ATO Pathways
NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
An OSCAL Catalog
922 controls organized in 18 groups
AC - Access Control
126 Controls
AC-1 - Access Control Policy and Procedures
AC-2 - Account Management
13 Subcontrols
AC-2.1 - Automated System Account Management
AC-2.2 - Removal of Temporary / Emergency Accounts
AC-2.3 - Disable Inactive Accounts
AC-2.4 - Automated Audit Actions
AC-2.5 - Inactivity Logout
AC-2.6 - Dynamic Privilege Management
AC-2.7 - Role-based Schemes
AC-2.8 - Dynamic Account Creation
AC-2.9 - Restrictions On Use of Shared / Group Accounts
AC-2.10 - Shared / Group Account Credential Termination
AC-2.11 - Usage Conditions
AC-2.12 - Account Monitoring / Atypical Usage
AC-2.13 - Disable Accounts for High-risk Individuals
AC-3 - Access Enforcement
10 Subcontrols
AC-3.1 - Restricted Access to Privileged Functions
AC-3.2 - Dual Authorization
AC-3.3 - Mandatory Access Control
AC-3.4 - Discretionary Access Control
AC-3.5 - Security-relevant Information
AC-3.6 - Protection of User and System Information
AC-3.7 - Role-based Access Control
AC-3.8 - Revocation of Access Authorizations
AC-3.9 - Controlled Release
AC-3.10 - Audited Override of Access Control Mechanisms
AC-4 - Information Flow Enforcement
22 Subcontrols
AC-4.1 - Object Security Attributes
AC-4.2 - Processing Domains
AC-4.3 - Dynamic Information Flow Control
AC-4.4 - Content Check Encrypted Information
AC-4.5 - Embedded Data Types
AC-4.6 - Metadata
AC-4.7 - One-way Flow Mechanisms
AC-4.8 - Security Policy Filters
AC-4.9 - Human Reviews
AC-4.10 - Enable / Disable Security Policy Filters
AC-4.11 - Configuration of Security Policy Filters
AC-4.12 - Data Type Identifiers
AC-4.13 - Decomposition into Policy-relevant Subcomponents
AC-4.14 - Security Policy Filter Constraints
AC-4.15 - Detection of Unsanctioned Information
AC-4.16 - Information Transfers On Interconnected Systems
AC-4.17 - Domain Authentication
AC-4.18 - Security Attribute Binding
AC-4.19 - Validation of Metadata
AC-4.20 - Approved Solutions
AC-4.21 - Physical / Logical Separation of Information Flows
AC-4.22 - Access Only
AC-5 - Separation of Duties
AC-6 - Least Privilege
10 Subcontrols
AC-6.1 - Authorize Access to Security Functions
AC-6.2 - Non-privileged Access for Nonsecurity Functions
AC-6.3 - Network Access to Privileged Commands
AC-6.4 - Separate Processing Domains
AC-6.5 - Privileged Accounts
AC-6.6 - Privileged Access by Non-organizational Users
AC-6.7 - Review of User Privileges
AC-6.8 - Privilege Levels for Code Execution
AC-6.9 - Auditing Use of Privileged Functions
AC-6.10 - Prohibit Non-privileged Users from Executing Privileged Functions
AC-7 - Unsuccessful Logon Attempts
2 Subcontrols
AC-7.1 - Automatic Account Lock
AC-7.2 - Purge / Wipe Mobile Device
AC-8 - System Use Notification
AC-9 - Previous Logon (Access) Notification
4 Subcontrols
AC-9.1 - Unsuccessful Logons
AC-9.2 - Successful / Unsuccessful Logons
AC-9.3 - Notification of Account Changes
AC-9.4 - Additional Logon Information
AC-10 - Concurrent Session Control
AC-11 - Session Lock
1 Subcontrol
AC-11.1 - Pattern-hiding Displays
AC-12 - Session Termination
1 Subcontrol
AC-12.1 - User-initiated Logouts / Message Displays
AC-13 - Supervision and Review - Access Control
AC-14 - Permitted Actions Without Identification or Authentication
1 Subcontrol
AC-14.1 - Necessary Uses
AC-15 - Automated Marking
AC-16 - Security Attributes
10 Subcontrols
AC-16.1 - Dynamic Attribute Association
AC-16.2 - Attribute Value Changes by Authorized Individuals
AC-16.3 - Maintenance of Attribute Associations by Information System
AC-16.4 - Association of Attributes by Authorized Individuals
AC-16.5 - Attribute Displays for Output Devices
AC-16.6 - Maintenance of Attribute Association by Organization
AC-16.7 - Consistent Attribute Interpretation
AC-16.8 - Association Techniques / Technologies
AC-16.9 - Attribute Reassignment
AC-16.10 - Attribute Configuration by Authorized Individuals
AC-17 - Remote Access
9 Subcontrols
AC-17.1 - Automated Monitoring / Control
AC-17.2 - Protection of Confidentiality / Integrity Using Encryption
AC-17.3 - Managed Access Control Points
AC-17.4 - Privileged Commands / Access
AC-17.5 - Monitoring for Unauthorized Connections
AC-17.6 - Protection of Information
AC-17.7 - Additional Protection for Security Function Access
AC-17.8 - Disable Nonsecure Network Protocols
AC-17.9 - Disconnect / Disable Access
AC-18 - Wireless Access
5 Subcontrols
AC-18.1 - Authentication and Encryption
AC-18.2 - Monitoring Unauthorized Connections
AC-18.3 - Disable Wireless Networking
AC-18.4 - Restrict Configurations by Users
AC-18.5 - Antennas / Transmission Power Levels
AC-19 - Access Control for Mobile Devices
5 Subcontrols
AC-19.1 - Use of Writable / Portable Storage Devices
AC-19.2 - Use of Personally Owned Portable Storage Devices
AC-19.3 - Use of Portable Storage Devices with No Identifiable Owner
AC-19.4 - Restrictions for Classified Information
AC-19.5 - Full Device / Container-based Encryption
AC-20 - Use of External Information Systems
4 Subcontrols
AC-20.1 - Limits On Authorized Use
AC-20.2 - Portable Storage Devices
AC-20.3 - Non-organizationally Owned Systems / Components / Devices
AC-20.4 - Network Accessible Storage Devices
AC-21 - Information Sharing
2 Subcontrols
AC-21.1 - Automated Decision Support
AC-21.2 - Information Search and Retrieval
AC-22 - Publicly Accessible Content
AC-23 - Data Mining Protection
AC-24 - Access Control Decisions
2 Subcontrols
AC-24.1 - Transmit Access Authorization Information
AC-24.2 - No User or Process Identity
AC-25 - Reference Monitor
AT - Awareness and Training
11 Controls
AT-1 - Security Awareness and Training Policy and Procedures
AT-2 - Security Awareness Training
2 Subcontrols
AT-2.1 - Practical Exercises
AT-2.2 - Insider Threat
AT-3 - Role-based Security Training
4 Subcontrols
AT-3.1 - Environmental Controls
AT-3.2 - Physical Security Controls
AT-3.3 - Practical Exercises
AT-3.4 - Suspicious Communications and Anomalous System Behavior
AT-4 - Security Training Records
AT-5 - Contacts with Security Groups and Associations
AU - Audit and Accountability
63 Controls
AU-1 - Audit and Accountability Policy and Procedures
AU-2 - Audit Events
4 Subcontrols
AU-2.1 - Compilation of Audit Records from Multiple Sources
AU-2.2 - Selection of Audit Events by Component
AU-2.3 - Reviews and Updates
AU-2.4 - Privileged Functions
AU-3 - Content of Audit Records
2 Subcontrols
AU-3.1 - Additional Audit Information
AU-3.2 - Centralized Management of Planned Audit Record Content
AU-4 - Audit Storage Capacity
1 Subcontrol
AU-4.1 - Transfer to Alternate Storage
AU-5 - Response to Audit Processing Failures
4 Subcontrols
AU-5.1 - Audit Storage Capacity
AU-5.2 - Real-time Alerts
AU-5.3 - Configurable Traffic Volume Thresholds
AU-5.4 - Shutdown On Failure
AU-6 - Audit Review, Analysis, and Reporting
10 Subcontrols
AU-6.1 - Process Integration
AU-6.2 - Automated Security Alerts
AU-6.3 - Correlate Audit Repositories
AU-6.4 - Central Review and Analysis
AU-6.5 - Integration / Scanning and Monitoring Capabilities
AU-6.6 - Correlation with Physical Monitoring
AU-6.7 - Permitted Actions
AU-6.8 - Full Text Analysis of Privileged Commands
AU-6.9 - Correlation with Information from Nontechnical Sources
AU-6.10 - Audit Level Adjustment
AU-7 - Audit Reduction and Report Generation
2 Subcontrols
AU-7.1 - Automatic Processing
AU-7.2 - Automatic Sort and Search
AU-8 - Time Stamps
2 Subcontrols
AU-8.1 - Synchronization with Authoritative Time Source
AU-8.2 - Secondary Authoritative Time Source
AU-9 - Protection of Audit Information
6 Subcontrols
AU-9.1 - Hardware Write-once Media
AU-9.2 - Audit Backup On Separate Physical Systems / Components
AU-9.3 - Cryptographic Protection
AU-9.4 - Access by Subset of Privileged Users
AU-9.5 - Dual Authorization
AU-9.6 - Read Only Access
AU-10 - Non-repudiation
5 Subcontrols
AU-10.1 - Association of Identities
AU-10.2 - Validate Binding of Information Producer Identity
AU-10.3 - Chain of Custody
AU-10.4 - Validate Binding of Information Reviewer Identity
AU-10.5 - Digital Signatures
AU-11 - Audit Record Retention
1 Subcontrol
AU-11.1 - Long-term Retrieval Capability
AU-12 - Audit Generation
3 Subcontrols
AU-12.1 - System-wide / Time-correlated Audit Trail
AU-12.2 - Standardized Formats
AU-12.3 - Changes by Authorized Individuals
AU-13 - Monitoring for Information Disclosure
2 Subcontrols
AU-13.1 - Use of Automated Tools
AU-13.2 - Review of Monitored Sites
AU-14 - Session Audit
3 Subcontrols
AU-14.1 - System Start-up
AU-14.2 - Capture/record and Log Content
AU-14.3 - Remote Viewing / Listening
AU-15 - Alternate Audit Capability
AU-16 - Cross-organizational Auditing
2 Subcontrols
AU-16.1 - Identity Preservation
AU-16.2 - Sharing of Audit Information
CA - Security Assessment and Authorization
24 Controls
CA-1 - Security Assessment and Authorization Policy and Procedures
CA-2 - Security Assessments
3 Subcontrols
CA-2.1 - Independent Assessors
CA-2.2 - Specialized Assessments
CA-2.3 - External Organizations
CA-3 - System Interconnections
5 Subcontrols
CA-3.1 - Unclassified National Security System Connections
CA-3.2 - Classified National Security System Connections
CA-3.3 - Unclassified Non-national Security System Connections
CA-3.4 - Connections to Public Networks
CA-3.5 - Restrictions On External System Connections
CA-4 - Security Certification
CA-5 - Plan of Action and Milestones
1 Subcontrol
CA-5.1 - Automation Support for Accuracy / Currency
CA-6 - Security Authorization
CA-7 - Continuous Monitoring
3 Subcontrols
CA-7.1 - Independent Assessment
CA-7.2 - Types of Assessments
CA-7.3 - Trend Analyses
CA-8 - Penetration Testing
2 Subcontrols
CA-8.1 - Independent Penetration Agent or Team
CA-8.2 - Red Team Exercises
CA-9 - Internal System Connections
1 Subcontrol
CA-9.1 - Security Compliance Checks
CM - Configuration Management
55 Controls
CM-1 - Configuration Management Policy and Procedures
CM-2 - Baseline Configuration
7 Subcontrols
CM-2.1 - Reviews and Updates
CM-2.2 - Automation Support for Accuracy / Currency
CM-2.3 - Retention of Previous Configurations
CM-2.4 - Unauthorized Software
CM-2.5 - Authorized Software
CM-2.6 - Development and Test Environments
CM-2.7 - Configure Systems, Components, or Devices for High-risk Areas
CM-3 - Configuration Change Control
6 Subcontrols
CM-3.1 - Automated Document / Notification / Prohibition of Changes
CM-3.2 - Test / Validate / Document Changes
CM-3.3 - Automated Change Implementation
CM-3.4 - Security Representative
CM-3.5 - Automated Security Response
CM-3.6 - Cryptography Management
CM-4 - Security Impact Analysis
2 Subcontrols
CM-4.1 - Separate Test Environments
CM-4.2 - Verification of Security Functions
CM-5 - Access Restrictions for Change
7 Subcontrols
CM-5.1 - Automated Access Enforcement / Auditing
CM-5.2 - Review System Changes
CM-5.3 - Signed Components
CM-5.4 - Dual Authorization
CM-5.5 - Limit Production / Operational Privileges
CM-5.6 - Limit Library Privileges
CM-5.7 - Automatic Implementation of Security Safeguards
CM-6 - Configuration Settings
4 Subcontrols
CM-6.1 - Automated Central Management / Application / Verification
CM-6.2 - Respond to Unauthorized Changes
CM-6.3 - Unauthorized Change Detection
CM-6.4 - Conformance Demonstration
CM-7 - Least Functionality
5 Subcontrols
CM-7.1 - Periodic Review
CM-7.2 - Prevent Program Execution
CM-7.3 - Registration Compliance
CM-7.4 - Unauthorized Software / Blacklisting
CM-7.5 - Authorized Software / Whitelisting
CM-8 - Information System Component Inventory
9 Subcontrols
CM-8.1 - Updates During Installations / Removals
CM-8.2 - Automated Maintenance
CM-8.3 - Automated Unauthorized Component Detection
CM-8.4 - Accountability Information
CM-8.5 - No Duplicate Accounting of Components
CM-8.6 - Assessed Configurations / Approved Deviations
CM-8.7 - Centralized Repository
CM-8.8 - Automated Location Tracking
CM-8.9 - Assignment of Components to Systems
CM-9 - Configuration Management Plan
1 Subcontrol
CM-9.1 - Assignment of Responsibility
CM-10 - Software Usage Restrictions
1 Subcontrol
CM-10.1 - Open Source Software
CM-11 - User-installed Software
2 Subcontrols
CM-11.1 - Alerts for Unauthorized Installations
CM-11.2 - Prohibit Installation Without Privileged Status
CP - Contingency Planning
54 Controls
CP-1 - Contingency Planning Policy and Procedures
CP-2 - Contingency Plan
8 Subcontrols
CP-2.1 - Coordinate with Related Plans
CP-2.2 - Capacity Planning
CP-2.3 - Resume Essential Missions / Business Functions
CP-2.4 - Resume All Missions / Business Functions
CP-2.5 - Continue Essential Missions / Business Functions
CP-2.6 - Alternate Processing / Storage Site
CP-2.7 - Coordinate with External Service Providers
CP-2.8 - Identify Critical Assets
CP-3 - Contingency Training
2 Subcontrols
CP-3.1 - Simulated Events
CP-3.2 - Automated Training Environments
CP-4 - Contingency Plan Testing
4 Subcontrols
CP-4.1 - Coordinate with Related Plans
CP-4.2 - Alternate Processing Site
CP-4.3 - Automated Testing
CP-4.4 - Full Recovery / Reconstitution
CP-5 - Contingency Plan Update
CP-6 - Alternate Storage Site
3 Subcontrols
CP-6.1 - Separation from Primary Site
CP-6.2 - Recovery Time / Point Objectives
CP-6.3 - Accessibility
CP-7 - Alternate Processing Site
6 Subcontrols
CP-7.1 - Separation from Primary Site
CP-7.2 - Accessibility
CP-7.3 - Priority of Service
CP-7.4 - Preparation for Use
CP-7.5 - Equivalent Information Security Safeguards
CP-7.6 - Inability to Return to Primary Site
CP-8 - Telecommunications Services
5 Subcontrols
CP-8.1 - Priority of Service Provisions
CP-8.2 - Single Points of Failure
CP-8.3 - Separation of Primary / Alternate Providers
CP-8.4 - Provider Contingency Plan
CP-8.5 - Alternate Telecommunication Service Testing
CP-9 - Information System Backup
7 Subcontrols
CP-9.1 - Testing for Reliability / Integrity
CP-9.2 - Test Restoration Using Sampling
CP-9.3 - Separate Storage for Critical Information
CP-9.4 - Protection from Unauthorized Modification
CP-9.5 - Transfer to Alternate Storage Site
CP-9.6 - Redundant Secondary System
CP-9.7 - Dual Authorization
CP-10 - Information System Recovery and Reconstitution
6 Subcontrols
CP-10.1 - Contingency Plan Testing
CP-10.2 - Transaction Recovery
CP-10.3 - Compensating Security Controls
CP-10.4 - Restore Within Time Period
CP-10.5 - Failover Capability
CP-10.6 - Component Protection
CP-11 - Alternate Communications Protocols
CP-12 - Safe Mode
CP-13 - Alternative Security Mechanisms
IA - Identification and Authentication
57 Controls
IA-1 - Identification and Authentication Policy and Procedures
IA-2 - Identification and Authentication (Organizational Users)
13 Subcontrols
IA-2.1 - Network Access to Privileged Accounts
IA-2.2 - Network Access to Non-privileged Accounts
IA-2.3 - Local Access to Privileged Accounts
IA-2.4 - Local Access to Non-privileged Accounts
IA-2.5 - Group Authentication
IA-2.6 - Network Access to Privileged Accounts - Separate Device
IA-2.7 - Network Access to Non-privileged Accounts - Separate Device
IA-2.8 - Network Access to Privileged Accounts - Replay Resistant
IA-2.9 - Network Access to Non-privileged Accounts - Replay Resistant
IA-2.10 - Single Sign-on
IA-2.11 - Remote Access - Separate Device
IA-2.12 - Acceptance of PIV Credentials
IA-2.13 - Out-of-band Authentication
IA-3 - Device Identification and Authentication
4 Subcontrols
IA-3.1 - Cryptographic Bidirectional Authentication
IA-3.2 - Cryptographic Bidirectional Network Authentication
IA-3.3 - Dynamic Address Allocation
IA-3.4 - Device Attestation
IA-4 - Identifier Management
7 Subcontrols
IA-4.1 - Prohibit Account Identifiers as Public Identifiers
IA-4.2 - Supervisor Authorization
IA-4.3 - Multiple Forms of Certification
IA-4.4 - Identify User Status
IA-4.5 - Dynamic Management
IA-4.6 - Cross-organization Management
IA-4.7 - In-person Registration
IA-5 - Authenticator Management
15 Subcontrols
IA-5.1 - Password-based Authentication
IA-5.2 - PKI-based Authentication
IA-5.3 - In-person or Trusted Third-party Registration
IA-5.4 - Automated Support for Password Strength Determination
IA-5.5 - Change Authenticators Prior to Delivery
IA-5.6 - Protection of Authenticators
IA-5.7 - No Embedded Unencrypted Static Authenticators
IA-5.8 - Multiple Information System Accounts
IA-5.9 - Cross-organization Credential Management
IA-5.10 - Dynamic Credential Association
IA-5.11 - Hardware Token-based Authentication
IA-5.12 - Biometric-based Authentication
IA-5.13 - Expiration of Cached Authenticators
IA-5.14 - Managing Content of PKI Trust Stores
IA-5.15 - FICAM-approved Products and Services
IA-6 - Authenticator Feedback
IA-7 - Cryptographic Module Authentication
IA-8 - Identification and Authentication (Non-organizational Users)
5 Subcontrols
IA-8.1 - Acceptance of PIV Credentials from Other Agencies
IA-8.2 - Acceptance of Third-party Credentials
IA-8.3 - Use of FICAM-approved Products
IA-8.4 - Use of FICAM-issued Profiles
IA-8.5 - Acceptance of PIV-I Credentials
IA-9 - Service Identification and Authentication
2 Subcontrols
IA-9.1 - Information Exchange
IA-9.2 - Transmission of Decisions
IA-10 - Adaptive Identification and Authentication
IA-11 - Re-authentication
IR - Incident Response
34 Controls
IR-1 - Incident Response Policy and Procedures
IR-2 - Incident Response Training
2 Subcontrols
IR-2.1 - Simulated Events
IR-2.2 - Automated Training Environments
IR-3 - Incident Response Testing
2 Subcontrols
IR-3.1 - Automated Testing
IR-3.2 - Coordination with Related Plans
IR-4 - Incident Handling
10 Subcontrols
IR-4.1 - Automated Incident Handling Processes
IR-4.2 - Dynamic Reconfiguration
IR-4.3 - Continuity of Operations
IR-4.4 - Information Correlation
IR-4.5 - Automatic Disabling of Information System
IR-4.6 - Insider Threats - Specific Capabilities
IR-4.7 - Insider Threats - Intra-organization Coordination
IR-4.8 - Correlation with External Organizations
IR-4.9 - Dynamic Response Capability
IR-4.10 - Supply Chain Coordination
IR-5 - Incident Monitoring
1 Subcontrol
IR-5.1 - Automated Tracking / Data Collection / Analysis
IR-6 - Incident Reporting
3 Subcontrols
IR-6.1 - Automated Reporting
IR-6.2 - Vulnerabilities Related to Incidents
IR-6.3 - Coordination with Supply Chain
IR-7 - Incident Response Assistance
2 Subcontrols
IR-7.1 - Automation Support for Availability of Information / Support
IR-7.2 - Coordination with External Providers
IR-8 - Incident Response Plan
IR-9 - Information Spillage Response
4 Subcontrols
IR-9.1 - Responsible Personnel
IR-9.2 - Training
IR-9.3 - Post-spill Operations
IR-9.4 - Exposure to Unauthorized Personnel
IR-10 - Integrated Information Security Analysis Team
MA - Maintenance
27 Controls
MA-1 - System Maintenance Policy and Procedures
MA-2 - Controlled Maintenance
2 Subcontrols
MA-2.1 - Record Content
MA-2.2 - Automated Maintenance Activities
MA-3 - Maintenance Tools
4 Subcontrols
MA-3.1 - Inspect Tools
MA-3.2 - Inspect Media
MA-3.3 - Prevent Unauthorized Removal
MA-3.4 - Restricted Tool Use
MA-4 - Nonlocal Maintenance
7 Subcontrols
MA-4.1 - Auditing and Review
MA-4.2 - Document Nonlocal Maintenance
MA-4.3 - Comparable Security / Sanitization
MA-4.4 - Authentication / Separation of Maintenance Sessions
MA-4.5 - Approvals and Notifications
MA-4.6 - Cryptographic Protection
MA-4.7 - Remote Disconnect Verification
MA-5 - Maintenance Personnel
5 Subcontrols
MA-5.1 - Individuals Without Appropriate Access
MA-5.2 - Security Clearances for Classified Systems
MA-5.3 - Citizenship Requirements for Classified Systems
MA-5.4 - Foreign Nationals
MA-5.5 - Nonsystem-related Maintenance
MA-6 - Timely Maintenance
3 Subcontrols
MA-6.1 - Preventive Maintenance
MA-6.2 - Predictive Maintenance
MA-6.3 - Automated Support for Predictive Maintenance
MP - Media Protection
30 Controls
MP-1 - Media Protection Policy and Procedures
MP-2 - Media Access
2 Subcontrols
MP-2.1 - Automated Restricted Access
MP-2.2 - Cryptographic Protection
MP-3 - Media Marking
MP-4 - Media Storage
2 Subcontrols
MP-4.1 - Cryptographic Protection
MP-4.2 - Automated Restricted Access
MP-5 - Media Transport
4 Subcontrols
MP-5.1 - Protection Outside of Controlled Areas
MP-5.2 - Documentation of Activities
MP-5.3 - Custodians
MP-5.4 - Cryptographic Protection
MP-6 - Media Sanitization
8 Subcontrols
MP-6.1 - Review / Approve / Track / Document / Verify
MP-6.2 - Equipment Testing
MP-6.3 - Nondestructive Techniques
MP-6.4 - Controlled Unclassified Information
MP-6.5 - Classified Information
MP-6.6 - Media Destruction
MP-6.7 - Dual Authorization
MP-6.8 - Remote Purging / Wiping of Information
MP-7 - Media Use
2 Subcontrols
MP-7.1 - Prohibit Use Without Owner
MP-7.2 - Prohibit Use of Sanitization-resistant Media
MP-8 - Media Downgrading
4 Subcontrols
MP-8.1 - Documentation of Process
MP-8.2 - Equipment Testing
MP-8.3 - Controlled Unclassified Information
MP-8.4 - Classified Information
PE - Physical and Environmental Protection
53 Controls
PE-1 - Physical and Environmental Protection Policy and Procedures
PE-2 - Physical Access Authorizations
3 Subcontrols
PE-2.1 - Access by Position / Role
PE-2.2 - Two Forms of Identification
PE-2.3 - Restrict Unescorted Access
PE-3 - Physical Access Control
6 Subcontrols
PE-3.1 - Information System Access
PE-3.2 - Facility / Information System Boundaries
PE-3.3 - Continuous Guards / Alarms / Monitoring
PE-3.4 - Lockable Casings
PE-3.5 - Tamper Protection
PE-3.6 - Facility Penetration Testing
PE-4 - Access Control for Transmission Medium
PE-5 - Access Control for Output Devices
3 Subcontrols
PE-5.1 - Access to Output by Authorized Individuals
PE-5.2 - Access to Output by Individual Identity
PE-5.3 - Marking Output Devices
PE-6 - Monitoring Physical Access
4 Subcontrols
PE-6.1 - Intrusion Alarms / Surveillance Equipment
PE-6.2 - Automated Intrusion Recognition / Responses
PE-6.3 - Video Surveillance
PE-6.4 - Monitoring Physical Access to Information Systems
PE-7 - Visitor Control
PE-8 - Visitor Access Records
2 Subcontrols
PE-8.1 - Automated Records Maintenance / Review
PE-8.2 - Physical Access Records
PE-9 - Power Equipment and Cabling
2 Subcontrols
PE-9.1 - Redundant Cabling
PE-9.2 - Automatic Voltage Controls
PE-10 - Emergency Shutoff
1 Subcontrol
PE-10.1 - Accidental / Unauthorized Activation
PE-11 - Emergency Power
2 Subcontrols
PE-11.1 - Long-term Alternate Power Supply - Minimal Operational Capability
PE-11.2 - Long-term Alternate Power Supply - Self-contained
PE-12 - Emergency Lighting
1 Subcontrol
PE-12.1 - Essential Missions / Business Functions
PE-13 - Fire Protection
4 Subcontrols
PE-13.1 - Detection Devices / Systems
PE-13.2 - Suppression Devices / Systems
PE-13.3 - Automatic Fire Suppression
PE-13.4 - Inspections
PE-14 - Temperature and Humidity Controls
2 Subcontrols
PE-14.1 - Automatic Controls
PE-14.2 - Monitoring with Alarms / Notifications
PE-15 - Water Damage Protection
1 Subcontrol
PE-15.1 - Automation Support
PE-16 - Delivery and Removal
PE-17 - Alternate Work Site
PE-18 - Location of Information System Components
1 Subcontrol
PE-18.1 - Facility Site
PE-19 - Information Leakage
1 Subcontrol
PE-19.1 - National Emissions / TEMPEST Policies and Procedures
PE-20 - Asset Monitoring and Tracking
PL - Planning
15 Controls
PL-1 - Security Planning Policy and Procedures
PL-2 - System Security Plan
3 Subcontrols
PL-2.1 - Concept of Operations
PL-2.2 - Functional Architecture
PL-2.3 - Plan / Coordinate with Other Organizational Entities
PL-3 - System Security Plan Update
PL-4 - Rules of Behavior
1 Subcontrol
PL-4.1 - Social Media and Networking Restrictions
PL-5 - Privacy Impact Assessment
PL-6 - Security-related Activity Planning
PL-7 - Security Concept of Operations
PL-8 - Information Security Architecture
2 Subcontrols
PL-8.1 - Defense-in-depth
PL-8.2 - Supplier Diversity
PL-9 - Central Management
PS - Personnel Security
16 Controls
PS-1 - Personnel Security Policy and Procedures
PS-2 - Position Risk Designation
PS-3 - Personnel Screening
3 Subcontrols
PS-3.1 - Classified Information
PS-3.2 - Formal Indoctrination
PS-3.3 - Information with Special Protection Measures
PS-4 - Personnel Termination
2 Subcontrols
PS-4.1 - Post-employment Requirements
PS-4.2 - Automated Notification
PS-5 - Personnel Transfer
PS-6 - Access Agreements
3 Subcontrols
PS-6.1 - Information Requiring Special Protection
PS-6.2 - Classified Information Requiring Special Protection
PS-6.3 - Post-employment Requirements
PS-7 - Third-party Personnel Security
PS-8 - Personnel Sanctions
RA - Risk Assessment
16 Controls
RA-1 - Risk Assessment Policy and Procedures
RA-2 - Security Categorization
RA-3 - Risk Assessment
RA-4 - Risk Assessment Update
RA-5 - Vulnerability Scanning
10 Subcontrols
RA-5.1 - Update Tool Capability
RA-5.2 - Update by Frequency / Prior to New Scan / When Identified
RA-5.3 - Breadth / Depth of Coverage
RA-5.4 - Discoverable Information
RA-5.5 - Privileged Access
RA-5.6 - Automated Trend Analyses
RA-5.7 - Automated Detection and Notification of Unauthorized Components
RA-5.8 - Review Historic Audit Logs
RA-5.9 - Penetration Testing and Analyses
RA-5.10 - Correlate Scanning Information
RA-6 - Technical Surveillance Countermeasures Survey
SA - System and Services Acquisition
98 Controls
SA-1 - System and Services Acquisition Policy and Procedures
SA-2 - Allocation of Resources
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
10 Subcontrols
SA-4.1 - Functional Properties of Security Controls
SA-4.2 - Design / Implementation Information for Security Controls
SA-4.3 - Development Methods / Techniques / Practices
SA-4.4 - Assignment of Components to Systems
SA-4.5 - System / Component / Service Configurations
SA-4.6 - Use of Information Assurance Products
SA-4.7 - NIAP-approved Protection Profiles
SA-4.8 - Continuous Monitoring Plan
SA-4.9 - Functions / Ports / Protocols / Services in Use
SA-4.10 - Use of Approved PIV Products
SA-5 - Information System Documentation
5 Subcontrols
SA-5.1 - Functional Properties of Security Controls
SA-5.2 - Security-relevant External System Interfaces
SA-5.3 - High-level Design
SA-5.4 - Low-level Design
SA-5.5 - Source Code
SA-6 - Software Usage Restrictions
SA-7 - User-installed Software
SA-8 - Security Engineering Principles
SA-9 - External Information System Services
5 Subcontrols
SA-9.1 - Risk Assessments / Organizational Approvals
SA-9.2 - Identification of Functions / Ports / Protocols / Services
SA-9.3 - Establish / Maintain Trust Relationship with Providers
SA-9.4 - Consistent Interests of Consumers and Providers
SA-9.5 - Processing, Storage, and Service Location
SA-10 - Developer Configuration Management
6 Subcontrols
SA-10.1 - Software / Firmware Integrity Verification
SA-10.2 - Alternative Configuration Management Processes
SA-10.3 - Hardware Integrity Verification
SA-10.4 - Trusted Generation
SA-10.5 - Mapping Integrity for Version Control
SA-10.6 - Trusted Distribution
SA-11 - Developer Security Testing and Evaluation
8 Subcontrols
SA-11.1 - Static Code Analysis
SA-11.2 - Threat and Vulnerability Analyses
SA-11.3 - Independent Verification of Assessment Plans / Evidence
SA-11.4 - Manual Code Reviews
SA-11.5 - Penetration Testing
SA-11.6 - Attack Surface Reviews
SA-11.7 - Verify Scope of Testing / Evaluation
SA-11.8 - Dynamic Code Analysis
SA-12 - Supply Chain Protection
15 Subcontrols
SA-12.1 - Acquisition Strategies / Tools / Methods
SA-12.2 - Supplier Reviews
SA-12.3 - Trusted Shipping and Warehousing
SA-12.4 - Diversity of Suppliers
SA-12.5 - Limitation of Harm
SA-12.6 - Minimizing Procurement Time
SA-12.7 - Assessments Prior to Selection / Acceptance / Update
SA-12.8 - Use of All-source Intelligence
SA-12.9 - Operations Security
SA-12.10 - Validate as Genuine and Not Altered
SA-12.11 - Penetration Testing / Analysis of Elements, Processes, and Actors
SA-12.12 - Inter-organizational Agreements
SA-12.13 - Critical Information System Components
SA-12.14 - Identity and Traceability
SA-12.15 - Processes to Address Weaknesses or Deficiencies
SA-13 - Trustworthiness
SA-14 - Criticality Analysis
1 Subcontrol
SA-14.1 - Critical Components with No Viable Alternative Sourcing
SA-15 - Development Process, Standards, and Tools
11 Subcontrols
SA-15.1 - Quality Metrics
SA-15.2 - Security Tracking Tools
SA-15.3 - Criticality Analysis
SA-15.4 - Threat Modeling / Vulnerability Analysis
SA-15.5 - Attack Surface Reduction
SA-15.6 - Continuous Improvement
SA-15.7 - Automated Vulnerability Analysis
SA-15.8 - Reuse of Threat / Vulnerability Information
SA-15.9 - Use of Live Data
SA-15.10 - Incident Response Plan
SA-15.11 - Archive Information System / Component
SA-16 - Developer-provided Training
SA-17 - Developer Security Architecture and Design
7 Subcontrols
SA-17.1 - Formal Policy Model
SA-17.2 - Security-relevant Components
SA-17.3 - Formal Correspondence
SA-17.4 - Informal Correspondence
SA-17.5 - Conceptually Simple Design
SA-17.6 - Structure for Testing
SA-17.7 - Structure for Least Privilege
SA-18 - Tamper Resistance and Detection
2 Subcontrols
SA-18.1 - Multiple Phases of SDLC
SA-18.2 - Inspection of Information Systems, Components, or Devices
SA-19 - Component Authenticity
4 Subcontrols
SA-19.1 - Anti-counterfeit Training
SA-19.2 - Configuration Control for Component Service / Repair
SA-19.3 - Component Disposal
SA-19.4 - Anti-counterfeit Scanning
SA-20 - Customized Development of Critical Components
SA-21 - Developer Screening
1 Subcontrol
SA-21.1 - Validation of Screening
SA-22 - Unsupported System Components
1 Subcontrol
SA-22.1 - Alternative Sources for Continued Support
SC - System and Communications Protection
136 Controls
SC-1 - System and Communications Protection Policy and Procedures
SC-2 - Application Partitioning
1 Subcontrol
SC-2.1 - Interfaces for Non-privileged Users
SC-3 - Security Function Isolation
5 Subcontrols
SC-3.1 - Hardware Separation
SC-3.2 - Access / Flow Control Functions
SC-3.3 - Minimize Nonsecurity Functionality
SC-3.4 - Module Coupling and Cohesiveness
SC-3.5 - Layered Structures
SC-4 - Information in Shared Resources
2 Subcontrols
SC-4.1 - Security Levels
SC-4.2 - Periods Processing
SC-5 - Denial of Service Protection
3 Subcontrols
SC-5.1 - Restrict Internal Users
SC-5.2 - Excess Capacity / Bandwidth / Redundancy
SC-5.3 - Detection / Monitoring
SC-6 - Resource Availability
SC-7 - Boundary Protection
23 Subcontrols
SC-7.1 - Physically Separated Subnetworks
SC-7.2 - Public Access
SC-7.3 - Access Points
SC-7.4 - External Telecommunications Services
SC-7.5 - Deny by Default / Allow by Exception
SC-7.6 - Response to Recognized Failures
SC-7.7 - Prevent Split Tunneling for Remote Devices
SC-7.8 - Route Traffic to Authenticated Proxy Servers
SC-7.9 - Restrict Threatening Outgoing Communications Traffic
SC-7.10 - Prevent Unauthorized Exfiltration
SC-7.11 - Restrict Incoming Communications Traffic
SC-7.12 - Host-based Protection
SC-7.13 - Isolation of Security Tools / Mechanisms / Support Components
SC-7.14 - Protects Against Unauthorized Physical Connections
SC-7.15 - Route Privileged Network Accesses
SC-7.16 - Prevent Discovery of Components / Devices
SC-7.17 - Automated Enforcement of Protocol Formats
SC-7.18 - Fail Secure
SC-7.19 - Blocks Communication from Non-organizationally Configured Hosts
SC-7.20 - Dynamic Isolation / Segregation
SC-7.21 - Isolation of Information System Components
SC-7.22 - Separate Subnets for Connecting to Different Security Domains
SC-7.23 - Disable Sender Feedback On Protocol Validation Failure
SC-8 - Transmission Confidentiality and Integrity
4 Subcontrols
SC-8.1 - Cryptographic or Alternate Physical Protection
SC-8.2 - Pre / Post Transmission Handling
SC-8.3 - Cryptographic Protection for Message Externals
SC-8.4 - Conceal / Randomize Communications
SC-9 - Transmission Confidentiality
SC-10 - Network Disconnect
SC-11 - Trusted Path
1 Subcontrol
SC-11.1 - Logical Isolation
SC-12 - Cryptographic Key Establishment and Management
5 Subcontrols
SC-12.1 - Availability
SC-12.2 - Symmetric Keys
SC-12.3 - Asymmetric Keys
SC-12.4 - PKI Certificates
SC-12.5 - PKI Certificates / Hardware Tokens
SC-13 - Cryptographic Protection
4 Subcontrols
SC-13.1 - FIPS-validated Cryptography
SC-13.2 - NSA-approved Cryptography
SC-13.3 - Individuals Without Formal Access Approvals
SC-13.4 - Digital Signatures
SC-14 - Public Access Protections
SC-15 - Collaborative Computing Devices
4 Subcontrols
SC-15.1 - Physical Disconnect
SC-15.2 - Blocking Inbound / Outbound Communications Traffic
SC-15.3 - Disabling / Removal in Secure Work Areas
SC-15.4 - Explicitly Indicate Current Participants
SC-16 - Transmission of Security Attributes
1 Subcontrol
SC-16.1 - Integrity Validation
SC-17 - Public Key Infrastructure Certificates
SC-18 - Mobile Code
5 Subcontrols
SC-18.1 - Identify Unacceptable Code / Take Corrective Actions
SC-18.2 - Acquisition / Development / Use
SC-18.3 - Prevent Downloading / Execution
SC-18.4 - Prevent Automatic Execution
SC-18.5 - Allow Execution Only in Confined Environments
SC-19 - Voice Over Internet Protocol
SC-20 - Secure Name / Address Resolution Service (Authoritative Source)
2 Subcontrols
SC-20.1 - Child Subspaces
SC-20.2 - Data Origin / Integrity
SC-21 - Secure Name / Address Resolution Service (Recursive or Caching Resolver)
1 Subcontrol
SC-21.1 - Data Origin / Integrity
SC-22 - Architecture and Provisioning for Name / Address Resolution Service
SC-23 - Session Authenticity
5 Subcontrols
SC-23.1 - Invalidate Session Identifiers at Logout
SC-23.2 - User-initiated Logouts / Message Displays
SC-23.3 - Unique Session Identifiers with Randomization
SC-23.4 - Unique Session Identifiers with Randomization
SC-23.5 - Allowed Certificate Authorities
SC-24 - Fail in Known State
SC-25 - Thin Nodes
SC-26 - Honeypots
1 Subcontrol
SC-26.1 - Detection of Malicious Code
SC-27 - Platform-independent Applications
SC-28 - Protection of Information at Rest
2 Subcontrols
SC-28.1 - Cryptographic Protection
SC-28.2 - Off-line Storage
SC-29 - Heterogeneity
1 Subcontrol
SC-29.1 - Virtualization Techniques
SC-30 - Concealment and Misdirection
5 Subcontrols
SC-30.1 - Virtualization Techniques
SC-30.2 - Randomness
SC-30.3 - Change Processing / Storage Locations
SC-30.4 - Misleading Information
SC-30.5 - Concealment of System Components
SC-31 - Covert Channel Analysis
3 Subcontrols
SC-31.1 - Test Covert Channels for Exploitability
SC-31.2 - Maximum Bandwidth
SC-31.3 - Measure Bandwidth in Operational Environments
SC-32 - Information System Partitioning
SC-33 - Transmission Preparation Integrity
SC-34 - Non-modifiable Executable Programs
3 Subcontrols
SC-34.1 - No Writable Storage
SC-34.2 - Integrity Protection / Read-only Media
SC-34.3 - Hardware-based Protection
SC-35 - Honeyclients
SC-36 - Distributed Processing and Storage
1 Subcontrol
SC-36.1 - Polling Techniques
SC-37 - Out-of-band Channels
1 Subcontrol
SC-37.1 - Ensure Delivery / Transmission
SC-38 - Operations Security
SC-39 - Process Isolation
2 Subcontrols
SC-39.1 - Hardware Separation
SC-39.2 - Thread Isolation
SC-40 - Wireless Link Protection
4 Subcontrols
SC-40.1 - Electromagnetic Interference
SC-40.2 - Reduce Detection Potential
SC-40.3 - Imitative or Manipulative Communications Deception
SC-40.4 - Signal Parameter Identification
SC-41 - Port and I/O Device Access
SC-42 - Sensor Capability and Data
3 Subcontrols
SC-42.1 - Reporting to Authorized Individuals or Roles
SC-42.2 - Authorized Use
SC-42.3 - Prohibit Use of Devices
SC-43 - Usage Restrictions
SC-44 - Detonation Chambers
SI - System and Information Integrity
91 Controls
SI-1 - System and Information Integrity Policy and Procedures
SI-2 - Flaw Remediation
6 Subcontrols
SI-2.1 - Central Management
SI-2.2 - Automated Flaw Remediation Status
SI-2.3 - Time to Remediate Flaws / Benchmarks for Corrective Actions
SI-2.4 - Automated Patch Management Tools
SI-2.5 - Automatic Software / Firmware Updates
SI-2.6 - Removal of Previous Versions of Software / Firmware
SI-3 - Malicious Code Protection
10 Subcontrols
SI-3.1 - Central Management
SI-3.2 - Automatic Updates
SI-3.3 - Non-privileged Users
SI-3.4 - Updates Only by Privileged Users
SI-3.5 - Portable Storage Devices
SI-3.6 - Testing / Verification
SI-3.7 - Nonsignature-based Detection
SI-3.8 - Detect Unauthorized Commands
SI-3.9 - Authenticate Remote Commands
SI-3.10 - Malicious Code Analysis
SI-4 - Information System Monitoring
24 Subcontrols
SI-4.1 - System-wide Intrusion Detection System
SI-4.2 - Automated Tools for Real-time Analysis
SI-4.3 - Automated Tool Integration
SI-4.4 - Inbound and Outbound Communications Traffic
SI-4.5 - System-generated Alerts
SI-4.6 - Restrict Non-privileged Users
SI-4.7 - Automated Response to Suspicious Events
SI-4.8 - Protection of Monitoring Information
SI-4.9 - Testing of Monitoring Tools
SI-4.10 - Visibility of Encrypted Communications
SI-4.11 - Analyze Communications Traffic Anomalies
SI-4.12 - Automated Alerts
SI-4.13 - Analyze Traffic / Event Patterns
SI-4.14 - Wireless Intrusion Detection
SI-4.15 - Wireless to Wireline Communications
SI-4.16 - Correlate Monitoring Information
SI-4.17 - Integrated Situational Awareness
SI-4.18 - Analyze Traffic / Covert Exfiltration
SI-4.19 - Individuals Posing Greater Risk
SI-4.20 - Privileged Users
SI-4.21 - Probationary Periods
SI-4.22 - Unauthorized Network Services
SI-4.23 - Host-based Devices
SI-4.24 - Indicators of Compromise
SI-5 - Security Alerts, Advisories, and Directives
1 Subcontrol
SI-5.1 - Automated Alerts and Advisories
SI-6 - Security Function Verification
3 Subcontrols
SI-6.1 - Notification of Failed Security Tests
SI-6.2 - Automation Support for Distributed Testing
SI-6.3 - Report Verification Results
SI-7 - Software, Firmware, and Information Integrity
16 Subcontrols
SI-7.1 - Integrity Checks
SI-7.2 - Automated Notifications of Integrity Violations
SI-7.3 - Centrally-managed Integrity Tools
SI-7.4 - Tamper-evident Packaging
SI-7.5 - Automated Response to Integrity Violations
SI-7.6 - Cryptographic Protection
SI-7.7 - Integration of Detection and Response
SI-7.8 - Auditing Capability for Significant Events
SI-7.9 - Verify Boot Process
SI-7.10 - Protection of Boot Firmware
SI-7.11 - Confined Environments with Limited Privileges
SI-7.12 - Integrity Verification
SI-7.13 - Code Execution in Protected Environments
SI-7.14 - Binary or Machine Executable Code
SI-7.15 - Code Authentication
SI-7.16 - Time Limit On Process Execution w/o Supervision
SI-8 - Spam Protection
3 Subcontrols
SI-8.1 - Central Management
SI-8.2 - Automatic Updates
SI-8.3 - Continuous Learning Capability
SI-9 - Information Input Restrictions
SI-10 - Information Input Validation
5 Subcontrols
SI-10.1 - Manual Override Capability
SI-10.2 - Review / Resolution of Errors
SI-10.3 - Predictable Behavior
SI-10.4 - Review / Timing Interactions
SI-10.5 - Restrict Inputs to Trusted Sources and Approved Formats
SI-11 - Error Handling
SI-12 - Information Handling and Retention
SI-13 - Predictable Failure Prevention
5 Subcontrols
SI-13.1 - Transferring Component Responsibilities
SI-13.2 - Time Limit On Process Execution Without Supervision
SI-13.3 - Manual Transfer Between Components
SI-13.4 - Standby Component Installation / Notification
SI-13.5 - Failover Capability
SI-14 - Non-persistence
1 Subcontrol
SI-14.1 - Refresh from Trusted Sources
SI-15 - Information Output Filtering
SI-16 - Memory Protection
SI-17 - Fail-safe Procedures
PM - Program Management
16 Controls
PM-1 - Information Security Program Plan
PM-2 - Senior Information Security Officer
PM-3 - Information Security Resources
PM-4 - Plan of Action and Milestones Process
PM-5 - Information System Inventory
PM-6 - Information Security Measures of Performance
PM-7 - Enterprise Architecture
PM-8 - Critical Infrastructure Plan
PM-9 - Risk Management Strategy
PM-10 - Security Authorization Process
PM-11 - Mission/Business Process Definition
PM-12 - Insider Threat Program
PM-13 - Information Security Workforce
PM-14 - Testing, Training, and Monitoring
PM-15 - Contacts with Security Groups and Associations
PM-16 - Threat Awareness Program