implement a tamper protection program for the system, system component, or system service.
No predecessor
SR-9(1)
Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle
Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle.
No predecessor
SR-10
Inspection of Systems or ComponentsⓁ Ⓜ Ⓗ
Inspect the following systems or system components sr-10_prm_1[Selection: at random or at or sr-10_prm_2[Assignment: organization-defined frequency] or , upon or sr-10_prm_3[Assignment: organization-defined indications of need for inspection]] to detect tampering: sr-10_prm_4[Assignment: organization-defined systems or system components].
No predecessor
SR-11
Component AuthenticityⓁ Ⓜ Ⓗ
a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and
b. Report counterfeit system components to sr-11_prm_1[Selection: source of counterfeit component or sr-11_prm_2[Assignment: organization-defined external reporting organizations] or sr-11_prm_3[Assignment: organization-defined personnel or roles]].
No predecessor
SR-11(1)
Component Authenticity | Anti-counterfeit TrainingⓁ Ⓜ Ⓗ
Train sr-11.1_prm_1[Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware).
No predecessor
SR-11(2)
Component Authenticity | Configuration Control for Component Service and RepairⓁ Ⓜ Ⓗ
Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: sr-11.2_prm_1[Assignment: organization-defined system components].
No predecessor
SR-11(3)
Component Authenticity | Anti-counterfeit Scanning
Scan for counterfeit system components sr-11.3_prm_1[Assignment: organization-defined frequency].
No predecessor
SR-12
Component DisposalⓁ Ⓜ Ⓗ
Dispose of sr-12_prm_1[Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: sr-12_prm_2[Assignment: organization-defined techniques and methods].
No predecessor


OSCAL Inputs

See OSCAL: the Open Security Controls Assessment Language for information about OSCAL. The Catalog and Profile layers will be of particular interest.

This report uses documents from https://github.com/usnistgov/oscal-content/tree/master/nist.gov/SP800-53.

NB: That repository might lag the most recently published SP 800-53r5. It appeared to match as of this commit.



Extras

The following table shows all (not just novel) 423 SP 800-53r5 controls which are selected by one or more SP 800-53B baselines. These controls have 1049 ODPs.

SP 800-53r5 controls which are selected in SP 800-53B baselines
Control   Baselines  ODPs  Title
AC-1      ⓁⓂⒽⓅ       7     Access Control | Policy and Procedures
AC-2      ⓁⓂⒽ        10    Access Control | Account Management
AC-2(1)   ⓂⒽ         1     Access Control | Account Management | Automated System Account Management
AC-2(2)   ⓂⒽ         2     Access Control | Account Management | Automated Temporary and Emergency Account Management
AC-2(3)   ⓂⒽ         2     Access Control | Account Management | Disable Accounts
AC-2(4)   ⓂⒽ         -     Access Control | Account Management | Automated Audit Actions
AC-2(5)   ⓂⒽ         1     Access Control | Account Management | Inactivity Logout
AC-2(11)  -          2     Access Control | Account Management | Usage Conditions
AC-2(12)  -          2     Access Control | Account Management | Account Monitoring for Atypical Usage
AC-2(13)  ⓂⒽ         2     Access Control | Account Management | Disable Accounts for High-risk Individuals
AC-3      ⓁⓂⒽ        -     Access Control | Access Enforcement
AC-3(14)  -          2     Access Control | Access Enforcement | Individual Access
AC-4      ⓂⒽ         1     Access Control | Information Flow Enforcement
AC-4(4)   -          3     Access Control | Information Flow Enforcement | Flow Control of Encrypted Information
AC-5      ⓂⒽ         1     Access Control | Separation of Duties
AC-6      ⓂⒽ         -     Access Control | Least Privilege
AC-6(1)   ⓂⒽ         3     Access Control | Least Privilege | Authorize Access to Security Functions
AC-6(2)   ⓂⒽ         1     Access Control | Least Privilege | Non-privileged Access for Nonsecurity Functions
AC-6(3)   -          2     Access Control | Least Privilege | Network Access to Privileged Commands
AC-6(5)   ⓂⒽ         1     Access Control | Least Privilege | Privileged Accounts
AC-6(7)   ⓂⒽ         2     Access Control | Least Privilege | Review of User Privileges
AC-6(9)   ⓂⒽ         -     Access Control | Least Privilege | Log Use of Privileged Functions
AC-6(10)  ⓂⒽ         -     Access Control | Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions
AC-7      ⓁⓂⒽ        6     Access Control | Unsuccessful Logon Attempts
AC-8      ⓁⓂⒽ        2     Access Control | System Use Notification
AC-10     -          2     Access Control | Concurrent Session Control
AC-11     ⓂⒽ         2     Access Control | Device Lock
AC-11(1)  ⓂⒽ         -     Access Control | Device Lock | Pattern-hiding Displays
AC-12     ⓂⒽ         1     Access Control | Session Termination
AC-14     ⓁⓂⒽ        1     Access Control | Permitted Actions Without Identification or Authentication
AC-17     ⓁⓂⒽ        -     Access Control | Remote Access
AC-17(1)  ⓂⒽ         -     Access Control | Remote Access | Monitoring and Control
AC-17(2)  ⓂⒽ         -     Access Control | Remote Access | Protection of Confidentiality and Integrity Using Encryption
AC-17(3)  ⓂⒽ         -     Access Control | Remote Access | Managed Access Control Points
AC-17(4)  ⓂⒽ         1     Access Control | Remote Access | Privileged Commands and Access
AC-18     ⓁⓂⒽ        -     Access Control | Wireless Access
AC-18(1)  ⓂⒽ         1     Access Control | Wireless Access | Authentication and Encryption
AC-18(3)  ⓂⒽ         -     Access Control | Wireless Access | Disable Wireless Networking
AC-18(4)  -          -     Access Control | Wireless Access | Restrict Configurations by Users
AC-18(5)  -          -     Access Control | Wireless Access | Antennas and Transmission Power Levels
AC-19     ⓁⓂⒽ        -     Access Control | Access Control for Mobile Devices
AC-19(5)  ⓂⒽ         2     Access Control | Access Control for Mobile Devices | Full Device or Container-based Encryption
AC-20     ⓁⓂⒽ        4     Access Control | Use of External Systems
AC-20(1)  ⓂⒽ         -     Access Control | Use of External Systems | Limits on Authorized Use
AC-20(2)  ⓂⒽ         1     Access Control | Use of External Systems | Portable Storage Devices — Restricted Use
AC-21     ⓂⒽ         2     Access Control | Information Sharing
AC-22     ⓁⓂⒽ        1     Access Control | Publicly Accessible Content
AT-1      ⓁⓂⒽⓅ       7     Awareness and Training | Policy and Procedures
AT-2      ⓁⓂⒽⓅ       5     Awareness and Training | Literacy Training and Awareness
AT-2(2)   ⓁⓂⒽ        -     Awareness and Training | Literacy Training and Awareness | Insider Threat
AT-2(3)   ⓂⒽ         -     Awareness and Training | Literacy Training and Awareness | Social Engineering and Mining
AT-3      ⓁⓂⒽⓅ       4     Awareness and Training | Role-based Training
AT-3(5)   -          2     Awareness and Training | Role-based Training | Processing Personally Identifiable Information
AT-4      ⓁⓂⒽⓅ       1     Awareness and Training | Training Records
AU-1      ⓁⓂⒽⓅ       7     Audit and Accountability | Policy and Procedures
AU-2      ⓁⓂⒽⓅ       3     Audit and Accountability | Event Logging
AU-3      ⓁⓂⒽ        -     Audit and Accountability | Content of Audit Records
AU-3(1)   ⓂⒽ         1     Audit and Accountability | Content of Audit Records | Additional Audit Information
AU-3(3)   -          1     Audit and Accountability | Content of Audit Records | Limit Personally Identifiable Information Elements
AU-4      ⓁⓂⒽ        1     Audit and Accountability | Audit Log Storage Capacity
AU-5      ⓁⓂⒽ        3     Audit and Accountability | Response to Audit Logging Process Failures
AU-5(1)   -          3     Audit and Accountability | Response to Audit Logging Process Failures | Storage Capacity Warning
AU-5(2)   -          3     Audit and Accountability | Response to Audit Logging Process Failures | Real-time Alerts
AU-6      ⓁⓂⒽ        3     Audit and Accountability | Audit Record Review, Analysis, and Reporting
AU-6(1)Audit and Accountability | Audit Record Review, Analysis, and Reporting | Automated Process Integration
ⓂⒽ
1
AU-6(3)Audit and Accountability | Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories
ⓂⒽ
AU-6(5)Audit and Accountability | Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records
2
AU-6(6)Audit and Accountability | Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring
AU-7Audit and Accountability | Audit Record Reduction and Report Generation
ⓂⒽ
AU-7(1)Audit and Accountability | Audit Record Reduction and Report Generation | Automatic Processing
ⓂⒽ
1
AU-8Audit and Accountability | Time Stamps
ⓁⓂⒽ
1
AU-9Audit and Accountability | Protection of Audit Information
ⓁⓂⒽ
1
AU-9(2)Audit and Accountability | Protection of Audit Information | Store on Separate Physical Systems or Components
1
AU-9(3)Audit and Accountability | Protection of Audit Information | Cryptographic Protection
AU-9(4)Audit and Accountability | Protection of Audit Information | Access by Subset of Privileged Users
ⓂⒽ
1
AU-10Audit and Accountability | Non-repudiation
1
AU-11Audit and Accountability | Audit Record Retention
ⓁⓂⒽⓅ
1
AU-12Audit and Accountability | Audit Record Generation
ⓁⓂⒽ
2
AU-12(1)Audit and Accountability | Audit Record Generation | System-wide and Time-correlated Audit Trail
2
AU-12(3)Audit and Accountability | Audit Record Generation | Changes by Authorized Individuals
4
CA-1Assessment, Authorization, and Monitoring | Policy and Procedures
ⓁⓂⒽⓅ
7
CA-2Assessment, Authorization, and Monitoring | Control Assessments
ⓁⓂⒽⓅ
2
CA-2(1)Assessment, Authorization, and Monitoring | Control Assessments | Independent Assessors
ⓂⒽ
CA-2(2)Assessment, Authorization, and Monitoring | Control Assessments | Specialized Assessments
4
CA-3Assessment, Authorization, and Monitoring | Information Exchange
ⓁⓂⒽ
3
CA-3(6)Assessment, Authorization, and Monitoring | Information Exchange | Transfer Authorizations
CA-5Assessment, Authorization, and Monitoring | Plan of Action and Milestones
ⓁⓂⒽⓅ
1
CA-6Assessment, Authorization, and Monitoring | Authorization
ⓁⓂⒽⓅ
1
CA-7Assessment, Authorization, and Monitoring | Continuous Monitoring
ⓁⓂⒽⓅ
5
CA-7(1)Assessment, Authorization, and Monitoring | Continuous Monitoring | Independent Assessment
ⓂⒽ
CA-7(4)Assessment, Authorization, and Monitoring | Continuous Monitoring | Risk Monitoring
ⓁⓂⒽⓅ
CA-8Assessment, Authorization, and Monitoring | Penetration Testing
2
CA-8(1)Assessment, Authorization, and Monitoring | Penetration Testing | Independent Penetration Testing Agent or Team
CA-9Assessment, Authorization, and Monitoring | Internal System Connections
ⓁⓂⒽ
3
CM-1Configuration Management | Policy and Procedures
ⓁⓂⒽⓅ
7
CM-2Configuration Management | Baseline Configuration
ⓁⓂⒽ
2
CM-2(2)Configuration Management | Baseline Configuration | Automation Support for Accuracy and Currency
ⓂⒽ
1
CM-2(3)Configuration Management | Baseline Configuration | Retention of Previous Configurations
ⓂⒽ
1
CM-2(7)Configuration Management | Baseline Configuration | Configure Systems and Components for High-risk Areas
ⓂⒽ
3
CM-3Configuration Management | Configuration Change Control
ⓂⒽ
5
CM-3(1)Configuration Management | Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes
4
CM-3(2)Configuration Management | Configuration Change Control | Testing, Validation, and Documentation of Changes
ⓂⒽ
CM-3(4)Configuration Management | Configuration Change Control | Security and Privacy Representatives
ⓂⒽ
2
CM-3(6)Configuration Management | Configuration Change Control | Cryptography Management
1
CM-4Configuration Management | Impact Analyses
ⓁⓂⒽⓅ
CM-4(1)Configuration Management | Impact Analyses | Separate Test Environments
CM-4(2)Configuration Management | Impact Analyses | Verification of Controls
ⓂⒽ
CM-5Configuration Management | Access Restrictions for Change
ⓁⓂⒽ
CM-5(1)Configuration Management | Access Restrictions for Change | Automated Access Enforcement and Audit Records
1
CM-6Configuration Management | Configuration Settings
ⓁⓂⒽ
3
CM-6(1)Configuration Management | Configuration Settings | Automated Management, Application, and Verification
2
CM-6(2)Configuration Management | Configuration Settings | Respond to Unauthorized Changes
2
CM-7Configuration Management | Least Functionality
ⓁⓂⒽ
2
CM-7(1)Configuration Management | Least Functionality | Periodic Review
ⓂⒽ
2
CM-7(2)Configuration Management | Least Functionality | Prevent Program Execution
ⓂⒽ
2
CM-7(5)Configuration Management | Least Functionality | Authorized Software — Allow-by-exception
ⓂⒽ
2
CM-8Configuration Management | System Component Inventory
ⓁⓂⒽ
2
CM-8(1)Configuration Management | System Component Inventory | Updates During Installation and Removal
ⓂⒽ
CM-8(2)Configuration Management | System Component Inventory | Automated Maintenance
1
CM-8(3)Configuration Management | System Component Inventory | Automated Unauthorized Component Detection
ⓂⒽ
4
CM-8(4)Configuration Management | System Component Inventory | Accountability Information
1
CM-9Configuration Management | Configuration Management Plan
ⓂⒽ
1
CM-10Configuration Management | Software Usage Restrictions
ⓁⓂⒽ
CM-11Configuration Management | User-installed Software
ⓁⓂⒽ
3
CM-12Configuration Management | Information Location
ⓂⒽ
1
CM-12(1)Configuration Management | Information Location | Automated Tools to Support Information Location
ⓂⒽ
2
CP-1Contingency Planning | Policy and Procedures
ⓁⓂⒽ
7
CP-2Contingency Planning | Contingency Plan
ⓁⓂⒽ
4
CP-2(1)Contingency Planning | Contingency Plan | Coordinate with Related Plans
ⓂⒽ
CP-2(2)Contingency Planning | Contingency Plan | Capacity Planning
CP-2(3)Contingency Planning | Contingency Plan | Resume Mission and Business Functions
ⓂⒽ
2
CP-2(5)Contingency Planning | Contingency Plan | Continue Mission and Business Functions
1
CP-2(8)Contingency Planning | Contingency Plan | Identify Critical Assets
ⓂⒽ
1
CP-3Contingency Planning | Contingency Training
ⓁⓂⒽ
4
CP-3(1)Contingency Planning | Contingency Training | Simulated Events
CP-4Contingency Planning | Contingency Plan Testing
ⓁⓂⒽ
2
CP-4(1)Contingency Planning | Contingency Plan Testing | Coordinate with Related Plans
ⓂⒽ
CP-4(2)Contingency Planning | Contingency Plan Testing | Alternate Processing Site
CP-6Contingency Planning | Alternate Storage Site
ⓂⒽ
CP-6(1)Contingency Planning | Alternate Storage Site | Separation from Primary Site
ⓂⒽ
CP-6(2)Contingency Planning | Alternate Storage Site | Recovery Time and Recovery Point Objectives
CP-6(3)Contingency Planning | Alternate Storage Site | Accessibility
ⓂⒽ
CP-7Contingency Planning | Alternate Processing Site
ⓂⒽ
2
CP-7(1)Contingency Planning | Alternate Processing Site | Separation from Primary Site
ⓂⒽ
CP-7(2)Contingency Planning | Alternate Processing Site | Accessibility
ⓂⒽ
CP-7(3)Contingency Planning | Alternate Processing Site | Priority of Service
ⓂⒽ
CP-7(4)Contingency Planning | Alternate Processing Site | Preparation for Use
CP-8Contingency Planning | Telecommunications Services
ⓂⒽ
2
CP-8(1)Contingency Planning | Telecommunications Services | Priority of Service Provisions
ⓂⒽ
CP-8(2)Contingency Planning | Telecommunications Services | Single Points of Failure
ⓂⒽ
CP-8(3)Contingency Planning | Telecommunications Services | Separation of Primary and Alternate Providers
CP-8(4)Contingency Planning | Telecommunications Services | Provider Contingency Plan
1
CP-9Contingency Planning | System Backup
ⓁⓂⒽ
4
CP-9(1)Contingency Planning | System Backup | Testing for Reliability and Integrity
ⓂⒽ
1
CP-9(2)Contingency Planning | System Backup | Test Restoration Using Sampling
CP-9(3)Contingency Planning | System Backup | Separate Storage for Critical Information
1
CP-9(5)Contingency Planning | System Backup | Transfer to Alternate Storage Site
1
CP-9(8)Contingency Planning | System Backup | Cryptographic Protection
ⓂⒽ
1
CP-10Contingency Planning | System Recovery and Reconstitution
ⓁⓂⒽ
1
CP-10(2)Contingency Planning | System Recovery and Reconstitution | Transaction Recovery
ⓂⒽ
CP-10(4)Contingency Planning | System Recovery and Reconstitution | Restore Within Time Period
1
IA-1Identification and Authentication | Policy and Procedures
ⓁⓂⒽ
7
IA-2Identification and Authentication | Identification and Authentication (organizational Users)
ⓁⓂⒽ
IA-2(1)Identification and Authentication | Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts
ⓁⓂⒽ
IA-2(2)Identification and Authentication | Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts
ⓁⓂⒽ
IA-2(5)Identification and Authentication | Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication
IA-2(8)Identification and Authentication | Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant
ⓁⓂⒽ
1
IA-2(12)Identification and Authentication | Identification and Authentication (organizational Users) | Acceptance of PIV Credentials
ⓁⓂⒽ
IA-3Identification and Authentication | Device Identification and Authentication
ⓂⒽ
2
IA-4Identification and Authentication | Identifier Management
ⓁⓂⒽ
2
IA-4(4)Identification and Authentication | Identifier Management | Identify User Status
ⓂⒽ
1
IA-5Identification and Authentication | Authenticator Management
ⓁⓂⒽ
2
IA-5(1)Identification and Authentication | Authenticator Management | Password-based Authentication
ⓁⓂⒽ
2
IA-5(2)Identification and Authentication | Authenticator Management | Public Key-based Authentication
ⓂⒽ
IA-5(6)Identification and Authentication | Authenticator Management | Protection of Authenticators
ⓂⒽ
IA-6Identification and Authentication | Authentication Feedback
ⓁⓂⒽ
IA-7Identification and Authentication | Cryptographic Module Authentication
ⓁⓂⒽ
IA-8Identification and Authentication | Identification and Authentication (non-organizational Users)
ⓁⓂⒽ
IA-8(1)Identification and Authentication | Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies
ⓁⓂⒽ
IA-8(2)Identification and Authentication | Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators
ⓁⓂⒽ
IA-8(4)Identification and Authentication | Identification and Authentication (non-organizational Users) | Use of Defined Profiles
ⓁⓂⒽ
1
IA-11Identification and Authentication | Re-authentication
ⓁⓂⒽ
1
IA-12Identification and Authentication | Identity Proofing
ⓂⒽ
IA-12(2)Identification and Authentication | Identity Proofing | Identity Evidence
ⓂⒽ
IA-12(3)Identification and Authentication | Identity Proofing | Identity Evidence Validation and Verification
ⓂⒽ
1
IA-12(4)Identification and Authentication | Identity Proofing | In-person Validation and Verification
IA-12(5)Identification and Authentication | Identity Proofing | Address Confirmation
ⓂⒽ
1
IR-1Incident Response | Policy and Procedures
ⓁⓂⒽⓅ
7
IR-2Incident Response | Incident Response Training
ⓁⓂⒽⓅ
4
IR-2(1)Incident Response | Incident Response Training | Simulated Events
IR-2(2)Incident Response | Incident Response Training | Automated Training Environments
1
IR-2(3)Incident Response | Incident Response Training | Breach
IR-3Incident Response | Incident Response Testing
ⓂⒽⓅ
2
IR-3(2)Incident Response | Incident Response Testing | Coordination with Related Plans
ⓂⒽ
IR-4Incident Response | Incident Handling
ⓁⓂⒽⓅ
IR-4(1)Incident Response | Incident Handling | Automated Incident Handling Processes
ⓂⒽ
1
IR-4(4)Incident Response | Incident Handling | Information Correlation
IR-4(11)Incident Response | Incident Handling | Integrated Incident Response Team
1
IR-5Incident Response | Incident Monitoring
ⓁⓂⒽⓅ
IR-5(1)Incident Response | Incident Monitoring | Automated Tracking, Data Collection, and Analysis
1
IR-6Incident Response | Incident Reporting
ⓁⓂⒽⓅ
2
IR-6(1)Incident Response | Incident Reporting | Automated Reporting
ⓂⒽ
1
IR-6(3)Incident Response | Incident Reporting | Supply Chain Coordination
ⓂⒽ
IR-7Incident Response | Incident Response Assistance
ⓁⓂⒽⓅ
IR-7(1)Incident Response | Incident Response Assistance | Automation Support for Availability of Information and Support
ⓂⒽ
1
IR-8Incident Response | Incident Response Plan
ⓁⓂⒽⓅ
5
IR-8(1)Incident Response | Incident Response Plan | Breaches
MA-1Maintenance | Policy and Procedures
ⓁⓂⒽ
7
MA-2Maintenance | Controlled Maintenance
ⓁⓂⒽ
3
MA-2(2)Maintenance | Controlled Maintenance | Automated Maintenance Activities
1
MA-3Maintenance | Maintenance Tools
ⓂⒽ
1
MA-3(1)Maintenance | Maintenance Tools | Inspect Tools
ⓂⒽ
MA-3(2)Maintenance | Maintenance Tools | Inspect Media
ⓂⒽ
MA-3(3)Maintenance | Maintenance Tools | Prevent Unauthorized Removal
ⓂⒽ
1
MA-4Maintenance | Nonlocal Maintenance
ⓁⓂⒽ
MA-4(3)Maintenance | Nonlocal Maintenance | Comparable Security and Sanitization
MA-5Maintenance | Maintenance Personnel
ⓁⓂⒽ
MA-5(1)Maintenance | Maintenance Personnel | Individuals Without Appropriate Access
1
MA-6Maintenance | Timely Maintenance
ⓂⒽ
2
MP-1Media Protection | Policy and Procedures
ⓁⓂⒽⓅ
7
MP-2Media Protection | Media Access
ⓁⓂⒽ
2
MP-3Media Protection | Media Marking
ⓂⒽ
2
MP-4Media Protection | Media Storage
ⓂⒽ
2
MP-5Media Protection | Media Transport
ⓂⒽ
2
MP-6Media Protection | Media Sanitization
ⓁⓂⒽⓅ
2
MP-6(1)Media Protection | Media Sanitization | Review, Approve, Track, Document, and Verify
MP-6(2)Media Protection | Media Sanitization | Equipment Testing
1
MP-6(3)Media Protection | Media Sanitization | Nondestructive Techniques
1
MP-7Media Protection | Media Use
ⓁⓂⒽ
4
PE-1Physical and Environmental Protection | Policy and Procedures
ⓁⓂⒽ
7
PE-2Physical and Environmental Protection | Physical Access Authorizations
ⓁⓂⒽ
1
PE-3Physical and Environmental Protection | Physical Access Control
ⓁⓂⒽ
9
PE-3(1)Physical and Environmental Protection | Physical Access Control | System Access
1
PE-4Physical and Environmental Protection | Access Control for Transmission
ⓂⒽ
2
PE-5Physical and Environmental Protection | Access Control for Output Devices
ⓂⒽ
1
PE-6Physical and Environmental Protection | Monitoring Physical Access
ⓁⓂⒽ
2
PE-6(1)Physical and Environmental Protection | Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
ⓂⒽ
PE-6(4)Physical and Environmental Protection | Monitoring Physical Access | Monitoring Physical Access to Systems
1
PE-8Physical and Environmental Protection | Visitor Access Records
ⓁⓂⒽ
3
PE-8(1)Physical and Environmental Protection | Visitor Access Records | Automated Records Maintenance and Review
1
PE-8(3)Physical and Environmental Protection | Visitor Access Records | Limit Personally Identifiable Information Elements
1
PE-9Physical and Environmental Protection | Power Equipment and Cabling
ⓂⒽ
PE-10Physical and Environmental Protection | Emergency Shutoff
ⓂⒽ
2
PE-11Physical and Environmental Protection | Emergency Power
ⓂⒽ
1
PE-11(1)Physical and Environmental Protection | Emergency Power | Alternate Power Supply — Minimal Operational Capability
1
PE-12Physical and Environmental Protection | Emergency Lighting
ⓁⓂⒽ
PE-13Physical and Environmental Protection | Fire Protection
ⓁⓂⒽ
PE-13(1)Physical and Environmental Protection | Fire Protection | Detection Systems — Automatic Activation and Notification
ⓂⒽ
2
PE-13(2)Physical and Environmental Protection | Fire Protection | Suppression Systems — Automatic Activation and Notification
2
PE-14Physical and Environmental Protection | Environmental Controls
ⓁⓂⒽ
4
PE-15Physical and Environmental Protection | Water Damage Protection
ⓁⓂⒽ
PE-15(1)Physical and Environmental Protection | Water Damage Protection | Automation Support
2
PE-16Physical and Environmental Protection | Delivery and Removal
ⓁⓂⒽ
1
PE-17Physical and Environmental Protection | Alternate Work Site
ⓂⒽ
2
PE-18Physical and Environmental Protection | Location of System Components
1
PL-1Planning | Policy and Procedures
ⓁⓂⒽⓅ
7
PL-2Planning | System Security and Privacy Plans
ⓁⓂⒽⓅ
3
PL-4Planning | Rules of Behavior
ⓁⓂⒽⓅ
3
PL-4(1)Planning | Rules of Behavior | Social Media and External Site/application Usage Restrictions
ⓁⓂⒽⓅ
PL-8Planning | Security and Privacy Architectures
ⓂⒽⓅ
1
PL-9Planning | Central Management
1
PL-10Planning | Baseline Selection
ⓁⓂⒽ
PL-11Planning | Baseline Tailoring
ⓁⓂⒽ
PM-3Program Management | Information Security and Privacy Resources
PM-4Program Management | Plan of Action and Milestones Process
PM-5(1)Program Management | System Inventory | Inventory of Personally Identifiable Information
1
PM-6Program Management | Measures of Performance
PM-7Program Management | Enterprise Architecture
PM-8Program Management | Critical Infrastructure Plan
PM-9Program Management | Risk Management Strategy
1
PM-10Program Management | Authorization Process
PM-11Program Management | Mission and Business Process Definition
1
PM-13Program Management | Security and Privacy Workforce
PM-14Program Management | Testing, Training, and Monitoring
PM-17Program Management | Protecting Controlled Unclassified Information on External Systems
1
PM-18Program Management | Privacy Program Plan
1
PM-19Program Management | Privacy Program Leadership Role
PM-20Program Management | Dissemination of Privacy Program Information
PM-20(1)Program Management | Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services
PM-21Program Management | Accounting of Disclosures
PM-22Program Management | Personally Identifiable Information Quality Management
PM-24Program Management | Data Integrity Board
PM-25Program Management | Minimization of Personally Identifiable Information Used in Testing, Training, and Research
1
PM-26Program Management | Complaint Management
3
PM-27Program Management | Privacy Reporting
4
PM-28Program Management | Risk Framing
2
PM-31Program Management | Continuous Monitoring Strategy
5
PS-1Personnel Security | Policy and Procedures
ⓁⓂⒽ
7
PS-2Personnel Security | Position Risk Designation
ⓁⓂⒽ
1
PS-3Personnel Security | Personnel Screening
ⓁⓂⒽ
1
PS-4Personnel Security | Personnel Termination
ⓁⓂⒽ
2
PS-4(2)Personnel Security | Personnel Termination | Automated Actions
3
PS-5Personnel Security | Personnel Transfer
ⓁⓂⒽ
4
PS-6Personnel Security | Access Agreements
ⓁⓂⒽⓅ
2
PS-7Personnel Security | External Personnel Security
ⓁⓂⒽ
2
PS-8Personnel Security | Personnel Sanctions
ⓁⓂⒽ
2
PS-9Personnel Security | Position Descriptions
ⓁⓂⒽ
PT-1Personally Identifiable Information Processing and Transparency | Policy and Procedures
7
PT-2Personally Identifiable Information Processing and Transparency | Authority to Process Personally Identifiable Information
3
PT-3Personally Identifiable Information Processing and Transparency | Personally Identifiable Information Processing Purposes
4
PT-4Personally Identifiable Information Processing and Transparency | Consent
1
PT-5Personally Identifiable Information Processing and Transparency | Privacy Notice
2
PT-5(2)Personally Identifiable Information Processing and Transparency | Privacy Notice | Privacy Act Statements
PT-6Personally Identifiable Information Processing and Transparency | System of Records Notice
PT-6(1)Personally Identifiable Information Processing and Transparency | System of Records Notice | Routine Uses
1
PT-6(2)Personally Identifiable Information Processing and Transparency | System of Records Notice | Exemption Rules
1
PT-7Personally Identifiable Information Processing and Transparency | Specific Categories of Personally Identifiable Information
1
PT-7(1)Personally Identifiable Information Processing and Transparency | Specific Categories of Personally Identifiable Information | Social Security Numbers
PT-7(2)Personally Identifiable Information Processing and Transparency | Specific Categories of Personally Identifiable Information | First Amendment Information
PT-8Personally Identifiable Information Processing and Transparency | Computer Matching Requirements
RA-1Risk Assessment | Policy and Procedures
ⓁⓂⒽⓅ
7
RA-2Risk Assessment | Security Categorization
ⓁⓂⒽ
RA-3Risk Assessment | Risk Assessment
ⓁⓂⒽⓅ
5
RA-3(1)Risk Assessment | Risk Assessment | Supply Chain Risk Assessment
ⓁⓂⒽ
2
RA-5Risk Assessment | Vulnerability Monitoring and Scanning
ⓁⓂⒽ
3
RA-5(2)Risk Assessment | Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
ⓁⓂⒽ
2
RA-5(4)Risk Assessment | Vulnerability Monitoring and Scanning | Discoverable Information
1
RA-5(5)Risk Assessment | Vulnerability Monitoring and Scanning | Privileged Access
ⓂⒽ
2
RA-5(11)Risk Assessment | Vulnerability Monitoring and Scanning | Public Disclosure Program
ⓁⓂⒽ
RA-7Risk Assessment | Risk Response
ⓁⓂⒽⓅ
RA-8Risk Assessment | Privacy Impact Assessments
RA-9Risk Assessment | Criticality Analysis
ⓂⒽ
2
SA-1System and Services Acquisition | Policy and Procedures
ⓁⓂⒽⓅ
7
SA-2System and Services Acquisition | Allocation of Resources
ⓁⓂⒽⓅ
SA-3System and Services Acquisition | System Development Life Cycle
ⓁⓂⒽⓅ
1
SA-4System and Services Acquisition | Acquisition Process
ⓁⓂⒽⓅ
2
SA-4(1)System and Services Acquisition | Acquisition Process | Functional Properties of Controls
ⓂⒽ
SA-4(2)System and Services Acquisition | Acquisition Process | Design and Implementation Information for Controls
ⓂⒽ
3
SA-4(5)System and Services Acquisition | Acquisition Process | System, Component, and Service Configurations
1
SA-4(9)System and Services Acquisition | Acquisition Process | Functions, Ports, Protocols, and Services in Use
ⓂⒽ
SA-4(10)System and Services Acquisition | Acquisition Process | Use of Approved PIV Products
ⓁⓂⒽ
SA-5System and Services Acquisition | System Documentation
ⓁⓂⒽ
2
SA-8System and Services Acquisition | Security and Privacy Engineering Principles
ⓁⓂⒽ
1
SA-8(33)System and Services Acquisition | Security and Privacy Engineering Principles | Minimization
1
SA-9System and Services Acquisition | External System Services
ⓁⓂⒽⓅ
2
SA-9(2)System and Services Acquisition | External System Services | Identification of Functions, Ports, Protocols, and Services
ⓂⒽ
1
SA-10System and Services Acquisition | Developer Configuration Management
ⓂⒽ
3
SA-11System and Services Acquisition | Developer Testing and Evaluation
ⓂⒽⓅ
3
SA-15System and Services Acquisition | Development Process, Standards, and Tools
ⓂⒽ
2
SA-15(3)System and Services Acquisition | Development Process, Standards, and Tools | Criticality Analysis
ⓂⒽ
2
SA-16System and Services Acquisition | Developer-provided Training
1
SA-17System and Services Acquisition | Developer Security and Privacy Architecture and Design
SA-21System and Services Acquisition | Developer Screening
3
SA-22System and Services Acquisition | Unsupported System Components
ⓁⓂⒽ
2
SC-1System and Communications Protection | Policy and Procedures
ⓁⓂⒽ
7
SC-2System and Communications Protection | Separation of System and User Functionality
ⓂⒽ
SC-3System and Communications Protection | Security Function Isolation
SC-4System and Communications Protection | Information in Shared System Resources
ⓂⒽ
SC-5System and Communications Protection | Denial-of-service Protection
ⓁⓂⒽ
3
SC-7System and Communications Protection | Boundary Protection
ⓁⓂⒽ
1
SC-7(3)System and Communications Protection | Boundary Protection | Access Points
ⓂⒽ
SC-7(4)System and Communications Protection | Boundary Protection | External Telecommunications Services
ⓂⒽ
1
SC-7(5)System and Communications Protection | Boundary Protection | Deny by Default — Allow by Exception
ⓂⒽ
2
SC-7(7)System and Communications Protection | Boundary Protection | Split Tunneling for Remote Devices
ⓂⒽ
1
SC-7(8)System and Communications Protection | Boundary Protection | Route Traffic to Authenticated Proxy Servers
ⓂⒽ
2
SC-7(18)System and Communications Protection | Boundary Protection | Fail Secure
SC-7(21)System and Communications Protection | Boundary Protection | Isolation of System Components
2
SC-7(24)System and Communications Protection | Boundary Protection | Personally Identifiable Information
1
SC-8System and Communications Protection | Transmission Confidentiality and Integrity
ⓂⒽ
1
SC-8(1)System and Communications Protection | Transmission Confidentiality and Integrity | Cryptographic Protection
ⓂⒽ
1
SC-10System and Communications Protection | Network Disconnect
ⓂⒽ
1
SC-12System and Communications Protection | Cryptographic Key Establishment and Management
ⓁⓂⒽ
1
SC-12(1)System and Communications Protection | Cryptographic Key Establishment and Management | Availability
SC-13System and Communications Protection | Cryptographic Protection
ⓁⓂⒽ
2
SC-15System and Communications Protection | Collaborative Computing Devices and Applications
ⓁⓂⒽ
1
SC-17System and Communications Protection | Public Key Infrastructure Certificates
ⓂⒽ
1
SC-18System and Communications Protection | Mobile Code
ⓂⒽ
SC-20System and Communications Protection | Secure Name/address Resolution Service (authoritative Source)
ⓁⓂⒽ
SC-21System and Communications Protection | Secure Name/address Resolution Service (recursive or Caching Resolver)
ⓁⓂⒽ
SC-22System and Communications Protection | Architecture and Provisioning for Name/address Resolution Service
ⓁⓂⒽ
SC-23System and Communications Protection | Session Authenticity
ⓂⒽ
SC-24System and Communications Protection | Fail in Known State
3
SC-28System and Communications Protection | Protection of Information at Rest
ⓂⒽ
2
SC-28(1)System and Communications Protection | Protection of Information at Rest | Cryptographic Protection
ⓂⒽ
2
SC-39System and Communications Protection | Process Isolation
ⓁⓂⒽ
SI-1System and Information Integrity | Policy and Procedures
ⓁⓂⒽⓅ
7
SI-2System and Information Integrity | Flaw Remediation
ⓁⓂⒽ
1
SI-2(2)System and Information Integrity | Flaw Remediation | Automated Flaw Remediation Status
ⓂⒽ
2
SI-3System and Information Integrity | Malicious Code Protection
ⓁⓂⒽ
6
SI-4System and Information Integrity | System Monitoring
ⓁⓂⒽ
6
SI-4(2)System and Information Integrity | System Monitoring | Automated Tools and Mechanisms for Real-time Analysis
ⓂⒽ
SI-4(4)System and Information Integrity | System Monitoring | Inbound and Outbound Communications Traffic
ⓂⒽ
2
SI-4(5)System and Information Integrity | System Monitoring | System-generated Alerts
ⓂⒽ
2
SI-4(10)System and Information Integrity | System Monitoring | Visibility of Encrypted Communications
2
SI-4(12)System and Information Integrity | System Monitoring | Automated Organization-generated Alerts
3
SI-4(14)System and Information Integrity | System Monitoring | Wireless Intrusion Detection
SI-4(20)System and Information Integrity | System Monitoring | Privileged Users
1
SI-4(22)System and Information Integrity | System Monitoring | Unauthorized Network Services
3
SI-5System and Information Integrity | Security Alerts, Advisories, and Directives
ⓁⓂⒽ
5
SI-5(1)System and Information Integrity | Security Alerts, Advisories, and Directives | Automated Alerts and Advisories
1
SI-6System and Information Integrity | Security and Privacy Function Verification
7
SI-7System and Information Integrity | Software, Firmware, and Information Integrity
ⓂⒽ
2
SI-7(1)System and Information Integrity | Software, Firmware, and Information Integrity | Integrity Checks
ⓂⒽ
4
SI-7(2)System and Information Integrity | Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations
1
SI-7(5)System and Information Integrity | Software, Firmware, and Information Integrity | Automated Response to Integrity Violations
2
SI-7(7)System and Information Integrity | Software, Firmware, and Information Integrity | Integration of Detection and Response
ⓂⒽ
1
SI-7(15)System and Information Integrity | Software, Firmware, and Information Integrity | Code Authentication
1
SI-8System and Information Integrity | Spam Protection
ⓂⒽ
SI-8(2)System and Information Integrity | Spam Protection | Automatic Updates
ⓂⒽ
1
SI-10System and Information Integrity | Information Input Validation
ⓂⒽ
1
SI-11System and Information Integrity | Error Handling
ⓂⒽ
1
SI-12System and Information Integrity | Information Management and Retention
ⓁⓂⒽⓅ
SI-12(1)System and Information Integrity | Information Management and Retention | Limit Personally Identifiable Information Elements
1
SI-12(2)System and Information Integrity | Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research
1
SI-12(3)System and Information Integrity | Information Management and Retention | Information Disposal
1
SI-16System and Information Integrity | Memory Protection
ⓂⒽ
1
SI-18System and Information Integrity | Personally Identifiable Information Quality Operations
1
SI-18(4)System and Information Integrity | Personally Identifiable Information Quality Operations | Individual Requests
SI-19System and Information Integrity | De-identification
2
SR-1Supply Chain Risk Management | Policy and Procedures
ⓁⓂⒽ
7
SR-2Supply Chain Risk Management | Supply Chain Risk Management Plan
ⓁⓂⒽ
2
SR-2(1)Supply Chain Risk Management | Supply Chain Risk Management Plan | Establish Scrm Team
ⓁⓂⒽ
2
SR-3Supply Chain Risk Management | Supply Chain Controls and Processes
ⓁⓂⒽ
5
SR-5Supply Chain Risk Management | Acquisition Strategies, Tools, and Methods
ⓁⓂⒽ
1
SR-6Supply Chain Risk Management | Supplier Assessments and Reviews
ⓂⒽ
1
SR-8Supply Chain Risk Management | Notification Agreements
ⓁⓂⒽ
2
SR-9Supply Chain Risk Management | Tamper Resistance and Detection
SR-9(1)Supply Chain Risk Management | Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle
SR-10Supply Chain Risk Management | Inspection of Systems or Components
ⓁⓂⒽ
4
SR-11Supply Chain Risk Management | Component Authenticity
ⓁⓂⒽ
3
SR-11(1)Supply Chain Risk Management | Component Authenticity | Anti-counterfeit Training
ⓁⓂⒽ
1
SR-11(2)Supply Chain Risk Management | Component Authenticity | Configuration Control for Component Service and Repair
ⓁⓂⒽ
1
SR-12Supply Chain Risk Management | Component Disposal
ⓁⓂⒽ
2



Revised 2021-07-30T10:59:02.014391Z