Space Segment Cybersecurity Profile

In TOR-2023-02161 Rev A, The Aerospace Corporation presents a cybersecurity profile approach to defining and performing threat-focused risk assessment of the space segment. The profile draws heavily on SPARTA to show the tailoring rationale for the Committee on National Security Systems Instruction (CNSSI) No. 1253F space platform overlay and the High-High-High baseline. This threat-focused analysis yields a unique tailoring that provides a notional maximum control baseline from which system security engineering can more efficiently define cybersecurity requirements before development begins. Aerospace also presents a notional minimum control baseline based on SPARTA notional risk scores. Although these notional min/max baselines were created in the context of National Security Systems (NSS), they provide a more accurate starting point for any space systems engineer developing a cybersecurity control baseline. Since many government agencies and commercial space entities use NIST SP 800-53B or CNSSI No. 1253 control baselines, the table below presents those controls in the context of SPARTA: each selected space segment control is mapped to the SPARTA countermeasures that address it and marked as to whether it belongs to the notional minimum (MIN) and/or maximum (MAX) baseline. SPARTA also publishes requirements that align with each of the selected space segment controls. Where an organization lacks resident space systems engineering, these notional min/max baselines from TOR-2023-02161 Rev A, together with the accompanying requirements, provide a robust approach for spacecraft acquisitions. The approach includes example acquisition requirements for a contract, control selection rationale for implementation, and threat-based rationale for accurate security control assessment.

| ID | Name | Description | SPARTA Countermeasures | MIN | MAX |
|---|---|---|---|---|---|
| AC-1 | Policy and Procedures | a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the access control policy and the associated access controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and c. Review and update the current access control: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | CM0088, CM0005 | NA | YES |
| AC-2 | Account Management | a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: organization-defined time period] when accounts are no longer required; 2. [Assignment: organization-defined time period] when users are terminated or transferred; and 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes. | CM0039, CM0005 | NA | NA |
| 1 | Account Management \| Automated System Account Management | Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. | CM0005, CM0002, CM0055 | NA | NA |
| 2 | Account Management \| Automated Temporary and Emergency Account Management | Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. | CM0005, CM0002, CM0055 | NA | NA |
| 3 | Account Management \| Disable Accounts | Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]. | CM0005, CM0002, CM0055 | NA | NA |
| 4 | Account Management \| Automated Audit Actions | Automatically audit account creation, modification, enabling, disabling, and removal actions. | CM0005, CM0002, CM0055 | NA | NA |
| 5 | Account Management \| Inactivity Logout | Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. | CM0005, CM0002, CM0055 | NA | NA |
| 6 | Account Management \| Dynamic Privilege Management | Implement [Assignment: organization-defined dynamic privilege management capabilities]. | CM0005, CM0002, CM0055 | NA | NA |
| 7 | Account Management \| Privileged User Accounts | (a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme]; (b) Monitor privileged role or attribute assignments; (c) Monitor changes to roles or attributes; and (d) Revoke access when privileged role or attribute assignments are no longer appropriate. | CM0005, CM0002, CM0055 | NA | NA |
| 8 | Account Management \| Dynamic Account Management | Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically. | CM0005, CM0002, CM0055 | NA | NA |
| 9 | Account Management \| Restrictions on Use of Shared and Group Accounts | Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts]. | CM0005, CM0002, CM0055 | NA | NA |
| 11 | Account Management \| Usage Conditions | Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts]. | CM0005, CM0002, CM0055 | NA | NA |
| 12 | Account Management \| Account Monitoring for Atypical Usage | (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and (b) Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles]. | CM0005, CM0002, CM0055 | NA | NA |
| 13 | Account Management \| Disable Accounts for High-risk Individuals | Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks]. | CM0005, CM0002, CM0055 | NA | NA |
| AC-3 | Access Enforcement | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | CM0055, CM0005 | NA | YES |
| 2 | Access Enforcement \| Dual Authorization | Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | YES | YES |
| 3 | Access Enforcement \| Mandatory Access Control | Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following: (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | NA | YES |
| 4 | Access Enforcement \| Discretionary Access Control | Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system's components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | NA | YES |
| 5 | Access Enforcement \| Security-relevant Information | Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | NA | NA |
| 7 | Access Enforcement \| Role-based Access Control | Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | NA | NA |
| 8 | Access Enforcement \| Revocation of Access Authorizations | Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | NA | YES |
| 9 | Access Enforcement \| Controlled Release | Release information outside of the system only if: (a) The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and (b) [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | NA | NA |
| 10 | Access Enforcement \| Audited Override of Access Control Mechanisms | Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | YES | YES |
| 11 | Access Enforcement \| Restrict Access to Specific Information Types | Restrict access to data repositories containing [Assignment: organization-defined information types]. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | YES | YES |
| 12 | Access Enforcement \| Assert and Enforce Application Access | (a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]; (b) Provide an enforcement mechanism to prevent unauthorized access; and (c) Approve access changes after initial installation of the application. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | NA | NA |
| 13 | Access Enforcement \| Attribute-based Access Control | Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | YES | YES |
| 14 | Access Enforcement \| Individual Access | Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements]. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | NA | NA |
| 15 | Access Enforcement \| Discretionary and Mandatory Access Control | (a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and (b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy. | CM0054, CM0055, CM0005, CM0002, CM0001, CM0008, CM0052, CM0049, CM0004, CM0007, CM0035, CM0039 | NA | NA |
| AC-4 | Information Flow Enforcement | Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. | CM0050, CM0005, CM0038 | YES | YES |
| 1 | Information Flow Enforcement \| Object Security and Privacy Attributes | Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 2 | Information Flow Enforcement \| Processing Domains | Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | YES | YES |
| 3 | Information Flow Enforcement \| Dynamic Information Flow Control | Enforce [Assignment: organization-defined information flow control policies]. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 4 | Information Flow Enforcement \| Flow Control of Encrypted Information | Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 5 | Information Flow Enforcement \| Embedded Data Types | Enforce [Assignment: organization-defined limitations] on embedding data types within other data types. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 6 | Information Flow Enforcement \| Metadata | Enforce information flow control based on [Assignment: organization-defined metadata]. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 7 | Information Flow Enforcement \| One-way Flow Mechanisms | Enforce one-way information flows through hardware-based flow control mechanisms. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 8 | Information Flow Enforcement \| Security and Privacy Policy Filters | (a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and (b) [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy]. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 9 | Information Flow Enforcement \| Human Reviews | Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 10 | Information Flow Enforcement \| Enable and Disable Security or Privacy Policy Filters | Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions]. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 11 | Information Flow Enforcement \| Configuration of Security or Privacy Policy Filters | Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 12 | Information Flow Enforcement \| Data Type Identifiers | When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 13 | Information Flow Enforcement \| Decomposition into Policy-relevant Subcomponents | When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 14 | Information Flow Enforcement \| Security or Privacy Policy Filter Constraints | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | YES | YES |
| 15 | Information Flow Enforcement \| Detection of Unsanctioned Information | When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy]. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 17 | Information Flow Enforcement \| Domain Authentication | Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 19 | Information Flow Enforcement \| Validation of Metadata | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 20 | Information Flow Enforcement \| Approved Solutions | Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 21 | Information Flow Enforcement \| Physical or Logical Separation of Information Flows | Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 22 | Information Flow Enforcement \| Access Only | Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 23 | Information Flow Enforcement \| Modify Non-releasable Information | When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action]. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 24 | Information Flow Enforcement \| Internal Normalized Format | When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 25 | Information Flow Enforcement \| Data Sanitization | When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy]. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 26 | Information Flow Enforcement \| Audit Filtering Actions | When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 27 | Information Flow Enforcement \| Redundant/independent Filtering Mechanisms | When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 28 | Information Flow Enforcement \| Linear Filter Pipelines | When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 29 | Information Flow Enforcement \| Filter Orchestration Engines | When transferring information between different security domains, employ content filter orchestration engines to ensure that: (a) Content filtering mechanisms successfully complete execution without errors; and (b) Content filtering actions occur in the correct order and comply with [Assignment: organization-defined policy]. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 30 | Information Flow Enforcement \| Filter Mechanisms Using Multiple Processes | When transferring information between different security domains, implement content filtering mechanisms using multiple processes. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 31 | Information Flow Enforcement \| Failed Content Transfer Prevention | When transferring information between different security domains, prevent the transfer of failed content to the receiving domain. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| 32 | Information Flow Enforcement \| Process Requirements for Information Transfer | When transferring information between different security domains, the process that transfers information between filter pipelines: (a) Does not filter message content; (b) Validates filtering metadata; (c) Ensures the content associated with the filtering metadata has successfully completed filtering; and (d) Transfers the content to the destination filter pipeline. | CM0039, CM0038, CM0001, CM0040, CM0050, CM0005 | NA | NA |
| AC-5 | Separation of Duties | a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties. |  | NA | NA |
| AC-6 | Least Privilege | Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. | CM0052, CM0039, CM0005, CM0038 | YES | YES |
| 1 | Least Privilege \| Authorize Access to Security Functions | Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and (b) [Assignment: organization-defined security-relevant information]. | CM0005 | NA | NA |
| 2 | Least Privilege \| Non-privileged Access for Nonsecurity Functions | Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions. | CM0005 | NA | NA |
| 3 | Least Privilege \| Network Access to Privileged Commands | Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. | CM0005 | NA | NA |
| 4 | Least Privilege \| Separate Processing Domains | Provide separate processing domains to enable finer-grained allocation of user privileges. | CM0005 | NA | NA |
| 5 | Least Privilege \| Privileged Accounts | Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. | CM0005 | NA | NA |
| 6 | Least Privilege \| Privileged Access by Non-organizational Users | Prohibit privileged access to the system by non-organizational users. | CM0005 | NA | NA |
| 7 | Least Privilege \| Review of User Privileges | (a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs. | CM0005 | NA | NA |
| 8 | Least Privilege \| Privilege Levels for Code Execution | Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software]. | CM0005 | NA | NA |
| 9 | Least Privilege \| Log Use of Privileged Functions | Log the execution of privileged functions. | CM0005 | NA | YES |
| 10 | Least Privilege \| Prohibit Non-privileged Users from Executing Privileged Functions | Prevent non-privileged users from executing privileged functions. | CM0005 | NA | NA |
| AC-7 | Unsuccessful Logon Attempts | a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded. | CM0005 | NA | NA |
| 2 | Unsuccessful Logon Attempts \| Purge or Wipe Mobile Device | Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. |  | NA | NA |
| 3 | Unsuccessful Logon Attempts \| Biometric Attempt Limiting | Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number]. |  | NA | NA |
| 4 | Unsuccessful Logon Attempts \| Use of Alternate Authentication Factor | (a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and (b) Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]. |  | NA | NA |
| AC-8 | System Use Notification | a. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: 1. Users are accessing a U.S. Government system; 2. System usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and 4. Use of the system indicates consent to monitoring and recording; b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and c. For publicly accessible systems: 1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system; 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Include a description of the authorized uses of the system. | CM0005 | NA | NA |
| AC-9 | Previous Logon Notification | Notify the user, upon successful logon to the system, of the date and time of the last logon. |  | NA | NA |
| 1 | Previous Logon Notification \| Unsuccessful Logons | Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon. |  | NA | NA |
| 2 | Previous Logon Notification \| Successful and Unsuccessful Logons | Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period]. |  | NA | NA |
| 3 | Previous Logon Notification \| Notification of Account Changes | Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user's account] during [Assignment: organization-defined time period]. |  | NA | NA |
| 4 | Previous Logon Notification \| Additional Logon Information | Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information]. |  | NA | NA |
| AC-10 | Concurrent Session Control | Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | CM0005 | NA | NA |
| AC-11 | Device Lock | a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and b. Retain the device lock until the user reestablishes access using established identification and authentication procedures. | CM0005 | NA | NA |
| 1 | Device Lock \| Pattern-hiding Displays | Conceal, via the device lock, information previously visible on the display with a publicly viewable image. | CM0005 | NA | NA |
| AC-12 | Session Termination | Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect]. | CM0036, CM0005 | YES | YES |
| 1 | Session Termination \| User-initiated Logouts | Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]. | CM0005, CM0036 | NA | YES |
| 2 | Session Termination \| Termination Message | Display an explicit logout message to users indicating the termination of authenticated communications sessions. | CM0005, CM0036 | NA | YES |
| 3 | Session Termination \| Timeout Warning Message | Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session]. | CM0005, CM0036 | NA | NA |
| AC-14 | Permitted Actions Without Identification or Authentication | a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. | CM0024, CM0027, CM0028, CM0052, CM0054, CM0031, CM0021, CM0005, CM0053, CM0014, CM0037, CM0043 | YES | YES |
| AC-16 | Security and Privacy Attributes | a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b. Ensure that the attribute associations are made and retained with the information; c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes]; d. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes]; e. Audit changes to attributes; and f. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency]. | CM0005 | NA | NA |
| 1 | Security and Privacy Attributes \| Dynamic Attribute Association | Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies]. | CM0005 | NA | NA |
| 2 | Security and Privacy Attributes \| Attribute Value Changes by Authorized Individuals | Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes. | CM0005 | NA | NA |
| 3 | Security and Privacy Attributes \| Maintenance of Attribute Associations by System | Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects]. | CM0005 | NA | NA |
| 4 | Security and Privacy Attributes \| Association of Attributes by Authorized Individuals | Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). | CM0005 | NA | NA |
5 Security and Privacy Attributes | Attribute Displays on Objects to Be Output Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined special dissemination, handling, or distribution instructions] using [Assignment: organization-defined human-readable, standard naming conventions]. CM0005 NA NA
6 Security and Privacy Attributes | Maintenance of Attribute Association Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies]. CM0005 NA NA
7 Security and Privacy Attributes | Consistent Attribute Interpretation Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components. CM0005 NA NA
8 Security and Privacy Attributes | Association Techniques and Technologies Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information. CM0005 NA NA
9 Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures]. CM0005 NA NA
10 Security and Privacy Attributes | Attribute Configuration by Authorized Individuals Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects. CM0005 NA NA
AC-17 Remote Access a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. CM0002 CM0031 CM0004 CM0005 CM0070 CM0029 YES YES
1 Remote Access | Monitoring and Control Employ automated mechanisms to monitor and control remote access methods. CM0002 CM0055 CM0005 CM0034 CM0031 CM0035 CM0033 YES YES
2 Remote Access | Protection of Confidentiality and Integrity Using Encryption Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. CM0002 CM0055 CM0005 CM0034 CM0031 CM0035 CM0033 YES YES
3 Remote Access | Managed Access Control Points Route remote accesses through authorized and managed network access control points. CM0002 CM0055 CM0005 CM0034 CM0031 CM0035 CM0033 NA NA
4 Remote Access | Privileged Commands and Access (a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and (b) Document the rationale for remote access in the security plan for the system. CM0002 CM0055 CM0005 CM0034 CM0031 CM0035 CM0033 NA YES
6 Remote Access | Protection of Mechanism Information Protect information about remote access mechanisms from unauthorized use and disclosure. CM0002 CM0055 CM0005 CM0034 CM0031 CM0035 CM0033 NA YES
9 Remote Access | Disconnect or Disable Access Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]. CM0002 CM0055 CM0005 CM0034 CM0031 CM0035 CM0033 NA NA
10 Remote Access | Authenticate Remote Commands Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands]. CM0002 CM0055 CM0005 CM0034 CM0031 CM0035 CM0033 YES YES
AC-18 Wireless Access a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and b. Authorize each type of wireless access to the system prior to allowing such connections. CM0002 CM0031 CM0004 CM0005 CM0029 NA NA
1 Wireless Access | Authentication and Encryption Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. CM0002 CM0031 CM0005 CM0029 NA NA
3 Wireless Access | Disable Wireless Networking Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment. CM0002 CM0031 CM0005 CM0029 NA NA
4 Wireless Access | Restrict Configurations by Users Identify and explicitly authorize users allowed to independently configure wireless networking capabilities. CM0002 CM0031 CM0005 CM0029 NA NA
5 Wireless Access | Antennas and Transmission Power Levels Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries. CM0002 CM0031 CM0005 CM0029 NA NA
AC-19 Access Control for Mobile Devices a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and b. Authorize the connection of mobile devices to organizational systems. CM0005 NA NA
4 Access Control for Mobile Devices | Restrictions for Classified Information (a) Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified systems is prohibited; (2) Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restrict the connection of classified mobile devices to classified systems in accordance with [Assignment: organization-defined security policies]. CM0005 NA NA
5 Access Control for Mobile Devices | Full Device or Container-based Encryption Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. CM0005 NA NA
AC-20 Use of External Systems a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: 1. Access the system from external systems; and 2. Process, store, or transmit organization-controlled information using external systems; or b. Prohibit the use of [Assignment: organizationally-defined types of external systems]. CM0005 NA YES
1 Use of External Systems | Limits on Authorized Use Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: (a) Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or (b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system. CM0005 CM0024 CM0026 CM0004 NA YES
2 Use of External Systems | Portable Storage Devices — Restricted Use Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. CM0005 CM0024 CM0026 CM0004 NA NA
3 Use of External Systems | Non-organizationally Owned Systems — Restricted Use Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions]. CM0005 CM0024 CM0026 CM0004 NA YES
4 Use of External Systems | Network Accessible Storage Devices — Prohibited Use Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems. CM0005 CM0024 CM0026 CM0004 NA NA
5 Use of External Systems | Portable Storage Devices — Prohibited Use Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems. CM0005 CM0024 CM0026 CM0004 NA NA
AC-21 Information Sharing a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions. CM0005 NA NA
1 Information Sharing | Automated Decision Support Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. NA NA
2 Information Sharing | Information Search and Retrieval Implement information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]. NA NA
AC-22 Publicly Accessible Content a. Designate individuals authorized to make information publicly accessible; b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered. CM0005 NA NA
AC-23 Data Mining Protection Employ [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining. NA NA
AC-24 Access Control Decisions [Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement. NA NA
1 Access Control Decisions | Transmit Access Authorization Information Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions. NA NA
2 Access Control Decisions | No User or Process Identity Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user. NA NA
AC-25 Reference Monitor Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. CM0001 CM0028 NA YES
AT-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and c. Review and update the current awareness and training: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA NA
AT-2 Literacy Training and Awareness a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): 1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes or following [Assignment: organization-defined events]; b. Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; c. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and d. Incorporate lessons learned from internal or external security or privacy incidents into literacy training and awareness techniques. CM0041 CM0052 NA NA
1 Literacy Training and Awareness | Practical Exercises Provide practical exercises in literacy training that simulate events and incidents. CM0041 CM0052 CM0005 NA NA
2 Literacy Training and Awareness | Insider Threat Provide literacy training on recognizing and reporting potential indicators of insider threat. CM0041 CM0052 CM0005 NA NA
3 Literacy Training and Awareness | Social Engineering and Mining Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining. CM0041 CM0052 CM0005 NA NA
4 Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code]. CM0041 CM0052 CM0005 NA NA
5 Literacy Training and Awareness | Advanced Persistent Threat Provide literacy training on the advanced persistent threat. CM0041 CM0052 CM0005 NA NA
6 Literacy Training and Awareness | Cyber Threat Environment (a) Provide literacy training on the cyber threat environment; and (b) Reflect current cyber threat information in system operations. CM0041 CM0052 CM0005 NA NA
AT-3 Role-based Training a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: 1. Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes; b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and c. Incorporate lessons learned from internal or external security or privacy incidents into role-based training. CM0041 CM0005 NA NA
1 Role-based Training | Environmental Controls Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. CM0005 CM0041 NA NA
2 Role-based Training | Physical Security Controls Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. CM0005 CM0041 NA NA
3 Role-based Training | Practical Exercises Provide practical exercises in security and privacy training that reinforce training objectives. CM0005 CM0041 NA NA
5 Role-based Training | Processing Personally Identifiable Information Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. CM0005 CM0041 NA NA
AT-4 Training Records a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and b. Retain individual training records for [Assignment: organization-defined time period]. CM0005 NA NA
AT-6 Training Feedback Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel]. NA NA
AU-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and c. Review and update the current audit and accountability: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
AU-2 Event Logging a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]. CM0005 CM0032 YES YES
AU-3 Content of Audit Records Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event. CM0005 CM0032 YES YES
1 Content of Audit Records | Additional Audit Information Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. CM0005 CM0034 CM0032 YES YES
3 Content of Audit Records | Limit Personally Identifiable Information Elements Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements]. CM0005 CM0034 CM0032 NA NA
AU-4 Audit Log Storage Capacity Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. CM0005 CM0032 YES YES
1 Audit Log Storage Capacity | Transfer to Alternate Storage Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging. CM0005 CM0032 YES YES
AU-5 Response to Audit Logging Process Failures a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and b. Take the following additional actions: [Assignment: organization-defined additional actions]. CM0005 CM0032 YES YES
1 Response to Audit Logging Process Failures | Storage Capacity Warning Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. CM0005 CM0032 NA YES
2 Response to Audit Logging Process Failures | Real-time Alerts Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts]. CM0005 CM0032 YES YES
3 Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Selection: reject; delay] network traffic above those thresholds. CM0005 CM0032 NA NA
4 Response to Audit Logging Process Failures | Shutdown on Failure Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists. CM0005 CM0032 NA NA
5 Response to Audit Logging Process Failures | Alternate Audit Logging Capability Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality]. CM0005 CM0032 YES YES
AU-6 Audit Record Review, Analysis, and Reporting a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. CM0052 CM0005 YES YES
1 Audit Record Review, Analysis, and Reporting | Automated Process Integration Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. CM0005 CM0032 YES YES
3 Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. CM0005 CM0032 NA NA
4 Audit Record Review, Analysis, and Reporting | Central Review and Analysis Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. CM0005 CM0032 YES YES
5 Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. CM0005 CM0032 NA NA
6 Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. CM0005 CM0032 NA NA
7 Audit Record Review, Analysis, and Reporting | Permitted Actions Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information. CM0005 CM0032 NA NA
8 Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis. CM0005 CM0032 NA NA
9 Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness. CM0005 CM0032 NA NA
AU-7 Audit Record Reduction and Report Generation Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records. CM0052 CM0005 NA NA
1 Audit Record Reduction and Report Generation | Automatic Processing Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. CM0005 NA NA
AU-8 Time Stamps a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. CM0005 CM0032 YES YES
AU-9 Protection of Audit Information a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. CM0005 CM0032 YES YES
1 Protection of Audit Information | Hardware Write-once Media Write audit trails to hardware-enforced, write-once media. CM0005 CM0032 CM0054 NA NA
2 Protection of Audit Information | Store on Separate Physical Systems or Components Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. CM0005 CM0032 CM0054 YES YES
3 Protection of Audit Information | Cryptographic Protection Implement cryptographic mechanisms to protect the integrity of audit information and audit tools. CM0005 CM0032 CM0054 YES YES
4 Protection of Audit Information | Access by Subset of Privileged Users Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. CM0005 CM0032 CM0054 NA NA
5 Protection of Audit Information | Dual Authorization Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. CM0005 CM0032 CM0054 NA YES
6 Protection of Audit Information | Read-only Access Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles]. CM0005 CM0032 CM0054 NA NA
7 Protection of Audit Information | Store on Component with Different Operating System Store audit information on a component running a different operating system than the system or component being audited. CM0005 CM0032 CM0054 NA NA
AU-10 Non-repudiation Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]. CM0052 CM0005 NA NA
1 Non-repudiation | Association of Identities (a) Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (b) Provide the means for authorized individuals to determine the identity of the producer of the information. NA NA
2 Non-repudiation | Validate Binding of Information Producer Identity (a) Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (b) Perform [Assignment: organization-defined actions] in the event of a validation error. NA NA
3 Non-repudiation | Chain of Custody Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released. NA NA
4 Non-repudiation | Validate Binding of Information Reviewer Identity (a) Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [Assignment: organization-defined security domains]; and (b) Perform [Assignment: organization-defined actions] in the event of a validation error. NA NA
AU-11 Audit Record Retention Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. CM0005 NA NA
1 Audit Record Retention | Long-term Retrieval Capability Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved. NA NA
AU-12 Audit Record Generation a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. CM0052 CM0005 YES YES
1 Audit Record Generation | System-wide and Time-correlated Audit Trail Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. CM0005 NA NA
2 Audit Record Generation | Standardized Formats Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. CM0005 NA NA
3 Audit Record Generation | Changes by Authorized Individuals Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. CM0005 NA YES
4 Audit Record Generation | Query Parameter Audits of Personally Identifiable Information Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information. CM0005 NA NA
AU-13 Monitoring for Information Disclosure a. Monitor [Assignment: organization-defined open-source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information; and b. If an information disclosure is discovered: 1. Notify [Assignment: organization-defined personnel or roles]; and 2. Take the following additional actions: [Assignment: organization-defined additional actions]. CM0052 NA NA
1 Monitoring for Information Disclosure | Use of Automated Tools Monitor open-source information and information sites using [Assignment: organization-defined automated mechanisms]. NA NA
2 Monitoring for Information Disclosure | Review of Monitored Sites Review the list of open-source information sites being monitored [Assignment: organization-defined frequency]. NA NA
3 Monitoring for Information Disclosure | Unauthorized Replication of Information Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner. NA NA
AU-14 Session Audit a. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and b. Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. CM0005 CM0032 NA NA
1 Session Audit | System Start-up Initiate session audits automatically at system start-up. CM0005 NA NA
3 Session Audit | Remote Viewing and Listening Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time. CM0005 NA NA
AU-16 Cross-organizational Audit Logging Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. NA NA
1 Cross-organizational Audit Logging | Identity Preservation Preserve the identity of individuals in cross-organizational audit trails. NA NA
2 Cross-organizational Audit Logging | Sharing of Audit Information Provide cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]. NA NA
3 Cross-organizational Audit Logging | Disassociability Implement [Assignment: organization-defined measures] to disassociate individuals from audit information transmitted across organizational boundaries. NA NA
CA-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and c. Review and update the current assessment, authorization, and monitoring: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
CA-2 Control Assessments a. Select the appropriate assessor or assessment team for the type of assessment to be conducted; b. Develop a control assessment plan that describes the scope of the assessment including: 1. Controls and control enhancements under assessment; 2. Assessment procedures to be used to determine control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; e. Produce a control assessment report that documents the results of the assessment; and f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. CM0089 NA YES
1 Control Assessments | Independent Assessors Employ independent assessors or assessment teams to conduct control assessments. CM0089 NA YES
2 Control Assessments | Specialized Assessments Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. CM0089 NA YES
3 Control Assessments | Leveraging Results from External Organizations Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements]. CM0089 NA NA
CA-3 Information Exchange a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement] ]; b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and c. Review and update the agreements [Assignment: organization-defined frequency]. CM0001 CM0020 CM0002 CM0005 CM0038 CM0029 YES YES
6 Information Exchange | Transfer Authorizations Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data. CM0039 CM0005 CM0053 CM0065 CM0055 CM0038 YES YES
7 Information Exchange | Transitive Information Exchanges (a) Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a; and (b) Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated. CM0039 CM0005 CM0053 CM0065 CM0055 CM0038 YES YES
CA-5 Plan of Action and Milestones a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. CM0089 NA YES
1 Plan of Action and Milestones | Automation Support for Accuracy and Currency Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms]. NA NA
CA-6 Authorization a. Assign a senior official as the authorizing official for the system; b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems; c. Ensure that the authorizing official for the system, before commencing operations: 1. Accepts the use of common controls inherited by the system; and 2. Authorizes the system to operate; d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; e. Update the authorizations [Assignment: organization-defined frequency]. CM0089 NA YES
1 Authorization | Joint Authorization — Intra-organization Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization. NA NA
2 Authorization | Joint Authorization — Inter-organization Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization. NA NA
CA-7 Continuous Monitoring Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. CM0052 CM0090 CM0005 YES YES
1 Continuous Monitoring | Independent Assessment Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis. CM0090 CM0005 CM0034 CM0032 NA YES
3 Continuous Monitoring | Trend Analyses Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data. CM0090 CM0005 CM0034 CM0032 NA YES
4 Continuous Monitoring | Risk Monitoring Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (a) Effectiveness monitoring; (b) Compliance monitoring; and (c) Change monitoring. CM0090 CM0005 CM0034 CM0032 NA YES
5 Continuous Monitoring | Consistency Analysis Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions]. CM0090 CM0005 CM0034 CM0032 NA YES
6 Continuous Monitoring | Automation Support for Monitoring Ensure the accuracy, currency, and availability of monitoring results for the system using [Assignment: organization-defined automated mechanisms]. CM0090 CM0005 CM0034 CM0032 YES YES
CA-8 Penetration Testing Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components]. CM0008 CM0004 CM0018 CM0005 CM0053 YES YES
1 Penetration Testing | Independent Penetration Testing Agent or Team Employ an independent penetration testing agent or team to perform penetration testing on the system or system components. CM0008 CM0028 CM0004 CM0018 CM0005 CM0053 NA YES
2 Penetration Testing | Red Team Exercises Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises]. CM0008 CM0028 CM0004 CM0018 CM0005 CM0053 NA NA
3 Penetration Testing | Facility Penetration Testing Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Selection: announced; unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility. CM0008 CM0028 CM0004 CM0018 CM0005 CM0053 NA NA
CA-9 Internal System Connections a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c. Terminate internal system connections after [Assignment: organization-defined conditions]; and d. Review [Assignment: organization-defined frequency] the continued need for each internal connection. CM0005 NA YES
1 Internal System Connections | Compliance Checks Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection. NA NA
CM-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] configuration management policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and c. Review and update the current configuration management: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
CM-2 Baseline Configuration a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded. CM0007 CM0012 CM0013 CM0015 CM0023 CM0005 YES YES
2 Baseline Configuration | Automation Support for Accuracy and Currency Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. CM0004 CM0005 NA YES
3 Baseline Configuration | Retention of Previous Configurations Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback. CM0004 CM0005 NA NA
6 Baseline Configuration | Development and Test Environments Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration. CM0004 CM0005 NA NA
7 Baseline Configuration | Configure Systems and Components for High-risk Areas (a) Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls]. CM0004 CM0005 NA NA
CM-3 Configuration Change Control a. Determine and document the types of changes to the system that are configuration-controlled; b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; c. Document configuration change decisions associated with the system; d. Implement approved configuration-controlled changes to the system; e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period]; f. Monitor and review activities associated with configuration-controlled changes to the system; and g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency] ; when [Assignment: organization-defined configuration change conditions] ]. CM0005 CM0072 NA YES
1 Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes Use [Assignment: organization-defined automated mechanisms] to: (a) Document proposed changes to the system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval; (c) Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period]; (d) Prohibit changes to the system until designated approvals are received; (e) Document all changes to the system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the system are completed. CM0005 CM0004 CM0010 CM0023 CM0030 CM0035 NA YES
2 Configuration Change Control | Testing, Validation, and Documentation of Changes Test, validate, and document changes to the system before finalizing the implementation of the changes. CM0005 CM0004 CM0010 CM0023 CM0030 CM0035 YES YES
3 Configuration Change Control | Automated Change Implementation Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms]. CM0005 CM0004 CM0010 CM0023 CM0030 CM0035 NA NA
4 Configuration Change Control | Security and Privacy Representatives Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. CM0005 CM0004 CM0010 CM0023 CM0030 CM0035 NA YES
5 Configuration Change Control | Automated Security Response Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses]. CM0005 CM0004 CM0010 CM0023 CM0030 CM0035 NA YES
6 Configuration Change Control | Cryptography Management Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls]. CM0005 CM0004 CM0010 CM0023 CM0030 CM0035 NA YES
7 Configuration Change Control | Review System Changes Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred. CM0005 CM0004 CM0010 CM0023 CM0030 CM0035 YES YES
8 Configuration Change Control | Prevent or Restrict Configuration Changes Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances]. CM0005 CM0004 CM0010 CM0023 CM0030 CM0035 YES YES
CM-4 Impact Analyses Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. CM0008 CM0020 CM0022 CM0010 CM0015 CM0023 CM0005 YES YES
1 Impact Analyses | Separate Test Environments Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice. CM0004 CM0010 CM0018 CM0019 YES YES
2 Impact Analyses | Verification of Controls After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system. CM0004 CM0010 CM0018 CM0019 NA YES
CM-5 Access Restrictions for Change Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. CM0023 YES YES
1 Access Restrictions for Change | Automated Access Enforcement and Audit Records (a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and (b) Automatically generate audit records of the enforcement actions. CM0005 CM0004 CM0010 CM0012 CM0013 CM0015 CM0021 CM0023 NA YES
4 Access Restrictions for Change | Dual Authorization Enforce dual authorization for implementing changes to [Assignment: organization-defined system components and system-level information]. CM0005 CM0004 CM0010 CM0012 CM0013 CM0015 CM0021 CM0023 NA NA
5 Access Restrictions for Change | Privilege Limitation for Production and Operation (a) Limit privileges to change system components and system-related information within a production or operational environment; and (b) Review and reevaluate privileges [Assignment: organization-defined frequency]. CM0005 CM0004 CM0010 CM0012 CM0013 CM0015 CM0021 CM0023 NA YES
6 Access Restrictions for Change | Limit Library Privileges Limit privileges to change software resident within software libraries. CM0005 CM0004 CM0010 CM0012 CM0013 CM0015 CM0021 CM0023 NA YES
CM-6 Configuration Settings a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. CM0005 NA YES
1 Configuration Settings | Automated Management, Application, and Verification Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. CM0005 NA NA
2 Configuration Settings | Respond to Unauthorized Changes Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions]. CM0005 NA NA
CM-7 Least Functionality a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. CM0039 CM0047 CM0005 YES YES
1 Least Functionality | Periodic Review (a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and (b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. CM0005 CM0012 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA YES
2 Least Functionality | Prevent Program Execution Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions] ; rules authorizing the terms and conditions of software program usage]. CM0005 CM0012 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA YES
3 Least Functionality | Registration Compliance Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]. CM0005 CM0012 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA NA
4 Least Functionality | Unauthorized Software (a) Identify [Assignment: organization-defined software programs not authorized to execute on the system]; (b) Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and (c) Review and update the list of unauthorized software programs [Assignment: organization-defined frequency]. CM0005 CM0012 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA NA
5 Least Functionality | Authorized Software (a) Identify [Assignment: organization-defined software programs authorized to execute on the system]; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and update the list of authorized software programs [Assignment: organization-defined frequency]. CM0005 CM0012 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 YES YES
6 Least Functionality | Confined Environments with Limited Privileges Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software]. CM0005 CM0012 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA NA
7 Least Functionality | Code Execution in Protected Environments Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is: (a) Obtained from sources with limited or no warranty; and/or (b) Without the provision of source code. CM0005 CM0012 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA NA
8 Least Functionality | Binary or Machine Executable Code (a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and (b) Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official. CM0005 CM0012 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 YES YES
9 Least Functionality | Prohibiting The Use of Unauthorized Hardware (a) Identify [Assignment: organization-defined hardware components authorized for system use]; (b) Prohibit the use or connection of unauthorized hardware components; (c) Review and update the list of authorized hardware components [Assignment: organization-defined frequency]. CM0005 CM0012 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 YES YES
CM-8 System Component Inventory a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and b. Review and update the system component inventory [Assignment: organization-defined frequency]. CM0012 CM0005 YES YES
1 System Component Inventory | Updates During Installation and Removal Update the inventory of system components as part of component installations, removals, and system updates. CM0005 CM0012 NA YES
2 System Component Inventory | Automated Maintenance Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms]. CM0005 CM0012 NA YES
3 System Component Inventory | Automated Unauthorized Component Detection (a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (b) Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles] ]. CM0005 CM0012 NA YES
4 System Component Inventory | Accountability Information Include in the system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible and accountable for administering those components. CM0005 CM0012 NA YES
6 System Component Inventory | Assessed Configurations and Approved Deviations Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory. CM0005 CM0012 NA NA
7 System Component Inventory | Centralized Repository Provide a centralized repository for the inventory of system components. CM0005 CM0012 NA NA
8 System Component Inventory | Automated Location Tracking Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms]. CM0005 CM0012 NA NA
9 System Component Inventory | Assignment of Components to Systems (a) Assign system components to a system; and (b) Receive an acknowledgement from [Assignment: organization-defined personnel or roles] of this assignment. CM0005 CM0012 NA NA
CM-9 Configuration Management Plan Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e. Protects the configuration management plan from unauthorized disclosure and modification. CM0005 NA YES
1 Configuration Management Plan | Assignment of Responsibility Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development. NA NA
CM-10 Software Usage Restrictions a. Use software and associated documentation in accordance with contract agreements and copyright laws; b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. CM0012 YES YES
1 Software Usage Restrictions | Open-source Software Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions]. CM0011 CM0012 CM0013 CM0005 YES YES
CM-11 User-installed Software a. Establish [Assignment: organization-defined policies] governing the installation of software by users; b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and c. Monitor policy compliance [Assignment: organization-defined frequency]. CM0004 CM0012 CM0013 CM0015 CM0021 CM0069 CM0005 NA NA
2 User-installed Software | Software Installation with Privileged Status Allow user installation of software only with explicit privileged status. CM0005 CM0012 CM0021 CM0023 CM0047 CM0032 NA NA
3 User-installed Software | Automated Enforcement and Monitoring Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms]. CM0005 CM0012 CM0021 CM0023 CM0047 CM0032 NA NA
CM-12 Information Location a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; b. Identify and document the users who have access to the system and system components where the information is processed and stored; and c. Document changes to the location (i.e., system or system components) where the information is processed and stored. CM0001 CM0005 NA YES
1 Information Location | Automated Tools to Support Information Location Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy. CM0001 CM0005 NA YES
CM-13 Data Action Mapping Develop and document a map of system data actions. NA NA
CM-14 Signed Components Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. CM0004 CM0015 CM0021 CM0005 YES YES
CP-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c. Review and update the current contingency planning: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
CP-2 Contingency Plan a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinate contingency planning activities with incident handling activities; d. Review the contingency plan for the system [Assignment: organization-defined frequency]; e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h. Protect the contingency plan from unauthorized disclosure and modification. CM0020 CM0022 CM0041 CM0052 CM0054 CM0074 CM0075 CM0076 CM0079 CM0081 CM0087 CM0005 CM0070 CM0006 CM0042 CM0044 CM0043 CM0045 CM0048 YES YES
1 Contingency Plan | Coordinate with Related Plans Coordinate contingency plan development with organizational elements responsible for related plans. CM0079 CM0081 CM0087 CM0074 CM0075 CM0076 CM0005 CM0077 CM0044 CM0022 CM0004 YES YES
2 Contingency Plan | Capacity Planning Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. CM0079 CM0081 CM0087 CM0074 CM0075 CM0076 CM0005 CM0077 CM0044 CM0022 CM0004 NA YES
3 Contingency Plan | Resume Mission and Business Functions Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. CM0079 CM0081 CM0087 CM0074 CM0075 CM0076 CM0005 CM0077 CM0044 CM0022 CM0004 YES YES
5 Contingency Plan | Continue Mission and Business Functions Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites. CM0079 CM0081 CM0087 CM0074 CM0075 CM0076 CM0005 CM0077 CM0044 CM0022 CM0004 YES YES
6 Contingency Plan | Alternate Processing and Storage Sites Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites. CM0079 CM0081 CM0087 CM0074 CM0075 CM0076 CM0005 CM0077 CM0044 CM0022 CM0004 NA YES
7 Contingency Plan | Coordinate with External Service Providers Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. CM0079 CM0081 CM0087 CM0074 CM0075 CM0076 CM0005 CM0077 CM0044 CM0022 CM0004 YES YES
8 Contingency Plan | Identify Critical Assets Identify critical system assets supporting [Selection: all; essential] mission and business functions. CM0079 CM0081 CM0087 CM0074 CM0075 CM0076 CM0005 CM0077 CM0044 CM0022 CM0004 YES YES
CP-3 Contingency Training a. Provide contingency training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NA NA
1 Contingency Training | Simulated Events Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. CM0005 NA NA
2 Contingency Training | Mechanisms Used in Training Environments Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment. CM0005 NA NA
CP-4 Contingency Plan Testing a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. b. Review the contingency plan test results; and c. Initiate corrective actions, if needed. CM0008 NA YES
1 Contingency Plan Testing | Coordinate with Related Plans Coordinate contingency plan testing with organizational elements responsible for related plans. CM0041 CM0005 CM0070 CM0018 CM0042 CM0051 NA YES
2 Contingency Plan Testing | Alternate Processing Site Test the contingency plan at the alternate processing site: (a) To familiarize contingency personnel with the facility and available resources; and (b) To evaluate the capabilities of the alternate processing site to support contingency operations. CM0041 CM0005 CM0070 CM0018 CM0042 CM0051 NA YES
3 Contingency Plan Testing | Automated Testing Test the contingency plan using [Assignment: organization-defined automated mechanisms]. CM0041 CM0005 CM0070 CM0018 CM0042 CM0051 NA NA
4 Contingency Plan Testing | Full Recovery and Reconstitution Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing. CM0041 CM0005 CM0070 CM0018 CM0042 CM0051 NA YES
5 Contingency Plan Testing | Self-challenge Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component. CM0041 CM0005 CM0070 CM0018 CM0042 CM0051 YES YES
CP-6 Alternate Storage Site a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site. NA NA
1 Alternate Storage Site | Separation from Primary Site Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. NA NA
2 Alternate Storage Site | Recovery Time and Recovery Point Objectives Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. NA NA
3 Alternate Storage Site | Accessibility Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions. NA NA
CP-7 Alternate Processing Site a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and c. Provide controls at the alternate processing site that are equivalent to those at the primary site. NA NA
1 Alternate Processing Site | Separation from Primary Site Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. NA NA
2 Alternate Processing Site | Accessibility Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outline explicit mitigation actions. NA NA
3 Alternate Processing Site | Priority of Service Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). NA NA
4 Alternate Processing Site | Preparation for Use Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions. NA NA
6 Alternate Processing Site | Inability to Return to Primary Site Plan and prepare for circumstances that preclude returning to the primary processing site. NA NA
CP-8 Telecommunications Services Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. CM0005 CM0029 NA NA
1 Telecommunications Services | Priority of Service Provisions (a) Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and (b) Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier. CM0005 CM0070 NA NA
2 Telecommunications Services | Single Points of Failure Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. CM0005 CM0070 NA NA
3 Telecommunications Services | Separation of Primary and Alternate Providers Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. CM0005 CM0070 NA NA
4 Telecommunications Services | Provider Contingency Plan (a) Require primary and alternate telecommunications service providers to have contingency plans; (b) Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. CM0005 CM0070 NA NA
5 Telecommunications Services | Alternate Telecommunication Service Testing Test alternate telecommunication services [Assignment: organization-defined frequency]. CM0005 CM0070 NA NA
CP-9 System Backup a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information. CM0005 CM0056 NA NA
1 System Backup | Testing for Reliability and Integrity Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. CM0005 NA NA
2 System Backup | Test Restoration Using Sampling Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing. CM0005 NA NA
3 System Backup | Separate Storage for Critical Information Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. CM0005 NA NA
5 System Backup | Transfer to Alternate Storage Site Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. CM0005 NA NA
6 System Backup | Redundant Secondary System Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. CM0005 NA NA
7 System Backup | Dual Authorization Enforce dual authorization for the deletion or destruction of [Assignment: organization-defined backup information]. CM0005 NA NA
8 System Backup | Cryptographic Protection Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]. CM0005 NA NA
CP-10 System Recovery and Reconstitution Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. CM0005 CM0032 CM0044 YES YES
2 System Recovery and Reconstitution | Transaction Recovery Implement transaction recovery for systems that are transaction-based. CM0005 CM0032 CM0044 CM0074 CM0075 CM0079 CM0080 CM0081 CM0087 NA NA
4 System Recovery and Reconstitution | Restore Within Time Period Provide the capability to restore system components within [Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components. CM0005 CM0032 CM0044 CM0074 CM0075 CM0079 CM0080 CM0081 CM0087 YES YES
6 System Recovery and Reconstitution | Component Protection Protect system components used for recovery and reconstitution. CM0005 CM0032 CM0044 CM0074 CM0075 CM0079 CM0080 CM0081 CM0087 YES YES
CP-11 Alternate Communications Protocols Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. CM0074 CM0075 CM0076 CM0072 NA NA
CP-12 Safe Mode When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation]. CM0006 CM0044 YES YES
CP-13 Alternative Security Mechanisms Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised. CM0074 CM0075 CM0076 CM0077 CM0079 CM0080 CM0081 CM0084 CM0085 CM0086 CM0087 YES YES
IA-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and c. Review and update the current identification and authentication: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
IA-2 Identification and Authentication (Organizational Users) Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. CM0031 CM0021 CM0005 NA NA
1 Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged Accounts Implement multi-factor authentication for access to privileged accounts. CM0005 CM0065 CM0033 NA NA
2 Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privileged Accounts Implement multi-factor authentication for access to non-privileged accounts. CM0005 CM0065 CM0033 NA NA
5 Identification and Authentication (Organizational Users) | Individual Authentication with Group Authentication When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources. CM0005 CM0065 CM0033 NA NA
6 Identification and Authentication (Organizational Users) | Access to Accounts — Separate Device Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements]. CM0005 CM0065 CM0033 NA NA
8 Identification and Authentication (Organizational Users) | Access to Accounts — Replay Resistant Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]. CM0005 CM0065 CM0033 NA NA
10 Identification and Authentication (Organizational Users) | Single Sign-on Provide a single sign-on capability for [Assignment: organization-defined system accounts and services]. CM0005 CM0065 CM0033 NA NA
12 Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials Accept and electronically verify Personal Identity Verification-compliant credentials. CM0005 CM0065 CM0033 NA NA
13 Identification and Authentication (Organizational Users) | Out-of-band Authentication Implement the following out-of-band authentication mechanisms under [Assignment: organization-defined conditions]: [Assignment: organization-defined out-of-band authentication]. CM0005 CM0065 CM0033 NA NA
IA-3 Device Identification and Authentication Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection. CM0033 CM0005 YES YES
1 Device Identification and Authentication | Cryptographic Bidirectional Authentication Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based. CM0031 CM0033 CM0005 YES YES
3 Device Identification and Authentication | Dynamic Address Allocation (a) Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audit lease information when assigned to a device. CM0031 CM0033 CM0005 NA NA
4 Device Identification and Authentication | Device Attestation Handle device identification and authentication based on attestation by [Assignment: organization-defined configuration management process]. CM0031 CM0033 CM0005 NA NA
IA-4 Identifier Management Manage system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier; b. Selecting an identifier that identifies an individual, group, role, service, or device; c. Assigning the identifier to the intended individual, group, role, service, or device; and d. Preventing reuse of identifiers for [Assignment: organization-defined time period]. CM0052 CM0031 CM0033 CM0005 YES YES
1 Identifier Management | Prohibit Account Identifiers as Public Identifiers Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts. CM0002 CM0031 CM0005 CM0035 NA NA
4 Identifier Management | Identify User Status Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. CM0002 CM0031 CM0005 CM0035 NA NA
5 Identifier Management | Dynamic Management Manage individual identifiers dynamically in accordance with [Assignment: organization-defined dynamic identifier policy]. CM0002 CM0031 CM0005 CM0035 NA NA
6 Identifier Management | Cross-organization Management Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations]. CM0002 CM0031 CM0005 CM0035 NA NA
8 Identifier Management | Pairwise Pseudonymous Identifiers Generate pairwise pseudonymous identifiers. CM0002 CM0031 CM0005 CM0035 NA NA
9 Identifier Management | Attribute Maintenance and Protection Maintain the attributes for each uniquely identified individual, device, or service in [Assignment: organization-defined protected central storage]. CM0002 CM0031 CM0005 CM0035 YES YES
IA-5 Authenticator Management Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes. CM0002 CM0005 CM0035 YES YES
1 Authenticator Management | Password-based Authentication For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. CM0005 CM0035 CM0002 NA NA
2 Authenticator Management | Public Key-based Authentication (a) For public key-based authentication: (1) Enforce authorized access to the corresponding private key; and (2) Map the authenticated identity to the account of the individual or group; and (b) When public key infrastructure (PKI) is used: (1) Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and (2) Implement a local cache of revocation data to support path discovery and validation. CM0005 CM0035 CM0002 NA NA
5 Authenticator Management | Change Authenticators Prior to Delivery Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation. CM0005 CM0035 CM0002 NA NA
6 Authenticator Management | Protection of Authenticators Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access. CM0005 CM0035 CM0002 NA YES
7 Authenticator Management | No Embedded Unencrypted Static Authenticators Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage. CM0005 CM0035 CM0002 YES YES
8 Authenticator Management | Multiple System Accounts Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems. CM0005 CM0035 CM0002 NA NA
9 Authenticator Management | Federated Credential Management Use the following external organizations to federate credentials: [Assignment: organization-defined external organizations]. CM0005 CM0035 CM0002 NA NA
10 Authenticator Management | Dynamic Credential Binding Bind identities and authenticators dynamically using the following rules: [Assignment: organization-defined binding rules]. CM0005 CM0035 CM0002 NA NA
12 Authenticator Management | Biometric Authentication Performance For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements [Assignment: organization-defined biometric quality requirements]. CM0005 CM0035 CM0002 NA NA
13 Authenticator Management | Expiration of Cached Authenticators Prohibit the use of cached authenticators after [Assignment: organization-defined time period]. CM0005 CM0035 CM0002 NA NA
14 Authenticator Management | Managing Content of PKI Trust Stores For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications. CM0005 CM0035 CM0002 NA NA
15 Authenticator Management | GSA-approved Products and Services Use only General Services Administration-approved products and services for identity, credential, and access management. CM0005 CM0035 CM0002 NA NA
16 Authenticator Management | In-person or Trusted External Party Authenticator Issuance Require that the issuance of [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted external party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. CM0005 CM0035 CM0002 NA NA
17 Authenticator Management | Presentation Attack Detection for Biometric Authenticators Employ presentation attack detection mechanisms for biometric-based authentication. CM0005 CM0035 CM0002 NA NA
18 Authenticator Management | Password Managers (a) Employ [Assignment: organization-defined password managers] to generate and manage passwords; and (b) Protect the passwords using [Assignment: organization-defined controls]. CM0005 CM0035 CM0002 NA NA
IA-6 Authentication Feedback Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. CM0005 NA NA
IA-7 Cryptographic Module Authentication Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. CM0002 CM0031 CM0033 CM0005 YES YES
IA-8 Identification and Authentication (non-organizational Users) Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. CM0005 NA NA
1 Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. NA NA
2 Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators (a) Accept only external authenticators that are NIST-compliant; and (b) Document and maintain a list of accepted external authenticators. NA NA
4 Identification and Authentication (non-organizational Users) | Use of Defined Profiles Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. NA NA
5 Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials Accept and verify federated or PKI credentials that meet [Assignment: organization-defined policy]. NA NA
6 Identification and Authentication (non-organizational Users) | Disassociability Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures]. NA NA
IA-9 Service Identification and Authentication Uniquely identify and authenticate [Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications. CM0031 CM0067 NA YES
IA-10 Adaptive Authentication Require individuals accessing the system to employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations]. CM0055 NA YES
IA-11 Re-authentication Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication]. CM0005 NA NA
IA-12 Identity Proofing a. Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; b. Resolve user identities to a unique individual; and c. Collect, validate, and verify identity evidence. CM0052 CM0054 CM0005 NA NA
1 Identity Proofing | Supervisor Authorization Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization. CM0052 CM0054 CM0005 NA NA
2 Identity Proofing | Identity Evidence Require evidence of individual identification be presented to the registration authority. CM0052 CM0054 CM0005 NA NA
3 Identity Proofing | Identity Evidence Validation and Verification Require that the presented identity evidence be validated and verified through [Assignment: organization-defined methods of validation and verification]. CM0052 CM0054 CM0005 NA NA
4 Identity Proofing | In-person Validation and Verification Require that the validation and verification of identity evidence be conducted in person before a designated registration authority. CM0052 CM0054 CM0005 NA NA
5 Identity Proofing | Address Confirmation Require that a [Selection: registration code; notice of proofing] be delivered through an out-of-band channel to verify the user's address (physical or digital) of record. CM0052 CM0054 CM0005 NA NA
6 Identity Proofing | Accept Externally-proofed Identities Accept externally-proofed identities at [Assignment: organization-defined identity assurance level]. CM0052 CM0054 CM0005 NA NA
IR-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] incident response policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and c. Review and update the current incident response: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
IR-2 Incident Response Training a. Provide incident response training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0005 NA NA
1 Incident Response Training | Simulated Events Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations. CM0005 CM0041 CM0052 NA NA
2 Incident Response Training | Automated Training Environments Provide an incident response training environment using [Assignment: organization-defined automated mechanisms]. CM0005 CM0041 CM0052 NA NA
3 Incident Response Training | Breach Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach. CM0005 CM0041 CM0052 NA NA
IR-3 Incident Response Testing Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. CM0008 CM0005 CM0042 CM0044 NA YES
1 Incident Response Testing | Automated Testing Test the incident response capability using [Assignment: organization-defined automated mechanisms]. CM0008 CM0005 CM0042 CM0044 CM0041 NA NA
2 Incident Response Testing | Coordination with Related Plans Coordinate incident response testing with organizational elements responsible for related plans. CM0008 CM0005 CM0042 CM0044 CM0041 NA YES
3 Incident Response Testing | Continuous Improvement Use qualitative and quantitative data from testing to: (a) Determine the effectiveness of incident response processes; (b) Continuously improve incident response processes; and (c) Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format. CM0008 CM0005 CM0042 CM0044 CM0041 NA NA
IR-4 Incident Handling a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. CM0052 CM0005 CM0032 CM0044 YES YES
1 Incident Handling | Automated Incident Handling Processes Support the incident handling process using [Assignment: organization-defined automated mechanisms]. CM0005 CM0044 CM0032 CM0052 CM0034 NA YES
2 Incident Handling | Dynamic Reconfiguration Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration]. CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
3 Incident Handling | Continuity of Operations Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions to take in response to classes of incidents]. CM0005 CM0044 CM0032 CM0052 CM0034 YES YES
4 Incident Handling | Information Correlation Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
5 Incident Handling | Automatic Disabling of System Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected. CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
6 Incident Handling | Insider Threats Implement an incident handling capability for incidents involving insider threats. CM0005 CM0044 CM0032 CM0052 CM0034 YES YES
7 Incident Handling | Insider Threats — Intra-organization Coordination Coordinate an incident handling capability for insider threats that includes the following organizational entities [Assignment: organization-defined entities]. CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
8 Incident Handling | Correlation with External Organizations Coordinate with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses. CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
9 Incident Handling | Dynamic Response Capability Employ [Assignment: organization-defined dynamic response capabilities] to respond to incidents. CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
10 Incident Handling | Supply Chain Coordination Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain. CM0005 CM0044 CM0032 CM0052 CM0034 NA YES
11 Incident Handling | Integrated Incident Response Team Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period]. CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
12 Incident Handling | Malicious Code and Forensic Analysis Analyze malicious code and/or other residual artifacts remaining in the system after the incident. CM0005 CM0044 CM0032 CM0052 CM0034 YES YES
13 Incident Handling | Behavior Analysis Analyze anomalous or suspected adversarial behavior in or related to [Assignment: organization-defined environments or resources]. CM0005 CM0044 CM0032 CM0052 CM0034 NA YES
14 Incident Handling | Security Operations Center Establish and maintain a security operations center. CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
15 Incident Handling | Public Relations and Reputation Repair (a) Manage public relations associated with an incident; and (b) Employ measures to repair the reputation of the organization. CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
IR-5 Incident Monitoring Track and document incidents. CM0005 CM0032 CM0068 YES YES
1 Incident Monitoring | Automated Tracking, Data Collection, and Analysis Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]. CM0005 CM0032 CM0068 YES YES
IR-6 Incident Reporting a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and b. Report incident information to [Assignment: organization-defined authorities]. CM0005 NA YES
1 Incident Reporting | Automated Reporting Report incidents using [Assignment: organization-defined automated mechanisms]. CM0005 CM0008 NA NA
2 Incident Reporting | Vulnerabilities Related to Incidents Report system vulnerabilities associated with reported incidents to [Assignment: organization-defined personnel or roles]. CM0005 CM0008 NA YES
3 Incident Reporting | Supply Chain Coordination Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident. CM0005 CM0008 NA NA
IR-7 Incident Response Assistance Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. CM0005 NA NA
1 Incident Response Assistance | Automation Support for Availability of Information and Support Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms]. CM0005 NA NA
2 Incident Response Assistance | Coordination with External Providers (a) Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and (b) Identify organizational incident response team members to the external providers. CM0005 NA NA
IR-8 Incident Response Plan a. Develop an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; 8. Addresses the sharing of incident information; 9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and 10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and e. Protect the incident response plan from unauthorized disclosure and modification. CM0041 CM0005 NA YES
1 Incident Response Plan | Breaches Include the following in the Incident Response Plan for breaches involving personally identifiable information: (a) A process to determine if notice to individuals or other organizations, including oversight organizations, is needed; (b) An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and (c) Identification of applicable privacy requirements. NA NA
IR-9 Information Spillage Response Respond to information spills by: a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills; b. Identifying the specific information involved in the system contamination; c. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; d. Isolating the contaminated system or system component; e. Eradicating the information from the contaminated system or component; f. Identifying other systems or system components that may have been subsequently contaminated; and g. Performing the following additional actions: [Assignment: organization-defined actions]. NA NA
2 Information Spillage Response | Training Provide information spillage response training [Assignment: organization-defined frequency]. NA NA
3 Information Spillage Response | Post-spill Operations Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: [Assignment: organization-defined procedures]. NA NA
4 Information Spillage Response | Exposure to Unauthorized Personnel Employ the following controls for personnel exposed to information not within assigned access authorizations: [Assignment: organization-defined controls]. NA NA
MA-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] maintenance policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and c. Review and update the current maintenance: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA NA
MA-2 Controlled Maintenance a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; c. Require that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; d. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: [Assignment: organization-defined information]; e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and f. Include the following information in organizational maintenance records: [Assignment: organization-defined information]. CM0005 NA NA
2 Controlled Maintenance | Automated Maintenance Activities (a) Schedule, conduct, and document maintenance, repair, and replacement actions for the system using [Assignment: organization-defined automated mechanisms]; and (b) Produce up-to-date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed. NA NA
MA-3 Maintenance Tools a. Approve, control, and monitor the use of system maintenance tools; and b. Review previously approved system maintenance tools [Assignment: organization-defined frequency]. CM0005 NA NA
1 Maintenance Tools | Inspect Tools Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications. CM0005 NA NA
2 Maintenance Tools | Inspect Media Check media containing diagnostic and test programs for malicious code before the media are used in the system. CM0005 NA NA
3 Maintenance Tools | Prevent Unauthorized Removal Prevent the removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or destroying the equipment; (c) Retaining the equipment within the facility; or (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. CM0005 NA NA
4 Maintenance Tools | Restricted Tool Use Restrict the use of maintenance tools to authorized personnel only. CM0005 NA NA
5 Maintenance Tools | Execution with Privilege Monitor the use of maintenance tools that execute with increased privilege. CM0005 NA NA
6 Maintenance Tools | Software Updates and Patches Inspect maintenance tools to ensure the latest software updates and patches are installed. CM0005 NA NA
MA-4 Nonlocal Maintenance a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintain records for nonlocal maintenance and diagnostic activities; and e. Terminate session and network connections when nonlocal maintenance is completed. CM0005 NA NA
1 Nonlocal Maintenance | Logging and Review (a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and (b) Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior. CM0005 NA NA
3 Nonlocal Maintenance | Comparable Security and Sanitization (a) Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or (b) Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system. CM0005 NA NA
4 Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions Protect nonlocal maintenance sessions by: (a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and (b) Separating the maintenance sessions from other network sessions with the system by either: (1) Physically separated communications paths; or (2) Logically separated communications paths. CM0005 NA NA
5 Nonlocal Maintenance | Approvals and Notifications (a) Require the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and (b) Notify the following personnel or roles of the date and time of planned nonlocal maintenance: [Assignment: organization-defined personnel or roles]. CM0005 NA NA
6 Nonlocal Maintenance | Cryptographic Protection Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: [Assignment: organization-defined cryptographic mechanisms]. CM0005 NA NA
7 Nonlocal Maintenance | Disconnect Verification Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions. CM0005 NA NA
MA-5 Maintenance Personnel a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. NA NA
1 Maintenance Personnel | Individuals Without Appropriate Access (a) Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and (b) Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system. CM0005 NA NA
2 Maintenance Personnel | Security Clearances for Classified Systems Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for compartments of information on the system. CM0005 NA NA
3 Maintenance Personnel | Citizenship Requirements for Classified Systems Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens. CM0005 NA NA
4 Maintenance Personnel | Foreign Nationals Ensure that: (a) Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and (b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements. CM0005 NA NA
5 Maintenance Personnel | Non-system Maintenance Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations. CM0005 NA NA
MA-6 Timely Maintenance Obtain maintenance support and/or spare parts for [Assignment: organization-defined system components] within [Assignment: organization-defined time period] of failure. CM0005 NA NA
1 Timely Maintenance | Preventive Maintenance Perform preventive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals]. NA NA
2 Timely Maintenance | Predictive Maintenance Perform predictive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals]. NA NA
3 Timely Maintenance | Automated Support for Predictive Maintenance Transfer predictive maintenance data to a maintenance management system using [Assignment: organization-defined automated mechanisms]. NA NA
MA-7 Field Maintenance Restrict or prohibit field maintenance on [Assignment: organization-defined systems or system components] to [Assignment: organization-defined trusted maintenance facilities]. CM0028 CM0052 CM0004 CM0023 CM0005 CM0037 NA NA
MP-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] media protection policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the media protection policy and procedures; and c. Review and update the current media protection: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA NA
MP-2 Media Access Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. CM0005 NA NA
MP-3 Media Marking a. Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempt [Assignment: organization-defined types of system media] from marking if the media remain within [Assignment: organization-defined controlled areas]. CM0005 NA NA
MP-4 Media Storage a. Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures. CM0005 NA NA
2 Media Storage | Automated Restricted Access Restrict access to media storage areas and log access attempts and access granted using [Assignment: organization-defined automated mechanisms]. NA NA
MP-5 Media Transport a. Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; b. Maintain accountability for system media during transport outside of controlled areas; c. Document activities associated with the transport of system media; and d. Restrict the activities associated with the transport of system media to authorized personnel. CM0005 NA NA
3 Media Transport | Custodians Employ an identified custodian during transport of system media outside of controlled areas. NA NA
MP-6 Media Sanitization a. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. CM0005 NA NA
1 Media Sanitization | Review, Approve, Track, Document, and Verify Review, approve, track, document, and verify media sanitization and disposal actions. CM0005 NA NA
2 Media Sanitization | Equipment Testing Test sanitization equipment and procedures [Assignment: organization-defined frequency] to ensure that the intended sanitization is being achieved. CM0005 NA NA
3 Media Sanitization | Nondestructive Techniques Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]. CM0005 NA NA
7 Media Sanitization | Dual Authorization Enforce dual authorization for the sanitization of [Assignment: organization-defined system media]. CM0005 NA NA
8 Media Sanitization | Remote Purging or Wiping of Information Provide the capability to purge or wipe information from [Assignment: organization-defined systems or system components] [Selection: remotely; under the following conditions: [Assignment: organization-defined conditions] ]. CM0005 NA NA
MP-7 Media Use a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. CM0052 CM0005 NA NA
2 Media Use | Prohibit Use of Sanitization-resistant Media Prohibit the use of sanitization-resistant media in organizational systems. NA NA
MP-8 Media Downgrading a. Establish [Assignment: organization-defined system media downgrading process] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information; b. Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information; c. Identify [Assignment: organization-defined system media requiring downgrading]; and d. Downgrade the identified system media using the established process. NA NA
1 Media Downgrading | Documentation of Process Document system media downgrading actions. NA NA
2 Media Downgrading | Equipment Testing Test downgrading equipment and procedures [Assignment: organization-defined frequency] to ensure that downgrading actions are being achieved. NA NA
3 Media Downgrading | Controlled Unclassified Information Downgrade system media containing controlled unclassified information prior to public release. NA NA
4 Media Downgrading | Classified Information Downgrade system media containing classified information prior to release to individuals without required access authorizations. NA NA
PE-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] physical and environmental protection policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and c. Review and update the current physical and environmental protection: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
PE-2 Physical Access Authorizations a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; b. Issue authorization credentials for facility access; c. Review the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Remove individuals from the facility access list when access is no longer required. CM0052 CM0053 NA NA
1 Physical Access Authorizations | Access by Position or Role Authorize physical access to the facility where the system resides based on position or role. CM0053 NA NA
2 Physical Access Authorizations | Two Forms of Identification Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: [Assignment: organization-defined list of acceptable forms of identification]. CM0053 NA NA
3 Physical Access Authorizations | Restrict Unescorted Access Restrict unescorted access to the facility where the system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined physical access authorizations] ]. CM0053 NA NA
PE-3 Physical Access Control a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by: 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress and egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems or devices] ; guards]; b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points]; c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls]; d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity]; e. Secure keys, combinations, and other physical access devices; f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. CM0054 CM0053 NA NA
1 Physical Access Control | System Access Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. CM0053 CM0005 NA NA
2 Physical Access Control | Facility and Systems Perform security checks [Assignment: organization-defined frequency] at the physical perimeter of the facility or system for exfiltration of information or removal of system components. CM0053 CM0005 NA NA
3 Physical Access Control | Continuous Guards Employ guards to control [Assignment: organization-defined physical access points] to the facility where the system resides 24 hours per day, 7 days per week. CM0053 CM0005 NA NA
4 Physical Access Control | Lockable Casings Use lockable physical casings to protect [Assignment: organization-defined system components] from unauthorized physical access. CM0053 CM0005 NA NA
5 Physical Access Control | Tamper Protection Employ [Assignment: organization-defined anti-tamper technologies] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the system. CM0053 CM0005 NA NA
7 Physical Access Control | Physical Barriers Limit access using physical barriers. CM0053 CM0005 NA NA
8 Physical Access Control | Access Control Vestibules Employ access control vestibules at [Assignment: organization-defined locations within the facility]. CM0053 CM0005 NA NA
PE-4 Access Control for Transmission Control physical access to [Assignment: organization-defined system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security controls]. CM0071 NA NA
PE-5 Access Control for Output Devices Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output. NA NA
2 Access Control for Output Devices | Link to Individual Identity Link individual identity to receipt of output from output devices. NA NA
PE-6 Monitoring Physical Access a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; b. Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c. Coordinate results of reviews and investigations with the organizational incident response capability. CM0077 YES YES
1 Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment. CM0077 NA YES
2 Monitoring Physical Access | Automated Intrusion Recognition and Responses Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms]. CM0077 NA YES
3 Monitoring Physical Access | Video Surveillance (a) Employ video surveillance of [Assignment: organization-defined operational areas]; (b) Review video recordings [Assignment: organization-defined frequency]; and (c) Retain video recordings for [Assignment: organization-defined time period]. CM0077 NA NA
4 Monitoring Physical Access | Monitoring Physical Access to Systems Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. CM0077 NA YES
PE-8 Visitor Access Records a. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period]; b. Review visitor access records [Assignment: organization-defined frequency]; and c. Report anomalies in visitor access records to [Assignment: organization-defined personnel]. NA NA
1 Visitor Access Records | Automated Records Maintenance and Review Maintain and review visitor access records using [Assignment: organization-defined automated mechanisms]. NA NA
3 Visitor Access Records | Limit Personally Identifiable Information Elements Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements]. NA NA
PE-9 Power Equipment and Cabling Protect power equipment and power cabling for the system from damage and destruction. CM0085 NA YES
1 Power Equipment and Cabling | Redundant Cabling Employ redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]. NA NA
2 Power Equipment and Cabling | Automatic Voltage Controls Employ automatic voltage controls for [Assignment: organization-defined critical system components]. NA NA
PE-10 Emergency Shutoff a. Provide the capability of shutting off power to [Assignment: organization-defined system or individual system components] in emergency situations; b. Place emergency shutoff switches or devices in [Assignment: organization-defined location by system or system component] to facilitate access for authorized personnel; and c. Protect emergency power shutoff capability from unauthorized activation. CM0042 CM0044 YES YES
PE-11 Emergency Power Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss. CM0042 NA YES
1 Emergency Power | Alternate Power Supply — Minimal Operational Capability Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that can maintain minimally required operational capability in the event of an extended loss of the primary power source. CM0042 NA YES
2 Emergency Power | Alternate Power Supply — Self-contained Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: (a) Self-contained; (b) Not reliant on external power generation; and (c) Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source. CM0042 NA NA
PE-12 Emergency Lighting Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. NA NA
1 Emergency Lighting | Essential Mission and Business Functions Provide emergency lighting for all areas within the facility supporting essential mission and business functions. NA NA
PE-13 Fire Protection Employ and maintain fire detection and suppression systems that are supported by an independent energy source. NA NA
1 Fire Protection | Detection Systems – Automatic Activation and Notification Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. NA NA
2 Fire Protection | Suppression Systems – Automatic Activation and Notification (a) Employ fire suppression systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]; and (b) Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis. NA NA
4 Fire Protection | Inspections Ensure that the facility undergoes [Assignment: organization-defined frequency] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within [Assignment: organization-defined time period]. NA NA
PE-14 Environmental Controls a. Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control] ] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and b. Monitor environmental control levels [Assignment: organization-defined frequency]. CM0042 NA YES
1 Environmental Controls | Automatic Controls Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: [Assignment: organization-defined automatic environmental controls]. NA NA
2 Environmental Controls | Monitoring with Alarms and Notifications Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [Assignment: organization-defined personnel or roles]. NA NA
PE-15 Water Damage Protection Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. NA NA
1 Water Damage Protection | Automation Support Detect the presence of water near the system and alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms]. NA NA
PE-16 Delivery and Removal a. Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and b. Maintain records of the system components. NA NA
PE-17 Alternate Work Site a. Determine and document the [Assignment: organization-defined alternate work sites] allowed for use by employees; b. Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; c. Assess the effectiveness of controls at alternate work sites; and d. Provide a means for employees to communicate with information security and privacy personnel in case of incidents. NA NA
PE-18 Location of System Components Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access. CM0085 CM0086 NA YES
PE-19 Information Leakage Protect the system from information leakage due to electromagnetic signals emanations. CM0085 CM0003 CM0062 CM0057 CM0058 CM0059 CM0060 CM0061 CM0063 CM0064 NA YES
1 Information Leakage | National Emissions and Tempest Policies and Procedures Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information. CM0003 CM0062 CM0057 CM0058 CM0059 CM0060 CM0061 CM0063 CM0064 NA YES
PE-20 Asset Monitoring and Tracking Employ [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]. CM0077 CM0078 CM0079 CM0081 CM0084 CM0087 CM0048 YES YES
PE-21 Electromagnetic Pulse Protection Employ [Assignment: organization-defined protective measures] against electromagnetic pulse damage for [Assignment: organization-defined systems and system components]. CM0074 CM0075 CM0079 CM0085 CM0003 YES YES
PE-22 Component Marking Mark [Assignment: organization-defined system hardware components] indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component. NA NA
PE-23 Facility Location a. Plan the location or site of the facility where the system resides considering physical and environmental hazards; and b. For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy. NA NA
PL-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the planning policy and the associated planning controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the planning policy and procedures; and c. Review and update the current planning: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
PL-2 System Security and Privacy Plans a. Develop security and privacy plans for the system that: 1. Are consistent with the organization’s enterprise architecture; 2. Explicitly define the constituent system components; 3. Describe the operational context of the system in terms of mission and business processes; 4. Identify the individuals that fulfill system roles and responsibilities; 5. Identify the information types processed, stored, and transmitted by the system; 6. Provide the security categorization of the system, including supporting rationale; 7. Describe any specific threats to the system that are of concern to the organization; 8. Provide the results of a privacy risk assessment for systems processing personally identifiable information; 9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components; 10. Provide an overview of the security and privacy requirements for the system; 11. Identify any relevant control baselines or overlays, if applicable; 12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; 13. Include risk determinations for security and privacy architecture and design decisions; 14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and 15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles]; c. Review the plans [Assignment: organization-defined frequency]; d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and e. Protect the plans from unauthorized disclosure and modification. NA YES
PL-4 Rules of Behavior a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (one or more): [Assignment: organization-defined frequency] ; when the rules are revised or updated]. NA NA
1 Rules of Behavior | Social Media and External Site/application Usage Restrictions Include in the rules of behavior, restrictions on: (a) Use of social media, social networking sites, and external sites/applications; (b) Posting organizational information on public websites; and (c) Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. NA NA
PL-7 Concept of Operations a. Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and b. Review and update the CONOPS [Assignment: organization-defined frequency]. CM0022 NA YES
PL-8 Security and Privacy Architectures a. Develop security and privacy architectures for the system that: 1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; 2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; 3. Describe how the architectures are integrated into and support the enterprise architecture; and 4. Describe any assumptions about, and dependencies on, external systems and services; b. Review and update the architectures [Assignment: organization-defined frequency] to reflect changes in the enterprise architecture; and c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. CM0001 CM0020 CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0052 CM0002 CM0030 CM0031 CM0050 CM0004 CM0017 CM0039 CM0046 CM0047 CM0055 CM0069 CM0005 CM0034 CM0035 CM0070 CM0006 CM0032 CM0042 CM0044 CM0051 CM0014 CM0037 CM0038 CM0048 CM0057 CM0029 YES YES
1 Security and Privacy Architectures | Defense in Depth Design the security and privacy architectures for the system using a defense-in-depth approach that: (a) Allocates [Assignment: organization-defined controls] to [Assignment: organization-defined locations and architectural layers]; and (b) Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner. CM0001 CM0020 CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0052 CM0002 CM0030 CM0031 CM0050 CM0004 CM0017 CM0039 CM0046 CM0047 CM0055 CM0069 CM0005 CM0034 CM0035 CM0070 CM0006 CM0032 CM0042 CM0044 CM0051 CM0014 CM0037 CM0038 CM0048 CM0057 CM0029 YES YES
2 Security and Privacy Architectures | Supplier Diversity Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. CM0001 CM0020 CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0052 CM0002 CM0030 CM0031 CM0050 CM0004 CM0017 CM0039 CM0046 CM0047 CM0055 CM0069 CM0005 CM0034 CM0035 CM0070 CM0006 CM0032 CM0042 CM0044 CM0051 CM0014 CM0037 CM0038 CM0048 CM0057 CM0029 YES YES
PL-9 Central Management Centrally manage [Assignment: organization-defined controls and related processes]. CM0005 NA NA
PL-10 Baseline Selection Select a control baseline for the system. CM0005 NA YES
PL-11 Baseline Tailoring Tailor the selected control baseline by applying specified tailoring actions. CM0005 NA YES
PM-1 Information Security Program Plan a. Develop and disseminate an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects the coordination among organizational entities responsible for information security; and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b. Review and update the organization-wide information security program plan [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and c. Protect the information security program plan from unauthorized disclosure and modification. CM0088 NA YES
PM-2 Information Security Program Leadership Role Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. NA NA
PM-3 Information Security and Privacy Resources a. Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; b. Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and c. Make available for expenditure, the planned information security and privacy resources. NA NA
PM-4 Plan of Action and Milestones Process a. Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: 1. Are developed and maintained; 2. Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and 3. Are reported in accordance with established reporting requirements. b. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. NA NA
PM-5 System Inventory Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems. CM0012 NA NA
1 System Inventory | Inventory of Personally Identifiable Information Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information. NA NA
PM-6 Measures of Performance Develop, monitor, and report on the results of information security and privacy measures of performance. NA NA
PM-7 Enterprise Architecture Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation. NA NA
1 Enterprise Architecture | Offloading Offload [Assignment: organization-defined non-essential functions or services] to other systems, system components, or an external provider. NA NA
PM-8 Critical Infrastructure Plan Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. NA NA
PM-9 Risk Management Strategy a. Develops a comprehensive strategy to manage: 1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and 2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information; b. Implement the risk management strategy consistently across the organization; and c. Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. NA NA
PM-10 Authorization Process a. Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; b. Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and c. Integrate the authorization processes into an organization-wide risk management program. NA NA
PM-11 Mission and Business Process Definition a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and c. Review and revise the mission and business processes [Assignment: organization-defined frequency]. CM0001 CM0022 CM0005 YES YES
PM-12 Insider Threat Program Implement an insider threat program that includes a cross-discipline insider threat incident handling team. CM0052 YES YES
PM-13 Security and Privacy Workforce Establish a security and privacy workforce development and improvement program. NA NA
PM-14 Testing, Training, and Monitoring a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained; and 2. Continue to be executed; and b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. CM0052 YES YES
PM-15 Security and Privacy Groups and Associations Establish and institutionalize contact with selected groups and associations within the security and privacy communities: a. To facilitate ongoing security and privacy education and training for organizational personnel; b. To maintain currency with recommended security and privacy practices, techniques, and technologies; and c. To share current security and privacy information, including threats, vulnerabilities, and incidents. NA NA
PM-16 Threat Awareness Program Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. CM0009 YES YES
1 Threat Awareness Program | Automated Means for Sharing Threat Intelligence Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information. CM0009 CM0005 YES YES
PM-17 Protecting Controlled Unclassified Information on External Systems a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b. Review and update the policy and procedures [Assignment: organization-defined frequency]. CM0001 CM0022 CM0005 YES YES
PM-18 Privacy Program Plan a. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: 1. Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; 2. Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements; 3. Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities; 4. Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; 5. Reflects coordination among organizational entities responsible for the different aspects of privacy; and 6. Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and b. Update the plan [Assignment: organization-defined frequency] and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments. NA NA
PM-19 Privacy Program Leadership Role Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. NA NA
PM-20 Dissemination of Privacy Program Information Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that: a. Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy; b. Ensures that organizational privacy practices and reports are publicly available; and c. Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. NA NA
1 Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: (a) Are written in plain language and organized in a way that is easy to understand and navigate; (b) Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and (c) Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes. NA NA
PM-21 Accounting of Disclosures a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: 1. Date, nature, and purpose of each disclosure; and 2. Name and address, or other contact information of the individual or organization to which the disclosure was made; b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request. NA NA
PM-22 Personally Identifiable Information Quality Management Develop and document organization-wide policies and procedures for: a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle; b. Correcting or deleting inaccurate or outdated personally identifiable information; c. Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and d. Appeals of adverse decisions on correction or deletion requests. NA NA
PM-23 Data Governance Body Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities]. NA NA
PM-24 Data Integrity Board Establish a Data Integrity Board to: a. Review proposals to conduct or participate in a matching program; and b. Conduct an annual review of all matching programs in which the agency has participated. NA NA
PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research; b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes; c. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and d. Review and update policies and procedures [Assignment: organization-defined frequency]. NA NA
PM-26 Complaint Management Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: a. Mechanisms that are easy to use and readily accessible by the public; b. All information necessary for successfully filing complaints; c. Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period]; d. Acknowledgement of receipt of complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]; and e. Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]. NA NA
PM-27 Privacy Reporting a. Develop [Assignment: organization-defined privacy reports] and disseminate to: 1. [Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and 2. [Assignment: organization-defined officials] and other personnel with responsibility for monitoring privacy program compliance; and b. Review and update privacy reports [Assignment: organization-defined frequency]. NA NA
PM-28 Risk Framing a. Identify and document: 1. Assumptions affecting risk assessments, risk responses, and risk monitoring; 2. Constraints affecting risk assessments, risk responses, and risk monitoring; 3. Priorities and trade-offs considered by the organization for managing risk; and 4. Organizational risk tolerance; b. Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and c. Review and update risk framing considerations [Assignment: organization-defined frequency]. NA NA
PM-29 Risk Management Program Leadership Roles a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization. NA NA
PM-30 Supply Chain Risk Management Strategy a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; b. Implement the supply chain risk management strategy consistently across the organization; and c. Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes. CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
1 Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services. CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
PM-31 Continuous Monitoring Strategy Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. CM0005 NA YES
PM-32 Purposing Analyze [Assignment: organization-defined systems or systems components] supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose. CM0022 CM0005 YES YES
PS-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and c. Review and update the current personnel security: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA NA
PS-2 Position Risk Designation a. Assign a risk designation to all organizational positions; b. Establish screening criteria for individuals filling those positions; and c. Review and update position risk designations [Assignment: organization-defined frequency]. NA NA
PS-3 Personnel Screening a. Screen individuals prior to authorizing access to the system; and b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening]. CM0052 NA NA
1 Personnel Screening | Classified Information Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. NA NA
2 Personnel Screening | Formal Indoctrination Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system. NA NA
3 Personnel Screening | Information with Special Protective Measures Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: (a) Have valid access authorizations that are demonstrated by assigned official government duties; and (b) Satisfy [Assignment: organization-defined additional personnel screening criteria]. NA NA
4 Personnel Screening | Citizenship Requirements Verify that individuals accessing a system processing, storing, or transmitting [Assignment: organization-defined information types] meet [Assignment: organization-defined citizenship requirements]. NA NA
PS-4 Personnel Termination Upon termination of individual employment: a. Disable system access within [Assignment: organization-defined time period]; b. Terminate or revoke any authenticators and credentials associated with the individual; c. Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieve all security-related organizational system-related property; and e. Retain access to organizational information and systems formerly controlled by terminated individual. CM0052 NA NA
1 Personnel Termination | Post-employment Requirements (a) Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and (b) Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. NA NA
2 Personnel Termination | Automated Actions Use [Assignment: organization-defined automated mechanisms] to [Selection (one or more): notify [Assignment: organization-defined personnel or roles] of individual termination actions; disable access to system resources]. NA NA
PS-5 Personnel Transfer a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. CM0052 NA NA
PS-6 Access Agreements a. Develop and document access agreements for organizational systems; b. Review and update the access agreements [Assignment: organization-defined frequency]; and c. Verify that individuals requiring access to organizational information and systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment: organization-defined frequency]. NA NA
2 Access Agreements | Classified Information Requiring Special Protection Verify that access to classified information requiring special protection is granted only to individuals who: (a) Have a valid access authorization that is demonstrated by assigned official government duties; (b) Satisfy associated personnel security criteria; and (c) Have read, understood, and signed a nondisclosure agreement. NA NA
3 Access Agreements | Post-employment Requirements (a) Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and (b) Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information. NA NA
PS-7 External Personnel Security a. Establish personnel security requirements, including security roles and responsibilities for external providers; b. Require external providers to comply with personnel security policies and procedures established by the organization; c. Document personnel security requirements; d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and e. Monitor provider compliance with personnel security requirements. NA NA
PS-8 Personnel Sanctions a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and b. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. CM0052 NA NA
PS-9 Position Descriptions Incorporate security and privacy roles and responsibilities into organizational position descriptions. NA NA
PT-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] personally identifiable information processing and transparency policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and c. Review and update the current personally identifiable information processing and transparency: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA NA
PT-2 Authority to Process Personally Identifiable Information a. Determine and document the [Assignment: organization-defined authority] that permits the [Assignment: organization-defined processing] of personally identifiable information; and b. Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which is authorized. NA NA
1 Authority to Process Personally Identifiable Information | Data Tagging Attach data tags containing [Assignment: organization-defined permissible processing] to [Assignment: organization-defined elements of personally identifiable information]. NA NA
2 Authority to Process Personally Identifiable Information | Automation Manage enforcement of the authorized processing of personally identifiable information using [Assignment: organization-defined automated mechanisms]. NA NA
PT-3 Personally Identifiable Information Processing Purposes a. Identify and document the [Assignment: organization-defined purpose(s)] for processing personally identifiable information; b. Describe the purpose(s) in the public privacy notices and policies of the organization; c. Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which is compatible with the identified purpose(s); and d. Monitor changes in processing personally identifiable information and implement [Assignment: organization-defined mechanisms] to ensure that any changes are made in accordance with [Assignment: organization-defined requirements]. NA NA
1 Personally Identifiable Information Processing Purposes | Data Tagging Attach data tags containing the following purposes to [Assignment: organization-defined elements of personally identifiable information]: [Assignment: organization-defined processing purposes]. NA NA
2 Personally Identifiable Information Processing Purposes | Automation Track processing purposes of personally identifiable information using [Assignment: organization-defined automated mechanisms]. NA NA
PT-4 Consent Implement [Assignment: organization-defined tools or mechanisms] for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making. NA NA
1 Consent | Tailored Consent Provide [Assignment: organization-defined mechanisms] to allow individuals to tailor processing permissions to selected elements of personally identifiable information. NA NA
2 Consent | Just-in-time Consent Present [Assignment: organization-defined consent mechanisms] to individuals at [Assignment: organization-defined frequency] and in conjunction with [Assignment: organization-defined personally identifiable information processing]. NA NA
3 Consent | Revocation Implement [Assignment: organization-defined tools or mechanisms] for individuals to revoke consent to the processing of their personally identifiable information. NA NA
PT-5 Privacy Notice Provide notice to individuals about the processing of personally identifiable information that: a. Is available to individuals upon first interacting with an organization, and subsequently at [Assignment: organization-defined frequency]; b. Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language; c. Identifies the authority that authorizes the processing of personally identifiable information; d. Identifies the purposes for which personally identifiable information is to be processed; and e. Includes [Assignment: organization-defined information]. NA NA
1 Privacy Notice | Just-in-time Notice Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or [Assignment: organization-defined frequency]. NA NA
2 Privacy Notice | Privacy Act Statements Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals. NA NA
PT-6 System of Records Notice For systems that process information that will be maintained in a Privacy Act system of records: a. Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review; b. Publish system of records notices in the Federal Register; and c. Keep system of records notices accurate, up-to-date, and scoped in accordance with policy. NA NA
1 System of Records Notice | Routine Uses Review all routine uses published in the system of records notice at [Assignment: organization-defined frequency] to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected. NA NA
2 System of Records Notice | Exemption Rules Review all Privacy Act exemptions claimed for the system of records at [Assignment: organization-defined frequency] to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice. NA NA
PT-7 Specific Categories of Personally Identifiable Information Apply [Assignment: organization-defined processing conditions] for specific categories of personally identifiable information. NA NA
1 Specific Categories of Personally Identifiable Information | Social Security Numbers When a system processes Social Security numbers: (a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier; (b) Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and (c) Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it. NA NA
2 Specific Categories of Personally Identifiable Information | First Amendment Information Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity. NA NA
PT-8 Computer Matching Requirements When a system or organization processes information for the purpose of conducting a matching program: a. Obtain approval from the Data Integrity Board to conduct the matching program; b. Develop and enter into a computer matching agreement; c. Publish a matching notice in the Federal Register; d. Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and e. Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual. NA NA
RA-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and c. Review and update the current risk assessment: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
RA-2 Security Categorization a. Categorize the system and information it processes, stores, and transmits; b. Document the security categorization results, including supporting rationale, in the security plan for the system; and c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. CM0089 NA YES
1 Security Categorization | Impact-level Prioritization Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels. NA NA
RA-3 Risk Assessment a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system; 2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; d. Review risk assessment results [Assignment: organization-defined frequency]; e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. CM0009 CM0020 CM0022 CM0011 CM0018 CM0019 YES YES
1 Risk Assessment | Supply Chain Risk Assessment (a) Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and (b) Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 CM0009 CM0032 YES YES
2 Risk Assessment | Use of All-source Intelligence Use all-source intelligence to assist in the analysis of risk. CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 CM0009 CM0032 YES YES
3 Risk Assessment | Dynamic Threat Awareness Determine the current cyber threat environment on an ongoing basis using [Assignment: organization-defined means]. CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 CM0009 CM0032 YES YES
4 Risk Assessment | Predictive Cyber Analytics Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]. CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 CM0009 CM0032 YES YES
RA-5 Vulnerability Monitoring and Scanning a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. CM0008 CM0004 CM0011 CM0012 CM0013 CM0016 CM0019 CM0005 YES YES
2 Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA YES
3 Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage Define the breadth and depth of vulnerability scanning coverage. CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 YES YES
4 Vulnerability Monitoring and Scanning | Discoverable Information Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]. CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA YES
5 Vulnerability Monitoring and Scanning | Privileged Access Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities]. CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA YES
6 Vulnerability Monitoring and Scanning | Automated Trend Analyses Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms]. CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA NA
8 Vulnerability Monitoring and Scanning | Review Historic Audit Logs Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period]. CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA NA
10 Vulnerability Monitoring and Scanning | Correlate Scanning Information Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors. CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA NA
11 Vulnerability Monitoring and Scanning | Public Disclosure Program Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA NA
RA-6 Technical Surveillance Countermeasures Survey Employ a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency] ; when the following events or indicators occur; [Assignment: organization-defined events or indicators] ]. CM0077 CM0078 YES YES
RA-7 Risk Response Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. CM0011 CM0018 CM0019 CM0005 NA YES
RA-8 Privacy Impact Assessments Conduct privacy impact assessments for systems, programs, or other activities before: a. Developing or procuring information technology that processes personally identifiable information; and b. Initiating a new collection of personally identifiable information that: 1. Will be processed using information technology; and 2. Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government. NA NA
RA-9 Criticality Analysis Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle]. CM0022 CM0004 CM0005 YES YES
RA-10 Threat Hunting a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls; and b. Employ the threat hunting capability [Assignment: organization-defined frequency]. CM0009 CM0052 CM0005 CM0032 YES YES
SA-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and c. Review and update the current system and services acquisition: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
SA-2 Allocation of Resources a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. CM0020 CM0022 CM0025 CM0005 YES YES
SA-3 System Development Life Cycle a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle; c. Identify individuals having information security and privacy roles and responsibilities; and d. Integrate the organizational information security and privacy risk management process into system development life cycle activities. CM0001 CM0009 CM0020 CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0052 CM0030 CM0031 CM0050 CM0004 CM0010 CM0011 CM0012 CM0013 CM0015 CM0017 CM0018 CM0019 CM0023 CM0039 CM0046 CM0047 CM0055 CM0005 CM0035 CM0053 CM0056 CM0042 CM0044 CM0051 CM0037 CM0038 CM0043 CM0045 CM0057 YES YES
SA-3(1) System Development Life Cycle | Manage Preproduction Environment Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service. CM0001 CM0004 CM0005 NA YES
SA-3(2) System Development Life Cycle | Use of Live or Operational Data (a) Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and (b) Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments. CM0001 CM0004 CM0005 NA YES
SA-3(3) System Development Life Cycle | Technology Refresh Plan for and implement a technology refresh schedule for the system throughout the system development life cycle. CM0001 CM0004 CM0005 NA NA
SA-4 Acquisition Process Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: a. Security and privacy functional requirements; b. Strength of mechanism requirements; c. Security and privacy assurance requirements; d. Controls needed to satisfy the security and privacy requirements; e. Security and privacy documentation requirements; f. Requirements for protecting security and privacy documentation; g. Description of the system development environment and environment in which the system is intended to operate; h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and i. Acceptance criteria. CM0005 NA YES
SA-4(1) Acquisition Process | Functional Properties of Controls Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. CM0005 CM0004 CM0008 CM0022 CM0024 CM0028 CM0030 CM0031 CM0011 CM0012 CM0015 CM0021 CM0023 CM0047 CM0035 CM0042 CM0037 CM0043 CM0057 CM0020 CM0017 CM0039 CM0001 NA YES
SA-4(2) Acquisition Process | Design and Implementation Information for Controls Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design and implementation information]] at [Assignment: organization-defined level of detail]. CM0005 CM0004 CM0008 CM0022 CM0024 CM0028 CM0030 CM0031 CM0011 CM0012 CM0015 CM0021 CM0023 CM0047 CM0035 CM0042 CM0037 CM0043 CM0057 CM0020 CM0017 CM0039 CM0001 NA YES
SA-4(3) Acquisition Process | Development Methods, Techniques, and Practices Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: (a) [Assignment: organization-defined systems engineering methods]; (b) [Assignment: organization-defined [Selection (one or more): systems security; privacy] engineering methods]; and (c) [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes]. CM0005 CM0004 CM0008 CM0022 CM0024 CM0028 CM0030 CM0031 CM0011 CM0012 CM0015 CM0021 CM0023 CM0047 CM0035 CM0042 CM0037 CM0043 CM0057 CM0020 CM0017 CM0039 CM0001 NA YES
SA-4(5) Acquisition Process | System, Component, and Service Configurations Require the developer of the system, system component, or system service to: (a) Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and (b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade. CM0005 CM0004 CM0008 CM0022 CM0024 CM0028 CM0030 CM0031 CM0011 CM0012 CM0015 CM0021 CM0023 CM0047 CM0035 CM0042 CM0037 CM0043 CM0057 CM0020 CM0017 CM0039 CM0001 YES YES
SA-4(6) Acquisition Process | Use of Information Assurance Products (a) Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and (b) Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. CM0005 CM0004 CM0008 CM0022 CM0024 CM0028 CM0030 CM0031 CM0011 CM0012 CM0015 CM0021 CM0023 CM0047 CM0035 CM0042 CM0037 CM0043 CM0057 CM0020 CM0017 CM0039 CM0001 NA NA
SA-4(7) Acquisition Process | NIAP-Approved Protection Profiles (a) Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and (b) Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved. CM0005 CM0004 CM0008 CM0022 CM0024 CM0028 CM0030 CM0031 CM0011 CM0012 CM0015 CM0021 CM0023 CM0047 CM0035 CM0042 CM0037 CM0043 CM0057 CM0020 CM0017 CM0039 CM0001 NA NA
SA-4(8) Acquisition Process | Continuous Monitoring Plan for Controls Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization. CM0005 CM0004 CM0008 CM0022 CM0024 CM0028 CM0030 CM0031 CM0011 CM0012 CM0015 CM0021 CM0023 CM0047 CM0035 CM0042 CM0037 CM0043 CM0057 CM0020 CM0017 CM0039 CM0001 NA NA
SA-4(9) Acquisition Process | Functions, Ports, Protocols, and Services in Use Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use. CM0005 CM0004 CM0008 CM0022 CM0024 CM0028 CM0030 CM0031 CM0011 CM0012 CM0015 CM0021 CM0023 CM0047 CM0035 CM0042 CM0037 CM0043 CM0057 CM0020 CM0017 CM0039 CM0001 YES YES
SA-4(10) Acquisition Process | Use of Approved PIV Products Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. CM0005 CM0004 CM0008 CM0022 CM0024 CM0028 CM0030 CM0031 CM0011 CM0012 CM0015 CM0021 CM0023 CM0047 CM0035 CM0042 CM0037 CM0043 CM0057 CM0020 CM0017 CM0039 CM0001 NA NA
SA-4(11) Acquisition Process | System of Records Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function. CM0005 CM0004 CM0008 CM0022 CM0024 CM0028 CM0030 CM0031 CM0011 CM0012 CM0015 CM0021 CM0023 CM0047 CM0035 CM0042 CM0037 CM0043 CM0057 CM0020 CM0017 CM0039 CM0001 NA NA
SA-4(12) Acquisition Process | Data Ownership (a) Include organizational data ownership requirements in the acquisition contract; and (b) Require all data to be removed from the contractor’s system and returned to the organization within [Assignment: organization-defined time frame]. CM0005 CM0004 CM0008 CM0022 CM0024 CM0028 CM0030 CM0031 CM0011 CM0012 CM0015 CM0021 CM0023 CM0047 CM0035 CM0042 CM0037 CM0043 CM0057 CM0020 CM0017 CM0039 CM0001 NA YES
SA-5 System Documentation a. Obtain or develop administrator documentation for the system, system component, or system service that describes: 1. Secure configuration, installation, and operation of the system, component, or service; 2. Effective use and maintenance of security and privacy functions and mechanisms; and 3. Known vulnerabilities regarding configuration and use of administrative or privileged functions; b. Obtain or develop user documentation for the system, system component, or system service that describes: 1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and 3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and d. Distribute documentation to [Assignment: organization-defined personnel or roles]. CM0001 CM0008 CM0007 CM0005 YES YES
SA-8 Security and Privacy Engineering Principles Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles]. CM0001 CM0009 CM0020 CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0052 CM0030 CM0031 CM0050 CM0004 CM0010 CM0011 CM0012 CM0013 CM0015 CM0017 CM0018 CM0019 CM0023 CM0039 CM0046 CM0047 CM0055 CM0005 CM0035 CM0053 CM0056 CM0042 CM0044 CM0051 CM0037 CM0038 CM0043 CM0045 CM0057 YES YES
SA-8(1) Security and Privacy Engineering Principles | Clear Abstractions Implement the security design principle of clear abstractions. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(2) Security and Privacy Engineering Principles | Least Common Mechanism Implement the security design principle of least common mechanism in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(3) Security and Privacy Engineering Principles | Modularity and Layering Implement the security design principles of modularity and layering in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(4) Security and Privacy Engineering Principles | Partially Ordered Dependencies Implement the security design principle of partially ordered dependencies in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(5) Security and Privacy Engineering Principles | Efficiently Mediated Access Implement the security design principle of efficiently mediated access in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(6) Security and Privacy Engineering Principles | Minimized Sharing Implement the security design principle of minimized sharing in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(7) Security and Privacy Engineering Principles | Reduced Complexity Implement the security design principle of reduced complexity in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(8) Security and Privacy Engineering Principles | Secure Evolvability Implement the security design principle of secure evolvability in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(9) Security and Privacy Engineering Principles | Trusted Components Implement the security design principle of trusted components in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(10) Security and Privacy Engineering Principles | Hierarchical Trust Implement the security design principle of hierarchical trust in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(11) Security and Privacy Engineering Principles | Inverse Modification Threshold Implement the security design principle of inverse modification threshold in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(12) Security and Privacy Engineering Principles | Hierarchical Protection Implement the security design principle of hierarchical protection in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(13) Security and Privacy Engineering Principles | Minimized Security Elements Implement the security design principle of minimized security elements in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(14) Security and Privacy Engineering Principles | Least Privilege Implement the security design principle of least privilege in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(15) Security and Privacy Engineering Principles | Predicate Permission Implement the security design principle of predicate permission in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(16) Security and Privacy Engineering Principles | Self-reliant Trustworthiness Implement the security design principle of self-reliant trustworthiness in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(17) Security and Privacy Engineering Principles | Secure Distributed Composition Implement the security design principle of secure distributed composition in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA NA
SA-8(18) Security and Privacy Engineering Principles | Trusted Communications Channels Implement the security design principle of trusted communications channels in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(19) Security and Privacy Engineering Principles | Continuous Protection Implement the security design principle of continuous protection in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(20) Security and Privacy Engineering Principles | Secure Metadata Management Implement the security design principle of secure metadata management in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA NA
SA-8(21) Security and Privacy Engineering Principles | Self-analysis Implement the security design principle of self-analysis in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(22) Security and Privacy Engineering Principles | Accountability and Traceability Implement the security design principle of accountability and traceability in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(23) Security and Privacy Engineering Principles | Secure Defaults Implement the security design principle of secure defaults in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(24) Security and Privacy Engineering Principles | Secure Failure and Recovery Implement the security design principle of secure failure and recovery in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 YES YES
SA-8(25) Security and Privacy Engineering Principles | Economic Security Implement the security design principle of economic security in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(26) Security and Privacy Engineering Principles | Performance Security Implement the security design principle of performance security in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(27) Security and Privacy Engineering Principles | Human Factored Security Implement the security design principle of human factored security in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA NA
SA-8(28) Security and Privacy Engineering Principles | Acceptable Security Implement the security design principle of acceptable security in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA NA
SA-8(29) Security and Privacy Engineering Principles | Repeatable and Documented Procedures Implement the security design principle of repeatable and documented procedures in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(30) Security and Privacy Engineering Principles | Procedural Rigor Implement the security design principle of procedural rigor in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(31) Security and Privacy Engineering Principles | Secure System Modification Implement the security design principle of secure system modification in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA YES
SA-8(32) Security and Privacy Engineering Principles | Sufficient Documentation Implement the security design principle of sufficient documentation in [Assignment: organization-defined systems or system components]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA NA
SA-8(33) Security and Privacy Engineering Principles | Minimization Implement the privacy principle of minimization using [Assignment: organization-defined processes]. CM0040 CM0022 CM0039 CM0042 CM0044 CM0014 CM0038 CM0012 CM0013 CM0015 CM0017 CM0010 CM0031 CM0050 CM0005 CM0024 CM0027 CM0028 CM0034 CM0035 CM0054 CM0002 CM0001 CM0004 CM0047 CM0029 CM0032 CM0020 CM0007 CM0021 CM0023 CM0056 CM0011 CM0018 CM0019 CM0046 CM0051 NA NA
SA-9 External System Services a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques]. CM0024 CM0025 CM0026 CM0027 CM0028 CM0041 CM0004 CM0010 CM0012 CM0013 CM0015 CM0021 CM0005 CM0048 YES YES
1 External System Services | Risk Assessments and Organizational Approvals (a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
2 External System Services | Identification of Functions, Ports, Protocols, and Services Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services]. CM0005 CM0002 CM0030 CM0050 CM0001 NA YES
3 External System Services | Establish and Maintain Trust Relationship with Providers Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: [Assignment: organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships]. CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
4 External System Services | Consistent Interests of Consumers and Providers Take the following actions to verify that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests: [Assignment: organization-defined actions]. CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
5 External System Services | Processing, Storage, and Service Location Restrict the location of [Selection (one or more): information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
6 External System Services | Organization-controlled Cryptographic Keys Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system. CM0005 CM0002 CM0030 CM0050 CM0001 YES YES
7 External System Services | Organization-controlled Integrity Checking Provide the capability to check the integrity of information while it resides in the external system. CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
8 External System Services | Processing and Storage Location — U.S. Jurisdiction Restrict the geographic location of information processing and data storage to facilities located within the legal jurisdictional boundary of the United States. CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
SA-10 Developer Configuration Management Require the developer of the system, system component, or system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. CM0004 CM0023 CM0005 YES YES
1 Developer Configuration Management | Software and Firmware Integrity Verification Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components. CM0021 CM0005 CM0012 CM0015 CM0023 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 YES YES
2 Developer Configuration Management | Alternative Configuration Management Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team. CM0021 CM0005 CM0012 CM0015 CM0023 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 NA YES
3 Developer Configuration Management | Hardware Integrity Verification Require the developer of the system, system component, or system service to enable integrity verification of hardware components. CM0021 CM0005 CM0012 CM0015 CM0023 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 YES YES
4 Developer Configuration Management | Trusted Generation Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions. CM0021 CM0005 CM0012 CM0015 CM0023 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 YES YES
5 Developer Configuration Management | Mapping Integrity for Version Control Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version. CM0021 CM0005 CM0012 CM0015 CM0023 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 NA NA
6 Developer Configuration Management | Trusted Distribution Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies. CM0021 CM0005 CM0012 CM0015 CM0023 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 NA NA
7 Developer Configuration Management | Security and Privacy Representatives Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process]. CM0021 CM0005 CM0012 CM0015 CM0023 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 YES YES
SA-11 Developer Testing and Evaluation Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation. CM0008 CM0020 CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0007 CM0010 CM0011 CM0012 CM0013 CM0015 CM0016 CM0017 CM0018 CM0019 CM0021 CM0023 CM0005 YES YES
1 Developer Testing and Evaluation | Static Code Analysis Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0022 CM0025 CM0011 CM0012 CM0017 CM0018 YES YES
2 Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: (a) Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; (b) Employs the following tools and methods: [Assignment: organization-defined tools and methods]; (c) Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and (d) Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria]. CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0022 CM0025 CM0011 CM0012 CM0017 CM0018 YES YES
3 Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence (a) Require an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and (b) Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information. CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0022 CM0025 CM0011 CM0012 CM0017 CM0018 NA YES
4 Developer Testing and Evaluation | Manual Code Reviews Require the developer of the system, system component, or system service to perform a manual code review of [Assignment: organization-defined specific code] using the following processes, procedures, and/or techniques: [Assignment: organization-defined processes, procedures, and/or techniques]. CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0022 CM0025 CM0011 CM0012 CM0017 CM0018 YES YES
5 Developer Testing and Evaluation | Penetration Testing Require the developer of the system, system component, or system service to perform penetration testing: (a) At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and (b) Under the following constraints: [Assignment: organization-defined constraints]. CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0022 CM0025 CM0011 CM0012 CM0017 CM0018 YES YES
6 Developer Testing and Evaluation | Attack Surface Reviews Require the developer of the system, system component, or system service to perform attack surface reviews. CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0022 CM0025 CM0011 CM0012 CM0017 CM0018 YES YES
7 Developer Testing and Evaluation | Verify Scope of Testing and Evaluation Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation]. CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0022 CM0025 CM0011 CM0012 CM0017 CM0018 NA YES
8 Developer Testing and Evaluation | Dynamic Code Analysis Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis. CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0022 CM0025 CM0011 CM0012 CM0017 CM0018 YES YES
9 Developer Testing and Evaluation | Interactive Application Security Testing Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results. CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0022 CM0025 CM0011 CM0012 CM0017 CM0018 YES YES
SA-15 Development Process, Standards, and Tools a. Require the developer of the system, system component, or system service to follow a documented development process that: 1. Explicitly addresses security and privacy requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements]. CM0004 CM0017 CM0005 YES YES
1 Development Process, Standards, and Tools | Quality Metrics Require the developer of the system, system component, or system service to: (a) Define quality metrics at the beginning of the development process; and (b) Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery]. CM0022 CM0004 CM0005 CM0020 CM0047 CM0011 CM0016 CM0019 NA NA
2 Development Process, Standards, and Tools | Security and Privacy Tracking Tools Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process. CM0022 CM0004 CM0005 CM0020 CM0047 CM0011 CM0016 CM0019 NA NA
3 Development Process, Standards, and Tools | Criticality Analysis Require the developer of the system, system component, or system service to perform a criticality analysis: (a) At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (b) At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis]. CM0022 CM0004 CM0005 CM0020 CM0047 CM0011 CM0016 CM0019 YES YES
5 Development Process, Standards, and Tools | Attack Surface Reduction Require the developer of the system, system component, or system service to reduce attack surfaces to [Assignment: organization-defined thresholds]. CM0022 CM0004 CM0005 CM0020 CM0047 CM0011 CM0016 CM0019 NA YES
6 Development Process, Standards, and Tools | Continuous Improvement Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process. CM0022 CM0004 CM0005 CM0020 CM0047 CM0011 CM0016 CM0019 NA NA
7 Development Process, Standards, and Tools | Automated Vulnerability Analysis Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to: (a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; (b) Determine the exploitation potential for discovered vulnerabilities; (c) Determine potential risk mitigations for delivered vulnerabilities; and (d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. CM0022 CM0004 CM0005 CM0020 CM0047 CM0011 CM0016 CM0019 YES YES
8 Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process. CM0022 CM0004 CM0005 CM0020 CM0047 CM0011 CM0016 CM0019 YES YES
10 Development Process, Standards, and Tools | Incident Response Plan Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan. CM0022 CM0004 CM0005 CM0020 CM0047 CM0011 CM0016 CM0019 NA NA
11 Development Process, Standards, and Tools | Archive System or Component Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review. CM0022 CM0004 CM0005 CM0020 CM0047 CM0011 CM0016 CM0019 NA NA
12 Development Process, Standards, and Tools | Minimize Personally Identifiable Information Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments. CM0022 CM0004 CM0005 CM0020 CM0047 CM0011 CM0016 CM0019 NA NA
SA-16 Developer-provided Training Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: [Assignment: organization-defined training]. NA NA
SA-17 Developer Security and Privacy Architecture and Design Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: a. Is consistent with the organization’s security and privacy architecture that is an integral part of the organization’s enterprise architecture; b. Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and c. Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection. CM0025 CM0004 CM0005 YES YES
1 Developer Security and Privacy Architecture and Design | Formal Policy Model Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security and privacy policy] to be enforced; and (b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented. CM0039 NA NA
2 Developer Security and Privacy Architecture and Design | Security-relevant Components Require the developer of the system, system component, or system service to: (a) Define security-relevant hardware, software, and firmware; and (b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete. CM0039 NA NA
3 Developer Security and Privacy Architecture and Design | Formal Correspondence Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; (b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model; (c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; (d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and (e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. CM0039 NA NA
4 Developer Security and Privacy Architecture and Design | Informal Correspondence Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; (b) Show via [Selection: informal demonstration; convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model; (c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; (d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and (e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. CM0039 NA NA
5 Developer Security and Privacy Architecture and Design | Conceptually Simple Design Require the developer of the system, system component, or system service to: (a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and (b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism. CM0039 NA NA
6 Developer Security and Privacy Architecture and Design | Structure for Testing Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing. CM0039 NA NA
7 Developer Security and Privacy Architecture and Design | Structure for Least Privilege Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege. CM0039 YES YES
8 Developer Security and Privacy Architecture and Design | Orchestration Design [Assignment: organization-defined critical systems or system components] with coordinated behavior to implement the following capabilities: [Assignment: organization-defined capabilities, by system or component]. CM0039 NA NA
9 Developer Security and Privacy Architecture and Design | Design Diversity Use different designs for [Assignment: organization-defined critical systems or system components] to satisfy a common set of requirements or to provide equivalent functionality. CM0039 NA NA
SA-20 Customized Development of Critical Components Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components]. NA NA
SA-21 Developer Screening Require that the developer of [Assignment: organization-defined system, system component, or system service]: a. Has appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and b. Satisfies the following additional personnel screening criteria: [Assignment: organization-defined additional personnel screening criteria]. NA NA
SA-22 Unsupported System Components a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or b. Provide the following options for alternative sources for continued support for unsupported components [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers] ]. CM0005 NA NA
SA-23 Specialization Employ [Selection (one or more): design modification; augmentation; reconfiguration] on [Assignment: organization-defined systems or system components] supporting mission essential services or functions to increase the trustworthiness in those systems or components. NA NA
SC-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] system and communications protection policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and c. Review and update the current system and communications protection: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
SC-2 Separation of System and User Functionality Separate user functionality, including user interface services, from system management functionality. CM0005 NA YES
1 Separation of System and User Functionality | Interfaces for Non-privileged Users Prevent the presentation of system management functionality at interfaces to non-privileged users. CM0040 CM0018 CM0039 CM0005 CM0038 NA NA
2 Separation of System and User Functionality | Disassociability Store state information from applications and software separately. CM0040 CM0018 CM0039 CM0005 CM0038 YES YES
SC-3 Security Function Isolation Isolate security functions from nonsecurity functions. CM0005 CM0038 YES YES
1 Security Function Isolation | Hardware Separation Employ hardware separation mechanisms to implement security function isolation. CM0040 CM0038 NA NA
2 Security Function Isolation | Access and Flow Control Functions Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions. CM0040 CM0038 NA NA
3 Security Function Isolation | Minimize Nonsecurity Functionality Minimize the number of nonsecurity functions included within the isolation boundary containing security functions. CM0040 CM0038 NA NA
4 Security Function Isolation | Module Coupling and Cohesiveness Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules. CM0040 CM0038 NA YES
5 Security Function Isolation | Layered Structures Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. CM0040 CM0038 NA NA
SC-4 Information in Shared System Resources Prevent unauthorized and unintended information transfer via shared system resources. CM0040 CM0005 CM0038 YES YES
2 Information in Shared System Resources | Multilevel or Periods Processing Prevent unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories. NA NA
SC-5 Denial-of-service Protection a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]. CM0086 CM0005 CM0032 CM0042 CM0044 CM0029 YES YES
1 Denial-of-service Protection | Restrict Ability to Attack Other Systems Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks]. CM0005 CM0086 CM0032 NA YES
2 Denial-of-service Protection | Capacity, Bandwidth, and Redundancy Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks. CM0005 CM0086 CM0032 NA YES
3 Denial-of-service Protection | Detection and Monitoring (a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and (b) Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]. CM0005 CM0086 CM0032 YES YES
SC-6 Resource Availability Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls] ]. CM0038 YES YES
SC-7 Boundary Protection a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. CM0052 CM0002 CM0033 CM0055 CM0005 CM0034 YES YES
3 Boundary Protection | Access Points Limit the number of external network connections to the system. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
4 Boundary Protection | External Telecommunications Services (a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of the information being transmitted across each interface; (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (f) Prevent unauthorized exchange of control plane traffic with external networks; (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h) Filter unauthorized control plane traffic from external networks. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
5 Boundary Protection | Deny by Default — Allow by Exception Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems] ]. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
7 Boundary Protection | Split Tunneling for Remote Devices Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
8 Boundary Protection | Route Traffic to Authenticated Proxy Servers Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
9 Boundary Protection | Restrict Threatening Outgoing Communications Traffic (a) Detect and deny outgoing communications traffic posing a threat to external systems; and (b) Audit the identity of internal users associated with denied communications. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
10 Boundary Protection | Prevent Exfiltration (a) Prevent the exfiltration of information; and (b) Conduct exfiltration tests [Assignment: organization-defined frequency]. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
11 Boundary Protection | Restrict Incoming Communications Traffic Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
12 Boundary Protection | Host-based Protection Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
13 Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components Isolate [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA YES
14 Boundary Protection | Protect Against Unauthorized Physical Connections Protect against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA YES
15 Boundary Protection | Networked Privileged Accesses Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
16 Boundary Protection | Prevent Discovery of System Components Prevent the discovery of specific system components that represent a managed interface. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
17 Boundary Protection | Automated Enforcement of Protocol Formats Enforce adherence to protocol formats. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
18 Boundary Protection | Fail Secure Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
19 Boundary Protection | Block Communication from Non-organizationally Configured Hosts Block inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
20 Boundary Protection | Dynamic Isolation and Segregation Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
21 Boundary Protection | Isolation of System Components Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
22 Boundary Protection | Separate Subnets for Connecting to Different Security Domains Implement separate network addresses to connect to systems in different security domains. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
23 Boundary Protection | Disable Sender Feedback on Protocol Validation Failure Disable feedback to senders on protocol format validation failure. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
24 Boundary Protection | Personally Identifiable Information For systems that process personally identifiable information: (a) Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules]; (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; (c) Document each processing exception; and (d) Review and remove exceptions that are no longer supported. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
25 Boundary Protection | Unclassified National Security System Connections Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
26 Boundary Protection | Classified National Security System Connections Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
27 Boundary Protection | Unclassified Non-national Security System Connections Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
28 Boundary Protection | Connections to Public Networks Prohibit the direct connection of [Assignment: organization-defined system] to a public network. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
29 Boundary Protection | Separate Subnets to Isolate Functions Implement [Selection: physically; logically] separate subnetworks to isolate the following critical system components and functions: [Assignment: organization-defined critical system components and functions]. CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
SC-8 Transmission Confidentiality and Integrity Protect the [Selection (one or more): confidentiality; integrity] of transmitted information. CM0073 CM0049 CM0005 CM0006 CM0071 YES YES
1 Transmission Confidentiality and Integrity | Cryptographic Protection Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission. CM0001 CM0002 CM0030 CM0031 CM0050 CM0005 CM0035 CM0071 CM0029 CM0049 CM0003 CM0053 YES YES
2 Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. CM0001 CM0002 CM0030 CM0031 CM0050 CM0005 CM0035 CM0071 CM0029 CM0049 CM0003 CM0053 NA YES
3 Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls]. CM0001 CM0002 CM0030 CM0031 CM0050 CM0005 CM0035 CM0071 CM0029 CM0049 CM0003 CM0053 YES YES
4 Transmission Confidentiality and Integrity | Conceal or Randomize Communications Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls]. CM0001 CM0002 CM0030 CM0031 CM0050 CM0005 CM0035 CM0071 CM0029 CM0049 CM0003 CM0053 YES YES
5 Transmission Confidentiality and Integrity | Protected Distribution System Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission. CM0001 CM0002 CM0030 CM0031 CM0050 CM0005 CM0035 CM0071 CM0029 CM0049 CM0003 CM0053 NA NA
SC-10 Network Disconnect Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. CM0002 CM0036 CM0005 YES YES
SC-11 Trusted Path a. Provide a [Selection: physically; logically] isolated trusted communications path for communications between the user and the trusted components of the system; and b. Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: [Assignment: organization-defined security functions]. NA NA
1 Trusted Path | Irrefutable Communications Path (a) Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and (b) Initiate the trusted communications path for communications between the [Assignment: organization-defined security functions] of the system and the user. NA NA
SC-12 Cryptographic Key Establishment and Management Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. CM0002 CM0030 CM0005 YES YES
1 Cryptographic Key Establishment and Management | Availability Maintain availability of information in the event of the loss of cryptographic keys by users. CM0002 CM0030 CM0005 CM0053 YES YES
2 Cryptographic Key Establishment and Management | Symmetric Keys Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes. CM0002 CM0030 CM0005 CM0053 NA NA
3 Cryptographic Key Establishment and Management | Asymmetric Keys Produce, control, and distribute asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; certificates issued in accordance with organization-defined requirements]. CM0002 CM0030 CM0005 CM0053 YES YES
6 Cryptographic Key Establishment and Management | Physical Control of Keys Maintain physical control of cryptographic keys when stored information is encrypted by external service providers. CM0002 CM0030 CM0005 CM0053 NA NA
SC-13 Cryptographic Protection a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. CM0002 CM0033 CM0050 CM0005 CM0006 YES YES
SC-15 Collaborative Computing Devices and Applications a. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and b. Provide an explicit indication of use to users physically present at the devices. CM0005 NA NA
1 Collaborative Computing Devices and Applications | Physical or Logical Disconnect Provide [Selection (one or more): physical; logical] disconnect of collaborative computing devices in a manner that supports ease of use. NA NA
3 Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas Disable or remove collaborative computing devices and applications from [Assignment: organization-defined systems or system components] in [Assignment: organization-defined secure work areas]. NA NA
4 Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants Provide an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences]. NA NA
SC-16 Transmission of Security and Privacy Attributes Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components. CM0001 CM0031 CM0050 CM0034 CM0035 CM0006 CM0029 YES YES
1 Transmission of Security and Privacy Attributes | Integrity Verification Verify the integrity of transmitted security and privacy attributes. CM0001 CM0031 CM0033 CM0050 CM0034 CM0035 CM0029 CM0005 CM0032 CM0042 CM0044 CM0048 CM0002 CM0038 NA YES
2 Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process. CM0001 CM0031 CM0033 CM0050 CM0034 CM0035 CM0029 CM0005 CM0032 CM0042 CM0044 CM0048 CM0002 CM0038 YES YES
3 Transmission of Security and Privacy Attributes | Cryptographic Binding Implement [Assignment: organization-defined mechanisms or techniques] to bind security and privacy attributes to transmitted information. CM0001 CM0031 CM0033 CM0050 CM0034 CM0035 CM0029 CM0005 CM0032 CM0042 CM0044 CM0048 CM0002 CM0038 YES YES
SC-17 Public Key Infrastructure Certificates a. Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and b. Include only approved trust anchors in trust stores or certificate stores managed by the organization. NA NA
SC-18 Mobile Code a. Define acceptable and unacceptable mobile code and mobile code technologies; and b. Authorize, monitor, and control the use of mobile code within the system. NA NA
1 Mobile Code | Identify Unacceptable Code and Take Corrective Actions Identify [Assignment: organization-defined unacceptable mobile code] and take [Assignment: organization-defined corrective actions]. CM0005 NA NA
2 Mobile Code | Acquisition, Development, and Use Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements]. CM0005 NA NA
3 Mobile Code | Prevent Downloading and Execution Prevent the download and execution of [Assignment: organization-defined unacceptable mobile code]. CM0005 NA NA
4 Mobile Code | Prevent Automatic Execution Prevent the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforce [Assignment: organization-defined actions] prior to executing the code. CM0005 NA NA
5 Mobile Code | Allow Execution Only in Confined Environments Allow execution of permitted mobile code only in confined virtual machine environments. CM0005 NA NA
SC-20 Secure Name/Address Resolution Service (Authoritative Source) a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. CM0005 NA NA
2 Secure Name/Address Resolution Service (Authoritative Source) | Data Origin and Integrity Provide data origin and integrity protection artifacts for internal name/address resolution queries. NA NA
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. CM0005 NA NA
SC-22 Architecture and Provisioning for Name/Address Resolution Service Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. CM0005 NA NA
SC-23 Session Authenticity Protect the authenticity of communications sessions. CM0033 CM0005 YES YES
1 Session Authenticity | Invalidate Session Identifiers at Logout Invalidate session identifiers upon user logout or other session termination. CM0033 CM0005 NA YES
3 Session Authenticity | Unique System-generated Session Identifiers Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated. CM0033 CM0005 NA YES
5 Session Authenticity | Allowed Certificate Authorities Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions. CM0033 CM0005 NA NA
SC-24 Fail in Known State Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization-defined types of system failures on organization-defined system components]. CM0005 CM0006 CM0042 CM0044 YES YES
SC-25 Thin Nodes Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]. NA NA
SC-26 Decoys Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks. CM0082 NA NA
SC-27 Platform-independent Applications Include within organizational systems the following platform independent applications: [Assignment: organization-defined platform-independent applications]. NA NA
SC-28 Protection of Information at Rest Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. CM0049 CM0005 NA YES
1 Protection of Information at Rest | Cryptographic Protection Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]. CM0002 CM0049 CM0005 CM0030 YES YES
2 Protection of Information at Rest | Offline Storage Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information]. CM0002 CM0049 CM0005 CM0030 NA NA
3 Protection of Information at Rest | Cryptographic Keys Provide protected storage for cryptographic keys [Selection: [Assignment: organization-defined safeguards] ; hardware-protected key store]. CM0002 CM0049 CM0005 CM0030 YES YES
SC-29 Heterogeneity Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components]. NA NA
1 Heterogeneity | Virtualization Techniques Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]. NA NA
SC-30 Concealment and Misdirection Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques]. CM0080 CM0082 NA YES
2 Concealment and Misdirection | Randomness Employ [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets. CM0080 CM0086 CM0087 NA NA
3 Concealment and Misdirection | Change Processing and Storage Locations Change the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]. CM0080 CM0086 CM0087 NA NA
4 Concealment and Misdirection | Misleading Information Employ realistic, but misleading information in [Assignment: organization-defined system components] about its security state or posture. CM0080 CM0086 CM0087 NA NA
5 Concealment and Misdirection | Concealment of System Components Employ the following techniques to hide or conceal [Assignment: organization-defined system components]: [Assignment: organization-defined techniques]. CM0080 CM0086 CM0087 NA YES
SC-31 Covert Channel Analysis a. Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and b. Estimate the maximum bandwidth of those channels. NA NA
1 Covert Channel Analysis | Test Covert Channels for Exploitability Test a subset of the identified covert channels to determine the channels that are exploitable. NA NA
2 Covert Channel Analysis | Maximum Bandwidth Reduce the maximum bandwidth for identified covert [Selection (one or more): storage; timing] channels to [Assignment: organization-defined values]. NA NA
3 Covert Channel Analysis | Measure Bandwidth in Operational Environments Measure the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the system. NA NA
SC-32 System Partitioning Partition the system into [Assignment: organization-defined system components] residing in separate [Selection: physical; logical] domains or environments based on [Assignment: organization-defined circumstances for physical or logical separation of components]. CM0038 NA YES
1 System Partitioning | Separate Physical Domains for Privileged Functions Partition privileged functions into separate physical domains. CM0022 CM0031 CM0040 CM0039 CM0032 CM0038 YES YES
SC-34 Non-modifiable Executable Programs For [Assignment: organization-defined system components], load and execute: a. The operating environment from hardware-enforced, read-only media; and b. The following applications from hardware-enforced, read-only media: [Assignment: organization-defined applications]. NA NA
1 Non-modifiable Executable Programs | No Writable Storage Employ [Assignment: organization-defined system components] with no writeable storage that is persistent across component restart or power on/off. NA NA
2 Non-modifiable Executable Programs | Integrity Protection on Read-only Media Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media. NA NA
SC-35 External Malicious Code Identification Include system components that proactively seek to identify network-based malicious code or malicious websites. NA NA
SC-36 Distributed Processing and Storage Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]. NA NA
1 Distributed Processing and Storage | Polling Techniques (a) Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]; and (b) Take the following actions in response to identified faults, errors, or compromises: [Assignment: organization-defined actions]. NA NA
2 Distributed Processing and Storage | Synchronization Synchronize the following duplicate systems or system components: [Assignment: organization-defined duplicate systems or system components]. NA NA
SC-37 Out-of-band Channels Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels]. NA NA
1 Out-of-band Channels | Ensure Delivery and Transmission Employ [Assignment: organization-defined controls] to ensure that only [Assignment: organization-defined individuals or systems] receive the following information, system components, or devices: [Assignment: organization-defined information, system components, or devices]. NA NA
SC-38 Operations Security Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [Assignment: organization-defined operations security controls]. CM0052 CM0004 CM0005 YES YES
SC-39 Process Isolation Maintain a separate execution domain for each executing system process. CM0005 CM0038 YES YES
1 Process Isolation | Hardware Separation Implement hardware separation mechanisms to facilitate process isolation. NA NA
2 Process Isolation | Separate Execution Domain Per Thread Maintain a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing]. NA NA
SC-40 Wireless Link Protection Protect external and internal [Assignment: organization-defined wireless links] from the following signal parameter attacks: [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks]. CM0083 CM0029 YES YES
1 Wireless Link Protection | Electromagnetic Interference Implement cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference. CM0029 YES YES
2 Wireless Link Protection | Reduce Detection Potential Implement cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction]. CM0029 NA NA
3 Wireless Link Protection | Imitative or Manipulative Communications Deception Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters. CM0029 YES YES
4 Wireless Link Protection | Signal Parameter Identification Implement cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters. CM0029 YES YES
SC-41 Port and I/O Device Access [Selection: Physically; Logically] disable or remove [Assignment: organization-defined connection ports or input/output devices] on the following systems or system components: [Assignment: organization-defined systems or system components]. CM0037 NA YES
SC-42 Sensor Capability and Data a. Prohibit [Selection (one or more): the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems]; the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]]; and b. Provide an explicit indication of sensor use to [Assignment: organization-defined class of users]. NA NA
1 Sensor Capability and Data | Reporting to Authorized Individuals or Roles Verify that the system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles. NA NA
2 Sensor Capability and Data | Authorized Use Employ the following measures so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes: [Assignment: organization-defined measures]. NA NA
4 Sensor Capability and Data | Notice of Collection Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by [Assignment: organization-defined sensors]: [Assignment: organization-defined measures]. NA NA
5 Sensor Capability and Data | Collection Minimization Employ [Assignment: organization-defined sensors] that are configured to minimize the collection of information about individuals that is not needed. NA NA
SC-43 Usage Restrictions a. Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and b. Authorize, monitor, and control the use of such components within the system. NA NA
SC-44 Detonation Chambers Employ a detonation chamber capability within [Assignment: organization-defined system, system component, or location]. NA NA
SC-45 System Time Synchronization Synchronize system clocks within and between systems and system components. CM0005 CM0048 YES YES
1 System Time Synchronization | Synchronization with Authoritative Time Source (a) Compare the internal system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and (b) Synchronize the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. CM0005 CM0048 YES YES
2 System Time Synchronization | Secondary Authoritative Time Source (a) Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and (b) Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable. CM0005 CM0048 YES YES
SC-46 Cross Domain Policy Enforcement Implement a policy enforcement mechanism [Selection: physically; logically] between the physical and/or network interfaces for the connecting security domains. NA NA
SC-47 Alternate Communications Paths Establish [Assignment: organization-defined alternate communications paths] for system operations organizational command and control. CM0070 NA YES
SC-48 Sensor Relocation Relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances]. NA NA
1 Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities Dynamically relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances]. NA NA
SC-49 Hardware-enforced Separation and Policy Enforcement Implement hardware-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains]. CM0040 CM0039 CM0005 CM0038 NA NA
SC-50 Software-enforced Separation and Policy Enforcement Implement software-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains]. CM0040 CM0039 CM0005 CM0038 NA NA
SC-51 Hardware-based Protection a. Employ hardware-based, write-protect for [Assignment: organization-defined system firmware components]; and b. Implement specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode. CM0028 CM0005 CM0053 CM0014 CM0057 YES YES
SI-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c. Review and update the current system and information integrity: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0088 NA YES
SI-2 Flaw Remediation a. Identify, report, and correct system flaws; b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporate flaw remediation into the organizational configuration management process. CM0004 CM0010 CM0005 CM0072 YES YES
2 Flaw Remediation | Automated Flaw Remediation Status Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]. CM0005 CM0004 CM0010 NA NA
3 Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions (a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]. CM0005 CM0004 CM0010 NA NA
4 Flaw Remediation | Automated Patch Management Tools Employ automated patch management tools to facilitate flaw remediation to the following system components: [Assignment: organization-defined system components]. CM0005 CM0004 CM0010 NA NA
5 Flaw Remediation | Automatic Software and Firmware Updates Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]. CM0005 CM0004 CM0010 NA NA
6 Flaw Remediation | Removal of Previous Versions of Software and Firmware Remove previous versions of [Assignment: organization-defined software and firmware components] after updated versions have been installed. CM0005 CM0004 CM0010 YES YES
SI-3 Malicious Code Protection a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action] ]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. CM0027 CM0011 CM0018 CM0005 CM0032 YES YES
4 Malicious Code Protection | Updates Only by Privileged Users Update malicious code protection mechanisms only when directed by a privileged user. CM0002 CM0033 CM0047 CM0055 CM0034 CM0032 CM0043 CM0027 CM0011 CM0018 CM0005 NA NA
6 Malicious Code Protection | Testing and Verification (a) Test malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing known benign code into the system; and (b) Verify that the detection of the code and the associated incident reporting occur. CM0002 CM0033 CM0047 CM0055 CM0034 CM0032 CM0043 CM0027 CM0011 CM0018 CM0005 NA NA
8 Malicious Code Protection | Detect Unauthorized Commands (a) Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and (b) [Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]. CM0002 CM0033 CM0047 CM0055 CM0034 CM0032 CM0043 CM0027 CM0011 CM0018 CM0005 YES YES
10 Malicious Code Protection | Malicious Code Analysis (a) Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: [Assignment: organization-defined tools and techniques]; and (b) Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes. CM0002 CM0033 CM0047 CM0055 CM0034 CM0032 CM0043 CM0027 CM0011 CM0018 CM0005 NA YES
SI-4 System Monitoring a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency] ]. CM0052 CM0005 CM0032 CM0066 CM0067 CM0068 YES YES
1 System Monitoring | System-wide Intrusion Detection System Connect and configure individual intrusion detection tools into a system-wide intrusion detection system. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 YES YES
2 System Monitoring | Automated Tools and Mechanisms for Real-time Analysis Employ automated tools and mechanisms to support near real-time analysis of events. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 YES YES
3 System Monitoring | Automated Tool and Mechanism Integration Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA NA
4 System Monitoring | Inbound and Outbound Communications Traffic (a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; (b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 YES YES
5 System Monitoring | System-generated Alerts Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 YES YES
7 System Monitoring | Automated Response to Suspicious Events (a) Notify [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events; and (b) Take the following actions upon detection: [Assignment: organization-defined least-disruptive actions to terminate suspicious events]. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA YES
9 System Monitoring | Testing of Monitoring Tools and Mechanisms Test intrusion-monitoring tools and mechanisms [Assignment: organization-defined frequency]. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA NA
10 System Monitoring | Visibility of Encrypted Communications Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 YES YES
11 System Monitoring | Analyze Communications Traffic Anomalies Analyze outbound communications traffic at the external interfaces to the system and selected [Assignment: organization-defined interior points within the system] to discover anomalies. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 YES YES
12 System Monitoring | Automated Organization-generated Alerts Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA YES
13 System Monitoring | Analyze Traffic and Event Patterns (a) Analyze communications traffic and event patterns for the system; (b) Develop profiles representing common traffic and event patterns; and (c) Use the traffic and event profiles in tuning system-monitoring devices. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 YES YES
14 System Monitoring | Wireless Intrusion Detection Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA NA
15 System Monitoring | Wireless to Wireline Communications Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA NA
16 System Monitoring | Correlate Monitoring Information Correlate information from monitoring tools and mechanisms employed throughout the system. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 YES YES
17 System Monitoring | Integrated Situational Awareness Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA NA
18 System Monitoring | Analyze Traffic and Covert Exfiltration Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system]. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA NA
19 System Monitoring | Risk for Individuals Implement [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA NA
20 System Monitoring | Privileged Users Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA NA
21 System Monitoring | Probationary Periods Implement the following additional monitoring of individuals during [Assignment: organization-defined probationary period]: [Assignment: organization-defined additional monitoring]. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA NA
22 System Monitoring | Unauthorized Network Services (a) Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and (b) [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles] ] when detected. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA NA
23 System Monitoring | Host-based Devices Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms]. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 NA NA
24 System Monitoring | Indicators of Compromise Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources]. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 YES YES
25 System Monitoring | Optimize Network Traffic Analysis Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices. CM0005 CM0032 CM0066 CM0067 CM0068 CM0036 CM0034 CM0042 CM0044 CM0038 CM0050 CM0078 CM0083 CM0073 CM0077 CM0009 CM0051 YES YES
SI-5 Security Alerts, Advisories, and Directives a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles] ; [Assignment: organization-defined elements within the organization] ; [Assignment: organization-defined external organizations] ]; and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. CM0005 NA NA
1 Security Alerts, Advisories, and Directives | Automated Alerts and Advisories Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms]. CM0005 NA NA
SI-6 Security and Privacy Function Verification a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: organization-defined system transitional states] ; upon command by user with appropriate privilege; [Assignment: organization-defined frequency] ]; c. Alert [Assignment: organization-defined personnel or roles] to failed security and privacy verification tests; and d. [Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action(s)] ] when anomalies are discovered. CM0005 CM0032 YES YES
2 Security and Privacy Function Verification | Automation Support for Distributed Testing Implement automated mechanisms to support the management of distributed security and privacy function testing. NA NA
3 Security and Privacy Function Verification | Report Verification Results Report the results of security and privacy function verification to [Assignment: organization-defined personnel or roles]. NA NA
SI-7 Software, Firmware, and Information Integrity a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions]. CM0049 CM0004 CM0010 CM0011 CM0012 CM0013 CM0015 CM0016 CM0017 CM0018 CM0019 CM0021 CM0023 CM0005 CM0014 YES YES
1 Software, Firmware, and Information Integrity | Integrity Checks Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events] ; [Assignment: organization-defined frequency] ]. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 NA YES
2 Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations Employ automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 NA YES
3 Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools Employ centrally managed integrity verification tools. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 NA NA
5 Software, Firmware, and Information Integrity | Automated Response to Integrity Violations Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls] ] when integrity violations are discovered. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 NA YES
6 Software, Firmware, and Information Integrity | Cryptographic Protection Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 NA YES
7 Software, Firmware, and Information Integrity | Integration of Detection and Response Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system]. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 NA YES
8 Software, Firmware, and Information Integrity | Auditing Capability for Significant Events Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles] ; [Assignment: organization-defined other actions] ]. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 YES YES
9 Software, Firmware, and Information Integrity | Verify Boot Process Verify the integrity of the boot process of the following system components: [Assignment: organization-defined system components]. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 YES YES
10 Software, Firmware, and Information Integrity | Protection of Boot Firmware Implement the following mechanisms to protect the integrity of boot firmware in [Assignment: organization-defined system components]: [Assignment: organization-defined mechanisms]. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 NA YES
12 Software, Firmware, and Information Integrity | Integrity Verification Require that the integrity of the following user-installed software be verified prior to execution: [Assignment: organization-defined user-installed software]. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 YES YES
15 Software, Firmware, and Information Integrity | Code Authentication Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [Assignment: organization-defined software or firmware components]. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 YES YES
16 Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision Prohibit processes from executing without supervision for more than [Assignment: organization-defined time period]. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 NA NA
17 Software, Firmware, and Information Integrity | Runtime Application Self-protection Implement [Assignment: organization-defined controls] for application self-protection at runtime. CM0049 CM0021 CM0005 CM0014 CM0042 CM0044 CM0031 CM0032 YES YES
SI-8 Spam Protection a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and b. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. NA NA
2 Spam Protection | Automatic Updates Automatically update spam protection mechanisms [Assignment: organization-defined frequency]. NA NA
3 Spam Protection | Continuous Learning Capability Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic. NA NA
SI-10 Information Input Validation Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]. CM0002 CM0033 CM0005 CM0043 YES YES
1 Information Input Validation | Manual Override Capability (a) Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; (b) Restrict the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and (c) Audit the use of the manual override capability. CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 NA NA
2 Information Input Validation | Review and Resolve Errors Review and resolve input validation errors within [Assignment: organization-defined time period]. CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 NA NA
3 Information Input Validation | Predictable Behavior Verify that the system behaves in a predictable and documented manner when invalid inputs are received. CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 YES YES
4 Information Input Validation | Timing Interactions Account for timing interactions among system components in determining appropriate responses for invalid inputs. CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 NA NA
5 Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats Restrict the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]. CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 YES YES
6 Information Input Validation | Injection Prevention Prevent untrusted data injections. CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 YES YES
SI-11 Error Handling a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]. CM0005 CM0044 YES YES
SI-12 Information Management and Retention Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. CM0001 CM0005 CM0056 NA YES
1 Information Management and Retention | Limit Personally Identifiable Information Elements Limit personally identifiable information being processed in the information life cycle to the following elements of PII: [Assignment: organization-defined elements of personally identifiable information]. NA NA
2 Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: [Assignment: organization-defined techniques]. NA NA
3 Information Management and Retention | Information Disposal Use the following techniques to dispose of, destroy, or erase information following the retention period: [Assignment: organization-defined techniques]. NA NA
SI-13 Predictable Failure Prevention a. Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and b. Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: [Assignment: organization-defined MTTF substitution criteria]. CM0042 CM0051 YES YES
1 Predictable Failure Prevention | Transferring Component Responsibilities Take system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure. CM0042 NA NA
3 Predictable Failure Prevention | Manual Transfer Between Components Manually initiate transfers between active and standby system components when the use of the active component reaches [Assignment: organization-defined percentage] of the mean time to failure. CM0042 NA NA
4 Predictable Failure Prevention | Standby Component Installation and Notification If system component failures are detected: (a) Ensure that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and (b) [Selection (one or more): Activate [Assignment: organization-defined alarm] ; Automatically shut down the system; [Assignment: organization-defined action] ]. CM0042 NA YES
5 Predictable Failure Prevention | Failover Capability Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system. CM0042 NA NA
SI-14 Non-persistence Implement non-persistent [Assignment: organization-defined system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency] ]. NA YES
1 Non-persistence | Refresh from Trusted Sources Obtain software and data employed during system component and service refreshes from the following trusted sources: [Assignment: organization-defined trusted sources]. CM0031 CM0036 CM0005 NA YES
2 Non-persistence | Non-persistent Information (a) [Selection: Refresh [Assignment: organization-defined information] [Assignment: organization-defined frequency] ; Generate [Assignment: organization-defined information] on demand]; and (b) Delete information when no longer needed. CM0031 CM0036 CM0005 NA NA
3 Non-persistence | Non-persistent Connectivity Establish connections to the system on demand and terminate connections after [Selection: completion of a request; a period of non-use]. CM0031 CM0036 CM0005 YES YES
SI-15 Information Output Filtering Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: [Assignment: organization-defined software programs and/or applications]. NA NA
SI-16 Memory Protection Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. CM0005 CM0032 CM0045 YES YES
SI-17 Fail-safe Procedures Implement the indicated fail-safe procedures when the indicated failures occur: [Assignment: organization-defined list of failure conditions and associated fail-safe procedures]. CM0032 CM0042 CM0044 CM0038 YES YES
SI-18 Personally Identifiable Information Quality Operations a. Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and b. Correct or delete inaccurate or outdated personally identifiable information. NA NA
1 Personally Identifiable Information Quality Operations | Automation Support Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using [Assignment: organization-defined automated mechanisms]. NA NA
2 Personally Identifiable Information Quality Operations | Data Tags Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems. NA NA
3 Personally Identifiable Information Quality Operations | Collection Collect personally identifiable information directly from the individual. NA NA
4 Personally Identifiable Information Quality Operations | Individual Requests Correct or delete personally identifiable information upon request by individuals or their designated representatives. NA NA
5 Personally Identifiable Information Quality Operations | Notice of Correction or Deletion Notify [Assignment: organization-defined recipients of personally identifiable information] and individuals that the personally identifiable information has been corrected or deleted. NA NA
SI-19 De-identification a. Remove the following elements of personally identifiable information from datasets: [Assignment: organization-defined elements of personally identifiable information]; and b. Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification. NA NA
1 De-identification | Collection De-identify the dataset upon collection by not collecting personally identifiable information. CM0002 CM0050 CM0005 NA NA
2 De-identification | Archiving Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived. CM0002 CM0050 CM0005 NA NA
3 De-identification | Release Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release. CM0002 CM0050 CM0005 NA NA
4 De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers Remove, mask, encrypt, hash, or replace direct identifiers in a dataset. CM0002 CM0050 CM0005 NA NA
5 De-identification | Statistical Disclosure Control Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis. CM0002 CM0050 CM0005 NA NA
6 De-identification | Differential Privacy Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported. CM0002 CM0050 CM0005 NA NA
7 De-identification | Validated Algorithms and Software Perform de-identification using validated algorithms and software that is validated to implement the algorithms. CM0002 CM0050 CM0005 NA NA
8 De-identification | Motivated Intruder Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified. CM0002 CM0050 CM0005 NA NA
SI-20 Tainting Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: [Assignment: organization-defined systems or system components]. NA NA
SI-21 Information Refresh Refresh [Assignment: organization-defined information] at [Assignment: organization-defined frequencies] or generate the information on demand and delete the information when no longer needed. CM0001 CM0005 NA YES
SI-22 Information Diversity a. Identify the following alternative sources of information for [Assignment: organization-defined essential functions and services]: [Assignment: organization-defined alternative information sources]; and b. Use an alternative information source for the execution of essential functions or services on [Assignment: organization-defined systems or system components] when the primary source of information is corrupted or unavailable. NA NA
SI-23 Information Fragmentation Based on [Assignment: organization-defined circumstances]: a. Fragment the following information: [Assignment: organization-defined information]; and b. Distribute the fragmented information across the following systems or system components: [Assignment: organization-defined systems or system components]. CM0001 NA NA
SR-1 Policy and Procedures a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and c. Review and update the current supply chain risk management: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CM0022 CM0024 CM0026 CM0027 CM0028 CM0088 CM0004 CM0005 YES YES
SR-2 Supply Chain Risk Management Plan a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services]; b. Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and c. Protect the supply chain risk management plan from unauthorized disclosure and modification. CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
1 Supply Chain Risk Management Plan | Establish SCRM Team Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
SR-3 Supply Chain Controls and Processes a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and c. Document the selected and implemented supply chain processes and controls in [Selection: security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document] ]. CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
1 Supply Chain Controls and Processes | Diverse Supply Base Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services]. CM0025 CM0026 CM0005 CM0022 CM0004 YES YES
2 Supply Chain Controls and Processes | Limitation of Harm Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [Assignment: organization-defined controls]. CM0025 CM0026 CM0005 CM0022 CM0004 YES YES
3 Supply Chain Controls and Processes | Sub-tier Flow Down Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors. CM0025 CM0026 CM0005 CM0022 CM0004 YES YES
SR-4 Provenance Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data]. CM0024 CM0025 CM0026 CM0004 CM0005 YES YES
1 Provenance | Identity Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: [Assignment: organization-defined supply chain elements, processes, and personnel associated with organization-defined systems and critical system components]. CM0024 CM0025 CM0026 CM0004 CM0005 CM0028 YES YES
2 Provenance | Track and Trace Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: [Assignment: organization-defined systems and critical system components]. CM0024 CM0025 CM0026 CM0004 CM0005 CM0028 YES YES
3 Provenance | Validate as Genuine and Not Altered Employ the following controls to validate that the system or system component received is genuine and has not been altered: [Assignment: organization-defined controls]. CM0024 CM0025 CM0026 CM0004 CM0005 CM0028 YES YES
4 Provenance | Supply Chain Integrity — Pedigree Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services. CM0024 CM0025 CM0026 CM0004 CM0005 CM0028 YES YES
SR-5 Acquisition Strategies, Tools, and Methods Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
1 Acquisition Strategies, Tools, and Methods | Adequate Supply Employ the following controls to ensure an adequate supply of [Assignment: organization-defined critical system components]: [Assignment: organization-defined controls]. CM0022 CM0025 CM0026 CM0005 CM0024 CM0027 CM0028 CM0004 YES YES
2 Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update Assess the system, system component, or system service prior to selection, acceptance, modification, or update. CM0022 CM0025 CM0026 CM0005 CM0024 CM0027 CM0028 CM0004 YES YES
SR-6 Supplier Assessments and Reviews Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency]. CM0025 CM0004 CM0005 YES YES
1 Supplier Assessments and Reviews | Testing and Analysis Employ [Selection (one or more): organizational analysis, independent third-party analysis, organizational testing, independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organization-defined supply chain elements, processes, and actors]. CM0024 CM0027 CM0028 CM0004 CM0018 CM0005 YES YES
SR-7 Supply Chain Operations Security Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined Operations Security (OPSEC) controls]. CM0001 CM0022 CM0004 CM0005 YES YES
SR-8 Notification Agreements Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (one or more): notification of supply chain compromises; results of assessments or audits; [Assignment: organization-defined information] ]. CM0009 CM0005 NA NA
SR-9 Tamper Resistance and Detection Implement a tamper protection program for the system, system component, or system service. CM0024 CM0028 CM0005 YES YES
1 Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle. CM0024 CM0028 CM0005 YES YES
SR-10 Inspection of Systems or Components Inspect the following systems or system components [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection] ] to detect tampering: [Assignment: organization-defined systems or system components]. CM0024 CM0028 CM0005 YES YES
SR-11 Component Authenticity a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and b. Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles] ]. CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
1 Component Authenticity | Anti-counterfeit Training Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). CM0041 CM0005 CM0052 CM0023 CM0053 CM0024 CM0028 NA NA
2 Component Authenticity | Configuration Control for Component Service and Repair Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components]. CM0041 CM0005 CM0052 CM0023 CM0053 CM0024 CM0028 NA NA
3 Component Authenticity | Anti-counterfeit Scanning Scan for counterfeit system components [Assignment: organization-defined frequency]. CM0041 CM0005 CM0052 CM0023 CM0053 CM0024 CM0028 YES YES
SR-12 Component Disposal Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. CM0001 CM0005 NA YES