Tactics
Techniques
Countermeasures
Countermeasures
NIST References
ISO IEC 27001
D3FEND
Tactics
Technqiues
Artifacts
Resources
General Information
Getting Started
FAQ
Working with SPARTA
Updates
SPARTA Versions
Contribute
Related Work
Defense-in-Depth Space Systems
Threat Levels
Threats
Risk Assessment
Cybersecurity Protections for
Spacecraft: A Threat Based
Approach (pdf)
Tools
Navigator
Countermeasure Mapper
Notional Risk Scores
Search
NIST References
SP 800-53 Revision 5
AC - Access Control
AC-1 - Policy and Procedures
AC-2 - Account Management
AC-2(1) - Account Management | Automated System Account Management
AC-2(2) - Account Management | Automated Temporary and Emergency Account Management
AC-2(3) - Account Management | Disable Accounts
AC-2(4) - Account Management | Automated Audit Actions
AC-2(5) - Account Management | Inactivity Logout
AC-2(6) - Account Management | Dynamic Privilege Management
AC-2(7) - Account Management | Privileged User Accounts
AC-2(8) - Account Management | Dynamic Account Management
AC-2(9) - Account Management | Restrictions on Use of Shared and Group Accounts
AC-2(11) - Account Management | Usage Conditions
AC-2(12) - Account Management | Account Monitoring for Atypical Usage
AC-2(13) - Account Management | Disable Accounts for High-risk Individuals
AC-3 - Access Enforcement
AC-3(2) - Access Enforcement | Dual Authorization
AC-3(3) - Access Enforcement | Mandatory Access Control
AC-3(4) - Access Enforcement | Discretionary Access Control
AC-3(5) - Access Enforcement | Security-relevant Information
AC-3(7) - Access Enforcement | Role-based Access Control
AC-3(8) - Access Enforcement | Revocation of Access Authorizations
AC-3(9) - Access Enforcement | Controlled Release
AC-3(10) - Access Enforcement | Audited Override of Access Control Mechanisms
AC-3(11) - Access Enforcement | Restrict Access to Specific Information Types
AC-3(12) - Access Enforcement | Assert and Enforce Application Access
AC-3(13) - Access Enforcement | Attribute-based Access Control
AC-3(14) - Access Enforcement | Individual Access
AC-3(15) - Access Enforcement | Discretionary and Mandatory Access Control
AC-4 - Information Flow Enforcement
AC-4(1) - Information Flow Enforcement | Object Security and Privacy Attributes
AC-4(2) - Information Flow Enforcement | Processing Domains
AC-4(3) - Information Flow Enforcement | Dynamic Information Flow Control
AC-4(4) - Information Flow Enforcement | Flow Control of Encrypted Information
AC-4(5) - Information Flow Enforcement | Embedded Data Types
AC-4(6) - Information Flow Enforcement | Metadata
AC-4(7) - Information Flow Enforcement | One-way Flow Mechanisms
AC-4(8) - Information Flow Enforcement | Security and Privacy Policy Filters
AC-4(9) - Information Flow Enforcement | Human Reviews
AC-4(10) - Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters
AC-4(11) - Information Flow Enforcement | Configuration of Security or Privacy Policy Filters
AC-4(12) - Information Flow Enforcement | Data Type Identifiers
AC-4(13) - Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents
AC-4(14) - Information Flow Enforcement | Security or Privacy Policy Filter Constraints
AC-4(15) - Information Flow Enforcement | Detection of Unsanctioned Information
AC-4(17) - Information Flow Enforcement | Domain Authentication
AC-4(19) - Information Flow Enforcement | Validation of Metadata
AC-4(20) - Information Flow Enforcement | Approved Solutions
AC-4(21) - Information Flow Enforcement | Physical or Logical Separation of Information Flows
AC-4(22) - Information Flow Enforcement | Access Only
AC-4(23) - Information Flow Enforcement | Modify Non-releasable Information
AC-4(24) - Information Flow Enforcement | Internal Normalized Format
AC-4(25) - Information Flow Enforcement | Data Sanitization
AC-4(26) - Information Flow Enforcement | Audit Filtering Actions
AC-4(27) - Information Flow Enforcement | Redundant/independent Filtering Mechanisms
AC-4(28) - Information Flow Enforcement | Linear Filter Pipelines
AC-4(29) - Information Flow Enforcement | Filter Orchestration Engines
AC-4(30) - Information Flow Enforcement | Filter Mechanisms Using Multiple Processes
AC-4(31) - Information Flow Enforcement | Failed Content Transfer Prevention
AC-4(32) - Information Flow Enforcement | Process Requirements for Information Transfer
AC-5 - Separation of Duties
AC-6 - Least Privilege
AC-6(1) - Least Privilege | Authorize Access to Security Functions
AC-6(2) - Least Privilege | Non-privileged Access for Nonsecurity Functions
AC-6(3) - Least Privilege | Network Access to Privileged Commands
AC-6(4) - Least Privilege | Separate Processing Domains
AC-6(5) - Least Privilege | Privileged Accounts
AC-6(6) - Least Privilege | Privileged Access by Non-organizational Users
AC-6(7) - Least Privilege | Review of User Privileges
AC-6(8) - Least Privilege | Privilege Levels for Code Execution
AC-6(9) - Least Privilege | Log Use of Privileged Functions
AC-6(10) - Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions
AC-7 - Unsuccessful Logon Attempts
AC-7(2) - Unsuccessful Logon Attempts | Purge or Wipe Mobile Device
AC-7(3) - Unsuccessful Logon Attempts | Biometric Attempt Limiting
AC-7(4) - Unsuccessful Logon Attempts | Use of Alternate Authentication Factor
AC-8 - System Use Notification
AC-9 - Previous Logon Notification
AC-9(1) - Previous Logon Notification | Unsuccessful Logons
AC-9(2) - Previous Logon Notification | Successful and Unsuccessful Logons
AC-9(3) - Previous Logon Notification | Notification of Account Changes
AC-9(4) - Previous Logon Notification | Additional Logon Information
AC-10 - Concurrent Session Control
AC-11 - Device Lock
AC-11(1) - Device Lock | Pattern-hiding Displays
AC-12 - Session Termination
AC-12(1) - Session Termination | User-initiated Logouts
AC-12(2) - Session Termination | Termination Message
AC-12(3) - Session Termination | Timeout Warning Message
AC-14 - Permitted Actions Without Identification or Authentication
AC-16 - Security and Privacy Attributes
AC-16(1) - Security and Privacy Attributes | Dynamic Attribute Association
AC-16(2) - Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals
AC-16(3) - Security and Privacy Attributes | Maintenance of Attribute Associations by System
AC-16(4) - Security and Privacy Attributes | Association of Attributes by Authorized Individuals
AC-16(5) - Security and Privacy Attributes | Attribute Displays on Objects to Be Output
AC-16(6) - Security and Privacy Attributes | Maintenance of Attribute Association
AC-16(7) - Security and Privacy Attributes | Consistent Attribute Interpretation
AC-16(8) - Security and Privacy Attributes | Association Techniques and Technologies
AC-16(9) - Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms
AC-16(10) - Security and Privacy Attributes | Attribute Configuration by Authorized Individuals
AC-17 - Remote Access
AC-17(1) - Remote Access | Monitoring and Control
AC-17(2) - Remote Access | Protection of Confidentiality and Integrity Using Encryption
AC-17(3) - Remote Access | Managed Access Control Points
AC-17(4) - Remote Access | Privileged Commands and Access
AC-17(6) - Remote Access | Protection of Mechanism Information
AC-17(9) - Remote Access | Disconnect or Disable Access
AC-17(10) - Remote Access | Authenticate Remote Commands
AC-18 - Wireless Access
AC-18(1) - Wireless Access | Authentication and Encryption
AC-18(3) - Wireless Access | Disable Wireless Networking
AC-18(4) - Wireless Access | Restrict Configurations by Users
AC-18(5) - Wireless Access | Antennas and Transmission Power Levels
AC-19 - Access Control for Mobile Devices
AC-19(4) - Access Control for Mobile Devices | Restrictions for Classified Information
AC-19(5) - Access Control for Mobile Devices | Full Device or Container-based Encryption
AC-20 - Use of External Systems
AC-20(1) - Use of External Systems | Limits on Authorized Use
AC-20(2) - Use of External Systems | Portable Storage Devices — Restricted Use
AC-20(3) - Use of External Systems | Non-organizationally Owned Systems — Restricted Use
AC-20(4) - Use of External Systems | Network Accessible Storage Devices — Prohibited Use
AC-20(5) - Use of External Systems | Portable Storage Devices — Prohibited Use
AC-21 - Information Sharing
AC-21(1) - Information Sharing | Automated Decision Support
AC-21(2) - Information Sharing | Information Search and Retrieval
AC-22 - Publicly Accessible Content
AC-23 - Data Mining Protection
AC-24 - Access Control Decisions
AC-24(1) - Access Control Decisions | Transmit Access Authorization Information
AC-24(2) - Access Control Decisions | No User or Process Identity
AC-25 - Reference Monitor
AT - Awareness and Training
AT-1 - Policy and Procedures
AT-2 - Literacy Training and Awareness
AT-2(1) - Literacy Training and Awareness | Practical Exercises
AT-2(2) - Literacy Training and Awareness | Insider Threat
AT-2(3) - Literacy Training and Awareness | Social Engineering and Mining
AT-2(4) - Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior
AT-2(5) - Literacy Training and Awareness | Advanced Persistent Threat
AT-2(6) - Literacy Training and Awareness | Cyber Threat Environment
AT-3 - Role-based Training
AT-3(1) - Role-based Training | Environmental Controls
AT-3(2) - Role-based Training | Physical Security Controls
AT-3(3) - Role-based Training | Practical Exercises
AT-3(5) - Role-based Training | Processing Personally Identifiable Information
AT-4 - Training Records
AT-6 - Training Feedback
AU - Audit and Accountability
AU-1 - Policy and Procedures
AU-2 - Event Logging
AU-3 - Content of Audit Records
AU-3(1) - Content of Audit Records | Additional Audit Information
AU-3(3) - Content of Audit Records | Limit Personally Identifiable Information Elements
AU-4 - Audit Log Storage Capacity
AU-4(1) - Audit Log Storage Capacity | Transfer to Alternate Storage
AU-5 - Response to Audit Logging Process Failures
AU-5(1) - Response to Audit Logging Process Failures | Storage Capacity Warning
AU-5(2) - Response to Audit Logging Process Failures | Real-time Alerts
AU-5(3) - Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds
AU-5(4) - Response to Audit Logging Process Failures | Shutdown on Failure
AU-5(5) - Response to Audit Logging Process Failures | Alternate Audit Logging Capability
AU-6 - Audit Record Review, Analysis, and Reporting
AU-6(1) - Audit Record Review, Analysis, and Reporting | Automated Process Integration
AU-6(3) - Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories
AU-6(4) - Audit Record Review, Analysis, and Reporting | Central Review and Analysis
AU-6(5) - Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records
AU-6(6) - Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring
AU-6(7) - Audit Record Review, Analysis, and Reporting | Permitted Actions
AU-6(8) - Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands
AU-6(9) - Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources
AU-7 - Audit Record Reduction and Report Generation
AU-7(1) - Audit Record Reduction and Report Generation | Automatic Processing
AU-8 - Time Stamps
AU-9 - Protection of Audit Information
AU-9(1) - Protection of Audit Information | Hardware Write-once Media
AU-9(2) - Protection of Audit Information | Store on Separate Physical Systems or Components
AU-9(3) - Protection of Audit Information | Cryptographic Protection
AU-9(4) - Protection of Audit Information | Access by Subset of Privileged Users
AU-9(5) - Protection of Audit Information | Dual Authorization
AU-9(6) - Protection of Audit Information | Read-only Access
AU-9(7) - Protection of Audit Information | Store on Component with Different Operating System
AU-10 - Non-repudiation
AU-10(1) - Non-repudiation | Association of Identities
AU-10(2) - Non-repudiation | Validate Binding of Information Producer Identity
AU-10(3) - Non-repudiation | Chain of Custody
AU-10(4) - Non-repudiation | Validate Binding of Information Reviewer Identity
AU-11 - Audit Record Retention
AU-11(1) - Audit Record Retention | Long-term Retrieval Capability
AU-12 - Audit Record Generation
AU-12(1) - Audit Record Generation | System-wide and Time-correlated Audit Trail
AU-12(2) - Audit Record Generation | Standardized Formats
AU-12(3) - Audit Record Generation | Changes by Authorized Individuals
AU-12(4) - Audit Record Generation | Query Parameter Audits of Personally Identifiable Information
AU-13 - Monitoring for Information Disclosure
AU-13(1) - Monitoring for Information Disclosure | Use of Automated Tools
AU-13(2) - Monitoring for Information Disclosure | Review of Monitored Sites
AU-13(3) - Monitoring for Information Disclosure | Unauthorized Replication of Information
AU-14 - Session Audit
AU-14(1) - Session Audit | System Start-up
AU-14(3) - Session Audit | Remote Viewing and Listening
AU-16 - Cross-organizational Audit Logging
AU-16(1) - Cross-organizational Audit Logging | Identity Preservation
AU-16(2) - Cross-organizational Audit Logging | Sharing of Audit Information
AU-16(3) - Cross-organizational Audit Logging | Disassociability
CA - Assessment, Authorization, and Monitoring
CA-1 - Policy and Procedures
CA-2 - Control Assessments
CA-2(1) - Control Assessments | Independent Assessors
CA-2(2) - Control Assessments | Specialized Assessments
CA-2(3) - Control Assessments | Leveraging Results from External Organizations
CA-3 - Information Exchange
CA-3(6) - Information Exchange | Transfer Authorizations
CA-3(7) - Information Exchange | Transitive Information Exchanges
CA-5 - Plan of Action and Milestones
CA-5(1) - Plan of Action and Milestones | Automation Support for Accuracy and Currency
CA-6 - Authorization
CA-6(1) - Authorization | Joint Authorization — Intra-organization
CA-6(2) - Authorization | Joint Authorization — Inter-organization
CA-7 - Continuous Monitoring
CA-7(1) - Continuous Monitoring | Independent Assessment
CA-7(3) - Continuous Monitoring | Trend Analyses
CA-7(4) - Continuous Monitoring | Risk Monitoring
CA-7(5) - Continuous Monitoring | Consistency Analysis
CA-7(6) - Continuous Monitoring | Automation Support for Monitoring
CA-8 - Penetration Testing
CA-8(1) - Penetration Testing | Independent Penetration Testing Agent or Team
CA-8(2) - Penetration Testing | Red Team Exercises
CA-8(3) - Penetration Testing | Facility Penetration Testing
CA-9 - Internal System Connections
CA-9(1) - Internal System Connections | Compliance Checks
CM - Configuration Management
CM-1 - Policy and Procedures
CM-2 - Baseline Configuration
CM-2(2) - Baseline Configuration | Automation Support for Accuracy and Currency
CM-2(3) - Baseline Configuration | Retention of Previous Configurations
CM-2(6) - Baseline Configuration | Development and Test Environments
CM-2(7) - Baseline Configuration | Configure Systems and Components for High-risk Areas
CM-3 - Configuration Change Control
CM-3(1) - Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes
CM-3(2) - Configuration Change Control | Testing, Validation, and Documentation of Changes
CM-3(3) - Configuration Change Control | Automated Change Implementation
CM-3(4) - Configuration Change Control | Security and Privacy Representatives
CM-3(5) - Configuration Change Control | Automated Security Response
CM-3(6) - Configuration Change Control | Cryptography Management
CM-3(7) - Configuration Change Control | Review System Changes
CM-3(8) - Configuration Change Control | Prevent or Restrict Configuration Changes
CM-4 - Impact Analyses
CM-4(1) - Impact Analyses | Separate Test Environments
CM-4(2) - Impact Analyses | Verification of Controls
CM-5 - Access Restrictions for Change
CM-5(1) - Access Restrictions for Change | Automated Access Enforcement and Audit Records
CM-5(4) - Access Restrictions for Change | Dual Authorization
CM-5(5) - Access Restrictions for Change | Privilege Limitation for Production and Operation
CM-5(6) - Access Restrictions for Change | Limit Library Privileges
CM-6 - Configuration Settings
CM-6(1) - Configuration Settings | Automated Management, Application, and Verification
CM-6(2) - Configuration Settings | Respond to Unauthorized Changes
CM-7 - Least Functionality
CM-7(1) - Least Functionality | Periodic Review
CM-7(2) - Least Functionality | Prevent Program Execution
CM-7(3) - Least Functionality | Registration Compliance
CM-7(4) - Least Functionality | Unauthorized Software
CM-7(5) - Least Functionality | Authorized Software
CM-7(6) - Least Functionality | Confined Environments with Limited Privileges
CM-7(7) - Least Functionality | Code Execution in Protected Environments
CM-7(8) - Least Functionality | Binary or Machine Executable Code
CM-7(9) - Least Functionality | Prohibiting The Use of Unauthorized Hardware
CM-8 - System Component Inventory
CM-8(1) - System Component Inventory | Updates During Installation and Removal
CM-8(2) - System Component Inventory | Automated Maintenance
CM-8(3) - System Component Inventory | Automated Unauthorized Component Detection
CM-8(4) - System Component Inventory | Accountability Information
CM-8(6) - System Component Inventory | Assessed Configurations and Approved Deviations
CM-8(7) - System Component Inventory | Centralized Repository
CM-8(8) - System Component Inventory | Automated Location Tracking
CM-8(9) - System Component Inventory | Assignment of Components to Systems
CM-9 - Configuration Management Plan
CM-9(1) - Configuration Management Plan | Assignment of Responsibility
CM-10 - Software Usage Restrictions
CM-10(1) - Software Usage Restrictions | Open-source Software
CM-11 - User-installed Software
CM-11(2) - User-installed Software | Software Installation with Privileged Status
CM-11(3) - User-installed Software | Automated Enforcement and Monitoring
CM-12 - Information Location
CM-12(1) - Information Location | Automated Tools to Support Information Location
CM-13 - Data Action Mapping
CM-14 - Signed Components
CP - Contingency Planning
CP-1 - Policy and Procedures
CP-2 - Contingency Plan
CP-2(1) - Contingency Plan | Coordinate with Related Plans
CP-2(2) - Contingency Plan | Capacity Planning
CP-2(3) - Contingency Plan | Resume Mission and Business Functions
CP-2(5) - Contingency Plan | Continue Mission and Business Functions
CP-2(6) - Contingency Plan | Alternate Processing and Storage Sites
CP-2(7) - Contingency Plan | Coordinate with External Service Providers
CP-2(8) - Contingency Plan | Identify Critical Assets
CP-3 - Contingency Training
CP-3(1) - Contingency Training | Simulated Events
CP-3(2) - Contingency Training | Mechanisms Used in Training Environments
CP-4 - Contingency Plan Testing
CP-4(1) - Contingency Plan Testing | Coordinate with Related Plans
CP-4(2) - Contingency Plan Testing | Alternate Processing Site
CP-4(3) - Contingency Plan Testing | Automated Testing
CP-4(4) - Contingency Plan Testing | Full Recovery and Reconstitution
CP-4(5) - Contingency Plan Testing | Self-challenge
CP-6 - Alternate Storage Site
CP-6(1) - Alternate Storage Site | Separation from Primary Site
CP-6(2) - Alternate Storage Site | Recovery Time and Recovery Point Objectives
CP-6(3) - Alternate Storage Site | Accessibility
CP-7 - Alternate Processing Site
CP-7(1) - Alternate Processing Site | Separation from Primary Site
CP-7(2) - Alternate Processing Site | Accessibility
CP-7(3) - Alternate Processing Site | Priority of Service
CP-7(4) - Alternate Processing Site | Preparation for Use
CP-7(6) - Alternate Processing Site | Inability to Return to Primary Site
CP-8 - Telecommunications Services
CP-8(1) - Telecommunications Services | Priority of Service Provisions
CP-8(2) - Telecommunications Services | Single Points of Failure
CP-8(3) - Telecommunications Services | Separation of Primary and Alternate Providers
CP-8(4) - Telecommunications Services | Provider Contingency Plan
CP-8(5) - Telecommunications Services | Alternate Telecommunication Service Testing
CP-9 - System Backup
CP-9(1) - System Backup | Testing for Reliability and Integrity
CP-9(2) - System Backup | Test Restoration Using Sampling
CP-9(3) - System Backup | Separate Storage for Critical Information
CP-9(5) - System Backup | Transfer to Alternate Storage Site
CP-9(6) - System Backup | Redundant Secondary System
CP-9(7) - System Backup | Dual Authorization
CP-9(8) - System Backup | Cryptographic Protection
CP-10 - System Recovery and Reconstitution
CP-10(2) - System Recovery and Reconstitution | Transaction Recovery
CP-10(4) - System Recovery and Reconstitution | Restore Within Time Period
CP-10(6) - System Recovery and Reconstitution | Component Protection
CP-11 - Alternate Communications Protocols
CP-12 - Safe Mode
CP-13 - Alternative Security Mechanisms
IA - Identification and Authentication
IA-1 - Policy and Procedures
IA-2 - Identification and Authentication (organizational Users)
IA-2(1) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts
IA-2(2) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts
IA-2(5) - Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication
IA-2(6) - Identification and Authentication (organizational Users) | Access to Accounts — Separate Device
IA-2(8) - Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant
IA-2(10) - Identification and Authentication (organizational Users) | Single Sign-on
IA-2(12) - Identification and Authentication (organizational Users) | Acceptance of PIV Credentials
IA-2(13) - Identification and Authentication (organizational Users) | Out-of-band Authentication
IA-3 - Device Identification and Authentication
IA-3(1) - Device Identification and Authentication | Cryptographic Bidirectional Authentication
IA-3(3) - Device Identification and Authentication | Dynamic Address Allocation
IA-3(4) - Device Identification and Authentication | Device Attestation
IA-4 - Identifier Management
IA-4(1) - Identifier Management | Prohibit Account Identifiers as Public Identifiers
IA-4(4) - Identifier Management | Identify User Status
IA-4(5) - Identifier Management | Dynamic Management
IA-4(6) - Identifier Management | Cross-organization Management
IA-4(8) - Identifier Management | Pairwise Pseudonymous Identifiers
IA-4(9) - Identifier Management | Attribute Maintenance and Protection
IA-5 - Authenticator Management
IA-5(1) - Authenticator Management | Password-based Authentication
IA-5(2) - Authenticator Management | Public Key-based Authentication
IA-5(5) - Authenticator Management | Change Authenticators Prior to Delivery
IA-5(6) - Authenticator Management | Protection of Authenticators
IA-5(7) - Authenticator Management | No Embedded Unencrypted Static Authenticators
IA-5(8) - Authenticator Management | Multiple System Accounts
IA-5(9) - Authenticator Management | Federated Credential Management
IA-5(10) - Authenticator Management | Dynamic Credential Binding
IA-5(12) - Authenticator Management | Biometric Authentication Performance
IA-5(13) - Authenticator Management | Expiration of Cached Authenticators
IA-5(14) - Authenticator Management | Managing Content of PKI Trust Stores
IA-5(15) - Authenticator Management | Gsa-approved Products and Services
IA-5(16) - Authenticator Management | In-person or Trusted External Party Authenticator Issuance
IA-5(17) - Authenticator Management | Presentation Attack Detection for Biometric Authenticators
IA-5(18) - Authenticator Management | Password Managers
IA-6 - Authentication Feedback
IA-7 - Cryptographic Module Authentication
IA-8 - Identification and Authentication (non-organizational Users)
IA-8(1) - Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies
IA-8(2) - Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators
IA-8(4) - Identification and Authentication (non-organizational Users) | Use of Defined Profiles
IA-8(5) - Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials
IA-8(6) - Identification and Authentication (non-organizational Users) | Disassociability
IA-9 - Service Identification and Authentication
IA-10 - Adaptive Authentication
IA-11 - Re-authentication
IA-12 - Identity Proofing
IA-12(1) - Identity Proofing | Supervisor Authorization
IA-12(2) - Identity Proofing | Identity Evidence
IA-12(3) - Identity Proofing | Identity Evidence Validation and Verification
IA-12(4) - Identity Proofing | In-person Validation and Verification
IA-12(5) - Identity Proofing | Address Confirmation
IA-12(6) - Identity Proofing | Accept Externally-proofed Identities
IR - Incident Response
IR-1 - Policy and Procedures
IR-2 - Incident Response Training
IR-2(1) - Incident Response Training | Simulated Events
IR-2(2) - Incident Response Training | Automated Training Environments
IR-2(3) - Incident Response Training | Breach
IR-3 - Incident Response Testing
IR-3(1) - Incident Response Testing | Automated Testing
IR-3(2) - Incident Response Testing | Coordination with Related Plans
IR-3(3) - Incident Response Testing | Continuous Improvement
IR-4 - Incident Handling
IR-4(1) - Incident Handling | Automated Incident Handling Processes
IR-4(2) - Incident Handling | Dynamic Reconfiguration
IR-4(3) - Incident Handling | Continuity of Operations
IR-4(4) - Incident Handling | Information Correlation
IR-4(5) - Incident Handling | Automatic Disabling of System
IR-4(6) - Incident Handling | Insider Threats
IR-4(7) - Incident Handling | Insider Threats — Intra-organization Coordination
IR-4(8) - Incident Handling | Correlation with External Organizations
IR-4(9) - Incident Handling | Dynamic Response Capability
IR-4(10) - Incident Handling | Supply Chain Coordination
IR-4(11) - Incident Handling | Integrated Incident Response Team
IR-4(12) - Incident Handling | Malicious Code and Forensic Analysis
IR-4(13) - Incident Handling | Behavior Analysis
IR-4(14) - Incident Handling | Security Operations Center
IR-4(15) - Incident Handling | Public Relations and Reputation Repair
IR-5 - Incident Monitoring
IR-5(1) - Incident Monitoring | Automated Tracking, Data Collection, and Analysis
IR-6 - Incident Reporting
IR-6(1) - Incident Reporting | Automated Reporting
IR-6(2) - Incident Reporting | Vulnerabilities Related to Incidents
IR-6(3) - Incident Reporting | Supply Chain Coordination
IR-7 - Incident Response Assistance
IR-7(1) - Incident Response Assistance | Automation Support for Availability of Information and Support
IR-7(2) - Incident Response Assistance | Coordination with External Providers
IR-8 - Incident Response Plan
IR-8(1) - Incident Response Plan | Breaches
IR-9 - Information Spillage Response
IR-9(2) - Information Spillage Response | Training
IR-9(3) - Information Spillage Response | Post-spill Operations
IR-9(4) - Information Spillage Response | Exposure to Unauthorized Personnel
MA - Maintenance
MA-1 - Policy and Procedures
MA-2 - Controlled Maintenance
MA-2(2) - Controlled Maintenance | Automated Maintenance Activities
MA-3 - Maintenance Tools
MA-3(1) - Maintenance Tools | Inspect Tools
MA-3(2) - Maintenance Tools | Inspect Media
MA-3(3) - Maintenance Tools | Prevent Unauthorized Removal
MA-3(4) - Maintenance Tools | Restricted Tool Use
MA-3(5) - Maintenance Tools | Execution with Privilege
MA-3(6) - Maintenance Tools | Software Updates and Patches
MA-4 - Nonlocal Maintenance
MA-4(1) - Nonlocal Maintenance | Logging and Review
MA-4(3) - Nonlocal Maintenance | Comparable Security and Sanitization
MA-4(4) - Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions
MA-4(5) - Nonlocal Maintenance | Approvals and Notifications
MA-4(6) - Nonlocal Maintenance | Cryptographic Protection
MA-4(7) - Nonlocal Maintenance | Disconnect Verification
MA-5 - Maintenance Personnel
MA-5(1) - Maintenance Personnel | Individuals Without Appropriate Access
MA-5(2) - Maintenance Personnel | Security Clearances for Classified Systems
MA-5(3) - Maintenance Personnel | Citizenship Requirements for Classified Systems
MA-5(4) - Maintenance Personnel | Foreign Nationals
MA-5(5) - Maintenance Personnel | Non-system Maintenance
MA-6 - Timely Maintenance
MA-6(1) - Timely Maintenance | Preventive Maintenance
MA-6(2) - Timely Maintenance | Predictive Maintenance
MA-6(3) - Timely Maintenance | Automated Support for Predictive Maintenance
MA-7 - Field Maintenance
MP - Media Protection
MP-1 - Policy and Procedures
MP-2 - Media Access
MP-3 - Media Marking
MP-4 - Media Storage
MP-4(2) - Media Storage | Automated Restricted Access
MP-5 - Media Transport
MP-5(3) - Media Transport | Custodians
MP-6 - Media Sanitization
MP-6(1) - Media Sanitization | Review, Approve, Track, Document, and Verify
MP-6(2) - Media Sanitization | Equipment Testing
MP-6(3) - Media Sanitization | Nondestructive Techniques
MP-6(7) - Media Sanitization | Dual Authorization
MP-6(8) - Media Sanitization | Remote Purging or Wiping of Information
MP-7 - Media Use
MP-7(2) - Media Use | Prohibit Use of Sanitization-resistant Media
MP-8 - Media Downgrading
MP-8(1) - Media Downgrading | Documentation of Process
MP-8(2) - Media Downgrading | Equipment Testing
MP-8(3) - Media Downgrading | Controlled Unclassified Information
MP-8(4) - Media Downgrading | Classified Information
PE - Physical and Environmental Protection
PE-1 - Policy and Procedures
PE-2 - Physical Access Authorizations
PE-2(1) - Physical Access Authorizations | Access by Position or Role
PE-2(2) - Physical Access Authorizations | Two Forms of Identification
PE-2(3) - Physical Access Authorizations | Restrict Unescorted Access
PE-3 - Physical Access Control
PE-3(1) - Physical Access Control | System Access
PE-3(2) - Physical Access Control | Facility and Systems
PE-3(3) - Physical Access Control | Continuous Guards
PE-3(4) - Physical Access Control | Lockable Casings
PE-3(5) - Physical Access Control | Tamper Protection
PE-3(7) - Physical Access Control | Physical Barriers
PE-3(8) - Physical Access Control | Access Control Vestibules
PE-4 - Access Control for Transmission
PE-5 - Access Control for Output Devices
PE-5(2) - Access Control for Output Devices | Link to Individual Identity
PE-6 - Monitoring Physical Access
PE-6(1) - Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
PE-6(2) - Monitoring Physical Access | Automated Intrusion Recognition and Responses
PE-6(3) - Monitoring Physical Access | Video Surveillance
PE-6(4) - Monitoring Physical Access | Monitoring Physical Access to Systems
PE-8 - Visitor Access Records
PE-8(1) - Visitor Access Records | Automated Records Maintenance and Review
PE-8(3) - Visitor Access Records | Limit Personally Identifiable Information Elements
PE-9 - Power Equipment and Cabling
PE-9(1) - Power Equipment and Cabling | Redundant Cabling
PE-9(2) - Power Equipment and Cabling | Automatic Voltage Controls
PE-10 - Emergency Shutoff
PE-11 - Emergency Power
PE-11(1) - Emergency Power | Alternate Power Supply — Minimal Operational Capability
PE-11(2) - Emergency Power | Alternate Power Supply — Self-contained
PE-12 - Emergency Lighting
PE-12(1) - Emergency Lighting | Essential Mission and Business Functions
PE-13 - Fire Protection
PE-13(1) - Fire Protection | Detection Systems – Automatic Activation and Notification
PE-13(2) - Fire Protection | Suppression Systems – Automatic Activation and Notification
PE-13(4) - Fire Protection | Inspections
PE-14 - Environmental Controls
PE-14(1) - Environmental Controls | Automatic Controls
PE-14(2) - Environmental Controls | Monitoring with Alarms and Notifications
PE-15 - Water Damage Protection
PE-15(1) - Water Damage Protection | Automation Support
PE-16 - Delivery and Removal
PE-17 - Alternate Work Site
PE-18 - Location of System Components
PE-19 - Information Leakage
PE-19(1) - Information Leakage | National Emissions and Tempest Policies and Procedures
PE-20 - Asset Monitoring and Tracking
PE-21 - Electromagnetic Pulse Protection
PE-22 - Component Marking
PE-23 - Facility Location
PL - Planning
PL-1 - Policy and Procedures
PL-2 - System Security and Privacy Plans
PL-4 - Rules of Behavior
PL-4(1) - Rules of Behavior | Social Media and External Site/application Usage Restrictions
PL-7 - Concept of Operations
PL-8 - Security and Privacy Architectures
PL-8(1) - Security and Privacy Architectures | Defense in Depth
PL-8(2) - Security and Privacy Architectures | Supplier Diversity
PL-9 - Central Management
PL-10 - Baseline Selection
PL-11 - Baseline Tailoring
PM - Program Management
PM-1 - Information Security Program Plan
PM-2 - Information Security Program Leadership Role
PM-3 - Information Security and Privacy Resources
PM-4 - Plan of Action and Milestones Process
PM-5 - System Inventory
PM-5(1) - System Inventory | Inventory of Personally Identifiable Information
PM-6 - Measures of Performance
PM-7 - Enterprise Architecture
PM-7(1) - Enterprise Architecture | Offloading
PM-8 - Critical Infrastructure Plan
PM-9 - Risk Management Strategy
PM-10 - Authorization Process
PM-11 - Mission and Business Process Definition
PM-12 - Insider Threat Program
PM-13 - Security and Privacy Workforce
PM-14 - Testing, Training, and Monitoring
PM-15 - Security and Privacy Groups and Associations
PM-16 - Threat Awareness Program
PM-16(1) - Threat Awareness Program | Automated Means for Sharing Threat Intelligence
PM-17 - Protecting Controlled Unclassified Information on External Systems
PM-18 - Privacy Program Plan
PM-19 - Privacy Program Leadership Role
PM-20 - Dissemination of Privacy Program Information
PM-20(1) - Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services
PM-21 - Accounting of Disclosures
PM-22 - Personally Identifiable Information Quality Management
PM-23 - Data Governance Body
PM-24 - Data Integrity Board
PM-25 - Minimization of Personally Identifiable Information Used in Testing, Training, and Research
PM-26 - Complaint Management
PM-27 - Privacy Reporting
PM-28 - Risk Framing
PM-29 - Risk Management Program Leadership Roles
PM-30 - Supply Chain Risk Management Strategy
PM-30(1) - Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items
PM-31 - Continuous Monitoring Strategy
PM-32 - Purposing
PS - Personnel Security
PS-1 - Policy and Procedures
PS-2 - Position Risk Designation
PS-3 - Personnel Screening
PS-3(1) - Personnel Screening | Classified Information
PS-3(2) - Personnel Screening | Formal Indoctrination
PS-3(3) - Personnel Screening | Information with Special Protective Measures
PS-3(4) - Personnel Screening | Citizenship Requirements
PS-4 - Personnel Termination
PS-4(1) - Personnel Termination | Post-employment Requirements
PS-4(2) - Personnel Termination | Automated Actions
PS-5 - Personnel Transfer
PS-6 - Access Agreements
PS-6(2) - Access Agreements | Classified Information Requiring Special Protection
PS-6(3) - Access Agreements | Post-employment Requirements
PS-7 - External Personnel Security
PS-8 - Personnel Sanctions
PS-9 - Position Descriptions
PT - Personally Identifiable Information Processing and Transparency
PT-1 - Policy and Procedures
PT-2 - Authority to Process Personally Identifiable Information
PT-2(1) - Authority to Process Personally Identifiable Information | Data Tagging
PT-2(2) - Authority to Process Personally Identifiable Information | Automation
PT-3 - Personally Identifiable Information Processing Purposes
PT-3(1) - Personally Identifiable Information Processing Purposes | Data Tagging
PT-3(2) - Personally Identifiable Information Processing Purposes | Automation
PT-4 - Consent
PT-4(1) - Consent | Tailored Consent
PT-4(2) - Consent | Just-in-time Consent
PT-4(3) - Consent | Revocation
PT-5 - Privacy Notice
PT-5(1) - Privacy Notice | Just-in-time Notice
PT-5(2) - Privacy Notice | Privacy Act Statements
PT-6 - System of Records Notice
PT-6(1) - System of Records Notice | Routine Uses
PT-6(2) - System of Records Notice | Exemption Rules
PT-7 - Specific Categories of Personally Identifiable Information
PT-7(1) - Specific Categories of Personally Identifiable Information | Social Security Numbers
PT-7(2) - Specific Categories of Personally Identifiable Information | First Amendment Information
PT-8 - Computer Matching Requirements
RA - Risk Assessment
RA-1 - Policy and Procedures
RA-2 - Security Categorization
RA-2(1) - Security Categorization | Impact-level Prioritization
RA-3 - Risk Assessment
RA-3(1) - Risk Assessment | Supply Chain Risk Assessment
RA-3(2) - Risk Assessment | Use of All-source Intelligence
RA-3(3) - Risk Assessment | Dynamic Threat Awareness
RA-3(4) - Risk Assessment | Predictive Cyber Analytics
RA-5 - Vulnerability Monitoring and Scanning
RA-5(2) - Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
RA-5(3) - Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage
RA-5(4) - Vulnerability Monitoring and Scanning | Discoverable Information
RA-5(5) - Vulnerability Monitoring and Scanning | Privileged Access
RA-5(6) - Vulnerability Monitoring and Scanning | Automated Trend Analyses
RA-5(8) - Vulnerability Monitoring and Scanning | Review Historic Audit Logs
RA-5(10) - Vulnerability Monitoring and Scanning | Correlate Scanning Information
RA-5(11) - Vulnerability Monitoring and Scanning | Public Disclosure Program
RA-6 - Technical Surveillance Countermeasures Survey
RA-7 - Risk Response
RA-8 - Privacy Impact Assessments
RA-9 - Criticality Analysis
RA-10 - Threat Hunting
SA - System and Services Acquisition
SA-1 - Policy and Procedures
SA-2 - Allocation of Resources
SA-3 - System Development Life Cycle
SA-3(1) - System Development Life Cycle | Manage Preproduction Environment
SA-3(2) - System Development Life Cycle | Use of Live or Operational Data
SA-3(3) - System Development Life Cycle | Technology Refresh
SA-4 - Acquisition Process
SA-4(1) - Acquisition Process | Functional Properties of Controls
SA-4(2) - Acquisition Process | Design and Implementation Information for Controls
SA-4(3) - Acquisition Process | Development Methods, Techniques, and Practices
SA-4(5) - Acquisition Process | System, Component, and Service Configurations
SA-4(6) - Acquisition Process | Use of Information Assurance Products
SA-4(7) - Acquisition Process | Niap-approved Protection Profiles
SA-4(8) - Acquisition Process | Continuous Monitoring Plan for Controls
SA-4(9) - Acquisition Process | Functions, Ports, Protocols, and Services in Use
SA-4(10) - Acquisition Process | Use of Approved PIV Products
SA-4(11) - Acquisition Process | System of Records
SA-4(12) - Acquisition Process | Data Ownership
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-8(1) - Security and Privacy Engineering Principles | Clear Abstractions
SA-8(2) - Security and Privacy Engineering Principles | Least Common Mechanism
SA-8(3) - Security and Privacy Engineering Principles | Modularity and Layering
SA-8(4) - Security and Privacy Engineering Principles | Partially Ordered Dependencies
SA-8(5) - Security and Privacy Engineering Principles | Efficiently Mediated Access
SA-8(6) - Security and Privacy Engineering Principles | Minimized Sharing
SA-8(7) - Security and Privacy Engineering Principles | Reduced Complexity
SA-8(8) - Security and Privacy Engineering Principles | Secure Evolvability
SA-8(9) - Security and Privacy Engineering Principles | Trusted Components
SA-8(10) - Security and Privacy Engineering Principles | Hierarchical Trust
SA-8(11) - Security and Privacy Engineering Principles | Inverse Modification Threshold
SA-8(12) - Security and Privacy Engineering Principles | Hierarchical Protection
SA-8(13) - Security and Privacy Engineering Principles | Minimized Security Elements
SA-8(14) - Security and Privacy Engineering Principles | Least Privilege
SA-8(15) - Security and Privacy Engineering Principles | Predicate Permission
SA-8(16) - Security and Privacy Engineering Principles | Self-reliant Trustworthiness
SA-8(17) - Security and Privacy Engineering Principles | Secure Distributed Composition
SA-8(18) - Security and Privacy Engineering Principles | Trusted Communications Channels
SA-8(19) - Security and Privacy Engineering Principles | Continuous Protection
SA-8(20) - Security and Privacy Engineering Principles | Secure Metadata Management
SA-8(21) - Security and Privacy Engineering Principles | Self-analysis
SA-8(22) - Security and Privacy Engineering Principles | Accountability and Traceability
SA-8(23) - Security and Privacy Engineering Principles | Secure Defaults
SA-8(24) - Security and Privacy Engineering Principles | Secure Failure and Recovery
SA-8(25) - Security and Privacy Engineering Principles | Economic Security
SA-8(26) - Security and Privacy Engineering Principles | Performance Security
SA-8(27) - Security and Privacy Engineering Principles | Human Factored Security
SA-8(28) - Security and Privacy Engineering Principles | Acceptable Security
SA-8(29) - Security and Privacy Engineering Principles | Repeatable and Documented Procedures
SA-8(30) - Security and Privacy Engineering Principles | Procedural Rigor
SA-8(31) - Security and Privacy Engineering Principles | Secure System Modification
SA-8(32) - Security and Privacy Engineering Principles | Sufficient Documentation
SA-8(33) - Security and Privacy Engineering Principles | Minimization
SA-9 - External System Services
SA-9(1) - External System Services | Risk Assessments and Organizational Approvals
SA-9(2) - External System Services | Identification of Functions, Ports, Protocols, and Services
SA-9(3) - External System Services | Establish and Maintain Trust Relationship with Providers
SA-9(4) - External System Services | Consistent Interests of Consumers and Providers
SA-9(5) - External System Services | Processing, Storage, and Service Location
SA-9(6) - External System Services | Organization-controlled Cryptographic Keys
SA-9(7) - External System Services | Organization-controlled Integrity Checking
SA-9(8) - External System Services | Processing and Storage Location — U.s. Jurisdiction
SA-10 - Developer Configuration Management
SA-10(1) - Developer Configuration Management | Software and Firmware Integrity Verification
SA-10(2) - Developer Configuration Management | Alternative Configuration Management
SA-10(3) - Developer Configuration Management | Hardware Integrity Verification
SA-10(4) - Developer Configuration Management | Trusted Generation
SA-10(5) - Developer Configuration Management | Mapping Integrity for Version Control
SA-10(6) - Developer Configuration Management | Trusted Distribution
SA-10(7) - Developer Configuration Management | Security and Privacy Representatives
SA-11 - Developer Testing and Evaluation
SA-11(1) - Developer Testing and Evaluation | Static Code Analysis
SA-11(2) - Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
SA-11(3) - Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence
SA-11(4) - Developer Testing and Evaluation | Manual Code Reviews
SA-11(5) - Developer Testing and Evaluation | Penetration Testing
SA-11(6) - Developer Testing and Evaluation | Attack Surface Reviews
SA-11(7) - Developer Testing and Evaluation | Verify Scope of Testing and Evaluation
SA-11(8) - Developer Testing and Evaluation | Dynamic Code Analysis
SA-11(9) - Developer Testing and Evaluation | Interactive Application Security Testing
SA-15 - Development Process, Standards, and Tools
SA-15(1) - Development Process, Standards, and Tools | Quality Metrics
SA-15(2) - Development Process, Standards, and Tools | Security and Privacy Tracking Tools
SA-15(3) - Development Process, Standards, and Tools | Criticality Analysis
SA-15(5) - Development Process, Standards, and Tools | Attack Surface Reduction
SA-15(6) - Development Process, Standards, and Tools | Continuous Improvement
SA-15(7) - Development Process, Standards, and Tools | Automated Vulnerability Analysis
SA-15(8) - Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information
SA-15(10) - Development Process, Standards, and Tools | Incident Response Plan
SA-15(11) - Development Process, Standards, and Tools | Archive System or Component
SA-15(12) - Development Process, Standards, and Tools | Minimize Personally Identifiable Information
SA-16 - Developer-provided Training
SA-17 - Developer Security and Privacy Architecture and Design
SA-17(1) - Developer Security and Privacy Architecture and Design | Formal Policy Model
SA-17(2) - Developer Security and Privacy Architecture and Design | Security-relevant Components
SA-17(3) - Developer Security and Privacy Architecture and Design | Formal Correspondence
SA-17(4) - Developer Security and Privacy Architecture and Design | Informal Correspondence
SA-17(5) - Developer Security and Privacy Architecture and Design | Conceptually Simple Design
SA-17(6) - Developer Security and Privacy Architecture and Design | Structure for Testing
SA-17(7) - Developer Security and Privacy Architecture and Design | Structure for Least Privilege
SA-17(8) - Developer Security and Privacy Architecture and Design | Orchestration
SA-17(9) - Developer Security and Privacy Architecture and Design | Design Diversity
SA-20 - Customized Development of Critical Components
SA-21 - Developer Screening
SA-22 - Unsupported System Components
SA-23 - Specialization
SC - System and Communications Protection
SC-1 - Policy and Procedures
SC-2 - Separation of System and User Functionality
SC-2(1) - Separation of System and User Functionality | Interfaces for Non-privileged Users
SC-2(2) - Separation of System and User Functionality | Disassociability
SC-3 - Security Function Isolation
SC-3(1) - Security Function Isolation | Hardware Separation
SC-3(2) - Security Function Isolation | Access and Flow Control Functions
SC-3(3) - Security Function Isolation | Minimize Nonsecurity Functionality
SC-3(4) - Security Function Isolation | Module Coupling and Cohesiveness
SC-3(5) - Security Function Isolation | Layered Structures
SC-4 - Information in Shared System Resources
SC-4(2) - Information in Shared System Resources | Multilevel or Periods Processing
SC-5 - Denial-of-service Protection
SC-5(1) - Denial-of-service Protection | Restrict Ability to Attack Other Systems
SC-5(2) - Denial-of-service Protection | Capacity, Bandwidth, and Redundancy
SC-5(3) - Denial-of-service Protection | Detection and Monitoring
SC-6 - Resource Availability
SC-7 - Boundary Protection
SC-7(3) - Boundary Protection | Access Points
SC-7(4) - Boundary Protection | External Telecommunications Services
SC-7(5) - Boundary Protection | Deny by Default — Allow by Exception
SC-7(7) - Boundary Protection | Split Tunneling for Remote Devices
SC-7(8) - Boundary Protection | Route Traffic to Authenticated Proxy Servers
SC-7(9) - Boundary Protection | Restrict Threatening Outgoing Communications Traffic
SC-7(10) - Boundary Protection | Prevent Exfiltration
SC-7(11) - Boundary Protection | Restrict Incoming Communications Traffic
SC-7(12) - Boundary Protection | Host-based Protection
SC-7(13) - Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components
SC-7(14) - Boundary Protection | Protect Against Unauthorized Physical Connections
SC-7(15) - Boundary Protection | Networked Privileged Accesses
SC-7(16) - Boundary Protection | Prevent Discovery of System Components
SC-7(17) - Boundary Protection | Automated Enforcement of Protocol Formats
SC-7(18) - Boundary Protection | Fail Secure
SC-7(19) - Boundary Protection | Block Communication from Non-organizationally Configured Hosts
SC-7(20) - Boundary Protection | Dynamic Isolation and Segregation
SC-7(21) - Boundary Protection | Isolation of System Components
SC-7(22) - Boundary Protection | Separate Subnets for Connecting to Different Security Domains
SC-7(23) - Boundary Protection | Disable Sender Feedback on Protocol Validation Failure
SC-7(24) - Boundary Protection | Personally Identifiable Information
SC-7(25) - Boundary Protection | Unclassified National Security System Connections
SC-7(26) - Boundary Protection | Classified National Security System Connections
SC-7(27) - Boundary Protection | Unclassified Non-national Security System Connections
SC-7(28) - Boundary Protection | Connections to Public Networks
SC-7(29) - Boundary Protection | Separate Subnets to Isolate Functions
SC-8 - Transmission Confidentiality and Integrity
SC-8(1) - Transmission Confidentiality and Integrity | Cryptographic Protection
SC-8(2) - Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling
SC-8(3) - Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals
SC-8(4) - Transmission Confidentiality and Integrity | Conceal or Randomize Communications
SC-8(5) - Transmission Confidentiality and Integrity | Protected Distribution System
SC-10 - Network Disconnect
SC-11 - Trusted Path
SC-11(1) - Trusted Path | Irrefutable Communications Path
SC-12 - Cryptographic Key Establishment and Management
SC-12(1) - Cryptographic Key Establishment and Management | Availability
SC-12(2) - Cryptographic Key Establishment and Management | Symmetric Keys
SC-12(3) - Cryptographic Key Establishment and Management | Asymmetric Keys
SC-12(6) - Cryptographic Key Establishment and Management | Physical Control of Keys
SC-13 - Cryptographic Protection
SC-15 - Collaborative Computing Devices and Applications
SC-15(1) - Collaborative Computing Devices and Applications | Physical or Logical Disconnect
SC-15(3) - Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas
SC-15(4) - Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants
SC-16 - Transmission of Security and Privacy Attributes
SC-16(1) - Transmission of Security and Privacy Attributes | Integrity Verification
SC-16(2) - Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms
SC-16(3) - Transmission of Security and Privacy Attributes | Cryptographic Binding
SC-17 - Public Key Infrastructure Certificates
SC-18 - Mobile Code
SC-18(1) - Mobile Code | Identify Unacceptable Code and Take Corrective Actions
SC-18(2) - Mobile Code | Acquisition, Development, and Use
SC-18(3) - Mobile Code | Prevent Downloading and Execution
SC-18(4) - Mobile Code | Prevent Automatic Execution
SC-18(5) - Mobile Code | Allow Execution Only in Confined Environments
SC-20 - Secure Name/address Resolution Service (authoritative Source)
SC-20(2) - Secure Name/address Resolution Service (authoritative Source) | Data Origin and Integrity
SC-21 - Secure Name/address Resolution Service (recursive or Caching Resolver)
SC-22 - Architecture and Provisioning for Name/address Resolution Service
SC-23 - Session Authenticity
SC-23(1) - Session Authenticity | Invalidate Session Identifiers at Logout
SC-23(3) - Session Authenticity | Unique System-generated Session Identifiers
SC-23(5) - Session Authenticity | Allowed Certificate Authorities
SC-24 - Fail in Known State
SC-25 - Thin Nodes
SC-26 - Decoys
SC-27 - Platform-independent Applications
SC-28 - Protection of Information at Rest
SC-28(1) - Protection of Information at Rest | Cryptographic Protection
SC-28(2) - Protection of Information at Rest | Offline Storage
SC-28(3) - Protection of Information at Rest | Cryptographic Keys
SC-29 - Heterogeneity
SC-29(1) - Heterogeneity | Virtualization Techniques
SC-30 - Concealment and Misdirection
SC-30(2) - Concealment and Misdirection | Randomness
SC-30(3) - Concealment and Misdirection | Change Processing and Storage Locations
SC-30(4) - Concealment and Misdirection | Misleading Information
SC-30(5) - Concealment and Misdirection | Concealment of System Components
SC-31 - Covert Channel Analysis
SC-31(1) - Covert Channel Analysis | Test Covert Channels for Exploitability
SC-31(2) - Covert Channel Analysis | Maximum Bandwidth
SC-31(3) - Covert Channel Analysis | Measure Bandwidth in Operational Environments
SC-32 - System Partitioning
SC-32(1) - System Partitioning | Separate Physical Domains for Privileged Functions
SC-34 - Non-modifiable Executable Programs
SC-34(1) - Non-modifiable Executable Programs | No Writable Storage
SC-34(2) - Non-modifiable Executable Programs | Integrity Protection on Read-only Media
SC-35 - External Malicious Code Identification
SC-36 - Distributed Processing and Storage
SC-36(1) - Distributed Processing and Storage | Polling Techniques
SC-36(2) - Distributed Processing and Storage | Synchronization
SC-37 - Out-of-band Channels
SC-37(1) - Out-of-band Channels | Ensure Delivery and Transmission
SC-38 - Operations Security
SC-39 - Process Isolation
SC-39(1) - Process Isolation | Hardware Separation
SC-39(2) - Process Isolation | Separate Execution Domain Per Thread
SC-40 - Wireless Link Protection
SC-40(1) - Wireless Link Protection | Electromagnetic Interference
SC-40(2) - Wireless Link Protection | Reduce Detection Potential
SC-40(3) - Wireless Link Protection | Imitative or Manipulative Communications Deception
SC-40(4) - Wireless Link Protection | Signal Parameter Identification
SC-41 - Port and I/O Device Access
SC-42 - Sensor Capability and Data
SC-42(1) - Sensor Capability and Data | Reporting to Authorized Individuals or Roles
SC-42(2) - Sensor Capability and Data | Authorized Use
SC-42(4) - Sensor Capability and Data | Notice of Collection
SC-42(5) - Sensor Capability and Data | Collection Minimization
SC-43 - Usage Restrictions
SC-44 - Detonation Chambers
SC-45 - System Time Synchronization
SC-45(1) - System Time Synchronization | Synchronization with Authoritative Time Source
SC-45(2) - System Time Synchronization | Secondary Authoritative Time Source
SC-46 - Cross Domain Policy Enforcement
SC-47 - Alternate Communications Paths
SC-48 - Sensor Relocation
SC-48(1) - Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities
SC-49 - Hardware-enforced Separation and Policy Enforcement
SC-50 - Software-enforced Separation and Policy Enforcement
SC-51 - Hardware-based Protection
SI - System and Information Integrity
SI-1 - Policy and Procedures
SI-2 - Flaw Remediation
SI-2(2) - Flaw Remediation | Automated Flaw Remediation Status
SI-2(3) - Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions
SI-2(4) - Flaw Remediation | Automated Patch Management Tools
SI-2(5) - Flaw Remediation | Automatic Software and Firmware Updates
SI-2(6) - Flaw Remediation | Removal of Previous Versions of Software and Firmware
SI-3 - Malicious Code Protection
SI-3(4) - Malicious Code Protection | Updates Only by Privileged Users
SI-3(6) - Malicious Code Protection | Testing and Verification
SI-3(8) - Malicious Code Protection | Detect Unauthorized Commands
SI-3(10) - Malicious Code Protection | Malicious Code Analysis
SI-4 - System Monitoring
SI-4(1) - System Monitoring | System-wide Intrusion Detection System
SI-4(2) - System Monitoring | Automated Tools and Mechanisms for Real-time Analysis
SI-4(3) - System Monitoring | Automated Tool and Mechanism Integration
SI-4(4) - System Monitoring | Inbound and Outbound Communications Traffic
SI-4(5) - System Monitoring | System-generated Alerts
SI-4(7) - System Monitoring | Automated Response to Suspicious Events
SI-4(9) - System Monitoring | Testing of Monitoring Tools and Mechanisms
SI-4(10) - System Monitoring | Visibility of Encrypted Communications
SI-4(11) - System Monitoring | Analyze Communications Traffic Anomalies
SI-4(12) - System Monitoring | Automated Organization-generated Alerts
SI-4(13) - System Monitoring | Analyze Traffic and Event Patterns
SI-4(14) - System Monitoring | Wireless Intrusion Detection
SI-4(15) - System Monitoring | Wireless to Wireline Communications
SI-4(16) - System Monitoring | Correlate Monitoring Information
SI-4(17) - System Monitoring | Integrated Situational Awareness
SI-4(18) - System Monitoring | Analyze Traffic and Covert Exfiltration
SI-4(19) - System Monitoring | Risk for Individuals
SI-4(20) - System Monitoring | Privileged Users
SI-4(21) - System Monitoring | Probationary Periods
SI-4(22) - System Monitoring | Unauthorized Network Services
SI-4(23) - System Monitoring | Host-based Devices
SI-4(24) - System Monitoring | Indicators of Compromise
SI-4(25) - System Monitoring | Optimize Network Traffic Analysis
SI-5 - Security Alerts, Advisories, and Directives
SI-5(1) - Security Alerts, Advisories, and Directives | Automated Alerts and Advisories
SI-6 - Security and Privacy Function Verification
SI-6(2) - Security and Privacy Function Verification | Automation Support for Distributed Testing
SI-6(3) - Security and Privacy Function Verification | Report Verification Results
SI-7 - Software, Firmware, and Information Integrity
SI-7(1) - Software, Firmware, and Information Integrity | Integrity Checks
SI-7(2) - Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations
SI-7(3) - Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools
SI-7(5) - Software, Firmware, and Information Integrity | Automated Response to Integrity Violations
SI-7(6) - Software, Firmware, and Information Integrity | Cryptographic Protection
SI-7(7) - Software, Firmware, and Information Integrity | Integration of Detection and Response
SI-7(8) - Software, Firmware, and Information Integrity | Auditing Capability for Significant Events
SI-7(9) - Software, Firmware, and Information Integrity | Verify Boot Process
SI-7(10) - Software, Firmware, and Information Integrity | Protection of Boot Firmware
SI-7(12) - Software, Firmware, and Information Integrity | Integrity Verification
SI-7(15) - Software, Firmware, and Information Integrity | Code Authentication
SI-7(16) - Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision
SI-7(17) - Software, Firmware, and Information Integrity | Runtime Application Self-protection
SI-8 - Spam Protection
SI-8(2) - Spam Protection | Automatic Updates
SI-8(3) - Spam Protection | Continuous Learning Capability
SI-10 - Information Input Validation
SI-10(1) - Information Input Validation | Manual Override Capability
SI-10(2) - Information Input Validation | Review and Resolve Errors
SI-10(3) - Information Input Validation | Predictable Behavior
SI-10(4) - Information Input Validation | Timing Interactions
SI-10(5) - Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats
SI-10(6) - Information Input Validation | Injection Prevention
SI-11 - Error Handling
SI-12 - Information Management and Retention
SI-12(1) - Information Management and Retention | Limit Personally Identifiable Information Elements
SI-12(2) - Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research
SI-12(3) - Information Management and Retention | Information Disposal
SI-13 - Predictable Failure Prevention
SI-13(1) - Predictable Failure Prevention | Transferring Component Responsibilities
SI-13(3) - Predictable Failure Prevention | Manual Transfer Between Components
SI-13(4) - Predictable Failure Prevention | Standby Component Installation and Notification
SI-13(5) - Predictable Failure Prevention | Failover Capability
SI-14 - Non-persistence
SI-14(1) - Non-persistence | Refresh from Trusted Sources
SI-14(2) - Non-persistence | Non-persistent Information
SI-14(3) - Non-persistence | Non-persistent Connectivity
SI-15 - Information Output Filtering
SI-16 - Memory Protection
SI-17 - Fail-safe Procedures
SI-18 - Personally Identifiable Information Quality Operations
SI-18(1) - Personally Identifiable Information Quality Operations | Automation Support
SI-18(2) - Personally Identifiable Information Quality Operations | Data Tags
SI-18(3) - Personally Identifiable Information Quality Operations | Collection
SI-18(4) - Personally Identifiable Information Quality Operations | Individual Requests
SI-18(5) - Personally Identifiable Information Quality Operations | Notice of Correction or Deletion
SI-19 - De-identification
SI-19(1) - De-identification | Collection
SI-19(2) - De-identification | Archiving
SI-19(3) - De-identification | Release
SI-19(4) - De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
SI-19(5) - De-identification | Statistical Disclosure Control
SI-19(6) - De-identification | Differential Privacy
SI-19(7) - De-identification | Validated Algorithms and Software
SI-19(8) - De-identification | Motivated Intruder
SI-20 - Tainting
SI-21 - Information Refresh
SI-22 - Information Diversity
SI-23 - Information Fragmentation
SR - Supply Chain Risk Management
SR-1 - Policy and Procedures
SR-2 - Supply Chain Risk Management Plan
SR-2(1) - Supply Chain Risk Management Plan | Establish Scrm Team
SR-3 - Supply Chain Controls and Processes
SR-3(1) - Supply Chain Controls and Processes | Diverse Supply Base
SR-3(2) - Supply Chain Controls and Processes | Limitation of Harm
SR-3(3) - Supply Chain Controls and Processes | Sub-tier Flow Down
SR-4 - Provenance
SR-4(1) - Provenance | Identity
SR-4(2) - Provenance | Track and Trace
SR-4(3) - Provenance | Validate as Genuine and Not Altered
SR-4(4) - Provenance | Supply Chain Integrity — Pedigree
SR-5 - Acquisition Strategies, Tools, and Methods
SR-5(1) - Acquisition Strategies, Tools, and Methods | Adequate Supply
SR-5(2) - Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update
SR-6 - Supplier Assessments and Reviews
SR-6(1) - Supplier Assessments and Reviews | Testing and Analysis
SR-7 - Supply Chain Operations Security
SR-8 - Notification Agreements
SR-9 - Tamper Resistance and Detection
SR-9(1) - Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle
SR-10 - Inspection of Systems or Components
SR-11 - Component Authenticity
SR-11(1) - Component Authenticity | Anti-counterfeit Training
SR-11(2) - Component Authenticity | Configuration Control for Component Service and Repair
SR-11(3) - Component Authenticity | Anti-counterfeit Scanning
SR-12 - Component Disposal
Home
NIST References
CM-5
6
CM-5(6) - Access Restrictions for Change | Limit Library Privileges
Limit privileges to change software resident within software libraries.
Informational References
https://csf.tools/reference/nist-sp-800-53/r5/cm/cm-5/cm-5-6/
ISO 27001
ID:
CM-5(6)
Enhancement of :
CM-5
Countermeasures Covered by Control
ID
Name
Description
D3FEND
Space Threats Tagged by Control
ID
Description
Sample Requirements
Requirement
Related SPARTA Techniques and Sub-Techniques
ID
Name
Description
×