NIST Cybersecurity Framework Core: Functions, Categories, Subcategories and NIST SP 800-53 informative references

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
  - Physical devices and systems within the organization are inventoried  [CM-8, PM-5]
  - Software platforms and applications within the organization are inventoried  [CM-8, PM-5]
  - Organizational communication and data flows are mapped  [AC-4, CA-3, CA-9, PL-8]
  - External information systems are catalogued  [AC-20, SA-9]
  - Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value  [CP-2, RA-2, SA-14, SC-6]
  - Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established  [CP-2, PS-7, PM-11]

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
  - The organization’s role in the supply chain is identified and communicated  [CP-2, SA-12]
  - The organization’s place in critical infrastructure and its industry sector is identified and communicated  [PM-8]
  - Priorities for organizational mission, objectives, and activities are established and communicated  [PM-11, SA-14]
  - Dependencies and critical functions for delivery of critical services are established  [CP-8, PE-9, PE-11, PM-8, SA-14]
  - Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)  [CP-2, CP-11, SA-13, SA-14]

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
  - Organizational cybersecurity policy is established and communicated  [AC-1, AU-1, AT-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PS-1, PE-1, PL-1, PM-1, RA-1, CA-1, SC-1, SI-1, SA-1]
  - Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners  [PS-7, PM-1, PM-2]
  - Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed  [AC-1, AU-1, AT-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PS-1, PE-1, PL-1, PM-1, RA-1, CA-1, SC-1, SI-1, SA-1]
  - Governance and risk management processes address cybersecurity risks  [SA-2, PM-3, PM-7, PM-9, PM-10, PM-11]

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  - Asset vulnerabilities are identified and documented  [CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5]
  - Cyber threat intelligence is received from information sharing forums and sources  [SI-5, PM-15, PM-16]
  - Threats, both internal and external, are identified and documented  [RA-3, SI-5, PM-12, PM-16]
  - Potential business impacts and likelihoods are identified  [RA-2, RA-3, SA-14, PM-9, PM-11]
  - Threats, vulnerabilities, likelihoods, and impacts are used to determine risk  [RA-2, RA-3, PM-16]
  - Risk responses are identified and prioritized  [PM-4, PM-9]

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
  - Risk management processes are established, managed, and agreed to by organizational stakeholders  [PM-9]
  - Organizational risk tolerance is determined and clearly expressed  [PM-9]
  - The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis  [SA-14, PM-8, PM-9, PM-11]

Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
  - Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders  [SA-9, SA-12, PM-9]
  - Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process  [RA-2, RA-3, SA-12, SA-14, SA-15, PM-9]
  - Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan  [SA-9, SA-11, SA-12, PM-9]
  - Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations  [AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SA-12]
  - Response and recovery planning and testing are conducted with suppliers and third-party providers  [CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9]

PROTECT (PR)

Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
  - Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes  [AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11]
  - Physical access to assets is managed and protected  [PE-2, PE-3, PE-4, PE-5, PE-6, PE-8]
  - Remote access is managed  [AC-1, AC-17, AC-19, AC-20, SC-15]
  - Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties  [AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24]
  - Network integrity is protected (e.g., network segregation, network segmentation)  [AC-4, AC-10, SC-7]
  - Identities are proofed and bound to credentials and asserted in interactions  [AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3]
  - Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)  [AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11]

Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
  - All users are informed and trained  [AT-2, PM-13]
  - Privileged users understand their roles and responsibilities  [AT-3, PM-13]
  - Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities  [PS-7, SA-9, SA-16]
  - Senior executives understand their roles and responsibilities  [AT-3, PM-13]
  - Physical and cybersecurity personnel understand their roles and responsibilities  [AT-3, IR-2, PM-13]

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
  - Data-at-rest is protected  [MP-8, SC-12, SC-28]
  - Data-in-transit is protected  [SC-8, SC-11, SC-12]
  - Assets are formally managed throughout removal, transfers, and disposition  [CM-8, MP-6, PE-16]
  - Adequate capacity to ensure availability is maintained  [AU-4, CP-2, SC-5]
  - Protections against data leaks are implemented  [AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4]
  - Integrity checking mechanisms are used to verify software, firmware, and information integrity  [SC-16, SI-7]
  - The development and testing environment(s) are separate from the production environment  [CM-2]
  - Integrity checking mechanisms are used to verify hardware integrity  [SA-10, SI-7]

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
  - A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality)  [CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10]
  - Response and recovery plans are tested  [CP-4, IR-3, PM-14]
  - Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)  [PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-21]
  - A vulnerability management plan is developed and implemented  [RA-3, RA-5, SI-2]
  - A System Development Life Cycle to manage systems is implemented  [PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, SI-12, SI-13, SI-14, SI-16, SI-17]
  - Configuration change control processes are in place  [CM-3, CM-4, SA-10]
  - Backups of information are conducted, maintained, and tested  [CP-4, CP-6, CP-9]
  - Policy and regulations regarding the physical operating environment for organizational assets are met  [PE-10, PE-12, PE-13, PE-14, PE-15, PE-18]
  - Data is destroyed according to policy  [MP-6]
  - Protection processes are improved  [CA-2, CA-7, CP-2, IR-8, PL-2, PM-6]
  - Effectiveness of protection technologies is shared  [AC-21, CA-7, SI-4]
  - Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed  [CP-2, CP-7, CP-12, CP-13, IR-7, IR-8, IR-9, PE-17]

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
  - Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools  [MA-2, MA-3, MA-5, MA-6]
  - Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access  [MA-4]

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
  - Audit/log records are determined, documented, implemented, and reviewed in accordance with policy  [AU-1, AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-8, AU-9, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-16]
  - Removable media is protected and its use restricted according to policy  [MP-2, MP-3, MP-4, MP-5, MP-7, MP-8]
  - The principle of least functionality is incorporated by configuring systems to provide only essential capabilities  [AC-3, CM-7]
  - Communications and control networks are protected  [AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43]
  - Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations  [CP-7, CP-8, CP-11, CP-13, PL-8, SA-14, SC-6]

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood.
  - A baseline of network operations and expected data flows for users and systems is established and managed  [AC-4, CA-3, CM-2, SI-4]
  - Detected events are analyzed to understand attack targets and methods  [AU-6, CA-7, IR-4, SI-4]
  - Event data are collected and correlated from multiple sources and sensors  [AU-6, CA-7, IR-4, IR-5, IR-8, SI-4]
  - Impact of events is determined  [CP-2, IR-4, RA-3, SI-4]
  - Incident alert thresholds are established  [IR-4, IR-5, IR-8]

Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
  - The network is monitored to detect potential cybersecurity events  [AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4]
  - The physical environment is monitored to detect potential cybersecurity events  [CA-7, PE-3, PE-6, PE-20]
  - Personnel activity is monitored to detect potential cybersecurity events  [AC-2, AU-12, AU-13, CA-7, CM-10, CM-11]
  - Malicious code is detected  [SI-3, SI-8]
  - Unauthorized mobile code is detected  [SC-18, SI-4, SC-44]
  - External service provider activity is monitored to detect potential cybersecurity events  [CA-7, PS-7, SA-4, SA-9, SI-4]
  - Monitoring for unauthorized personnel, connections, devices, and software is performed  [AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4]
  - Vulnerability scans are performed  [RA-5]

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
  - Roles and responsibilities for detection are well defined to ensure accountability  [CA-2, CA-7, PM-14]
  - Detection activities comply with all applicable requirements  [AC-25, CA-2, CA-7, SA-18, SI-4, PM-14]
  - Detection processes are tested  [CA-2, CA-7, PE-3, SI-3, SI-4, PM-14]
  - Event detection information is communicated  [AU-6, CA-2, CA-7, RA-5, SI-4]
  - Detection processes are continuously improved  [CA-2, CA-7, PL-2, RA-5, SI-4, PM-14]

RESPOND (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
  - Response plan is executed during or after an incident  [CP-2, CP-10, IR-4, IR-8]

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g., external support from law enforcement agencies).
  - Personnel know their roles and order of operations when a response is needed  [CP-2, CP-3, IR-3, IR-8]
  - Incidents are reported consistent with established criteria  [AU-6, IR-6, IR-8]
  - Information is shared consistent with response plans  [CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4]
  - Coordination with stakeholders occurs consistent with response plans  [CP-2, IR-4, IR-8]
  - Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness  [SI-5, PM-15]

Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities.
  - Notifications from detection systems are investigated  [AU-6, CA-7, IR-4, IR-5, PE-6, SI-4]
  - The impact of the incident is understood  [CP-2, IR-4]
  - Forensics are performed  [AU-7, IR-4]
  - Incidents are categorized consistent with response plans  [CP-2, IR-4, IR-5, IR-8]
  - Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers)  [SI-5, PM-15]

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
  - Incidents are contained  [IR-4]
  - Incidents are mitigated  [IR-4]
  - Newly identified vulnerabilities are mitigated or documented as accepted risks  [CA-7, RA-3, RA-5]

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
  - Response plans incorporate lessons learned  [CP-2, IR-4, IR-8]
  - Response strategies are updated  [CP-2, IR-4, IR-8]

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
  - Recovery plan is executed during or after a cybersecurity incident  [CP-10, IR-4, IR-8]

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
  - Recovery plans incorporate lessons learned  [CP-2, IR-4, IR-8]
  - Recovery strategies are updated  [CP-2, IR-4, IR-8]

Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g., coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
  - Public relations are managed
  - Reputation is repaired after an incident
  - Recovery activities are communicated to internal and external stakeholders as well as executive and management teams  [CP-2, IR-4]


NIST SP 800-53 controls and control enhancements, by family. Each entry gives the control or enhancement name followed by its numeric code (1 to 4).

Access Control (AC)
  ACCESS CONTROL POLICY AND PROCEDURES  1
  ACCOUNT MANAGEMENT  1
  AUTOMATED SYSTEM ACCOUNT MANAGEMENT  2
  REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS  2
  DISABLE INACTIVE ACCOUNTS  2
  AUTOMATED AUDIT ACTIONS  2
  INACTIVITY LOGOUT  3
  DYNAMIC PRIVILEGE MANAGEMENT  4
  ROLE-BASED SCHEMES  4
  DYNAMIC ACCOUNT CREATION  4
  RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS  4
  SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION  4
  USAGE CONDITIONS  3
  ACCOUNT MONITORING / ATYPICAL USAGE  3
  DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS  3
  ACCESS ENFORCEMENT  1
  DUAL AUTHORIZATION  4
  MANDATORY ACCESS CONTROL  4
  DISCRETIONARY ACCESS CONTROL  4
  SECURITY-RELEVANT INFORMATION  4
  ROLE-BASED ACCESS CONTROL  4
  REVOCATION OF ACCESS AUTHORIZATIONS  4
  CONTROLLED RELEASE  4
  AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS  4
  INFORMATION FLOW ENFORCEMENT  2
  OBJECT SECURITY ATTRIBUTES  4
  PROCESSING DOMAINS  4
  DYNAMIC INFORMATION FLOW CONTROL  4
  CONTENT CHECK ENCRYPTED INFORMATION  4
  EMBEDDED DATA TYPES  4
  METADATA  4
  ONE-WAY FLOW MECHANISMS  4
  SECURITY POLICY FILTERS  4
  HUMAN REVIEWS  4
  ENABLE / DISABLE SECURITY POLICY FILTERS  4
  CONFIGURATION OF SECURITY POLICY FILTERS  4
  DATA TYPE IDENTIFIERS  4
  DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS  4
  SECURITY POLICY FILTER CONSTRAINTS  4
  DETECTION OF UNSANCTIONED INFORMATION  4
  DOMAIN AUTHENTICATION  4
  SECURITY ATTRIBUTE BINDING  4
  VALIDATION OF METADATA  4
  APPROVED SOLUTIONS  4
  PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS  4
  ACCESS ONLY  4
  SEPARATION OF DUTIES  2
  LEAST PRIVILEGE  2
  AUTHORIZE ACCESS TO SECURITY FUNCTIONS  2
  NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS  2
  NETWORK ACCESS TO PRIVILEGED COMMANDS  3
  SEPARATE PROCESSING DOMAINS  4
  PRIVILEGED ACCOUNTS  2
  PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS  4
  REVIEW OF USER PRIVILEGES  4
  PRIVILEGE LEVELS FOR CODE EXECUTION  4
  AUDITING USE OF PRIVILEGED FUNCTIONS  2
  PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS  2
  UNSUCCESSFUL LOGON ATTEMPTS  1
  PURGE / WIPE MOBILE DEVICE  4
  SYSTEM USE NOTIFICATION  1
  PREVIOUS LOGON (ACCESS) NOTIFICATION  4
  UNSUCCESSFUL LOGONS  4
  SUCCESSFUL / UNSUCCESSFUL LOGONS  4
  NOTIFICATION OF ACCOUNT CHANGES  4
  ADDITIONAL LOGON INFORMATION  4
  CONCURRENT SESSION CONTROL  3
  SESSION LOCK  2
  PATTERN-HIDING DISPLAYS  2
  SESSION TERMINATION  2
  USER-INITIATED LOGOUTS / MESSAGE DISPLAYS  4
  PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION  1
  SECURITY ATTRIBUTES  4
  DYNAMIC ATTRIBUTE ASSOCIATION  4
  ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS  4
  MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM  4
  ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS  4
  ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES  4
  MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION  4
  CONSISTENT ATTRIBUTE INTERPRETATION  4
  ASSOCIATION TECHNIQUES / TECHNOLOGIES  4
  ATTRIBUTE REASSIGNMENT  4
  ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS  4
  REMOTE ACCESS  1
  AUTOMATED MONITORING / CONTROL  2
  PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION  2
  MANAGED ACCESS CONTROL POINTS  2
  PRIVILEGED COMMANDS / ACCESS  2
  PROTECTION OF INFORMATION  4
  DISCONNECT / DISABLE ACCESS  4
  WIRELESS ACCESS  1
  AUTHENTICATION AND ENCRYPTION  2
  DISABLE WIRELESS NETWORKING  4
  RESTRICT CONFIGURATIONS BY USERS  3
  ANTENNAS / TRANSMISSION POWER LEVELS  3
  ACCESS CONTROL FOR MOBILE DEVICES  1
  RESTRICTIONS FOR CLASSIFIED INFORMATION  4
  FULL DEVICE / CONTAINER-BASED ENCRYPTION  2
  USE OF EXTERNAL INFORMATION SYSTEMS  1
  LIMITS ON AUTHORIZED USE  2
  PORTABLE STORAGE DEVICES  2
  NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES  4
  NETWORK ACCESSIBLE STORAGE DEVICES  4
  INFORMATION SHARING  2
  AUTOMATED DECISION SUPPORT  4
  INFORMATION SEARCH AND RETRIEVAL  4
  PUBLICLY ACCESSIBLE CONTENT  1
  DATA MINING PROTECTION  4
  ACCESS CONTROL DECISIONS  4
  TRANSMIT ACCESS AUTHORIZATION INFORMATION  4
  NO USER OR PROCESS IDENTITY  4
  REFERENCE MONITOR  4

Security Awareness and Training (AT)
  SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES  1
  SECURITY AWARENESS TRAINING  1
  PRACTICAL EXERCISES  4
  INSIDER THREAT  2
  ROLE-BASED SECURITY TRAINING  1
  ENVIRONMENTAL CONTROLS  4
  PHYSICAL SECURITY CONTROLS  4
  PRACTICAL EXERCISES  4
  SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR  4
  SECURITY TRAINING RECORDS  1

Audit and Accountability (AU)
  AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES  1
  AUDIT EVENTS  1
  REVIEWS AND UPDATES  2
  CONTENT OF AUDIT RECORDS  1
  ADDITIONAL AUDIT INFORMATION  2
  CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT  3
  AUDIT STORAGE CAPACITY  1
  TRANSFER TO ALTERNATE STORAGE  4
  RESPONSE TO AUDIT PROCESSING FAILURES  1
  AUDIT STORAGE CAPACITY  3
  REAL-TIME ALERTS  3
  CONFIGURABLE TRAFFIC VOLUME THRESHOLDS  4
  SHUTDOWN ON FAILURE  4
  AUDIT REVIEW, ANALYSIS, AND REPORTING  1
  PROCESS INTEGRATION  2
  CORRELATE AUDIT REPOSITORIES  2
  CENTRAL REVIEW AND ANALYSIS  4
  INTEGRATION / SCANNING AND MONITORING CAPABILITIES  3
  CORRELATION WITH PHYSICAL MONITORING  3
  PERMITTED ACTIONS  4
  FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS  4
  CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES  4
  AUDIT LEVEL ADJUSTMENT  4
  AUDIT REDUCTION AND REPORT GENERATION  2
  AUTOMATIC PROCESSING  2
  AUTOMATIC SORT AND SEARCH  4
  TIME STAMPS  1
  SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE  2
  SECONDARY AUTHORITATIVE TIME SOURCE  4
  PROTECTION OF AUDIT INFORMATION  1
  HARDWARE WRITE-ONCE MEDIA  4
  AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS  3
  CRYPTOGRAPHIC PROTECTION  3
  ACCESS BY SUBSET OF PRIVILEGED USERS  2
  DUAL AUTHORIZATION  4
  READ ONLY ACCESS  4
  NON-REPUDIATION  3
  ASSOCIATION OF IDENTITIES  4
  VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY  4
  CHAIN OF CUSTODY  4
  VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY  4
  AUDIT RECORD RETENTION  1
  LONG-TERM RETRIEVAL CAPABILITY  4
  AUDIT GENERATION  1
  SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL  3
  STANDARDIZED FORMATS  4
  CHANGES BY AUTHORIZED INDIVIDUALS  3
  MONITORING FOR INFORMATION DISCLOSURE  4
  USE OF AUTOMATED TOOLS  4
  REVIEW OF MONITORED SITES  4
  SESSION AUDIT  4
  SYSTEM START-UP  4
  CAPTURE/RECORD AND LOG CONTENT  4
  REMOTE VIEWING / LISTENING  4
  ALTERNATE AUDIT CAPABILITY  4
  CROSS-ORGANIZATIONAL AUDITING  4
  IDENTITY PRESERVATION  4
  SHARING OF AUDIT INFORMATION  4

Security Assessment and Authorization (CA)
  SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES  1
  SECURITY ASSESSMENTS  1
  INDEPENDENT ASSESSORS  2
  SPECIALIZED ASSESSMENTS  3
  EXTERNAL ORGANIZATIONS  4
  SYSTEM INTERCONNECTIONS  1
  UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS  4
  CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS  4
  UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS  4
  CONNECTIONS TO PUBLIC NETWORKS  4
  RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS  2
  PLAN OF ACTION AND MILESTONES  1
  AUTOMATION SUPPORT FOR ACCURACY / CURRENCY  4
  SECURITY AUTHORIZATION  1
  CONTINUOUS MONITORING  1
  INDEPENDENT ASSESSMENT  2
  TREND ANALYSES  4
  PENETRATION TESTING  3
  INDEPENDENT PENETRATION AGENT OR TEAM  4
  RED TEAM EXERCISES  4
  INTERNAL SYSTEM CONNECTIONS  1
  SECURITY COMPLIANCE CHECKS  4

Configuration Management (CM)
  CONFIGURATION MANAGEMENT POLICY AND PROCEDURES  1
  BASELINE CONFIGURATION  1
  REVIEWS AND UPDATES  2
  AUTOMATION SUPPORT FOR ACCURACY / CURRENCY  3
  RETENTION OF PREVIOUS CONFIGURATIONS  2
  DEVELOPMENT AND TEST ENVIRONMENTS  4
  CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS  2
  CONFIGURATION CHANGE CONTROL  2
  AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES  3
  TEST / VALIDATE / DOCUMENT CHANGES  2
  AUTOMATED CHANGE IMPLEMENTATION  4
  SECURITY REPRESENTATIVE  4
  AUTOMATED SECURITY RESPONSE  4
  CRYPTOGRAPHY MANAGEMENT  4
  SECURITY IMPACT ANALYSIS  1
  SEPARATE TEST ENVIRONMENTS  3
  VERIFICATION OF SECURITY FUNCTIONS  4
  ACCESS RESTRICTIONS FOR CHANGE  2
  AUTOMATED ACCESS ENFORCEMENT / AUDITING  3
  REVIEW SYSTEM CHANGES  3
  SIGNED COMPONENTS  3
  DUAL AUTHORIZATION  4
  LIMIT PRODUCTION / OPERATIONAL PRIVILEGES  4
  LIMIT LIBRARY PRIVILEGES  4
  CONFIGURATION SETTINGS  1
  AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION  3
  RESPOND TO UNAUTHORIZED CHANGES  3
  LEAST FUNCTIONALITY  1
  PERIODIC REVIEW  2
  PREVENT PROGRAM EXECUTION  2
  REGISTRATION COMPLIANCE  4
  UNAUTHORIZED SOFTWARE / BLACKLISTING  2
  AUTHORIZED SOFTWARE / WHITELISTING  3
  INFORMATION SYSTEM COMPONENT INVENTORY  1
  UPDATES DURING INSTALLATIONS / REMOVALS  2
  AUTOMATED MAINTENANCE  3
  AUTOMATED UNAUTHORIZED COMPONENT DETECTION  2
  ACCOUNTABILITY INFORMATION  3
  NO DUPLICATE ACCOUNTING OF COMPONENTS  2
  ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS  4
  CENTRALIZED REPOSITORY  4
  AUTOMATED LOCATION TRACKING  4
  ASSIGNMENT OF COMPONENTS TO SYSTEMS  4
  CONFIGURATION MANAGEMENT PLAN  2
  ASSIGNMENT OF RESPONSIBILITY  4
  SOFTWARE USAGE RESTRICTIONS  1
  OPEN SOURCE SOFTWARE  4
  USER-INSTALLED SOFTWARE  1
  ALERTS FOR UNAUTHORIZED INSTALLATIONS  4
  PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS  4

Contingency Planning (CP)
  CONTINGENCY PLANNING POLICY AND PROCEDURES  1
  CONTINGENCY PLAN  1
  COORDINATE WITH RELATED PLANS  2
  CAPACITY PLANNING  3
  RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS  2
  RESUME ALL MISSIONS / BUSINESS FUNCTIONS  3
  CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS  3
  ALTERNATE PROCESSING / STORAGE SITE  4
  COORDINATE WITH EXTERNAL SERVICE PROVIDERS  4
  IDENTIFY CRITICAL ASSETS  2
  CONTINGENCY TRAINING  1
  SIMULATED EVENTS  3
  AUTOMATED TRAINING ENVIRONMENTS  4
  CONTINGENCY PLAN TESTING  1
  COORDINATE WITH RELATED PLANS  2
  ALTERNATE PROCESSING SITE  3
  AUTOMATED TESTING  4
  FULL RECOVERY / RECONSTITUTION  4
  ALTERNATE STORAGE SITE  2
  SEPARATION FROM PRIMARY SITE  2
  RECOVERY TIME / POINT OBJECTIVES  3
  ACCESSIBILITY  2
  ALTERNATE PROCESSING SITE  2
  SEPARATION FROM PRIMARY SITE  2
  ACCESSIBILITY  2
  PRIORITY OF SERVICE  2
  PREPARATION FOR USE  3
  INABILITY TO RETURN TO PRIMARY SITE  4
  TELECOMMUNICATIONS SERVICES  2
  PRIORITY OF SERVICE PROVISIONS  2
  SINGLE POINTS OF FAILURE  2
  SEPARATION OF PRIMARY / ALTERNATE PROVIDERS  3
  PROVIDER CONTINGENCY PLAN  3
  ALTERNATE TELECOMMUNICATION SERVICE TESTING  4
  INFORMATION SYSTEM BACKUP  1
  TESTING FOR RELIABILITY / INTEGRITY  2
  TEST RESTORATION USING SAMPLING  3
  SEPARATE STORAGE FOR CRITICAL INFORMATION  3
  TRANSFER TO ALTERNATE STORAGE SITE  3
  REDUNDANT SECONDARY SYSTEM  4
  DUAL AUTHORIZATION  4
  INFORMATION SYSTEM RECOVERY AND RECONSTITUTION  1
  TRANSACTION RECOVERY  2
  RESTORE WITHIN TIME PERIOD  3
  COMPONENT PROTECTION  4
  ALTERNATE COMMUNICATIONS PROTOCOLS  4
  SAFE MODE  4
  ALTERNATIVE SECURITY MECHANISMS  4

Identification and Authentication (IA)
  IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES  1
  IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)  1
  NETWORK ACCESS TO PRIVILEGED ACCOUNTS  1
  NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS  2
  LOCAL ACCESS TO PRIVILEGED ACCOUNTS  2
  LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS  3
  GROUP AUTHENTICATION  4
  NETWORK ACCESS TO PRIVILEGED ACCOUNTS - SEPARATE DEVICE  4
  NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - SEPARATE DEVICE  4
  NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT  2
  NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT  3
  SINGLE SIGN-ON  4
  REMOTE ACCESS - SEPARATE DEVICE  2
  ACCEPTANCE OF PIV CREDENTIALS  1
  OUT-OF-BAND AUTHENTICATION  4
  DEVICE IDENTIFICATION AND AUTHENTICATION  2
  CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION  4
  DYNAMIC ADDRESS ALLOCATION  4
  DEVICE ATTESTATION  4
  IDENTIFIER MANAGEMENT  1
  PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS  4
  SUPERVISOR AUTHORIZATION  4
  MULTIPLE FORMS OF CERTIFICATION  4
  IDENTIFY USER STATUS  4
  DYNAMIC MANAGEMENT  4
  CROSS-ORGANIZATION MANAGEMENT  4
  IN-PERSON REGISTRATION  4
  AUTHENTICATOR MANAGEMENT  1
  PASSWORD-BASED AUTHENTICATION  1
  PKI-BASED AUTHENTICATION  2
  IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION  2
  AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION  4
  CHANGE AUTHENTICATORS PRIOR TO DELIVERY  4
  PROTECTION OF AUTHENTICATORS  4
  NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS  4
  MULTIPLE INFORMATION SYSTEM ACCOUNTS  4
  CROSS-ORGANIZATION CREDENTIAL MANAGEMENT  4
  DYNAMIC CREDENTIAL ASSOCIATION  4
  HARDWARE TOKEN-BASED AUTHENTICATION  1
  BIOMETRIC-BASED AUTHENTICATION  4
  EXPIRATION OF CACHED AUTHENTICATORS  4
  MANAGING CONTENT OF PKI TRUST STORES  4
  FICAM-APPROVED PRODUCTS AND SERVICES  4
  AUTHENTICATOR FEEDBACK  1
  CRYPTOGRAPHIC MODULE AUTHENTICATION  1
  IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)  1
  ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES  1
  ACCEPTANCE OF THIRD-PARTY CREDENTIALS  1
  USE OF FICAM-APPROVED PRODUCTS  1
  USE OF FICAM-ISSUED PROFILES  1
  ACCEPTANCE OF PIV-I CREDENTIALS  4
  SERVICE IDENTIFICATION AND AUTHENTICATION  4
  INFORMATION EXCHANGE  4
  TRANSMISSION OF DECISIONS  4
  ADAPTIVE IDENTIFICATION AND AUTHENTICATION  4
  RE-AUTHENTICATION  4

Incident Response (IR)
  INCIDENT RESPONSE POLICY AND PROCEDURES  1
  INCIDENT RESPONSE TRAINING  1
  SIMULATED EVENTS  3
  AUTOMATED TRAINING ENVIRONMENTS  3
  INCIDENT RESPONSE TESTING  2
  AUTOMATED TESTING  4
  COORDINATION WITH RELATED PLANS  2
  INCIDENT HANDLING  1
  AUTOMATED INCIDENT HANDLING PROCESSES  2
  DYNAMIC RECONFIGURATION  4
  CONTINUITY OF OPERATIONS  4
  INFORMATION CORRELATION  3
  AUTOMATIC DISABLING OF INFORMATION SYSTEM  4
  INSIDER THREATS - SPECIFIC CAPABILITIES  4
  INSIDER THREATS - INTRA-ORGANIZATION COORDINATION  4
  CORRELATION WITH EXTERNAL ORGANIZATIONS  4
  DYNAMIC RESPONSE CAPABILITY  4
  SUPPLY CHAIN COORDINATION  4
  INCIDENT MONITORING  1
  AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS  3
  INCIDENT REPORTING  1
  AUTOMATED REPORTING  2
  VULNERABILITIES RELATED TO INCIDENTS  4
  COORDINATION WITH SUPPLY CHAIN  4
  INCIDENT RESPONSE ASSISTANCE  1
  AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT  2
  COORDINATION WITH EXTERNAL PROVIDERS  4
  INCIDENT RESPONSE PLAN  1
  INFORMATION SPILLAGE RESPONSE  4
  RESPONSIBLE PERSONNEL  4
  TRAINING  4
  POST-SPILL OPERATIONS  4
  EXPOSURE TO UNAUTHORIZED PERSONNEL  4
  INTEGRATED INFORMATION SECURITY ANALYSIS TEAM  4

System Maintenance (MA)
  SYSTEM MAINTENANCE POLICY AND PROCEDURES  1
  CONTROLLED MAINTENANCE  1
  AUTOMATED MAINTENANCE ACTIVITIES  3
  MAINTENANCE TOOLS  2
  INSPECT TOOLS  2
  INSPECT MEDIA  2
  PREVENT UNAUTHORIZED REMOVAL  3
  RESTRICTED TOOL USE  4
  NONLOCAL MAINTENANCE  1
  AUDITING AND REVIEW  4
  DOCUMENT NONLOCAL MAINTENANCE  2
  COMPARABLE SECURITY / SANITIZATION  3
  AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS  4
  APPROVALS AND NOTIFICATIONS  4
  CRYPTOGRAPHIC PROTECTION  4
  REMOTE DISCONNECT VERIFICATION  4
  MAINTENANCE PERSONNEL  1
  INDIVIDUALS WITHOUT APPROPRIATE ACCESS  3
  SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS  4
  CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS  4
  FOREIGN NATIONALS  4
  NONSYSTEM-RELATED MAINTENANCE  4
  TIMELY MAINTENANCE  2
  PREVENTIVE MAINTENANCE  4
  PREDICTIVE MAINTENANCE  4
  AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE  4

Media Protection (MP)
  MEDIA PROTECTION POLICY AND PROCEDURES  1
  MEDIA ACCESS  1
  MEDIA MARKING  2
  MEDIA STORAGE  2
  AUTOMATED RESTRICTED ACCESS  4
  MEDIA TRANSPORT  2
  CUSTODIANS  4
  CRYPTOGRAPHIC PROTECTION  2
  MEDIA SANITIZATION  1
  REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY  3
  EQUIPMENT TESTING  3
  NONDESTRUCTIVE TECHNIQUES  3
  DUAL AUTHORIZATION  4
  REMOTE PURGING / WIPING OF INFORMATION  4
  MEDIA USE  1
  PROHIBIT USE WITHOUT OWNER  2
  PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA  4
  MEDIA DOWNGRADING  4
  DOCUMENTATION OF PROCESS  4
  EQUIPMENT TESTING  4
  CONTROLLED UNCLASSIFIED INFORMATION  4
  CLASSIFIED INFORMATION  4

Physical and Environmental Protection (PE)
  PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES  1
  PHYSICAL ACCESS AUTHORIZATIONS  1
  ACCESS BY POSITION / ROLE  4
  TWO FORMS OF IDENTIFICATION  4
  RESTRICT UNESCORTED ACCESS  4
  PHYSICAL ACCESS CONTROL  1
  INFORMATION SYSTEM ACCESS  3
  FACILITY / INFORMATION SYSTEM BOUNDARIES  4
  CONTINUOUS GUARDS / ALARMS / MONITORING  4
  LOCKABLE CASINGS  4
  TAMPER PROTECTION  4
  FACILITY PENETRATION TESTING  4
  ACCESS CONTROL FOR TRANSMISSION MEDIUM  2
  ACCESS CONTROL FOR OUTPUT DEVICES  2
  ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS  4
  ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY  4
  MARKING OUTPUT DEVICES  4
  MONITORING PHYSICAL ACCESS  1
  INTRUSION ALARMS / SURVEILLANCE EQUIPMENT  2
  AUTOMATED INTRUSION RECOGNITION / RESPONSES  4
  VIDEO SURVEILLANCE  4
  MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS  3
  VISITOR ACCESS RECORDS  1
  AUTOMATED RECORDS MAINTENANCE / REVIEW  3
  POWER EQUIPMENT AND CABLING  2
  REDUNDANT CABLING  4
  AUTOMATIC VOLTAGE CONTROLS  4
  EMERGENCY SHUTOFF  2
  EMERGENCY POWER  2
  LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY  3
  LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED  4
  EMERGENCY LIGHTING  1
  ESSENTIAL MISSIONS / BUSINESS FUNCTIONS  4
  FIRE PROTECTION  1
  DETECTION DEVICES / SYSTEMS  3
  SUPPRESSION DEVICES / SYSTEMS  3
  AUTOMATIC FIRE SUPPRESSION  2
  INSPECTIONS  4
  TEMPERATURE AND HUMIDITY CONTROLS  1
  AUTOMATIC CONTROLS  4
  MONITORING WITH ALARMS / NOTIFICATIONS  4
  WATER DAMAGE PROTECTION  1
  AUTOMATION SUPPORT  3
  DELIVERY AND REMOVAL  1
  ALTERNATE WORK SITE  2
  LOCATION OF INFORMATION SYSTEM COMPONENTS  3
  FACILITY SITE  4
  INFORMATION LEAKAGE  4
  NATIONAL EMISSIONS / TEMPEST POLICIES AND PROCEDURES  4
  ASSET MONITORING AND TRACKING  4

Security Planning (PL)
  SECURITY PLANNING POLICY AND PROCEDURES  1
  SYSTEM SECURITY PLAN  1
  PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES  2
  RULES OF BEHAVIOR  1
  SOCIAL MEDIA AND NETWORKING RESTRICTIONS  2
  SECURITY CONCEPT OF OPERATIONS  4
  INFORMATION SECURITY ARCHITECTURE  2
  DEFENSE-IN-DEPTH  4
  SUPPLIER DIVERSITY  4
  CENTRAL MANAGEMENT  4

Personnel Security (PS)
  PERSONNEL SECURITY POLICY AND PROCEDURES  1
  POSITION RISK DESIGNATION  1
  PERSONNEL SCREENING  1
  CLASSIFIED INFORMATION  4
  FORMAL INDOCTRINATION  4
  INFORMATION WITH SPECIAL PROTECTION MEASURES  4
  PERSONNEL TERMINATION  1
  POST-EMPLOYMENT REQUIREMENTS  4
  AUTOMATED NOTIFICATION  3
  PERSONNEL TRANSFER  1
  ACCESS AGREEMENTS  1
  CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION  4
  POST-EMPLOYMENT REQUIREMENTS  4
  THIRD-PARTY PERSONNEL SECURITY  1
  PERSONNEL SANCTIONS  1

Risk Assessment (RA)
  RISK ASSESSMENT POLICY AND PROCEDURES  1
  SECURITY CATEGORIZATION  1
  RISK ASSESSMENT  1
  VULNERABILITY SCANNING  1
  UPDATE TOOL CAPABILITY  2
  UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED  2
  BREADTH / DEPTH OF COVERAGE  4
  DISCOVERABLE INFORMATION  3
  PRIVILEGED ACCESS  2
  AUTOMATED TREND ANALYSES  4
  REVIEW HISTORIC AUDIT LOGS  4
  CORRELATE SCANNING INFORMATION  4
  TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY  4

System and Services Acquisition (SA)
  SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES  1
  ALLOCATION OF RESOURCES  1
  SYSTEM DEVELOPMENT LIFE CYCLE  1
  ACQUISITION PROCESS  1
  FUNCTIONAL PROPERTIES OF SECURITY CONTROLS  2
  DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS  2
  DEVELOPMENT METHODS / TECHNIQUES / PRACTICES  4
  SYSTEM / COMPONENT / SERVICE CONFIGURATIONS  4
  USE OF INFORMATION ASSURANCE PRODUCTS  4
  NIAP-APPROVED PROTECTION PROFILES  4
  CONTINUOUS MONITORING PLAN  4
  FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE  2
  USE OF APPROVED PIV PRODUCTS  1
  INFORMATION SYSTEM DOCUMENTATION  1
  SECURITY ENGINEERING PRINCIPLES  2
  EXTERNAL INFORMATION SYSTEM SERVICES  1
  RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS  4
  IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES  2
  ESTABLISH / MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS  4
  CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS  4
  PROCESSING, STORAGE, AND SERVICE LOCATION  4
  DEVELOPER CONFIGURATION MANAGEMENT  2
  SOFTWARE / FIRMWARE INTEGRITY VERIFICATION  4
  ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES  4
  HARDWARE INTEGRITY VERIFICATION  4
  TRUSTED GENERATION  4
  MAPPING INTEGRITY FOR VERSION CONTROL  4
  TRUSTED DISTRIBUTION  4
  DEVELOPER SECURITY TESTING AND EVALUATION  2
  STATIC CODE ANALYSIS  4
  THREAT AND VULNERABILITY ANALYSES  4
  INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCE  4
  MANUAL CODE REVIEWS  4
  PENETRATION TESTING  4
  ATTACK SURFACE REVIEWS  4
  VERIFY SCOPE OF TESTING / EVALUATION  4
  DYNAMIC CODE ANALYSIS  4
  SUPPLY CHAIN PROTECTION  3
  ACQUISITION STRATEGIES / TOOLS / METHODS  4
  SUPPLIER REVIEWS  4
  LIMITATION OF HARM  4
  ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE  4
  USE OF ALL-SOURCE INTELLIGENCE  4
  OPERATIONS SECURITY  4
  VALIDATE AS GENUINE AND NOT ALTERED  4
  PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS  4
  INTER-ORGANIZATIONAL AGREEMENTS  4
  CRITICAL INFORMATION SYSTEM COMPONENTS  4
  IDENTITY AND TRACEABILITY  4
  PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES  4
  TRUSTWORTHINESS  4
  CRITICALITY ANALYSIS  4
  DEVELOPMENT PROCESS, STANDARDS, AND TOOLS  3
  QUALITY METRICS  4
  SECURITY TRACKING TOOLS  4
  CRITICALITY ANALYSIS  4
  THREAT MODELING / VULNERABILITY ANALYSIS  4
  ATTACK SURFACE REDUCTION  4
  CONTINUOUS IMPROVEMENT  4
  AUTOMATED VULNERABILITY ANALYSIS  4
  REUSE OF THREAT / VULNERABILITY INFORMATION  4
  USE OF LIVE DATA  4
  INCIDENT RESPONSE PLAN  4
  ARCHIVE INFORMATION SYSTEM / COMPONENT  4
  DEVELOPER-PROVIDED TRAINING  3
  DEVELOPER SECURITY ARCHITECTURE AND DESIGN  3
  FORMAL POLICY MODEL  4
  SECURITY-RELEVANT COMPONENTS  4
  FORMAL CORRESPONDENCE  4
  INFORMAL CORRESPONDENCE  4
  CONCEPTUALLY SIMPLE DESIGN  4
  STRUCTURE FOR TESTING  4
  STRUCTURE FOR LEAST PRIVILEGE  4
  TAMPER RESISTANCE AND DETECTION  4
  MULTIPLE PHASES OF SDLC  4
  INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES  4
  COMPONENT AUTHENTICITY  4
  ANTI-COUNTERFEIT TRAINING  4
  CONFIGURATION CONTROL FOR COMPONENT SERVICE / REPAIR  4
  COMPONENT DISPOSAL  4
  ANTI-COUNTERFEIT SCANNING  4
  CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS  4
  DEVELOPER SCREENING  4
  VALIDATION OF SCREENING  4
  UNSUPPORTED SYSTEM COMPONENTS  4
  ALTERNATIVE SOURCES FOR CONTINUED SUPPORT  4

System and Communications Protection (SC)
  SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES  1
  APPLICATION PARTITIONING  2
  INTERFACES FOR NON-PRIVILEGED USERS  4
  SECURITY FUNCTION ISOLATION  3
  HARDWARE SEPARATION  4
  ACCESS / FLOW CONTROL FUNCTIONS  4
  MINIMIZE NONSECURITY FUNCTIONALITY  4
  MODULE COUPLING AND COHESIVENESS  4
  LAYERED STRUCTURES  4
  INFORMATION IN SHARED RESOURCES  2
  PERIODS PROCESSING  4
  DENIAL OF SERVICE PROTECTION  1
  RESTRICT INTERNAL USERS  4
  EXCESS CAPACITY / BANDWIDTH / REDUNDANCY  4
  DETECTION / MONITORING  4
  RESOURCE AVAILABILITY  4
  BOUNDARY PROTECTION  1
  ACCESS POINTS  2
  EXTERNAL TELECOMMUNICATIONS SERVICES  2
  DENY BY DEFAULT / ALLOW BY EXCEPTION  2
  PREVENT SPLIT TUNNELING FOR REMOTE DEVICES  2
  ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS  3
  RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC  4
  PREVENT UNAUTHORIZED EXFILTRATION  4
  RESTRICT INCOMING COMMUNICATIONS TRAFFIC  4
  HOST-BASED PROTECTION  4
  ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS  4
  PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS  4
  ROUTE PRIVILEGED NETWORK ACCESSES  4
  PREVENT
DISCOVERY OF COMPONENTS / DEVICES 4 AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS 4 FAIL SECURE 3 BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS 4 DYNAMIC ISOLATION / SEGREGATION 4 ISOLATION OF INFORMATION SYSTEM COMPONENTS 3 SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS 4 DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE 4 TRANSMISSION CONFIDENTIALITY AND INTEGRITY 2 CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION 2 PRE / POST TRANSMISSION HANDLING 4 CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS 4 CONCEAL / RANDOMIZE COMMUNICATIONS 4 NETWORK DISCONNECT 2 TRUSTED PATH 4 LOGICAL ISOLATION 4 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 1 AVAILABILITY 3 SYMMETRIC KEYS 4 ASYMMETRIC KEYS 4 CRYPTOGRAPHIC PROTECTION 1 COLLABORATIVE COMPUTING DEVICES 1 PHYSICAL DISCONNECT 4 DISABLING / REMOVAL IN SECURE WORK AREAS 4 EXPLICITLY INDICATE CURRENT PARTICIPANTS 4 TRANSMISSION OF SECURITY ATTRIBUTES 4 INTEGRITY VALIDATION 4 PUBLIC KEY INFRASTRUCTURE CERTIFICATES 2 MOBILE CODE 2 IDENTIFY UNACCEPTABLE CODE / TAKE CORRECTIVE ACTIONS 4 ACQUISITION / DEVELOPMENT / USE 4 PREVENT DOWNLOADING / EXECUTION 4 PREVENT AUTOMATIC EXECUTION 4 ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS 4 VOICE OVER INTERNET PROTOCOL 2 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) 1 DATA ORIGIN / INTEGRITY 4 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) 1 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE 1 SESSION AUTHENTICITY 2 INVALIDATE SESSION IDENTIFIERS AT LOGOUT 4 UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION 4 ALLOWED CERTIFICATE AUTHORITIES 4 FAIL IN KNOWN STATE 3 THIN NODES 4 HONEYPOTS 4 PLATFORM-INDEPENDENT APPLICATIONS 4 PROTECTION OF INFORMATION AT REST 2 CRYPTOGRAPHIC PROTECTION 4 OFF-LINE STORAGE 4 HETEROGENEITY 4 VIRTUALIZATION TECHNIQUES 4 CONCEALMENT AND MISDIRECTION 4 RANDOMNESS 4 CHANGE PROCESSING / STORAGE LOCATIONS 4 MISLEADING INFORMATION 4 CONCEALMENT OF SYSTEM COMPONENTS 4 COVERT CHANNEL 
ANALYSIS 4 TEST COVERT CHANNELS FOR EXPLOITABILITY 4 MAXIMUM BANDWIDTH 4 MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS 4 INFORMATION SYSTEM PARTITIONING 4 NON-MODIFIABLE EXECUTABLE PROGRAMS 4 NO WRITABLE STORAGE 4 INTEGRITY PROTECTION / READ-ONLY MEDIA 4 HARDWARE-BASED PROTECTION 4 HONEYCLIENTS 4 DISTRIBUTED PROCESSING AND STORAGE 4 POLLING TECHNIQUES 4 OUT-OF-BAND CHANNELS 4 ENSURE DELIVERY / TRANSMISSION 4 OPERATIONS SECURITY 4 PROCESS ISOLATION 1 HARDWARE SEPARATION 4 THREAD ISOLATION 4 WIRELESS LINK PROTECTION 4 ELECTROMAGNETIC INTERFERENCE 4 REDUCE DETECTION POTENTIAL 4 IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION 4 SIGNAL PARAMETER IDENTIFICATION 4 PORT AND I/O DEVICE ACCESS 4 SENSOR CAPABILITY AND DATA 4 REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES 4 AUTHORIZED USE 4 PROHIBIT USE OF DEVICES 4 USAGE RESTRICTIONS 4 DETONATION CHAMBERS 4 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES 1 FLAW REMEDIATION 1 CENTRAL MANAGEMENT 3 AUTOMATED FLAW REMEDIATION STATUS 2 TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS 4 AUTOMATIC SOFTWARE / FIRMWARE UPDATES 4 REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE / FIRMWARE 4 MALICIOUS CODE PROTECTION 1 CENTRAL MANAGEMENT 2 AUTOMATIC UPDATES 2 UPDATES ONLY BY PRIVILEGED USERS 4 TESTING / VERIFICATION 4 NONSIGNATURE-BASED DETECTION 4 DETECT UNAUTHORIZED COMMANDS 4 AUTHENTICATE REMOTE COMMANDS 4 MALICIOUS CODE ANALYSIS 4 INFORMATION SYSTEM MONITORING 1 SYSTEM-WIDE INTRUSION DETECTION SYSTEM 4 AUTOMATED TOOLS FOR REAL-TIME ANALYSIS 2 AUTOMATED TOOL INTEGRATION 4 INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC 2 SYSTEM-GENERATED ALERTS 2 AUTOMATED RESPONSE TO SUSPICIOUS EVENTS 4 TESTING OF MONITORING TOOLS 4 VISIBILITY OF ENCRYPTED COMMUNICATIONS 4 ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES 4 AUTOMATED ALERTS 4 ANALYZE TRAFFIC / EVENT PATTERNS 4 WIRELESS INTRUSION DETECTION 4 WIRELESS TO WIRELINE COMMUNICATIONS 4 CORRELATE MONITORING INFORMATION 4 INTEGRATED SITUATIONAL AWARENESS 4 ANALYZE TRAFFIC / COVERT EXFILTRATION 
4 INDIVIDUALS POSING GREATER RISK 4 PRIVILEGED USERS 4 PROBATIONARY PERIODS 4 UNAUTHORIZED NETWORK SERVICES 4 HOST-BASED DEVICES 4 INDICATORS OF COMPROMISE 4 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 1 AUTOMATED ALERTS AND ADVISORIES 3 SECURITY FUNCTION VERIFICATION 3 AUTOMATION SUPPORT FOR DISTRIBUTED TESTING 4 REPORT VERIFICATION RESULTS 4 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY 2 INTEGRITY CHECKS 2 AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS 3 CENTRALLY-MANAGED INTEGRITY TOOLS 4 AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS 3 CRYPTOGRAPHIC PROTECTION 4 INTEGRATION OF DETECTION AND RESPONSE 2 AUDITING CAPABILITY FOR SIGNIFICANT EVENTS 4 VERIFY BOOT PROCESS 4 PROTECTION OF BOOT FIRMWARE 4 CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES 4 INTEGRITY VERIFICATION 4 CODE EXECUTION IN PROTECTED ENVIRONMENTS 4 BINARY OR MACHINE EXECUTABLE CODE 3 CODE AUTHENTICATION 4 TIME LIMIT ON PROCESS EXECUTION W/O SUPERVISION 4 SPAM PROTECTION 2 CENTRAL MANAGEMENT 2 AUTOMATIC UPDATES 2 CONTINUOUS LEARNING CAPABILITY 4 INFORMATION INPUT VALIDATION 2 MANUAL OVERRIDE CAPABILITY 4 REVIEW / RESOLUTION OF ERRORS 4 PREDICTABLE BEHAVIOR 4 REVIEW / TIMING INTERACTIONS 4 RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS 4 ERROR HANDLING 2 INFORMATION HANDLING AND RETENTION 1 PREDICTABLE FAILURE PREVENTION 4 TRANSFERRING COMPONENT RESPONSIBILITIES 4 MANUAL TRANSFER BETWEEN COMPONENTS 4 STANDBY COMPONENT INSTALLATION / NOTIFICATION 4 FAILOVER CAPABILITY 4 NON-PERSISTENCE 4 REFRESH FROM TRUSTED SOURCES 4 INFORMATION OUTPUT FILTERING 4 MEMORY PROTECTION 2 FAIL-SAFE PROCEDURES 4 INFORMATION SECURITY PROGRAM PLAN 4 SENIOR INFORMATION SECURITY OFFICER 4 INFORMATION SECURITY RESOURCES 4 PLAN OF ACTION AND MILESTONES PROCESS 4 INFORMATION SYSTEM INVENTORY 4 INFORMATION SECURITY MEASURES OF PERFORMANCE 4 ENTERPRISE ARCHITECTURE 4 CRITICAL INFRASTRUCTURE PLAN 4 RISK MANAGEMENT STRATEGY 4 SECURITY AUTHORIZATION PROCESS 4 MISSION/BUSINESS PROCESS DEFINITION 4 INSIDER THREAT PROGRAM 4 
PM (continued): INFORMATION SECURITY WORKFORCE [4]; TESTING, TRAINING, AND MONITORING [4]; CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS [4]; THREAT AWARENESS PROGRAM [4].

Control table. Each row gives the control number, its name and the two codes the page shows for it. The first code is the NIST SP 800-53 Revision 4 baseline (1 = LOW, 2 = MOD, 3 = HIGH, 4 = N/A, meaning not selected by any baseline; a code is the lowest baseline that selects the control, and baselines are cumulative). The page does not label the second code (the editor also offers a NIST SP 800-82 Revision 2 ICS overlay view of each control), so it is reproduced here without interpretation. Program Management (PM) controls are not allocated to baselines in SP 800-53 and carry a single code of 4. For authoritative baselines defer to the published documents.

CONTROL | NAME | BASELINE | SECOND CODE
AC-1 | ACCESS CONTROL POLICY AND PROCEDURES | 1 | 1
AC-2 | ACCOUNT MANAGEMENT | 1 | 1
AC-3 | ACCESS ENFORCEMENT | 1 | 1
AC-4 | INFORMATION FLOW ENFORCEMENT | 2 | 1
AC-5 | SEPARATION OF DUTIES | 2 | 1
AC-6 | LEAST PRIVILEGE | 2 | 1
AC-7 | UNSUCCESSFUL LOGON ATTEMPTS | 1 | 2
AC-8 | SYSTEM USE NOTIFICATION | 1 | 1
AC-9 | PREVIOUS LOGON (ACCESS) NOTIFICATION | 4 | 4
AC-10 | CONCURRENT SESSION CONTROL | 3 | 3
AC-11 | SESSION LOCK | 2 | 3
AC-12 | SESSION TERMINATION | 2 | 2
AC-14 | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | 1 | 3
AC-16 | SECURITY ATTRIBUTES | 4 | 4
AC-17 | REMOTE ACCESS | 1 | 1
AC-18 | WIRELESS ACCESS | 1 | 1
AC-19 | ACCESS CONTROL FOR MOBILE DEVICES | 1 | 1
AC-20 | USE OF EXTERNAL INFORMATION SYSTEMS | 1 | 1
AC-21 | INFORMATION SHARING | 2 | 2
AC-22 | PUBLICLY ACCESSIBLE CONTENT | 1 | 3
AC-23 | DATA MINING PROTECTION | 4 | 4
AC-24 | ACCESS CONTROL DECISIONS | 4 | 4
AC-25 | REFERENCE MONITOR | 4 | 4
AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | 1 | 1
AT-2 | SECURITY AWARENESS TRAINING | 1 | 1
AT-3 | ROLE-BASED SECURITY TRAINING | 1 | 1
AT-4 | SECURITY TRAINING RECORDS | 1 | 3
AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | 1 | 1
AU-2 | AUDIT EVENTS | 1 | 1
AU-3 | CONTENT OF AUDIT RECORDS | 1 | 1
AU-4 | AUDIT STORAGE CAPACITY | 1 | 1
AU-5 | RESPONSE TO AUDIT PROCESSING FAILURES | 1 | 1
AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING | 1 | 1
AU-7 | AUDIT REDUCTION AND REPORT GENERATION | 2 | 2
AU-8 | TIME STAMPS | 1 | 1
AU-9 | PROTECTION OF AUDIT INFORMATION | 1 | 1
AU-10 | NON-REPUDIATION | 3 | 2
AU-11 | AUDIT RECORD RETENTION | 1 | 3
AU-12 | AUDIT GENERATION | 1 | 1
AU-13 | MONITORING FOR INFORMATION DISCLOSURE | 4 | 4
AU-14 | SESSION AUDIT | 4 | 4
AU-15 | ALTERNATE AUDIT CAPABILITY | 4 | 4
AU-16 | CROSS-ORGANIZATIONAL AUDITING | 4 | 4
CA-1 | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES | 1 | 1
CA-2 | SECURITY ASSESSMENTS | 1 | 2
CA-3 | SYSTEM INTERCONNECTIONS | 1 | 1
CA-5 | PLAN OF ACTION AND MILESTONES | 1 | 3
CA-6 | SECURITY AUTHORIZATION | 1 | 2
CA-7 | CONTINUOUS MONITORING | 1 | 2
CA-8 | PENETRATION TESTING | 3 | 2
CA-9 | INTERNAL SYSTEM CONNECTIONS | 1 | 2
CM-1 | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES | 1 | 1
CM-2 | BASELINE CONFIGURATION | 1 | 1
CM-3 | CONFIGURATION CHANGE CONTROL | 2 | 1
CM-4 | SECURITY IMPACT ANALYSIS | 1 | 2
CM-5 | ACCESS RESTRICTIONS FOR CHANGE | 2 | 1
CM-6 | CONFIGURATION SETTINGS | 1 | 1
CM-7 | LEAST FUNCTIONALITY | 1 | 1
CM-8 | INFORMATION SYSTEM COMPONENT INVENTORY | 1 | 1
CM-9 | CONFIGURATION MANAGEMENT PLAN | 2 | 1
CM-10 | SOFTWARE USAGE RESTRICTIONS | 1 | 2
CM-11 | USER-INSTALLED SOFTWARE | 1 | 1
CP-1 | CONTINGENCY PLANNING POLICY AND PROCEDURES | 1 | 1
CP-2 | CONTINGENCY PLAN | 1 | 1
CP-3 | CONTINGENCY TRAINING | 1 | 2
CP-4 | CONTINGENCY PLAN TESTING | 1 | 2
CP-6 | ALTERNATE STORAGE SITE | 2 | 1
CP-7 | ALTERNATE PROCESSING SITE | 2 | 1
CP-8 | TELECOMMUNICATIONS SERVICES | 2 | 1
CP-9 | INFORMATION SYSTEM BACKUP | 1 | 1
CP-10 | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | 1 | 1
CP-11 | ALTERNATE COMMUNICATIONS PROTOCOLS | 4 | 4
CP-12 | SAFE MODE | 4 | 4
CP-13 | ALTERNATIVE SECURITY MECHANISMS | 4 | 4
IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES | 1 | 1
IA-2 | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | 1 | 1
IA-3 | DEVICE IDENTIFICATION AND AUTHENTICATION | 2 | 1
IA-4 | IDENTIFIER MANAGEMENT | 1 | 1
IA-5 | AUTHENTICATOR MANAGEMENT | 1 | 1
IA-6 | AUTHENTICATOR FEEDBACK | 1 | 2
IA-7 | CRYPTOGRAPHIC MODULE AUTHENTICATION | 1 | 1
IA-8 | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | 1 | 1
IA-9 | SERVICE IDENTIFICATION AND AUTHENTICATION | 4 | 4
IA-10 | ADAPTIVE IDENTIFICATION AND AUTHENTICATION | 4 | 4
IA-11 | RE-AUTHENTICATION | 4 | 4
IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURES | 1 | 1
IR-2 | INCIDENT RESPONSE TRAINING | 1 | 2
IR-3 | INCIDENT RESPONSE TESTING | 2 | 2
IR-4 | INCIDENT HANDLING | 1 | 1
IR-5 | INCIDENT MONITORING | 1 | 1
IR-6 | INCIDENT REPORTING | 1 | 1
IR-7 | INCIDENT RESPONSE ASSISTANCE | 1 | 2
IR-8 | INCIDENT RESPONSE PLAN | 1 | 1
IR-9 | INFORMATION SPILLAGE RESPONSE | 4 | 4
IR-10 | INTEGRATED INFORMATION SECURITY ANALYSIS TEAM | 4 | 4
MA-1 | SYSTEM MAINTENANCE POLICY AND PROCEDURES | 1 | 1
MA-2 | CONTROLLED MAINTENANCE | 1 | 2
MA-3 | MAINTENANCE TOOLS | 2 | 3
MA-4 | NONLOCAL MAINTENANCE | 1 | 2
MA-5 | MAINTENANCE PERSONNEL | 1 | 2
MA-6 | TIMELY MAINTENANCE | 2 | 2
MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES | 1 | 1
MP-2 | MEDIA ACCESS | 1 | 1
MP-3 | MEDIA MARKING | 2 | 2
MP-4 | MEDIA STORAGE | 2 | 1
MP-5 | MEDIA TRANSPORT | 2 | 1
MP-6 | MEDIA SANITIZATION | 1 | 1
MP-7 | MEDIA USE | 1 | 1
MP-8 | MEDIA DOWNGRADING | 4 | 4
PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES | 1 | 1
PE-2 | PHYSICAL ACCESS AUTHORIZATIONS | 1 | 1
PE-3 | PHYSICAL ACCESS CONTROL | 1 | 1
PE-4 | ACCESS CONTROL FOR TRANSMISSION MEDIUM | 2 | 1
PE-5 | ACCESS CONTROL FOR OUTPUT DEVICES | 2 | 2
PE-6 | MONITORING PHYSICAL ACCESS | 1 | 1
PE-8 | VISITOR ACCESS RECORDS | 1 | 3
PE-9 | POWER EQUIPMENT AND CABLING | 2 | 1
PE-10 | EMERGENCY SHUTOFF | 2 | 1
PE-11 | EMERGENCY POWER | 2 | 1
PE-12 | EMERGENCY LIGHTING | 1 | 1
PE-13 | FIRE PROTECTION | 1 | 1
PE-14 | TEMPERATURE AND HUMIDITY CONTROLS | 1 | 1
PE-15 | WATER DAMAGE PROTECTION | 1 | 1
PE-16 | DELIVERY AND REMOVAL | 1 | 2
PE-17 | ALTERNATE WORK SITE | 2 | 2
PE-18 | LOCATION OF INFORMATION SYSTEM COMPONENTS | 3 | 3
PE-19 | INFORMATION LEAKAGE | 4 | 4
PE-20 | ASSET MONITORING AND TRACKING | 4 | 4
PL-1 | SECURITY PLANNING POLICY AND PROCEDURES | 1 | 1
PL-2 | SYSTEM SECURITY PLAN | 1 | 1
PL-4 | RULES OF BEHAVIOR | 1 | 2
PL-7 | SECURITY CONCEPT OF OPERATIONS | 4 | 4
PL-8 | INFORMATION SECURITY ARCHITECTURE | 2 | 1
PL-9 | CENTRAL MANAGEMENT | 4 | 4
PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURES | 1 | 1
PS-2 | POSITION RISK DESIGNATION | 1 | 1
PS-3 | PERSONNEL SCREENING | 1 | 1
PS-4 | PERSONNEL TERMINATION | 1 | 1
PS-5 | PERSONNEL TRANSFER | 1 | 2
PS-6 | ACCESS AGREEMENTS | 1 | 3
PS-7 | THIRD-PARTY PERSONNEL SECURITY | 1 | 1
PS-8 | PERSONNEL SANCTIONS | 1 | 3
RA-1 | RISK ASSESSMENT POLICY AND PROCEDURES | 1 | 1
RA-2 | SECURITY CATEGORIZATION | 1 | 1
RA-3 | RISK ASSESSMENT | 1 | 1
RA-5 | VULNERABILITY SCANNING | 1 | 1
RA-6 | TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY | 4 | 4
SA-1 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | 1 | 1
SA-2 | ALLOCATION OF RESOURCES | 1 | 1
SA-3 | SYSTEM DEVELOPMENT LIFE CYCLE | 1 | 1
SA-4 | ACQUISITION PROCESS | 1 | 1
SA-5 | INFORMATION SYSTEM DOCUMENTATION | 1 | 2
SA-8 | SECURITY ENGINEERING PRINCIPLES | 2 | 1
SA-9 | EXTERNAL INFORMATION SYSTEM SERVICES | 1 | 1
SA-10 | DEVELOPER CONFIGURATION MANAGEMENT | 2 | 1
SA-11 | DEVELOPER SECURITY TESTING AND EVALUATION | 2 | 1
SA-12 | SUPPLY CHAIN PROTECTION | 3 | 1
SA-13 | TRUSTWORTHINESS | 4 | 4
SA-14 | CRITICALITY ANALYSIS | 4 | 4
SA-15 | DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | 3 | 2
SA-16 | DEVELOPER-PROVIDED TRAINING | 3 | 2
SA-17 | DEVELOPER SECURITY ARCHITECTURE AND DESIGN | 3 | 1
SA-18 | TAMPER RESISTANCE AND DETECTION | 4 | 4
SA-19 | COMPONENT AUTHENTICITY | 4 | 4
SA-20 | CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS | 4 | 4
SA-21 | DEVELOPER SCREENING | 4 | 4
SA-22 | UNSUPPORTED SYSTEM COMPONENTS | 4 | 4
SC-1 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | 1 | 1
SC-2 | APPLICATION PARTITIONING | 2 | 1
SC-3 | SECURITY FUNCTION ISOLATION | 3 | 1
SC-4 | INFORMATION IN SHARED RESOURCES | 2 | 1
SC-5 | DENIAL OF SERVICE PROTECTION | 1 | 1
SC-6 | RESOURCE AVAILABILITY | 4 | 4
SC-7 | BOUNDARY PROTECTION | 1 | 1
SC-8 | TRANSMISSION CONFIDENTIALITY AND INTEGRITY | 2 | 1
SC-10 | NETWORK DISCONNECT | 2 | 2
SC-11 | TRUSTED PATH | 4 | 4
SC-12 | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | 1 | 1
SC-13 | CRYPTOGRAPHIC PROTECTION | 1 | 1
SC-15 | COLLABORATIVE COMPUTING DEVICES | 1 | 1
SC-16 | TRANSMISSION OF SECURITY ATTRIBUTES | 4 | 4
SC-17 | PUBLIC KEY INFRASTRUCTURE CERTIFICATES | 2 | 1
SC-18 | MOBILE CODE | 2 | 2
SC-19 | VOICE OVER INTERNET PROTOCOL | 2 | 1
SC-20 | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | 1 | 1
SC-21 | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) | 1 | 1
SC-22 | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE | 1 | 1
SC-23 | SESSION AUTHENTICITY | 2 | 1
SC-24 | FAIL IN KNOWN STATE | 3 | 1
SC-25 | THIN NODES | 4 | 4
SC-26 | HONEYPOTS | 4 | 4
SC-27 | PLATFORM-INDEPENDENT APPLICATIONS | 4 | 4
SC-28 | PROTECTION OF INFORMATION AT REST | 2 | 1
SC-29 | HETEROGENEITY | 4 | 4
SC-30 | CONCEALMENT AND MISDIRECTION | 4 | 4
SC-31 | COVERT CHANNEL ANALYSIS | 4 | 4
SC-32 | INFORMATION SYSTEM PARTITIONING | 4 | 4
SC-34 | NON-MODIFIABLE EXECUTABLE PROGRAMS | 4 | 4
SC-35 | HONEYCLIENTS | 4 | 4
SC-36 | DISTRIBUTED PROCESSING AND STORAGE | 4 | 4
SC-37 | OUT-OF-BAND CHANNELS | 4 | 4
SC-38 | OPERATIONS SECURITY | 4 | 4
SC-39 | PROCESS ISOLATION | 1 | 1
SC-40 | WIRELESS LINK PROTECTION | 4 | 4
SC-41 | PORT AND I/O DEVICE ACCESS | 4 | 4
SC-42 | SENSOR CAPABILITY AND DATA | 4 | 4
SC-43 | USAGE RESTRICTIONS | 4 | 4
SC-44 | DETONATION CHAMBERS | 4 | 4
SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES | 1 | 1
SI-2 | FLAW REMEDIATION | 1 | 1
SI-3 | MALICIOUS CODE PROTECTION | 1 | 1
SI-4 | INFORMATION SYSTEM MONITORING | 1 | 1
SI-5 | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | 1 | 1
SI-6 | SECURITY FUNCTION VERIFICATION | 3 | 1
SI-7 | SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | 2 | 1
SI-8 | SPAM PROTECTION | 2 | 2
SI-10 | INFORMATION INPUT VALIDATION | 2 | 1
SI-11 | ERROR HANDLING | 2 | 2
SI-12 | INFORMATION HANDLING AND RETENTION | 1 | 2
SI-13 | PREDICTABLE FAILURE PREVENTION | 4 | 4
SI-14 | NON-PERSISTENCE | 4 | 4
SI-15 | INFORMATION OUTPUT FILTERING | 4 | 4
SI-16 | MEMORY PROTECTION | 2 | 1
SI-17 | FAIL-SAFE PROCEDURES | 4 | 4
PM-1 | INFORMATION SECURITY PROGRAM PLAN | 4 | (none)
PM-2 | SENIOR INFORMATION SECURITY OFFICER | 4 | (none)
PM-3 | INFORMATION SECURITY RESOURCES | 4 | (none)
PM-4 | PLAN OF ACTION AND MILESTONES PROCESS | 4 | (none)
PM-5 | INFORMATION SYSTEM INVENTORY | 4 | (none)
PM-6 | INFORMATION SECURITY MEASURES OF PERFORMANCE | 4 | (none)
PM-7 | ENTERPRISE ARCHITECTURE | 4 | (none)
PM-8 | CRITICAL INFRASTRUCTURE PLAN | 4 | (none)
PM-9 | RISK MANAGEMENT STRATEGY | 4 | (none)
PM-10 | SECURITY AUTHORIZATION PROCESS | 4 | (none)
PM-11 | MISSION/BUSINESS PROCESS DEFINITION | 4 | (none)
PM-12 | INSIDER THREAT PROGRAM | 4 | (none)
PM-13 | INFORMATION SECURITY WORKFORCE | 4 | (none)
PM-14 | TESTING, TRAINING, AND MONITORING | 4 | (none)
PM-15 | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS | 4 | (none)
PM-16 | THREAT AWARENESS PROGRAM | 4 | (none)

Framework Core subcategories that can be placed in a Framework Profile, by function:
IDENTIFY (ID): ID.AM-1, ID.AM-2, ID.AM-3, ID.AM-4, ID.AM-5, ID.AM-6, ID.BE-1, ID.BE-2, ID.BE-3, ID.BE-4, ID.BE-5, ID.GV-1, ID.GV-2, ID.GV-3, ID.GV-4, ID.RA-1, ID.RA-2, ID.RA-3, ID.RA-4, ID.RA-5, ID.RA-6, ID.RM-1, ID.RM-2, ID.RM-3, ID.SC-1, ID.SC-2, ID.SC-3, ID.SC-4, ID.SC-5.
PROTECT (PR): PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5, PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-4, PR.DS-5, PR.DS-6, PR.DS-7, PR.DS-8, PR.IP-1, PR.IP-2, PR.IP-3, PR.IP-4, PR.IP-5, PR.IP-6, PR.IP-7, PR.IP-8, PR.IP-9, PR.IP-10, PR.IP-11, PR.IP-12, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PR.PT-5.
DETECT (DE): DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-5, DE.CM-6, DE.CM-7, DE.CM-8, DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5.
RESPOND (RS): RS.RP-1, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4, RS.CO-5, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.AN-5, RS.MI-1, RS.MI-2, RS.MI-3, RS.IM-1, RS.IM-2.
RECOVER (RC): RC.RP-1, RC.IM-1, RC.IM-2, RC.CO-1, RC.CO-2, RC.CO-3.

Baseline Tailor 0.2.2 uses the security controls and baselines from NIST SP 800-53 Revision 4 (control data from http://nvd.nist.gov/800-53/Rev4; the page carries the date 2021/03/10). An update to SP 800-53 Revision 5 and the SP 800-53B baselines is planned once the National Vulnerability Database supports SP 800-53 Revision 5 and SP 800-53B.

Tailoring consistency checks the editor reports, one message per condition:
Control impact higher than the lowest control enhancement impact (a control cannot sit in a higher baseline than one of its selected enhancements).
Control enhancement impact lower than the control impact (the same condition seen from the enhancement).
CM-7(4) impact as high as or higher than CM-7(5) impact: blacklisting and whitelisting cannot be applied simultaneously, and whitelisting is more restrictive than blacklisting, so it belongs to the higher baseline.
A control enhancement must have LOW, MODERATE or HIGH impact if supplemental guidance is added to it (guidance cannot be attached to an N/A enhancement).
Cross-reference to a control enhancement without added supplemental guidance.
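Worked example, added here and not Baseline Tailor's own code: a small Python module that parses rows shaped like the control table above ("ID - NAME baseline [second code]"), treats a code as the lowest baseline that selects the item, lists what a chosen baseline selects, and runs the first four consistency checks above against a tailored listing. Assumptions: the row format and its optional "+G" marker for added supplemental guidance are this example's own; the control rows copy codes from the table, while the enhancement rows (CM-7(4), CM-7(5), MA-4(3), MA-4(4)) and their codes are constructed for illustration; the second code column is carried through unlabelled because the page does not say what it is. The cross-reference check is left out for the same reason.

```python
"""Decode a Baseline Tailor style control listing and apply its tailoring
consistency checks.  Added example; not Baseline Tailor's own code."""
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Baseline codes as the page's legend gives them: LOW 1, MOD 2, HIGH 3, N/A 4.
# A code is the lowest baseline that selects the item; baselines are cumulative,
# so code 1 means "selected in LOW, MODERATE and HIGH".
LEVEL_NAME = {1: "LOW", 2: "MODERATE", 3: "HIGH", 4: "N/A"}
NOT_SELECTED = 4


@dataclass(frozen=True)
class Entry:
    ident: str                  # "CM-7" for a control, "CM-7(4)" for an enhancement
    name: str
    impact: int                 # SP 800-53 baseline code, 1..4
    alt: Optional[int] = None   # the page's second, unlabelled code column (controls only)
    guidance: bool = False      # organization added supplemental guidance

    @property
    def parent(self) -> str:
        return self.ident.split("(")[0]

    @property
    def is_enhancement(self) -> bool:
        return "(" in self.ident


# Row shape used by this example: "ID - NAME impact [alt] [+G]".  "+G" is an
# assumed marker for added supplemental guidance (the page shows a YES/NO field).
ROW = re.compile(
    r"^([A-Z]{2}-\d+(?:\(\d+\))?)\s+-\s+(.+?)\s+([1-4])(?:\s+([1-4]))?(\s+\+G)?$")


def parse_rows(text: str) -> Dict[str, Entry]:
    entries: Dict[str, Entry] = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        ident, name, impact, alt, flag = m.groups()
        entries[ident] = Entry(ident, name, int(impact),
                               int(alt) if alt else None, flag is not None)
    return entries


def selected_at(entries: Dict[str, Entry], level: int, column: str = "impact") -> List[str]:
    """Identifiers the LOW(1)/MOD(2)/HIGH(3) baseline selects, in listing order."""
    return [e.ident for e in entries.values()
            if (getattr(e, column) or NOT_SELECTED) <= level]


def tailor(entries: Dict[str, Entry], ident: str, impact: int,
           guidance: Optional[bool] = None) -> Dict[str, Entry]:
    """Copy the listing with one item re-baselined (and optionally guidance flagged)."""
    out = dict(entries)
    old = out[ident]
    out[ident] = replace(old, impact=impact,
                         guidance=old.guidance if guidance is None else guidance)
    return out


def validate(entries: Dict[str, Entry]) -> List[str]:
    """The consistency checks the page lists, as messages (empty list = consistent)."""
    problems: List[str] = []
    for e in entries.values():
        ctrl = entries.get(e.parent) if e.is_enhancement else None
        # An enhancement cannot be selected at a lower baseline than its control.
        if ctrl is not None and e.impact < ctrl.impact:
            problems.append(f"{e.ident}: enhancement impact {LEVEL_NAME[e.impact]} "
                            f"is lower than control impact {LEVEL_NAME[ctrl.impact]}")
        # Supplemental guidance can only be attached to a selected enhancement.
        if e.is_enhancement and e.guidance and e.impact == NOT_SELECTED:
            problems.append(f"{e.ident}: supplemental guidance added but impact is N/A")
    # CM-7(4) blacklisting and CM-7(5) whitelisting must not apply to the same
    # baseline, and whitelisting, being more restrictive, belongs to the higher one.
    bl, wl = entries.get("CM-7(4)"), entries.get("CM-7(5)")
    if (bl and wl and bl.impact != NOT_SELECTED and wl.impact != NOT_SELECTED
            and bl.impact >= wl.impact):
        problems.append("CM-7(4) impact as high or higher than CM-7(5) impact")
    return problems


# Constructed sample.  Control rows copy codes from the page's table; the
# enhancement rows and their codes are supplied for illustration.
SAMPLE = """
AC-7 - UNSUCCESSFUL LOGON ATTEMPTS 1 2
AC-11 - SESSION LOCK 2 3
CM-7 - LEAST FUNCTIONALITY 1 1
CM-7(4) - UNAUTHORIZED SOFTWARE / BLACKLISTING 2
CM-7(5) - AUTHORIZED SOFTWARE / WHITELISTING 3
MA-4 - NONLOCAL MAINTENANCE 1 2
MA-4(3) - COMPARABLE SECURITY / SANITIZATION 3
MA-4(4) - AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS 4
"""

if __name__ == "__main__":
    listing = parse_rows(SAMPLE)
    print("MODERATE baseline selects:", selected_at(listing, 2))
    print("as listed:", validate(listing) or "consistent")
    # Raising blacklisting to HIGH would run it alongside whitelisting at HIGH.
    print("CM-7(4) at HIGH:", validate(tailor(listing, "CM-7(4)", 3)))
    # Raising the control above an enhancement that is still at MODERATE.
    print("CM-7 at HIGH:", validate(tailor(listing, "CM-7", 3)))
```

Running the module prints the MODERATE selection (AC-7, AC-11, CM-7, CM-7(4), MA-4), reports the listing as consistent, and then shows the two violations produced by moving CM-7(4) up to HIGH and by moving CM-7 above its still-MODERATE enhancement. Passing column="alt" to selected_at applies the same cumulative rule to the page's second code column without claiming what that column means.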

Baseline Tailor has four tabs: Security Control Editor, Cyber Framework Browser, Cross References and Framework Profile. The Cyber Framework Browser walks the Framework Core by function (IDENTIFY (ID), PROTECT (PR), DETECT (DE), RESPOND (RS), RECOVER (RC)), then by category and subcategory. Each subcategory can be added to or removed from the Framework Profile by checking or unchecking its box, and the subcategory button shows its Framework Core text. For every subcategory the browser lists its informative references to NIST SP 800-53 controls; from a referenced control it can open the control family or the control definition in a new browser tab, open the NIST SP 800-82 ICS overlay tailoring for that control, show the other Framework Core subcategories that reference it, or hand it to the Security Control Editor for tailoring.
The Framework Profile can also be viewed as XML.

Security Control Editor. Baseline codes: LOW 1, MOD 2, HIGH 3, N/A 4; by default the LOW, MODERATE and HIGH boxes are checked, and the listing can be restricted to controls that are informative references of the current Framework Profile. Controls are selected by family and then by control. For each control, and for each of its enhancements, the editor shows the control number, control name, control enhancement name, baseline impact, whether supplemental guidance has been added (NO or YES), and the control's membership in the LOW, MOD and HIGH baselines. Tailoring a control or enhancement records the new baseline impact, any additional supplemental guidance for the control or for the enhancement, and a rationale for changing the baseline; the result is available as XML. From the editor, the control definition and the NIST SP 800-82 ICS overlay tailoring for the control open in a new browser tab, and the Framework Core subcategories referencing the control can be shown together with their Framework Core definitions.
PLEASE NOTE: This is an experimental website. NIST does not endorse the views expressed, or necessarily concur with the information presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. All the material on this website is in the public domain and is intended for unrestricted use by interested parties, including any text, diagrams, or images, unless indicated explicitly.

This website represents components defined in the NIST Framework for Improving Critical Infrastructure Cybersecurity and the security controls and associated assessment procedures defined in NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. For any discrepancy between the content of this website and the latest published NIST Cybersecurity Framework or SP 800-53 Revision 4, defer to the official published documents posted at http://csrc.nist.gov.

Certain commercial equipment, instruments, materials, systems, software, and trade names may be identified throughout this site in order to specify or identify technologies adequately. Such identification is not intended to imply recommendation or endorsement by NIST or any other party, nor is it intended to imply that the systems or products identified are necessarily the best available for the purpose. All data and other information posted on this site is provided as a public service and is provided 'AS IS.' NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY.

By selecting external links, you will be leaving NIST webspace. Links to other websites are provided because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose.

