Retired controls are excluded from the list.
| Identifier | Name | Priority | Referring | Referred |
|---|---|---|---|---|
| AC-1 | Access control policy and procedures | P1 | 1 | 0 |
| AC-2 | Account management | P1 | 21 | 19 |
| AC-3 | Access enforcement | P1 | 19 | 33 |
| AC-4 | Information flow enforcement | P1 | 11 | 13 |
| AC-5 | Separation of duties | P1 | 5 | 3 |
| AC-6 | Least privilege | P1 | 6 | 17 |
| AC-7 | Unsuccessful logon attempts | P2 | 4 | 4 |
| AC-8 | System use notification | P1 | 0 | 2 |
| AC-9 | Previous logon (access) notification | P0 | 2 | 2 |
| AC-10 | Concurrent session control | P3 | 0 | 1 |
| AC-11 | Session lock | P3 | 1 | 1 |
| AC-12 | Session termination | P2 | 2 | 0 |
| AC-14 | Permitted actions without identification or authentication | P3 | 2 | 5 |
| AC-16 | Security attributes | P0 | 8 | 6 |
| AC-17 | Remote access | P1 | 16 | 19 |
| AC-18 | Wireless access | P1 | 12 | 10 |
| AC-19 | Access control for mobile devices | P1 | 16 | 12 |
| AC-20 | Use of external information systems | P1 | 6 | 7 |
| AC-21 | Information sharing | P2 | 1 | 4 |
| AC-22 | Publicly accessible content | P3 | 5 | 1 |
| AC-23 | Data mining protection | P0 | 0 | 0 |
| AC-24 | Access control decisions | P0 | 0 | 0 |
| AC-25 | Reference monitor | P0 | 4 | 2 |
| AU-1 | Audit and accountability policy and procedures | P1 | 1 | 0 |
| AU-2 | Audit events | P1 | 8 | 11 |
| AU-3 | Content of audit records | P1 | 4 | 5 |
| AU-4 | Audit storage capacity | P1 | 6 | 3 |
| AU-5 | Response to audit processing failures | P1 | 2 | 5 |
| AU-6 | Audit review, analysis, and reporting | P1 | 28 | 10 |
| AU-7 | Audit reduction and report generation | P2 | 1 | 5 |
| AU-8 | Time stamps | P1 | 2 | 1 |
| AU-9 | Protection of audit information | P1 | 7 | 6 |
| AU-10 | Non-repudiation | P2 | 6 | 4 |
| AU-11 | Audit record retention | P3 | 4 | 3 |
| AU-12 | Audit generation | P1 | 5 | 8 |
| AU-13 | Monitoring for information disclosure | P0 | 2 | 2 |
| AU-14 | Session audit | P0 | 5 | 0 |
| AU-15 | Alternate audit capability | P0 | 1 | 0 |
| AU-16 | Cross-organizational auditing | P0 | 1 | 2 |
| AT-1 | Security awareness and training policy and procedures | P1 | 1 | 0 |
| AT-2 | Security awareness training | P1 | 3 | 10 |
| AT-3 | Role-based security training | P1 | 7 | 17 |
| AT-4 | Security training records | P3 | 3 | 2 |
| CM-1 | Configuration management policy and procedures | P1 | 1 | 0 |
| CM-2 | Baseline configuration | P1 | 7 | 10 |
| CM-3 | Configuration change control | P1 | 9 | 13 |
| CM-4 | Security impact analysis | P2 | 8 | 8 |
| CM-5 | Access restrictions for change | P1 | 3 | 9 |
| CM-6 | Configuration settings | P1 | 5 | 19 |
| CM-7 | Least functionality | P1 | 5 | 6 |
| CM-8 | Information system component inventory | P1 | 3 | 11 |
| CM-9 | Configuration management plan | P1 | 6 | 5 |
| CM-10 | Software usage restrictions | P2 | 3 | 1 |
| CM-11 | User-installed software | P1 | 7 | 5 |
| CP-1 | Contingency planning policy and procedures | P1 | 1 | 0 |
| CP-2 | Contingency plan | P1 | 13 | 19 |
| CP-3 | Contingency training | P2 | 4 | 2 |
| CP-4 | Contingency plan testing | P2 | 3 | 3 |
| CP-6 | Alternate storage site | P1 | 5 | 7 |
| CP-7 | Alternate processing site | P1 | 6 | 9 |
| CP-8 | Telecommunications services | P1 | 3 | 3 |
| CP-9 | Information system backup | P1 | 5 | 7 |
| CP-10 | Information system recovery and reconstitution | P1 | 8 | 5 |
| CP-11 | Alternate communications protocols | P0 | 0 | 0 |
| CP-12 | Safe mode | P0 | 0 | 2 |
| CP-13 | Alternative security mechanisms | P0 | 1 | 1 |
| IA-1 | Identification and authentication policy and procedures | P1 | 1 | 0 |
| IA-2 | Identification and authentication (organizational users) | P1 | 8 | 11 |
| IA-3 | Device identification and authentication | P1 | 6 | 8 |
| IA-4 | Identifier management | P1 | 6 | 12 |
| IA-5 | Authenticator management | P1 | 14 | 10 |
| IA-6 | Authenticator feedback | P2 | 1 | 0 |
| IA-7 | Cryptographic module authentication | P1 | 2 | 1 |
| IA-8 | Identification and authentication (non-organizational users) | P1 | 11 | 8 |
| IA-9 | Service identification and authentication | P0 | 0 | 0 |
| IA-10 | Adaptive identification and authentication | P0 | 2 | 0 |
| IA-11 | Re-authentication | P0 | 1 | 0 |
| IR-1 | Incident response policy and procedures | P1 | 1 | 0 |
| IR-2 | Incident response training | P2 | 3 | 2 |
| IR-3 | Incident response testing | P2 | 2 | 3 |
| IR-4 | Incident handling | P1 | 13 | 9 |
| IR-5 | Incident monitoring | P1 | 8 | 2 |
| IR-6 | Incident reporting | P1 | 3 | 2 |
| IR-7 | Incident response assistance | P2 | 5 | 1 |
| IR-8 | Incident response plan | P1 | 3 | 9 |
| IR-9 | Information spillage response | P0 | 0 | 0 |
| IR-10 | Integrated information security analysis team | P0 | 0 | 0 |
| MA-1 | System maintenance policy and procedures | P1 | 1 | 0 |
| MA-2 | Controlled maintenance | P2 | 7 | 5 |
| MA-3 | Maintenance tools | P3 | 3 | 3 |
| MA-4 | Nonlocal maintenance | P2 | 17 | 11 |
| MA-5 | Maintenance personnel | P2 | 7 | 5 |
| MA-6 | Timely maintenance | P2 | 5 | 2 |
| MP-1 | Media protection policy and procedures | P1 | 1 | 0 |
| MP-2 | Media access | P1 | 6 | 13 |
| MP-3 | Media marking | P2 | 3 | 2 |
| MP-4 | Media storage | P1 | 5 | 16 |
| MP-5 | Media transport | P1 | 8 | 7 |
| MP-6 | Media sanitization | P1 | 4 | 5 |
| MP-7 | Media use | P1 | 2 | 3 |
| MP-8 | Media downgrading | P0 | 0 | 0 |
| PS-1 | Personnel security policy and procedures | P1 | 1 | 0 |
| PS-2 | Position risk designation | P1 | 3 | 5 |
| PS-3 | Personnel screening | P1 | 4 | 7 |
| PS-4 | Personnel termination | P1 | 5 | 4 |
| PS-5 | Personnel transfer | P2 | 4 | 4 |
| PS-6 | Access agreements | P3 | 5 | 5 |
| PS-7 | Third-party personnel security | P1 | 7 | 4 |
| PS-8 | Personnel sanctions | P3 | 2 | 3 |
| PE-1 | Physical and environmental protection policy and procedures | P1 | 1 | 0 |
| PE-2 | Physical access authorizations | P1 | 3 | 10 |
| PE-3 | Physical access control | P1 | 9 | 16 |
| PE-4 | Access control for transmission medium | P1 | 7 | 7 |
| PE-5 | Access control for output devices | P2 | 4 | 2 |
| PE-6 | Monitoring physical access | P1 | 3 | 4 |
| PE-8 | Visitor access records | P3 | 0 | 0 |
| PE-9 | Power equipment and cabling | P1 | 1 | 0 |
| PE-10 | Emergency shutoff | P1 | 1 | 0 |
| PE-11 | Emergency power | P1 | 3 | 0 |
| PE-12 | Emergency lighting | P1 | 2 | 0 |
| PE-13 | Fire protection | P1 | 0 | 0 |
| PE-14 | Temperature and humidity controls | P1 | 1 | 1 |
| PE-15 | Water damage protection | P1 | 1 | 1 |
| PE-16 | Delivery and removal | P2 | 5 | 3 |
| PE-17 | Alternate work site | P2 | 2 | 1 |
| PE-18 | Location of information system components | P3 | 3 | 2 |
| PE-19 | Information leakage | P0 | 0 | 1 |
| PE-20 | Asset monitoring and tracking | P0 | 1 | 0 |
| PL-1 | Security planning policy and procedures | P1 | 1 | 0 |
| PL-2 | System security plan | P1 | 24 | 13 |
| PL-4 | Rules of behavior | P2 | 18 | 14 |
| PL-7 | Security concept of operations | P0 | 1 | 1 |
| PL-8 | Information security architecture | P1 | 7 | 4 |
| PL-9 | Central management | P0 | 0 | 0 |
| PM-1 | Information security program plan | | 1 | 4 |
| PM-2 | Senior information security officer | | 0 | 0 |
| PM-3 | Information security resources | | 2 | 1 |
| PM-4 | Plan of action and milestones process | | 1 | 2 |
| PM-5 | Information system inventory | | 0 | 2 |
| PM-6 | Information security measures of performance | | 0 | 1 |
| PM-7 | Enterprise architecture | | 5 | 7 |
| PM-8 | Critical infrastructure plan | | 4 | 4 |
| PM-9 | Risk management strategy | | 1 | 23 |
| PM-10 | Security authorization process | | 1 | 1 |
| PM-11 | Mission/business process definition | | 3 | 5 |
| PM-12 | Insider threat program | | 21 | 1 |
| PM-13 | Information security workforce | | 2 | 0 |
| PM-14 | Testing, training, and monitoring | | 5 | 2 |
| PM-15 | Contacts with security groups and associations | | 1 | 0 |
| PM-16 | Threat awareness program | | 2 | 1 |
| RA-1 | Risk assessment policy and procedures | P1 | 1 | 0 |
| RA-2 | Security categorization | P1 | 4 | 6 |
| RA-3 | Risk assessment | P1 | 2 | 12 |
| RA-5 | Vulnerability scanning | P1 | 8 | 7 |
| RA-6 | Technical surveillance countermeasures survey | P0 | 0 | 0 |
| CA-1 | Security assessment and authorization policy and procedures | P1 | 1 | 0 |
| CA-2 | Security assessments | P2 | 8 | 9 |
| CA-3 | System interconnections | P1 | 11 | 7 |
| CA-5 | Plan of action and milestones | P3 | 4 | 3 |
| CA-6 | Security authorization | P2 | 4 | 4 |
| CA-7 | Continuous monitoring | P2 | 12 | 20 |
| CA-8 | Penetration testing | P2 | 1 | 0 |
| CA-9 | Internal system connections | P2 | 11 | 1 |
| SC-1 | System and communications protection policy and procedures | P1 | 1 | 0 |
| SC-2 | Application partitioning | P1 | 3 | 6 |
| SC-3 | Security function isolation | P1 | 9 | 7 |
| SC-4 | Information in shared resources | P1 | 3 | 1 |
| SC-5 | Denial of service protection | P1 | 2 | 6 |
| SC-6 | Resource availability | P0 | 0 | 1 |
| SC-7 | Boundary protection | P1 | 9 | 24 |
| SC-8 | Transmission confidentiality and integrity | P1 | 2 | 9 |
| SC-10 | Network disconnect | P2 | 0 | 4 |
| SC-11 | Trusted path | P0 | 2 | 1 |
| SC-12 | Cryptographic key establishment and management | P1 | 2 | 7 |
| SC-13 | Cryptographic protection | P1 | 20 | 11 |
| SC-15 | Collaborative computing devices | P1 | 1 | 1 |
| SC-16 | Transmission of security attributes | P0 | 3 | 2 |
| SC-17 | Public key infrastructure certificates | P1 | 1 | 4 |
| SC-18 | Mobile code | P2 | 5 | 2 |
| SC-19 | Voice over Internet Protocol | P1 | 3 | 1 |
| SC-20 | Secure name / address resolution service (authoritative source) | P1 | 6 | 2 |
| SC-21 | Secure name / address resolution service (recursive or caching resolver) | P1 | 2 | 2 |
| SC-22 | Architecture and provisioning for name / address resolution service | P1 | 4 | 3 |
| SC-23 | Session authenticity | P1 | 3 | 2 |
| SC-24 | Fail in known state | P1 | 5 | 3 |
| SC-25 | Thin nodes | P0 | 1 | 1 |
| SC-26 | Honeypots | P0 | 4 | 5 |
| SC-27 | Platform-independent applications | P0 | 1 | 1 |
| SC-28 | Protection of information at rest | P1 | 11 | 3 |
| SC-29 | Heterogeneity | P0 | 3 | 3 |
| SC-30 | Concealment and misdirection | P0 | 3 | 5 |
| SC-31 | Covert channel analysis | P0 | 3 | 1 |
| SC-32 | Information system partitioning | P0 | 5 | 0 |
| SC-34 | Non-modifiable executable programs | P0 | 2 | 1 |
| SC-35 | Honeyclients | P0 | 4 | 1 |
| SC-36 | Distributed processing and storage | P0 | 2 | 0 |
| SC-37 | Out-of-band channels | P0 | 11 | 1 |
| SC-38 | Operations security | P0 | 3 | 2 |
| SC-39 | Process isolation | P1 | 8 | 2 |
| SC-40 | Wireless link protection | P0 | 2 | 0 |
| SC-41 | Port and I/O device access | P0 | 0 | 0 |
| SC-42 | Sensor capability and data | P0 | 0 | 0 |
| SC-43 | Usage restrictions | P0 | 2 | 1 |
| SC-44 | Detonation chambers | P0 | 4 | 3 |
| SI-1 | System and information integrity policy and procedures | P1 | 1 | 0 |
| SI-2 | Flaw remediation | P1 | 11 | 9 |
| SI-3 | Malicious code protection | P1 | 12 | 13 |
| SI-4 | Information system monitoring | P1 | 18 | 21 |
| SI-5 | Security alerts, advisories, and directives | P1 | 1 | 1 |
| SI-6 | Security function verification | P1 | 2 | 0 |
| SI-7 | Software, firmware, and information integrity | P1 | 4 | 12 |
| SI-8 | Spam protection | P2 | 5 | 0 |
| SI-10 | Information input validation | P1 | 0 | 0 |
| SI-11 | Error handling | P2 | 3 | 2 |
| SI-12 | Information handling and retention | P2 | 5 | 2 |
| SI-13 | Predictable failure prevention | P0 | 3 | 1 |
| SI-14 | Non-persistence | P0 | 2 | 1 |
| SI-15 | Information output filtering | P0 | 2 | 0 |
| SI-16 | Memory protection | P1 | 2 | 0 |
| SI-17 | Fail-safe procedures | P0 | 4 | 0 |
| SA-1 | System and services acquisition policy and procedures | P1 | 1 | 0 |
| SA-2 | Allocation of resources | P1 | 2 | 1 |
| SA-3 | System development life cycle | P1 | 3 | 10 |
| SA-4 | Acquisition process | P1 | 8 | 11 |
| SA-5 | Information system documentation | P2 | 7 | 10 |
| SA-8 | Security engineering principles | P1 | 6 | 14 |
| SA-9 | External information system services | P1 | 3 | 4 |
| SA-10 | Developer configuration management | P1 | 5 | 6 |
| SA-11 | Developer security testing and evaluation | P1 | 6 | 5 |
| SA-12 | Supply chain protection | P1 | 17 | 16 |
| SA-13 | Trustworthiness | P0 | 5 | 3 |
| SA-14 | Criticality analysis | P0 | 9 | 5 |
| SA-15 | Development process, standards, and tools | P2 | 2 | 3 |
| SA-16 | Developer-provided training | P2 | 3 | 1 |
| SA-17 | Developer security architecture and design | P1 | 4 | 3 |
| SA-18 | Tamper resistance and detection | P0 | 3 | 1 |
| SA-19 | Component authenticity | P0 | 3 | 1 |
| SA-20 | Customized development of critical components | P0 | 3 | 1 |
| SA-21 | Developer screening | P0 | 2 | 1 |
| SA-22 | Unsupported system components | P0 | 2 | 0 |