NIST SP 800-531196
NIST_SP_800_53
Requirements in this framework
- AC-1: Policy and Procedures
- AC-10: Concurrent Session Control
- AC-11: Device Lock
- AC-11(1): Pattern-hiding Displays
- AC-12: Session Termination
- AC-12(1): User-initiated Logouts
- AC-12(2): Termination Message
- AC-12(3): Timeout Warning Message
- AC-13: Supervision and Review — Access Control
- AC-14: Permitted Actions Without Identification or Authentication
- AC-14(1): Necessary Uses
- AC-15: Automated Marking
- AC-16: Security and Privacy Attributes
- AC-16(1): Dynamic Attribute Association
- AC-16(10): Attribute Configuration by Authorized Individuals
- AC-16(2): Attribute Value Changes by Authorized Individuals
- AC-16(3): Maintenance of Attribute Associations by System
- AC-16(4): Association of Attributes by Authorized Individuals
- AC-16(5): Attribute Displays on Objects to Be Output
- AC-16(6): Maintenance of Attribute Association
- AC-16(7): Consistent Attribute Interpretation
- AC-16(8): Association Techniques and Technologies
- AC-16(9): Attribute Reassignment — Regrading Mechanisms
- AC-17: Remote Access
- AC-17(1): Monitoring and Control
- AC-17(10): Authenticate Remote Commands
- AC-17(2): Protection of Confidentiality and Integrity Using Encryption
- AC-17(3): Managed Access Control Points
- AC-17(4): Privileged Commands and Access
- AC-17(5): Monitoring for Unauthorized Connections
- AC-17(6): Protection of Mechanism Information
- AC-17(7): Additional Protection for Security Function Access
- AC-17(8): Disable Nonsecure Network Protocols
- AC-17(9): Disconnect or Disable Access
- AC-18: Wireless Access
- AC-18(1): Authentication and Encryption
- AC-18(2): Monitoring Unauthorized Connections
- AC-18(3): Disable Wireless Networking
- AC-18(4): Restrict Configurations by Users
- AC-18(5): Antennas and Transmission Power Levels
- AC-19: Access Control for Mobile Devices
- AC-19(1): Use of Writable and Portable Storage Devices
- AC-19(2): Use of Personally Owned Portable Storage Devices
- AC-19(3): Use of Portable Storage Devices with No Identifiable Owner
- AC-19(4): Restrictions for Classified Information
- AC-19(5): Full Device or Container-based Encryption
- AC-2: Account Management
- AC-2(1): Automated System Account Management
- AC-2(10): Shared and Group Account Credential Change
- AC-2(11): Usage Conditions
- AC-2(12): Account Monitoring for Atypical Usage
- AC-2(13): Disable Accounts for High-risk Individuals
- AC-2(2): Automated Temporary and Emergency Account Management
- AC-2(3): Disable Accounts
- AC-2(4): Automated Audit Actions
- AC-2(5): Inactivity Logout
- AC-2(6): Dynamic Privilege Management
- AC-2(7): Privileged User Accounts
- AC-2(8): Dynamic Account Management
- AC-2(9): Restrictions on Use of Shared and Group Accounts
- AC-20: Use of External Systems
- AC-20(1): Limits on Authorized Use
- AC-20(2): Portable Storage Devices — Restricted Use
- AC-20(3): Non-organizationally Owned Systems — Restricted Use
- AC-20(4): Network Accessible Storage Devices — Prohibited Use
- AC-20(5): Portable Storage Devices — Prohibited Use
- AC-21: Information Sharing
- AC-21(1): Automated Decision Support
- AC-21(2): Information Search and Retrieval
- AC-22: Publicly Accessible Content
- AC-23: Data Mining Protection
- AC-24: Access Control Decisions
- AC-24(1): Transmit Access Authorization Information
- AC-24(2): No User or Process Identity
- AC-25: Reference Monitor
- AC-3: Access Enforcement
- AC-3(1): Restricted Access to Privileged Functions
- AC-3(10): Audited Override of Access Control Mechanisms
- AC-3(11): Restrict Access to Specific Information Types
- AC-3(12): Assert and Enforce Application Access
- AC-3(13): Attribute-based Access Control
- AC-3(14): Individual Access
- AC-3(15): Discretionary and Mandatory Access Control
- AC-3(2): Dual Authorization
- AC-3(3): Mandatory Access Control
- AC-3(4): Discretionary Access Control
- AC-3(5): Security-relevant Information
- AC-3(6): Protection of User and System Information
- AC-3(7): Role-based Access Control
- AC-3(8): Revocation of Access Authorizations
- AC-3(9): Controlled Release
- AC-4: Information Flow Enforcement
- AC-4(1): Object Security and Privacy Attributes
- AC-4(10): Enable and Disable Security or Privacy Policy Filters
- AC-4(11): Configuration of Security or Privacy Policy Filters
- AC-4(12): Data Type Identifiers
- AC-4(13): Decomposition into Policy-relevant Subcomponents
- AC-4(14): Security or Privacy Policy Filter Constraints
- AC-4(15): Detection of Unsanctioned Information
- AC-4(16): Information Transfers on Interconnected Systems
- AC-4(17): Domain Authentication
- AC-4(18): Security Attribute Binding
- AC-4(19): Validation of Metadata
- AC-4(2): Processing Domains
- AC-4(20): Approved Solutions
- AC-4(21): Physical or Logical Separation of Information Flows
- AC-4(22): Access Only
- AC-4(23): Modify Non-releasable Information
- AC-4(24): Internal Normalized Format
- AC-4(25): Data Sanitization
- AC-4(26): Audit Filtering Actions
- AC-4(27): Redundant/Independent Filtering Mechanisms
- AC-4(28): Linear Filter Pipelines
- AC-4(29): Filter Orchestration Engines
- AC-4(3): Dynamic Information Flow Control
- AC-4(30): Filter Mechanisms Using Multiple Processes
- AC-4(31): Failed Content Transfer Prevention
- AC-4(32): Process Requirements for Information Transfer
- AC-4(4): Flow Control of Encrypted Information
- AC-4(5): Embedded Data Types
- AC-4(6): Metadata
- AC-4(7): One-way Flow Mechanisms
- AC-4(8): Security and Privacy Policy Filters
- AC-4(9): Human Reviews
- AC-5: Separation of Duties
- AC-6: Least Privilege
- AC-6(1): Authorize Access to Security Functions
- AC-6(10): Prohibit Non-privileged Users from Executing Privileged Functions
- AC-6(2): Non-privileged Access for Nonsecurity Functions
- AC-6(3): Network Access to Privileged Commands
- AC-6(4): Separate Processing Domains
- AC-6(5): Privileged Accounts
- AC-6(6): Privileged Access by Non-organizational Users
- AC-6(7): Review of User Privileges
- AC-6(8): Privilege Levels for Code Execution
- AC-6(9): Log Use of Privileged Functions
- AC-7: Unsuccessful Logon Attempts
- AC-7(1): Automatic Account Lock
- AC-7(2): Purge or Wipe Mobile Device
- AC-7(3): Biometric Attempt Limiting
- AC-7(4): Use of Alternate Authentication Factor
- AC-8: System Use Notification
- AC-9: Previous Logon Notification
- AC-9(1): Unsuccessful Logons
- AC-9(2): Successful and Unsuccessful Logons
- AC-9(3): Notification of Account Changes
- AC-9(4): Additional Logon Information
- AT-1: Policy and Procedures
- AT-2: Literacy Training and Awareness
- AT-2(1): Practical Exercises
- AT-2(2): Insider Threat
- AT-2(3): Social Engineering and Mining
- AT-2(4): Suspicious Communications and Anomalous System Behavior
- AT-2(5): Advanced Persistent Threat
- AT-2(6): Cyber Threat Environment
- AT-3: Role-based Training
- AT-3(1): Environmental Controls
- AT-3(2): Physical Security Controls
- AT-3(3): Practical Exercises
- AT-3(4): Suspicious Communications and Anomalous System Behavior
- AT-3(5): Processing Personally Identifiable Information
- AT-4: Training Records
- AT-5: Contacts with Security Groups and Associations
- AT-6: Training Feedback
- AU-1: Policy and Procedures
- AU-10: Non-repudiation
- AU-10(1): Association of Identities
- AU-10(2): Validate Binding of Information Producer Identity
- AU-10(3): Chain of Custody
- AU-10(4): Validate Binding of Information Reviewer Identity
- AU-10(5): Digital Signatures
- AU-11: Audit Record Retention
- AU-11(1): Long-term Retrieval Capability
- AU-12: Audit Record Generation
- AU-12(1): System-wide and Time-correlated Audit Trail
- AU-12(2): Standardized Formats
- AU-12(3): Changes by Authorized Individuals
- AU-12(4): Query Parameter Audits of Personally Identifiable Information
- AU-13: Monitoring for Information Disclosure
- AU-13(1): Use of Automated Tools
- AU-13(2): Review of Monitored Sites
- AU-13(3): Unauthorized Replication of Information
- AU-14: Session Audit
- AU-14(1): System Start-up
- AU-14(2): Capture and Record Content
- AU-14(3): Remote Viewing and Listening
- AU-15: Alternate Audit Logging Capability
- AU-16: Cross-organizational Audit Logging
- AU-16(1): Identity Preservation
- AU-16(2): Sharing of Audit Information
- AU-16(3): Disassociability
- AU-2: Event Logging
- AU-2(1): Compilation of Audit Records from Multiple Sources
- AU-2(2): Selection of Audit Events by Component
- AU-2(3): Reviews and Updates
- AU-2(4): Privileged Functions
- AU-3: Content of Audit Records
- AU-3(1): Additional Audit Information
- AU-3(2): Centralized Management of Planned Audit Record Content
- AU-3(3): Limit Personally Identifiable Information Elements
- AU-4: Audit Log Storage Capacity
- AU-4(1): Transfer to Alternate Storage
- AU-5: Response to Audit Logging Process Failures
- AU-5(1): Storage Capacity Warning
- AU-5(2): Real-time Alerts
- AU-5(3): Configurable Traffic Volume Thresholds
- AU-5(4): Shutdown on Failure
- AU-5(5): Alternate Audit Logging Capability
- AU-6: Audit Record Review, Analysis, and Reporting
- AU-6(1): Automated Process Integration
- AU-6(10): Audit Level Adjustment
- AU-6(2): Automated Security Alerts
- AU-6(3): Correlate Audit Record Repositories
- AU-6(4): Central Review and Analysis
- AU-6(5): Integrated Analysis of Audit Records
- AU-6(6): Correlation with Physical Monitoring
- AU-6(7): Permitted Actions
- AU-6(8): Full Text Analysis of Privileged Commands
- AU-6(9): Correlation with Information from Nontechnical Sources
- AU-7: Audit Record Reduction and Report Generation
- AU-7(1): Automatic Processing
- AU-7(2): Automatic Sort and Search
- AU-8: Time Stamps
- AU-8(1): Synchronization with Authoritative Time Source
- AU-8(2): Secondary Authoritative Time Source
- AU-9: Protection of Audit Information
- AU-9(1): Hardware Write-once Media
- AU-9(2): Store on Separate Physical Systems or Components
- AU-9(3): Cryptographic Protection
- AU-9(4): Access by Subset of Privileged Users
- AU-9(5): Dual Authorization
- AU-9(6): Read-only Access
- AU-9(7): Store on Component with Different Operating System
- CA-1: Policy and Procedures
- CA-2: Control Assessments
- CA-2(1): Independent Assessors
- CA-2(2): Specialized Assessments
- CA-2(3): Leveraging Results from External Organizations
- CA-3: Information Exchange
- CA-3(1): Unclassified National Security System Connections
- CA-3(2): Classified National Security System Connections
- CA-3(3): Unclassified Non-national Security System Connections
- CA-3(4): Connections to Public Networks
- CA-3(5): Restrictions on External System Connections
- CA-3(6): Transfer Authorizations
- CA-3(7): Transitive Information Exchanges
- CA-4: Security Certification
- CA-5: Plan of Action and Milestones
- CA-5(1): Automation Support for Accuracy and Currency
- CA-6: Authorization
- CA-6(1): Joint Authorization — Intra-organization
- CA-6(2): Joint Authorization — Inter-organization
- CA-7: Continuous Monitoring
- CA-7(1): Independent Assessment
- CA-7(2): Types of Assessments
- CA-7(3): Trend Analyses
- CA-7(4): Risk Monitoring
- CA-7(5): Consistency Analysis
- CA-7(6): Automation Support for Monitoring
- CA-8: Penetration Testing
- CA-8(1): Independent Penetration Testing Agent or Team
- CA-8(2): Red Team Exercises
- CA-8(3): Facility Penetration Testing
- CA-9: Internal System Connections
- CA-9(1): Compliance Checks
- CM-1: Policy and Procedures
- CM-10: Software Usage Restrictions
- CM-10(1): Open-source Software
- CM-11: User-installed Software
- CM-11(1): Alerts for Unauthorized Installations
- CM-11(2): Software Installation with Privileged Status
- CM-11(3): Automated Enforcement and Monitoring
- CM-12: Information Location
- CM-12(1): Automated Tools to Support Information Location
- CM-13: Data Action Mapping
- CM-14: Signed Components
- CM-2: Baseline Configuration
- CM-2(1): Reviews and Updates
- CM-2(2): Automation Support for Accuracy and Currency
- CM-2(3): Retention of Previous Configurations
- CM-2(4): Unauthorized Software
- CM-2(5): Authorized Software
- CM-2(6): Development and Test Environments
- CM-2(7): Configure Systems and Components for High-risk Areas
- CM-3: Configuration Change Control
- CM-3(1): Automated Documentation, Notification, and Prohibition of Changes
- CM-3(2): Testing, Validation, and Documentation of Changes
- CM-3(3): Automated Change Implementation
- CM-3(4): Security and Privacy Representatives
- CM-3(5): Automated Security Response
- CM-3(6): Cryptography Management
- CM-3(7): Review System Changes
- CM-3(8): Prevent or Restrict Configuration Changes
- CM-4: Impact Analyses
- CM-4(1): Separate Test Environments
- CM-4(2): Verification of Controls
- CM-5: Access Restrictions for Change
- CM-5(1): Automated Access Enforcement and Audit Records
- CM-5(2): Review System Changes
- CM-5(3): Signed Components
- CM-5(4): Dual Authorization
- CM-5(5): Privilege Limitation for Production and Operation
- CM-5(6): Limit Library Privileges
- CM-5(7): Automatic Implementation of Security Safeguards
- CM-6: Configuration Settings
- CM-6(1): Automated Management, Application, and Verification
- CM-6(2): Respond to Unauthorized Changes
- CM-6(3): Unauthorized Change Detection
- CM-6(4): Conformance Demonstration
- CM-7: Least Functionality
- CM-7(1): Periodic Review
- CM-7(2): Prevent Program Execution
- CM-7(3): Registration Compliance
- CM-7(4): Unauthorized Software — Deny-by-exception
- CM-7(5): Authorized Software — Allow-by-exception
- CM-7(6): Confined Environments with Limited Privileges
- CM-7(7): Code Execution in Protected Environments
- CM-7(8): Binary or Machine Executable Code
- CM-7(9): Prohibiting The Use of Unauthorized Hardware
- CM-8: System Component Inventory
- CM-8(1): Updates During Installation and Removal
- CM-8(2): Automated Maintenance
- CM-8(3): Automated Unauthorized Component Detection
- CM-8(4): Accountability Information
- CM-8(5): No Duplicate Accounting of Components
- CM-8(6): Assessed Configurations and Approved Deviations
- CM-8(7): Centralized Repository
- CM-8(8): Automated Location Tracking
- CM-8(9): Assignment of Components to Systems
- CM-9: Configuration Management Plan
- CM-9(1): Assignment of Responsibility
- CP-1: Policy and Procedures
- CP-10: System Recovery and Reconstitution
- CP-10(1): Contingency Plan Testing
- CP-10(2): Transaction Recovery
- CP-10(3): Compensating Security Controls
- CP-10(4): Restore Within Time Period
- CP-10(5): Failover Capability
- CP-10(6): Component Protection
- CP-11: Alternate Communications Protocols
- CP-12: Safe Mode
- CP-13: Alternative Security Mechanisms
- CP-2: Contingency Plan
- CP-2(1): Coordinate with Related Plans
- CP-2(2): Capacity Planning
- CP-2(3): Resume Mission and Business Functions
- CP-2(4): Resume All Mission and Business Functions
- CP-2(5): Continue Mission and Business Functions
- CP-2(6): Alternate Processing and Storage Sites
- CP-2(7): Coordinate with External Service Providers
- CP-2(8): Identify Critical Assets
- CP-3: Contingency Training
- CP-3(1): Simulated Events
- CP-3(2): Mechanisms Used in Training Environments
- CP-4: Contingency Plan Testing
- CP-4(1): Coordinate with Related Plans
- CP-4(2): Alternate Processing Site
- CP-4(3): Automated Testing
- CP-4(4): Full Recovery and Reconstitution
- CP-4(5): Self-challenge
- CP-5: Contingency Plan Update
- CP-6: Alternate Storage Site
- CP-6(1): Separation from Primary Site
- CP-6(2): Recovery Time and Recovery Point Objectives
- CP-6(3): Accessibility
- CP-7: Alternate Processing Site
- CP-7(1): Separation from Primary Site
- CP-7(2): Accessibility
- CP-7(3): Priority of Service
- CP-7(4): Preparation for Use
- CP-7(5): Equivalent Information Security Safeguards
- CP-7(6): Inability to Return to Primary Site
- CP-8: Telecommunications Services
- CP-8(1): Priority of Service Provisions
- CP-8(2): Single Points of Failure
- CP-8(3): Separation of Primary and Alternate Providers
- CP-8(4): Provider Contingency Plan
- CP-8(5): Alternate Telecommunication Service Testing
- CP-9: System Backup
- CP-9(1): Testing for Reliability and Integrity
- CP-9(2): Test Restoration Using Sampling
- CP-9(3): Separate Storage for Critical Information
- CP-9(4): Protection from Unauthorized Modification
- CP-9(5): Transfer to Alternate Storage Site
- CP-9(6): Redundant Secondary System
- CP-9(7): Dual Authorization for Deletion or Destruction
- CP-9(8): Cryptographic Protection
- IA-1: Policy and Procedures
- IA-10: Adaptive Authentication
- IA-11: Re-authentication
- IA-12: Identity Proofing
- IA-12(1): Supervisor Authorization
- IA-12(2): Identity Evidence
- IA-12(3): Identity Evidence Validation and Verification
- IA-12(4): In-person Validation and Verification
- IA-12(5): Address Confirmation
- IA-12(6): Accept Externally-proofed Identities
- IA-13: Identity Providers and Authorization Servers
- IA-13(1): Protection of Cryptographic Keys
- IA-13(2): Verification of Identity Assertions and Access Tokens
- IA-13(3): Token Management
- IA-2: Identification and Authentication (Organizational Users)
- IA-2(1): Multi-factor Authentication to Privileged Accounts
- IA-2(10): Single Sign-on
- IA-2(11): Remote Access — Separate Device
- IA-2(12): Acceptance of PIV Credentials
- IA-2(13): Out-of-band Authentication
- IA-2(2): Multi-factor Authentication to Non-privileged Accounts
- IA-2(3): Local Access to Privileged Accounts
- IA-2(4): Local Access to Non-privileged Accounts
- IA-2(5): Individual Authentication with Group Authentication
- IA-2(6): Access to Accounts —separate Device
- IA-2(7): Network Access to Non-privileged Accounts — Separate Device
- IA-2(8): Access to Accounts — Replay Resistant
- IA-2(9): Network Access to Non-privileged Accounts — Replay Resistant
- IA-3: Device Identification and Authentication
- IA-3(1): Cryptographic Bidirectional Authentication
- IA-3(2): Cryptographic Bidirectional Network Authentication
- IA-3(3): Dynamic Address Allocation
- IA-3(4): Device Attestation
- IA-4: Identifier Management
- IA-4(1): Prohibit Account Identifiers as Public Identifiers
- IA-4(2): Supervisor Authorization
- IA-4(3): Multiple Forms of Certification
- IA-4(4): Identify User Status
- IA-4(5): Dynamic Management
- IA-4(6): Cross-organization Management
- IA-4(7): In-person Registration
- IA-4(8): Pairwise Pseudonymous Identifiers
- IA-4(9): Attribute Maintenance and Protection
- IA-5: Authenticator Management
- IA-5(1): Password-based Authentication
- IA-5(10): Dynamic Credential Binding
- IA-5(11): Hardware Token-based Authentication
- IA-5(12): Biometric Authentication Performance
- IA-5(13): Expiration of Cached Authenticators
- IA-5(14): Managing Content of PKI Trust Stores
- IA-5(15): GSA-approved Products and Services
- IA-5(16): In-person or Trusted External Party Authenticator Issuance
- IA-5(17): Presentation Attack Detection for Biometric Authenticators
- IA-5(18): Password Managers
- IA-5(2): Public Key-based Authentication
- IA-5(3): In-person or Trusted External Party Registration
- IA-5(4): Automated Support for Password Strength Determination
- IA-5(5): Change Authenticators Prior to Delivery
- IA-5(6): Protection of Authenticators
- IA-5(7): No Embedded Unencrypted Static Authenticators
- IA-5(8): Multiple System Accounts
- IA-5(9): Federated Credential Management
- IA-6: Authentication Feedback
- IA-7: Cryptographic Module Authentication
- IA-8: Identification and Authentication (Non-organizational Users)
- IA-8(1): Acceptance of PIV Credentials from Other Agencies
- IA-8(2): Acceptance of External Authenticators
- IA-8(3): Use of FICAM-approved Products
- IA-8(4): Use of Defined Profiles
- IA-8(5): Acceptance of PIV-I Credentials
- IA-8(6): Disassociability
- IA-9: Service Identification and Authentication
- IA-9(1): Information Exchange
- IA-9(2): Transmission of Decisions
- IR-1: Policy and Procedures
- IR-10: Integrated Information Security Analysis Team
- IR-2: Incident Response Training
- IR-2(1): Simulated Events
- IR-2(2): Automated Training Environments
- IR-2(3): Breach
- IR-3: Incident Response Testing
- IR-3(1): Automated Testing
- IR-3(2): Coordination with Related Plans
- IR-3(3): Continuous Improvement
- IR-4: Incident Handling
- IR-4(1): Automated Incident Handling Processes
- IR-4(10): Supply Chain Coordination
- IR-4(11): Integrated Incident Response Team
- IR-4(12): Malicious Code and Forensic Analysis
- IR-4(13): Behavior Analysis
- IR-4(14): Security Operations Center
- IR-4(15): Public Relations and Reputation Repair
- IR-4(2): Dynamic Reconfiguration
- IR-4(3): Continuity of Operations
- IR-4(4): Information Correlation
- IR-4(5): Automatic Disabling of System
- IR-4(6): Insider Threats
- IR-4(7): Insider Threats — Intra-organization Coordination
- IR-4(8): Correlation with External Organizations
- IR-4(9): Dynamic Response Capability
- IR-5: Incident Monitoring
- IR-5(1): Automated Tracking, Data Collection, and Analysis
- IR-6: Incident Reporting
- IR-6(1): Automated Reporting
- IR-6(2): Vulnerabilities Related to Incidents
- IR-6(3): Supply Chain Coordination
- IR-7: Incident Response Assistance
- IR-7(1): Automation Support for Availability of Information and Support
- IR-7(2): Coordination with External Providers
- IR-8: Incident Response Plan
- IR-8(1): Breaches
- IR-9: Information Spillage Response
- IR-9(1): Responsible Personnel
- IR-9(2): Training
- IR-9(3): Post-spill Operations
- IR-9(4): Exposure to Unauthorized Personnel
- MA-1: Policy and Procedures
- MA-2: Controlled Maintenance
- MA-2(1): Record Content
- MA-2(2): Automated Maintenance Activities
- MA-3: Maintenance Tools
- MA-3(1): Inspect Tools
- MA-3(2): Inspect Media
- MA-3(3): Prevent Unauthorized Removal
- MA-3(4): Restricted Tool Use
- MA-3(5): Execution with Privilege
- MA-3(6): Software Updates and Patches
- MA-4: Nonlocal Maintenance
- MA-4(1): Logging and Review
- MA-4(2): Document Nonlocal Maintenance
- MA-4(3): Comparable Security and Sanitization
- MA-4(4): Authentication and Separation of Maintenance Sessions
- MA-4(5): Approvals and Notifications
- MA-4(6): Cryptographic Protection
- MA-4(7): Disconnect Verification
- MA-5: Maintenance Personnel
- MA-5(1): Individuals Without Appropriate Access
- MA-5(2): Security Clearances for Classified Systems
- MA-5(3): Citizenship Requirements for Classified Systems
- MA-5(4): Foreign Nationals
- MA-5(5): Non-system Maintenance
- MA-6: Timely Maintenance
- MA-6(1): Preventive Maintenance
- MA-6(2): Predictive Maintenance
- MA-6(3): Automated Support for Predictive Maintenance
- MA-7: Field Maintenance
- MP-1: Policy and Procedures
- MP-2: Media Access
- MP-2(1): Automated Restricted Access
- MP-2(2): Cryptographic Protection
- MP-3: Media Marking
- MP-4: Media Storage
- MP-4(1): Cryptographic Protection
- MP-4(2): Automated Restricted Access
- MP-5: Media Transport
- MP-5(1): Protection Outside of Controlled Areas
- MP-5(2): Documentation of Activities
- MP-5(3): Custodians
- MP-5(4): Cryptographic Protection
- MP-6: Media Sanitization
- MP-6(1): Review, Approve, Track, Document, and Verify
- MP-6(2): Equipment Testing
- MP-6(3): Nondestructive Techniques
- MP-6(4): Controlled Unclassified Information
- MP-6(5): Classified Information
- MP-6(6): Media Destruction
- MP-6(7): Dual Authorization
- MP-6(8): Remote Purging or Wiping of Information
- MP-7: Media Use
- MP-7(1): Prohibit Use Without Owner
- MP-7(2): Prohibit Use of Sanitization-resistant Media
- MP-8: Media Downgrading
- MP-8(1): Documentation of Process
- MP-8(2): Equipment Testing
- MP-8(3): Controlled Unclassified Information
- MP-8(4): Classified Information
- PE-1: Policy and Procedures
- PE-10: Emergency Shutoff
- PE-10(1): Accidental and Unauthorized Activation
- PE-11: Emergency Power
- PE-11(1): Alternate Power Supply — Minimal Operational Capability
- PE-11(2): Alternate Power Supply — Self-contained
- PE-12: Emergency Lighting
- PE-12(1): Essential Mission and Business Functions
- PE-13: Fire Protection
- PE-13(1): Detection Systems — Automatic Activation and Notification
- PE-13(2): Suppression Systems — Automatic Activation and Notification
- PE-13(3): Automatic Fire Suppression
- PE-13(4): Inspections
- PE-14: Environmental Controls
- PE-14(1): Automatic Controls
- PE-14(2): Monitoring with Alarms and Notifications
- PE-15: Water Damage Protection
- PE-15(1): Automation Support
- PE-16: Delivery and Removal
- PE-17: Alternate Work Site
- PE-18: Location of System Components
- PE-18(1): Facility Site
- PE-19: Information Leakage
- PE-19(1): National Emissions Policies and Procedures
- PE-2: Physical Access Authorizations
- PE-2(1): Access by Position or Role
- PE-2(2): Two Forms of Identification
- PE-2(3): Restrict Unescorted Access
- PE-20: Asset Monitoring and Tracking
- PE-21: Electromagnetic Pulse Protection
- PE-22: Component Marking
- PE-23: Facility Location
- PE-3: Physical Access Control
- PE-3(1): System Access
- PE-3(2): Facility and Systems
- PE-3(3): Continuous Guards
- PE-3(4): Lockable Casings
- PE-3(5): Tamper Protection
- PE-3(6): Facility Penetration Testing
- PE-3(7): Physical Barriers
- PE-3(8): Access Control Vestibules
- PE-4: Access Control for Transmission
- PE-5: Access Control for Output Devices
- PE-5(1): Access to Output by Authorized Individuals
- PE-5(2): Link to Individual Identity
- PE-5(3): Marking Output Devices
- PE-6: Monitoring Physical Access
- PE-6(1): Intrusion Alarms and Surveillance Equipment
- PE-6(2): Automated Intrusion Recognition and Responses
- PE-6(3): Video Surveillance
- PE-6(4): Monitoring Physical Access to Systems
- PE-7: Visitor Control
- PE-8: Visitor Access Records
- PE-8(1): Automated Records Maintenance and Review
- PE-8(2): Physical Access Records
- PE-8(3): Limit Personally Identifiable Information Elements
- PE-9: Power Equipment and Cabling
- PE-9(1): Redundant Cabling
- PE-9(2): Automatic Voltage Controls
- PL-1: Policy and Procedures
- PL-10: Baseline Selection
- PL-11: Baseline Tailoring
- PL-2: System Security and Privacy Plans
- PL-2(1): Concept of Operations
- PL-2(2): Functional Architecture
- PL-2(3): Plan and Coordinate with Other Organizational Entities
- PL-3: System Security Plan Update
- PL-4: Rules of Behavior
- PL-4(1): Social Media and External Site/Application Usage Restrictions
- PL-5: Privacy Impact Assessment
- PL-6: Security-related Activity Planning
- PL-7: Concept of Operations
- PL-8: Security and Privacy Architectures
- PL-8(1): Defense in Depth
- PL-8(2): Supplier Diversity
- PL-9: Central Management
- PM-1: Information Security Program Plan
- PM-10: Authorization Process
- PM-11: Mission and Business Process Definition
- PM-12: Insider Threat Program
- PM-13: Security and Privacy Workforce
- PM-14: Testing, Training, and Monitoring
- PM-15: Security and Privacy Groups and Associations
- PM-16: Threat Awareness Program
- PM-16(1): Automated Means for Sharing Threat Intelligence
- PM-17: Protecting Controlled Unclassified Information on External Systems
- PM-18: Privacy Program Plan
- PM-19: Privacy Program Leadership Role
- PM-2: Information Security Program Leadership Role
- PM-20: Dissemination of Privacy Program Information
- PM-20(1): Privacy Policies on Websites, Applications, and Digital Services
- PM-21: Accounting of Disclosures
- PM-22: Personally Identifiable Information Quality Management
- PM-23: Data Governance Body
- PM-24: Data Integrity Board
- PM-25: Minimization of Personally Identifiable Information Used in Testing, Training, and Research
- PM-26: Complaint Management
- PM-27: Privacy Reporting
- PM-28: Risk Framing
- PM-29: Risk Management Program Leadership Roles
- PM-3: Information Security and Privacy Resources
- PM-30: Supply Chain Risk Management Strategy
- PM-30(1): Suppliers of Critical or Mission-essential Items
- PM-31: Continuous Monitoring Strategy
- PM-32: Purposing
- PM-4: Plan of Action and Milestones Process
- PM-5: System Inventory
- PM-5(1): Inventory of Personally Identifiable Information
- PM-6: Measures of Performance
- PM-7: Enterprise Architecture
- PM-7(1): Offloading
- PM-8: Critical Infrastructure Plan
- PM-9: Risk Management Strategy
- PS-1: Policy and Procedures
- PS-2: Position Risk Designation
- PS-3: Personnel Screening
- PS-3(1): Classified Information
- PS-3(2): Formal Indoctrination
- PS-3(3): Information Requiring Special Protective Measures
- PS-3(4): Citizenship Requirements
- PS-4: Personnel Termination
- PS-4(1): Post-employment Requirements
- PS-4(2): Automated Actions
- PS-5: Personnel Transfer
- PS-6: Access Agreements
- PS-6(1): Information Requiring Special Protection
- PS-6(2): Classified Information Requiring Special Protection
- PS-6(3): Post-employment Requirements
- PS-7: External Personnel Security
- PS-8: Personnel Sanctions
- PS-9: Position Descriptions
- PT-1: Policy and Procedures
- PT-2: Authority to Process Personally Identifiable Information
- PT-2(1): Data Tagging
- PT-2(2): Automation
- PT-3: Personally Identifiable Information Processing Purposes
- PT-3(1): Data Tagging
- PT-3(2): Automation
- PT-4: Consent
- PT-4(1): Tailored Consent
- PT-4(2): Just-in-time Consent
- PT-4(3): Revocation
- PT-5: Privacy Notice
- PT-5(1): Just-in-time Notice
- PT-5(2): Privacy Act Statements
- PT-6: System of Records Notice
- PT-6(1): Routine Uses
- PT-6(2): Exemption Rules
- PT-7: Specific Categories of Personally Identifiable Information
- PT-7(1): Social Security Numbers
- PT-7(2): First Amendment Information
- PT-8: Computer Matching Requirements
- RA-1: Policy and Procedures
- RA-10: Threat Hunting
- RA-2: Security Categorization
- RA-2(1): Impact-level Prioritization
- RA-3: Risk Assessment
- RA-3(1): Supply Chain Risk Assessment
- RA-3(2): Use of All-source Intelligence
- RA-3(3): Dynamic Threat Awareness
- RA-3(4): Predictive Cyber Analytics
- RA-4: Risk Assessment Update
- RA-5: Vulnerability Monitoring and Scanning
- RA-5(1): Update Tool Capability
- RA-5(10): Correlate Scanning Information
- RA-5(11): Public Disclosure Program
- RA-5(2): Update Vulnerabilities to Be Scanned
- RA-5(3): Breadth and Depth of Coverage
- RA-5(4): Discoverable Information
- RA-5(5): Privileged Access
- RA-5(6): Automated Trend Analyses
- RA-5(7): Automated Detection and Notification of Unauthorized Components
- RA-5(8): Review Historic Audit Logs
- RA-5(9): Penetration Testing and Analyses
- RA-6: Technical Surveillance Countermeasures Survey
- RA-7: Risk Response
- RA-8: Privacy Impact Assessments
- RA-9: Criticality Analysis
- SA-1: Policy and Procedures
- SA-10: Developer Configuration Management
- SA-10(1): Software and Firmware Integrity Verification
- SA-10(2): Alternative Configuration Management Processes
- SA-10(3): Hardware Integrity Verification
- SA-10(4): Trusted Generation
- SA-10(5): Mapping Integrity for Version Control
- SA-10(6): Trusted Distribution
- SA-10(7): Security and Privacy Representatives
- SA-11: Developer Testing and Evaluation
- SA-11(1): Static Code Analysis
- SA-11(2): Threat Modeling and Vulnerability Analyses
- SA-11(3): Independent Verification of Assessment Plans and Evidence
- SA-11(4): Manual Code Reviews
- SA-11(5): Penetration Testing
- SA-11(6): Attack Surface Reviews
- SA-11(7): Verify Scope of Testing and Evaluation
- SA-11(8): Dynamic Code Analysis
- SA-11(9): Interactive Application Security Testing
- SA-12: Supply Chain Protection
- SA-12(1): Acquisition Strategies / Tools / Methods
- SA-12(10): Validate as Genuine and Not Altered
- SA-12(11): Penetration Testing / Analysis of Elements, Processes, and Actors
- SA-12(12): Inter-organizational Agreements
- SA-12(13): Critical Information System Components
- SA-12(14): Identity and Traceability
- SA-12(15): Processes to Address Weaknesses or Deficiencies
- SA-12(2): Supplier Reviews
- SA-12(3): Trusted Shipping and Warehousing
- SA-12(4): Diversity of Suppliers
- SA-12(5): Limitation of Harm
- SA-12(6): Minimizing Procurement Time
- SA-12(7): Assessments Prior to Selection / Acceptance / Update
- SA-12(8): Use of All-source Intelligence
- SA-12(9): Operations Security
- SA-13: Trustworthiness
- SA-14: Criticality Analysis
- SA-14(1): Critical Components with No Viable Alternative Sourcing
- SA-15: Development Process, Standards, and Tools
- SA-15(1): Quality Metrics
- SA-15(10): Incident Response Plan
- SA-15(11): Archive System or Component
- SA-15(12): Minimize Personally Identifiable Information
- SA-15(13): Logging Syntax
- SA-15(2): Security and Privacy Tracking Tools
- SA-15(3): Criticality Analysis
- SA-15(4): Threat Modeling and Vulnerability Analysis
- SA-15(5): Attack Surface Reduction
- SA-15(6): Continuous Improvement
- SA-15(7): Automated Vulnerability Analysis
- SA-15(8): Reuse of Threat and Vulnerability Information
- SA-15(9): Use of Live Data
- SA-16: Developer-provided Training
- SA-17: Developer Security and Privacy Architecture and Design
- SA-17(1): Formal Policy Model
- SA-17(2): Security-relevant Components
- SA-17(3): Formal Correspondence
- SA-17(4): Informal Correspondence
- SA-17(5): Conceptually Simple Design
- SA-17(6): Structure for Testing
- SA-17(7): Structure for Least Privilege
- SA-17(8): Orchestration
- SA-17(9): Design Diversity
- SA-18: Tamper Resistance and Detection
- SA-18(1): Multiple Phases of System Development Life Cycle
- SA-18(2): Inspection of Systems or Components
- SA-19: Component Authenticity
- SA-19(1): Anti-counterfeit Training
- SA-19(2): Configuration Control for Component Service and Repair
- SA-19(3): Component Disposal
- SA-19(4): Anti-counterfeit Scanning
- SA-2: Allocation of Resources
- SA-20: Customized Development of Critical Components
- SA-21: Developer Screening
- SA-21(1): Validation of Screening
- SA-22: Unsupported System Components
- SA-22(1): Alternative Sources for Continued Support
- SA-23: Specialization
- SA-24: Design For Cyber Resiliency
- SA-3: System Development Life Cycle
- SA-3(1): Manage Preproduction Environment
- SA-3(2): Use of Live or Operational Data
- SA-3(3): Technology Refresh
- SA-4: Acquisition Process
- SA-4(1): Functional Properties of Controls
- SA-4(10): Use of Approved PIV Products
- SA-4(11): System of Records
- SA-4(12): Data Ownership
- SA-4(2): Design and Implementation Information for Controls
- SA-4(3): Development Methods, Techniques, and Practices
- SA-4(4): Assignment of Components to Systems
- SA-4(5): System, Component, and Service Configurations
- SA-4(6): Use of Information Assurance Products
- SA-4(7): NIAP-approved Protection Profiles
- SA-4(8): Continuous Monitoring Plan for Controls
- SA-4(9): Functions, Ports, Protocols, and Services in Use
- SA-5: System Documentation
- SA-5(1): Functional Properties of Security Controls
- SA-5(2): Security-relevant External System Interfaces
- SA-5(3): High-level Design
- SA-5(4): Low-level Design
- SA-5(5): Source Code
- SA-6: Software Usage Restrictions
- SA-7: User-installed Software
- SA-8: Security and Privacy Engineering Principles
- SA-8(1): Clear Abstractions
- SA-8(10): Hierarchical Trust
- SA-8(11): Inverse Modification Threshold
- SA-8(12): Hierarchical Protection
- SA-8(13): Minimized Security Elements
- SA-8(14): Least Privilege
- SA-8(15): Predicate Permission
- SA-8(16): Self-reliant Trustworthiness
- SA-8(17): Secure Distributed Composition
- SA-8(18): Trusted Communications Channels
- SA-8(19): Continuous Protection
- SA-8(2): Least Common Mechanism
- SA-8(20): Secure Metadata Management
- SA-8(21): Self-analysis
- SA-8(22): Accountability and Traceability
- SA-8(23): Secure Defaults
- SA-8(24): Secure Failure and Recovery
- SA-8(25): Economic Security
- SA-8(26): Performance Security
- SA-8(27): Human Factored Security
- SA-8(28): Acceptable Security
- SA-8(29): Repeatable and Documented Procedures
- SA-8(3): Modularity and Layering
- SA-8(30): Procedural Rigor
- SA-8(31): Secure System Modification
- SA-8(32): Sufficient Documentation
- SA-8(33): Minimization
- SA-8(4): Partially Ordered Dependencies
- SA-8(5): Efficiently Mediated Access
- SA-8(6): Minimized Sharing
- SA-8(7): Reduced Complexity
- SA-8(8): Secure Evolvability
- SA-8(9): Trusted Components
- SA-9: External System Services
- SA-9(1): Risk Assessments and Organizational Approvals
- SA-9(2): Identification of Functions, Ports, Protocols, and Services
- SA-9(3): Establish and Maintain Trust Relationship with Providers
- SA-9(4): Consistent Interests of Consumers and Providers
- SA-9(5): Processing, Storage, and Service Location
- SA-9(6): Organization-controlled Cryptographic Keys
- SA-9(7): Organization-controlled Integrity Checking
- SA-9(8): Processing and Storage Location — U.S. Jurisdiction
- SC-1: Policy and Procedures
- SC-10: Network Disconnect
- SC-11: Trusted Path
- SC-11(1): Irrefutable Communications Path
- SC-12: Cryptographic Key Establishment and Management
- SC-12(1): Availability
- SC-12(2): Symmetric Keys
- SC-12(3): Asymmetric Keys
- SC-12(4): PKI Certificates
- SC-12(5): PKI Certificates / Hardware Tokens
- SC-12(6): Physical Control of Keys
- SC-13: Cryptographic Protection
- SC-13(1): FIPS-validated Cryptography
- SC-13(2): NSA-approved Cryptography
- SC-13(3): Individuals Without Formal Access Approvals
- SC-13(4): Digital Signatures
- SC-14: Public Access Protections
- SC-15: Collaborative Computing Devices and Applications
- SC-15(1): Physical or Logical Disconnect
- SC-15(2): Blocking Inbound and Outbound Communications Traffic
- SC-15(3): Disabling and Removal in Secure Work Areas
- SC-15(4): Explicitly Indicate Current Participants
- SC-16: Transmission of Security and Privacy Attributes
- SC-16(1): Integrity Verification
- SC-16(2): Anti-spoofing Mechanisms
- SC-16(3): Cryptographic Binding
- SC-17: Public Key Infrastructure Certificates
- SC-18: Mobile Code
- SC-18(1): Identify Unacceptable Code and Take Corrective Actions
- SC-18(2): Acquisition, Development, and Use
- SC-18(3): Prevent Downloading and Execution
- SC-18(4): Prevent Automatic Execution
- SC-18(5): Allow Execution Only in Confined Environments
- SC-19: Voice Over Internet Protocol
- SC-2: Separation of System and User Functionality
- SC-2(1): Interfaces for Non-privileged Users
- SC-2(2): Disassociability
- SC-20: Secure Name/Address Resolution Service (Authoritative Source)
- SC-20(1): Child Subspaces
- SC-20(2): Data Origin and Integrity
- SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)
- SC-21(1): Data Origin and Integrity
- SC-22: Architecture and Provisioning for Name/Address Resolution Service
- SC-23: Session Authenticity
- SC-23(1): Invalidate Session Identifiers at Logout
- SC-23(2): User-initiated Logouts and Message Displays
- SC-23(3): Unique System-generated Session Identifiers
- SC-23(4): Unique Session Identifiers with Randomization
- SC-23(5): Allowed Certificate Authorities
- SC-24: Fail in Known State
- SC-25: Thin Nodes
- SC-26: Decoys
- SC-26(1): Detection of Malicious Code
- SC-27: Platform-independent Applications
- SC-28: Protection of Information at Rest
- SC-28(1): Cryptographic Protection
- SC-28(2): Offline Storage
- SC-28(3): Cryptographic Keys
- SC-29: Heterogeneity
- SC-29(1): Virtualization Techniques
- SC-3: Security Function Isolation
- SC-3(1): Hardware Separation
- SC-3(2): Access and Flow Control Functions
- SC-3(3): Minimize Nonsecurity Functionality
- SC-3(4): Module Coupling and Cohesiveness
- SC-3(5): Layered Structures
- SC-30: Concealment and Misdirection
- SC-30(1): Virtualization Techniques
- SC-30(2): Randomness
- SC-30(3): Change Processing and Storage Locations
- SC-30(4): Misleading Information
- SC-30(5): Concealment of System Components
- SC-31: Covert Channel Analysis
- SC-31(1): Test Covert Channels for Exploitability
- SC-31(2): Maximum Bandwidth
- SC-31(3): Measure Bandwidth in Operational Environments
- SC-32: System Partitioning
- SC-32(1): Separate Physical Domains for Privileged Functions
- SC-33: Transmission Preparation Integrity
- SC-34: Non-modifiable Executable Programs
- SC-34(1): No Writable Storage
- SC-34(2): Integrity Protection on Read-only Media
- SC-34(3): Hardware-based Protection
- SC-35: External Malicious Code Identification
- SC-36: Distributed Processing and Storage
- SC-36(1): Polling Techniques
- SC-36(2): Synchronization
- SC-37: Out-of-band Channels
- SC-37(1): Ensure Delivery and Transmission
- SC-38: Operations Security
- SC-39: Process Isolation
- SC-39(1): Hardware Separation
- SC-39(2): Separate Execution Domain Per Thread
- SC-4: Information in Shared System Resources
- SC-4(1): Security Levels
- SC-4(2): Multilevel or Periods Processing
- SC-40: Wireless Link Protection
- SC-40(1): Electromagnetic Interference
- SC-40(2): Reduce Detection Potential
- SC-40(3): Imitative or Manipulative Communications Deception
- SC-40(4): Signal Parameter Identification
- SC-41: Port and I/O Device Access
- SC-42: Sensor Capability and Data
- SC-42(1): Reporting to Authorized Individuals or Roles
- SC-42(2): Authorized Use
- SC-42(3): Prohibit Use of Devices
- SC-42(4): Notice of Collection
- SC-42(5): Collection Minimization
- SC-43: Usage Restrictions
- SC-44: Detonation Chambers
- SC-45: System Time Synchronization
- SC-45(1): Synchronization with Authoritative Time Source
- SC-45(2): Secondary Authoritative Time Source
- SC-46: Cross Domain Policy Enforcement
- SC-47: Alternate Communications Paths
- SC-48: Sensor Relocation
- SC-48(1): Dynamic Relocation of Sensors or Monitoring Capabilities
- SC-49: Hardware-enforced Separation and Policy Enforcement
- SC-5: Denial-of-service Protection
- SC-5(1): Restrict Ability to Attack Other Systems
- SC-5(2): Capacity, Bandwidth, and Redundancy
- SC-5(3): Detection and Monitoring
- SC-50: Software-enforced Separation and Policy Enforcement
- SC-51: Hardware-based Protection
- SC-6: Resource Availability
- SC-7: Boundary Protection
- SC-7(1): Physically Separated Subnetworks
- SC-7(10): Prevent Exfiltration
- SC-7(11): Restrict Incoming Communications Traffic
- SC-7(12): Host-based Protection
- SC-7(13): Isolation of Security Tools, Mechanisms, and Support Components
- SC-7(14): Protect Against Unauthorized Physical Connections
- SC-7(15): Networked Privileged Accesses
- SC-7(16): Prevent Discovery of System Components
- SC-7(17): Automated Enforcement of Protocol Formats
- SC-7(18): Fail Secure
- SC-7(19): Block Communication from Non-organizationally Configured Hosts
- SC-7(2): Public Access
- SC-7(20): Dynamic Isolation and Segregation
- SC-7(21): Isolation of System Components
- SC-7(22): Separate Subnets for Connecting to Different Security Domains
- SC-7(23): Disable Sender Feedback on Protocol Validation Failure
- SC-7(24): Personally Identifiable Information
- SC-7(25): Unclassified National Security System Connections
- SC-7(26): Classified National Security System Connections
- SC-7(27): Unclassified Non-national Security System Connections
- SC-7(28): Connections to Public Networks
- SC-7(29): Separate Subnets to Isolate Functions
- SC-7(3): Access Points
- SC-7(4): External Telecommunications Services
- SC-7(5): Deny by Default — Allow by Exception
- SC-7(6): Response to Recognized Failures
- SC-7(7): Split Tunneling for Remote Devices
- SC-7(8): Route Traffic to Authenticated Proxy Servers
- SC-7(9): Restrict Threatening Outgoing Communications Traffic
- SC-8: Transmission Confidentiality and Integrity
- SC-8(1): Cryptographic Protection
- SC-8(2): Pre- and Post-transmission Handling
- SC-8(3): Cryptographic Protection for Message Externals
- SC-8(4): Conceal or Randomize Communications
- SC-8(5): Protected Distribution System
- SC-9: Transmission Confidentiality
- SI-1: Policy and Procedures
- SI-10: Information Input Validation
- SI-10(1): Manual Override Capability
- SI-10(2): Review and Resolve Errors
- SI-10(3): Predictable Behavior
- SI-10(4): Timing Interactions
- SI-10(5): Restrict Inputs to Trusted Sources and Approved Formats
- SI-10(6): Injection Prevention
- SI-11: Error Handling
- SI-12: Information Management and Retention
- SI-12(1): Limit Personally Identifiable Information Elements
- SI-12(2): Minimize Personally Identifiable Information in Testing, Training, and Research
- SI-12(3): Information Disposal
- SI-13: Predictable Failure Prevention
- SI-13(1): Transferring Component Responsibilities
- SI-13(2): Time Limit on Process Execution Without Supervision
- SI-13(3): Manual Transfer Between Components
- SI-13(4): Standby Component Installation and Notification
- SI-13(5): Failover Capability
- SI-14: Non-persistence
- SI-14(1): Refresh from Trusted Sources
- SI-14(2): Non-persistent Information
- SI-14(3): Non-persistent Connectivity
- SI-15: Information Output Filtering
- SI-16: Memory Protection
- SI-17: Fail-safe Procedures
- SI-18: Personally Identifiable Information Quality Operations
- SI-18(1): Automation Support
- SI-18(2): Data Tags
- SI-18(3): Collection
- SI-18(4): Individual Requests
- SI-18(5): Notice of Correction or Deletion
- SI-19: De-identification
- SI-19(1): Collection
- SI-19(2): Archiving
- SI-19(3): Release
- SI-19(4): Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
- SI-19(5): Statistical Disclosure Control
- SI-19(6): Differential Privacy
- SI-19(7): Validated Algorithms and Software
- SI-19(8): Motivated Intruder
- SI-2: Flaw Remediation
- SI-2(1): Central Management
- SI-2(2): Automated Flaw Remediation Status
- SI-2(3): Time to Remediate Flaws and Benchmarks for Corrective Actions
- SI-2(4): Automated Patch Management Tools
- SI-2(5): Automatic Software and Firmware Updates
- SI-2(6): Removal of Previous Versions of Software and Firmware
- SI-2(7): Root Cause Analysis
- SI-20: Tainting
- SI-21: Information Refresh
- SI-22: Information Diversity
- SI-23: Information Fragmentation
- SI-3: Malicious Code Protection
- SI-3(1): Central Management
- SI-3(10): Malicious Code Analysis
- SI-3(2): Automatic Updates
- SI-3(3): Non-privileged Users
- SI-3(4): Updates Only by Privileged Users
- SI-3(5): Portable Storage Devices
- SI-3(6): Testing and Verification
- SI-3(7): Nonsignature-based Detection
- SI-3(8): Detect Unauthorized Commands
- SI-3(9): Authenticate Remote Commands
- SI-4: System Monitoring
- SI-4(1): System-wide Intrusion Detection System
- SI-4(10): Visibility of Encrypted Communications
- SI-4(11): Analyze Communications Traffic Anomalies
- SI-4(12): Automated Organization-generated Alerts
- SI-4(13): Analyze Traffic and Event Patterns
- SI-4(14): Wireless Intrusion Detection
- SI-4(15): Wireless to Wireline Communications
- SI-4(16): Correlate Monitoring Information
- SI-4(17): Integrated Situational Awareness
- SI-4(18): Analyze Traffic and Covert Exfiltration
- SI-4(19): Risk for Individuals
- SI-4(2): Automated Tools and Mechanisms for Real-time Analysis
- SI-4(20): Privileged Users
- SI-4(21): Probationary Periods
- SI-4(22): Unauthorized Network Services
- SI-4(23): Host-based Devices
- SI-4(24): Indicators of Compromise
- SI-4(25): Optimize Network Traffic Analysis
- SI-4(3): Automated Tool and Mechanism Integration
- SI-4(4): Inbound and Outbound Communications Traffic
- SI-4(5): System-generated Alerts
- SI-4(6): Restrict Non-privileged Users
- SI-4(7): Automated Response to Suspicious Events
- SI-4(8): Protection of Monitoring Information
- SI-4(9): Testing of Monitoring Tools and Mechanisms
- SI-5: Security Alerts, Advisories, and Directives
- SI-5(1): Automated Alerts and Advisories
- SI-6: Security and Privacy Function Verification
- SI-6(1): Notification of Failed Security Tests
- SI-6(2): Automation Support for Distributed Testing
- SI-6(3): Report Verification Results
- SI-7: Software, Firmware, and Information Integrity
- SI-7(1): Integrity Checks
- SI-7(10): Protection of Boot Firmware
- SI-7(11): Confined Environments with Limited Privileges
- SI-7(12): Integrity Verification
- SI-7(13): Code Execution in Protected Environments
- SI-7(14): Binary or Machine Executable Code
- SI-7(15): Code Authentication
- SI-7(16): Time Limit on Process Execution Without Supervision
- SI-7(17): Runtime Application Self-protection
- SI-7(2): Automated Notifications of Integrity Violations
- SI-7(3): Centrally Managed Integrity Tools
- SI-7(4): Tamper-evident Packaging
- SI-7(5): Automated Response to Integrity Violations
- SI-7(6): Cryptographic Protection
- SI-7(7): Integration of Detection and Response
- SI-7(8): Auditing Capability for Significant Events
- SI-7(9): Verify Boot Process
- SI-8: Spam Protection
- SI-8(1): Central Management
- SI-8(2): Automatic Updates
- SI-8(3): Continuous Learning Capability
- SI-9: Information Input Restrictions
- SR-1: Policy and Procedures
- SR-10: Inspection of Systems or Components
- SR-11: Component Authenticity
- SR-11(1): Anti-counterfeit Training
- SR-11(2): Configuration Control for Component Service and Repair
- SR-11(3): Anti-counterfeit Scanning
- SR-12: Component Disposal
- SR-2: Supply Chain Risk Management Plan
- SR-2(1): Establish SCRM Team
- SR-3: Supply Chain Controls and Processes
- SR-3(1): Diverse Supply Base
- SR-3(2): Limitation of Harm
- SR-3(3): Sub-tier Flow Down
- SR-4: Provenance
- SR-4(1): Identity
- SR-4(2): Track and Trace
- SR-4(3): Validate as Genuine and Not Altered
- SR-4(4): Supply Chain Integrity — Pedigree
- SR-5: Acquisition Strategies, Tools, and Methods
- SR-5(1): Adequate Supply
- SR-5(2): Assessments Prior to Selection, Acceptance, Modification, or Update
- SR-6: Supplier Assessments and Reviews
- SR-6(1): Testing and Analysis
- SR-7: Supply Chain Operations Security
- SR-8: Notification Agreements
- SR-9: Tamper Resistance and Detection
- SR-9(1): Multiple Stages of System Development Life Cycle