Counts of related controls

From SecWiki

Retired controls are excluded from the list.


| Identifier | Name | Priority | Referring | Referred |
|---|---|---|---|---|
| AC-1 | Access control policy and procedures | P1 | 1 | 0 |
| AC-2 | Account management | P1 | 21 | 19 |
| AC-3 | Access enforcement | P1 | 19 | 33 |
| AC-4 | Information flow enforcement | P1 | 11 | 13 |
| AC-5 | Separation of duties | P1 | 5 | 3 |
| AC-6 | Least privilege | P1 | 6 | 17 |
| AC-7 | Unsuccessful logon attempts | P2 | 4 | 4 |
| AC-8 | System use notification | P1 | 0 | 2 |
| AC-9 | Previous logon (access) notification | P0 | 2 | 2 |
| AC-10 | Concurrent session control | P3 | 0 | 1 |
| AC-11 | Session lock | P3 | 1 | 1 |
| AC-12 | Session termination | P2 | 2 | 0 |
| AC-14 | Permitted actions without identification or authentication | P3 | 2 | 5 |
| AC-16 | Security attributes | P0 | 8 | 6 |
| AC-17 | Remote access | P1 | 16 | 19 |
| AC-18 | Wireless access | P1 | 12 | 10 |
| AC-19 | Access control for mobile devices | P1 | 16 | 12 |
| AC-20 | Use of external information systems | P1 | 6 | 7 |
| AC-21 | Information sharing | P2 | 1 | 4 |
| AC-22 | Publicly accessible content | P3 | 5 | 1 |
| AC-23 | Data mining protection | P0 | 0 | 0 |
| AC-24 | Access control decisions | P0 | 0 | 0 |
| AC-25 | Reference monitor | P0 | 4 | 2 |
| AU-1 | Audit and accountability policy and procedures | P1 | 1 | 0 |
| AU-2 | Audit events | P1 | 8 | 11 |
| AU-3 | Content of audit records | P1 | 4 | 5 |
| AU-4 | Audit storage capacity | P1 | 6 | 3 |
| AU-5 | Response to audit processing failures | P1 | 2 | 5 |
| AU-6 | Audit review, analysis, and reporting | P1 | 28 | 10 |
| AU-7 | Audit reduction and report generation | P2 | 1 | 5 |
| AU-8 | Time stamps | P1 | 2 | 1 |
| AU-9 | Protection of audit information | P1 | 7 | 6 |
| AU-10 | Non-repudiation | P2 | 6 | 4 |
| AU-11 | Audit record retention | P3 | 4 | 3 |
| AU-12 | Audit generation | P1 | 5 | 8 |
| AU-13 | Monitoring for information disclosure | P0 | 2 | 2 |
| AU-14 | Session audit | P0 | 5 | 0 |
| AU-15 | Alternate audit capability | P0 | 1 | 0 |
| AU-16 | Cross-organizational auditing | P0 | 1 | 2 |
| AT-1 | Security awareness and training policy and procedures | P1 | 1 | 0 |
| AT-2 | Security awareness training | P1 | 3 | 10 |
| AT-3 | Role-based security training | P1 | 7 | 17 |
| AT-4 | Security training records | P3 | 3 | 2 |
| CM-1 | Configuration management policy and procedures | P1 | 1 | 0 |
| CM-2 | Baseline configuration | P1 | 7 | 10 |
| CM-3 | Configuration change control | P1 | 9 | 13 |
| CM-4 | Security impact analysis | P2 | 8 | 8 |
| CM-5 | Access restrictions for change | P1 | 3 | 9 |
| CM-6 | Configuration settings | P1 | 5 | 19 |
| CM-7 | Least functionality | P1 | 5 | 6 |
| CM-8 | Information system component inventory | P1 | 3 | 11 |
| CM-9 | Configuration management plan | P1 | 6 | 5 |
| CM-10 | Software usage restrictions | P2 | 3 | 1 |
| CM-11 | User-installed software | P1 | 7 | 5 |
| CP-1 | Contingency planning policy and procedures | P1 | 1 | 0 |
| CP-2 | Contingency plan | P1 | 13 | 19 |
| CP-3 | Contingency training | P2 | 4 | 2 |
| CP-4 | Contingency plan testing | P2 | 3 | 3 |
| CP-6 | Alternate storage site | P1 | 5 | 7 |
| CP-7 | Alternate processing site | P1 | 6 | 9 |
| CP-8 | Telecommunications services | P1 | 3 | 3 |
| CP-9 | Information system backup | P1 | 5 | 7 |
| CP-10 | Information system recovery and reconstitution | P1 | 8 | 5 |
| CP-11 | Alternate communications protocols | P0 | 0 | 0 |
| CP-12 | Safe mode | P0 | 0 | 2 |
| CP-13 | Alternative security mechanisms | P0 | 1 | 1 |
| IA-1 | Identification and authentication policy and procedures | P1 | 1 | 0 |
| IA-2 | Identification and authentication (organizational users) | P1 | 8 | 11 |
| IA-3 | Device identification and authentication | P1 | 6 | 8 |
| IA-4 | Identifier management | P1 | 6 | 12 |
| IA-5 | Authenticator management | P1 | 14 | 10 |
| IA-6 | Authenticator feedback | P2 | 1 | 0 |
| IA-7 | Cryptographic module authentication | P1 | 2 | 1 |
| IA-8 | Identification and authentication (non-organizational users) | P1 | 11 | 8 |
| IA-9 | Service identification and authentication | P0 | 0 | 0 |
| IA-10 | Adaptive identification and authentication | P0 | 2 | 0 |
| IA-11 | Re-authentication | P0 | 1 | 0 |
| IR-1 | Incident response policy and procedures | P1 | 1 | 0 |
| IR-2 | Incident response training | P2 | 3 | 2 |
| IR-3 | Incident response testing | P2 | 2 | 3 |
| IR-4 | Incident handling | P1 | 13 | 9 |
| IR-5 | Incident monitoring | P1 | 8 | 2 |
| IR-6 | Incident reporting | P1 | 3 | 2 |
| IR-7 | Incident response assistance | P2 | 5 | 1 |
| IR-8 | Incident response plan | P1 | 3 | 9 |
| IR-9 | Information spillage response | P0 | 0 | 0 |
| IR-10 | Integrated information security analysis team | P0 | 0 | 0 |
| MA-1 | System maintenance policy and procedures | P1 | 1 | 0 |
| MA-2 | Controlled maintenance | P2 | 7 | 5 |
| MA-3 | Maintenance tools | P3 | 3 | 3 |
| MA-4 | Nonlocal maintenance | P2 | 17 | 11 |
| MA-5 | Maintenance personnel | P2 | 7 | 5 |
| MA-6 | Timely maintenance | P2 | 5 | 2 |
| MP-1 | Media protection policy and procedures | P1 | 1 | 0 |
| MP-2 | Media access | P1 | 6 | 13 |
| MP-3 | Media marking | P2 | 3 | 2 |
| MP-4 | Media storage | P1 | 5 | 16 |
| MP-5 | Media transport | P1 | 8 | 7 |
| MP-6 | Media sanitization | P1 | 4 | 5 |
| MP-7 | Media use | P1 | 2 | 3 |
| MP-8 | Media downgrading | P0 | 0 | 0 |
| PS-1 | Personnel security policy and procedures | P1 | 1 | 0 |
| PS-2 | Position risk designation | P1 | 3 | 5 |
| PS-3 | Personnel screening | P1 | 4 | 7 |
| PS-4 | Personnel termination | P1 | 5 | 4 |
| PS-5 | Personnel transfer | P2 | 4 | 4 |
| PS-6 | Access agreements | P3 | 5 | 5 |
| PS-7 | Third-party personnel security | P1 | 7 | 4 |
| PS-8 | Personnel sanctions | P3 | 2 | 3 |
| PE-1 | Physical and environmental protection policy and procedures | P1 | 1 | 0 |
| PE-2 | Physical access authorizations | P1 | 3 | 10 |
| PE-3 | Physical access control | P1 | 9 | 16 |
| PE-4 | Access control for transmission medium | P1 | 7 | 7 |
| PE-5 | Access control for output devices | P2 | 4 | 2 |
| PE-6 | Monitoring physical access | P1 | 3 | 4 |
| PE-8 | Visitor access records | P3 | 0 | 0 |
| PE-9 | Power equipment and cabling | P1 | 1 | 0 |
| PE-10 | Emergency shutoff | P1 | 1 | 0 |
| PE-11 | Emergency power | P1 | 3 | 0 |
| PE-12 | Emergency lighting | P1 | 2 | 0 |
| PE-13 | Fire protection | P1 | 0 | 0 |
| PE-14 | Temperature and humidity controls | P1 | 1 | 1 |
| PE-15 | Water damage protection | P1 | 1 | 1 |
| PE-16 | Delivery and removal | P2 | 5 | 3 |
| PE-17 | Alternate work site | P2 | 2 | 1 |
| PE-18 | Location of information system components | P3 | 3 | 2 |
| PE-19 | Information leakage | P0 | 0 | 1 |
| PE-20 | Asset monitoring and tracking | P0 | 1 | 0 |
| PL-1 | Security planning policy and procedures | P1 | 1 | 0 |
| PL-2 | System security plan | P1 | 24 | 13 |
| PL-4 | Rules of behavior | P2 | 18 | 14 |
| PL-7 | Security concept of operations | P0 | 1 | 1 |
| PL-8 | Information security architecture | P1 | 7 | 4 |
| PL-9 | Central management | P0 | 0 | 0 |
| PM-1 | Information security program plan | | 1 | 4 |
| PM-2 | Senior information security officer | | 0 | 0 |
| PM-3 | Information security resources | | 2 | 1 |
| PM-4 | Plan of action and milestones process | | 1 | 2 |
| PM-5 | Information system inventory | | 0 | 2 |
| PM-6 | Information security measures of performance | | 0 | 1 |
| PM-7 | Enterprise architecture | | 5 | 7 |
| PM-8 | Critical infrastructure plan | | 4 | 4 |
| PM-9 | Risk management strategy | | 1 | 23 |
| PM-10 | Security authorization process | | 1 | 1 |
| PM-11 | Mission/business process definition | | 3 | 5 |
| PM-12 | Insider threat program | | 21 | 1 |
| PM-13 | Information security workforce | | 2 | 0 |
| PM-14 | Testing, training, and monitoring | | 5 | 2 |
| PM-15 | Contacts with security groups and associations | | 1 | 0 |
| PM-16 | Threat awareness program | | 2 | 1 |
| RA-1 | Risk assessment policy and procedures | P1 | 1 | 0 |
| RA-2 | Security categorization | P1 | 4 | 6 |
| RA-3 | Risk assessment | P1 | 2 | 12 |
| RA-5 | Vulnerability scanning | P1 | 8 | 7 |
| RA-6 | Technical surveillance countermeasures survey | P0 | 0 | 0 |
| CA-1 | Security assessment and authorization policy and procedures | P1 | 1 | 0 |
| CA-2 | Security assessments | P2 | 8 | 9 |
| CA-3 | System interconnections | P1 | 11 | 7 |
| CA-5 | Plan of action and milestones | P3 | 4 | 3 |
| CA-6 | Security authorization | P2 | 4 | 4 |
| CA-7 | Continuous monitoring | P2 | 12 | 20 |
| CA-8 | Penetration testing | P2 | 1 | 0 |
| CA-9 | Internal system connections | P2 | 11 | 1 |
| SC-1 | System and communications protection policy and procedures | P1 | 1 | 0 |
| SC-2 | Application partitioning | P1 | 3 | 6 |
| SC-3 | Security function isolation | P1 | 9 | 7 |
| SC-4 | Information in shared resources | P1 | 3 | 1 |
| SC-5 | Denial of service protection | P1 | 2 | 6 |
| SC-6 | Resource availability | P0 | 0 | 1 |
| SC-7 | Boundary protection | P1 | 9 | 24 |
| SC-8 | Transmission confidentiality and integrity | P1 | 2 | 9 |
| SC-10 | Network disconnect | P2 | 0 | 4 |
| SC-11 | Trusted path | P0 | 2 | 1 |
| SC-12 | Cryptographic key establishment and management | P1 | 2 | 7 |
| SC-13 | Cryptographic protection | P1 | 20 | 11 |
| SC-15 | Collaborative computing devices | P1 | 1 | 1 |
| SC-16 | Transmission of security attributes | P0 | 3 | 2 |
| SC-17 | Public key infrastructure certificates | P1 | 1 | 4 |
| SC-18 | Mobile code | P2 | 5 | 2 |
| SC-19 | Voice over internet protocol | P1 | 3 | 1 |
| SC-20 | Secure name / address resolution service (authoritative source) | P1 | 6 | 2 |
| SC-21 | Secure name / address resolution service (recursive or caching resolver) | P1 | 2 | 2 |
| SC-22 | Architecture and provisioning for name / address resolution service | P1 | 4 | 3 |
| SC-23 | Session authenticity | P1 | 3 | 2 |
| SC-24 | Fail in known state | P1 | 5 | 3 |
| SC-25 | Thin nodes | P0 | 1 | 1 |
| SC-26 | Honeypots | P0 | 4 | 5 |
| SC-27 | Platform-independent applications | P0 | 1 | 1 |
| SC-28 | Protection of information at rest | P1 | 11 | 3 |
| SC-29 | Heterogeneity | P0 | 3 | 3 |
| SC-30 | Concealment and misdirection | P0 | 3 | 5 |
| SC-31 | Covert channel analysis | P0 | 3 | 1 |
| SC-32 | Information system partitioning | P0 | 5 | 0 |
| SC-34 | Non-modifiable executable programs | P0 | 2 | 1 |
| SC-35 | Honeyclients | P0 | 4 | 1 |
| SC-36 | Distributed processing and storage | P0 | 2 | 0 |
| SC-37 | Out-of-band channels | P0 | 11 | 1 |
| SC-38 | Operations security | P0 | 3 | 2 |
| SC-39 | Process isolation | P1 | 8 | 2 |
| SC-40 | Wireless link protection | P0 | 2 | 0 |
| SC-41 | Port and i/o device access | P0 | 0 | 0 |
| SC-42 | Sensor capability and data | P0 | 0 | 0 |
| SC-43 | Usage restrictions | P0 | 2 | 1 |
| SC-44 | Detonation chambers | P0 | 4 | 3 |
| SI-1 | System and information integrity policy and procedures | P1 | 1 | 0 |
| SI-2 | Flaw remediation | P1 | 11 | 9 |
| SI-3 | Malicious code protection | P1 | 12 | 13 |
| SI-4 | Information system monitoring | P1 | 18 | 21 |
| SI-5 | Security alerts, advisories, and directives | P1 | 1 | 1 |
| SI-6 | Security function verification | P1 | 2 | 0 |
| SI-7 | Software, firmware, and information integrity | P1 | 4 | 12 |
| SI-8 | Spam protection | P2 | 5 | 0 |
| SI-10 | Information input validation | P1 | 0 | 0 |
| SI-11 | Error handling | P2 | 3 | 2 |
| SI-12 | Information handling and retention | P2 | 5 | 2 |
| SI-13 | Predictable failure prevention | P0 | 3 | 1 |
| SI-14 | Non-persistence | P0 | 2 | 1 |
| SI-15 | Information output filtering | P0 | 2 | 0 |
| SI-16 | Memory protection | P1 | 2 | 0 |
| SI-17 | Fail-safe procedures | P0 | 4 | 0 |
| SA-1 | System and services acquisition policy and procedures | P1 | 1 | 0 |
| SA-2 | Allocation of resources | P1 | 2 | 1 |
| SA-3 | System development life cycle | P1 | 3 | 10 |
| SA-4 | Acquisition process | P1 | 8 | 11 |
| SA-5 | Information system documentation | P2 | 7 | 10 |
| SA-8 | Security engineering principles | P1 | 6 | 14 |
| SA-9 | External information system services | P1 | 3 | 4 |
| SA-10 | Developer configuration management | P1 | 5 | 6 |
| SA-11 | Developer security testing and evaluation | P1 | 6 | 5 |
| SA-12 | Supply chain protection | P1 | 17 | 16 |
| SA-13 | Trustworthiness | P0 | 5 | 3 |
| SA-14 | Criticality analysis | P0 | 9 | 5 |
| SA-15 | Development process, standards, and tools | P2 | 2 | 3 |
| SA-16 | Developer-provided training | P2 | 3 | 1 |
| SA-17 | Developer security architecture and design | P1 | 4 | 3 |
| SA-18 | Tamper resistance and detection | P0 | 3 | 1 |
| SA-19 | Component authenticity | P0 | 3 | 1 |
| SA-20 | Customized development of critical components | P0 | 3 | 1 |
| SA-21 | Developer screening | P0 | 2 | 1 |
| SA-22 | Unsupported system components | P0 | 2 | 0 |