diff --git a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml index 8886c2b410..7b6db83db8 100644 --- a/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml +++ b/src/content/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_catalog.xml @@ -1,9 +1,9 @@ - + + id="uuid-164e503d-1a64-4373-8926-7c51b8ba2913"> NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations @@ -486,7 +486,7 @@

automated mechanisms for implementing account management

- + Automated System Account Management AC-2(1) @@ -524,8 +524,8 @@

Automated mechanisms implementing account management functions

 - - + + Removal of Temporary / Emergency Accounts @@ -2279,8 +2279,8 @@

Automated mechanisms implementing information flow enforcement policy

- - + + Embedded Data Types @@ -2329,8 +2329,8 @@

Automated mechanisms implementing information flow enforcement policy

- - + + Metadata @@ -2382,8 +2382,8 @@

Automated mechanisms implementing information flow enforcement policy

- - + + One-way Flow Mechanisms @@ -2430,8 +2430,8 @@

Hardware mechanisms implementing information flow enforcement policy

- - + + Security Policy Filters @@ -2488,8 +2488,8 @@

Automated mechanisms implementing information flow enforcement policy

- - + + Human Reviews @@ -2548,8 +2548,8 @@

Automated mechanisms enforcing the use of human reviews

- - + + Enable / Disable Security Policy Filters @@ -2607,8 +2607,8 @@

Automated mechanisms implementing information flow enforcement policy

- - + + Configuration of Security Policy Filters @@ -2659,8 +2659,8 @@

Automated mechanisms implementing information flow enforcement policy

- - + + Data Type Identifiers @@ -2710,8 +2710,8 @@

Automated mechanisms implementing information flow enforcement policy

- - + + Decomposition into Policy-relevant Subcomponents @@ -2760,8 +2760,8 @@

Automated mechanisms implementing information flow enforcement policy

- - + + Security Policy Filter Constraints @@ -2812,8 +2812,8 @@

Automated mechanisms implementing information flow enforcement policy

- - + + Detection of Unsanctioned Information @@ -2870,14 +2870,14 @@

Automated mechanisms implementing information flow enforcement policy

- - + + Information Transfers On Interconnected Systems AC-4(16) Withdrawn AC-4 - - + + Domain Authentication @@ -4338,8 +4338,8 @@

Automated mechanisms implementing access control policy for previous logon notification

- - + + Notification of Account Changes @@ -4391,8 +4391,8 @@

Automated mechanisms implementing access control policy for previous logon notification

- - + + Additional Logon Information @@ -4440,7 +4440,7 @@

Automated mechanisms implementing access control policy for previous logon notification

- + Concurrent Session Control @@ -4564,7 +4564,7 @@

Automated mechanisms implementing access control policy for session lock

- + Pattern-hiding Displays AC-11(1) @@ -4601,7 +4601,7 @@

Information system session lock mechanisms

 - + Session Termination @@ -4654,7 +4654,7 @@

Automated mechanisms implementing user session termination

- + User-initiated Logouts / Message Displays @@ -4720,7 +4720,7 @@

Information system session lock mechanisms

- + Supervision and Review - Access Control @@ -4788,12 +4788,12 @@

organizational personnel with information security responsibilities

- + Necessary Uses AC-14(1) Withdrawn AC-14 - + Automated Marking @@ -4946,7 +4946,7 @@

Organizational capability supporting and maintaining the association of security attributes to information in storage, in process, and in transmission

- + Dynamic Attribute Association @@ -5002,8 +5002,8 @@

Automated mechanisms implementing dynamic association of security attributes to information

- - + + Attribute Value Changes by Authorized Individuals AC-16(2) @@ -5043,8 +5043,8 @@

Automated mechanisms permitting changes to values of security attributes

 - - + + Maintenance of Attribute Associations by Information System @@ -5097,8 +5097,8 @@

Automated mechanisms maintaining association and integrity of security attributes to information

- - + + Association of Attributes by Authorized Individuals @@ -5154,8 +5154,8 @@

Automated mechanisms supporting user associations of security attributes to information

- - + + Attribute Displays for Output Devices @@ -5211,8 +5211,8 @@

System output devices displaying security attributes in human-readable form on each object

- - + + Maintenance of Attribute Association by Organization @@ -5271,8 +5271,8 @@

Automated mechanisms supporting associations of security attributes to subjects and objects

- - + + Consistent Attribute Interpretation AC-16(7) @@ -5311,8 +5311,8 @@

Automated mechanisms implementing access enforcement and information flow enforcement functions

 - - + + Association Techniques / Technologies @@ -5367,8 +5367,8 @@

Automated mechanisms implementing techniques or technologies associating security attributes to information

- - + + Attribute Reassignment @@ -5416,8 +5416,8 @@

Automated mechanisms implementing techniques or procedures for reassigning association of security attributes to information

- - + + Attribute Configuration by Authorized Individuals AC-16(10) @@ -5454,7 +5454,7 @@

Automated mechanisms implementing capability for defining or changing security attributes

 - + Remote Access @@ -5567,7 +5567,7 @@

Remote access management capability for the information system

- + Automated Monitoring / Control AC-17(1) @@ -5607,8 +5607,8 @@

Automated mechanisms monitoring and controlling remote access methods

 - - + + Protection of Confidentiality / Integrity Using Encryption AC-17(2) @@ -5649,8 +5649,8 @@

Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions

 - - + + Managed Access Control Points @@ -5699,8 +5699,8 @@

Automated mechanisms routing all remote accesses through managed network access control points

- - + + Privileged Commands / Access @@ -5764,14 +5764,14 @@

Automated mechanisms implementing remote access management

- - + + Monitoring for Unauthorized Connections AC-17(5) Withdrawn SI-4 - - + + Protection of Information AC-17(6) @@ -5801,20 +5801,20 @@

organizational personnel with information security responsibilities

 - - + + Additional Protection for Security Function Access AC-17(7) Withdrawn AC-3 (10) - - + + Disable Nonsecure Network Protocols AC-17(8) Withdrawn CM-7 - - + + Disconnect / Disable Access @@ -5862,7 +5862,7 @@

Automated mechanisms implementing capability to disconnect or disable remote access to information system

- + Wireless Access @@ -5946,7 +5946,7 @@

Wireless access management capability for the information system

- + Authentication and Encryption @@ -6430,7 +6430,7 @@

Encryption mechanisms protecting confidentiality and integrity of information on mobile devices

- + Use of External Information Systems @@ -6493,7 +6493,7 @@

Automated mechanisms implementing terms and conditions on use of external information systems

- + Limits On Authorized Use AC-20(1) @@ -6548,8 +6548,8 @@

Automated mechanisms implementing limits on use of external information systems

 - - + + Portable Storage Devices @@ -6639,8 +6639,8 @@

Automated mechanisms implementing restrictions on the use of non-organizationally owned systems/components/devices

- - + + Network Accessible Storage Devices @@ -6690,7 +6690,7 @@

Automated mechanisms prohibiting the use of network accessible storage devices in external information systems

- + Information Sharing @@ -6767,7 +6767,7 @@

Automated mechanisms or manual process implementing access authorizations supporting information sharing/user collaboration decisions

- + Automated Decision Support AC-21(1) @@ -6811,8 +6811,8 @@

Automated mechanisms implementing access authorizations supporting information sharing/user collaboration decisions

 - - + + Information Search and Retrieval @@ -6860,7 +6860,7 @@

Information system search and retrieval services enforcing information sharing restrictions

- + Publicly Accessible Content @@ -7058,7 +7058,7 @@

Automated mechanisms applying established access control decisions and procedures

- + Transmit Access Authorization Information @@ -7121,8 +7121,8 @@

Automated mechanisms implementing access enforcement functions

- - + + No User or Process Identity @@ -7171,7 +7171,7 @@

Automated mechanisms implementing access enforcement functions

- + Reference Monitor @@ -7460,7 +7460,7 @@

Automated mechanisms managing security awareness training

- + Practical Exercises AT-2(1) @@ -7501,8 +7501,8 @@

Automated mechanisms implementing cyber attack simulations in practical exercises

 - - + + Insider Threat AT-2(2) @@ -7537,7 +7537,7 @@

organizational personnel with information security responsibilities

 - + Role-based Security Training @@ -7621,7 +7621,7 @@

Automated mechanisms managing role-based security training

- + Environmental Controls @@ -7678,8 +7678,8 @@

organizational personnel with responsibilities for employing and operating environmental controls

- - + + Physical Security Controls @@ -7736,8 +7736,8 @@

organizational personnel with responsibilities for employing and operating physical security controls

- - + + Practical Exercises AT-3(3) @@ -7767,8 +7767,8 @@

organizational personnel that participate in security awareness training

 - - + + Suspicious Communications and Anomalous System Behavior @@ -7810,7 +7810,7 @@

organizational personnel that participate in security awareness training

- + Security Training Records @@ -8162,19 +8162,19 @@

Automated mechanisms implementing information system auditing

- + Compilation of Audit Records from Multiple Sources AU-2(1) Withdrawn AU-12 - - + + Selection of Audit Events by Component AU-2(2) Withdrawn AU-12 - - + + Reviews and Updates @@ -8223,13 +8223,13 @@

Automated mechanisms supporting review and update of auditable events

- - + + Privileged Functions AU-2(4) Withdrawn AC-6 (9) - + Content of Audit Records @@ -8298,7 +8298,7 @@

Automated mechanisms implementing information system auditing of auditable events

- + Additional Audit Information @@ -8348,8 +8348,8 @@

Information system audit capability

- - + + Centralized Management of Planned Audit Record Content @@ -8401,7 +8401,7 @@

Information system capability implementing centralized management and configuration of audit record content

- + Audit Storage Capacity @@ -8460,7 +8460,7 @@

Audit record storage capacity and related configuration settings

- + Transfer to Alternate Storage @@ -8510,7 +8510,7 @@

Automated mechanisms supporting transfer of audit records onto a different system

- + Response to Audit Processing Failures @@ -8590,7 +8590,7 @@

Automated mechanisms implementing information system response to audit processing failures

- + Audit Storage Capacity @@ -8666,8 +8666,8 @@

Automated mechanisms implementing audit storage limit warnings

- - + + Real-time Alerts @@ -8744,8 +8744,8 @@

Automated mechanisms implementing real-time audit alerts when organization-defined audit failure events occur

- - + + Configurable Traffic Volume Thresholds @@ -8886,7 +8886,7 @@

Information system capability invoking system shutdown or degraded operational mode in the event of an audit processing failure

- + Audit Review, Analysis, and Reporting @@ -8988,7 +8988,7 @@

organizational personnel with information security responsibilities

- + Process Integration AU-6(1) @@ -9055,14 +9055,14 @@

Automated mechanisms integrating audit review, analysis, and reporting processes

 - - + + Automated Security Alerts AU-6(2) Withdrawn SI-4 - - + + Correlate Audit Repositories AU-6(3) @@ -9100,8 +9100,8 @@

Automated mechanisms supporting analysis and correlation of audit records

 - - + + Central Review and Analysis AU-6(4) @@ -9141,8 +9141,8 @@

Information system capability to centralize review and analysis of audit records

 - - + + Integration / Scanning and Monitoring Capabilities @@ -9314,8 +9314,8 @@

Automated mechanisms supporting permitted actions for review, analysis, and reporting of audit information

- - + + Full Text Analysis of Privileged Commands AU-6(8) @@ -9365,8 +9365,8 @@

Automated mechanisms implementing capability to perform a full text analysis of audited privilege commands

 - - + + Correlation with Information from Nontechnical Sources AU-6(9) @@ -9404,8 +9404,8 @@

Automated mechanisms implementing capability to correlate information from non-technical sources

 - - + + Audit Level Adjustment AU-6(10) @@ -9454,7 +9454,7 @@

Automated mechanisms supporting review, analysis, and reporting of audit information

 - + Audit Reduction and Report Generation @@ -9525,7 +9525,7 @@

Audit reduction and report generation capability

- + Automatic Processing @@ -9577,8 +9577,8 @@

Audit reduction and report generation capability

- - + + Automatic Sort and Search @@ -9628,7 +9628,7 @@

Audit reduction and report generation capability

- + Time Stamps @@ -9699,7 +9699,7 @@

Automated mechanisms implementing time stamp generation

- + Synchronization with Authoritative Time Source @@ -9781,8 +9781,8 @@

Automated mechanisms implementing internal information system clock synchronization

- - + + Secondary Authoritative Time Source AU-8(2) @@ -9816,7 +9816,7 @@

Automated mechanisms implementing internal information system clock authoritative time sources

 - + Protection of Audit Information @@ -9896,7 +9896,7 @@

Automated mechanisms implementing audit information protection

- + Hardware Write-once Media AU-9(1) @@ -9939,8 +9939,8 @@

Information system media storing audit trails

 - - + + Audit Backup On Separate Physical Systems / Components @@ -9992,8 +9992,8 @@

Automated mechanisms implementing the backing up of audit records

- - + + Cryptographic Protection AU-9(3) @@ -10043,8 +10043,8 @@

Cryptographic mechanisms protecting integrity of audit information and tools

 - - + + Access by Subset of Privileged Users @@ -10096,8 +10096,8 @@

Automated mechanisms managing access to audit functionality

- - + + Dual Authorization @@ -12323,7 +12323,7 @@

Automated mechanisms implementing restrictions on external system connections

- + Security Certification @@ -12421,7 +12421,7 @@

Automated mechanisms for developing, implementing, and maintaining plan of action and milestones

- + Automation Support for Accuracy / Currency CA-5(1) @@ -12466,7 +12466,7 @@

Automated mechanisms for developing, implementing and maintaining plan of action and milestones

 - + Security Authorization @@ -12749,7 +12749,7 @@

Mechanisms implementing continuous monitoring

- + Independent Assessment @@ -12793,14 +12793,14 @@

organizational personnel with information security responsibilities

- - + + Types of Assessments CA-7(2) Withdrawn CA-2 - - + + Trend Analyses CA-7(3) @@ -12846,7 +12846,7 @@

organizational personnel with information security responsibilities

 - + Penetration Testing @@ -12905,7 +12905,7 @@

Automated mechanisms supporting penetration testing

- + Independent Penetration Agent or Team CA-8(1) @@ -12938,8 +12938,8 @@

organizational personnel with information security responsibilities

 - - + + Red Team Exercises @@ -12999,7 +12999,7 @@

Automated mechanisms supporting employment of red team exercises

- + Internal System Connections @@ -13084,7 +13084,7 @@

organizational personnel with information security responsibilities

- + Security Compliance Checks CA-9(1) @@ -13125,7 +13125,7 @@

Automated mechanisms supporting compliance checks

 - + @@ -13337,7 +13337,7 @@

automated mechanisms supporting configuration control of the baseline configuration

- + Reviews and Updates @@ -13426,8 +13426,8 @@

automated mechanisms supporting review and update of the baseline configuration

- - + + Automation Support for Accuracy / Currency CM-2(2) @@ -13485,8 +13485,8 @@

automated mechanisms implementing baseline configuration maintenance

 - - + + Retention of Previous Configurations @@ -13535,20 +13535,20 @@

Organizational processes for managing baseline configurations

- - + + Unauthorized Software CM-2(4) Withdrawn CM-7 - - + + Authorized Software CM-2(5) Withdrawn CM-7 - - + + Development and Test Environments CM-2(6) @@ -13590,8 +13590,8 @@

automated mechanisms implementing separate baseline configurations for development, test, and operational environments

 - - + + Configure Systems, Components, or Devices for High-risk Areas @@ -13677,7 +13677,7 @@

Organizational processes for managing baseline configurations

- + Configuration Change Control @@ -13828,7 +13828,7 @@

automated mechanisms that implement configuration change control

- + Automated Document / Notification / Prohibition of Changes @@ -13954,8 +13954,8 @@

automated mechanisms implementing configuration change control activities

- - + + Test / Validate / Document Changes CM-3(2) @@ -14010,8 +14010,8 @@

automated mechanisms supporting and/or implementing testing, validating, and documenting information system changes

 - - + + Automated Change Implementation CM-3(3) @@ -14058,8 +14058,8 @@

automated mechanisms implementing changes to current information system baseline

 - - + + Security Representative @@ -14105,8 +14105,8 @@

Organizational processes for configuration change control

- - + + Automated Security Response @@ -14160,8 +14160,8 @@

automated mechanisms implementing security responses to changes to the baseline configurations

- - + + Cryptography Management @@ -14213,7 +14213,7 @@

cryptographic mechanisms implementing organizational security safeguards

- + Security Impact Analysis @@ -14263,7 +14263,7 @@

Organizational processes for security impact analysis

- + Separate Test Environments CM-4(1) @@ -14332,8 +14332,8 @@

automated mechanisms supporting and/or implementing security impact analysis of changes

 - - + + Verification of Security Functions CM-4(2) @@ -14386,7 +14386,7 @@

automated mechanisms supporting and/or implementing verification of security functions

 - + Access Restrictions for Change @@ -14468,7 +14468,7 @@

automated mechanisms supporting/implementing/enforcing access restrictions associated with changes to the information system

- + Automated Access Enforcement / Auditing CM-5(1) @@ -14521,8 +14521,8 @@

automated mechanisms supporting auditing of enforcement actions

 - - + + Review System Changes @@ -14590,8 +14590,8 @@

automated mechanisms supporting/implementing information system reviews to determine whether unauthorized changes have occurred

- - + + Signed Components @@ -14648,8 +14648,8 @@

automated mechanisms preventing installation of software and firmware components not signed with an organization-recognized and approved certificate

- - + + Dual Authorization @@ -14704,8 +14704,8 @@

automated mechanisms implementing dual authorization enforcement

- - + + Limit Production / Operational Privileges @@ -14777,8 +14777,8 @@

automated mechanisms supporting and/or implementing access restrictions for change

- - + + Limit Library Privileges CM-5(6) @@ -14819,13 +14819,13 @@

automated mechanisms supporting and/or implementing access restrictions for change

 - - + + Automatic Implementation of Security Safeguards CM-5(7) Withdrawn SI-7 - + Configuration Settings @@ -14986,7 +14986,7 @@

automated mechanisms that identify and/or document deviations from established configuration settings

- + Automated Central Management / Application / Verification @@ -15064,8 +15064,8 @@

automated mechanisms implemented to centrally manage, apply, and verify information system configuration settings

- - + + Respond to Unauthorized Changes @@ -15128,19 +15128,19 @@

automated mechanisms supporting and/or implementing security safeguards for response to unauthorized changes

- - + + Unauthorized Change Detection CM-6(3) Withdrawn SI-7 - - + + Conformance Demonstration CM-6(4) Withdrawn CM-4 - + Least Functionality @@ -15246,7 +15246,7 @@

automated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and/or services

- + Periodic Review @@ -15394,8 +15394,8 @@

automated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and/or services

- - + + Prevent Program Execution @@ -16144,8 +16144,8 @@

automated mechanisms implementing the information system component inventory

- - + + No Duplicate Accounting of Components CM-8(5) @@ -16184,8 +16184,8 @@

automated mechanisms implementing the information system component inventory

 - - + + Assessed Configurations / Approved Deviations CM-8(6) @@ -16235,8 +16235,8 @@

automated mechanisms implementing the information system component inventory

 - - + + Centralized Repository CM-8(7) @@ -16273,8 +16273,8 @@

Automated mechanisms implementing the information system component inventory in a centralized repository

 - - + + Automated Location Tracking CM-8(8) @@ -16315,8 +16315,8 @@

automated mechanisms supporting tracking of information system components by geographic location

 - - + + Assignment of Components to Systems @@ -16388,7 +16388,7 @@

automated mechanisms implementing acknowledgment of assignment of acquired components to the information system

- + Configuration Management Plan @@ -16506,7 +16506,7 @@

automated mechanisms for protecting the configuration management plan

- + Assignment of Responsibility CM-9(1) @@ -16535,7 +16535,7 @@

organizational personnel with information security responsibilities

 - + Software Usage Restrictions @@ -16608,7 +16608,7 @@

automated mechanisms implementing and controlling the use of peer-to-peer files sharing technology

- + Open Source Software @@ -16656,7 +16656,7 @@

automated mechanisms implementing restrictions on the use of open source software

- + User-installed Software @@ -16765,7 +16765,7 @@

automated mechanisms monitoring policy compliance

- + Alerts for Unauthorized Installations @@ -16819,8 +16819,8 @@

automated mechanisms for alerting personnel/roles when unauthorized installation of software is detected

- - + + Prohibit Installation Without Privileged Status CM-11(2) @@ -16861,7 +16861,7 @@

automated mechanisms for prohibiting installation of software without privileged status (e.g., access controls)

 - + @@ -17244,7 +17244,7 @@

automated mechanisms for developing, reviewing, updating and/or protecting the contingency plan

- + Coordinate with Related Plans CP-2(1) @@ -17282,8 +17282,8 @@

personnel with responsibility for related plans

 - - + + Capacity Planning CP-2(2) @@ -17324,8 +17324,8 @@

organizational personnel with information security responsibilities

 - - + + Resume Essential Missions / Business Functions @@ -17374,8 +17374,8 @@

Organizational processes for resumption of missions and business functions

- - + + Resume All Missions / Business Functions @@ -17424,8 +17424,8 @@

Organizational processes for resumption of missions and business functions

- - + + Continue Essential Missions / Business Functions CP-2(5) @@ -17475,8 +17475,8 @@

Organizational processes for continuing missions and business functions

 - - + + Alternate Processing / Storage Site CP-2(6) @@ -17524,8 +17524,8 @@

Organizational processes for transfer of essential missions and business functions to alternate processing/storage sites

 - - + + Coordinate with External Service Providers CP-2(7) @@ -17560,8 +17560,8 @@

organizational personnel with information security responsibilities

 - - + + Identify Critical Assets CP-2(8) @@ -17593,7 +17593,7 @@

organizational personnel with information security responsibilities

 - + Contingency Training @@ -17684,7 +17684,7 @@

Organizational processes for contingency training

- + Simulated Events CP-3(1) @@ -17718,8 +17718,8 @@

automated mechanisms for simulating contingency events

 - - + + Automated Training Environments CP-3(2) @@ -17753,7 +17753,7 @@

automated mechanisms for providing contingency training environments

 - + Contingency Plan Testing @@ -17841,7 +17841,7 @@

automated mechanisms supporting the contingency plan and/or contingency plan testing

- + Coordinate with Related Plans CP-4(1) @@ -17883,8 +17883,8 @@

organizational personnel with information security responsibilities

 - - + + Alternate Processing Site CP-4(2) @@ -17941,8 +17941,8 @@

automated mechanisms supporting the contingency plan and/or contingency plan testing

 - - + + Automated Testing CP-4(3) @@ -17980,8 +17980,8 @@

automated mechanisms supporting contingency plan testing

 - - + + Full Recovery / Reconstitution CP-4(4) @@ -18029,7 +18029,7 @@

automated mechanisms supporting recovery and reconstitution of the information system

 - + Contingency Plan Update @@ -18097,7 +18097,7 @@

automated mechanisms supporting and/or implementing storage and retrieval of information system backup information at the alternate storage site

- + Separation from Primary Site CP-6(1) @@ -18130,8 +18130,8 @@

organizational personnel with information security responsibilities

 - - + + Recovery Time / Point Objectives CP-6(2) @@ -18167,8 +18167,8 @@

automated mechanisms supporting recovery time/point objectives

 - - + + Accessibility CP-6(3) @@ -18210,7 +18210,7 @@

organizational personnel with information security responsibilities

 - + Alternate Processing Site @@ -18307,7 +18307,7 @@

automated mechanisms supporting and/or implementing recovery at the alternate processing site

- + Separation from Primary Site CP-7(1) @@ -18340,8 +18340,8 @@

organizational personnel with information security responsibilities

 - - + + Accessibility CP-7(2) @@ -18382,8 +18382,8 @@

organizational personnel with information security responsibilities

 - - + + Priority of Service CP-7(3) @@ -18415,8 +18415,8 @@

organizational personnel with responsibility for acquisitions/contractual agreements

 - - + + Preparation for Use CP-7(4) @@ -18456,14 +18456,14 @@

Automated mechanisms supporting and/or implementing recovery at the alternate processing site

 - - + + Equivalent Information Security Safeguards CP-7(5) Withdrawn CP-7 - - + + Inability to Return to Primary Site CP-7(6) @@ -18491,7 +18491,7 @@

organizational personnel with information security responsibilities

 - + Telecommunications Services @@ -18554,7 +18554,7 @@

Automated mechanisms supporting telecommunications

- + Priority of Service Provisions CP-8(1) @@ -18608,8 +18608,8 @@

Automated mechanisms supporting telecommunications

 - - + + Single Points of Failure CP-8(2) @@ -18637,8 +18637,8 @@

organizational personnel with information security responsibilities

 - - + + Separation of Primary / Alternate Providers CP-8(3) @@ -18671,8 +18671,8 @@

organizational personnel with information security responsibilities

 - - + + Provider Contingency Plan @@ -18749,8 +18749,8 @@

organizational personnel with responsibility for acquisitions/contractual agreements

- - + + Alternate Telecommunication Service Testing @@ -18795,7 +18795,7 @@

Automated mechanisms supporting testing alternate telecommunications services

- + Information System Backup @@ -18902,7 +18902,7 @@

automated mechanisms supporting and/or implementing information system backups

- + Testing for Reliability / Integrity @@ -18951,8 +18951,8 @@

automated mechanisms supporting and/or implementing information system backups

- - + + Test Restoration Using Sampling CP-9(2) @@ -18991,8 +18991,8 @@

automated mechanisms supporting and/or implementing information system backups

 - - + + Separate Storage for Critical Information @@ -19044,14 +19044,14 @@

organizational personnel with information security responsibilities

- - + + Protection from Unauthorized Modification CP-9(4) Withdrawn CP-9 - - + + Transfer to Alternate Storage Site @@ -19105,8 +19105,8 @@

automated mechanisms supporting and/or implementing information transfer to the alternate storage site

- - + + Redundant Secondary System CP-9(6) @@ -19157,8 +19157,8 @@

automated mechanisms supporting and/or implementing information transfer to a redundant secondary system

 - - + + Dual Authorization @@ -19210,7 +19210,7 @@

automated mechanisms supporting and/or implementing deletion/destruction of backup information

- + Information System Recovery and Reconstitution @@ -19294,13 +19294,13 @@

automated mechanisms supporting and/or implementing information system recovery and reconstitution operations

- + Contingency Plan Testing CP-10(1) Withdrawn CP-4 - - + + Transaction Recovery CP-10(2) @@ -19340,14 +19340,14 @@

Automated mechanisms supporting and/or implementing transaction recovery capability

 - - + + Compensating Security Controls CP-10(3) Withdrawn Chapter 3 - - + + Restore Within Time Period @@ -19398,14 +19398,14 @@

Automated mechanisms supporting and/or implementing recovery/reconstitution of information system information

- - + + Failover Capability CP-10(5) Withdrawn SI-13 - - + + Component Protection CP-10(6) @@ -19461,7 +19461,7 @@

automated mechanisms supporting and/or implementing protection of backup and restoration hardware, firmware, and software

 - + Alternate Communications Protocols @@ -19855,7 +19855,7 @@

automated mechanisms supporting and/or implementing identification and authentication capability

- + Network Access to Privileged Accounts IA-2(1) @@ -19895,8 +19895,8 @@

Automated mechanisms supporting and/or implementing multifactor authentication capability

 - - + + Network Access to Non-privileged Accounts IA-2(2) @@ -19933,8 +19933,8 @@

Automated mechanisms supporting and/or implementing multifactor authentication capability

 - - + + Local Access to Privileged Accounts IA-2(3) @@ -19974,8 +19974,8 @@

Automated mechanisms supporting and/or implementing multifactor authentication capability

 - - + + Local Access to Non-privileged Accounts IA-2(4) @@ -20012,8 +20012,8 @@

Automated mechanisms supporting and/or implementing multifactor authentication capability

 - - + + Group Authentication IA-2(5) @@ -20053,8 +20053,8 @@

Automated mechanisms supporting and/or implementing authentication capability for group accounts

 - - + + Network Access to Privileged Accounts - Separate Device @@ -20109,8 +20109,8 @@

Automated mechanisms supporting and/or implementing multifactor authentication capability

- - + + Network Access to Non-privileged Accounts - Separate Device @@ -20162,8 +20162,8 @@

Automated mechanisms supporting and/or implementing multifactor authentication capability

- - + + Network Access to Privileged Accounts - Replay Resistant IA-2(8) @@ -20204,8 +20204,8 @@

automated mechanisms supporting and/or implementing replay resistant authentication mechanisms

 - - + + Network Access to Non-privileged Accounts - Replay Resistant IA-2(9) @@ -20246,8 +20246,8 @@

automated mechanisms supporting and/or implementing replay resistant authentication mechanisms

 - - + + Single Sign-on @@ -20300,8 +20300,8 @@

automated mechanisms supporting and/or implementing single sign-on capability for information system accounts and services

- - + + Remote Access - Separate Device @@ -20369,8 +20369,8 @@

Automated mechanisms supporting and/or implementing identification and authentication capability

- - + + Acceptance of PIV Credentials IA-2(12) @@ -20423,8 +20423,8 @@

Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials

 - - + + Out-of-band Authentication @@ -20485,7 +20485,7 @@

Automated mechanisms supporting and/or implementing out-of-band authentication capability

- + Device Identification and Authentication @@ -20574,7 +20574,7 @@

Automated mechanisms supporting and/or implementing device identification and authentication capability

- + Cryptographic Bidirectional Authentication @@ -20659,14 +20659,14 @@

cryptographically based bidirectional authentication mechanisms

- - + + Cryptographic Bidirectional Network Authentication IA-3(2) Withdrawn IA-3 (1) - - + + Dynamic Address Allocation @@ -20748,8 +20748,8 @@

automated mechanisms supporting and/or implanting auditing of lease information

- - + + Device Attestation @@ -20802,7 +20802,7 @@

cryptographic mechanisms supporting device attestation

- + Identifier Management @@ -20989,7 +20989,7 @@

Automated mechanisms supporting and/or implementing identifier management

- + Prohibit Account Identifiers as Public Identifiers IA-4(1) @@ -21028,8 +21028,8 @@

Automated mechanisms supporting and/or implementing identifier management

 - - + + Supervisor Authorization IA-4(2) @@ -21065,8 +21065,8 @@

Automated mechanisms supporting and/or implementing identifier management

 - - + + Multiple Forms of Certification IA-4(3) @@ -21103,8 +21103,8 @@

Automated mechanisms supporting and/or implementing identifier management

 - - + + Identify User Status @@ -21152,8 +21152,8 @@

Automated mechanisms supporting and/or implementing identifier management

- - + + Dynamic Management IA-4(5) @@ -21193,8 +21193,8 @@

Automated mechanisms supporting and/or implementing dynamic identifier management

 - - + + Cross-organization Management @@ -21240,8 +21240,8 @@

Automated mechanisms supporting and/or implementing identifier management

- - + + In-person Registration IA-4(7) @@ -21272,7 +21272,7 @@

organizational personnel with information security responsibilities

 - + Authenticator Management @@ -21479,7 +21479,7 @@

Automated mechanisms supporting and/or implementing authenticator management capability

- + Password-based Authentication @@ -21634,8 +21634,8 @@

Automated mechanisms supporting and/or implementing password-based authenticator management capability

- - + + Pki-based Authentication IA-5(2) @@ -21723,8 +21723,8 @@

Automated mechanisms supporting and/or implementing PKI-based, authenticator management capability

 - - + + In-person or Trusted Third-party Registration @@ -21796,8 +21796,8 @@

organizational personnel with information security responsibilities

- - + + Automated Support for Password Strength Determination @@ -21850,8 +21850,8 @@

automated tools for determining password strength

- - + + Change Authenticators Prior to Delivery IA-5(5) @@ -21897,8 +21897,8 @@

Automated mechanisms supporting and/or implementing authenticator management capability

 - - + + Protection of Authenticators IA-5(6) @@ -21938,8 +21938,8 @@

automated mechanisms protecting authenticators

 - - + + No Embedded Unencrypted Static Authenticators IA-5(7) @@ -21991,8 +21991,8 @@

automated mechanisms implementing authentication in applications

 - - + + Multiple Information System Accounts @@ -22040,8 +22040,8 @@

Automated mechanisms supporting and/or implementing safeguards for authenticator management

- - + + Cross-organization Credential Management @@ -22089,8 +22089,8 @@

Automated mechanisms supporting and/or implementing safeguards for authenticator management

- - + + Dynamic Credential Association IA-5(10) @@ -22130,8 +22130,8 @@

automated mechanisms implementing dynamic provisioning of identifiers

 - - + + Hardware Token-based Authentication @@ -22183,8 +22183,8 @@

Automated mechanisms supporting and/or implementing hardware token-based authenticator management capability

- - + + Biometric-based Authentication @@ -22236,8 +22236,8 @@

Automated mechanisms supporting and/or implementing biometric-based authenticator management capability

- - + + Expiration of Cached Authenticators @@ -22284,8 +22284,8 @@

Automated mechanisms supporting and/or implementing authenticator management capability

- - + + Managing Content of PKI Trust Stores IA-5(14) @@ -22340,8 +22340,8 @@

automated mechanisms supporting and/or implementing the PKI trust store capability

 - - + + Ficam-approved Products and Services IA-5(15) @@ -22381,7 +22381,7 @@

automated mechanisms supporting and/or implementing identification and authentication management capability for the information system

 - + Authenticator Feedback @@ -22524,7 +22524,7 @@

Automated mechanisms supporting and/or implementing identification and authentication capability

- + Acceptance of PIV Credentials from Other Agencies IA-8(1) @@ -22578,8 +22578,8 @@

automated mechanisms that accept and verify PIV credentials

 - - + + Acceptance of Third-party Credentials IA-8(2) @@ -22624,8 +22624,8 @@

automated mechanisms that accept FICAM-approved credentials

 - - + + Use of Ficam-approved Products @@ -22683,8 +22683,8 @@

Automated mechanisms supporting and/or implementing identification and authentication capability

- - + + Use of Ficam-issued Profiles IA-8(4) @@ -22730,8 +22730,8 @@

automated mechanisms supporting and/or implementing conformance with FICAM-issued profiles

 - - + + Acceptance of PIV-I Credentials IA-8(5) @@ -22783,7 +22783,7 @@

automated mechanisms that accept and verify PIV-I credentials

 - + Service Identification and Authentication @@ -22844,7 +22844,7 @@

Security safeguards implementing service identification and authentication capability

- + Information Exchange IA-9(1) @@ -22892,8 +22892,8 @@

Automated mechanisms implementing service identification and authentication capabilities

 - - + + Transmission of Decisions @@ -22946,7 +22946,7 @@

Automated mechanisms implementing service identification and authentication capabilities

- + Adaptive Identification and Authentication @@ -23304,7 +23304,7 @@

organizational personnel with information security responsibilities

- + Simulated Events IR-2(1) @@ -23338,8 +23338,8 @@

Automated mechanisms that support and/or implement simulated events for incident response training

 - - + + Automated Training Environments IR-2(2) @@ -23374,7 +23374,7 @@

Automated mechanisms that provide a thorough and realistic incident response training environment

 - + Incident Response Testing @@ -23433,7 +23433,7 @@

organizational personnel with information security responsibilities

- + Automated Testing IR-3(1) @@ -23476,8 +23476,8 @@

Automated mechanisms that more thoroughly and effectively test the incident response capability

 - - + + Coordination with Related Plans IR-3(2) @@ -23516,7 +23516,7 @@

organizational personnel with information security responsibilities

 - + Incident Handling @@ -23646,7 +23646,7 @@

Incident handling capability for the organization

- + Automated Incident Handling Processes IR-4(1) @@ -23685,8 +23685,8 @@

Automated mechanisms that support and/or implement the incident handling process

 - - + + Dynamic Reconfiguration @@ -23743,8 +23743,8 @@

Automated mechanisms that support and/or implement dynamic reconfiguration of components as part of incident response

- - + + Continuity of Operations @@ -23799,8 +23799,8 @@

Automated mechanisms that support and/or implement continuity of operations

- - + + Information Correlation IR-4(4) @@ -23847,8 +23847,8 @@

automated mechanisms that support and or implement correlation of incident response information with individual incident responses

 - - + + Automatic Disabling of Information System @@ -23896,8 +23896,8 @@

automated mechanisms supporting and/or implementing automatic disabling of the information system

- - + + Insider Threats - Specific Capabilities IR-4(6) @@ -23936,8 +23936,8 @@

Incident handling capability for the organization

 - - + + Insider Threats - Intra-organization Coordination @@ -23984,8 +23984,8 @@

Organizational processes for coordinating incident handling

- - + + Correlation with External Organizations @@ -24041,8 +24041,8 @@

Organizational processes for coordinating incident handling information with external organizations

- - + + Dynamic Response Capability @@ -24094,8 +24094,8 @@

automated mechanisms supporting and/or implementing the dynamic response capability for the organization

- - + + Supply Chain Coordination IR-4(10) @@ -24128,7 +24128,7 @@

organizational personnel with supply chain responsibilities

 - + Incident Monitoring @@ -24184,7 +24184,7 @@

automated mechanisms supporting and/or implementing tracking and documenting of system security incidents

- + Automated Tracking / Data Collection / Analysis IR-5(1) @@ -24237,7 +24237,7 @@

Automated mechanisms assisting in tracking of security incidents and in the collection and analysis of incident information

 - + Incident Reporting @@ -24319,7 +24319,7 @@

automated mechanisms supporting and/or implementing incident reporting

- + Automated Reporting IR-6(1) @@ -24358,8 +24358,8 @@

automated mechanisms supporting and/or implementing reporting of security incidents

 - - + + Vulnerabilities Related to Incidents @@ -24406,8 +24406,8 @@

automated mechanisms supporting and/or implementing reporting of vulnerabilities associated with security incidents

- - + + Coordination with Supply Chain IR-6(3) @@ -24447,7 +24447,7 @@

automated mechanisms supporting and/or implementing reporting of incident information involved in the supply chain

 - + Incident Response Assistance @@ -24499,7 +24499,7 @@

automated mechanisms supporting and/or implementing incident response assistance

- + Automation Support for Availability of Information / Support IR-7(1) @@ -24539,8 +24539,8 @@

automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support

 - - + + Coordination with External Providers IR-7(2) @@ -24588,7 +24588,7 @@

organizational personnel with information security responsibilities

 - + Incident Response Plan @@ -24933,7 +24933,7 @@

automated mechanisms supporting and/or implementing information spillage response actions and related communications

- + Responsible Personnel @@ -24970,8 +24970,8 @@

organizational personnel with information security responsibilities

- - + + Training @@ -25010,8 +25010,8 @@

organizational personnel with information security responsibilities

- - + + Post-spill Operations @@ -25057,8 +25057,8 @@

Organizational processes for post-spill operations

- - + + Exposure to Unauthorized Personnel @@ -25106,7 +25106,7 @@

automated mechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations

- + Integrated Information Security Analysis Team @@ -25461,13 +25461,13 @@

automated mechanisms implementing sanitization of information system components

- + Record Content MA-2(1) Withdrawn MA-2 - - + + Automated Maintenance Activities MA-2(2) @@ -25552,7 +25552,7 @@

automated mechanisms supporting and/or implementing production of records of maintenance and repair actions

 - + Maintenance Tools @@ -25606,7 +25606,7 @@

automated mechanisms supporting and/or implementing approval, control, and/or monitoring of maintenance tools

- + Inspect Tools MA-3(1) @@ -25644,8 +25644,8 @@

automated mechanisms supporting and/or implementing inspection of maintenance tools

 - - + + Inspect Media MA-3(2) @@ -25682,8 +25682,8 @@

automated mechanisms supporting and/or implementing inspection of media used for maintenance

 - - + + Prevent Unauthorized Removal @@ -25770,8 +25770,8 @@

automated mechanisms supporting verification of media sanitization

- - + + Restricted Tool Use MA-3(4) @@ -25813,7 +25813,7 @@

automated mechanisms supporting and/or implementing restricted use of maintenance tools

 - + Nonlocal Maintenance @@ -25942,7 +25942,7 @@

automated mechanisms for terminating nonlocal maintenance sessions and network connections

- + Auditing and Review @@ -26014,8 +26014,8 @@

automated mechanisms supporting and/or implementing audit and review of nonlocal maintenance

- - + + Document Nonlocal Maintenance MA-4(2) @@ -26051,8 +26051,8 @@

organizational personnel with information security responsibilities

 - - + + Comparable Security / Sanitization MA-4(3) @@ -26129,8 +26129,8 @@

automated mechanisms supporting and/or implementing component sanitization and inspection

 - - + + Authentication / Separation of Maintenance Sessions @@ -26217,8 +26217,8 @@

automated mechanisms implementing logically separated/encrypted communications paths

- - + + Approvals and Notifications @@ -26296,8 +26296,8 @@

automated mechanisms supporting notification and approval of nonlocal maintenance

- - + + Cryptographic Protection MA-4(6) @@ -26339,8 +26339,8 @@

Cryptographic mechanisms protecting nonlocal maintenance and diagnostic communications

 - - + + Remote Disconnect Verification MA-4(7) @@ -26382,7 +26382,7 @@

Automated mechanisms implementing remote disconnect verifications of terminated nonlocal maintenance and diagnostic sessions

 - + Maintenance Personnel @@ -26461,7 +26461,7 @@

automated mechanisms supporting and/or implementing authorization of maintenance personnel

- + Individuals Without Appropriate Access MA-5(1) @@ -26568,8 +26568,8 @@

automated mechanisms supporting and/or implementing information storage component sanitization

 - - + + Security Clearances for Classified Systems MA-5(2) @@ -26625,8 +26625,8 @@

Organizational processes for managing security clearances for maintenance personnel

 - - + + Citizenship Requirements for Classified Systems MA-5(3) @@ -26659,8 +26659,8 @@

organizational personnel with information security responsibilities

 - - + + Foreign Nationals MA-5(4) @@ -26728,8 +26728,8 @@

Organizational processes for managing foreign national maintenance personnel

 - - + + Nonsystem-related Maintenance MA-5(5) @@ -26764,7 +26764,7 @@

organizational personnel with information security responsibilities

 - + Timely Maintenance @@ -26835,7 +26835,7 @@

Organizational processes for ensuring timely maintenance

- + Preventive Maintenance @@ -26893,8 +26893,8 @@

automated mechanisms supporting and/or implementing preventive maintenance

- - + + Predictive Maintenance @@ -26952,8 +26952,8 @@

automated mechanisms supporting and/or implementing predictive maintenance

- - + + Automated Support for Predictive Maintenance MA-6(3) @@ -26993,7 +26993,7 @@

operations of the computer maintenance management system

 - + @@ -27212,18 +27212,18 @@

automated mechanisms supporting and/or implementing media access restrictions

- + Automated Restricted Access MP-2(1) Withdrawn MP-4 (2) - - + + Cryptographic Protection MP-2(2) Withdrawn SC-28 (1) - + Media Marking @@ -27398,13 +27398,13 @@

automated mechanisms supporting and/or implementing secure media storage/media protection

- + Cryptographic Protection MP-4(1) Withdrawn SC-28 (1) - - + + Automated Restricted Access MP-4(2) @@ -27463,7 +27463,7 @@

automated mechanisms auditing access attempts and access granted to media storage areas

 - + Media Transport @@ -27564,19 +27564,19 @@

automated mechanisms supporting and/or implementing media storage/media protection

- + Protection Outside of Controlled Areas MP-5(1) Withdrawn MP-5 - - + + Documentation of Activities MP-5(2) Withdrawn MP-5 - - + + Custodians MP-5(3) @@ -27606,8 +27606,8 @@

organizational personnel with information security responsibilities

 - - + + Cryptographic Protection MP-5(4) @@ -27645,7 +27645,7 @@

Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas

 - + Media Sanitization @@ -27752,7 +27752,7 @@

automated mechanisms supporting and/or implementing media sanitization

- + Review / Approve / Track / Document / Verify MP-6(1) @@ -27814,8 +27814,8 @@

automated mechanisms supporting and/or implementing media sanitization

 - - + + Equipment Testing @@ -27863,8 +27863,8 @@

automated mechanisms supporting and/or implementing media sanitization

- - + + Nondestructive Techniques @@ -27913,26 +27913,26 @@

automated mechanisms supporting and/or implementing media sanitization

- - + + Controlled Unclassified Information MP-6(4) Withdrawn MP-6 - - + + Classified Information MP-6(5) Withdrawn MP-6 - - + + Media Destruction MP-6(6) Withdrawn MP-6 - - + + Dual Authorization @@ -27985,8 +27985,8 @@

automated mechanisms supporting and/or implementing dual authorization

- - + + Remote Purging / Wiping of Information @@ -28051,7 +28051,7 @@

automated mechanisms supporting and/or implementing purge/wipe capabilities

- + Media Use @@ -28145,7 +28145,7 @@

automated mechanisms restricting or prohibiting use of information system media on information systems or system components

- + Prohibit Use Without Owner MP-7(1) @@ -28187,8 +28187,8 @@

automated mechanisms prohibiting use of media on information systems or system components

 - - + + Prohibit Use of Sanitization-resistant Media MP-7(2) @@ -28226,7 +28226,7 @@

automated mechanisms prohibiting use of media on information systems or system components

 - + Media Downgrading @@ -28327,7 +28327,7 @@

automated mechanisms supporting and/or implementing media downgrading

- + Documentation of Process MP-8(1) @@ -28364,8 +28364,8 @@

automated mechanisms supporting and/or implementing media downgrading

 - - + + Equipment Testing @@ -28424,8 +28424,8 @@

automated mechanisms supporting and/or implementing tests for downgrading equipment

- - + + Controlled Unclassified Information @@ -28470,8 +28470,8 @@

automated mechanisms supporting and/or implementing media downgrading

- - + + Classified Information MP-8(4) @@ -28509,7 +28509,7 @@

automated mechanisms supporting and/or implementing media downgrading

 - + @@ -28759,7 +28759,7 @@

automated mechanisms supporting and/or implementing physical access authorizations

- + Access by Position / Role PE-2(1) @@ -28799,8 +28799,8 @@

automated mechanisms supporting and/or implementing physical access authorizations

 - - + + Two Forms of Identification @@ -28853,8 +28853,8 @@

automated mechanisms supporting and/or implementing physical access authorizations

- - + + Restrict Unescorted Access @@ -30617,7 +30617,7 @@

the alternate power supply

- + Emergency Lighting @@ -30665,7 +30665,7 @@

Automated mechanisms supporting and/or implementing emergency lighting capability

- + Essential Missions / Business Functions PE-12(1) @@ -30699,7 +30699,7 @@

Automated mechanisms supporting and/or implementing emergency lighting capability

 - + Fire Protection @@ -30745,7 +30745,7 @@

Automated mechanisms supporting and/or implementing fire suppression/detection devices/systems

- + Detection Devices / Systems @@ -30816,8 +30816,8 @@

automated notifications

- - + + Suppression Devices / Systems @@ -30883,8 +30883,8 @@

automated notifications

- - + + Automatic Fire Suppression PE-13(3) @@ -30920,8 +30920,8 @@

activation of fire suppression devices/systems (simulated)

 - - + + Inspections @@ -30973,7 +30973,7 @@

organizational personnel with information security responsibilities

- + Temperature and Humidity Controls @@ -31066,7 +31066,7 @@

Automated mechanisms supporting and/or implementing maintenance and monitoring of temperature and humidity levels

- + Automatic Controls PE-14(1) @@ -31108,8 +31108,8 @@

Automated mechanisms supporting and/or implementing temperature and humidity levels

 - - + + Monitoring with Alarms / Notifications PE-14(2) @@ -31158,7 +31158,7 @@

Automated mechanisms supporting and/or implementing temperature and humidity monitoring

 - + Water Damage Protection @@ -31211,7 +31211,7 @@

organizational process for activating master water-shutoff

- + Automation Support @@ -31263,7 +31263,7 @@

Automated mechanisms supporting and/or implementing water detection capability and alerts for the information system

- + Delivery and Removal @@ -31484,7 +31484,7 @@

Organizational processes for positioning information system components

- + Facility Site PE-18(1) @@ -31536,7 +31536,7 @@

Organizational processes for site planning

 - + Information Leakage @@ -31575,7 +31575,7 @@

Automated mechanisms supporting and/or implementing protection from information leakage due to electromagnetic signals emanations

- + National Emissions / Tempest Policies and Procedures PE-19(1) @@ -31618,7 +31618,7 @@

Information system components for compliance with national emissions and TEMPEST policies and procedures

 - + Asset Monitoring and Tracking @@ -32067,19 +32067,19 @@

automated mechanisms supporting the information system security plan

- + Concept of Operations PL-2(1) Withdrawn PL-7 - - + + Functional Architecture PL-2(2) Withdrawn PL-8 - - + + Plan / Coordinate with Other Organizational Entities @@ -32125,7 +32125,7 @@

organizational personnel with information security responsibilities

- + System Security Plan Update @@ -32239,7 +32239,7 @@

automated mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior

- + Social Media and Networking Restrictions PL-4(1) @@ -32283,7 +32283,7 @@

automated mechanisms supporting and/or implementing the establishment of rules of behavior

 - + Privacy Impact Assessment @@ -32482,7 +32482,7 @@

automated mechanisms supporting and/or implementing the development, review, and update of the information security architecture

- + Defense-in-depth @@ -32558,8 +32558,8 @@

automated mechanisms supporting and/or implementing the design of the information security architecture

- - + + Supplier Diversity @@ -32617,7 +32617,7 @@

Organizational processes for obtaining information security safeguards from different suppliers

- + Central Management @@ -32974,7 +32974,7 @@

Organizational processes for personnel screening

- + Classified Information PS-3(1) @@ -33017,8 +33017,8 @@

Organizational processes for clearing and indoctrinating personnel for access to classified information

 - - + + Formal Indoctrination PS-3(2) @@ -33054,8 +33054,8 @@

Organizational processes for formal indoctrination for all relevant types of information to which personnel have access

 - - + + Information with Special Protection Measures @@ -33120,7 +33120,7 @@

organizational process for additional personnel screening for information requiring special protection

- + Personnel Termination @@ -33253,7 +33253,7 @@

automated mechanisms for disabling information system access/revoking authenticators

- + Post-employment Requirements PS-4(1) @@ -33306,8 +33306,8 @@

Organizational processes for post-employment requirements

 - - + + Automated Notification @@ -33356,7 +33356,7 @@

automated mechanisms supporting and/or implementing personnel termination notifications

- + Personnel Transfer @@ -33578,13 +33578,13 @@

automated mechanisms supporting access agreements

- + Information Requiring Special Protection PS-6(1) Withdrawn PS-3 - - + + Classified Information Requiring Special Protection PS-6(2) @@ -33649,8 +33649,8 @@

Organizational processes for access to classified information requiring special protection

 - - + + Post-employment Requirements PS-6(3) @@ -33706,7 +33706,7 @@

automated mechanisms supporting notifications and individual acknowledgements of post-employment requirements

 - + Third-party Personnel Security @@ -34487,7 +34487,7 @@

automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing

- + Update Tool Capability RA-5(1) @@ -34527,8 +34527,8 @@

automated mechanisms/tools supporting and/or implementing vulnerability scanning

 - - + + Update by Frequency / Prior to New Scan / When Identified @@ -35570,8 +35570,8 @@

automated mechanisms supporting and/or implementing development of system design details

- - + + Development Methods / Techniques / Practices @@ -35653,14 +35653,14 @@

Organizational processes for development methods, techniques, and processes

- - + + Assignment of Components to Systems SA-4(4) Withdrawn CM-8 (9) - - + + System / Component / Service Configurations @@ -35729,8 +35729,8 @@

Automated mechanisms used to verify that the configuration of the information system, component, or service, as delivered, is as specified

- - + + Use of Information Assurance Products SA-4(6) @@ -35791,8 +35791,8 @@

Organizational processes for selecting and employing evaluated and/or validated information assurance products and services that compose an NSA-approved solution to protect classified information

 - - + + Niap-approved Protection Profiles SA-4(7) @@ -35851,8 +35851,8 @@

Organizational processes for selecting and employing products/services evaluated against a NIAP-approved protection profile or FIPS-validated products

 - - + + Continuous Monitoring Plan @@ -35907,8 +35907,8 @@

automated mechanisms supporting and/or implementing developer continuous monitoring

- - + + Functions / Ports / Protocols / Services in Use SA-4(9) @@ -35964,8 +35964,8 @@

organizational personnel with information security responsibilities

 - - + + Use of Approved PIV Products SA-4(10) @@ -36005,7 +36005,7 @@

Organizational processes for selecting and employing FIPS 201-approved products

 - + Information System Documentation @@ -36192,36 +36192,36 @@

Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation

- + Functional Properties of Security Controls SA-5(1) Withdrawn SA-4 (1) - - + + Security-relevant External System Interfaces SA-5(2) Withdrawn SA-4 (2) - - + + High-level Design SA-5(3) Withdrawn SA-4 (2) - - + + Low-level Design SA-5(4) Withdrawn SA-4 (2) - - + + Source Code SA-5(5) Withdrawn SA-4 (2) - + Software Usage Restrictions @@ -36402,7 +36402,7 @@

automated mechanisms for monitoring security control compliance by external service providers on an ongoing basis

- + Risk Assessments / Organizational Approvals @@ -36474,8 +36474,8 @@

automated mechanisms supporting and/or implementing approval processes

- - + + Identification of Functions / Ports / Protocols / Services @@ -36537,8 +36537,8 @@

external providers of information system services

- - + + Establish / Maintain Trust Relationship with Providers @@ -36595,8 +36595,8 @@

external providers of information system services

- - + + Consistent Interests of Consumers and Providers @@ -36656,8 +36656,8 @@

automated mechanisms supporting and/or implementing safeguards to ensure consistent interests with external service providers

- - + + Processing, Storage, and Service Location @@ -38357,8 +38357,8 @@

automated mechanisms supporting and/or implementing the analysis/testing of supply chain elements, processes, and actors

- - + + Inter-organizational Agreements SA-12(12) @@ -38404,8 +38404,8 @@

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

 - - + + Critical Information System Components @@ -38461,8 +38461,8 @@

automated mechanisms supporting and/or implementing the security safeguards that ensure an adequate supply of critical information system components

- - + + Identity and Traceability @@ -38523,8 +38523,8 @@

automated mechanisms supporting and/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors

- - + + Processes to Address Weaknesses or Deficiencies SA-12(15) @@ -38562,7 +38562,7 @@

automated mechanisms supporting and/or implementing the addressing of weaknesses or deficiencies in supply chain elements

 - + Trustworthiness @@ -38706,12 +38706,12 @@

organizational personnel with responsibilities for performing criticality analysis for the information system

- + Critical Components with No Viable Alternative Sourcing SA-14(1) Withdrawn SA-20 - + Development Process, Standards, and Tools @@ -38850,7 +38850,7 @@

system developer

- + Quality Metrics @@ -39970,8 +39970,8 @@

organizational personnel with security architecture and design responsibilities

- - + + Conceptually Simple Design SA-17(5) @@ -40027,8 +40027,8 @@

organizational personnel with security architecture and design responsibilities

 - - + + Structure for Testing SA-17(6) @@ -40066,8 +40066,8 @@

organizational personnel with security architecture and design responsibilities

 - - + + Structure for Least Privilege SA-17(7) @@ -40106,7 +40106,7 @@

organizational personnel with security architecture and design responsibilities

 - + Tamper Resistance and Detection @@ -40149,7 +40149,7 @@

automated mechanisms supporting and/or implementing the tamper protection program

- + Multiple Phases of SDLC SA-18(1) @@ -40210,8 +40210,8 @@

automated mechanisms supporting and/or implementing anti-tamper technologies

 - - + + Inspection of Information Systems, Components, or Devices @@ -40293,7 +40293,7 @@

automated mechanisms supporting and/or implementing tampering detection

- + Component Authenticity @@ -40391,7 +40391,7 @@

automated mechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting

- + Anti-counterfeit Training @@ -40438,8 +40438,8 @@

Organizational processes for anti-counterfeit training

- - + + Configuration Control for Component Service / Repair @@ -40496,8 +40496,8 @@

automated mechanisms supporting and/or implementing configuration management

- - + + Component Disposal @@ -40548,8 +40548,8 @@

automated mechanisms supporting and/or implementing system component disposal

- - + + Anti-counterfeit Scanning @@ -40597,7 +40597,7 @@

automated mechanisms supporting and/or implementing anti-counterfeit scanning

- + Customized Development of Critical Components @@ -40736,7 +40736,7 @@

automated mechanisms supporting developer screening

- + Validation of Screening @@ -40789,7 +40789,7 @@

automated mechanisms supporting developer screening

- + Unsupported System Components @@ -40854,7 +40854,7 @@

automated mechanisms supporting and/or implementing replacement of unsupported system components

- + Alternative Sources for Continued Support @@ -43168,8 +43168,8 @@

organizational processes for defining and implementing alternative physical safeguards

- - + + Pre / Post Transmission Handling @@ -43665,8 +43665,8 @@

Automated mechanisms supporting and/or implementing symmetric cryptographic key establishment and management

- - + + Asymmetric Keys @@ -46145,8 +46145,8 @@

automated mechanisms supporting and/or implementing the capability to reduce the bandwidth of covert channels

- - + + Measure Bandwidth in Operational Environments @@ -46198,7 +46198,7 @@

automated mechanisms supporting and/or implementing the capability to measure the bandwidth of covert channels

- + Information System Partitioning @@ -46353,7 +46353,7 @@

automated mechanisms supporting and/or implementing loading and executing applications from hardware-enforced, read-only media

- + No Writable Storage @@ -46407,8 +46407,8 @@

automated mechanisms supporting and/or implementing persistent non-writeable storage across component restart and power on/off

- - + + Integrity Protection / Read-only Media SC-34(2) @@ -46465,8 +46465,8 @@

Automated mechanisms supporting and/or implementing capability for protecting information integrity on read-only media prior to storage and after information has been recorded onto the media

 - - + + Hardware-based Protection @@ -46541,7 +46541,7 @@

automated mechanisms supporting and/or implementing hardware-based, write-protection for firmware

- + Honeyclients @@ -46646,7 +46646,7 @@

automated mechanisms supporting and/or implementing capability for distributing processing and storage across multiple physical locations

- + Polling Techniques @@ -46698,7 +46698,7 @@

Automated mechanisms supporting and/or implementing polling techniques

- + Out-of-band Channels @@ -46783,7 +46783,7 @@

automated mechanisms supporting and/or implementing use of out-of-band channels

- + Ensure Delivery / Transmission @@ -46855,7 +46855,7 @@

automated mechanisms supporting/implementing safeguards to ensure delivery of designated information, system components, or devices

- + Operations Security @@ -46957,7 +46957,7 @@

Automated mechanisms supporting and/or implementing separate execution domains for each executing process

- + Hardware Separation SC-39(1) @@ -46998,8 +46998,8 @@

Information system capability implementing underlying hardware separation mechanisms for process separation

 - - + + Thread Isolation @@ -47049,7 +47049,7 @@

Information system capability implementing a separate execution domain for each thread in multi-threaded processing

- + Wireless Link Protection @@ -47123,7 +47123,7 @@

Automated mechanisms supporting and/or implementing protection of wireless links

- + Electromagnetic Interference @@ -47180,8 +47180,8 @@

Cryptographic mechanisms enforcing protections against effects of intentional electromagnetic interference

- - + + Reduce Detection Potential @@ -47238,8 +47238,8 @@

Cryptographic mechanisms enforcing protections to reduce detection of wireless links

- - + + Imitative or Manipulative Communications Deception SC-40(3) @@ -47291,8 +47291,8 @@

Cryptographic mechanisms enforcing wireless link protections against imitative or manipulative communications deception

 - - + + Signal Parameter Identification @@ -47347,7 +47347,7 @@

Cryptographic mechanisms preventing the identification of wireless transmitters

- + Port and I/O Device Access @@ -47484,7 +47484,7 @@

automated mechanisms implementing capability to indicate sensor use

- + Reporting to Authorized Individuals or Roles @@ -47537,8 +47537,8 @@

sensor data collection and reporting capability for the information system

- - + + Authorized Use @@ -47598,8 +47598,8 @@

sensor information collection capability for the information system

- - + + Prohibit Use of Devices @@ -47653,7 +47653,7 @@

organizational personnel with responsibility for sensor capability

- + Usage Restrictions @@ -48073,7 +48073,7 @@

automated mechanisms supporting and/or implementing testing software and firmware updates

- + Central Management SI-2(1) @@ -48113,8 +48113,8 @@

automated mechanisms supporting and/or implementing central management of the flaw remediation process

 - - + + Automated Flaw Remediation Status @@ -48165,8 +48165,8 @@

Automated mechanisms used to determine the state of information system components with regard to flaw remediation

- - + + Time to Remediate Flaws / Benchmarks for Corrective Actions @@ -48234,14 +48234,14 @@

automated mechanisms used to measure the time between flaw identification and flaw remediation

- - + + Automated Patch Management Tools SI-2(4) Withdrawn SI-2 - - + + Automatic Software / Firmware Updates @@ -48320,8 +48320,8 @@

Automated mechanisms implementing automatic software/firmware updates

- - + + Removal of Previous Versions of Software / Firmware @@ -48386,7 +48386,7 @@

Automated mechanisms supporting and/or implementing removal of previous versions of software/firmware

- + Malicious Code Protection @@ -48565,7 +48565,7 @@

automated mechanisms supporting and/or implementing malicious code scanning and subsequent actions

- + Central Management SI-3(1) @@ -48607,8 +48607,8 @@

automated mechanisms supporting and/or implementing central management of malicious code protection mechanisms

 - - + + Automatic Updates SI-3(2) @@ -48649,14 +48649,14 @@

Automated mechanisms supporting and/or implementing automatic updates to malicious code protection capability

 - - + + Non-privileged Users SI-3(3) Withdrawn AC-6 (10) - - + + Updates Only by Privileged Users SI-3(4) @@ -48699,14 +48699,14 @@

Automated mechanisms supporting and/or implementing malicious code protection capability

 - - + + Portable Storage Devices SI-3(5) Withdrawn MP-7 - - + + Testing / Verification @@ -48783,8 +48783,8 @@

Automated mechanisms supporting and/or implementing testing and verification of malicious code protection capability

- - + + Nonsignature-based Detection SI-3(7) @@ -48825,8 +48825,8 @@

Automated mechanisms supporting and/or implementing nonsignature-based malicious code protection capability

 - - + + Detect Unauthorized Commands @@ -48906,8 +48906,8 @@

automated mechanisms supporting and/or implementing detection of unauthorized operating system commands through the kernel application programming interface

- - + + Authenticate Remote Commands @@ -48971,8 +48971,8 @@

automated mechanisms supporting and/or implementing security safeguards to authenticate remote commands

- - + + Malicious Code Analysis @@ -49048,7 +49048,7 @@

tools and techniques for analysis of malicious code characteristics and behavior

- + Information System Monitoring @@ -49292,7 +49292,7 @@

automated mechanisms supporting and/or implementing information system monitoring capability

- + System-wide Intrusion Detection System SI-4(1) @@ -49338,8 +49338,8 @@

automated mechanisms supporting and/or implementing intrusion detection capability

 - - + + Automated Tools for Real-time Analysis SI-4(2) @@ -49382,8 +49382,8 @@

automated mechanisms/tools supporting and/or implementing analysis of events

 - - + + Automated Tool Integration SI-4(3) @@ -49432,8 +49432,8 @@

automated mechanisms/tools supporting and/or implementing integration of intrusion detection tools into access/flow control mechanisms

 - - + + Inbound and Outbound Communications Traffic @@ -49503,8 +49503,8 @@

automated mechanisms supporting and/or implementing monitoring of inbound/outbound communications traffic

- - + + System-generated Alerts @@ -49567,14 +49567,14 @@

automated mechanisms supporting and/or implementing alerts for compromise indicators

- - + + Restrict Non-privileged Users SI-4(6) Withdrawn AC-6 (10) - - + + Automated Response to Suspicious Events @@ -49642,14 +49642,14 @@

automated mechanisms supporting and/or implementing actions to terminate suspicious events

- - + + Protection of Monitoring Information SI-4(8) Withdrawn SI-4 - - + + Testing of Monitoring Tools @@ -49700,8 +49700,8 @@

automated mechanisms supporting and/or implementing testing of intrusion-monitoring tools

- - + + Visibility of Encrypted Communications @@ -49761,8 +49761,8 @@

automated mechanisms supporting and/or implementing visibility of encrypted communications traffic to monitoring tools

- - + + Analyze Communications Traffic Anomalies @@ -49825,8 +49825,8 @@

automated mechanisms supporting and/or implementing analysis of communications traffic

- - + + Automated Alerts @@ -49885,8 +49885,8 @@

automated mechanisms supporting and/or implementing automated alerts to security personnel

- - + + Analyze Traffic / Event Patterns SI-4(13) @@ -49954,8 +49954,8 @@

automated mechanisms supporting and/or implementing analysis of communications traffic/event patterns

 - - + + Wireless Intrusion Detection SI-4(14) @@ -50011,8 +50011,8 @@

automated mechanisms supporting and/or implementing wireless intrusion detection capability

 - - + + Wireless to Wireline Communications SI-4(15) @@ -50055,8 +50055,8 @@

automated mechanisms supporting and/or implementing wireless intrusion detection capability

 - - + + Correlate Monitoring Information SI-4(16) @@ -50100,8 +50100,8 @@

automated mechanisms supporting and/or implementing correlation of information from monitoring tools

 - - + + Integrated Situational Awareness SI-4(17) @@ -50157,8 +50157,8 @@

automated mechanisms supporting and/or implementing correlation of information from monitoring tools

 - - + + Analyze Traffic / Covert Exfiltration @@ -50221,8 +50221,8 @@

automated mechanisms supporting and/or implementing analysis of outbound communications traffic

- - + + Individuals Posing Greater Risk @@ -50281,8 +50281,8 @@

automated mechanisms supporting and/or implementing system monitoring capability

- - + + Privileged Users @@ -50332,8 +50332,8 @@

automated mechanisms supporting and/or implementing system monitoring capability

- - + + Probationary Periods @@ -50389,8 +50389,8 @@

automated mechanisms supporting and/or implementing system monitoring capability

- - + + Unauthorized Network Services @@ -50472,8 +50472,8 @@

automated mechanisms for providing alerts

- - + + Host-based Devices @@ -50534,8 +50534,8 @@

automated mechanisms supporting and/or implementing host-based monitoring capability

- - + + Indicators of Compromise SI-4(24) @@ -50595,7 +50595,7 @@

automated mechanisms supporting and/or implementing the discovery, collection, distribution, and use of indicators of compromise

 - + Security Alerts, Advisories, and Directives @@ -50730,7 +50730,7 @@

automated mechanisms supporting and/or implementing security directives

- + Automated Alerts and Advisories SI-5(1) @@ -50772,7 +50772,7 @@

automated mechanisms supporting and/or implementing dissemination of security alerts and advisories

 - + Security Function Verification @@ -50935,13 +50935,13 @@

automated mechanisms supporting and/or implementing security function verification capability

- + Notification of Failed Security Tests SI-6(1) Withdrawn SI-6 - - + + Automation Support for Distributed Testing SI-6(2) @@ -50980,8 +50980,8 @@

automated mechanisms supporting and/or implementing the management of distributed security testing

 - - + + Report Verification Results @@ -51033,7 +51033,7 @@

automated mechanisms supporting and/or implementing the reporting of security function verification results

- + Software, Firmware, and Information Integrity @@ -51114,7 +51114,7 @@

Software, firmware, and information integrity verification tools

- + Integrity Checks @@ -51233,8 +51233,8 @@

Software, firmware, and information integrity verification tools

- - + + Automated Notifications of Integrity Violations @@ -51286,8 +51286,8 @@

automated mechanisms providing integrity discrepancy notifications

- - + + Centrally-managed Integrity Tools SI-7(3) @@ -51326,14 +51326,14 @@

Automated mechanisms supporting and/or implementing central management of integrity verification tools

 - - + + Tamper-evident Packaging SI-7(4) Withdrawn SA-12 - - + + Automated Response to Integrity Violations @@ -51614,8 +51614,8 @@

automated mechanisms supporting and/or implementing alerts about potential integrity violations

- - + + Verify Boot Process @@ -51667,8 +51667,8 @@

automated mechanisms supporting and/or implementing integrity verification of the boot process

- - + + Protection of Boot Firmware @@ -51728,8 +51728,8 @@

safeguards implementing protection of the integrity of boot firmware

- - + + Confined Environments with Limited Privileges @@ -51778,8 +51778,8 @@

automated mechanisms supporting and/or implementing limited privileges in the confined environment

- - + + Integrity Verification @@ -51828,8 +51828,8 @@

automated mechanisms supporting and/or implementing verification of the integrity of user-installed software prior to execution

- - + + Code Execution in Protected Environments @@ -51888,8 +51888,8 @@

automated mechanisms supporting and/or implementing approvals for execution of binary or machine-executable code

- - + + Binary or Machine Executable Code SI-7(14) @@ -51962,8 +51962,8 @@

Automated mechanisms supporting and/or implementing prohibition of the execution of binary or machine-executable code

 - - + + Code Authentication @@ -52027,8 +52027,8 @@

Cryptographic mechanisms authenticating software/firmware prior to installation

- - + + Time Limit On Process Execution w/o Supervision @@ -52078,7 +52078,7 @@

automated mechanisms supporting and/or implementing time limits on process execution without supervision

- + Spam Protection @@ -52160,7 +52160,7 @@

automated mechanisms supporting and/or implementing spam protection

- + Central Management SI-8(1) @@ -52202,8 +52202,8 @@

automated mechanisms supporting and/or implementing central management of spam protection

 - - + + Automatic Updates SI-8(2) @@ -52241,8 +52241,8 @@

automated mechanisms supporting and/or implementing automatic updates to spam protection mechanisms

 - - + + Continuous Learning Capability SI-8(3) @@ -52282,7 +52282,7 @@

automated mechanisms supporting and/or implementing spam protection mechanisms with a learning capability

 - + Information Input Restrictions @@ -52346,7 +52346,7 @@

Automated mechanisms supporting and/or implementing validity checks on information inputs

- + Manual Override Capability @@ -52436,8 +52436,8 @@

automated mechanisms supporting and/or implementing auditing of the use of manual override capability

- - + + Review / Resolution of Errors @@ -52490,8 +52490,8 @@

automated mechanisms supporting and/or implementing review and resolution of input validation errors

- - + + Predictable Behavior SI-10(3) @@ -52529,8 +52529,8 @@

Automated mechanisms supporting and/or implementing predictable behavior when invalid inputs are received

 - - + + Review / Timing Interactions SI-10(4) @@ -52569,8 +52569,8 @@

automated mechanisms supporting and/or implementing responses to invalid inputs

 - - + + Restrict Inputs to Trusted Sources and Approved Formats @@ -52637,7 +52637,7 @@

automated mechanisms supporting and/or implementing restriction of information inputs

- + Error Handling @@ -52850,7 +52850,7 @@

Organizational processes for managing MTTF

- + Transferring Component Responsibilities @@ -52897,14 +52897,14 @@

automated mechanisms supporting and/or implementing transfer of component responsibilities to substitute components

- - + + Time Limit On Process Execution Without Supervision SI-13(2) Withdrawn SI-7 (16) - - + + Manual Transfer Between Components @@ -52957,8 +52957,8 @@

Organizational processes for managing MTTF and conducting the manual transfer between active and standby components

- - + + Standby Component Installation / Notification @@ -53051,8 +53051,8 @@

automated mechanisms supporting and/or implementing alarms or system shutdown if component failures are detected

- - + + Failover Capability