Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures
An OSCAL Catalog
1193 controls organized in 20 groups
AC - Access Control
147 Controls
AC-1 - Policy and Procedures
AC-2 - Account Management
13 Subcontrols
AC-2.1 - Automated System Account Management
AC-2.2 - Automated Temporary and Emergency Account Management
AC-2.3 - Disable Accounts
AC-2.4 - Automated Audit Actions
AC-2.5 - Inactivity Logout
AC-2.6 - Dynamic Privilege Management
AC-2.7 - Privileged User Accounts
AC-2.8 - Dynamic Account Management
AC-2.9 - Restrictions on Use of Shared and Group Accounts
AC-2.10 - Shared and Group Account Credential Change
AC-2.11 - Usage Conditions
AC-2.12 - Account Monitoring for Atypical Usage
AC-2.13 - Disable Accounts for High-risk Individuals
AC-3 - Access Enforcement
15 Subcontrols
AC-3.1 - Restricted Access to Privileged Functions
AC-3.2 - Dual Authorization
AC-3.3 - Mandatory Access Control
AC-3.4 - Discretionary Access Control
AC-3.5 - Security-relevant Information
AC-3.6 - Protection of User and System Information
AC-3.7 - Role-based Access Control
AC-3.8 - Revocation of Access Authorizations
AC-3.9 - Controlled Release
AC-3.10 - Audited Override of Access Control Mechanisms
AC-3.11 - Restrict Access to Specific Information Types
AC-3.12 - Assert and Enforce Application Access
AC-3.13 - Attribute-based Access Control
AC-3.14 - Individual Access
AC-3.15 - Discretionary and Mandatory Access Control
AC-4 - Information Flow Enforcement
32 Subcontrols
AC-4.1 - Object Security and Privacy Attributes
AC-4.2 - Processing Domains
AC-4.3 - Dynamic Information Flow Control
AC-4.4 - Flow Control of Encrypted Information
AC-4.5 - Embedded Data Types
AC-4.6 - Metadata
AC-4.7 - One-way Flow Mechanisms
AC-4.8 - Security and Privacy Policy Filters
AC-4.9 - Human Reviews
AC-4.10 - Enable and Disable Security or Privacy Policy Filters
AC-4.11 - Configuration of Security or Privacy Policy Filters
AC-4.12 - Data Type Identifiers
AC-4.13 - Decomposition into Policy-relevant Subcomponents
AC-4.14 - Security or Privacy Policy Filter Constraints
AC-4.15 - Detection of Unsanctioned Information
AC-4.16 - Information Transfers on Interconnected Systems
AC-4.17 - Domain Authentication
AC-4.18 - Security Attribute Binding
AC-4.19 - Validation of Metadata
AC-4.20 - Approved Solutions
AC-4.21 - Physical or Logical Separation of Information Flows
AC-4.22 - Access Only
AC-4.23 - Modify Non-releasable Information
AC-4.24 - Internal Normalized Format
AC-4.25 - Data Sanitization
AC-4.26 - Audit Filtering Actions
AC-4.27 - Redundant/Independent Filtering Mechanisms
AC-4.28 - Linear Filter Pipelines
AC-4.29 - Filter Orchestration Engines
AC-4.30 - Filter Mechanisms Using Multiple Processes
AC-4.31 - Failed Content Transfer Prevention
AC-4.32 - Process Requirements for Information Transfer
AC-5 - Separation of Duties
AC-6 - Least Privilege
10 Subcontrols
AC-6.1 - Authorize Access to Security Functions
AC-6.2 - Non-privileged Access for Nonsecurity Functions
AC-6.3 - Network Access to Privileged Commands
AC-6.4 - Separate Processing Domains
AC-6.5 - Privileged Accounts
AC-6.6 - Privileged Access by Non-organizational Users
AC-6.7 - Review of User Privileges
AC-6.8 - Privilege Levels for Code Execution
AC-6.9 - Log Use of Privileged Functions
AC-6.10 - Prohibit Non-privileged Users from Executing Privileged Functions
AC-7 - Unsuccessful Logon Attempts
4 Subcontrols
AC-7.1 - Automatic Account Lock
AC-7.2 - Purge or Wipe Mobile Device
AC-7.3 - Biometric Attempt Limiting
AC-7.4 - Use of Alternate Authentication Factor
AC-8 - System Use Notification
AC-9 - Previous Logon Notification
4 Subcontrols
AC-9.1 - Unsuccessful Logons
AC-9.2 - Successful and Unsuccessful Logons
AC-9.3 - Notification of Account Changes
AC-9.4 - Additional Logon Information
AC-10 - Concurrent Session Control
AC-11 - Device Lock
1 Subcontrol
AC-11.1 - Pattern-hiding Displays
AC-12 - Session Termination
3 Subcontrols
AC-12.1 - User-initiated Logouts
AC-12.2 - Termination Message
AC-12.3 - Timeout Warning Message
AC-13 - Supervision and Review — Access Control
AC-14 - Permitted Actions Without Identification or Authentication
1 Subcontrol
AC-14.1 - Necessary Uses
AC-15 - Automated Marking
AC-16 - Security and Privacy Attributes
10 Subcontrols
AC-16.1 - Dynamic Attribute Association
AC-16.2 - Attribute Value Changes by Authorized Individuals
AC-16.3 - Maintenance of Attribute Associations by System
AC-16.4 - Association of Attributes by Authorized Individuals
AC-16.5 - Attribute Displays on Objects to Be Output
AC-16.6 - Maintenance of Attribute Association
AC-16.7 - Consistent Attribute Interpretation
AC-16.8 - Association Techniques and Technologies
AC-16.9 - Attribute Reassignment — Regrading Mechanisms
AC-16.10 - Attribute Configuration by Authorized Individuals
AC-17 - Remote Access
10 Subcontrols
AC-17.1 - Monitoring and Control
AC-17.2 - Protection of Confidentiality and Integrity Using Encryption
AC-17.3 - Managed Access Control Points
AC-17.4 - Privileged Commands and Access
AC-17.5 - Monitoring for Unauthorized Connections
AC-17.6 - Protection of Mechanism Information
AC-17.7 - Additional Protection for Security Function Access
AC-17.8 - Disable Nonsecure Network Protocols
AC-17.9 - Disconnect or Disable Access
AC-17.10 - Authenticate Remote Commands
AC-18 - Wireless Access
5 Subcontrols
AC-18.1 - Authentication and Encryption
AC-18.2 - Monitoring Unauthorized Connections
AC-18.3 - Disable Wireless Networking
AC-18.4 - Restrict Configurations by Users
AC-18.5 - Antennas and Transmission Power Levels
AC-19 - Access Control for Mobile Devices
5 Subcontrols
AC-19.1 - Use of Writable and Portable Storage Devices
AC-19.2 - Use of Personally Owned Portable Storage Devices
AC-19.3 - Use of Portable Storage Devices with No Identifiable Owner
AC-19.4 - Restrictions for Classified Information
AC-19.5 - Full Device or Container-based Encryption
AC-20 - Use of External Systems
5 Subcontrols
AC-20.1 - Limits on Authorized Use
AC-20.2 - Portable Storage Devices — Restricted Use
AC-20.3 - Non-organizationally Owned Systems — Restricted Use
AC-20.4 - Network Accessible Storage Devices — Prohibited Use
AC-20.5 - Portable Storage Devices — Prohibited Use
AC-21 - Information Sharing
2 Subcontrols
AC-21.1 - Automated Decision Support
AC-21.2 - Information Search and Retrieval
AC-22 - Publicly Accessible Content
AC-23 - Data Mining Protection
AC-24 - Access Control Decisions
2 Subcontrols
AC-24.1 - Transmit Access Authorization Information
AC-24.2 - No User or Process Identity
AC-25 - Reference Monitor
AT - Awareness and Training
17 Controls
AT-1 - Policy and Procedures
AT-2 - Literacy Training and Awareness
6 Subcontrols
AT-2.1 - Practical Exercises
AT-2.2 - Insider Threat
AT-2.3 - Social Engineering and Mining
AT-2.4 - Suspicious Communications and Anomalous System Behavior
AT-2.5 - Advanced Persistent Threat
AT-2.6 - Cyber Threat Environment
AT-3 - Role-based Training
5 Subcontrols
AT-3.1 - Environmental Controls
AT-3.2 - Physical Security Controls
AT-3.3 - Practical Exercises
AT-3.4 - Suspicious Communications and Anomalous System Behavior
AT-3.5 - Processing Personally Identifiable Information
AT-4 - Training Records
AT-5 - Contacts with Security Groups and Associations
AT-6 - Training Feedback
AU - Audit and Accountability
69 Controls
AU-1 - Policy and Procedures
AU-2 - Event Logging
4 Subcontrols
AU-2.1 - Compilation of Audit Records from Multiple Sources
AU-2.2 - Selection of Audit Events by Component
AU-2.3 - Reviews and Updates
AU-2.4 - Privileged Functions
AU-3 - Content of Audit Records
3 Subcontrols
AU-3.1 - Additional Audit Information
AU-3.2 - Centralized Management of Planned Audit Record Content
AU-3.3 - Limit Personally Identifiable Information Elements
AU-4 - Audit Log Storage Capacity
1 Subcontrol
AU-4.1 - Transfer to Alternate Storage
AU-5 - Response to Audit Logging Process Failures
5 Subcontrols
AU-5.1 - Storage Capacity Warning
AU-5.2 - Real-time Alerts
AU-5.3 - Configurable Traffic Volume Thresholds
AU-5.4 - Shutdown on Failure
AU-5.5 - Alternate Audit Logging Capability
AU-6 - Audit Record Review, Analysis, and Reporting
10 Subcontrols
AU-6.1 - Automated Process Integration
AU-6.2 - Automated Security Alerts
AU-6.3 - Correlate Audit Record Repositories
AU-6.4 - Central Review and Analysis
AU-6.5 - Integrated Analysis of Audit Records
AU-6.6 - Correlation with Physical Monitoring
AU-6.7 - Permitted Actions
AU-6.8 - Full Text Analysis of Privileged Commands
AU-6.9 - Correlation with Information from Nontechnical Sources
AU-6.10 - Audit Level Adjustment
AU-7 - Audit Record Reduction and Report Generation
2 Subcontrols
AU-7.1 - Automatic Processing
AU-7.2 - Automatic Sort and Search
AU-8 - Time Stamps
2 Subcontrols
AU-8.1 - Synchronization with Authoritative Time Source
AU-8.2 - Secondary Authoritative Time Source
AU-9 - Protection of Audit Information
7 Subcontrols
AU-9.1 - Hardware Write-once Media
AU-9.2 - Store on Separate Physical Systems or Components
AU-9.3 - Cryptographic Protection
AU-9.4 - Access by Subset of Privileged Users
AU-9.5 - Dual Authorization
AU-9.6 - Read-only Access
AU-9.7 - Store on Component with Different Operating System
AU-10 - Non-repudiation
5 Subcontrols
AU-10.1 - Association of Identities
AU-10.2 - Validate Binding of Information Producer Identity
AU-10.3 - Chain of Custody
AU-10.4 - Validate Binding of Information Reviewer Identity
AU-10.5 - Digital Signatures
AU-11 - Audit Record Retention
1 Subcontrol
AU-11.1 - Long-term Retrieval Capability
AU-12 - Audit Record Generation
4 Subcontrols
AU-12.1 - System-wide and Time-correlated Audit Trail
AU-12.2 - Standardized Formats
AU-12.3 - Changes by Authorized Individuals
AU-12.4 - Query Parameter Audits of Personally Identifiable Information
AU-13 - Monitoring for Information Disclosure
3 Subcontrols
AU-13.1 - Use of Automated Tools
AU-13.2 - Review of Monitored Sites
AU-13.3 - Unauthorized Replication of Information
AU-14 - Session Audit
3 Subcontrols
AU-14.1 - System Start-up
AU-14.2 - Capture and Record Content
AU-14.3 - Remote Viewing and Listening
AU-15 - Alternate Audit Logging Capability
AU-16 - Cross-organizational Audit Logging
3 Subcontrols
AU-16.1 - Identity Preservation
AU-16.2 - Sharing of Audit Information
AU-16.3 - Disassociability
CA - Assessment, Authorization, and Monitoring
32 Controls
CA-1 - Policy and Procedures
CA-2 - Control Assessments
3 Subcontrols
CA-2.1 - Independent Assessors
CA-2.2 - Specialized Assessments
CA-2.3 - Leveraging Results from External Organizations
CA-3 - Information Exchange
7 Subcontrols
CA-3.1 - Unclassified National Security System Connections
CA-3.2 - Classified National Security System Connections
CA-3.3 - Unclassified Non-national Security System Connections
CA-3.4 - Connections to Public Networks
CA-3.5 - Restrictions on External System Connections
CA-3.6 - Transfer Authorizations
CA-3.7 - Transitive Information Exchanges
CA-4 - Security Certification
CA-5 - Plan of Action and Milestones
1 Subcontrol
CA-5.1 - Automation Support for Accuracy and Currency
CA-6 - Authorization
2 Subcontrols
CA-6.1 - Joint Authorization — Intra-organization
CA-6.2 - Joint Authorization — Inter-organization
CA-7 - Continuous Monitoring
6 Subcontrols
CA-7.1 - Independent Assessment
CA-7.2 - Types of Assessments
CA-7.3 - Trend Analyses
CA-7.4 - Risk Monitoring
CA-7.5 - Consistency Analysis
CA-7.6 - Automation Support for Monitoring
CA-8 - Penetration Testing
3 Subcontrols
CA-8.1 - Independent Penetration Testing Agent or Team
CA-8.2 - Red Team Exercises
CA-8.3 - Facility Penetration Testing
CA-9 - Internal System Connections
1 Subcontrol
CA-9.1 - Compliance Checks
CM - Configuration Management
66 Controls
CM-1 - Policy and Procedures
CM-2 - Baseline Configuration
7 Subcontrols
CM-2.1 - Reviews and Updates
CM-2.2 - Automation Support for Accuracy and Currency
CM-2.3 - Retention of Previous Configurations
CM-2.4 - Unauthorized Software
CM-2.5 - Authorized Software
CM-2.6 - Development and Test Environments
CM-2.7 - Configure Systems and Components for High-risk Areas
CM-3 - Configuration Change Control
8 Subcontrols
CM-3.1 - Automated Documentation, Notification, and Prohibition of Changes
CM-3.2 - Testing, Validation, and Documentation of Changes
CM-3.3 - Automated Change Implementation
CM-3.4 - Security and Privacy Representatives
CM-3.5 - Automated Security Response
CM-3.6 - Cryptography Management
CM-3.7 - Review System Changes
CM-3.8 - Prevent or Restrict Configuration Changes
CM-4 - Impact Analyses
2 Subcontrols
CM-4.1 - Separate Test Environments
CM-4.2 - Verification of Controls
CM-5 - Access Restrictions for Change
7 Subcontrols
CM-5.1 - Automated Access Enforcement and Audit Records
CM-5.2 - Review System Changes
CM-5.3 - Signed Components
CM-5.4 - Dual Authorization
CM-5.5 - Privilege Limitation for Production and Operation
CM-5.6 - Limit Library Privileges
CM-5.7 - Automatic Implementation of Security Safeguards
CM-6 - Configuration Settings
4 Subcontrols
CM-6.1 - Automated Management, Application, and Verification
CM-6.2 - Respond to Unauthorized Changes
CM-6.3 - Unauthorized Change Detection
CM-6.4 - Conformance Demonstration
CM-7 - Least Functionality
9 Subcontrols
CM-7.1 - Periodic Review
CM-7.2 - Prevent Program Execution
CM-7.3 - Registration Compliance
CM-7.4 - Unauthorized Software — Deny-by-exception
CM-7.5 - Authorized Software — Allow-by-exception
CM-7.6 - Confined Environments with Limited Privileges
CM-7.7 - Code Execution in Protected Environments
CM-7.8 - Binary or Machine Executable Code
CM-7.9 - Prohibiting The Use of Unauthorized Hardware
CM-8 - System Component Inventory
9 Subcontrols
CM-8.1 - Updates During Installation and Removal
CM-8.2 - Automated Maintenance
CM-8.3 - Automated Unauthorized Component Detection
CM-8.4 - Accountability Information
CM-8.5 - No Duplicate Accounting of Components
CM-8.6 - Assessed Configurations and Approved Deviations
CM-8.7 - Centralized Repository
CM-8.8 - Automated Location Tracking
CM-8.9 - Assignment of Components to Systems
CM-9 - Configuration Management Plan
1 Subcontrol
CM-9.1 - Assignment of Responsibility
CM-10 - Software Usage Restrictions
1 Subcontrol
CM-10.1 - Open-source Software
CM-11 - User-installed Software
3 Subcontrols
CM-11.1 - Alerts for Unauthorized Installations
CM-11.2 - Software Installation with Privileged Status
CM-11.3 - Automated Enforcement and Monitoring
CM-12 - Information Location
1 Subcontrol
CM-12.1 - Automated Tools to Support Information Location
CM-13 - Data Action Mapping
CM-14 - Signed Components
CP - Contingency Planning
56 Controls
CP-1 - Policy and Procedures
CP-2 - Contingency Plan
8 Subcontrols
CP-2.1 - Coordinate with Related Plans
CP-2.2 - Capacity Planning
CP-2.3 - Resume Mission and Business Functions
CP-2.4 - Resume All Mission and Business Functions
CP-2.5 - Continue Mission and Business Functions
CP-2.6 - Alternate Processing and Storage Sites
CP-2.7 - Coordinate with External Service Providers
CP-2.8 - Identify Critical Assets
CP-3 - Contingency Training
2 Subcontrols
CP-3.1 - Simulated Events
CP-3.2 - Mechanisms Used in Training Environments
CP-4 - Contingency Plan Testing
5 Subcontrols
CP-4.1 - Coordinate with Related Plans
CP-4.2 - Alternate Processing Site
CP-4.3 - Automated Testing
CP-4.4 - Full Recovery and Reconstitution
CP-4.5 - Self-challenge
CP-5 - Contingency Plan Update
CP-6 - Alternate Storage Site
3 Subcontrols
CP-6.1 - Separation from Primary Site
CP-6.2 - Recovery Time and Recovery Point Objectives
CP-6.3 - Accessibility
CP-7 - Alternate Processing Site
6 Subcontrols
CP-7.1 - Separation from Primary Site
CP-7.2 - Accessibility
CP-7.3 - Priority of Service
CP-7.4 - Preparation for Use
CP-7.5 - Equivalent Information Security Safeguards
CP-7.6 - Inability to Return to Primary Site
CP-8 - Telecommunications Services
5 Subcontrols
CP-8.1 - Priority of Service Provisions
CP-8.2 - Single Points of Failure
CP-8.3 - Separation of Primary and Alternate Providers
CP-8.4 - Provider Contingency Plan
CP-8.5 - Alternate Telecommunication Service Testing
CP-9 - System Backup
8 Subcontrols
CP-9.1 - Testing for Reliability and Integrity
CP-9.2 - Test Restoration Using Sampling
CP-9.3 - Separate Storage for Critical Information
CP-9.4 - Protection from Unauthorized Modification
CP-9.5 - Transfer to Alternate Storage Site
CP-9.6 - Redundant Secondary System
CP-9.7 - Dual Authorization for Deletion or Destruction
CP-9.8 - Cryptographic Protection
CP-10 - System Recovery and Reconstitution
6 Subcontrols
CP-10.1 - Contingency Plan Testing
CP-10.2 - Transaction Recovery
CP-10.3 - Compensating Security Controls
CP-10.4 - Restore Within Time Period
CP-10.5 - Failover Capability
CP-10.6 - Component Protection
CP-11 - Alternate Communications Protocols
CP-12 - Safe Mode
CP-13 - Alternative Security Mechanisms
IA - Identification and Authentication
74 Controls
IA-1 - Policy and Procedures
IA-2 - Identification and Authentication (Organizational Users)
13 Subcontrols
IA-2.1 - Multi-factor Authentication to Privileged Accounts
IA-2.2 - Multi-factor Authentication to Non-privileged Accounts
IA-2.3 - Local Access to Privileged Accounts
IA-2.4 - Local Access to Non-privileged Accounts
IA-2.5 - Individual Authentication with Group Authentication
IA-2.6 - Access to Accounts — Separate Device
IA-2.7 - Network Access to Non-privileged Accounts — Separate Device
IA-2.8 - Access to Accounts — Replay Resistant
IA-2.9 - Network Access to Non-privileged Accounts — Replay Resistant
IA-2.10 - Single Sign-on
IA-2.11 - Remote Access — Separate Device
IA-2.12 - Acceptance of PIV Credentials
IA-2.13 - Out-of-band Authentication
IA-3 - Device Identification and Authentication
4 Subcontrols
IA-3.1 - Cryptographic Bidirectional Authentication
IA-3.2 - Cryptographic Bidirectional Network Authentication
IA-3.3 - Dynamic Address Allocation
IA-3.4 - Device Attestation
IA-4 - Identifier Management
9 Subcontrols
IA-4.1 - Prohibit Account Identifiers as Public Identifiers
IA-4.2 - Supervisor Authorization
IA-4.3 - Multiple Forms of Certification
IA-4.4 - Identify User Status
IA-4.5 - Dynamic Management
IA-4.6 - Cross-organization Management
IA-4.7 - In-person Registration
IA-4.8 - Pairwise Pseudonymous Identifiers
IA-4.9 - Attribute Maintenance and Protection
IA-5 - Authenticator Management
18 Subcontrols
IA-5.1 - Password-based Authentication
IA-5.2 - Public Key-based Authentication
IA-5.3 - In-person or Trusted External Party Registration
IA-5.4 - Automated Support for Password Strength Determination
IA-5.5 - Change Authenticators Prior to Delivery
IA-5.6 - Protection of Authenticators
IA-5.7 - No Embedded Unencrypted Static Authenticators
IA-5.8 - Multiple System Accounts
IA-5.9 - Federated Credential Management
IA-5.10 - Dynamic Credential Binding
IA-5.11 - Hardware Token-based Authentication
IA-5.12 - Biometric Authentication Performance
IA-5.13 - Expiration of Cached Authenticators
IA-5.14 - Managing Content of PKI Trust Stores
IA-5.15 - GSA-approved Products and Services
IA-5.16 - In-person or Trusted External Party Authenticator Issuance
IA-5.17 - Presentation Attack Detection for Biometric Authenticators
IA-5.18 - Password Managers
IA-6 - Authentication Feedback
IA-7 - Cryptographic Module Authentication
IA-8 - Identification and Authentication (Non-organizational Users)
6 Subcontrols
IA-8.1 - Acceptance of PIV Credentials from Other Agencies
IA-8.2 - Acceptance of External Authenticators
IA-8.3 - Use of FICAM-approved Products
IA-8.4 - Use of Defined Profiles
IA-8.5 - Acceptance of PIV-I Credentials
IA-8.6 - Disassociability
IA-9 - Service Identification and Authentication
2 Subcontrols
IA-9.1 - Information Exchange
IA-9.2 - Transmission of Decisions
IA-10 - Adaptive Authentication
IA-11 - Re-authentication
IA-12 - Identity Proofing
6 Subcontrols
IA-12.1 - Supervisor Authorization
IA-12.2 - Identity Evidence
IA-12.3 - Identity Evidence Validation and Verification
IA-12.4 - In-person Validation and Verification
IA-12.5 - Address Confirmation
IA-12.6 - Accept Externally-proofed Identities
IA-13 - Identity Providers and Authorization Servers
3 Subcontrols
IA-13.1 - Protection of Cryptographic Keys
IA-13.2 - Verification of Identity Assertions and Access Tokens
IA-13.3 - Token Management
IR - Incident Response
42 Controls
IR-1 - Policy and Procedures
IR-2 - Incident Response Training
3 Subcontrols
IR-2.1 - Simulated Events
IR-2.2 - Automated Training Environments
IR-2.3 - Breach
IR-3 - Incident Response Testing
3 Subcontrols
IR-3.1 - Automated Testing
IR-3.2 - Coordination with Related Plans
IR-3.3 - Continuous Improvement
IR-4 - Incident Handling
15 Subcontrols
IR-4.1 - Automated Incident Handling Processes
IR-4.2 - Dynamic Reconfiguration
IR-4.3 - Continuity of Operations
IR-4.4 - Information Correlation
IR-4.5 - Automatic Disabling of System
IR-4.6 - Insider Threats
IR-4.7 - Insider Threats — Intra-organization Coordination
IR-4.8 - Correlation with External Organizations
IR-4.9 - Dynamic Response Capability
IR-4.10 - Supply Chain Coordination
IR-4.11 - Integrated Incident Response Team
IR-4.12 - Malicious Code and Forensic Analysis
IR-4.13 - Behavior Analysis
IR-4.14 - Security Operations Center
IR-4.15 - Public Relations and Reputation Repair
IR-5 - Incident Monitoring
1 Subcontrol
IR-5.1 - Automated Tracking, Data Collection, and Analysis
IR-6 - Incident Reporting
3 Subcontrols
IR-6.1 - Automated Reporting
IR-6.2 - Vulnerabilities Related to Incidents
IR-6.3 - Supply Chain Coordination
IR-7 - Incident Response Assistance
2 Subcontrols
IR-7.1 - Automation Support for Availability of Information and Support
IR-7.2 - Coordination with External Providers
IR-8 - Incident Response Plan
1 Subcontrol
IR-8.1 - Breaches
IR-9 - Information Spillage Response
4 Subcontrols
IR-9.1 - Responsible Personnel
IR-9.2 - Training
IR-9.3 - Post-spill Operations
IR-9.4 - Exposure to Unauthorized Personnel
IR-10 - Integrated Information Security Analysis Team
MA - Maintenance
30 Controls
MA-1 - Policy and Procedures
MA-2 - Controlled Maintenance
2 Subcontrols
MA-2.1 - Record Content
MA-2.2 - Automated Maintenance Activities
MA-3 - Maintenance Tools
6 Subcontrols
MA-3.1 - Inspect Tools
MA-3.2 - Inspect Media
MA-3.3 - Prevent Unauthorized Removal
MA-3.4 - Restricted Tool Use
MA-3.5 - Execution with Privilege
MA-3.6 - Software Updates and Patches
MA-4 - Nonlocal Maintenance
7 Subcontrols
MA-4.1 - Logging and Review
MA-4.2 - Document Nonlocal Maintenance
MA-4.3 - Comparable Security and Sanitization
MA-4.4 - Authentication and Separation of Maintenance Sessions
MA-4.5 - Approvals and Notifications
MA-4.6 - Cryptographic Protection
MA-4.7 - Disconnect Verification
MA-5 - Maintenance Personnel
5 Subcontrols
MA-5.1 - Individuals Without Appropriate Access
MA-5.2 - Security Clearances for Classified Systems
MA-5.3 - Citizenship Requirements for Classified Systems
MA-5.4 - Foreign Nationals
MA-5.5 - Non-system Maintenance
MA-6 - Timely Maintenance
3 Subcontrols
MA-6.1 - Preventive Maintenance
MA-6.2 - Predictive Maintenance
MA-6.3 - Automated Support for Predictive Maintenance
MA-7 - Field Maintenance
MP - Media Protection
30 Controls
MP-1 - Policy and Procedures
MP-2 - Media Access
2 Subcontrols
MP-2.1 - Automated Restricted Access
MP-2.2 - Cryptographic Protection
MP-3 - Media Marking
MP-4 - Media Storage
2 Subcontrols
MP-4.1 - Cryptographic Protection
MP-4.2 - Automated Restricted Access
MP-5 - Media Transport
4 Subcontrols
MP-5.1 - Protection Outside of Controlled Areas
MP-5.2 - Documentation of Activities
MP-5.3 - Custodians
MP-5.4 - Cryptographic Protection
MP-6 - Media Sanitization
8 Subcontrols
MP-6.1 - Review, Approve, Track, Document, and Verify
MP-6.2 - Equipment Testing
MP-6.3 - Nondestructive Techniques
MP-6.4 - Controlled Unclassified Information
MP-6.5 - Classified Information
MP-6.6 - Media Destruction
MP-6.7 - Dual Authorization
MP-6.8 - Remote Purging or Wiping of Information
MP-7 - Media Use
2 Subcontrols
MP-7.1 - Prohibit Use Without Owner
MP-7.2 - Prohibit Use of Sanitization-resistant Media
MP-8 - Media Downgrading
4 Subcontrols
MP-8.1 - Documentation of Process
MP-8.2 - Equipment Testing
MP-8.3 - Controlled Unclassified Information
MP-8.4 - Classified Information
PE - Physical and Environmental Protection
59 Controls
PE-1 - Policy and Procedures
PE-2 - Physical Access Authorizations
3 Subcontrols
PE-2.1 - Access by Position or Role
PE-2.2 - Two Forms of Identification
PE-2.3 - Restrict Unescorted Access
PE-3 - Physical Access Control
8 Subcontrols
PE-3.1 - System Access
PE-3.2 - Facility and Systems
PE-3.3 - Continuous Guards
PE-3.4 - Lockable Casings
PE-3.5 - Tamper Protection
PE-3.6 - Facility Penetration Testing
PE-3.7 - Physical Barriers
PE-3.8 - Access Control Vestibules
PE-4 - Access Control for Transmission
PE-5 - Access Control for Output Devices
3 Subcontrols
PE-5.1 - Access to Output by Authorized Individuals
PE-5.2 - Link to Individual Identity
PE-5.3 - Marking Output Devices
PE-6 - Monitoring Physical Access
4 Subcontrols
PE-6.1 - Intrusion Alarms and Surveillance Equipment
PE-6.2 - Automated Intrusion Recognition and Responses
PE-6.3 - Video Surveillance
PE-6.4 - Monitoring Physical Access to Systems
PE-7 - Visitor Control
PE-8 - Visitor Access Records
3 Subcontrols
PE-8.1 - Automated Records Maintenance and Review
PE-8.2 - Physical Access Records
PE-8.3 - Limit Personally Identifiable Information Elements
PE-9 - Power Equipment and Cabling
2 Subcontrols
PE-9.1 - Redundant Cabling
PE-9.2 - Automatic Voltage Controls
PE-10 - Emergency Shutoff
1 Subcontrol
PE-10.1 - Accidental and Unauthorized Activation
PE-11 - Emergency Power
2 Subcontrols
PE-11.1 - Alternate Power Supply — Minimal Operational Capability
PE-11.2 - Alternate Power Supply — Self-contained
PE-12 - Emergency Lighting
1 Subcontrol
PE-12.1 - Essential Mission and Business Functions
PE-13 - Fire Protection
4 Subcontrols
PE-13.1 - Detection Systems — Automatic Activation and Notification
PE-13.2 - Suppression Systems — Automatic Activation and Notification
PE-13.3 - Automatic Fire Suppression
PE-13.4 - Inspections
PE-14 - Environmental Controls
2 Subcontrols
PE-14.1 - Automatic Controls
PE-14.2 - Monitoring with Alarms and Notifications
PE-15 - Water Damage Protection
1 Subcontrol
PE-15.1 - Automation Support
PE-16 - Delivery and Removal
PE-17 - Alternate Work Site
PE-18 - Location of System Components
1 Subcontrol
PE-18.1 - Facility Site
PE-19 - Information Leakage
1 Subcontrol
PE-19.1 - National Emissions Policies and Procedures
PE-20 - Asset Monitoring and Tracking
PE-21 - Electromagnetic Pulse Protection
PE-22 - Component Marking
PE-23 - Facility Location
PL - Planning
17 Controls
PL-1 - Policy and Procedures
PL-2 - System Security and Privacy Plans
3 Subcontrols
PL-2.1 - Concept of Operations
PL-2.2 - Functional Architecture
PL-2.3 - Plan and Coordinate with Other Organizational Entities
PL-3 - System Security Plan Update
PL-4 - Rules of Behavior
1 Subcontrol
PL-4.1 - Social Media and External Site/Application Usage Restrictions
PL-5 - Privacy Impact Assessment
PL-6 - Security-related Activity Planning
PL-7 - Concept of Operations
PL-8 - Security and Privacy Architectures
2 Subcontrols
PL-8.1 - Defense in Depth
PL-8.2 - Supplier Diversity
PL-9 - Central Management
PL-10 - Baseline Selection
PL-11 - Baseline Tailoring
PM - Program Management
37 Controls
PM-1 - Information Security Program Plan
PM-2 - Information Security Program Leadership Role
PM-3 - Information Security and Privacy Resources
PM-4 - Plan of Action and Milestones Process
PM-5 - System Inventory
1 Subcontrol
PM-5.1 - Inventory of Personally Identifiable Information
PM-6 - Measures of Performance
PM-7 - Enterprise Architecture
1 Subcontrol
PM-7.1 - Offloading
PM-8 - Critical Infrastructure Plan
PM-9 - Risk Management Strategy
PM-10 - Authorization Process
PM-11 - Mission and Business Process Definition
PM-12 - Insider Threat Program
PM-13 - Security and Privacy Workforce
PM-14 - Testing, Training, and Monitoring
PM-15 - Security and Privacy Groups and Associations
PM-16 - Threat Awareness Program
1 Subcontrol
PM-16.1 - Automated Means for Sharing Threat Intelligence
PM-17 - Protecting Controlled Unclassified Information on External Systems
PM-18 - Privacy Program Plan
PM-19 - Privacy Program Leadership Role
PM-20 - Dissemination of Privacy Program Information
1 Subcontrol
PM-20.1 - Privacy Policies on Websites, Applications, and Digital Services
PM-21 - Accounting of Disclosures
PM-22 - Personally Identifiable Information Quality Management
PM-23 - Data Governance Body
PM-24 - Data Integrity Board
PM-25 - Minimization of Personally Identifiable Information Used in Testing, Training, and Research
PM-26 - Complaint Management
PM-27 - Privacy Reporting
PM-28 - Risk Framing
PM-29 - Risk Management Program Leadership Roles
PM-30 - Supply Chain Risk Management Strategy
1 Subcontrol
PM-30.1 - Suppliers of Critical or Mission-essential Items
PM-31 - Continuous Monitoring Strategy
PM-32 - Purposing
PS - Personnel Security
18 Controls
PS-1 - Policy and Procedures
PS-2 - Position Risk Designation
PS-3 - Personnel Screening
4 Subcontrols
PS-3.1 - Classified Information
PS-3.2 - Formal Indoctrination
PS-3.3 - Information Requiring Special Protective Measures
PS-3.4 - Citizenship Requirements
PS-4 - Personnel Termination
2 Subcontrols
PS-4.1 - Post-employment Requirements
PS-4.2 - Automated Actions
PS-5 - Personnel Transfer
PS-6 - Access Agreements
3 Subcontrols
PS-6.1 - Information Requiring Special Protection
PS-6.2 - Classified Information Requiring Special Protection
PS-6.3 - Post-employment Requirements
PS-7 - External Personnel Security
PS-8 - Personnel Sanctions
PS-9 - Position Descriptions
PT - Personally Identifiable Information Processing and Transparency
21 Controls
PT-1 - Policy and Procedures
PT-2 - Authority to Process Personally Identifiable Information
2 Subcontrols
PT-2.1 - Data Tagging
PT-2.2 - Automation
PT-3 - Personally Identifiable Information Processing Purposes
2 Subcontrols
PT-3.1 - Data Tagging
PT-3.2 - Automation
PT-4 - Consent
3 Subcontrols
PT-4.1 - Tailored Consent
PT-4.2 - Just-in-time Consent
PT-4.3 - Revocation
PT-5 - Privacy Notice
2 Subcontrols
PT-5.1 - Just-in-time Notice
PT-5.2 - Privacy Act Statements
PT-6 - System of Records Notice
2 Subcontrols
PT-6.1 - Routine Uses
PT-6.2 - Exemption Rules
PT-7 - Specific Categories of Personally Identifiable Information
2 Subcontrols
PT-7.1 - Social Security Numbers
PT-7.2 - First Amendment Information
PT-8 - Computer Matching Requirements
RA - Risk Assessment
26 Controls
RA-1 - Policy and Procedures
RA-2 - Security Categorization
1 Subcontrol
RA-2.1 - Impact-level Prioritization
RA-3 - Risk Assessment
4 Subcontrols
RA-3.1 - Supply Chain Risk Assessment
RA-3.2 - Use of All-source Intelligence
RA-3.3 - Dynamic Threat Awareness
RA-3.4 - Predictive Cyber Analytics
RA-4 - Risk Assessment Update
RA-5 - Vulnerability Monitoring and Scanning
11 Subcontrols
RA-5.1 - Update Tool Capability
RA-5.2 - Update Vulnerabilities to Be Scanned
RA-5.3 - Breadth and Depth of Coverage
RA-5.4 - Discoverable Information
RA-5.5 - Privileged Access
RA-5.6 - Automated Trend Analyses
RA-5.7 - Automated Detection and Notification of Unauthorized Components
RA-5.8 - Review Historic Audit Logs
RA-5.9 - Penetration Testing and Analyses
RA-5.10 - Correlate Scanning Information
RA-5.11 - Public Disclosure Program
RA-6 - Technical Surveillance Countermeasures Survey
RA-7 - Risk Response
RA-8 - Privacy Impact Assessments
RA-9 - Criticality Analysis
RA-10 - Threat Hunting
SA - System and Services Acquisition
145 Controls
SA-1 - Policy and Procedures
SA-2 - Allocation of Resources
SA-3 - System Development Life Cycle
3 Subcontrols
SA-3.1 - Manage Preproduction Environment
SA-3.2 - Use of Live or Operational Data
SA-3.3 - Technology Refresh
SA-4 - Acquisition Process
12 Subcontrols
SA-4.1 - Functional Properties of Controls
SA-4.2 - Design and Implementation Information for Controls
SA-4.3 - Development Methods, Techniques, and Practices
SA-4.4 - Assignment of Components to Systems
SA-4.5 - System, Component, and Service Configurations
SA-4.6 - Use of Information Assurance Products
SA-4.7 - NIAP-approved Protection Profiles
SA-4.8 - Continuous Monitoring Plan for Controls
SA-4.9 - Functions, Ports, Protocols, and Services in Use
SA-4.10 - Use of Approved PIV Products
SA-4.11 - System of Records
SA-4.12 - Data Ownership
SA-5 - System Documentation
5 Subcontrols
SA-5.1 - Functional Properties of Security Controls
SA-5.2 - Security-relevant External System Interfaces
SA-5.3 - High-level Design
SA-5.4 - Low-level Design
SA-5.5 - Source Code
SA-6 - Software Usage Restrictions
SA-7 - User-installed Software
SA-8 - Security and Privacy Engineering Principles
33 Subcontrols
SA-8.1 - Clear Abstractions
SA-8.2 - Least Common Mechanism
SA-8.3 - Modularity and Layering
SA-8.4 - Partially Ordered Dependencies
SA-8.5 - Efficiently Mediated Access
SA-8.6 - Minimized Sharing
SA-8.7 - Reduced Complexity
SA-8.8 - Secure Evolvability
SA-8.9 - Trusted Components
SA-8.10 - Hierarchical Trust
SA-8.11 - Inverse Modification Threshold
SA-8.12 - Hierarchical Protection
SA-8.13 - Minimized Security Elements
SA-8.14 - Least Privilege
SA-8.15 - Predicate Permission
SA-8.16 - Self-reliant Trustworthiness
SA-8.17 - Secure Distributed Composition
SA-8.18 - Trusted Communications Channels
SA-8.19 - Continuous Protection
SA-8.20 - Secure Metadata Management
SA-8.21 - Self-analysis
SA-8.22 - Accountability and Traceability
SA-8.23 - Secure Defaults
SA-8.24 - Secure Failure and Recovery
SA-8.25 - Economic Security
SA-8.26 - Performance Security
SA-8.27 - Human Factored Security
SA-8.28 - Acceptable Security
SA-8.29 - Repeatable and Documented Procedures
SA-8.30 - Procedural Rigor
SA-8.31 - Secure System Modification
SA-8.32 - Sufficient Documentation
SA-8.33 - Minimization
SA-9 - External System Services
8 Subcontrols
SA-9.1 - Risk Assessments and Organizational Approvals
SA-9.2 - Identification of Functions, Ports, Protocols, and Services
SA-9.3 - Establish and Maintain Trust Relationship with Providers
SA-9.4 - Consistent Interests of Consumers and Providers
SA-9.5 - Processing, Storage, and Service Location
SA-9.6 - Organization-controlled Cryptographic Keys
SA-9.7 - Organization-controlled Integrity Checking
SA-9.8 - Processing and Storage Location — U.S. Jurisdiction
SA-10 - Developer Configuration Management
7 Subcontrols
SA-10.1 - Software and Firmware Integrity Verification
SA-10.2 - Alternative Configuration Management Processes
SA-10.3 - Hardware Integrity Verification
SA-10.4 - Trusted Generation
SA-10.5 - Mapping Integrity for Version Control
SA-10.6 - Trusted Distribution
SA-10.7 - Security and Privacy Representatives
SA-11 - Developer Testing and Evaluation
9 Subcontrols
SA-11.1 - Static Code Analysis
SA-11.2 - Threat Modeling and Vulnerability Analyses
SA-11.3 - Independent Verification of Assessment Plans and Evidence
SA-11.4 - Manual Code Reviews
SA-11.5 - Penetration Testing
SA-11.6 - Attack Surface Reviews
SA-11.7 - Verify Scope of Testing and Evaluation
SA-11.8 - Dynamic Code Analysis
SA-11.9 - Interactive Application Security Testing
SA-12 - Supply Chain Protection
15 Subcontrols
SA-12.1 - Acquisition Strategies / Tools / Methods
SA-12.2 - Supplier Reviews
SA-12.3 - Trusted Shipping and Warehousing
SA-12.4 - Diversity of Suppliers
SA-12.5 - Limitation of Harm
SA-12.6 - Minimizing Procurement Time
SA-12.7 - Assessments Prior to Selection / Acceptance / Update
SA-12.8 - Use of All-source Intelligence
SA-12.9 - Operations Security
SA-12.10 - Validate as Genuine and Not Altered
SA-12.11 - Penetration Testing / Analysis of Elements, Processes, and Actors
SA-12.12 - Inter-organizational Agreements
SA-12.13 - Critical Information System Components
SA-12.14 - Identity and Traceability
SA-12.15 - Processes to Address Weaknesses or Deficiencies
SA-13 - Trustworthiness
SA-14 - Criticality Analysis
1 Subcontrol
SA-14.1 - Critical Components with No Viable Alternative Sourcing
SA-15 - Development Process, Standards, and Tools
12 Subcontrols
SA-15.1 - Quality Metrics
SA-15.2 - Security and Privacy Tracking Tools
SA-15.3 - Criticality Analysis
SA-15.4 - Threat Modeling and Vulnerability Analysis
SA-15.5 - Attack Surface Reduction
SA-15.6 - Continuous Improvement
SA-15.7 - Automated Vulnerability Analysis
SA-15.8 - Reuse of Threat and Vulnerability Information
SA-15.9 - Use of Live Data
SA-15.10 - Incident Response Plan
SA-15.11 - Archive System or Component
SA-15.12 - Minimize Personally Identifiable Information
SA-16 - Developer-provided Training
SA-17 - Developer Security and Privacy Architecture and Design
9 Subcontrols
SA-17.1 - Formal Policy Model
SA-17.2 - Security-relevant Components
SA-17.3 - Formal Correspondence
SA-17.4 - Informal Correspondence
SA-17.5 - Conceptually Simple Design
SA-17.6 - Structure for Testing
SA-17.7 - Structure for Least Privilege
SA-17.8 - Orchestration
SA-17.9 - Design Diversity
SA-18 - Tamper Resistance and Detection
2 Subcontrols
SA-18.1 - Multiple Phases of System Development Life Cycle
SA-18.2 - Inspection of Systems or Components
SA-19 - Component Authenticity
4 Subcontrols
SA-19.1 - Anti-counterfeit Training
SA-19.2 - Configuration Control for Component Service and Repair
SA-19.3 - Component Disposal
SA-19.4 - Anti-counterfeit Scanning
SA-20 - Customized Development of Critical Components
SA-21 - Developer Screening
1 Subcontrol
SA-21.1 - Validation of Screening
SA-22 - Unsupported System Components
1 Subcontrol
SA-22.1 - Alternative Sources for Continued Support
SA-23 - Specialization
SC - System and Communications Protection
162 Controls
SC-1 - Policy and Procedures
SC-2 - Separation of System and User Functionality
2 Subcontrols
SC-2.1 - Interfaces for Non-privileged Users
SC-2.2 - Disassociability
SC-3 - Security Function Isolation
5 Subcontrols
SC-3.1 - Hardware Separation
SC-3.2 - Access and Flow Control Functions
SC-3.3 - Minimize Nonsecurity Functionality
SC-3.4 - Module Coupling and Cohesiveness
SC-3.5 - Layered Structures
SC-4 - Information in Shared System Resources
2 Subcontrols
SC-4.1 - Security Levels
SC-4.2 - Multilevel or Periods Processing
SC-5 - Denial-of-service Protection
3 Subcontrols
SC-5.1 - Restrict Ability to Attack Other Systems
SC-5.2 - Capacity, Bandwidth, and Redundancy
SC-5.3 - Detection and Monitoring
SC-6 - Resource Availability
SC-7 - Boundary Protection
29 Subcontrols
SC-7.1 - Physically Separated Subnetworks
SC-7.2 - Public Access
SC-7.3 - Access Points
SC-7.4 - External Telecommunications Services
SC-7.5 - Deny by Default — Allow by Exception
SC-7.6 - Response to Recognized Failures
SC-7.7 - Split Tunneling for Remote Devices
SC-7.8 - Route Traffic to Authenticated Proxy Servers
SC-7.9 - Restrict Threatening Outgoing Communications Traffic
SC-7.10 - Prevent Exfiltration
SC-7.11 - Restrict Incoming Communications Traffic
SC-7.12 - Host-based Protection
SC-7.13 - Isolation of Security Tools, Mechanisms, and Support Components
SC-7.14 - Protect Against Unauthorized Physical Connections
SC-7.15 - Networked Privileged Accesses
SC-7.16 - Prevent Discovery of System Components
SC-7.17 - Automated Enforcement of Protocol Formats
SC-7.18 - Fail Secure
SC-7.19 - Block Communication from Non-organizationally Configured Hosts
SC-7.20 - Dynamic Isolation and Segregation
SC-7.21 - Isolation of System Components
SC-7.22 - Separate Subnets for Connecting to Different Security Domains
SC-7.23 - Disable Sender Feedback on Protocol Validation Failure
SC-7.24 - Personally Identifiable Information
SC-7.25 - Unclassified National Security System Connections
SC-7.26 - Classified National Security System Connections
SC-7.27 - Unclassified Non-national Security System Connections
SC-7.28 - Connections to Public Networks
SC-7.29 - Separate Subnets to Isolate Functions
SC-8 - Transmission Confidentiality and Integrity
5 Subcontrols
SC-8.1 - Cryptographic Protection
SC-8.2 - Pre- and Post-transmission Handling
SC-8.3 - Cryptographic Protection for Message Externals
SC-8.4 - Conceal or Randomize Communications
SC-8.5 - Protected Distribution System
SC-9 - Transmission Confidentiality
SC-10 - Network Disconnect
SC-11 - Trusted Path
1 Subcontrol
SC-11.1 - Irrefutable Communications Path
SC-12 - Cryptographic Key Establishment and Management
6 Subcontrols
SC-12.1 - Availability
SC-12.2 - Symmetric Keys
SC-12.3 - Asymmetric Keys
SC-12.4 - PKI Certificates
SC-12.5 - PKI Certificates / Hardware Tokens
SC-12.6 - Physical Control of Keys
SC-13 - Cryptographic Protection
4 Subcontrols
SC-13.1 - FIPS-validated Cryptography
SC-13.2 - NSA-approved Cryptography
SC-13.3 - Individuals Without Formal Access Approvals
SC-13.4 - Digital Signatures
SC-14 - Public Access Protections
SC-15 - Collaborative Computing Devices and Applications
4 Subcontrols
SC-15.1 - Physical or Logical Disconnect
SC-15.2 - Blocking Inbound and Outbound Communications Traffic
SC-15.3 - Disabling and Removal in Secure Work Areas
SC-15.4 - Explicitly Indicate Current Participants
SC-16 - Transmission of Security and Privacy Attributes
3 Subcontrols
SC-16.1 - Integrity Verification
SC-16.2 - Anti-spoofing Mechanisms
SC-16.3 - Cryptographic Binding
SC-17 - Public Key Infrastructure Certificates
SC-18 - Mobile Code
5 Subcontrols
SC-18.1 - Identify Unacceptable Code and Take Corrective Actions
SC-18.2 - Acquisition, Development, and Use
SC-18.3 - Prevent Downloading and Execution
SC-18.4 - Prevent Automatic Execution
SC-18.5 - Allow Execution Only in Confined Environments
SC-19 - Voice Over Internet Protocol
SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
2 Subcontrols
SC-20.1 - Child Subspaces
SC-20.2 - Data Origin and Integrity
SC-21 - Secure Name/Address Resolution Service (Recursive or Caching Resolver)
1 Subcontrol
SC-21.1 - Data Origin and Integrity
SC-22 - Architecture and Provisioning for Name/Address Resolution Service
SC-23 - Session Authenticity
5 Subcontrols
SC-23.1 - Invalidate Session Identifiers at Logout
SC-23.2 - User-initiated Logouts and Message Displays
SC-23.3 - Unique System-generated Session Identifiers
SC-23.4 - Unique Session Identifiers with Randomization
SC-23.5 - Allowed Certificate Authorities
SC-24 - Fail in Known State
SC-25 - Thin Nodes
SC-26 - Decoys
1 Subcontrol
SC-26.1 - Detection of Malicious Code
SC-27 - Platform-independent Applications
SC-28 - Protection of Information at Rest
3 Subcontrols
SC-28.1 - Cryptographic Protection
SC-28.2 - Offline Storage
SC-28.3 - Cryptographic Keys
SC-29 - Heterogeneity
1 Subcontrol
SC-29.1 - Virtualization Techniques
SC-30 - Concealment and Misdirection
5 Subcontrols
SC-30.1 - Virtualization Techniques
SC-30.2 - Randomness
SC-30.3 - Change Processing and Storage Locations
SC-30.4 - Misleading Information
SC-30.5 - Concealment of System Components
SC-31 - Covert Channel Analysis
3 Subcontrols
SC-31.1 - Test Covert Channels for Exploitability
SC-31.2 - Maximum Bandwidth
SC-31.3 - Measure Bandwidth in Operational Environments
SC-32 - System Partitioning
1 Subcontrol
SC-32.1 - Separate Physical Domains for Privileged Functions
SC-33 - Transmission Preparation Integrity
SC-34 - Non-modifiable Executable Programs
3 Subcontrols
SC-34.1 - No Writable Storage
SC-34.2 - Integrity Protection on Read-only Media
SC-34.3 - Hardware-based Protection
SC-35 - External Malicious Code Identification
SC-36 - Distributed Processing and Storage
2 Subcontrols
SC-36.1 - Polling Techniques
SC-36.2 - Synchronization
SC-37 - Out-of-band Channels
1 Subcontrol
SC-37.1 - Ensure Delivery and Transmission
SC-38 - Operations Security
SC-39 - Process Isolation
2 Subcontrols
SC-39.1 - Hardware Separation
SC-39.2 - Separate Execution Domain Per Thread
SC-40 - Wireless Link Protection
4 Subcontrols
SC-40.1 - Electromagnetic Interference
SC-40.2 - Reduce Detection Potential
SC-40.3 - Imitative or Manipulative Communications Deception
SC-40.4 - Signal Parameter Identification
SC-41 - Port and I/O Device Access
SC-42 - Sensor Capability and Data
5 Subcontrols
SC-42.1 - Reporting to Authorized Individuals or Roles
SC-42.2 - Authorized Use
SC-42.3 - Prohibit Use of Devices
SC-42.4 - Notice of Collection
SC-42.5 - Collection Minimization
SC-43 - Usage Restrictions
SC-44 - Detonation Chambers
SC-45 - System Time Synchronization
2 Subcontrols
SC-45.1 - Synchronization with Authoritative Time Source
SC-45.2 - Secondary Authoritative Time Source
SC-46 - Cross Domain Policy Enforcement
SC-47 - Alternate Communications Paths
SC-48 - Sensor Relocation
1 Subcontrol
SC-48.1 - Dynamic Relocation of Sensors or Monitoring Capabilities
SC-49 - Hardware-enforced Separation and Policy Enforcement
SC-50 - Software-enforced Separation and Policy Enforcement
SC-51 - Hardware-based Protection
SI - System and Information Integrity
118 Controls
SI-1 - Policy and Procedures
SI-2 - Flaw Remediation
6 Subcontrols
SI-2.1 - Central Management
SI-2.2 - Automated Flaw Remediation Status
SI-2.3 - Time to Remediate Flaws and Benchmarks for Corrective Actions
SI-2.4 - Automated Patch Management Tools
SI-2.5 - Automatic Software and Firmware Updates
SI-2.6 - Removal of Previous Versions of Software and Firmware
SI-3 - Malicious Code Protection
10 Subcontrols
SI-3.1 - Central Management
SI-3.2 - Automatic Updates
SI-3.3 - Non-privileged Users
SI-3.4 - Updates Only by Privileged Users
SI-3.5 - Portable Storage Devices
SI-3.6 - Testing and Verification
SI-3.7 - Nonsignature-based Detection
SI-3.8 - Detect Unauthorized Commands
SI-3.9 - Authenticate Remote Commands
SI-3.10 - Malicious Code Analysis
SI-4 - System Monitoring
25 Subcontrols
SI-4.1 - System-wide Intrusion Detection System
SI-4.2 - Automated Tools and Mechanisms for Real-time Analysis
SI-4.3 - Automated Tool and Mechanism Integration
SI-4.4 - Inbound and Outbound Communications Traffic
SI-4.5 - System-generated Alerts
SI-4.6 - Restrict Non-privileged Users
SI-4.7 - Automated Response to Suspicious Events
SI-4.8 - Protection of Monitoring Information
SI-4.9 - Testing of Monitoring Tools and Mechanisms
SI-4.10 - Visibility of Encrypted Communications
SI-4.11 - Analyze Communications Traffic Anomalies
SI-4.12 - Automated Organization-generated Alerts
SI-4.13 - Analyze Traffic and Event Patterns
SI-4.14 - Wireless Intrusion Detection
SI-4.15 - Wireless to Wireline Communications
SI-4.16 - Correlate Monitoring Information
SI-4.17 - Integrated Situational Awareness
SI-4.18 - Analyze Traffic and Covert Exfiltration
SI-4.19 - Risk for Individuals
SI-4.20 - Privileged Users
SI-4.21 - Probationary Periods
SI-4.22 - Unauthorized Network Services
SI-4.23 - Host-based Devices
SI-4.24 - Indicators of Compromise
SI-4.25 - Optimize Network Traffic Analysis
SI-5 - Security Alerts, Advisories, and Directives
1 Subcontrol
SI-5.1 - Automated Alerts and Advisories
SI-6 - Security and Privacy Function Verification
3 Subcontrols
SI-6.1 - Notification of Failed Security Tests
SI-6.2 - Automation Support for Distributed Testing
SI-6.3 - Report Verification Results
SI-7 - Software, Firmware, and Information Integrity
17 Subcontrols
SI-7.1 - Integrity Checks
SI-7.2 - Automated Notifications of Integrity Violations
SI-7.3 - Centrally Managed Integrity Tools
SI-7.4 - Tamper-evident Packaging
SI-7.5 - Automated Response to Integrity Violations
SI-7.6 - Cryptographic Protection
SI-7.7 - Integration of Detection and Response
SI-7.8 - Auditing Capability for Significant Events
SI-7.9 - Verify Boot Process
SI-7.10 - Protection of Boot Firmware
SI-7.11 - Confined Environments with Limited Privileges
SI-7.12 - Integrity Verification
SI-7.13 - Code Execution in Protected Environments
SI-7.14 - Binary or Machine Executable Code
SI-7.15 - Code Authentication
SI-7.16 - Time Limit on Process Execution Without Supervision
SI-7.17 - Runtime Application Self-protection
SI-8 - Spam Protection
3 Subcontrols
SI-8.1 - Central Management
SI-8.2 - Automatic Updates
SI-8.3 - Continuous Learning Capability
SI-9 - Information Input Restrictions
SI-10 - Information Input Validation
6 Subcontrols
SI-10.1 - Manual Override Capability
SI-10.2 - Review and Resolve Errors
SI-10.3 - Predictable Behavior
SI-10.4 - Timing Interactions
SI-10.5 - Restrict Inputs to Trusted Sources and Approved Formats
SI-10.6 - Injection Prevention
SI-11 - Error Handling
SI-12 - Information Management and Retention
3 Subcontrols
SI-12.1 - Limit Personally Identifiable Information Elements
SI-12.2 - Minimize Personally Identifiable Information in Testing, Training, and Research
SI-12.3 - Information Disposal
SI-13 - Predictable Failure Prevention
5 Subcontrols
SI-13.1 - Transferring Component Responsibilities
SI-13.2 - Time Limit on Process Execution Without Supervision
SI-13.3 - Manual Transfer Between Components
SI-13.4 - Standby Component Installation and Notification
SI-13.5 - Failover Capability
SI-14 - Non-persistence
3 Subcontrols
SI-14.1 - Refresh from Trusted Sources
SI-14.2 - Non-persistent Information
SI-14.3 - Non-persistent Connectivity
SI-15 - Information Output Filtering
SI-16 - Memory Protection
SI-17 - Fail-safe Procedures
SI-18 - Personally Identifiable Information Quality Operations
5 Subcontrols
SI-18.1 - Automation Support
SI-18.2 - Data Tags
SI-18.3 - Collection
SI-18.4 - Individual Requests
SI-18.5 - Notice of Correction or Deletion
SI-19 - De-identification
8 Subcontrols
SI-19.1 - Collection
SI-19.2 - Archiving
SI-19.3 - Release
SI-19.4 - Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
SI-19.5 - Statistical Disclosure Control
SI-19.6 - Differential Privacy
SI-19.7 - Validated Algorithms and Software
SI-19.8 - Motivated Intruder
SI-20 - Tainting
SI-21 - Information Refresh
SI-22 - Information Diversity
SI-23 - Information Fragmentation
SR - Supply Chain Risk Management
27 Controls
SR-1 - Policy and Procedures
SR-2 - Supply Chain Risk Management Plan
1 Subcontrol
SR-2.1 - Establish SCRM Team
SR-3 - Supply Chain Controls and Processes
3 Subcontrols
SR-3.1 - Diverse Supply Base
SR-3.2 - Limitation of Harm
SR-3.3 - Sub-tier Flow Down
SR-4 - Provenance
4 Subcontrols
SR-4.1 - Identity
SR-4.2 - Track and Trace
SR-4.3 - Validate as Genuine and Not Altered
SR-4.4 - Supply Chain Integrity — Pedigree
SR-5 - Acquisition Strategies, Tools, and Methods
2 Subcontrols
SR-5.1 - Adequate Supply
SR-5.2 - Assessments Prior to Selection, Acceptance, Modification, or Update
SR-6 - Supplier Assessments and Reviews
1 Subcontrol
SR-6.1 - Testing and Analysis
SR-7 - Supply Chain Operations Security
SR-8 - Notification Agreements
SR-9 - Tamper Resistance and Detection
1 Subcontrol
SR-9.1 - Multiple Stages of System Development Life Cycle
SR-10 - Inspection of Systems or Components
SR-11 - Component Authenticity
3 Subcontrols
SR-11.1 - Anti-counterfeit Training
SR-11.2 - Configuration Control for Component Service and Repair
SR-11.3 - Anti-counterfeit Scanning
SR-12 - Component Disposal