Tactics
Techniques
Countermeasures
Countermeasures
Space Segment Cybersecurity Profile
NIST References
ISO IEC 27001
NASA Best Practice Guide
D3FEND
Tactics
Technqiues
Artifacts
Resources
General Information
Getting Started
FAQ
Working with SPARTA
Updates
SPARTA Versions
Contribute
Related Work
Spacecraft Functional Decomposition
Defense-in-Depth Space Systems
Threat Levels
Threats
Risk Assessment
Cybersecurity Protections for
Spacecraft: A Threat Based
Approach (pdf)
Tools
Navigator
Countermeasure Mapper
Control Mapper
Spacecraft Mapper
JSON Creator
Notional Risk Scores
Search
NIST References
SP 800-53 Revision 5
AC - Access Control
AC-1 - Policy and Procedures
AC-2 - Account Management
AC-2(1) - Account Management | Automated System Account Management
AC-2(2) - Account Management | Automated Temporary and Emergency Account Management
AC-2(3) - Account Management | Disable Accounts
AC-2(4) - Account Management | Automated Audit Actions
AC-2(5) - Account Management | Inactivity Logout
AC-2(6) - Account Management | Dynamic Privilege Management
AC-2(7) - Account Management | Privileged User Accounts
AC-2(8) - Account Management | Dynamic Account Management
AC-2(9) - Account Management | Restrictions on Use of Shared and Group Accounts
AC-2(11) - Account Management | Usage Conditions
AC-2(12) - Account Management | Account Monitoring for Atypical Usage
AC-2(13) - Account Management | Disable Accounts for High-risk Individuals
AC-3 - Access Enforcement
AC-3(2) - Access Enforcement | Dual Authorization
AC-3(3) - Access Enforcement | Mandatory Access Control
AC-3(4) - Access Enforcement | Discretionary Access Control
AC-3(5) - Access Enforcement | Security-relevant Information
AC-3(7) - Access Enforcement | Role-based Access Control
AC-3(8) - Access Enforcement | Revocation of Access Authorizations
AC-3(9) - Access Enforcement | Controlled Release
AC-3(10) - Access Enforcement | Audited Override of Access Control Mechanisms
AC-3(11) - Access Enforcement | Restrict Access to Specific Information Types
AC-3(12) - Access Enforcement | Assert and Enforce Application Access
AC-3(13) - Access Enforcement | Attribute-based Access Control
AC-3(14) - Access Enforcement | Individual Access
AC-3(15) - Access Enforcement | Discretionary and Mandatory Access Control
AC-4 - Information Flow Enforcement
AC-4(1) - Information Flow Enforcement | Object Security and Privacy Attributes
AC-4(2) - Information Flow Enforcement | Processing Domains
AC-4(3) - Information Flow Enforcement | Dynamic Information Flow Control
AC-4(4) - Information Flow Enforcement | Flow Control of Encrypted Information
AC-4(5) - Information Flow Enforcement | Embedded Data Types
AC-4(6) - Information Flow Enforcement | Metadata
AC-4(7) - Information Flow Enforcement | One-way Flow Mechanisms
AC-4(8) - Information Flow Enforcement | Security and Privacy Policy Filters
AC-4(9) - Information Flow Enforcement | Human Reviews
AC-4(10) - Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters
AC-4(11) - Information Flow Enforcement | Configuration of Security or Privacy Policy Filters
AC-4(12) - Information Flow Enforcement | Data Type Identifiers
AC-4(13) - Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents
AC-4(14) - Information Flow Enforcement | Security or Privacy Policy Filter Constraints
AC-4(15) - Information Flow Enforcement | Detection of Unsanctioned Information
AC-4(17) - Information Flow Enforcement | Domain Authentication
AC-4(19) - Information Flow Enforcement | Validation of Metadata
AC-4(20) - Information Flow Enforcement | Approved Solutions
AC-4(21) - Information Flow Enforcement | Physical or Logical Separation of Information Flows
AC-4(22) - Information Flow Enforcement | Access Only
AC-4(23) - Information Flow Enforcement | Modify Non-releasable Information
AC-4(24) - Information Flow Enforcement | Internal Normalized Format
AC-4(25) - Information Flow Enforcement | Data Sanitization
AC-4(26) - Information Flow Enforcement | Audit Filtering Actions
AC-4(27) - Information Flow Enforcement | Redundant/independent Filtering Mechanisms
AC-4(28) - Information Flow Enforcement | Linear Filter Pipelines
AC-4(29) - Information Flow Enforcement | Filter Orchestration Engines
AC-4(30) - Information Flow Enforcement | Filter Mechanisms Using Multiple Processes
AC-4(31) - Information Flow Enforcement | Failed Content Transfer Prevention
AC-4(32) - Information Flow Enforcement | Process Requirements for Information Transfer
AC-5 - Separation of Duties
AC-6 - Least Privilege
AC-6(1) - Least Privilege | Authorize Access to Security Functions
AC-6(2) - Least Privilege | Non-privileged Access for Nonsecurity Functions
AC-6(3) - Least Privilege | Network Access to Privileged Commands
AC-6(4) - Least Privilege | Separate Processing Domains
AC-6(5) - Least Privilege | Privileged Accounts
AC-6(6) - Least Privilege | Privileged Access by Non-organizational Users
AC-6(7) - Least Privilege | Review of User Privileges
AC-6(8) - Least Privilege | Privilege Levels for Code Execution
AC-6(9) - Least Privilege | Log Use of Privileged Functions
AC-6(10) - Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions
AC-7 - Unsuccessful Logon Attempts
AC-7(2) - Unsuccessful Logon Attempts | Purge or Wipe Mobile Device
AC-7(3) - Unsuccessful Logon Attempts | Biometric Attempt Limiting
AC-7(4) - Unsuccessful Logon Attempts | Use of Alternate Authentication Factor
AC-8 - System Use Notification
AC-9 - Previous Logon Notification
AC-9(1) - Previous Logon Notification | Unsuccessful Logons
AC-9(2) - Previous Logon Notification | Successful and Unsuccessful Logons
AC-9(3) - Previous Logon Notification | Notification of Account Changes
AC-9(4) - Previous Logon Notification | Additional Logon Information
AC-10 - Concurrent Session Control
AC-11 - Device Lock
AC-11(1) - Device Lock | Pattern-hiding Displays
AC-12 - Session Termination
AC-12(1) - Session Termination | User-initiated Logouts
AC-12(2) - Session Termination | Termination Message
AC-12(3) - Session Termination | Timeout Warning Message
AC-14 - Permitted Actions Without Identification or Authentication
AC-16 - Security and Privacy Attributes
AC-16(1) - Security and Privacy Attributes | Dynamic Attribute Association
AC-16(2) - Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals
AC-16(3) - Security and Privacy Attributes | Maintenance of Attribute Associations by System
AC-16(4) - Security and Privacy Attributes | Association of Attributes by Authorized Individuals
AC-16(5) - Security and Privacy Attributes | Attribute Displays on Objects to Be Output
AC-16(6) - Security and Privacy Attributes | Maintenance of Attribute Association
AC-16(7) - Security and Privacy Attributes | Consistent Attribute Interpretation
AC-16(8) - Security and Privacy Attributes | Association Techniques and Technologies
AC-16(9) - Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms
AC-16(10) - Security and Privacy Attributes | Attribute Configuration by Authorized Individuals
AC-17 - Remote Access
AC-17(1) - Remote Access | Monitoring and Control
AC-17(2) - Remote Access | Protection of Confidentiality and Integrity Using Encryption
AC-17(3) - Remote Access | Managed Access Control Points
AC-17(4) - Remote Access | Privileged Commands and Access
AC-17(6) - Remote Access | Protection of Mechanism Information
AC-17(9) - Remote Access | Disconnect or Disable Access
AC-17(10) - Remote Access | Authenticate Remote Commands
AC-18 - Wireless Access
AC-18(1) - Wireless Access | Authentication and Encryption
AC-18(3) - Wireless Access | Disable Wireless Networking
AC-18(4) - Wireless Access | Restrict Configurations by Users
AC-18(5) - Wireless Access | Antennas and Transmission Power Levels
AC-19 - Access Control for Mobile Devices
AC-19(4) - Access Control for Mobile Devices | Restrictions for Classified Information
AC-19(5) - Access Control for Mobile Devices | Full Device or Container-based Encryption
AC-20 - Use of External Systems
AC-20(1) - Use of External Systems | Limits on Authorized Use
AC-20(2) - Use of External Systems | Portable Storage Devices — Restricted Use
AC-20(3) - Use of External Systems | Non-organizationally Owned Systems — Restricted Use
AC-20(4) - Use of External Systems | Network Accessible Storage Devices — Prohibited Use
AC-20(5) - Use of External Systems | Portable Storage Devices — Prohibited Use
AC-21 - Information Sharing
AC-21(1) - Information Sharing | Automated Decision Support
AC-21(2) - Information Sharing | Information Search and Retrieval
AC-22 - Publicly Accessible Content
AC-23 - Data Mining Protection
AC-24 - Access Control Decisions
AC-24(1) - Access Control Decisions | Transmit Access Authorization Information
AC-24(2) - Access Control Decisions | No User or Process Identity
AC-25 - Reference Monitor
AT - Awareness and Training
AT-1 - Policy and Procedures
AT-2 - Literacy Training and Awareness
AT-2(1) - Literacy Training and Awareness | Practical Exercises
AT-2(2) - Literacy Training and Awareness | Insider Threat
AT-2(3) - Literacy Training and Awareness | Social Engineering and Mining
AT-2(4) - Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior
AT-2(5) - Literacy Training and Awareness | Advanced Persistent Threat
AT-2(6) - Literacy Training and Awareness | Cyber Threat Environment
AT-3 - Role-based Training
AT-3(1) - Role-based Training | Environmental Controls
AT-3(2) - Role-based Training | Physical Security Controls
AT-3(3) - Role-based Training | Practical Exercises
AT-3(5) - Role-based Training | Processing Personally Identifiable Information
AT-4 - Training Records
AT-6 - Training Feedback
AU - Audit and Accountability
AU-1 - Policy and Procedures
AU-2 - Event Logging
AU-3 - Content of Audit Records
AU-3(1) - Content of Audit Records | Additional Audit Information
AU-3(3) - Content of Audit Records | Limit Personally Identifiable Information Elements
AU-4 - Audit Log Storage Capacity
AU-4(1) - Audit Log Storage Capacity | Transfer to Alternate Storage
AU-5 - Response to Audit Logging Process Failures
AU-5(1) - Response to Audit Logging Process Failures | Storage Capacity Warning
AU-5(2) - Response to Audit Logging Process Failures | Real-time Alerts
AU-5(3) - Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds
AU-5(4) - Response to Audit Logging Process Failures | Shutdown on Failure
AU-5(5) - Response to Audit Logging Process Failures | Alternate Audit Logging Capability
AU-6 - Audit Record Review, Analysis, and Reporting
AU-6(1) - Audit Record Review, Analysis, and Reporting | Automated Process Integration
AU-6(3) - Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories
AU-6(4) - Audit Record Review, Analysis, and Reporting | Central Review and Analysis
AU-6(5) - Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records
AU-6(6) - Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring
AU-6(7) - Audit Record Review, Analysis, and Reporting | Permitted Actions
AU-6(8) - Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands
AU-6(9) - Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources
AU-7 - Audit Record Reduction and Report Generation
AU-7(1) - Audit Record Reduction and Report Generation | Automatic Processing
AU-8 - Time Stamps
AU-9 - Protection of Audit Information
AU-9(1) - Protection of Audit Information | Hardware Write-once Media
AU-9(2) - Protection of Audit Information | Store on Separate Physical Systems or Components
AU-9(3) - Protection of Audit Information | Cryptographic Protection
AU-9(4) - Protection of Audit Information | Access by Subset of Privileged Users
AU-9(5) - Protection of Audit Information | Dual Authorization
AU-9(6) - Protection of Audit Information | Read-only Access
AU-9(7) - Protection of Audit Information | Store on Component with Different Operating System
AU-10 - Non-repudiation
AU-10(1) - Non-repudiation | Association of Identities
AU-10(2) - Non-repudiation | Validate Binding of Information Producer Identity
AU-10(3) - Non-repudiation | Chain of Custody
AU-10(4) - Non-repudiation | Validate Binding of Information Reviewer Identity
AU-11 - Audit Record Retention
AU-11(1) - Audit Record Retention | Long-term Retrieval Capability
AU-12 - Audit Record Generation
AU-12(1) - Audit Record Generation | System-wide and Time-correlated Audit Trail
AU-12(2) - Audit Record Generation | Standardized Formats
AU-12(3) - Audit Record Generation | Changes by Authorized Individuals
AU-12(4) - Audit Record Generation | Query Parameter Audits of Personally Identifiable Information
AU-13 - Monitoring for Information Disclosure
AU-13(1) - Monitoring for Information Disclosure | Use of Automated Tools
AU-13(2) - Monitoring for Information Disclosure | Review of Monitored Sites
AU-13(3) - Monitoring for Information Disclosure | Unauthorized Replication of Information
AU-14 - Session Audit
AU-14(1) - Session Audit | System Start-up
AU-14(3) - Session Audit | Remote Viewing and Listening
AU-16 - Cross-organizational Audit Logging
AU-16(1) - Cross-organizational Audit Logging | Identity Preservation
AU-16(2) - Cross-organizational Audit Logging | Sharing of Audit Information
AU-16(3) - Cross-organizational Audit Logging | Disassociability
CA - Assessment, Authorization, and Monitoring
CA-1 - Policy and Procedures
CA-2 - Control Assessments
CA-2(1) - Control Assessments | Independent Assessors
CA-2(2) - Control Assessments | Specialized Assessments
CA-2(3) - Control Assessments | Leveraging Results from External Organizations
CA-3 - Information Exchange
CA-3(6) - Information Exchange | Transfer Authorizations
CA-3(7) - Information Exchange | Transitive Information Exchanges
CA-5 - Plan of Action and Milestones
CA-5(1) - Plan of Action and Milestones | Automation Support for Accuracy and Currency
CA-6 - Authorization
CA-6(1) - Authorization | Joint Authorization — Intra-organization
CA-6(2) - Authorization | Joint Authorization — Inter-organization
CA-7 - Continuous Monitoring
CA-7(1) - Continuous Monitoring | Independent Assessment
CA-7(3) - Continuous Monitoring | Trend Analyses
CA-7(4) - Continuous Monitoring | Risk Monitoring
CA-7(5) - Continuous Monitoring | Consistency Analysis
CA-7(6) - Continuous Monitoring | Automation Support for Monitoring
CA-8 - Penetration Testing
CA-8(1) - Penetration Testing | Independent Penetration Testing Agent or Team
CA-8(2) - Penetration Testing | Red Team Exercises
CA-8(3) - Penetration Testing | Facility Penetration Testing
CA-9 - Internal System Connections
CA-9(1) - Internal System Connections | Compliance Checks
CM - Configuration Management
CM-1 - Policy and Procedures
CM-2 - Baseline Configuration
CM-2(2) - Baseline Configuration | Automation Support for Accuracy and Currency
CM-2(3) - Baseline Configuration | Retention of Previous Configurations
CM-2(6) - Baseline Configuration | Development and Test Environments
CM-2(7) - Baseline Configuration | Configure Systems and Components for High-risk Areas
CM-3 - Configuration Change Control
CM-3(1) - Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes
CM-3(2) - Configuration Change Control | Testing, Validation, and Documentation of Changes
CM-3(3) - Configuration Change Control | Automated Change Implementation
CM-3(4) - Configuration Change Control | Security and Privacy Representatives
CM-3(5) - Configuration Change Control | Automated Security Response
CM-3(6) - Configuration Change Control | Cryptography Management
CM-3(7) - Configuration Change Control | Review System Changes
CM-3(8) - Configuration Change Control | Prevent or Restrict Configuration Changes
CM-4 - Impact Analyses
CM-4(1) - Impact Analyses | Separate Test Environments
CM-4(2) - Impact Analyses | Verification of Controls
CM-5 - Access Restrictions for Change
CM-5(1) - Access Restrictions for Change | Automated Access Enforcement and Audit Records
CM-5(4) - Access Restrictions for Change | Dual Authorization
CM-5(5) - Access Restrictions for Change | Privilege Limitation for Production and Operation
CM-5(6) - Access Restrictions for Change | Limit Library Privileges
CM-6 - Configuration Settings
CM-6(1) - Configuration Settings | Automated Management, Application, and Verification
CM-6(2) - Configuration Settings | Respond to Unauthorized Changes
CM-7 - Least Functionality
CM-7(1) - Least Functionality | Periodic Review
CM-7(2) - Least Functionality | Prevent Program Execution
CM-7(3) - Least Functionality | Registration Compliance
CM-7(4) - Least Functionality | Unauthorized Software
CM-7(5) - Least Functionality | Authorized Software
CM-7(6) - Least Functionality | Confined Environments with Limited Privileges
CM-7(7) - Least Functionality | Code Execution in Protected Environments
CM-7(8) - Least Functionality | Binary or Machine Executable Code
CM-7(9) - Least Functionality | Prohibiting The Use of Unauthorized Hardware
CM-8 - System Component Inventory
CM-8(1) - System Component Inventory | Updates During Installation and Removal
CM-8(2) - System Component Inventory | Automated Maintenance
CM-8(3) - System Component Inventory | Automated Unauthorized Component Detection
CM-8(4) - System Component Inventory | Accountability Information
CM-8(6) - System Component Inventory | Assessed Configurations and Approved Deviations
CM-8(7) - System Component Inventory | Centralized Repository
CM-8(8) - System Component Inventory | Automated Location Tracking
CM-8(9) - System Component Inventory | Assignment of Components to Systems
CM-9 - Configuration Management Plan
CM-9(1) - Configuration Management Plan | Assignment of Responsibility
CM-10 - Software Usage Restrictions
CM-10(1) - Software Usage Restrictions | Open-source Software
CM-11 - User-installed Software
CM-11(2) - User-installed Software | Software Installation with Privileged Status
CM-11(3) - User-installed Software | Automated Enforcement and Monitoring
CM-12 - Information Location
CM-12(1) - Information Location | Automated Tools to Support Information Location
CM-13 - Data Action Mapping
CM-14 - Signed Components
CP - Contingency Planning
CP-1 - Policy and Procedures
CP-2 - Contingency Plan
CP-2(1) - Contingency Plan | Coordinate with Related Plans
CP-2(2) - Contingency Plan | Capacity Planning
CP-2(3) - Contingency Plan | Resume Mission and Business Functions
CP-2(5) - Contingency Plan | Continue Mission and Business Functions
CP-2(6) - Contingency Plan | Alternate Processing and Storage Sites
CP-2(7) - Contingency Plan | Coordinate with External Service Providers
CP-2(8) - Contingency Plan | Identify Critical Assets
CP-3 - Contingency Training
CP-3(1) - Contingency Training | Simulated Events
CP-3(2) - Contingency Training | Mechanisms Used in Training Environments
CP-4 - Contingency Plan Testing
CP-4(1) - Contingency Plan Testing | Coordinate with Related Plans
CP-4(2) - Contingency Plan Testing | Alternate Processing Site
CP-4(3) - Contingency Plan Testing | Automated Testing
CP-4(4) - Contingency Plan Testing | Full Recovery and Reconstitution
CP-4(5) - Contingency Plan Testing | Self-challenge
CP-6 - Alternate Storage Site
CP-6(1) - Alternate Storage Site | Separation from Primary Site
CP-6(2) - Alternate Storage Site | Recovery Time and Recovery Point Objectives
CP-6(3) - Alternate Storage Site | Accessibility
CP-7 - Alternate Processing Site
CP-7(1) - Alternate Processing Site | Separation from Primary Site
CP-7(2) - Alternate Processing Site | Accessibility
CP-7(3) - Alternate Processing Site | Priority of Service
CP-7(4) - Alternate Processing Site | Preparation for Use
CP-7(6) - Alternate Processing Site | Inability to Return to Primary Site
CP-8 - Telecommunications Services
CP-8(1) - Telecommunications Services | Priority of Service Provisions
CP-8(2) - Telecommunications Services | Single Points of Failure
CP-8(3) - Telecommunications Services | Separation of Primary and Alternate Providers
CP-8(4) - Telecommunications Services | Provider Contingency Plan
CP-8(5) - Telecommunications Services | Alternate Telecommunication Service Testing
CP-9 - System Backup
CP-9(1) - System Backup | Testing for Reliability and Integrity
CP-9(2) - System Backup | Test Restoration Using Sampling
CP-9(3) - System Backup | Separate Storage for Critical Information
CP-9(5) - System Backup | Transfer to Alternate Storage Site
CP-9(6) - System Backup | Redundant Secondary System
CP-9(7) - System Backup | Dual Authorization
CP-9(8) - System Backup | Cryptographic Protection
CP-10 - System Recovery and Reconstitution
CP-10(2) - System Recovery and Reconstitution | Transaction Recovery
CP-10(4) - System Recovery and Reconstitution | Restore Within Time Period
CP-10(6) - System Recovery and Reconstitution | Component Protection
CP-11 - Alternate Communications Protocols
CP-12 - Safe Mode
CP-13 - Alternative Security Mechanisms
IA - Identification and Authentication
IA-1 - Policy and Procedures
IA-2 - Identification and Authentication (organizational Users)
IA-2(1) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts
IA-2(2) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts
IA-2(5) - Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication
IA-2(6) - Identification and Authentication (organizational Users) | Access to Accounts — Separate Device
IA-2(8) - Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant
IA-2(10) - Identification and Authentication (organizational Users) | Single Sign-on
IA-2(12) - Identification and Authentication (organizational Users) | Acceptance of PIV Credentials
IA-2(13) - Identification and Authentication (organizational Users) | Out-of-band Authentication
IA-3 - Device Identification and Authentication
IA-3(1) - Device Identification and Authentication | Cryptographic Bidirectional Authentication
IA-3(3) - Device Identification and Authentication | Dynamic Address Allocation
IA-3(4) - Device Identification and Authentication | Device Attestation
IA-4 - Identifier Management
IA-4(1) - Identifier Management | Prohibit Account Identifiers as Public Identifiers
IA-4(4) - Identifier Management | Identify User Status
IA-4(5) - Identifier Management | Dynamic Management
IA-4(6) - Identifier Management | Cross-organization Management
IA-4(8) - Identifier Management | Pairwise Pseudonymous Identifiers
IA-4(9) - Identifier Management | Attribute Maintenance and Protection
IA-5 - Authenticator Management
IA-5(1) - Authenticator Management | Password-based Authentication
IA-5(2) - Authenticator Management | Public Key-based Authentication
IA-5(5) - Authenticator Management | Change Authenticators Prior to Delivery
IA-5(6) - Authenticator Management | Protection of Authenticators
IA-5(7) - Authenticator Management | No Embedded Unencrypted Static Authenticators
IA-5(8) - Authenticator Management | Multiple System Accounts
IA-5(9) - Authenticator Management | Federated Credential Management
IA-5(10) - Authenticator Management | Dynamic Credential Binding
IA-5(12) - Authenticator Management | Biometric Authentication Performance
IA-5(13) - Authenticator Management | Expiration of Cached Authenticators
IA-5(14) - Authenticator Management | Managing Content of PKI Trust Stores
IA-5(15) - Authenticator Management | Gsa-approved Products and Services
IA-5(16) - Authenticator Management | In-person or Trusted External Party Authenticator Issuance
IA-5(17) - Authenticator Management | Presentation Attack Detection for Biometric Authenticators
IA-5(18) - Authenticator Management | Password Managers
IA-6 - Authentication Feedback
IA-7 - Cryptographic Module Authentication
IA-8 - Identification and Authentication (non-organizational Users)
IA-8(1) - Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies
IA-8(2) - Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators
IA-8(4) - Identification and Authentication (non-organizational Users) | Use of Defined Profiles
IA-8(5) - Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials
IA-8(6) - Identification and Authentication (non-organizational Users) | Disassociability
IA-9 - Service Identification and Authentication
IA-10 - Adaptive Authentication
IA-11 - Re-authentication
IA-12 - Identity Proofing
IA-12(1) - Identity Proofing | Supervisor Authorization
IA-12(2) - Identity Proofing | Identity Evidence
IA-12(3) - Identity Proofing | Identity Evidence Validation and Verification
IA-12(4) - Identity Proofing | In-person Validation and Verification
IA-12(5) - Identity Proofing | Address Confirmation
IA-12(6) - Identity Proofing | Accept Externally-proofed Identities
IR - Incident Response
IR-1 - Policy and Procedures
IR-2 - Incident Response Training
IR-2(1) - Incident Response Training | Simulated Events
IR-2(2) - Incident Response Training | Automated Training Environments
IR-2(3) - Incident Response Training | Breach
IR-3 - Incident Response Testing
IR-3(1) - Incident Response Testing | Automated Testing
IR-3(2) - Incident Response Testing | Coordination with Related Plans
IR-3(3) - Incident Response Testing | Continuous Improvement
IR-4 - Incident Handling
IR-4(1) - Incident Handling | Automated Incident Handling Processes
IR-4(2) - Incident Handling | Dynamic Reconfiguration
IR-4(3) - Incident Handling | Continuity of Operations
IR-4(4) - Incident Handling | Information Correlation
IR-4(5) - Incident Handling | Automatic Disabling of System
IR-4(6) - Incident Handling | Insider Threats
IR-4(7) - Incident Handling | Insider Threats — Intra-organization Coordination
IR-4(8) - Incident Handling | Correlation with External Organizations
IR-4(9) - Incident Handling | Dynamic Response Capability
IR-4(10) - Incident Handling | Supply Chain Coordination
IR-4(11) - Incident Handling | Integrated Incident Response Team
IR-4(12) - Incident Handling | Malicious Code and Forensic Analysis
IR-4(13) - Incident Handling | Behavior Analysis
IR-4(14) - Incident Handling | Security Operations Center
IR-4(15) - Incident Handling | Public Relations and Reputation Repair
IR-5 - Incident Monitoring
IR-5(1) - Incident Monitoring | Automated Tracking, Data Collection, and Analysis
IR-6 - Incident Reporting
IR-6(1) - Incident Reporting | Automated Reporting
IR-6(2) - Incident Reporting | Vulnerabilities Related to Incidents
IR-6(3) - Incident Reporting | Supply Chain Coordination
IR-7 - Incident Response Assistance
IR-7(1) - Incident Response Assistance | Automation Support for Availability of Information and Support
IR-7(2) - Incident Response Assistance | Coordination with External Providers
IR-8 - Incident Response Plan
IR-8(1) - Incident Response Plan | Breaches
IR-9 - Information Spillage Response
IR-9(2) - Information Spillage Response | Training
IR-9(3) - Information Spillage Response | Post-spill Operations
IR-9(4) - Information Spillage Response | Exposure to Unauthorized Personnel
MA - Maintenance
MA-1 - Policy and Procedures
MA-2 - Controlled Maintenance
MA-2(2) - Controlled Maintenance | Automated Maintenance Activities
MA-3 - Maintenance Tools
MA-3(1) - Maintenance Tools | Inspect Tools
MA-3(2) - Maintenance Tools | Inspect Media
MA-3(3) - Maintenance Tools | Prevent Unauthorized Removal
MA-3(4) - Maintenance Tools | Restricted Tool Use
MA-3(5) - Maintenance Tools | Execution with Privilege
MA-3(6) - Maintenance Tools | Software Updates and Patches
MA-4 - Nonlocal Maintenance
MA-4(1) - Nonlocal Maintenance | Logging and Review
MA-4(3) - Nonlocal Maintenance | Comparable Security and Sanitization
MA-4(4) - Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions
MA-4(5) - Nonlocal Maintenance | Approvals and Notifications
MA-4(6) - Nonlocal Maintenance | Cryptographic Protection
MA-4(7) - Nonlocal Maintenance | Disconnect Verification
MA-5 - Maintenance Personnel
MA-5(1) - Maintenance Personnel | Individuals Without Appropriate Access
MA-5(2) - Maintenance Personnel | Security Clearances for Classified Systems
MA-5(3) - Maintenance Personnel | Citizenship Requirements for Classified Systems
MA-5(4) - Maintenance Personnel | Foreign Nationals
MA-5(5) - Maintenance Personnel | Non-system Maintenance
MA-6 - Timely Maintenance
MA-6(1) - Timely Maintenance | Preventive Maintenance
MA-6(2) - Timely Maintenance | Predictive Maintenance
MA-6(3) - Timely Maintenance | Automated Support for Predictive Maintenance
MA-7 - Field Maintenance
MP - Media Protection
MP-1 - Policy and Procedures
MP-2 - Media Access
MP-3 - Media Marking
MP-4 - Media Storage
MP-4(2) - Media Storage | Automated Restricted Access
MP-5 - Media Transport
MP-5(3) - Media Transport | Custodians
MP-6 - Media Sanitization
MP-6(1) - Media Sanitization | Review, Approve, Track, Document, and Verify
MP-6(2) - Media Sanitization | Equipment Testing
MP-6(3) - Media Sanitization | Nondestructive Techniques
MP-6(7) - Media Sanitization | Dual Authorization
MP-6(8) - Media Sanitization | Remote Purging or Wiping of Information
MP-7 - Media Use
MP-7(2) - Media Use | Prohibit Use of Sanitization-resistant Media
MP-8 - Media Downgrading
MP-8(1) - Media Downgrading | Documentation of Process
MP-8(2) - Media Downgrading | Equipment Testing
MP-8(3) - Media Downgrading | Controlled Unclassified Information
MP-8(4) - Media Downgrading | Classified Information
PE - Physical and Environmental Protection
PE-1 - Policy and Procedures
PE-2 - Physical Access Authorizations
PE-2(1) - Physical Access Authorizations | Access by Position or Role
PE-2(2) - Physical Access Authorizations | Two Forms of Identification
PE-2(3) - Physical Access Authorizations | Restrict Unescorted Access
PE-3 - Physical Access Control
PE-3(1) - Physical Access Control | System Access
PE-3(2) - Physical Access Control | Facility and Systems
PE-3(3) - Physical Access Control | Continuous Guards
PE-3(4) - Physical Access Control | Lockable Casings
PE-3(5) - Physical Access Control | Tamper Protection
PE-3(7) - Physical Access Control | Physical Barriers
PE-3(8) - Physical Access Control | Access Control Vestibules
PE-4 - Access Control for Transmission
PE-5 - Access Control for Output Devices
PE-5(2) - Access Control for Output Devices | Link to Individual Identity
PE-6 - Monitoring Physical Access
PE-6(1) - Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
PE-6(2) - Monitoring Physical Access | Automated Intrusion Recognition and Responses
PE-6(3) - Monitoring Physical Access | Video Surveillance
PE-6(4) - Monitoring Physical Access | Monitoring Physical Access to Systems
PE-8 - Visitor Access Records
PE-8(1) - Visitor Access Records | Automated Records Maintenance and Review
PE-8(3) - Visitor Access Records | Limit Personally Identifiable Information Elements
PE-9 - Power Equipment and Cabling
PE-9(1) - Power Equipment and Cabling | Redundant Cabling
PE-9(2) - Power Equipment and Cabling | Automatic Voltage Controls
PE-10 - Emergency Shutoff
PE-11 - Emergency Power
PE-11(1) - Emergency Power | Alternate Power Supply — Minimal Operational Capability
PE-11(2) - Emergency Power | Alternate Power Supply — Self-contained
PE-12 - Emergency Lighting
PE-12(1) - Emergency Lighting | Essential Mission and Business Functions
PE-13 - Fire Protection
PE-13(1) - Fire Protection | Detection Systems – Automatic Activation and Notification
PE-13(2) - Fire Protection | Suppression Systems – Automatic Activation and Notification
PE-13(4) - Fire Protection | Inspections
PE-14 - Environmental Controls
PE-14(1) - Environmental Controls | Automatic Controls
PE-14(2) - Environmental Controls | Monitoring with Alarms and Notifications
PE-15 - Water Damage Protection
PE-15(1) - Water Damage Protection | Automation Support
PE-16 - Delivery and Removal
PE-17 - Alternate Work Site
PE-18 - Location of System Components
PE-19 - Information Leakage
PE-19(1) - Information Leakage | National Emissions and Tempest Policies and Procedures
PE-20 - Asset Monitoring and Tracking
PE-21 - Electromagnetic Pulse Protection
PE-22 - Component Marking
PE-23 - Facility Location
PL - Planning
PL-1 - Policy and Procedures
PL-2 - System Security and Privacy Plans
PL-4 - Rules of Behavior
PL-4(1) - Rules of Behavior | Social Media and External Site/application Usage Restrictions
PL-7 - Concept of Operations
PL-8 - Security and Privacy Architectures
PL-8(1) - Security and Privacy Architectures | Defense in Depth
PL-8(2) - Security and Privacy Architectures | Supplier Diversity
PL-9 - Central Management
PL-10 - Baseline Selection
PL-11 - Baseline Tailoring
PM - Program Management
PM-1 - Information Security Program Plan
PM-2 - Information Security Program Leadership Role
PM-3 - Information Security and Privacy Resources
PM-4 - Plan of Action and Milestones Process
PM-5 - System Inventory
PM-5(1) - System Inventory | Inventory of Personally Identifiable Information
PM-6 - Measures of Performance
PM-7 - Enterprise Architecture
PM-7(1) - Enterprise Architecture | Offloading
PM-8 - Critical Infrastructure Plan
PM-9 - Risk Management Strategy
PM-10 - Authorization Process
PM-11 - Mission and Business Process Definition
PM-12 - Insider Threat Program
PM-13 - Security and Privacy Workforce
PM-14 - Testing, Training, and Monitoring
PM-15 - Security and Privacy Groups and Associations
PM-16 - Threat Awareness Program
PM-16(1) - Threat Awareness Program | Automated Means for Sharing Threat Intelligence
PM-17 - Protecting Controlled Unclassified Information on External Systems
PM-18 - Privacy Program Plan
PM-19 - Privacy Program Leadership Role
PM-20 - Dissemination of Privacy Program Information
PM-20(1) - Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services
PM-21 - Accounting of Disclosures
PM-22 - Personally Identifiable Information Quality Management
PM-23 - Data Governance Body
PM-24 - Data Integrity Board
PM-25 - Minimization of Personally Identifiable Information Used in Testing, Training, and Research
PM-26 - Complaint Management
PM-27 - Privacy Reporting
PM-28 - Risk Framing
PM-29 - Risk Management Program Leadership Roles
PM-30 - Supply Chain Risk Management Strategy
PM-30(1) - Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items
PM-31 - Continuous Monitoring Strategy
PM-32 - Purposing
PS - Personnel Security
PS-1 - Policy and Procedures
PS-2 - Position Risk Designation
PS-3 - Personnel Screening
PS-3(1) - Personnel Screening | Classified Information
PS-3(2) - Personnel Screening | Formal Indoctrination
PS-3(3) - Personnel Screening | Information with Special Protective Measures
PS-3(4) - Personnel Screening | Citizenship Requirements
PS-4 - Personnel Termination
PS-4(1) - Personnel Termination | Post-employment Requirements
PS-4(2) - Personnel Termination | Automated Actions
PS-5 - Personnel Transfer
PS-6 - Access Agreements
PS-6(2) - Access Agreements | Classified Information Requiring Special Protection
PS-6(3) - Access Agreements | Post-employment Requirements
PS-7 - External Personnel Security
PS-8 - Personnel Sanctions
PS-9 - Position Descriptions
PT - Personally Identifiable Information Processing and Transparency
PT-1 - Policy and Procedures
PT-2 - Authority to Process Personally Identifiable Information
PT-2(1) - Authority to Process Personally Identifiable Information | Data Tagging
PT-2(2) - Authority to Process Personally Identifiable Information | Automation
PT-3 - Personally Identifiable Information Processing Purposes
PT-3(1) - Personally Identifiable Information Processing Purposes | Data Tagging
PT-3(2) - Personally Identifiable Information Processing Purposes | Automation
PT-4 - Consent
PT-4(1) - Consent | Tailored Consent
PT-4(2) - Consent | Just-in-time Consent
PT-4(3) - Consent | Revocation
PT-5 - Privacy Notice
PT-5(1) - Privacy Notice | Just-in-time Notice
PT-5(2) - Privacy Notice | Privacy Act Statements
PT-6 - System of Records Notice
PT-6(1) - System of Records Notice | Routine Uses
PT-6(2) - System of Records Notice | Exemption Rules
PT-7 - Specific Categories of Personally Identifiable Information
PT-7(1) - Specific Categories of Personally Identifiable Information | Social Security Numbers
PT-7(2) - Specific Categories of Personally Identifiable Information | First Amendment Information
PT-8 - Computer Matching Requirements
RA - Risk Assessment
RA-1 - Policy and Procedures
RA-2 - Security Categorization
RA-2(1) - Security Categorization | Impact-level Prioritization
RA-3 - Risk Assessment
RA-3(1) - Risk Assessment | Supply Chain Risk Assessment
RA-3(2) - Risk Assessment | Use of All-source Intelligence
RA-3(3) - Risk Assessment | Dynamic Threat Awareness
RA-3(4) - Risk Assessment | Predictive Cyber Analytics
RA-5 - Vulnerability Monitoring and Scanning
RA-5(2) - Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
RA-5(3) - Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage
RA-5(4) - Vulnerability Monitoring and Scanning | Discoverable Information
RA-5(5) - Vulnerability Monitoring and Scanning | Privileged Access
RA-5(6) - Vulnerability Monitoring and Scanning | Automated Trend Analyses
RA-5(8) - Vulnerability Monitoring and Scanning | Review Historic Audit Logs
RA-5(10) - Vulnerability Monitoring and Scanning | Correlate Scanning Information
RA-5(11) - Vulnerability Monitoring and Scanning | Public Disclosure Program
RA-6 - Technical Surveillance Countermeasures Survey
RA-7 - Risk Response
RA-8 - Privacy Impact Assessments
RA-9 - Criticality Analysis
RA-10 - Threat Hunting
SA - System and Services Acquisition
SA-1 - Policy and Procedures
SA-2 - Allocation of Resources
SA-3 - System Development Life Cycle
SA-3(1) - System Development Life Cycle | Manage Preproduction Environment
SA-3(2) - System Development Life Cycle | Use of Live or Operational Data
SA-3(3) - System Development Life Cycle | Technology Refresh
SA-4 - Acquisition Process
SA-4(1) - Acquisition Process | Functional Properties of Controls
SA-4(2) - Acquisition Process | Design and Implementation Information for Controls
SA-4(3) - Acquisition Process | Development Methods, Techniques, and Practices
SA-4(5) - Acquisition Process | System, Component, and Service Configurations
SA-4(6) - Acquisition Process | Use of Information Assurance Products
SA-4(7) - Acquisition Process | Niap-approved Protection Profiles
SA-4(8) - Acquisition Process | Continuous Monitoring Plan for Controls
SA-4(9) - Acquisition Process | Functions, Ports, Protocols, and Services in Use
SA-4(10) - Acquisition Process | Use of Approved PIV Products
SA-4(11) - Acquisition Process | System of Records
SA-4(12) - Acquisition Process | Data Ownership
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-8(1) - Security and Privacy Engineering Principles | Clear Abstractions
SA-8(2) - Security and Privacy Engineering Principles | Least Common Mechanism
SA-8(3) - Security and Privacy Engineering Principles | Modularity and Layering
SA-8(4) - Security and Privacy Engineering Principles | Partially Ordered Dependencies
SA-8(5) - Security and Privacy Engineering Principles | Efficiently Mediated Access
SA-8(6) - Security and Privacy Engineering Principles | Minimized Sharing
SA-8(7) - Security and Privacy Engineering Principles | Reduced Complexity
SA-8(8) - Security and Privacy Engineering Principles | Secure Evolvability
SA-8(9) - Security and Privacy Engineering Principles | Trusted Components
SA-8(10) - Security and Privacy Engineering Principles | Hierarchical Trust
SA-8(11) - Security and Privacy Engineering Principles | Inverse Modification Threshold
SA-8(12) - Security and Privacy Engineering Principles | Hierarchical Protection
SA-8(13) - Security and Privacy Engineering Principles | Minimized Security Elements
SA-8(14) - Security and Privacy Engineering Principles | Least Privilege
SA-8(15) - Security and Privacy Engineering Principles | Predicate Permission
SA-8(16) - Security and Privacy Engineering Principles | Self-reliant Trustworthiness
SA-8(17) - Security and Privacy Engineering Principles | Secure Distributed Composition
SA-8(18) - Security and Privacy Engineering Principles | Trusted Communications Channels
SA-8(19) - Security and Privacy Engineering Principles | Continuous Protection
SA-8(20) - Security and Privacy Engineering Principles | Secure Metadata Management
SA-8(21) - Security and Privacy Engineering Principles | Self-analysis
SA-8(22) - Security and Privacy Engineering Principles | Accountability and Traceability
SA-8(23) - Security and Privacy Engineering Principles | Secure Defaults
SA-8(24) - Security and Privacy Engineering Principles | Secure Failure and Recovery
SA-8(25) - Security and Privacy Engineering Principles | Economic Security
SA-8(26) - Security and Privacy Engineering Principles | Performance Security
SA-8(27) - Security and Privacy Engineering Principles | Human Factored Security
SA-8(28) - Security and Privacy Engineering Principles | Acceptable Security
SA-8(29) - Security and Privacy Engineering Principles | Repeatable and Documented Procedures
SA-8(30) - Security and Privacy Engineering Principles | Procedural Rigor
SA-8(31) - Security and Privacy Engineering Principles | Secure System Modification
SA-8(32) - Security and Privacy Engineering Principles | Sufficient Documentation
SA-8(33) - Security and Privacy Engineering Principles | Minimization
SA-9 - External System Services
SA-9(1) - External System Services | Risk Assessments and Organizational Approvals
SA-9(2) - External System Services | Identification of Functions, Ports, Protocols, and Services
SA-9(3) - External System Services | Establish and Maintain Trust Relationship with Providers
SA-9(4) - External System Services | Consistent Interests of Consumers and Providers
SA-9(5) - External System Services | Processing, Storage, and Service Location
SA-9(6) - External System Services | Organization-controlled Cryptographic Keys
SA-9(7) - External System Services | Organization-controlled Integrity Checking
SA-9(8) - External System Services | Processing and Storage Location — U.s. Jurisdiction
SA-10 - Developer Configuration Management
SA-10(1) - Developer Configuration Management | Software and Firmware Integrity Verification
SA-10(2) - Developer Configuration Management | Alternative Configuration Management
SA-10(3) - Developer Configuration Management | Hardware Integrity Verification
SA-10(4) - Developer Configuration Management | Trusted Generation
SA-10(5) - Developer Configuration Management | Mapping Integrity for Version Control
SA-10(6) - Developer Configuration Management | Trusted Distribution
SA-10(7) - Developer Configuration Management | Security and Privacy Representatives
SA-11 - Developer Testing and Evaluation
SA-11(1) - Developer Testing and Evaluation | Static Code Analysis
SA-11(2) - Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
SA-11(3) - Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence
SA-11(4) - Developer Testing and Evaluation | Manual Code Reviews
SA-11(5) - Developer Testing and Evaluation | Penetration Testing
SA-11(6) - Developer Testing and Evaluation | Attack Surface Reviews
SA-11(7) - Developer Testing and Evaluation | Verify Scope of Testing and Evaluation
SA-11(8) - Developer Testing and Evaluation | Dynamic Code Analysis
SA-11(9) - Developer Testing and Evaluation | Interactive Application Security Testing
SA-15 - Development Process, Standards, and Tools
SA-15(1) - Development Process, Standards, and Tools | Quality Metrics
SA-15(2) - Development Process, Standards, and Tools | Security and Privacy Tracking Tools
SA-15(3) - Development Process, Standards, and Tools | Criticality Analysis
SA-15(5) - Development Process, Standards, and Tools | Attack Surface Reduction
SA-15(6) - Development Process, Standards, and Tools | Continuous Improvement
SA-15(7) - Development Process, Standards, and Tools | Automated Vulnerability Analysis
SA-15(8) - Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information
SA-15(10) - Development Process, Standards, and Tools | Incident Response Plan
SA-15(11) - Development Process, Standards, and Tools | Archive System or Component
SA-15(12) - Development Process, Standards, and Tools | Minimize Personally Identifiable Information
SA-16 - Developer-provided Training
SA-17 - Developer Security and Privacy Architecture and Design
SA-17(1) - Developer Security and Privacy Architecture and Design | Formal Policy Model
SA-17(2) - Developer Security and Privacy Architecture and Design | Security-relevant Components
SA-17(3) - Developer Security and Privacy Architecture and Design | Formal Correspondence
SA-17(4) - Developer Security and Privacy Architecture and Design | Informal Correspondence
SA-17(5) - Developer Security and Privacy Architecture and Design | Conceptually Simple Design
SA-17(6) - Developer Security and Privacy Architecture and Design | Structure for Testing
SA-17(7) - Developer Security and Privacy Architecture and Design | Structure for Least Privilege
SA-17(8) - Developer Security and Privacy Architecture and Design | Orchestration
SA-17(9) - Developer Security and Privacy Architecture and Design | Design Diversity
SA-20 - Customized Development of Critical Components
SA-21 - Developer Screening
SA-22 - Unsupported System Components
SA-23 - Specialization
SC - System and Communications Protection
SC-1 - Policy and Procedures
SC-2 - Separation of System and User Functionality
SC-2(1) - Separation of System and User Functionality | Interfaces for Non-privileged Users
SC-2(2) - Separation of System and User Functionality | Disassociability
SC-3 - Security Function Isolation
SC-3(1) - Security Function Isolation | Hardware Separation
SC-3(2) - Security Function Isolation | Access and Flow Control Functions
SC-3(3) - Security Function Isolation | Minimize Nonsecurity Functionality
SC-3(4) - Security Function Isolation | Module Coupling and Cohesiveness
SC-3(5) - Security Function Isolation | Layered Structures
SC-4 - Information in Shared System Resources
SC-4(2) - Information in Shared System Resources | Multilevel or Periods Processing
SC-5 - Denial-of-service Protection
SC-5(1) - Denial-of-service Protection | Restrict Ability to Attack Other Systems
SC-5(2) - Denial-of-service Protection | Capacity, Bandwidth, and Redundancy
SC-5(3) - Denial-of-service Protection | Detection and Monitoring
SC-6 - Resource Availability
SC-7 - Boundary Protection
SC-7(3) - Boundary Protection | Access Points
SC-7(4) - Boundary Protection | External Telecommunications Services
SC-7(5) - Boundary Protection | Deny by Default — Allow by Exception
SC-7(7) - Boundary Protection | Split Tunneling for Remote Devices
SC-7(8) - Boundary Protection | Route Traffic to Authenticated Proxy Servers
SC-7(9) - Boundary Protection | Restrict Threatening Outgoing Communications Traffic
SC-7(10) - Boundary Protection | Prevent Exfiltration
SC-7(11) - Boundary Protection | Restrict Incoming Communications Traffic
SC-7(12) - Boundary Protection | Host-based Protection
SC-7(13) - Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components
SC-7(14) - Boundary Protection | Protect Against Unauthorized Physical Connections
SC-7(15) - Boundary Protection | Networked Privileged Accesses
SC-7(16) - Boundary Protection | Prevent Discovery of System Components
SC-7(17) - Boundary Protection | Automated Enforcement of Protocol Formats
SC-7(18) - Boundary Protection | Fail Secure
SC-7(19) - Boundary Protection | Block Communication from Non-organizationally Configured Hosts
SC-7(20) - Boundary Protection | Dynamic Isolation and Segregation
SC-7(21) - Boundary Protection | Isolation of System Components
SC-7(22) - Boundary Protection | Separate Subnets for Connecting to Different Security Domains
SC-7(23) - Boundary Protection | Disable Sender Feedback on Protocol Validation Failure
SC-7(24) - Boundary Protection | Personally Identifiable Information
SC-7(25) - Boundary Protection | Unclassified National Security System Connections
SC-7(26) - Boundary Protection | Classified National Security System Connections
SC-7(27) - Boundary Protection | Unclassified Non-national Security System Connections
SC-7(28) - Boundary Protection | Connections to Public Networks
SC-7(29) - Boundary Protection | Separate Subnets to Isolate Functions
SC-8 - Transmission Confidentiality and Integrity
SC-8(1) - Transmission Confidentiality and Integrity | Cryptographic Protection
SC-8(2) - Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling
SC-8(3) - Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals
SC-8(4) - Transmission Confidentiality and Integrity | Conceal or Randomize Communications
SC-8(5) - Transmission Confidentiality and Integrity | Protected Distribution System
SC-10 - Network Disconnect
SC-11 - Trusted Path
SC-11(1) - Trusted Path | Irrefutable Communications Path
SC-12 - Cryptographic Key Establishment and Management
SC-12(1) - Cryptographic Key Establishment and Management | Availability
SC-12(2) - Cryptographic Key Establishment and Management | Symmetric Keys
SC-12(3) - Cryptographic Key Establishment and Management | Asymmetric Keys
SC-12(6) - Cryptographic Key Establishment and Management | Physical Control of Keys
SC-13 - Cryptographic Protection
SC-15 - Collaborative Computing Devices and Applications
SC-15(1) - Collaborative Computing Devices and Applications | Physical or Logical Disconnect
SC-15(3) - Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas
SC-15(4) - Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants
SC-16 - Transmission of Security and Privacy Attributes
SC-16(1) - Transmission of Security and Privacy Attributes | Integrity Verification
SC-16(2) - Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms
SC-16(3) - Transmission of Security and Privacy Attributes | Cryptographic Binding
SC-17 - Public Key Infrastructure Certificates
SC-18 - Mobile Code
SC-18(1) - Mobile Code | Identify Unacceptable Code and Take Corrective Actions
SC-18(2) - Mobile Code | Acquisition, Development, and Use
SC-18(3) - Mobile Code | Prevent Downloading and Execution
SC-18(4) - Mobile Code | Prevent Automatic Execution
SC-18(5) - Mobile Code | Allow Execution Only in Confined Environments
SC-20 - Secure Name/address Resolution Service (authoritative Source)
SC-20(2) - Secure Name/address Resolution Service (authoritative Source) | Data Origin and Integrity
SC-21 - Secure Name/address Resolution Service (recursive or Caching Resolver)
SC-22 - Architecture and Provisioning for Name/address Resolution Service
SC-23 - Session Authenticity
SC-23(1) - Session Authenticity | Invalidate Session Identifiers at Logout
SC-23(3) - Session Authenticity | Unique System-generated Session Identifiers
SC-23(5) - Session Authenticity | Allowed Certificate Authorities
SC-24 - Fail in Known State
SC-25 - Thin Nodes
SC-26 - Decoys
SC-27 - Platform-independent Applications
SC-28 - Protection of Information at Rest
SC-28(1) - Protection of Information at Rest | Cryptographic Protection
SC-28(2) - Protection of Information at Rest | Offline Storage
SC-28(3) - Protection of Information at Rest | Cryptographic Keys
SC-29 - Heterogeneity
SC-29(1) - Heterogeneity | Virtualization Techniques
SC-30 - Concealment and Misdirection
SC-30(2) - Concealment and Misdirection | Randomness
SC-30(3) - Concealment and Misdirection | Change Processing and Storage Locations
SC-30(4) - Concealment and Misdirection | Misleading Information
SC-30(5) - Concealment and Misdirection | Concealment of System Components
SC-31 - Covert Channel Analysis
SC-31(1) - Covert Channel Analysis | Test Covert Channels for Exploitability
SC-31(2) - Covert Channel Analysis | Maximum Bandwidth
SC-31(3) - Covert Channel Analysis | Measure Bandwidth in Operational Environments
SC-32 - System Partitioning
SC-32(1) - System Partitioning | Separate Physical Domains for Privileged Functions
SC-34 - Non-modifiable Executable Programs
SC-34(1) - Non-modifiable Executable Programs | No Writable Storage
SC-34(2) - Non-modifiable Executable Programs | Integrity Protection on Read-only Media
SC-35 - External Malicious Code Identification
SC-36 - Distributed Processing and Storage
SC-36(1) - Distributed Processing and Storage | Polling Techniques
SC-36(2) - Distributed Processing and Storage | Synchronization
SC-37 - Out-of-band Channels
SC-37(1) - Out-of-band Channels | Ensure Delivery and Transmission
SC-38 - Operations Security
SC-39 - Process Isolation
SC-39(1) - Process Isolation | Hardware Separation
SC-39(2) - Process Isolation | Separate Execution Domain Per Thread
SC-40 - Wireless Link Protection
SC-40(1) - Wireless Link Protection | Electromagnetic Interference
SC-40(2) - Wireless Link Protection | Reduce Detection Potential
SC-40(3) - Wireless Link Protection | Imitative or Manipulative Communications Deception
SC-40(4) - Wireless Link Protection | Signal Parameter Identification
SC-41 - Port and I/O Device Access
SC-42 - Sensor Capability and Data
SC-42(1) - Sensor Capability and Data | Reporting to Authorized Individuals or Roles
SC-42(2) - Sensor Capability and Data | Authorized Use
SC-42(4) - Sensor Capability and Data | Notice of Collection
SC-42(5) - Sensor Capability and Data | Collection Minimization
SC-43 - Usage Restrictions
SC-44 - Detonation Chambers
SC-45 - System Time Synchronization
SC-45(1) - System Time Synchronization | Synchronization with Authoritative Time Source
SC-45(2) - System Time Synchronization | Secondary Authoritative Time Source
SC-46 - Cross Domain Policy Enforcement
SC-47 - Alternate Communications Paths
SC-48 - Sensor Relocation
SC-48(1) - Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities
SC-49 - Hardware-enforced Separation and Policy Enforcement
SC-50 - Software-enforced Separation and Policy Enforcement
SC-51 - Hardware-based Protection
SI - System and Information Integrity
SI-1 - Policy and Procedures
SI-2 - Flaw Remediation
SI-2(2) - Flaw Remediation | Automated Flaw Remediation Status
SI-2(3) - Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions
SI-2(4) - Flaw Remediation | Automated Patch Management Tools
SI-2(5) - Flaw Remediation | Automatic Software and Firmware Updates
SI-2(6) - Flaw Remediation | Removal of Previous Versions of Software and Firmware
SI-3 - Malicious Code Protection
SI-3(4) - Malicious Code Protection | Updates Only by Privileged Users
SI-3(6) - Malicious Code Protection | Testing and Verification
SI-3(8) - Malicious Code Protection | Detect Unauthorized Commands
SI-3(10) - Malicious Code Protection | Malicious Code Analysis
SI-4 - System Monitoring
SI-4(1) - System Monitoring | System-wide Intrusion Detection System
SI-4(2) - System Monitoring | Automated Tools and Mechanisms for Real-time Analysis
SI-4(3) - System Monitoring | Automated Tool and Mechanism Integration
SI-4(4) - System Monitoring | Inbound and Outbound Communications Traffic
SI-4(5) - System Monitoring | System-generated Alerts
SI-4(7) - System Monitoring | Automated Response to Suspicious Events
SI-4(9) - System Monitoring | Testing of Monitoring Tools and Mechanisms
SI-4(10) - System Monitoring | Visibility of Encrypted Communications
SI-4(11) - System Monitoring | Analyze Communications Traffic Anomalies
SI-4(12) - System Monitoring | Automated Organization-generated Alerts
SI-4(13) - System Monitoring | Analyze Traffic and Event Patterns
SI-4(14) - System Monitoring | Wireless Intrusion Detection
SI-4(15) - System Monitoring | Wireless to Wireline Communications
SI-4(16) - System Monitoring | Correlate Monitoring Information
SI-4(17) - System Monitoring | Integrated Situational Awareness
SI-4(18) - System Monitoring | Analyze Traffic and Covert Exfiltration
SI-4(19) - System Monitoring | Risk for Individuals
SI-4(20) - System Monitoring | Privileged Users
SI-4(21) - System Monitoring | Probationary Periods
SI-4(22) - System Monitoring | Unauthorized Network Services
SI-4(23) - System Monitoring | Host-based Devices
SI-4(24) - System Monitoring | Indicators of Compromise
SI-4(25) - System Monitoring | Optimize Network Traffic Analysis
SI-5 - Security Alerts, Advisories, and Directives
SI-5(1) - Security Alerts, Advisories, and Directives | Automated Alerts and Advisories
SI-6 - Security and Privacy Function Verification
SI-6(2) - Security and Privacy Function Verification | Automation Support for Distributed Testing
SI-6(3) - Security and Privacy Function Verification | Report Verification Results
SI-7 - Software, Firmware, and Information Integrity
SI-7(1) - Software, Firmware, and Information Integrity | Integrity Checks
SI-7(2) - Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations
SI-7(3) - Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools
SI-7(5) - Software, Firmware, and Information Integrity | Automated Response to Integrity Violations
SI-7(6) - Software, Firmware, and Information Integrity | Cryptographic Protection
SI-7(7) - Software, Firmware, and Information Integrity | Integration of Detection and Response
SI-7(8) - Software, Firmware, and Information Integrity | Auditing Capability for Significant Events
SI-7(9) - Software, Firmware, and Information Integrity | Verify Boot Process
SI-7(10) - Software, Firmware, and Information Integrity | Protection of Boot Firmware
SI-7(12) - Software, Firmware, and Information Integrity | Integrity Verification
SI-7(15) - Software, Firmware, and Information Integrity | Code Authentication
SI-7(16) - Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision
SI-7(17) - Software, Firmware, and Information Integrity | Runtime Application Self-protection
SI-8 - Spam Protection
SI-8(2) - Spam Protection | Automatic Updates
SI-8(3) - Spam Protection | Continuous Learning Capability
SI-10 - Information Input Validation
SI-10(1) - Information Input Validation | Manual Override Capability
SI-10(2) - Information Input Validation | Review and Resolve Errors
SI-10(3) - Information Input Validation | Predictable Behavior
SI-10(4) - Information Input Validation | Timing Interactions
SI-10(5) - Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats
SI-10(6) - Information Input Validation | Injection Prevention
SI-11 - Error Handling
SI-12 - Information Management and Retention
SI-12(1) - Information Management and Retention | Limit Personally Identifiable Information Elements
SI-12(2) - Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research
SI-12(3) - Information Management and Retention | Information Disposal
SI-13 - Predictable Failure Prevention
SI-13(1) - Predictable Failure Prevention | Transferring Component Responsibilities
SI-13(3) - Predictable Failure Prevention | Manual Transfer Between Components
SI-13(4) - Predictable Failure Prevention | Standby Component Installation and Notification
SI-13(5) - Predictable Failure Prevention | Failover Capability
SI-14 - Non-persistence
SI-14(1) - Non-persistence | Refresh from Trusted Sources
SI-14(2) - Non-persistence | Non-persistent Information
SI-14(3) - Non-persistence | Non-persistent Connectivity
SI-15 - Information Output Filtering
SI-16 - Memory Protection
SI-17 - Fail-safe Procedures
SI-18 - Personally Identifiable Information Quality Operations
SI-18(1) - Personally Identifiable Information Quality Operations | Automation Support
SI-18(2) - Personally Identifiable Information Quality Operations | Data Tags
SI-18(3) - Personally Identifiable Information Quality Operations | Collection
SI-18(4) - Personally Identifiable Information Quality Operations | Individual Requests
SI-18(5) - Personally Identifiable Information Quality Operations | Notice of Correction or Deletion
SI-19 - De-identification
SI-19(1) - De-identification | Collection
SI-19(2) - De-identification | Archiving
SI-19(3) - De-identification | Release
SI-19(4) - De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
SI-19(5) - De-identification | Statistical Disclosure Control
SI-19(6) - De-identification | Differential Privacy
SI-19(7) - De-identification | Validated Algorithms and Software
SI-19(8) - De-identification | Motivated Intruder
SI-20 - Tainting
SI-21 - Information Refresh
SI-22 - Information Diversity
SI-23 - Information Fragmentation
SR - Supply Chain Risk Management
SR-1 - Policy and Procedures
SR-2 - Supply Chain Risk Management Plan
SR-2(1) - Supply Chain Risk Management Plan | Establish Scrm Team
SR-3 - Supply Chain Controls and Processes
SR-3(1) - Supply Chain Controls and Processes | Diverse Supply Base
SR-3(2) - Supply Chain Controls and Processes | Limitation of Harm
SR-3(3) - Supply Chain Controls and Processes | Sub-tier Flow Down
SR-4 - Provenance
SR-4(1) - Provenance | Identity
SR-4(2) - Provenance | Track and Trace
SR-4(3) - Provenance | Validate as Genuine and Not Altered
SR-4(4) - Provenance | Supply Chain Integrity — Pedigree
SR-5 - Acquisition Strategies, Tools, and Methods
SR-5(1) - Acquisition Strategies, Tools, and Methods | Adequate Supply
SR-5(2) - Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update
SR-6 - Supplier Assessments and Reviews
SR-6(1) - Supplier Assessments and Reviews | Testing and Analysis
SR-7 - Supply Chain Operations Security
SR-8 - Notification Agreements
SR-9 - Tamper Resistance and Detection
SR-9(1) - Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle
SR-10 - Inspection of Systems or Components
SR-11 - Component Authenticity
SR-11(1) - Component Authenticity | Anti-counterfeit Training
SR-11(2) - Component Authenticity | Configuration Control for Component Service and Repair
SR-11(3) - Component Authenticity | Anti-counterfeit Scanning
SR-12 - Component Disposal
Home
NIST References
AU-16
1
AU-16(1) - Cross-organizational Audit Logging | Identity Preservation
Preserve the identity of individuals in cross-organizational audit trails.
Informational References
https://csf.tools/reference/nist-sp-800-53/r5/au/au-16/au-16-1/
ISO 27001
ID:
AU-16(1)
Enhancement of :
AU-16
Countermeasures Covered by Control
ID
Name
Description
D3FEND
Space Threats Tagged by Control
ID
Description
Sample Requirements
Requirement
Rationale/Additional Guidance/Notes
Related SPARTA Techniques and Sub-Techniques
ID
Name
Description
×