| Identifier |
Name |
Priority |
Referring |
Referred
|
| AC-1 |
Access control policy and procedures |
P1 |
1 |
0
|
| AC-2 |
Account management |
P1 |
21 |
19
|
| AC-3 |
Access enforcement |
P1 |
19 |
33
|
| AC-4 |
Information flow enforcement |
P1 |
11 |
13
|
| AC-5 |
Separation of duties |
P1 |
5 |
3
|
| AC-6 |
Least privilege |
P1 |
6 |
17
|
| AC-7 |
Unsuccessful logon attempts |
P2 |
4 |
4
|
| AC-8 |
System use notification |
P1 |
0 |
2
|
| AC-9 |
Previous logon (access) notification |
P0 |
2 |
2
|
| AC-10 |
Concurrent session control |
P3 |
0 |
1
|
| AC-11 |
Session lock |
P3 |
1 |
1
|
| AC-12 |
Session termination |
P2 |
2 |
0
|
| AC-14 |
Permitted actions without identification or authentication |
P3 |
2 |
5
|
| AC-16 |
Security attributes |
P0 |
8 |
6
|
| AC-17 |
Remote access |
P1 |
16 |
19
|
| AC-18 |
Wireless access |
P1 |
12 |
10
|
| AC-19 |
Access control for mobile devices |
P1 |
16 |
12
|
| AC-20 |
Use of external information systems |
P1 |
6 |
7
|
| AC-21 |
Information sharing |
P2 |
1 |
4
|
| AC-22 |
Publicly accessible content |
P3 |
5 |
1
|
| AC-23 |
Data mining protection |
P0 |
0 |
0
|
| AC-24 |
Access control decisions |
P0 |
0 |
0
|
| AC-25 |
Reference monitor |
P0 |
4 |
2
|
| AU-1 |
Audit and accountability policy and procedures |
P1 |
1 |
0
|
| AU-2 |
Audit events |
P1 |
8 |
11
|
| AU-3 |
Content of audit records |
P1 |
4 |
5
|
| AU-4 |
Audit storage capacity |
P1 |
6 |
3
|
| AU-5 |
Response to audit processing failures |
P1 |
2 |
5
|
| AU-6 |
Audit review, analysis, and reporting |
P1 |
28 |
10
|
| AU-7 |
Audit reduction and report generation |
P2 |
1 |
5
|
| AU-8 |
Time stamps |
P1 |
2 |
1
|
| AU-9 |
Protection of audit information |
P1 |
7 |
6
|
| AU-10 |
Non-repudiation |
P2 |
6 |
4
|
| AU-11 |
Audit record retention |
P3 |
4 |
3
|
| AU-12 |
Audit generation |
P1 |
5 |
8
|
| AU-13 |
Monitoring for information disclosure |
P0 |
2 |
2
|
| AU-14 |
Session audit |
P0 |
5 |
0
|
| AU-15 |
Alternate audit capability |
P0 |
1 |
0
|
| AU-16 |
Cross-organizational auditing |
P0 |
1 |
2
|
| AT-1 |
Security awareness and training policy and procedures |
P1 |
1 |
0
|
| AT-2 |
Security awareness training |
P1 |
3 |
10
|
| AT-3 |
Role-based security training |
P1 |
7 |
17
|
| AT-4 |
Security training records |
P3 |
3 |
2
|
| CM-1 |
Configuration management policy and procedures |
P1 |
1 |
0
|
| CM-2 |
Baseline configuration |
P1 |
7 |
10
|
| CM-3 |
Configuration change control |
P1 |
9 |
13
|
| CM-4 |
Security impact analysis |
P2 |
8 |
8
|
| CM-5 |
Access restrictions for change |
P1 |
3 |
9
|
| CM-6 |
Configuration settings |
P1 |
5 |
19
|
| CM-7 |
Least functionality |
P1 |
5 |
6
|
| CM-8 |
Information system component inventory |
P1 |
3 |
11
|
| CM-9 |
Configuration management plan |
P1 |
6 |
5
|
| CM-10 |
Software usage restrictions |
P2 |
3 |
1
|
| CM-11 |
User-installed software |
P1 |
7 |
5
|
| CP-1 |
Contingency planning policy and procedures |
P1 |
1 |
0
|
| CP-2 |
Contingency plan |
P1 |
13 |
19
|
| CP-3 |
Contingency training |
P2 |
4 |
2
|
| CP-4 |
Contingency plan testing |
P2 |
3 |
3
|
| CP-6 |
Alternate storage site |
P1 |
5 |
7
|
| CP-7 |
Alternate processing site |
P1 |
6 |
9
|
| CP-8 |
Telecommunications services |
P1 |
3 |
3
|
| CP-9 |
Information system backup |
P1 |
5 |
7
|
| CP-10 |
Information system recovery and reconstitution |
P1 |
8 |
5
|
| CP-11 |
Alternate communications protocols |
P0 |
0 |
0
|
| CP-12 |
Safe mode |
P0 |
0 |
2
|
| CP-13 |
Alternative security mechanisms |
P0 |
1 |
1
|
| IA-1 |
Identification and authentication policy and procedures |
P1 |
1 |
0
|
| IA-2 |
Identification and authentication (organizational users) |
P1 |
8 |
11
|
| IA-3 |
Device identification and authentication |
P1 |
6 |
8
|
| IA-4 |
Identifier management |
P1 |
6 |
12
|
| IA-5 |
Authenticator management |
P1 |
14 |
10
|
| IA-6 |
Authenticator feedback |
P2 |
1 |
0
|
| IA-7 |
Cryptographic module authentication |
P1 |
2 |
1
|
| IA-8 |
Identification and authentication (non-organizational users) |
P1 |
11 |
8
|
| IA-9 |
Service identification and authentication |
P0 |
0 |
0
|
| IA-10 |
Adaptive identification and authentication |
P0 |
2 |
0
|
| IA-11 |
Re-authentication |
P0 |
1 |
0
|
| IR-1 |
Incident response policy and procedures |
P1 |
1 |
0
|
| IR-2 |
Incident response training |
P2 |
3 |
2
|
| IR-3 |
Incident response testing |
P2 |
2 |
3
|
| IR-4 |
Incident handling |
P1 |
13 |
9
|
| IR-5 |
Incident monitoring |
P1 |
8 |
2
|
| IR-6 |
Incident reporting |
P1 |
3 |
2
|
| IR-7 |
Incident response assistance |
P2 |
5 |
1
|
| IR-8 |
Incident response plan |
P1 |
3 |
9
|
| IR-9 |
Information spillage response |
P0 |
0 |
0
|
| IR-10 |
Integrated information security analysis team |
P0 |
0 |
0
|
| MA-1 |
System maintenance policy and procedures |
P1 |
1 |
0
|
| MA-2 |
Controlled maintenance |
P2 |
7 |
5
|
| MA-3 |
Maintenance tools |
P3 |
3 |
3
|
| MA-4 |
Nonlocal maintenance |
P2 |
17 |
11
|
| MA-5 |
Maintenance personnel |
P2 |
7 |
5
|
| MA-6 |
Timely maintenance |
P2 |
5 |
2
|
| MP-1 |
Media protection policy and procedures |
P1 |
1 |
0
|
| MP-2 |
Media access |
P1 |
6 |
13
|
| MP-3 |
Media marking |
P2 |
3 |
2
|
| MP-4 |
Media storage |
P1 |
5 |
16
|
| MP-5 |
Media transport |
P1 |
8 |
7
|
| MP-6 |
Media sanitization |
P1 |
4 |
5
|
| MP-7 |
Media use |
P1 |
2 |
3
|
| MP-8 |
Media downgrading |
P0 |
0 |
0
|
| PS-1 |
Personnel security policy and procedures |
P1 |
1 |
0
|
| PS-2 |
Position risk designation |
P1 |
3 |
5
|
| PS-3 |
Personnel screening |
P1 |
4 |
7
|
| PS-4 |
Personnel termination |
P1 |
5 |
4
|
| PS-5 |
Personnel transfer |
P2 |
4 |
4
|
| PS-6 |
Access agreements |
P3 |
5 |
5
|
| PS-7 |
Third-party personnel security |
P1 |
7 |
4
|
| PS-8 |
Personnel sanctions |
P3 |
2 |
3
|
| PE-1 |
Physical and environmental protection policy and procedures |
P1 |
1 |
0
|
| PE-2 |
Physical access authorizations |
P1 |
3 |
10
|
| PE-3 |
Physical access control |
P1 |
9 |
16
|
| PE-4 |
Access control for transmission medium |
P1 |
7 |
7
|
| PE-5 |
Access control for output devices |
P2 |
4 |
2
|
| PE-6 |
Monitoring physical access |
P1 |
3 |
4
|
| PE-8 |
Visitor access records |
P3 |
0 |
0
|
| PE-9 |
Power equipment and cabling |
P1 |
1 |
0
|
| PE-10 |
Emergency shutoff |
P1 |
1 |
0
|
| PE-11 |
Emergency power |
P1 |
3 |
0
|
| PE-12 |
Emergency lighting |
P1 |
2 |
0
|
| PE-13 |
Fire protection |
P1 |
0 |
0
|
| PE-14 |
Temperature and humidity controls |
P1 |
1 |
1
|
| PE-15 |
Water damage protection |
P1 |
1 |
1
|
| PE-16 |
Delivery and removal |
P2 |
5 |
3
|
| PE-17 |
Alternate work site |
P2 |
2 |
1
|
| PE-18 |
Location of information system components |
P3 |
3 |
2
|
| PE-19 |
Information leakage |
P0 |
0 |
1
|
| PE-20 |
Asset monitoring and tracking |
P0 |
1 |
0
|
| PL-1 |
Security planning policy and procedures |
P1 |
1 |
0
|
| PL-2 |
System security plan |
P1 |
24 |
13
|
| PL-4 |
Rules of behavior |
P2 |
18 |
14
|
| PL-7 |
Security concept of operations |
P0 |
1 |
1
|
| PL-8 |
Information security architecture |
P1 |
7 |
4
|
| PL-9 |
Central management |
P0 |
0 |
0
|
| PM-1 |
Information security program plan |
|
1 |
4
|
| PM-2 |
Senior information security officer |
|
0 |
0
|
| PM-3 |
Information security resources |
|
2 |
1
|
| PM-4 |
Plan of action and milestones process |
|
1 |
2
|
| PM-5 |
Information system inventory |
|
0 |
2
|
| PM-6 |
Information security measures of performance |
|
0 |
1
|
| PM-7 |
Enterprise architecture |
|
5 |
7
|
| PM-8 |
Critical infrastructure plan |
|
4 |
4
|
| PM-9 |
Risk management strategy |
|
1 |
23
|
| PM-10 |
Security authorization process |
|
1 |
1
|
| PM-11 |
Mission/business process definition |
|
3 |
5
|
| PM-12 |
Insider threat program |
|
21 |
1
|
| PM-13 |
Information security workforce |
|
2 |
0
|
| PM-14 |
Testing, training, and monitoring |
|
5 |
2
|
| PM-15 |
Contacts with security groups and associations |
|
1 |
0
|
| PM-16 |
Threat awareness program |
|
2 |
1
|
| RA-1 |
Risk assessment policy and procedures |
P1 |
1 |
0
|
| RA-2 |
Security categorization |
P1 |
4 |
6
|
| RA-3 |
Risk assessment |
P1 |
2 |
12
|
| RA-5 |
Vulnerability scanning |
P1 |
8 |
7
|
| RA-6 |
Technical surveillance countermeasures survey |
P0 |
0 |
0
|
| CA-1 |
Security assessment and authorization policy and procedures |
P1 |
1 |
0
|
| CA-2 |
Security assessments |
P2 |
8 |
9
|
| CA-3 |
System interconnections |
P1 |
11 |
7
|
| CA-5 |
Plan of action and milestones |
P3 |
4 |
3
|
| CA-6 |
Security authorization |
P2 |
4 |
4
|
| CA-7 |
Continuous monitoring |
P2 |
12 |
20
|
| CA-8 |
Penetration testing |
P2 |
1 |
0
|
| CA-9 |
Internal system connections |
P2 |
11 |
1
|
| SC-1 |
System and communications protection policy and procedures |
P1 |
1 |
0
|
| SC-2 |
Application partitioning |
P1 |
3 |
6
|
| SC-3 |
Security function isolation |
P1 |
9 |
7
|
| SC-4 |
Information in shared resources |
P1 |
3 |
1
|
| SC-5 |
Denial of service protection |
P1 |
2 |
6
|
| SC-6 |
Resource availability |
P0 |
0 |
1
|
| SC-7 |
Boundary protection |
P1 |
9 |
24
|
| SC-8 |
Transmission confidentiality and integrity |
P1 |
2 |
9
|
| SC-10 |
Network disconnect |
P2 |
0 |
4
|
| SC-11 |
Trusted path |
P0 |
2 |
1
|
| SC-12 |
Cryptographic key establishment and management |
P1 |
2 |
7
|
| SC-13 |
Cryptographic protection |
P1 |
20 |
11
|
| SC-15 |
Collaborative computing devices |
P1 |
1 |
1
|
| SC-16 |
Transmission of security attributes |
P0 |
3 |
2
|
| SC-17 |
Public key infrastructure certificates |
P1 |
1 |
4
|
| SC-18 |
Mobile code |
P2 |
5 |
2
|
| SC-19 |
Voice over internet protocol |
P1 |
3 |
1
|
| SC-20 |
Secure name / address resolution service (authoritative source) |
P1 |
6 |
2
|
| SC-21 |
Secure name / address resolution service (recursive or caching resolver) |
P1 |
2 |
2
|
| SC-22 |
Architecture and provisioning for name / address resolution service |
P1 |
4 |
3
|
| SC-23 |
Session authenticity |
P1 |
3 |
2
|
| SC-24 |
Fail in known state |
P1 |
5 |
3
|
| SC-25 |
Thin nodes |
P0 |
1 |
1
|
| SC-26 |
Honeypots |
P0 |
4 |
5
|
| SC-27 |
Platform-independent applications |
P0 |
1 |
1
|
| SC-28 |
Protection of information at rest |
P1 |
11 |
3
|
| SC-29 |
Heterogeneity |
P0 |
3 |
3
|
| SC-30 |
Concealment and misdirection |
P0 |
3 |
5
|
| SC-31 |
Covert channel analysis |
P0 |
3 |
1
|
| SC-32 |
Information system partitioning |
P0 |
5 |
0
|
| SC-34 |
Non-modifiable executable programs |
P0 |
2 |
1
|
| SC-35 |
Honeyclients |
P0 |
4 |
1
|
| SC-36 |
Distributed processing and storage |
P0 |
2 |
0
|
| SC-37 |
Out-of-band channels |
P0 |
11 |
1
|
| SC-38 |
Operations security |
P0 |
3 |
2
|
| SC-39 |
Process isolation |
P1 |
8 |
2
|
| SC-40 |
Wireless link protection |
P0 |
2 |
0
|
| SC-41 |
Port and i/o device access |
P0 |
0 |
0
|
| SC-42 |
Sensor capability and data |
P0 |
0 |
0
|
| SC-43 |
Usage restrictions |
P0 |
2 |
1
|
| SC-44 |
Detonation chambers |
P0 |
4 |
3
|
| SI-1 |
System and information integrity policy and procedures |
P1 |
1 |
0
|
| SI-2 |
Flaw remediation |
P1 |
11 |
9
|
| SI-3 |
Malicious code protection |
P1 |
12 |
13
|
| SI-4 |
Information system monitoring |
P1 |
18 |
21
|
| SI-5 |
Security alerts, advisories, and directives |
P1 |
1 |
1
|
| SI-6 |
Security function verification |
P1 |
2 |
0
|
| SI-7 |
Software, firmware, and information integrity |
P1 |
4 |
12
|
| SI-8 |
Spam protection |
P2 |
5 |
0
|
| SI-10 |
Information input validation |
P1 |
0 |
0
|
| SI-11 |
Error handling |
P2 |
3 |
2
|
| SI-12 |
Information handling and retention |
P2 |
5 |
2
|
| SI-13 |
Predictable failure prevention |
P0 |
3 |
1
|
| SI-14 |
Non-persistence |
P0 |
2 |
1
|
| SI-15 |
Information output filtering |
P0 |
2 |
0
|
| SI-16 |
Memory protection |
P1 |
2 |
0
|
| SI-17 |
Fail-safe procedures |
P0 |
4 |
0
|
| SA-1 |
System and services acquisition policy and procedures |
P1 |
1 |
0
|
| SA-2 |
Allocation of resources |
P1 |
2 |
1
|
| SA-3 |
System development life cycle |
P1 |
3 |
10
|
| SA-4 |
Acquisition process |
P1 |
8 |
11
|
| SA-5 |
Information system documentation |
P2 |
7 |
10
|
| SA-8 |
Security engineering principles |
P1 |
6 |
14
|
| SA-9 |
External information system services |
P1 |
3 |
4
|
| SA-10 |
Developer configuration management |
P1 |
5 |
6
|
| SA-11 |
Developer security testing and evaluation |
P1 |
6 |
5
|
| SA-12 |
Supply chain protection |
P1 |
17 |
16
|
| SA-13 |
Trustworthiness |
P0 |
5 |
3
|
| SA-14 |
Criticality analysis |
P0 |
9 |
5
|
| SA-15 |
Development process, standards, and tools |
P2 |
2 |
3
|
| SA-16 |
Developer-provided training |
P2 |
3 |
1
|
| SA-17 |
Developer security architecture and design |
P1 |
4 |
3
|
| SA-18 |
Tamper resistance and detection |
P0 |
3 |
1
|
| SA-19 |
Component authenticity |
P0 |
3 |
1
|
| SA-20 |
Customized development of critical components |
P0 |
3 |
1
|
| SA-21 |
Developer screening |
P0 |
2 |
1
|
| SA-22 |
Unsupported system components |
P0 |
2 |
0
|
