Full list of security controls and control enhancements

From SecWiki
Identifier Name Priority Baseline Retired
AC-1 Access control policy and procedures P1 Low, Mod, High No
AC-2 Account management P1 Low, Mod, High No
AC-2 (1) Automated system account management Mod, High No
AC-2 (2) Removal of temporary / emergency accounts Mod, High No
AC-2 (3) Disable inactive accounts Mod, High No
AC-2 (4) Automated audit actions Mod, High No
AC-2 (5) Inactivity logout High No
AC-2 (6) Dynamic privilege management No
AC-2 (7) Role-based schemes No
AC-2 (8) Dynamic account creation No
AC-2 (9) Restrictions on use of shared / group accounts No
AC-2 (10) Shared / group account credential termination No
AC-2 (11) Usage conditions High No
AC-2 (12) Account monitoring / atypical usage High No
AC-2 (13) Disable accounts for high-risk individuals High No
AC-3 Access enforcement P1 Low, Mod, High No
AC-3 (1) Restricted access to privileged functions In the specification
AC-3 (2) Dual authorization No
AC-3 (3) Mandatory access control No
AC-3 (4) Discretionary access control No
AC-3 (5) Security-relevant information No
AC-3 (6) Protection of user and system information In the specification
AC-3 (7) Role-based access control No
AC-3 (8) Revocation of access authorizations No
AC-3 (9) Controlled release No
AC-3 (10) Audited override of access control mechanisms No
AC-4 Information flow enforcement P1 Mod, High No
AC-4 (1) Object security attributes No
AC-4 (2) Processing domains No
AC-4 (3) Dynamic information flow control No
AC-4 (4) Content check encrypted information No
AC-4 (5) Embedded data types No
AC-4 (6) Metadata No
AC-4 (7) One-way flow mechanisms No
AC-4 (8) Security policy filters No
AC-4 (9) Human reviews No
AC-4 (10) Enable / disable security policy filters No
AC-4 (11) Configuration of security policy filters No
AC-4 (12) Data type identifiers No
AC-4 (13) Decomposition into policy-relevant subcomponents No
AC-4 (14) Security policy filter constraints No
AC-4 (15) Detection of unsanctioned information No
AC-4 (16) Information transfers on interconnected systems In the specification
AC-4 (17) Domain authentication No
AC-4 (18) Security attribute binding No
AC-4 (19) Validation of metadata No
AC-4 (20) Approved solutions No
AC-4 (21) Physical / logical separation of information flows No
AC-4 (22) Access only No
AC-5 Separation of duties P1 Mod, High No
AC-6 Least privilege P1 Mod, High No
AC-6 (1) Authorize access to security functions Mod, High No
AC-6 (2) Non-privileged access for nonsecurity functions Mod, High No
AC-6 (3) Network access to privileged commands High No
AC-6 (4) Separate processing domains No
AC-6 (5) Privileged accounts Mod, High No
AC-6 (6) Privileged access by non-organizational users No
AC-6 (7) Review of user privileges No
AC-6 (8) Privilege levels for code execution No
AC-6 (9) Auditing use of privileged functions Mod, High No
AC-6 (10) Prohibit non-privileged users from executing privileged functions Mod, High No
AC-7 Unsuccessful logon attempts P2 Low, Mod, High No
AC-7 (1) Automatic account lock In the specification
AC-7 (2) Purge / wipe mobile device No
AC-8 System use notification P1 Low, Mod, High No
AC-9 Previous logon (access) notification P0 No
AC-9 (1) Unsuccessful logons No
AC-9 (2) Successful / unsuccessful logons No
AC-9 (3) Notification of account changes No
AC-9 (4) Additional logon information No
AC-10 Concurrent session control P3 High No
AC-11 Session lock P3 Mod, High No
AC-11 (1) Pattern-hiding displays Mod, High No
AC-12 Session termination P2 Mod, High No
AC-12 (1) User-initiated logouts / message displays No
AC-13 Supervision and review - access control In the specification
AC-14 Permitted actions without identification or authentication P3 Low, Mod, High No
AC-14 (1) Necessary uses In the specification
AC-15 Automated marking In the specification
AC-16 Security attributes P0 No
AC-16 (1) Dynamic attribute association No
AC-16 (2) Attribute value changes by authorized individuals No
AC-16 (3) Maintenance of attribute associations by information system No
AC-16 (4) Association of attributes by authorized individuals No
AC-16 (5) Attribute displays for output devices No
AC-16 (6) Maintenance of attribute association by organization No
AC-16 (7) Consistent attribute interpretation No
AC-16 (8) Association techniques / technologies No
AC-16 (9) Attribute reassignment No
AC-16 (10) Attribute configuration by authorized individuals No
AC-17 Remote access P1 Low, Mod, High No
AC-17 (1) Automated monitoring / control Mod, High No
AC-17 (2) Protection of confidentiality / integrity using encryption Mod, High No
AC-17 (3) Managed access control points Mod, High No
AC-17 (4) Privileged commands / access Mod, High No
AC-17 (5) Monitoring for unauthorized connections In the specification
AC-17 (6) Protection of information No
AC-17 (7) Additional protection for security function access In the specification
AC-17 (8) Disable nonsecure network protocols In the specification
AC-17 (9) Disconnect / disable access No
AC-18 Wireless access P1 Low, Mod, High No
AC-18 (1) Authentication and encryption Mod, High No
AC-18 (2) Monitoring unauthorized connections In the specification
AC-18 (3) Disable wireless networking No
AC-18 (4) Restrict configurations by users High No
AC-18 (5) Antennas / transmission power levels High No
AC-19 Access control for mobile devices P1 Low, Mod, High No
AC-19 (1) Use of writable / portable storage devices In the specification
AC-19 (2) Use of personally owned portable storage devices In the specification
AC-19 (3) Use of portable storage devices with no identifiable owner In the specification
AC-19 (4) Restrictions for classified information No
AC-19 (5) Full device / container-based encryption Mod, High No
AC-20 Use of external information systems P1 Low, Mod, High No
AC-20 (1) Limits on authorized use Mod, High No
AC-20 (2) Portable storage devices Mod, High No
AC-20 (3) Non-organizationally owned systems / components / devices No
AC-20 (4) Network accessible storage devices No
AC-21 Information sharing P2 Mod, High No
AC-21 (1) Automated decision support No
AC-21 (2) Information search and retrieval No
AC-22 Publicly accessible content P3 Low, Mod, High No
AC-23 Data mining protection P0 No
AC-24 Access control decisions P0 No
AC-24 (1) Transmit access authorization information No
AC-24 (2) No user or process identity No
AC-25 Reference monitor P0 No
AT-1 Security awareness and training policy and procedures P1 Low, Mod, High No
AT-2 Security awareness training P1 Low, Mod, High No
AT-2 (1) Practical exercises No
AT-2 (2) Insider threat Mod, High No
AT-3 Role-based security training P1 Low, Mod, High No
AT-3 (1) Environmental controls No
AT-3 (2) Physical security controls No
AT-3 (3) Practical exercises No
AT-3 (4) Suspicious communications and anomalous system behavior No
AT-4 Security training records P3 Low, Mod, High No
AT-5 Contacts with security groups and associations In the specification
AU-1 Audit and accountability policy and procedures P1 Low, Mod, High No
AU-2 Audit events P1 Low, Mod, High No
AU-2 (1) Compilation of audit records from multiple sources In the specification
AU-2 (2) Selection of audit events by component In the specification
AU-2 (3) Reviews and updates Mod, High No
AU-2 (4) Privileged functions In the specification
AU-3 Content of audit records P1 Low, Mod, High No
AU-3 (1) Additional audit information Mod, High No
AU-3 (2) Centralized management of planned audit record content High No
AU-4 Audit storage capacity P1 Low, Mod, High No
AU-4 (1) Transfer to alternate storage No
AU-5 Response to audit processing failures P1 Low, Mod, High No
AU-5 (1) Audit storage capacity High No
AU-5 (2) Real-time alerts High No
AU-5 (3) Configurable traffic volume thresholds No
AU-5 (4) Shutdown on failure No
AU-6 Audit review, analysis, and reporting P1 Low, Mod, High No
AU-6 (1) Process integration Mod, High No
AU-6 (2) Automated security alerts In the specification
AU-6 (3) Correlate audit repositories Mod, High No
AU-6 (4) Central review and analysis No
AU-6 (5) Integration / scanning and monitoring capabilities High No
AU-6 (6) Correlation with physical monitoring High No
AU-6 (7) Permitted actions No
AU-6 (8) Full text analysis of privileged commands No
AU-6 (9) Correlation with information from nontechnical sources No
AU-6 (10) Audit level adjustment No
AU-7 Audit reduction and report generation P2 Mod, High No
AU-7 (1) Automatic processing Mod, High No
AU-7 (2) Automatic sort and search No
AU-8 Time stamps P1 Low, Mod, High No
AU-8 (1) Synchronization with authoritative time source Mod, High No
AU-8 (2) Secondary authoritative time source No
AU-9 Protection of audit information P1 Low, Mod, High No
AU-9 (1) Hardware write-once media No
AU-9 (2) Audit backup on separate physical systems / components High No
AU-9 (3) Cryptographic protection High No
AU-9 (4) Access by subset of privileged users Mod, High No
AU-9 (5) Dual authorization No
AU-9 (6) Read only access No
AU-10 Non-repudiation P2 High No
AU-10 (1) Association of identities No
AU-10 (2) Validate binding of information producer identity No
AU-10 (3) Chain of custody No
AU-10 (4) Validate binding of information reviewer identity No
AU-10 (5) Digital signatures In the specification
AU-11 Audit record retention P3 Low, Mod, High No
AU-11 (1) Long-term retrieval capability No
AU-12 Audit generation P1 Low, Mod, High No
AU-12 (1) System-wide / time-correlated audit trail High No
AU-12 (2) Standardized formats No
AU-12 (3) Changes by authorized individuals High No
AU-13 Monitoring for information disclosure P0 No
AU-13 (1) Use of automated tools No
AU-13 (2) Review of monitored sites No
AU-14 Session audit P0 No
AU-14 (1) System start-up No
AU-14 (2) Capture/record and log content No
AU-14 (3) Remote viewing / listening No
AU-15 Alternate audit capability P0 No
AU-16 Cross-organizational auditing P0 No
AU-16 (1) Identity preservation No
AU-16 (2) Sharing of audit information No
CA-1 Security assessment and authorization policy and procedures P1 Low, Mod, High No
CA-2 Security assessments P2 Low, Mod, High No
CA-2 (1) Independent assessors Mod, High No
CA-2 (2) Specialized assessments High No
CA-2 (3) External organizations No
CA-3 System interconnections P1 Low, Mod, High No
CA-3 (1) Unclassified national security system connections No
CA-3 (2) Classified national security system connections No
CA-3 (3) Unclassified non-national security system connections No
CA-3 (4) Connections to public networks No
CA-3 (5) Restrictions on external system connections Mod, High No
CA-4 Security certification In the specification
CA-5 Plan of action and milestones P3 Low, Mod, High No
CA-5 (1) Automation support for accuracy / currency No
CA-6 Security authorization P2 Low, Mod, High No
CA-7 Continuous monitoring P2 Low, Mod, High No
CA-7 (1) Independent assessment Mod, High No
CA-7 (2) Types of assessments In the specification
CA-7 (3) Trend analyses No
CA-8 Penetration testing P2 High No
CA-8 (1) Independent penetration agent or team No
CA-8 (2) Red team exercises No
CA-9 Internal system connections P2 Low, Mod, High No
CA-9 (1) Security compliance checks No
CM-1 Configuration management policy and procedures P1 Low, Mod, High No
CM-2 Baseline configuration P1 Low, Mod, High No
CM-2 (1) Reviews and updates Mod, High No
CM-2 (2) Automation support for accuracy / currency High No
CM-2 (3) Retention of previous configurations Mod, High No
CM-2 (4) Unauthorized software In the specification
CM-2 (5) Authorized software In the specification
CM-2 (6) Development and test environments No
CM-2 (7) Configure systems, components, or devices for high-risk areas Mod, High No
CM-3 Configuration change control P1 Mod, High No
CM-3 (1) Automated document / notification / prohibition of changes High No
CM-3 (2) Test / validate / document changes Mod, High No
CM-3 (3) Automated change implementation No
CM-3 (4) Security representative No
CM-3 (5) Automated security response No
CM-3 (6) Cryptography management No
CM-4 Security impact analysis P2 Low, Mod, High No
CM-4 (1) Separate test environments High No
CM-4 (2) Verification of security functions No
CM-5 Access restrictions for change P1 Mod, High No
CM-5 (1) Automated access enforcement / auditing High No
CM-5 (2) Review system changes High No
CM-5 (3) Signed components High No
CM-5 (4) Dual authorization No
CM-5 (5) Limit production / operational privileges No
CM-5 (6) Limit library privileges No
CM-5 (7) Automatic implementation of security safeguards In the specification
CM-6 Configuration settings P1 Low, Mod, High No
CM-6 (1) Automated central management / application / verification High No
CM-6 (2) Respond to unauthorized changes High No
CM-6 (3) Unauthorized change detection In the specification
CM-6 (4) Conformance demonstration In the specification
CM-7 Least functionality P1 Low, Mod, High No
CM-7 (1) Periodic review Mod, High No
CM-7 (2) Prevent program execution Mod, High No
CM-7 (3) Registration compliance No
CM-7 (4) Unauthorized software / blacklisting Mod No
CM-7 (5) Authorized software / whitelisting High No
CM-8 Information system component inventory P1 Low, Mod, High No
CM-8 (1) Updates during installations / removals Mod, High No
CM-8 (2) Automated maintenance High No
CM-8 (3) Automated unauthorized component detection Mod, High No
CM-8 (4) Accountability information High No
CM-8 (5) No duplicate accounting of components Mod, High No
CM-8 (6) Assessed configurations / approved deviations No
CM-8 (7) Centralized repository No
CM-8 (8) Automated location tracking No
CM-8 (9) Assignment of components to systems No
CM-9 Configuration management plan P1 Mod, High No
CM-9 (1) Assignment of responsibility No
CM-10 Software usage restrictions P2 Low, Mod, High No
CM-10 (1) Open source software No
CM-11 User-installed software P1 Low, Mod, High No
CM-11 (1) Alerts for unauthorized installations No
CM-11 (2) Prohibit installation without privileged status No
CP-1 Contingency planning policy and procedures P1 Low, Mod, High No
CP-2 Contingency plan P1 Low, Mod, High No
CP-2 (1) Coordinate with related plans Mod, High No
CP-2 (2) Capacity planning High No
CP-2 (3) Resume essential missions / business functions Mod, High No
CP-2 (4) Resume all missions / business functions High No
CP-2 (5) Continue essential missions / business functions High No
CP-2 (6) Alternate processing / storage site No
CP-2 (7) Coordinate with external service providers No
CP-2 (8) Identify critical assets Mod, High No
CP-3 Contingency training P2 Low, Mod, High No
CP-3 (1) Simulated events High No
CP-3 (2) Automated training environments No
CP-4 Contingency plan testing P2 Low, Mod, High No
CP-4 (1) Coordinate with related plans Mod, High No
CP-4 (2) Alternate processing site High No
CP-4 (3) Automated testing No
CP-4 (4) Full recovery / reconstitution No
CP-5 Contingency plan update In the specification
CP-6 Alternate storage site P1 Mod, High No
CP-6 (1) Separation from primary site Mod, High No
CP-6 (2) Recovery time / point objectives High No
CP-6 (3) Accessibility Mod, High No
CP-7 Alternate processing site P1 Mod, High No
CP-7 (1) Separation from primary site Mod, High No
CP-7 (2) Accessibility Mod, High No
CP-7 (3) Priority of service Mod, High No
CP-7 (4) Preparation for use High No
CP-7 (5) Equivalent information security safeguards In the specification
CP-7 (6) Inability to return to primary site No
CP-8 Telecommunications services P1 Mod, High No
CP-8 (1) Priority of service provisions Mod, High No
CP-8 (2) Single points of failure Mod, High No
CP-8 (3) Separation of primary / alternate providers High No
CP-8 (4) Provider contingency plan High No
CP-8 (5) Alternate telecommunication service testing No
CP-9 Information system backup P1 Low, Mod, High No
CP-9 (1) Testing for reliability / integrity Mod, High No
CP-9 (2) Test restoration using sampling High No
CP-9 (3) Separate storage for critical information High No
CP-9 (4) Protection from unauthorized modification In the specification
CP-9 (5) Transfer to alternate storage site High No
CP-9 (6) Redundant secondary system No
CP-9 (7) Dual authorization No
CP-10 Information system recovery and reconstitution P1 Low, Mod, High No
CP-10 (1) Contingency plan testing In the specification
CP-10 (2) Transaction recovery Mod, High No
CP-10 (3) Compensating security controls In the specification
CP-10 (4) Restore within time period High No
CP-10 (5) Failover capability In the specification
CP-10 (6) Component protection No
CP-11 Alternate communications protocols P0 No
CP-12 Safe mode P0 No
CP-13 Alternative security mechanisms P0 No
IA-1 Identification and authentication policy and procedures P1 Low, Mod, High No
IA-2 Identification and authentication (organizational users) P1 Low, Mod, High No
IA-2 (1) Network access to privileged accounts Low, Mod, High No
IA-2 (2) Network access to non-privileged accounts Mod, High No
IA-2 (3) Local access to privileged accounts Mod, High No
IA-2 (4) Local access to non-privileged accounts High No
IA-2 (5) Group authentication No
IA-2 (6) Network access to privileged accounts - separate device No
IA-2 (7) Network access to non-privileged accounts - separate device No
IA-2 (8) Network access to privileged accounts - replay resistant Mod, High No
IA-2 (9) Network access to non-privileged accounts - replay resistant High No
IA-2 (10) Single sign-on No
IA-2 (11) Remote access - separate device Mod, High No
IA-2 (12) Acceptance of PIV credentials Low, Mod, High No
IA-2 (13) Out-of-band authentication No
IA-3 Device identification and authentication P1 Mod, High No
IA-3 (1) Cryptographic bidirectional authentication No
IA-3 (2) Cryptographic bidirectional network authentication In the specification
IA-3 (3) Dynamic address allocation No
IA-3 (4) Device attestation No
IA-4 Identifier management P1 Low, Mod, High No
IA-4 (1) Prohibit account identifiers as public identifiers No
IA-4 (2) Supervisor authorization No
IA-4 (3) Multiple forms of certification No
IA-4 (4) Identify user status No
IA-4 (5) Dynamic management No
IA-4 (6) Cross-organization management No
IA-4 (7) In-person registration No
IA-5 Authenticator management P1 Low, Mod, High No
IA-5 (1) Password-based authentication Low, Mod, High No
IA-5 (2) PKI-based authentication Mod, High No
IA-5 (3) In-person or trusted third-party registration Mod, High No
IA-5 (4) Automated support for password strength determination No
IA-5 (5) Change authenticators prior to delivery No
IA-5 (6) Protection of authenticators No
IA-5 (7) No embedded unencrypted static authenticators No
IA-5 (8) Multiple information system accounts No
IA-5 (9) Cross-organization credential management No
IA-5 (10) Dynamic credential association No
IA-5 (11) Hardware token-based authentication Low, Mod, High No
IA-5 (12) Biometric-based authentication No
IA-5 (13) Expiration of cached authenticators No
IA-5 (14) Managing content of PKI trust stores No
IA-5 (15) FICAM-approved products and services No
IA-6 Authenticator feedback P2 Low, Mod, High No
IA-7 Cryptographic module authentication P1 Low, Mod, High No
IA-8 Identification and authentication (non-organizational users) P1 Low, Mod, High No
IA-8 (1) Acceptance of PIV credentials from other agencies Low, Mod, High No
IA-8 (2) Acceptance of third-party credentials Low, Mod, High No
IA-8 (3) Use of FICAM-approved products Low, Mod, High No
IA-8 (4) Use of FICAM-issued profiles Low, Mod, High No
IA-8 (5) Acceptance of PIV-I credentials No
IA-9 Service identification and authentication P0 No
IA-9 (1) Information exchange No
IA-9 (2) Transmission of decisions No
IA-10 Adaptive identification and authentication P0 No
IA-11 Re-authentication P0 No
IR-1 Incident response policy and procedures P1 Low, Mod, High No
IR-2 Incident response training P2 Low, Mod, High No
IR-2 (1) Simulated events High No
IR-2 (2) Automated training environments High No
IR-3 Incident response testing P2 Mod, High No
IR-3 (1) Automated testing No
IR-3 (2) Coordination with related plans Mod, High No
IR-4 Incident handling P1 Low, Mod, High No
IR-4 (1) Automated incident handling processes Mod, High No
IR-4 (2) Dynamic reconfiguration No
IR-4 (3) Continuity of operations No
IR-4 (4) Information correlation High No
IR-4 (5) Automatic disabling of information system No
IR-4 (6) Insider threats - specific capabilities No
IR-4 (7) Insider threats - intra-organization coordination No
IR-4 (8) Correlation with external organizations No
IR-4 (9) Dynamic response capability No
IR-4 (10) Supply chain coordination No
IR-5 Incident monitoring P1 Low, Mod, High No
IR-5 (1) Automated tracking / data collection / analysis High No
IR-6 Incident reporting P1 Low, Mod, High No
IR-6 (1) Automated reporting Mod, High No
IR-6 (2) Vulnerabilities related to incidents No
IR-6 (3) Coordination with supply chain No
IR-7 Incident response assistance P2 Low, Mod, High No
IR-7 (1) Automation support for availability of information / support Mod, High No
IR-7 (2) Coordination with external providers No
IR-8 Incident response plan P1 Low, Mod, High No
IR-9 Information spillage response P0 No
IR-9 (1) Responsible personnel No
IR-9 (2) Training No
IR-9 (3) Post-spill operations No
IR-9 (4) Exposure to unauthorized personnel No
IR-10 Integrated information security analysis team P0 No
MA-1 System maintenance policy and procedures P1 Low, Mod, High No
MA-2 Controlled maintenance P2 Low, Mod, High No
MA-2 (1) Record content In the specification
MA-2 (2) Automated maintenance activities High No
MA-3 Maintenance tools P3 Mod, High No
MA-3 (1) Inspect tools Mod, High No
MA-3 (2) Inspect media Mod, High No
MA-3 (3) Prevent unauthorized removal High No
MA-3 (4) Restricted tool use No
MA-4 Nonlocal maintenance P2 Low, Mod, High No
MA-4 (1) Auditing and review No
MA-4 (2) Document nonlocal maintenance Mod, High No
MA-4 (3) Comparable security / sanitization High No
MA-4 (4) Authentication / separation of maintenance sessions No
MA-4 (5) Approvals and notifications No
MA-4 (6) Cryptographic protection No
MA-4 (7) Remote disconnect verification No
MA-5 Maintenance personnel P2 Low, Mod, High No
MA-5 (1) Individuals without appropriate access High No
MA-5 (2) Security clearances for classified systems No
MA-5 (3) Citizenship requirements for classified systems No
MA-5 (4) Foreign nationals No
MA-5 (5) Nonsystem-related maintenance No
MA-6 Timely maintenance P2 Mod, High No
MA-6 (1) Preventive maintenance No
MA-6 (2) Predictive maintenance No
MA-6 (3) Automated support for predictive maintenance No
MP-1 Media protection policy and procedures P1 Low, Mod, High No
MP-2 Media access P1 Low, Mod, High No
MP-2 (1) Automated restricted access In the specification
MP-2 (2) Cryptographic protection In the specification
MP-3 Media marking P2 Mod, High No
MP-4 Media storage P1 Mod, High No
MP-4 (1) Cryptographic protection In the specification
MP-4 (2) Automated restricted access No
MP-5 Media transport P1 Mod, High No
MP-5 (1) Protection outside of controlled areas In the specification
MP-5 (2) Documentation of activities In the specification
MP-5 (3) Custodians No
MP-5 (4) Cryptographic protection Mod, High No
MP-6 Media sanitization P1 Low, Mod, High No
MP-6 (1) Review / approve / track / document / verify High No
MP-6 (2) Equipment testing High No
MP-6 (3) Nondestructive techniques High No
MP-6 (4) Controlled unclassified information In the specification
MP-6 (5) Classified information In the specification
MP-6 (6) Media destruction In the specification
MP-6 (7) Dual authorization No
MP-6 (8) Remote purging / wiping of information No
MP-7 Media use P1 Low, Mod, High No
MP-7 (1) Prohibit use without owner Mod, High No
MP-7 (2) Prohibit use of sanitization-resistant media No
MP-8 Media downgrading P0 No
MP-8 (1) Documentation of process No
MP-8 (2) Equipment testing No
MP-8 (3) Controlled unclassified information No
MP-8 (4) Classified information No
PE-1 Physical and environmental protection policy and procedures P1 Low, Mod, High No
PE-2 Physical access authorizations P1 Low, Mod, High No
PE-2 (1) Access by position / role No
PE-2 (2) Two forms of identification No
PE-2 (3) Restrict unescorted access No
PE-3 Physical access control P1 Low, Mod, High No
PE-3 (1) Information system access High No
PE-3 (2) Facility / information system boundaries No
PE-3 (3) Continuous guards / alarms / monitoring No
PE-3 (4) Lockable casings No
PE-3 (5) Tamper protection No
PE-3 (6) Facility penetration testing No
PE-4 Access control for transmission medium P1 Mod, High No
PE-5 Access control for output devices P2 Mod, High No
PE-5 (1) Access to output by authorized individuals No
PE-5 (2) Access to output by individual identity No
PE-5 (3) Marking output devices No
PE-6 Monitoring physical access P1 Low, Mod, High No
PE-6 (1) Intrusion alarms / surveillance equipment Mod, High No
PE-6 (2) Automated intrusion recognition / responses No
PE-6 (3) Video surveillance No
PE-6 (4) Monitoring physical access to information systems High No
PE-7 Visitor control In the specification
PE-8 Visitor access records P3 Low, Mod, High No
PE-8 (1) Automated records maintenance / review High No
PE-8 (2) Physical access records In the specification
PE-9 Power equipment and cabling P1 Mod, High No
PE-9 (1) Redundant cabling No
PE-9 (2) Automatic voltage controls No
PE-10 Emergency shutoff P1 Mod, High No
PE-10 (1) Accidental / unauthorized activation In the specification
PE-11 Emergency power P1 Mod, High No
PE-11 (1) Long-term alternate power supply - minimal operational capability High No
PE-11 (2) Long-term alternate power supply - self-contained No
PE-12 Emergency lighting P1 Low, Mod, High No
PE-12 (1) Essential missions / business functions No
PE-13 Fire protection P1 Low, Mod, High No
PE-13 (1) Detection devices / systems High No
PE-13 (2) Suppression devices / systems High No
PE-13 (3) Automatic fire suppression Mod, High No
PE-13 (4) Inspections No
PE-14 Temperature and humidity controls P1 Low, Mod, High No
PE-14 (1) Automatic controls No
PE-14 (2) Monitoring with alarms / notifications No
PE-15 Water damage protection P1 Low, Mod, High No
PE-15 (1) Automation support High No
PE-16 Delivery and removal P2 Low, Mod, High No
PE-17 Alternate work site P2 Mod, High No
PE-18 Location of information system components P3 High No
PE-18 (1) Facility site No
PE-19 Information leakage P0 No
PE-19 (1) National emissions / TEMPEST policies and procedures No
PE-20 Asset monitoring and tracking P0 No
PL-1 Security planning policy and procedures P1 Low, Mod, High No
PL-2 System security plan P1 Low, Mod, High No
PL-2 (1) Concept of operations In the specification
PL-2 (2) Functional architecture In the specification
PL-2 (3) Plan / coordinate with other organizational entities Mod, High No
PL-3 System security plan update In the specification
PL-4 Rules of behavior P2 Low, Mod, High No
PL-4 (1) Social media and networking restrictions Mod, High No
PL-5 Privacy impact assessment In the specification
PL-6 Security-related activity planning In the specification
PL-7 Security concept of operations P0 No
PL-8 Information security architecture P1 Mod, High No
PL-8 (1) Defense-in-depth No
PL-8 (2) Supplier diversity No
PL-9 Central management P0 No
PM-1 Information security program plan No
PM-2 Senior information security officer No
PM-3 Information security resources No
PM-4 Plan of action and milestones process No
PM-5 Information system inventory No
PM-6 Information security measures of performance No
PM-7 Enterprise architecture No
PM-8 Critical infrastructure plan No
PM-9 Risk management strategy No
PM-10 Security authorization process No
PM-11 Mission/business process definition No
PM-12 Insider threat program No
PM-13 Information security workforce No
PM-14 Testing, training, and monitoring No
PM-15 Contacts with security groups and associations No
PM-16 Threat awareness program No
PS-1 Personnel security policy and procedures P1 Low, Mod, High No
PS-2 Position risk designation P1 Low, Mod, High No
PS-3 Personnel screening P1 Low, Mod, High No
PS-3 (1) Classified information No
PS-3 (2) Formal indoctrination No
PS-3 (3) Information with special protection measures No
PS-4 Personnel termination P1 Low, Mod, High No
PS-4 (1) Post-employment requirements No
PS-4 (2) Automated notification High No
PS-5 Personnel transfer P2 Low, Mod, High No
PS-6 Access agreements P3 Low, Mod, High No
PS-6 (1) Information requiring special protection In the specification
PS-6 (2) Classified information requiring special protection No
PS-6 (3) Post-employment requirements No
PS-7 Third-party personnel security P1 Low, Mod, High No
PS-8 Personnel sanctions P3 Low, Mod, High No
RA-1 Risk assessment policy and procedures P1 Low, Mod, High No
RA-2 Security categorization P1 Low, Mod, High No
RA-3 Risk assessment P1 Low, Mod, High No
RA-4 Risk assessment update In the specification
RA-5 Vulnerability scanning P1 Low, Mod, High No
RA-5 (1) Update tool capability Mod, High No
RA-5 (2) Update by frequency / prior to new scan / when identified Mod, High No
RA-5 (3) Breadth / depth of coverage No
RA-5 (4) Discoverable information High No
RA-5 (5) Privileged access Mod, High No
RA-5 (6) Automated trend analyses No
RA-5 (7) Automated detection and notification of unauthorized components In the specification
RA-5 (8) Review historic audit logs No
RA-5 (9) Penetration testing and analyses In the specification
RA-5 (10) Correlate scanning information No
RA-6 Technical surveillance countermeasures survey P0 No
SA-1 System and services acquisition policy and procedures P1 Low, Mod, High No
SA-2 Allocation of resources P1 Low, Mod, High No
SA-3 System development life cycle P1 Low, Mod, High No
SA-4 Acquisition process P1 Low, Mod, High No
SA-4 (1) Functional properties of security controls Mod, High No
SA-4 (2) Design / implementation information for security controls Mod, High No
SA-4 (3) Development methods / techniques / practices No
SA-4 (4) Assignment of components to systems In the specification
SA-4 (5) System / component / service configurations No
SA-4 (6) Use of information assurance products No
SA-4 (7) NIAP-approved protection profiles No
SA-4 (8) Continuous monitoring plan No
SA-4 (9) Functions / ports / protocols / services in use Mod, High No
SA-4 (10) Use of approved PIV products Low, Mod, High No
SA-5 Information system documentation P2 Low, Mod, High No
SA-5 (1) Functional properties of security controls In the specification
SA-5 (2) Security-relevant external system interfaces In the specification
SA-5 (3) High-level design In the specification
SA-5 (4) Low-level design In the specification
SA-5 (5) Source code In the specification
SA-6 Software usage restrictions In the specification
SA-7 User-installed software In the specification
SA-8 Security engineering principles P1 Mod, High No
SA-9 External information system services P1 Low, Mod, High No
SA-9 (1) Risk assessments / organizational approvals No
SA-9 (2) Identification of functions / ports / protocols / services Mod, High No
SA-9 (3) Establish / maintain trust relationship with providers No
SA-9 (4) Consistent interests of consumers and providers No
SA-9 (5) Processing, storage, and service location No
SA-10 Developer configuration management P1 Mod, High No
SA-10 (1) Software / firmware integrity verification No
SA-10 (2) Alternative configuration management processes No
SA-10 (3) Hardware integrity verification No
SA-10 (4) Trusted generation No
SA-10 (5) Mapping integrity for version control No
SA-10 (6) Trusted distribution No
SA-11 Developer security testing and evaluation P1 Mod, High No
SA-11 (1) Static code analysis No
SA-11 (2) Threat and vulnerability analyses No
SA-11 (3) Independent verification of assessment plans / evidence No
SA-11 (4) Manual code reviews No
SA-11 (5) Penetration testing No
SA-11 (6) Attack surface reviews No
SA-11 (7) Verify scope of testing / evaluation No
SA-11 (8) Dynamic code analysis No
SA-12 Supply chain protection P1 High No
SA-12 (1) Acquisition strategies / tools / methods No
SA-12 (2) Supplier reviews No
SA-12 (3) Trusted shipping and warehousing In the specification
SA-12 (4) Diversity of suppliers In the specification
SA-12 (5) Limitation of harm No
SA-12 (6) Minimizing procurement time In the specification
SA-12 (7) Assessments prior to selection / acceptance / update No
SA-12 (8) Use of all-source intelligence No
SA-12 (9) Operations security No
SA-12 (10) Validate as genuine and not altered No
SA-12 (11) Penetration testing / analysis of elements, processes, and actors No
SA-12 (12) Inter-organizational agreements No
SA-12 (13) Critical information system components No
SA-12 (14) Identity and traceability No
SA-12 (15) Processes to address weaknesses or deficiencies No
SA-13 Trustworthiness P0 No
SA-14 Criticality analysis P0 No
SA-14 (1) Critical components with no viable alternative sourcing In the specification
SA-15 Development process, standards, and tools P2 High No
SA-15 (1) Quality metrics No
SA-15 (2) Security tracking tools No
SA-15 (3) Criticality analysis No
SA-15 (4) Threat modeling / vulnerability analysis No
SA-15 (5) Attack surface reduction No
SA-15 (6) Continuous improvement No
SA-15 (7) Automated vulnerability analysis No
SA-15 (8) Reuse of threat / vulnerability information No
SA-15 (9) Use of live data No
SA-15 (10) Incident response plan No
SA-15 (11) Archive information system / component No
SA-16 Developer-provided training P2 High No
SA-17 Developer security architecture and design P1 High No
SA-17 (1) Formal policy model No
SA-17 (2) Security-relevant components No
SA-17 (3) Formal correspondence No
SA-17 (4) Informal correspondence No
SA-17 (5) Conceptually simple design No
SA-17 (6) Structure for testing No
SA-17 (7) Structure for least privilege No
SA-18 Tamper resistance and detection P0 No
SA-18 (1) Multiple phases of SDLC No
SA-18 (2) Inspection of information systems, components, or devices No
SA-19 Component authenticity P0 No
SA-19 (1) Anti-counterfeit training No
SA-19 (2) Configuration control for component service / repair No
SA-19 (3) Component disposal No
SA-19 (4) Anti-counterfeit scanning No
SA-20 Customized development of critical components P0 No
SA-21 Developer screening P0 No
SA-21 (1) Validation of screening No
SA-22 Unsupported system components P0 No
SA-22 (1) Alternative sources for continued support No
SC-1 System and communications protection policy and procedures P1 Low, Mod, High No
SC-2 Application partitioning P1 Mod, High No
SC-2 (1) Interfaces for non-privileged users No
SC-3 Security function isolation P1 High No
SC-3 (1) Hardware separation No
SC-3 (2) Access / flow control functions No
SC-3 (3) Minimize nonsecurity functionality No
SC-3 (4) Module coupling and cohesiveness No
SC-3 (5) Layered structures No
SC-4 Information in shared resources P1 Mod, High No
SC-4 (1) Security levels In the specification
SC-4 (2) Periods processing No
SC-5 Denial of service protection P1 Low, Mod, High No
SC-5 (1) Restrict internal users No
SC-5 (2) Excess capacity / bandwidth / redundancy No
SC-5 (3) Detection / monitoring No
SC-6 Resource availability P0 No
SC-7 Boundary protection P1 Low, Mod, High No
SC-7 (1) Physically separated subnetworks In the specification
SC-7 (2) Public access In the specification
SC-7 (3) Access points Mod, High No
SC-7 (4) External telecommunications services Mod, High No
SC-7 (5) Deny by default / allow by exception Mod, High No
SC-7 (6) Response to recognized failures In the specification
SC-7 (7) Prevent split tunneling for remote devices Mod, High No
SC-7 (8) Route traffic to authenticated proxy servers High No
SC-7 (9) Restrict threatening outgoing communications traffic No
SC-7 (10) Prevent unauthorized exfiltration No
SC-7 (11) Restrict incoming communications traffic No
SC-7 (12) Host-based protection No
SC-7 (13) Isolation of security tools / mechanisms / support components No
SC-7 (14) Protects against unauthorized physical connections No
SC-7 (15) Route privileged network accesses No
SC-7 (16) Prevent discovery of components / devices No
SC-7 (17) Automated enforcement of protocol formats No
SC-7 (18) Fail secure High No
SC-7 (19) Blocks communication from non-organizationally configured hosts No
SC-7 (20) Dynamic isolation / segregation No
SC-7 (21) Isolation of information system components High No
SC-7 (22) Separate subnets for connecting to different security domains No
SC-7 (23) Disable sender feedback on protocol validation failure No
SC-8 Transmission confidentiality and integrity P1 Mod, High No
SC-8 (1) Cryptographic or alternate physical protection Mod, High No
SC-8 (2) Pre / post transmission handling No
SC-8 (3) Cryptographic protection for message externals No
SC-8 (4) Conceal / randomize communications No
SC-9 Transmission confidentiality In the specification
SC-10 Network disconnect P2 Mod, High No
SC-11 Trusted path P0 No
SC-11 (1) Logical isolation No
SC-12 Cryptographic key establishment and management P1 Low, Mod, High No
SC-12 (1) Availability High No
SC-12 (2) Symmetric keys No
SC-12 (3) Asymmetric keys No
SC-12 (4) PKI certificates In the specification
SC-12 (5) PKI certificates / hardware tokens In the specification
SC-13 Cryptographic protection P1 Low, Mod, High No
SC-13 (1) FIPS-validated cryptography In the specification
SC-13 (2) NSA-approved cryptography In the specification
SC-13 (3) Individuals without formal access approvals In the specification
SC-13 (4) Digital signatures In the specification
SC-14 Public access protections In the specification
SC-15 Collaborative computing devices P1 Low, Mod, High No
SC-15 (1) Physical disconnect No
SC-15 (2) Blocking inbound / outbound communications traffic In the specification
SC-15 (3) Disabling / removal in secure work areas No
SC-15 (4) Explicitly indicate current participants No
SC-16 Transmission of security attributes P0 No
SC-16 (1) Integrity validation No
SC-17 Public key infrastructure certificates P1 Mod, High No
SC-18 Mobile code P2 Mod, High No
SC-18 (1) Identify unacceptable code / take corrective actions No
SC-18 (2) Acquisition / development / use No
SC-18 (3) Prevent downloading / execution No
SC-18 (4) Prevent automatic execution No
SC-18 (5) Allow execution only in confined environments No
SC-19 Voice over Internet Protocol P1 Mod, High No
SC-20 Secure name / address resolution service (authoritative source) P1 Low, Mod, High No
SC-20 (1) Child subspaces In the specification
SC-20 (2) Data origin / integrity No
SC-21 Secure name / address resolution service (recursive or caching resolver) P1 Low, Mod, High No
SC-21 (1) Data origin / integrity In the specification
SC-22 Architecture and provisioning for name / address resolution service P1 Low, Mod, High No
SC-23 Session authenticity P1 Mod, High No
SC-23 (1) Invalidate session identifiers at logout No
SC-23 (2) User-initiated logouts / message displays In the specification
SC-23 (3) Unique session identifiers with randomization No
SC-23 (4) Unique session identifiers with randomization In the specification
SC-23 (5) Allowed certificate authorities No
SC-24 Fail in known state P1 High No
SC-25 Thin nodes P0 No
SC-26 Honeypots P0 No
SC-26 (1) Detection of malicious code In the specification
SC-27 Platform-independent applications P0 No
SC-28 Protection of information at rest P1 Mod, High No
SC-28 (1) Cryptographic protection No
SC-28 (2) Off-line storage No
SC-29 Heterogeneity P0 No
SC-29 (1) Virtualization techniques No
SC-30 Concealment and misdirection P0 No
SC-30 (1) Virtualization techniques In the specification
SC-30 (2) Randomness No
SC-30 (3) Change processing / storage locations No
SC-30 (4) Misleading information No
SC-30 (5) Concealment of system components No
SC-31 Covert channel analysis P0 No
SC-31 (1) Test covert channels for exploitability No
SC-31 (2) Maximum bandwidth No
SC-31 (3) Measure bandwidth in operational environments No
SC-32 Information system partitioning P0 No
SC-33 Transmission preparation integrity In the specification
SC-34 Non-modifiable executable programs P0 No
SC-34 (1) No writable storage No
SC-34 (2) Integrity protection / read-only media No
SC-34 (3) Hardware-based protection No
SC-35 Honeyclients P0 No
SC-36 Distributed processing and storage P0 No
SC-36 (1) Polling techniques No
SC-37 Out-of-band channels P0 No
SC-37 (1) Ensure delivery / transmission No
SC-38 Operations security P0 No
SC-39 Process isolation P1 Low, Mod, High No
SC-39 (1) Hardware separation No
SC-39 (2) Thread isolation No
SC-40 Wireless link protection P0 No
SC-40 (1) Electromagnetic interference No
SC-40 (2) Reduce detection potential No
SC-40 (3) Imitative or manipulative communications deception No
SC-40 (4) Signal parameter identification No
SC-41 Port and I/O device access P0 No
SC-42 Sensor capability and data P0 No
SC-42 (1) Reporting to authorized individuals or roles No
SC-42 (2) Authorized use No
SC-42 (3) Prohibit use of devices No
SC-43 Usage restrictions P0 No
SC-44 Detonation chambers P0 No
SI-1 System and information integrity policy and procedures P1 Low, Mod, High No
SI-2 Flaw remediation P1 Low, Mod, High No
SI-2 (1) Central management High No
SI-2 (2) Automated flaw remediation status Mod, High No
SI-2 (3) Time to remediate flaws / benchmarks for corrective actions No
SI-2 (4) Automated patch management tools In the specification
SI-2 (5) Automatic software / firmware updates No
SI-2 (6) Removal of previous versions of software / firmware No
SI-3 Malicious code protection P1 Low, Mod, High No
SI-3 (1) Central management Mod, High No
SI-3 (2) Automatic updates Mod, High No
SI-3 (3) Non-privileged users In the specification
SI-3 (4) Updates only by privileged users No
SI-3 (5) Portable storage devices In the specification
SI-3 (6) Testing / verification No
SI-3 (7) Nonsignature-based detection No
SI-3 (8) Detect unauthorized commands No
SI-3 (9) Authenticate remote commands No
SI-3 (10) Malicious code analysis No
SI-4 Information system monitoring P1 Low, Mod, High No
SI-4 (1) System-wide intrusion detection system No
SI-4 (2) Automated tools for real-time analysis Mod, High No
SI-4 (3) Automated tool integration No
SI-4 (4) Inbound and outbound communications traffic Mod, High No
SI-4 (5) System-generated alerts Mod, High No
SI-4 (6) Restrict non-privileged users In the specification
SI-4 (7) Automated response to suspicious events No
SI-4 (8) Protection of monitoring information In the specification
SI-4 (9) Testing of monitoring tools No
SI-4 (10) Visibility of encrypted communications No
SI-4 (11) Analyze communications traffic anomalies No
SI-4 (12) Automated alerts No
SI-4 (13) Analyze traffic / event patterns No
SI-4 (14) Wireless intrusion detection No
SI-4 (15) Wireless to wireline communications No
SI-4 (16) Correlate monitoring information No
SI-4 (17) Integrated situational awareness No
SI-4 (18) Analyze traffic / covert exfiltration No
SI-4 (19) Individuals posing greater risk No
SI-4 (20) Privileged users No
SI-4 (21) Probationary periods No
SI-4 (22) Unauthorized network services No
SI-4 (23) Host-based devices No
SI-4 (24) Indicators of compromise No
SI-5 Security alerts, advisories, and directives P1 Low, Mod, High No
SI-5 (1) Automated alerts and advisories High No
SI-6 Security function verification P1 High No
SI-6 (1) Notification of failed security tests In the specification
SI-6 (2) Automation support for distributed testing No
SI-6 (3) Report verification results No
SI-7 Software, firmware, and information integrity P1 Mod, High No
SI-7 (1) Integrity checks Mod, High No
SI-7 (2) Automated notifications of integrity violations High No
SI-7 (3) Centrally-managed integrity tools No
SI-7 (4) Tamper-evident packaging In the specification
SI-7 (5) Automated response to integrity violations High No
SI-7 (6) Cryptographic protection No
SI-7 (7) Integration of detection and response Mod, High No
SI-7 (8) Auditing capability for significant events No
SI-7 (9) Verify boot process No
SI-7 (10) Protection of boot firmware No
SI-7 (11) Confined environments with limited privileges No
SI-7 (12) Integrity verification No
SI-7 (13) Code execution in protected environments No
SI-7 (14) Binary or machine executable code High No
SI-7 (15) Code authentication No
SI-7 (16) Time limit on process execution w/o supervision No
SI-8 Spam protection P2 Mod, High No
SI-8 (1) Central management Mod, High No
SI-8 (2) Automatic updates Mod, High No
SI-8 (3) Continuous learning capability No
SI-9 Information input restrictions In the specification
SI-10 Information input validation P1 Mod, High No
SI-10 (1) Manual override capability No
SI-10 (2) Review / resolution of errors No
SI-10 (3) Predictable behavior No
SI-10 (4) Review / timing interactions No
SI-10 (5) Restrict inputs to trusted sources and approved formats No
SI-11 Error handling P2 Mod, High No
SI-12 Information handling and retention P2 Low, Mod, High No
SI-13 Predictable failure prevention P0 No
SI-13 (1) Transferring component responsibilities No
SI-13 (2) Time limit on process execution without supervision In the specification
SI-13 (3) Manual transfer between components No
SI-13 (4) Standby component installation / notification No
SI-13 (5) Failover capability No
SI-14 Non-persistence P0 No
SI-14 (1) Refresh from trusted sources No
SI-15 Information output filtering P0 No
SI-16 Memory protection P1 Mod, High No
SI-17 Fail-safe procedures P0 No