CM-3(4) - Reference

NIST References

SP 800-53 Revision 5

AC - Access Control

AC-1 - Policy and Procedures

AC-2 - Account Management

AC-2(1) - Account Management | Automated System Account Management

AC-2(2) - Account Management | Automated Temporary and Emergency Account Management

AC-2(3) - Account Management | Disable Accounts

AC-2(4) - Account Management | Automated Audit Actions

AC-2(5) - Account Management | Inactivity Logout

AC-2(6) - Account Management | Dynamic Privilege Management

AC-2(7) - Account Management | Privileged User Accounts

AC-2(8) - Account Management | Dynamic Account Management

AC-2(9) - Account Management | Restrictions on Use of Shared and Group Accounts

AC-2(11) - Account Management | Usage Conditions

AC-2(12) - Account Management | Account Monitoring for Atypical Usage

AC-2(13) - Account Management | Disable Accounts for High-risk Individuals

AC-3 - Access Enforcement

AC-3(2) - Access Enforcement | Dual Authorization

AC-3(3) - Access Enforcement | Mandatory Access Control

AC-3(4) - Access Enforcement | Discretionary Access Control

AC-3(5) - Access Enforcement | Security-relevant Information

AC-3(7) - Access Enforcement | Role-based Access Control

AC-3(8) - Access Enforcement | Revocation of Access Authorizations

AC-3(9) - Access Enforcement | Controlled Release

AC-3(10) - Access Enforcement | Audited Override of Access Control Mechanisms

AC-3(11) - Access Enforcement | Restrict Access to Specific Information Types

AC-3(12) - Access Enforcement | Assert and Enforce Application Access

AC-3(13) - Access Enforcement | Attribute-based Access Control

AC-3(14) - Access Enforcement | Individual Access

AC-3(15) - Access Enforcement | Discretionary and Mandatory Access Control

AC-4 - Information Flow Enforcement

AC-4(1) - Information Flow Enforcement | Object Security and Privacy Attributes

AC-4(2) - Information Flow Enforcement | Processing Domains

AC-4(3) - Information Flow Enforcement | Dynamic Information Flow Control

AC-4(4) - Information Flow Enforcement | Flow Control of Encrypted Information

AC-4(5) - Information Flow Enforcement | Embedded Data Types

AC-4(6) - Information Flow Enforcement | Metadata

AC-4(7) - Information Flow Enforcement | One-way Flow Mechanisms

AC-4(8) - Information Flow Enforcement | Security and Privacy Policy Filters

AC-4(9) - Information Flow Enforcement | Human Reviews

AC-4(10) - Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters

AC-4(11) - Information Flow Enforcement | Configuration of Security or Privacy Policy Filters

AC-4(12) - Information Flow Enforcement | Data Type Identifiers

AC-4(13) - Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents

AC-4(14) - Information Flow Enforcement | Security or Privacy Policy Filter Constraints

AC-4(15) - Information Flow Enforcement | Detection of Unsanctioned Information

AC-4(17) - Information Flow Enforcement | Domain Authentication

AC-4(19) - Information Flow Enforcement | Validation of Metadata

AC-4(20) - Information Flow Enforcement | Approved Solutions

AC-4(21) - Information Flow Enforcement | Physical or Logical Separation of Information Flows

AC-4(22) - Information Flow Enforcement | Access Only

AC-4(23) - Information Flow Enforcement | Modify Non-releasable Information

AC-4(24) - Information Flow Enforcement | Internal Normalized Format

AC-4(25) - Information Flow Enforcement | Data Sanitization

AC-4(26) - Information Flow Enforcement | Audit Filtering Actions

AC-4(27) - Information Flow Enforcement | Redundant/independent Filtering Mechanisms

AC-4(28) - Information Flow Enforcement | Linear Filter Pipelines

AC-4(29) - Information Flow Enforcement | Filter Orchestration Engines

AC-4(30) - Information Flow Enforcement | Filter Mechanisms Using Multiple Processes

AC-4(31) - Information Flow Enforcement | Failed Content Transfer Prevention

AC-4(32) - Information Flow Enforcement | Process Requirements for Information Transfer

AC-5 - Separation of Duties

AC-6 - Least Privilege

AC-6(1) - Least Privilege | Authorize Access to Security Functions

AC-6(2) - Least Privilege | Non-privileged Access for Nonsecurity Functions

AC-6(3) - Least Privilege | Network Access to Privileged Commands

AC-6(4) - Least Privilege | Separate Processing Domains

AC-6(5) - Least Privilege | Privileged Accounts

AC-6(6) - Least Privilege | Privileged Access by Non-organizational Users

AC-6(7) - Least Privilege | Review of User Privileges

AC-6(8) - Least Privilege | Privilege Levels for Code Execution

AC-6(9) - Least Privilege | Log Use of Privileged Functions

AC-6(10) - Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions

AC-7 - Unsuccessful Logon Attempts

AC-7(2) - Unsuccessful Logon Attempts | Purge or Wipe Mobile Device

AC-7(3) - Unsuccessful Logon Attempts | Biometric Attempt Limiting

AC-7(4) - Unsuccessful Logon Attempts | Use of Alternate Authentication Factor

AC-8 - System Use Notification

AC-9 - Previous Logon Notification

AC-9(1) - Previous Logon Notification | Unsuccessful Logons

AC-9(2) - Previous Logon Notification | Successful and Unsuccessful Logons

AC-9(3) - Previous Logon Notification | Notification of Account Changes

AC-9(4) - Previous Logon Notification | Additional Logon Information

AC-10 - Concurrent Session Control

AC-11 - Device Lock

AC-11(1) - Device Lock | Pattern-hiding Displays

AC-12 - Session Termination

AC-12(1) - Session Termination | User-initiated Logouts

AC-12(2) - Session Termination | Termination Message

AC-12(3) - Session Termination | Timeout Warning Message

AC-14 - Permitted Actions Without Identification or Authentication

AC-16 - Security and Privacy Attributes

AC-16(1) - Security and Privacy Attributes | Dynamic Attribute Association

AC-16(2) - Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals

AC-16(3) - Security and Privacy Attributes | Maintenance of Attribute Associations by System

AC-16(4) - Security and Privacy Attributes | Association of Attributes by Authorized Individuals

AC-16(5) - Security and Privacy Attributes | Attribute Displays on Objects to Be Output

AC-16(6) - Security and Privacy Attributes | Maintenance of Attribute Association

AC-16(7) - Security and Privacy Attributes | Consistent Attribute Interpretation

AC-16(8) - Security and Privacy Attributes | Association Techniques and Technologies

AC-16(9) - Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms

AC-16(10) - Security and Privacy Attributes | Attribute Configuration by Authorized Individuals

AC-17 - Remote Access

AC-17(1) - Remote Access | Monitoring and Control

AC-17(2) - Remote Access | Protection of Confidentiality and Integrity Using Encryption

AC-17(3) - Remote Access | Managed Access Control Points

AC-17(4) - Remote Access | Privileged Commands and Access

AC-17(6) - Remote Access | Protection of Mechanism Information

AC-17(9) - Remote Access | Disconnect or Disable Access

AC-17(10) - Remote Access | Authenticate Remote Commands

AC-18 - Wireless Access

AC-18(1) - Wireless Access | Authentication and Encryption

AC-18(3) - Wireless Access | Disable Wireless Networking

AC-18(4) - Wireless Access | Restrict Configurations by Users

AC-18(5) - Wireless Access | Antennas and Transmission Power Levels

AC-19 - Access Control for Mobile Devices

AC-19(4) - Access Control for Mobile Devices | Restrictions for Classified Information

AC-19(5) - Access Control for Mobile Devices | Full Device or Container-based Encryption

AC-20 - Use of External Systems

AC-20(1) - Use of External Systems | Limits on Authorized Use

AC-20(2) - Use of External Systems | Portable Storage Devices — Restricted Use

AC-20(3) - Use of External Systems | Non-organizationally Owned Systems — Restricted Use

AC-20(4) - Use of External Systems | Network Accessible Storage Devices — Prohibited Use

AC-20(5) - Use of External Systems | Portable Storage Devices — Prohibited Use

AC-21 - Information Sharing

AC-21(1) - Information Sharing | Automated Decision Support

AC-21(2) - Information Sharing | Information Search and Retrieval

AC-22 - Publicly Accessible Content

AC-23 - Data Mining Protection

AC-24 - Access Control Decisions

AC-24(1) - Access Control Decisions | Transmit Access Authorization Information

AC-24(2) - Access Control Decisions | No User or Process Identity

AC-25 - Reference Monitor

AT - Awareness and Training

AT-1 - Policy and Procedures

AT-2 - Literacy Training and Awareness

AT-2(1) - Literacy Training and Awareness | Practical Exercises

AT-2(2) - Literacy Training and Awareness | Insider Threat

AT-2(3) - Literacy Training and Awareness | Social Engineering and Mining

AT-2(4) - Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior

AT-2(5) - Literacy Training and Awareness | Advanced Persistent Threat

AT-2(6) - Literacy Training and Awareness | Cyber Threat Environment

AT-3 - Role-based Training

AT-3(1) - Role-based Training | Environmental Controls

AT-3(2) - Role-based Training | Physical Security Controls

AT-3(3) - Role-based Training | Practical Exercises

AT-3(5) - Role-based Training | Processing Personally Identifiable Information

AT-4 - Training Records

AT-6 - Training Feedback

AU - Audit and Accountability

AU-1 - Policy and Procedures

AU-2 - Event Logging

AU-3 - Content of Audit Records

AU-3(1) - Content of Audit Records | Additional Audit Information

AU-3(3) - Content of Audit Records | Limit Personally Identifiable Information Elements

AU-4 - Audit Log Storage Capacity

AU-4(1) - Audit Log Storage Capacity | Transfer to Alternate Storage

AU-5 - Response to Audit Logging Process Failures

AU-5(1) - Response to Audit Logging Process Failures | Storage Capacity Warning

AU-5(2) - Response to Audit Logging Process Failures | Real-time Alerts

AU-5(3) - Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds

AU-5(4) - Response to Audit Logging Process Failures | Shutdown on Failure

AU-5(5) - Response to Audit Logging Process Failures | Alternate Audit Logging Capability

AU-6 - Audit Record Review, Analysis, and Reporting

AU-6(1) - Audit Record Review, Analysis, and Reporting | Automated Process Integration

AU-6(3) - Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories

AU-6(4) - Audit Record Review, Analysis, and Reporting | Central Review and Analysis

AU-6(5) - Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records

AU-6(6) - Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring

AU-6(7) - Audit Record Review, Analysis, and Reporting | Permitted Actions

AU-6(8) - Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands

AU-6(9) - Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources

AU-7 - Audit Record Reduction and Report Generation

AU-7(1) - Audit Record Reduction and Report Generation | Automatic Processing

AU-8 - Time Stamps

AU-9 - Protection of Audit Information

AU-9(1) - Protection of Audit Information | Hardware Write-once Media

AU-9(2) - Protection of Audit Information | Store on Separate Physical Systems or Components

AU-9(3) - Protection of Audit Information | Cryptographic Protection

AU-9(4) - Protection of Audit Information | Access by Subset of Privileged Users

AU-9(5) - Protection of Audit Information | Dual Authorization

AU-9(6) - Protection of Audit Information | Read-only Access

AU-9(7) - Protection of Audit Information | Store on Component with Different Operating System

AU-10 - Non-repudiation

AU-10(1) - Non-repudiation | Association of Identities

AU-10(2) - Non-repudiation | Validate Binding of Information Producer Identity

AU-10(3) - Non-repudiation | Chain of Custody

AU-10(4) - Non-repudiation | Validate Binding of Information Reviewer Identity

AU-11 - Audit Record Retention

AU-11(1) - Audit Record Retention | Long-term Retrieval Capability

AU-12 - Audit Record Generation

AU-12(1) - Audit Record Generation | System-wide and Time-correlated Audit Trail

AU-12(2) - Audit Record Generation | Standardized Formats

AU-12(3) - Audit Record Generation | Changes by Authorized Individuals

AU-12(4) - Audit Record Generation | Query Parameter Audits of Personally Identifiable Information

AU-13 - Monitoring for Information Disclosure

AU-13(1) - Monitoring for Information Disclosure | Use of Automated Tools

AU-13(2) - Monitoring for Information Disclosure | Review of Monitored Sites

AU-13(3) - Monitoring for Information Disclosure | Unauthorized Replication of Information

AU-14 - Session Audit

AU-14(1) - Session Audit | System Start-up

AU-14(3) - Session Audit | Remote Viewing and Listening

AU-16 - Cross-organizational Audit Logging

AU-16(1) - Cross-organizational Audit Logging | Identity Preservation

AU-16(2) - Cross-organizational Audit Logging | Sharing of Audit Information

AU-16(3) - Cross-organizational Audit Logging | Disassociability

CA - Assessment, Authorization, and Monitoring

CA-1 - Policy and Procedures

CA-2 - Control Assessments

CA-2(1) - Control Assessments | Independent Assessors

CA-2(2) - Control Assessments | Specialized Assessments

CA-2(3) - Control Assessments | Leveraging Results from External Organizations

CA-3 - Information Exchange

CA-3(6) - Information Exchange | Transfer Authorizations

CA-3(7) - Information Exchange | Transitive Information Exchanges

CA-5 - Plan of Action and Milestones

CA-5(1) - Plan of Action and Milestones | Automation Support for Accuracy and Currency

CA-6 - Authorization

CA-6(1) - Authorization | Joint Authorization — Intra-organization

CA-6(2) - Authorization | Joint Authorization — Inter-organization

CA-7 - Continuous Monitoring

CA-7(1) - Continuous Monitoring | Independent Assessment

CA-7(3) - Continuous Monitoring | Trend Analyses

CA-7(4) - Continuous Monitoring | Risk Monitoring

CA-7(5) - Continuous Monitoring | Consistency Analysis

CA-7(6) - Continuous Monitoring | Automation Support for Monitoring

CA-8 - Penetration Testing

CA-8(1) - Penetration Testing | Independent Penetration Testing Agent or Team

CA-8(2) - Penetration Testing | Red Team Exercises

CA-8(3) - Penetration Testing | Facility Penetration Testing

CA-9 - Internal System Connections

CA-9(1) - Internal System Connections | Compliance Checks

CM - Configuration Management

CM-1 - Policy and Procedures

CM-2 - Baseline Configuration

CM-2(2) - Baseline Configuration | Automation Support for Accuracy and Currency

CM-2(3) - Baseline Configuration | Retention of Previous Configurations

CM-2(6) - Baseline Configuration | Development and Test Environments

CM-2(7) - Baseline Configuration | Configure Systems and Components for High-risk Areas

CM-3 - Configuration Change Control

CM-3(1) - Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes

CM-3(2) - Configuration Change Control | Testing, Validation, and Documentation of Changes

CM-3(3) - Configuration Change Control | Automated Change Implementation

CM-3(4) - Configuration Change Control | Security and Privacy Representatives

CM-3(5) - Configuration Change Control | Automated Security Response

CM-3(6) - Configuration Change Control | Cryptography Management

CM-3(7) - Configuration Change Control | Review System Changes

CM-3(8) - Configuration Change Control | Prevent or Restrict Configuration Changes

CM-4 - Impact Analyses

CM-4(1) - Impact Analyses | Separate Test Environments

CM-4(2) - Impact Analyses | Verification of Controls

CM-5 - Access Restrictions for Change

CM-5(1) - Access Restrictions for Change | Automated Access Enforcement and Audit Records

CM-5(4) - Access Restrictions for Change | Dual Authorization

CM-5(5) - Access Restrictions for Change | Privilege Limitation for Production and Operation

CM-5(6) - Access Restrictions for Change | Limit Library Privileges

CM-6 - Configuration Settings

CM-6(1) - Configuration Settings | Automated Management, Application, and Verification

CM-6(2) - Configuration Settings | Respond to Unauthorized Changes

CM-7 - Least Functionality

CM-7(1) - Least Functionality | Periodic Review

CM-7(2) - Least Functionality | Prevent Program Execution

CM-7(3) - Least Functionality | Registration Compliance

CM-7(4) - Least Functionality | Unauthorized Software

CM-7(5) - Least Functionality | Authorized Software

CM-7(6) - Least Functionality | Confined Environments with Limited Privileges

CM-7(7) - Least Functionality | Code Execution in Protected Environments

CM-7(8) - Least Functionality | Binary or Machine Executable Code

CM-7(9) - Least Functionality | Prohibiting The Use of Unauthorized Hardware

CM-8 - System Component Inventory

CM-8(1) - System Component Inventory | Updates During Installation and Removal

CM-8(2) - System Component Inventory | Automated Maintenance

CM-8(3) - System Component Inventory | Automated Unauthorized Component Detection

CM-8(4) - System Component Inventory | Accountability Information

CM-8(6) - System Component Inventory | Assessed Configurations and Approved Deviations

CM-8(7) - System Component Inventory | Centralized Repository

CM-8(8) - System Component Inventory | Automated Location Tracking

CM-8(9) - System Component Inventory | Assignment of Components to Systems

CM-9 - Configuration Management Plan

CM-9(1) - Configuration Management Plan | Assignment of Responsibility

CM-10 - Software Usage Restrictions

CM-10(1) - Software Usage Restrictions | Open-source Software

CM-11 - User-installed Software

CM-11(2) - User-installed Software | Software Installation with Privileged Status

CM-11(3) - User-installed Software | Automated Enforcement and Monitoring

CM-12 - Information Location

CM-12(1) - Information Location | Automated Tools to Support Information Location

CM-13 - Data Action Mapping

CM-14 - Signed Components

CP - Contingency Planning

CP-1 - Policy and Procedures

CP-2 - Contingency Plan

CP-2(1) - Contingency Plan | Coordinate with Related Plans

CP-2(2) - Contingency Plan | Capacity Planning

CP-2(3) - Contingency Plan | Resume Mission and Business Functions

CP-2(5) - Contingency Plan | Continue Mission and Business Functions

CP-2(6) - Contingency Plan | Alternate Processing and Storage Sites

CP-2(7) - Contingency Plan | Coordinate with External Service Providers

CP-2(8) - Contingency Plan | Identify Critical Assets

CP-3 - Contingency Training

CP-3(1) - Contingency Training | Simulated Events

CP-3(2) - Contingency Training | Mechanisms Used in Training Environments

CP-4 - Contingency Plan Testing

CP-4(1) - Contingency Plan Testing | Coordinate with Related Plans

CP-4(2) - Contingency Plan Testing | Alternate Processing Site

CP-4(3) - Contingency Plan Testing | Automated Testing

CP-4(4) - Contingency Plan Testing | Full Recovery and Reconstitution

CP-4(5) - Contingency Plan Testing | Self-challenge

CP-6 - Alternate Storage Site

CP-6(1) - Alternate Storage Site | Separation from Primary Site

CP-6(2) - Alternate Storage Site | Recovery Time and Recovery Point Objectives

CP-6(3) - Alternate Storage Site | Accessibility

CP-7 - Alternate Processing Site

CP-7(1) - Alternate Processing Site | Separation from Primary Site

CP-7(2) - Alternate Processing Site | Accessibility

CP-7(3) - Alternate Processing Site | Priority of Service

CP-7(4) - Alternate Processing Site | Preparation for Use

CP-7(6) - Alternate Processing Site | Inability to Return to Primary Site

CP-8 - Telecommunications Services

CP-8(1) - Telecommunications Services | Priority of Service Provisions

CP-8(2) - Telecommunications Services | Single Points of Failure

CP-8(3) - Telecommunications Services | Separation of Primary and Alternate Providers

CP-8(4) - Telecommunications Services | Provider Contingency Plan

CP-8(5) - Telecommunications Services | Alternate Telecommunication Service Testing

CP-9 - System Backup

CP-9(1) - System Backup | Testing for Reliability and Integrity

CP-9(2) - System Backup | Test Restoration Using Sampling

CP-9(3) - System Backup | Separate Storage for Critical Information

CP-9(5) - System Backup | Transfer to Alternate Storage Site

CP-9(6) - System Backup | Redundant Secondary System

CP-9(7) - System Backup | Dual Authorization

CP-9(8) - System Backup | Cryptographic Protection

CP-10 - System Recovery and Reconstitution

CP-10(2) - System Recovery and Reconstitution | Transaction Recovery

CP-10(4) - System Recovery and Reconstitution | Restore Within Time Period

CP-10(6) - System Recovery and Reconstitution | Component Protection

CP-11 - Alternate Communications Protocols

CP-12 - Safe Mode

CP-13 - Alternative Security Mechanisms

IA - Identification and Authentication

IA-1 - Policy and Procedures

IA-2 - Identification and Authentication (organizational Users)

IA-2(1) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts

IA-2(2) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts

IA-2(5) - Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication

IA-2(6) - Identification and Authentication (organizational Users) | Access to Accounts — Separate Device

IA-2(8) - Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant

IA-2(10) - Identification and Authentication (organizational Users) | Single Sign-on

IA-2(12) - Identification and Authentication (organizational Users) | Acceptance of PIV Credentials

IA-2(13) - Identification and Authentication (organizational Users) | Out-of-band Authentication

IA-3 - Device Identification and Authentication

IA-3(1) - Device Identification and Authentication | Cryptographic Bidirectional Authentication

IA-3(3) - Device Identification and Authentication | Dynamic Address Allocation

IA-3(4) - Device Identification and Authentication | Device Attestation

IA-4 - Identifier Management

IA-4(1) - Identifier Management | Prohibit Account Identifiers as Public Identifiers

IA-4(4) - Identifier Management | Identify User Status

IA-4(5) - Identifier Management | Dynamic Management

IA-4(6) - Identifier Management | Cross-organization Management

IA-4(8) - Identifier Management | Pairwise Pseudonymous Identifiers

IA-4(9) - Identifier Management | Attribute Maintenance and Protection

IA-5 - Authenticator Management

IA-5(1) - Authenticator Management | Password-based Authentication

IA-5(2) - Authenticator Management | Public Key-based Authentication

IA-5(5) - Authenticator Management | Change Authenticators Prior to Delivery

IA-5(6) - Authenticator Management | Protection of Authenticators

IA-5(7) - Authenticator Management | No Embedded Unencrypted Static Authenticators

IA-5(8) - Authenticator Management | Multiple System Accounts

IA-5(9) - Authenticator Management | Federated Credential Management

IA-5(10) - Authenticator Management | Dynamic Credential Binding

IA-5(12) - Authenticator Management | Biometric Authentication Performance

IA-5(13) - Authenticator Management | Expiration of Cached Authenticators

IA-5(14) - Authenticator Management | Managing Content of PKI Trust Stores

IA-5(15) - Authenticator Management | Gsa-approved Products and Services

IA-5(16) - Authenticator Management | In-person or Trusted External Party Authenticator Issuance

IA-5(17) - Authenticator Management | Presentation Attack Detection for Biometric Authenticators

IA-5(18) - Authenticator Management | Password Managers

IA-6 - Authentication Feedback

IA-7 - Cryptographic Module Authentication

IA-8 - Identification and Authentication (non-organizational Users)

IA-8(1) - Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies

IA-8(2) - Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators

IA-8(4) - Identification and Authentication (non-organizational Users) | Use of Defined Profiles

IA-8(5) - Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials

IA-8(6) - Identification and Authentication (non-organizational Users) | Disassociability

IA-9 - Service Identification and Authentication

IA-10 - Adaptive Authentication

IA-11 - Re-authentication

IA-12 - Identity Proofing

IA-12(1) - Identity Proofing | Supervisor Authorization

IA-12(2) - Identity Proofing | Identity Evidence

IA-12(3) - Identity Proofing | Identity Evidence Validation and Verification

IA-12(4) - Identity Proofing | In-person Validation and Verification

IA-12(5) - Identity Proofing | Address Confirmation

IA-12(6) - Identity Proofing | Accept Externally-proofed Identities

IR - Incident Response

IR-1 - Policy and Procedures

IR-2 - Incident Response Training

IR-2(1) - Incident Response Training | Simulated Events

IR-2(2) - Incident Response Training | Automated Training Environments

IR-2(3) - Incident Response Training | Breach

IR-3 - Incident Response Testing

IR-3(1) - Incident Response Testing | Automated Testing

IR-3(2) - Incident Response Testing | Coordination with Related Plans

IR-3(3) - Incident Response Testing | Continuous Improvement

IR-4 - Incident Handling

IR-4(1) - Incident Handling | Automated Incident Handling Processes

IR-4(2) - Incident Handling | Dynamic Reconfiguration

IR-4(3) - Incident Handling | Continuity of Operations

IR-4(4) - Incident Handling | Information Correlation

IR-4(5) - Incident Handling | Automatic Disabling of System

IR-4(6) - Incident Handling | Insider Threats

IR-4(7) - Incident Handling | Insider Threats — Intra-organization Coordination

IR-4(8) - Incident Handling | Correlation with External Organizations

IR-4(9) - Incident Handling | Dynamic Response Capability

IR-4(10) - Incident Handling | Supply Chain Coordination

IR-4(11) - Incident Handling | Integrated Incident Response Team

IR-4(12) - Incident Handling | Malicious Code and Forensic Analysis

IR-4(13) - Incident Handling | Behavior Analysis

IR-4(14) - Incident Handling | Security Operations Center

IR-4(15) - Incident Handling | Public Relations and Reputation Repair

IR-5 - Incident Monitoring

IR-5(1) - Incident Monitoring | Automated Tracking, Data Collection, and Analysis

IR-6 - Incident Reporting

IR-6(1) - Incident Reporting | Automated Reporting

IR-6(2) - Incident Reporting | Vulnerabilities Related to Incidents

IR-6(3) - Incident Reporting | Supply Chain Coordination

IR-7 - Incident Response Assistance

IR-7(1) - Incident Response Assistance | Automation Support for Availability of Information and Support

IR-7(2) - Incident Response Assistance | Coordination with External Providers

IR-8 - Incident Response Plan

IR-8(1) - Incident Response Plan | Breaches

IR-9 - Information Spillage Response

IR-9(2) - Information Spillage Response | Training

IR-9(3) - Information Spillage Response | Post-spill Operations

IR-9(4) - Information Spillage Response | Exposure to Unauthorized Personnel

MA - Maintenance

MA-1 - Policy and Procedures

MA-2 - Controlled Maintenance

MA-2(2) - Controlled Maintenance | Automated Maintenance Activities

MA-3 - Maintenance Tools

MA-3(1) - Maintenance Tools | Inspect Tools

MA-3(2) - Maintenance Tools | Inspect Media

MA-3(3) - Maintenance Tools | Prevent Unauthorized Removal

MA-3(4) - Maintenance Tools | Restricted Tool Use

MA-3(5) - Maintenance Tools | Execution with Privilege

MA-3(6) - Maintenance Tools | Software Updates and Patches

MA-4 - Nonlocal Maintenance

MA-4(1) - Nonlocal Maintenance | Logging and Review

MA-4(3) - Nonlocal Maintenance | Comparable Security and Sanitization

MA-4(4) - Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions

MA-4(5) - Nonlocal Maintenance | Approvals and Notifications

MA-4(6) - Nonlocal Maintenance | Cryptographic Protection

MA-4(7) - Nonlocal Maintenance | Disconnect Verification

MA-5 - Maintenance Personnel

MA-5(1) - Maintenance Personnel | Individuals Without Appropriate Access

MA-5(2) - Maintenance Personnel | Security Clearances for Classified Systems

MA-5(3) - Maintenance Personnel | Citizenship Requirements for Classified Systems

MA-5(4) - Maintenance Personnel | Foreign Nationals

MA-5(5) - Maintenance Personnel | Non-system Maintenance

MA-6 - Timely Maintenance

MA-6(1) - Timely Maintenance | Preventive Maintenance

MA-6(2) - Timely Maintenance | Predictive Maintenance

MA-6(3) - Timely Maintenance | Automated Support for Predictive Maintenance

MA-7 - Field Maintenance

MP - Media Protection

MP-1 - Policy and Procedures

MP-2 - Media Access

MP-3 - Media Marking

MP-4 - Media Storage

MP-4(2) - Media Storage | Automated Restricted Access

MP-5 - Media Transport

MP-5(3) - Media Transport | Custodians

MP-6 - Media Sanitization

MP-6(1) - Media Sanitization | Review, Approve, Track, Document, and Verify

MP-6(2) - Media Sanitization | Equipment Testing

MP-6(3) - Media Sanitization | Nondestructive Techniques

MP-6(7) - Media Sanitization | Dual Authorization

MP-6(8) - Media Sanitization | Remote Purging or Wiping of Information

MP-7 - Media Use

MP-7(2) - Media Use | Prohibit Use of Sanitization-resistant Media

MP-8 - Media Downgrading

MP-8(1) - Media Downgrading | Documentation of Process

MP-8(2) - Media Downgrading | Equipment Testing

MP-8(3) - Media Downgrading | Controlled Unclassified Information

MP-8(4) - Media Downgrading | Classified Information

PE - Physical and Environmental Protection

PE-1 - Policy and Procedures

PE-2 - Physical Access Authorizations

PE-2(1) - Physical Access Authorizations | Access by Position or Role

PE-2(2) - Physical Access Authorizations | Two Forms of Identification

PE-2(3) - Physical Access Authorizations | Restrict Unescorted Access

PE-3 - Physical Access Control

PE-3(1) - Physical Access Control | System Access

PE-3(2) - Physical Access Control | Facility and Systems

PE-3(3) - Physical Access Control | Continuous Guards

PE-3(4) - Physical Access Control | Lockable Casings

PE-3(5) - Physical Access Control | Tamper Protection

PE-3(7) - Physical Access Control | Physical Barriers

PE-3(8) - Physical Access Control | Access Control Vestibules

PE-4 - Access Control for Transmission

PE-5 - Access Control for Output Devices

PE-5(2) - Access Control for Output Devices | Link to Individual Identity

PE-6 - Monitoring Physical Access

PE-6(1) - Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment

PE-6(2) - Monitoring Physical Access | Automated Intrusion Recognition and Responses

PE-6(3) - Monitoring Physical Access | Video Surveillance

PE-6(4) - Monitoring Physical Access | Monitoring Physical Access to Systems

PE-8 - Visitor Access Records

PE-8(1) - Visitor Access Records | Automated Records Maintenance and Review

PE-8(3) - Visitor Access Records | Limit Personally Identifiable Information Elements

PE-9 - Power Equipment and Cabling

PE-9(1) - Power Equipment and Cabling | Redundant Cabling

PE-9(2) - Power Equipment and Cabling | Automatic Voltage Controls

PE-10 - Emergency Shutoff

PE-11 - Emergency Power

PE-11(1) - Emergency Power | Alternate Power Supply — Minimal Operational Capability

PE-11(2) - Emergency Power | Alternate Power Supply — Self-contained

PE-12 - Emergency Lighting

PE-12(1) - Emergency Lighting | Essential Mission and Business Functions

PE-13 - Fire Protection

PE-13(1) - Fire Protection | Detection Systems – Automatic Activation and Notification

PE-13(2) - Fire Protection | Suppression Systems – Automatic Activation and Notification

PE-13(4) - Fire Protection | Inspections

PE-14 - Environmental Controls

PE-14(1) - Environmental Controls | Automatic Controls

PE-14(2) - Environmental Controls | Monitoring with Alarms and Notifications

PE-15 - Water Damage Protection

PE-15(1) - Water Damage Protection | Automation Support

PE-16 - Delivery and Removal

PE-17 - Alternate Work Site

PE-18 - Location of System Components

PE-19 - Information Leakage

PE-19(1) - Information Leakage | National Emissions and Tempest Policies and Procedures

PE-20 - Asset Monitoring and Tracking

PE-21 - Electromagnetic Pulse Protection

PE-22 - Component Marking

PE-23 - Facility Location

PL - Planning

PL-1 - Policy and Procedures

PL-2 - System Security and Privacy Plans

PL-4 - Rules of Behavior

PL-4(1) - Rules of Behavior | Social Media and External Site/application Usage Restrictions

PL-7 - Concept of Operations

PL-8 - Security and Privacy Architectures

PL-8(1) - Security and Privacy Architectures | Defense in Depth

PL-8(2) - Security and Privacy Architectures | Supplier Diversity

PL-9 - Central Management

PL-10 - Baseline Selection

PL-11 - Baseline Tailoring

PM - Program Management

PM-1 - Information Security Program Plan

PM-2 - Information Security Program Leadership Role

PM-3 - Information Security and Privacy Resources

PM-4 - Plan of Action and Milestones Process

PM-5 - System Inventory

PM-5(1) - System Inventory | Inventory of Personally Identifiable Information

PM-6 - Measures of Performance

PM-7 - Enterprise Architecture

PM-7(1) - Enterprise Architecture | Offloading

PM-8 - Critical Infrastructure Plan

PM-9 - Risk Management Strategy

PM-10 - Authorization Process

PM-11 - Mission and Business Process Definition

PM-12 - Insider Threat Program

PM-13 - Security and Privacy Workforce

PM-14 - Testing, Training, and Monitoring

PM-15 - Security and Privacy Groups and Associations

PM-16 - Threat Awareness Program

PM-16(1) - Threat Awareness Program | Automated Means for Sharing Threat Intelligence

PM-17 - Protecting Controlled Unclassified Information on External Systems

PM-18 - Privacy Program Plan

PM-19 - Privacy Program Leadership Role

PM-20 - Dissemination of Privacy Program Information

PM-20(1) - Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services

PM-21 - Accounting of Disclosures

PM-22 - Personally Identifiable Information Quality Management

PM-23 - Data Governance Body

PM-24 - Data Integrity Board

PM-25 - Minimization of Personally Identifiable Information Used in Testing, Training, and Research

PM-26 - Complaint Management

PM-27 - Privacy Reporting

PM-28 - Risk Framing

PM-29 - Risk Management Program Leadership Roles

PM-30 - Supply Chain Risk Management Strategy

PM-30(1) - Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items

PM-31 - Continuous Monitoring Strategy

PM-32 - Purposing

PS - Personnel Security

PS-1 - Policy and Procedures

PS-2 - Position Risk Designation

PS-3 - Personnel Screening

PS-3(1) - Personnel Screening | Classified Information

PS-3(2) - Personnel Screening | Formal Indoctrination

PS-3(3) - Personnel Screening | Information with Special Protective Measures

PS-3(4) - Personnel Screening | Citizenship Requirements

PS-4 - Personnel Termination

PS-4(1) - Personnel Termination | Post-employment Requirements

PS-4(2) - Personnel Termination | Automated Actions

PS-5 - Personnel Transfer

PS-6 - Access Agreements

PS-6(2) - Access Agreements | Classified Information Requiring Special Protection

PS-6(3) - Access Agreements | Post-employment Requirements

PS-7 - External Personnel Security

PS-8 - Personnel Sanctions

PS-9 - Position Descriptions

PT - Personally Identifiable Information Processing and Transparency

PT-1 - Policy and Procedures

PT-2 - Authority to Process Personally Identifiable Information

PT-2(1) - Authority to Process Personally Identifiable Information | Data Tagging

PT-2(2) - Authority to Process Personally Identifiable Information | Automation

PT-3 - Personally Identifiable Information Processing Purposes

PT-3(1) - Personally Identifiable Information Processing Purposes | Data Tagging

PT-3(2) - Personally Identifiable Information Processing Purposes | Automation

PT-4 - Consent

PT-4(1) - Consent | Tailored Consent

PT-4(2) - Consent | Just-in-time Consent

PT-4(3) - Consent | Revocation

PT-5 - Privacy Notice

PT-5(1) - Privacy Notice | Just-in-time Notice

PT-5(2) - Privacy Notice | Privacy Act Statements

PT-6 - System of Records Notice

PT-6(1) - System of Records Notice | Routine Uses

PT-6(2) - System of Records Notice | Exemption Rules

PT-7 - Specific Categories of Personally Identifiable Information

PT-7(1) - Specific Categories of Personally Identifiable Information | Social Security Numbers

PT-7(2) - Specific Categories of Personally Identifiable Information | First Amendment Information

PT-8 - Computer Matching Requirements

RA - Risk Assessment

RA-1 - Policy and Procedures

RA-2 - Security Categorization

RA-2(1) - Security Categorization | Impact-level Prioritization

RA-3 - Risk Assessment

RA-3(1) - Risk Assessment | Supply Chain Risk Assessment

RA-3(2) - Risk Assessment | Use of All-source Intelligence

RA-3(3) - Risk Assessment | Dynamic Threat Awareness

RA-3(4) - Risk Assessment | Predictive Cyber Analytics

RA-5 - Vulnerability Monitoring and Scanning

RA-5(2) - Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned

RA-5(3) - Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage

RA-5(4) - Vulnerability Monitoring and Scanning | Discoverable Information

RA-5(5) - Vulnerability Monitoring and Scanning | Privileged Access

RA-5(6) - Vulnerability Monitoring and Scanning | Automated Trend Analyses

RA-5(8) - Vulnerability Monitoring and Scanning | Review Historic Audit Logs

RA-5(10) - Vulnerability Monitoring and Scanning | Correlate Scanning Information

RA-5(11) - Vulnerability Monitoring and Scanning | Public Disclosure Program

RA-6 - Technical Surveillance Countermeasures Survey

RA-7 - Risk Response

RA-8 - Privacy Impact Assessments

RA-9 - Criticality Analysis

RA-10 - Threat Hunting

SA - System and Services Acquisition

SA-1 - Policy and Procedures

SA-2 - Allocation of Resources

SA-3 - System Development Life Cycle

SA-3(1) - System Development Life Cycle | Manage Preproduction Environment

SA-3(2) - System Development Life Cycle | Use of Live or Operational Data

SA-3(3) - System Development Life Cycle | Technology Refresh

SA-4 - Acquisition Process

SA-4(1) - Acquisition Process | Functional Properties of Controls

SA-4(2) - Acquisition Process | Design and Implementation Information for Controls

SA-4(3) - Acquisition Process | Development Methods, Techniques, and Practices

SA-4(5) - Acquisition Process | System, Component, and Service Configurations

SA-4(6) - Acquisition Process | Use of Information Assurance Products

SA-4(7) - Acquisition Process | Niap-approved Protection Profiles

SA-4(8) - Acquisition Process | Continuous Monitoring Plan for Controls

SA-4(9) - Acquisition Process | Functions, Ports, Protocols, and Services in Use

SA-4(10) - Acquisition Process | Use of Approved PIV Products

SA-4(11) - Acquisition Process | System of Records

SA-4(12) - Acquisition Process | Data Ownership

SA-5 - System Documentation

SA-8 - Security and Privacy Engineering Principles

SA-8(1) - Security and Privacy Engineering Principles | Clear Abstractions

SA-8(2) - Security and Privacy Engineering Principles | Least Common Mechanism

SA-8(3) - Security and Privacy Engineering Principles | Modularity and Layering

SA-8(4) - Security and Privacy Engineering Principles | Partially Ordered Dependencies

SA-8(5) - Security and Privacy Engineering Principles | Efficiently Mediated Access

SA-8(6) - Security and Privacy Engineering Principles | Minimized Sharing

SA-8(7) - Security and Privacy Engineering Principles | Reduced Complexity

SA-8(8) - Security and Privacy Engineering Principles | Secure Evolvability

SA-8(9) - Security and Privacy Engineering Principles | Trusted Components

SA-8(10) - Security and Privacy Engineering Principles | Hierarchical Trust

SA-8(11) - Security and Privacy Engineering Principles | Inverse Modification Threshold

SA-8(12) - Security and Privacy Engineering Principles | Hierarchical Protection

SA-8(13) - Security and Privacy Engineering Principles | Minimized Security Elements

SA-8(14) - Security and Privacy Engineering Principles | Least Privilege

SA-8(15) - Security and Privacy Engineering Principles | Predicate Permission

SA-8(16) - Security and Privacy Engineering Principles | Self-reliant Trustworthiness

SA-8(17) - Security and Privacy Engineering Principles | Secure Distributed Composition

SA-8(18) - Security and Privacy Engineering Principles | Trusted Communications Channels

SA-8(19) - Security and Privacy Engineering Principles | Continuous Protection

SA-8(20) - Security and Privacy Engineering Principles | Secure Metadata Management

SA-8(21) - Security and Privacy Engineering Principles | Self-analysis

SA-8(22) - Security and Privacy Engineering Principles | Accountability and Traceability

SA-8(23) - Security and Privacy Engineering Principles | Secure Defaults

SA-8(24) - Security and Privacy Engineering Principles | Secure Failure and Recovery

SA-8(25) - Security and Privacy Engineering Principles | Economic Security

SA-8(26) - Security and Privacy Engineering Principles | Performance Security

SA-8(27) - Security and Privacy Engineering Principles | Human Factored Security

SA-8(28) - Security and Privacy Engineering Principles | Acceptable Security

SA-8(29) - Security and Privacy Engineering Principles | Repeatable and Documented Procedures

SA-8(30) - Security and Privacy Engineering Principles | Procedural Rigor

SA-8(31) - Security and Privacy Engineering Principles | Secure System Modification

SA-8(32) - Security and Privacy Engineering Principles | Sufficient Documentation

SA-8(33) - Security and Privacy Engineering Principles | Minimization

SA-9 - External System Services

SA-9(1) - External System Services | Risk Assessments and Organizational Approvals

SA-9(2) - External System Services | Identification of Functions, Ports, Protocols, and Services

SA-9(3) - External System Services | Establish and Maintain Trust Relationship with Providers

SA-9(4) - External System Services | Consistent Interests of Consumers and Providers

SA-9(5) - External System Services | Processing, Storage, and Service Location

SA-9(6) - External System Services | Organization-controlled Cryptographic Keys

SA-9(7) - External System Services | Organization-controlled Integrity Checking

SA-9(8) - External System Services | Processing and Storage Location — U.s. Jurisdiction

SA-10 - Developer Configuration Management

SA-10(1) - Developer Configuration Management | Software and Firmware Integrity Verification

SA-10(2) - Developer Configuration Management | Alternative Configuration Management

SA-10(3) - Developer Configuration Management | Hardware Integrity Verification

SA-10(4) - Developer Configuration Management | Trusted Generation

SA-10(5) - Developer Configuration Management | Mapping Integrity for Version Control

SA-10(6) - Developer Configuration Management | Trusted Distribution

SA-10(7) - Developer Configuration Management | Security and Privacy Representatives

SA-11 - Developer Testing and Evaluation

SA-11(1) - Developer Testing and Evaluation | Static Code Analysis

SA-11(2) - Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses

SA-11(3) - Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence

SA-11(4) - Developer Testing and Evaluation | Manual Code Reviews

SA-11(5) - Developer Testing and Evaluation | Penetration Testing

SA-11(6) - Developer Testing and Evaluation | Attack Surface Reviews

SA-11(7) - Developer Testing and Evaluation | Verify Scope of Testing and Evaluation

SA-11(8) - Developer Testing and Evaluation | Dynamic Code Analysis

SA-11(9) - Developer Testing and Evaluation | Interactive Application Security Testing

SA-15 - Development Process, Standards, and Tools

SA-15(1) - Development Process, Standards, and Tools | Quality Metrics

SA-15(2) - Development Process, Standards, and Tools | Security and Privacy Tracking Tools

SA-15(3) - Development Process, Standards, and Tools | Criticality Analysis

SA-15(5) - Development Process, Standards, and Tools | Attack Surface Reduction

SA-15(6) - Development Process, Standards, and Tools | Continuous Improvement

SA-15(7) - Development Process, Standards, and Tools | Automated Vulnerability Analysis

SA-15(8) - Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information

SA-15(10) - Development Process, Standards, and Tools | Incident Response Plan

SA-15(11) - Development Process, Standards, and Tools | Archive System or Component

SA-15(12) - Development Process, Standards, and Tools | Minimize Personally Identifiable Information

SA-16 - Developer-provided Training

SA-17 - Developer Security and Privacy Architecture and Design

SA-17(1) - Developer Security and Privacy Architecture and Design | Formal Policy Model

SA-17(2) - Developer Security and Privacy Architecture and Design | Security-relevant Components

SA-17(3) - Developer Security and Privacy Architecture and Design | Formal Correspondence

SA-17(4) - Developer Security and Privacy Architecture and Design | Informal Correspondence

SA-17(5) - Developer Security and Privacy Architecture and Design | Conceptually Simple Design

SA-17(6) - Developer Security and Privacy Architecture and Design | Structure for Testing

SA-17(7) - Developer Security and Privacy Architecture and Design | Structure for Least Privilege

SA-17(8) - Developer Security and Privacy Architecture and Design | Orchestration

SA-17(9) - Developer Security and Privacy Architecture and Design | Design Diversity

SA-20 - Customized Development of Critical Components

SA-21 - Developer Screening

SA-22 - Unsupported System Components

SA-23 - Specialization

SC - System and Communications Protection

SC-1 - Policy and Procedures

SC-2 - Separation of System and User Functionality

SC-2(1) - Separation of System and User Functionality | Interfaces for Non-privileged Users

SC-2(2) - Separation of System and User Functionality | Disassociability

SC-3 - Security Function Isolation

SC-3(1) - Security Function Isolation | Hardware Separation

SC-3(2) - Security Function Isolation | Access and Flow Control Functions

SC-3(3) - Security Function Isolation | Minimize Nonsecurity Functionality

SC-3(4) - Security Function Isolation | Module Coupling and Cohesiveness

SC-3(5) - Security Function Isolation | Layered Structures

SC-4 - Information in Shared System Resources

SC-4(2) - Information in Shared System Resources | Multilevel or Periods Processing

SC-5 - Denial-of-service Protection

SC-5(1) - Denial-of-service Protection | Restrict Ability to Attack Other Systems

SC-5(2) - Denial-of-service Protection | Capacity, Bandwidth, and Redundancy

SC-5(3) - Denial-of-service Protection | Detection and Monitoring

SC-6 - Resource Availability

SC-7 - Boundary Protection

SC-7(3) - Boundary Protection | Access Points

SC-7(4) - Boundary Protection | External Telecommunications Services

SC-7(5) - Boundary Protection | Deny by Default — Allow by Exception

SC-7(7) - Boundary Protection | Split Tunneling for Remote Devices

SC-7(8) - Boundary Protection | Route Traffic to Authenticated Proxy Servers

SC-7(9) - Boundary Protection | Restrict Threatening Outgoing Communications Traffic

SC-7(10) - Boundary Protection | Prevent Exfiltration

SC-7(11) - Boundary Protection | Restrict Incoming Communications Traffic

SC-7(12) - Boundary Protection | Host-based Protection

SC-7(13) - Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components

SC-7(14) - Boundary Protection | Protect Against Unauthorized Physical Connections

SC-7(15) - Boundary Protection | Networked Privileged Accesses

SC-7(16) - Boundary Protection | Prevent Discovery of System Components

SC-7(17) - Boundary Protection | Automated Enforcement of Protocol Formats

SC-7(18) - Boundary Protection | Fail Secure

SC-7(19) - Boundary Protection | Block Communication from Non-organizationally Configured Hosts

SC-7(20) - Boundary Protection | Dynamic Isolation and Segregation

SC-7(21) - Boundary Protection | Isolation of System Components

SC-7(22) - Boundary Protection | Separate Subnets for Connecting to Different Security Domains

SC-7(23) - Boundary Protection | Disable Sender Feedback on Protocol Validation Failure

SC-7(24) - Boundary Protection | Personally Identifiable Information

SC-7(25) - Boundary Protection | Unclassified National Security System Connections

SC-7(26) - Boundary Protection | Classified National Security System Connections

SC-7(27) - Boundary Protection | Unclassified Non-national Security System Connections

SC-7(28) - Boundary Protection | Connections to Public Networks

SC-7(29) - Boundary Protection | Separate Subnets to Isolate Functions

SC-8 - Transmission Confidentiality and Integrity

SC-8(1) - Transmission Confidentiality and Integrity | Cryptographic Protection

SC-8(2) - Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling

SC-8(3) - Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals

SC-8(4) - Transmission Confidentiality and Integrity | Conceal or Randomize Communications

SC-8(5) - Transmission Confidentiality and Integrity | Protected Distribution System

SC-10 - Network Disconnect

SC-11 - Trusted Path

SC-11(1) - Trusted Path | Irrefutable Communications Path

SC-12 - Cryptographic Key Establishment and Management

SC-12(1) - Cryptographic Key Establishment and Management | Availability

SC-12(2) - Cryptographic Key Establishment and Management | Symmetric Keys

SC-12(3) - Cryptographic Key Establishment and Management | Asymmetric Keys

SC-12(6) - Cryptographic Key Establishment and Management | Physical Control of Keys

SC-13 - Cryptographic Protection

SC-15 - Collaborative Computing Devices and Applications

SC-15(1) - Collaborative Computing Devices and Applications | Physical or Logical Disconnect

SC-15(3) - Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas

SC-15(4) - Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants

SC-16 - Transmission of Security and Privacy Attributes

SC-16(1) - Transmission of Security and Privacy Attributes | Integrity Verification

SC-16(2) - Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms

SC-16(3) - Transmission of Security and Privacy Attributes | Cryptographic Binding

SC-17 - Public Key Infrastructure Certificates

SC-18 - Mobile Code

SC-18(1) - Mobile Code | Identify Unacceptable Code and Take Corrective Actions

SC-18(2) - Mobile Code | Acquisition, Development, and Use

SC-18(3) - Mobile Code | Prevent Downloading and Execution

SC-18(4) - Mobile Code | Prevent Automatic Execution

SC-18(5) - Mobile Code | Allow Execution Only in Confined Environments

SC-20 - Secure Name/address Resolution Service (authoritative Source)

SC-20(2) - Secure Name/address Resolution Service (authoritative Source) | Data Origin and Integrity

SC-21 - Secure Name/address Resolution Service (recursive or Caching Resolver)

SC-22 - Architecture and Provisioning for Name/address Resolution Service

SC-23 - Session Authenticity

SC-23(1) - Session Authenticity | Invalidate Session Identifiers at Logout

SC-23(3) - Session Authenticity | Unique System-generated Session Identifiers

SC-23(5) - Session Authenticity | Allowed Certificate Authorities

SC-24 - Fail in Known State

SC-25 - Thin Nodes

SC-26 - Decoys

SC-27 - Platform-independent Applications

SC-28 - Protection of Information at Rest

SC-28(1) - Protection of Information at Rest | Cryptographic Protection

SC-28(2) - Protection of Information at Rest | Offline Storage

SC-28(3) - Protection of Information at Rest | Cryptographic Keys

SC-29 - Heterogeneity

SC-29(1) - Heterogeneity | Virtualization Techniques

SC-30 - Concealment and Misdirection

SC-30(2) - Concealment and Misdirection | Randomness

SC-30(3) - Concealment and Misdirection | Change Processing and Storage Locations

SC-30(4) - Concealment and Misdirection | Misleading Information

SC-30(5) - Concealment and Misdirection | Concealment of System Components

SC-31 - Covert Channel Analysis

SC-31(1) - Covert Channel Analysis | Test Covert Channels for Exploitability

SC-31(2) - Covert Channel Analysis | Maximum Bandwidth

SC-31(3) - Covert Channel Analysis | Measure Bandwidth in Operational Environments

SC-32 - System Partitioning

SC-32(1) - System Partitioning | Separate Physical Domains for Privileged Functions

SC-34 - Non-modifiable Executable Programs

SC-34(1) - Non-modifiable Executable Programs | No Writable Storage

SC-34(2) - Non-modifiable Executable Programs | Integrity Protection on Read-only Media

SC-35 - External Malicious Code Identification

SC-36 - Distributed Processing and Storage

SC-36(1) - Distributed Processing and Storage | Polling Techniques

SC-36(2) - Distributed Processing and Storage | Synchronization

SC-37 - Out-of-band Channels

SC-37(1) - Out-of-band Channels | Ensure Delivery and Transmission

SC-38 - Operations Security

SC-39 - Process Isolation

SC-39(1) - Process Isolation | Hardware Separation

SC-39(2) - Process Isolation | Separate Execution Domain Per Thread

SC-40 - Wireless Link Protection

SC-40(1) - Wireless Link Protection | Electromagnetic Interference

SC-40(2) - Wireless Link Protection | Reduce Detection Potential

SC-40(3) - Wireless Link Protection | Imitative or Manipulative Communications Deception

SC-40(4) - Wireless Link Protection | Signal Parameter Identification

SC-41 - Port and I/O Device Access

SC-42 - Sensor Capability and Data

SC-42(1) - Sensor Capability and Data | Reporting to Authorized Individuals or Roles

SC-42(2) - Sensor Capability and Data | Authorized Use

SC-42(4) - Sensor Capability and Data | Notice of Collection

SC-42(5) - Sensor Capability and Data | Collection Minimization

SC-43 - Usage Restrictions

SC-44 - Detonation Chambers

SC-45 - System Time Synchronization

SC-45(1) - System Time Synchronization | Synchronization with Authoritative Time Source

SC-45(2) - System Time Synchronization | Secondary Authoritative Time Source

SC-46 - Cross Domain Policy Enforcement

SC-47 - Alternate Communications Paths

SC-48 - Sensor Relocation

SC-48(1) - Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities

SC-49 - Hardware-enforced Separation and Policy Enforcement

SC-50 - Software-enforced Separation and Policy Enforcement

SC-51 - Hardware-based Protection

SI - System and Information Integrity

SI-1 - Policy and Procedures

SI-2 - Flaw Remediation

SI-2(2) - Flaw Remediation | Automated Flaw Remediation Status

SI-2(3) - Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions

SI-2(4) - Flaw Remediation | Automated Patch Management Tools

SI-2(5) - Flaw Remediation | Automatic Software and Firmware Updates

SI-2(6) - Flaw Remediation | Removal of Previous Versions of Software and Firmware

SI-3 - Malicious Code Protection

SI-3(4) - Malicious Code Protection | Updates Only by Privileged Users

SI-3(6) - Malicious Code Protection | Testing and Verification

SI-3(8) - Malicious Code Protection | Detect Unauthorized Commands

SI-3(10) - Malicious Code Protection | Malicious Code Analysis

SI-4 - System Monitoring

SI-4(1) - System Monitoring | System-wide Intrusion Detection System

SI-4(2) - System Monitoring | Automated Tools and Mechanisms for Real-time Analysis

SI-4(3) - System Monitoring | Automated Tool and Mechanism Integration

SI-4(4) - System Monitoring | Inbound and Outbound Communications Traffic

SI-4(5) - System Monitoring | System-generated Alerts

SI-4(7) - System Monitoring | Automated Response to Suspicious Events

SI-4(9) - System Monitoring | Testing of Monitoring Tools and Mechanisms

SI-4(10) - System Monitoring | Visibility of Encrypted Communications

SI-4(11) - System Monitoring | Analyze Communications Traffic Anomalies

SI-4(12) - System Monitoring | Automated Organization-generated Alerts

SI-4(13) - System Monitoring | Analyze Traffic and Event Patterns

SI-4(14) - System Monitoring | Wireless Intrusion Detection

SI-4(15) - System Monitoring | Wireless to Wireline Communications

SI-4(16) - System Monitoring | Correlate Monitoring Information

SI-4(17) - System Monitoring | Integrated Situational Awareness

SI-4(18) - System Monitoring | Analyze Traffic and Covert Exfiltration

SI-4(19) - System Monitoring | Risk for Individuals

SI-4(20) - System Monitoring | Privileged Users

SI-4(21) - System Monitoring | Probationary Periods

SI-4(22) - System Monitoring | Unauthorized Network Services

SI-4(23) - System Monitoring | Host-based Devices

SI-4(24) - System Monitoring | Indicators of Compromise

SI-4(25) - System Monitoring | Optimize Network Traffic Analysis

SI-5 - Security Alerts, Advisories, and Directives

SI-5(1) - Security Alerts, Advisories, and Directives | Automated Alerts and Advisories

SI-6 - Security and Privacy Function Verification

SI-6(2) - Security and Privacy Function Verification | Automation Support for Distributed Testing

SI-6(3) - Security and Privacy Function Verification | Report Verification Results

SI-7 - Software, Firmware, and Information Integrity

SI-7(1) - Software, Firmware, and Information Integrity | Integrity Checks

SI-7(2) - Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations

SI-7(3) - Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools

SI-7(5) - Software, Firmware, and Information Integrity | Automated Response to Integrity Violations

SI-7(6) - Software, Firmware, and Information Integrity | Cryptographic Protection

SI-7(7) - Software, Firmware, and Information Integrity | Integration of Detection and Response

SI-7(8) - Software, Firmware, and Information Integrity | Auditing Capability for Significant Events

SI-7(9) - Software, Firmware, and Information Integrity | Verify Boot Process

SI-7(10) - Software, Firmware, and Information Integrity | Protection of Boot Firmware

SI-7(12) - Software, Firmware, and Information Integrity | Integrity Verification

SI-7(15) - Software, Firmware, and Information Integrity | Code Authentication

SI-7(16) - Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision

SI-7(17) - Software, Firmware, and Information Integrity | Runtime Application Self-protection

SI-8 - Spam Protection

SI-8(2) - Spam Protection | Automatic Updates

SI-8(3) - Spam Protection | Continuous Learning Capability

SI-10 - Information Input Validation

SI-10(1) - Information Input Validation | Manual Override Capability

SI-10(2) - Information Input Validation | Review and Resolve Errors

SI-10(3) - Information Input Validation | Predictable Behavior

SI-10(4) - Information Input Validation | Timing Interactions

SI-10(5) - Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats

SI-10(6) - Information Input Validation | Injection Prevention

SI-11 - Error Handling

SI-12 - Information Management and Retention

SI-12(1) - Information Management and Retention | Limit Personally Identifiable Information Elements

SI-12(2) - Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research

SI-12(3) - Information Management and Retention | Information Disposal

SI-13 - Predictable Failure Prevention

SI-13(1) - Predictable Failure Prevention | Transferring Component Responsibilities

SI-13(3) - Predictable Failure Prevention | Manual Transfer Between Components

SI-13(4) - Predictable Failure Prevention | Standby Component Installation and Notification

SI-13(5) - Predictable Failure Prevention | Failover Capability

SI-14 - Non-persistence

SI-14(1) - Non-persistence | Refresh from Trusted Sources

SI-14(2) - Non-persistence | Non-persistent Information

SI-14(3) - Non-persistence | Non-persistent Connectivity

SI-15 - Information Output Filtering

SI-16 - Memory Protection

SI-17 - Fail-safe Procedures

SI-18 - Personally Identifiable Information Quality Operations

SI-18(1) - Personally Identifiable Information Quality Operations | Automation Support

SI-18(2) - Personally Identifiable Information Quality Operations | Data Tags

SI-18(3) - Personally Identifiable Information Quality Operations | Collection

SI-18(4) - Personally Identifiable Information Quality Operations | Individual Requests

SI-18(5) - Personally Identifiable Information Quality Operations | Notice of Correction or Deletion

SI-19 - De-identification

SI-19(1) - De-identification | Collection

SI-19(2) - De-identification | Archiving

SI-19(3) - De-identification | Release

SI-19(4) - De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers

SI-19(5) - De-identification | Statistical Disclosure Control

SI-19(6) - De-identification | Differential Privacy

SI-19(7) - De-identification | Validated Algorithms and Software

SI-19(8) - De-identification | Motivated Intruder

SI-20 - Tainting

SI-21 - Information Refresh

SI-22 - Information Diversity

SI-23 - Information Fragmentation

SR - Supply Chain Risk Management

SR-1 - Policy and Procedures

SR-2 - Supply Chain Risk Management Plan

SR-2(1) - Supply Chain Risk Management Plan | Establish Scrm Team

SR-3 - Supply Chain Controls and Processes

SR-3(1) - Supply Chain Controls and Processes | Diverse Supply Base

SR-3(2) - Supply Chain Controls and Processes | Limitation of Harm

SR-3(3) - Supply Chain Controls and Processes | Sub-tier Flow Down

SR-4 - Provenance

SR-4(1) - Provenance | Identity

SR-4(2) - Provenance | Track and Trace

SR-4(3) - Provenance | Validate as Genuine and Not Altered

SR-4(4) - Provenance | Supply Chain Integrity — Pedigree

SR-5 - Acquisition Strategies, Tools, and Methods

SR-5(1) - Acquisition Strategies, Tools, and Methods | Adequate Supply

SR-5(2) - Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update

SR-6 - Supplier Assessments and Reviews

SR-6(1) - Supplier Assessments and Reviews | Testing and Analysis

SR-7 - Supply Chain Operations Security

SR-8 - Notification Agreements

SR-9 - Tamper Resistance and Detection

SR-9(1) - Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle

SR-10 - Inspection of Systems or Components

SR-11 - Component Authenticity

SR-11(1) - Component Authenticity | Anti-counterfeit Training

SR-11(2) - Component Authenticity | Configuration Control for Component Service and Repair

SR-11(3) - Component Authenticity | Anti-counterfeit Scanning

SR-12 - Component Disposal

CM-3(4) - Configuration Change Control | Security and Privacy Representatives

Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element].

Informational References

https://csf.tools/reference/nist-sp-800-53/r4/cm/cm-3/cm-3-4/

ISO 27001

ID: CM-3(4)

Enhancement of : CM-3

Countermeasures Covered by Control

ID		Name	Description	D3FEND

Space Threats Tagged by Control

ID		Description

Sample Requirements

Requirement	Rationale/Additional Guidance/Notes
The [organization] shall ensure security representatives are included in all change control board reviews and decisions.{CM-3(4),SA-10(7)}

Related SPARTA Techniques and Sub-Techniques

ID		Name	Description