NIST References

SP 800-53 Revision 5

AC - Access Control

AC-1 - Policy and Procedures

AC-2 - Account Management

AC-2(1) - Account Management | Automated System Account Management

AC-2(2) - Account Management | Automated Temporary and Emergency Account Management

AC-2(3) - Account Management | Disable Accounts

AC-2(4) - Account Management | Automated Audit Actions

AC-2(5) - Account Management | Inactivity Logout

AC-2(6) - Account Management | Dynamic Privilege Management

AC-2(7) - Account Management | Privileged User Accounts

AC-2(8) - Account Management | Dynamic Account Management

AC-2(9) - Account Management | Restrictions on Use of Shared and Group Accounts

AC-2(11) - Account Management | Usage Conditions

AC-2(12) - Account Management | Account Monitoring for Atypical Usage

AC-2(13) - Account Management | Disable Accounts for High-risk Individuals

AC-3 - Access Enforcement

AC-3(2) - Access Enforcement | Dual Authorization

AC-3(3) - Access Enforcement | Mandatory Access Control

AC-3(4) - Access Enforcement | Discretionary Access Control

AC-3(5) - Access Enforcement | Security-relevant Information

AC-3(7) - Access Enforcement | Role-based Access Control

AC-3(8) - Access Enforcement | Revocation of Access Authorizations

AC-3(9) - Access Enforcement | Controlled Release

AC-3(10) - Access Enforcement | Audited Override of Access Control Mechanisms

AC-3(11) - Access Enforcement | Restrict Access to Specific Information Types

AC-3(12) - Access Enforcement | Assert and Enforce Application Access

AC-3(13) - Access Enforcement | Attribute-based Access Control

AC-3(14) - Access Enforcement | Individual Access

AC-3(15) - Access Enforcement | Discretionary and Mandatory Access Control

AC-4 - Information Flow Enforcement

AC-4(1) - Information Flow Enforcement | Object Security and Privacy Attributes

AC-4(2) - Information Flow Enforcement | Processing Domains

AC-4(3) - Information Flow Enforcement | Dynamic Information Flow Control

AC-4(4) - Information Flow Enforcement | Flow Control of Encrypted Information

AC-4(5) - Information Flow Enforcement | Embedded Data Types

AC-4(6) - Information Flow Enforcement | Metadata

AC-4(7) - Information Flow Enforcement | One-way Flow Mechanisms

AC-4(8) - Information Flow Enforcement | Security and Privacy Policy Filters

AC-4(9) - Information Flow Enforcement | Human Reviews

AC-4(10) - Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters

AC-4(11) - Information Flow Enforcement | Configuration of Security or Privacy Policy Filters

AC-4(12) - Information Flow Enforcement | Data Type Identifiers

AC-4(13) - Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents

AC-4(14) - Information Flow Enforcement | Security or Privacy Policy Filter Constraints

AC-4(15) - Information Flow Enforcement | Detection of Unsanctioned Information

AC-4(17) - Information Flow Enforcement | Domain Authentication

AC-4(19) - Information Flow Enforcement | Validation of Metadata

AC-4(20) - Information Flow Enforcement | Approved Solutions

AC-4(21) - Information Flow Enforcement | Physical or Logical Separation of Information Flows

AC-4(22) - Information Flow Enforcement | Access Only

AC-4(23) - Information Flow Enforcement | Modify Non-releasable Information

AC-4(24) - Information Flow Enforcement | Internal Normalized Format

AC-4(25) - Information Flow Enforcement | Data Sanitization

AC-4(26) - Information Flow Enforcement | Audit Filtering Actions

AC-4(27) - Information Flow Enforcement | Redundant/independent Filtering Mechanisms

AC-4(28) - Information Flow Enforcement | Linear Filter Pipelines

AC-4(29) - Information Flow Enforcement | Filter Orchestration Engines

AC-4(30) - Information Flow Enforcement | Filter Mechanisms Using Multiple Processes

AC-4(31) - Information Flow Enforcement | Failed Content Transfer Prevention

AC-4(32) - Information Flow Enforcement | Process Requirements for Information Transfer

AC-5 - Separation of Duties

AC-6 - Least Privilege

AC-6(1) - Least Privilege | Authorize Access to Security Functions

AC-6(2) - Least Privilege | Non-privileged Access for Nonsecurity Functions

AC-6(3) - Least Privilege | Network Access to Privileged Commands

AC-6(4) - Least Privilege | Separate Processing Domains

AC-6(5) - Least Privilege | Privileged Accounts

AC-6(6) - Least Privilege | Privileged Access by Non-organizational Users

AC-6(7) - Least Privilege | Review of User Privileges

AC-6(8) - Least Privilege | Privilege Levels for Code Execution

AC-6(9) - Least Privilege | Log Use of Privileged Functions

AC-6(10) - Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions

AC-7 - Unsuccessful Logon Attempts

AC-7(2) - Unsuccessful Logon Attempts | Purge or Wipe Mobile Device

AC-7(3) - Unsuccessful Logon Attempts | Biometric Attempt Limiting

AC-7(4) - Unsuccessful Logon Attempts | Use of Alternate Authentication Factor

AC-8 - System Use Notification

AC-9 - Previous Logon Notification

AC-9(1) - Previous Logon Notification | Unsuccessful Logons

AC-9(2) - Previous Logon Notification | Successful and Unsuccessful Logons

AC-9(3) - Previous Logon Notification | Notification of Account Changes

AC-9(4) - Previous Logon Notification | Additional Logon Information

AC-10 - Concurrent Session Control

AC-11 - Device Lock

AC-11(1) - Device Lock | Pattern-hiding Displays

AC-12 - Session Termination

AC-12(1) - Session Termination | User-initiated Logouts

AC-12(2) - Session Termination | Termination Message

AC-12(3) - Session Termination | Timeout Warning Message

AC-14 - Permitted Actions Without Identification or Authentication

AC-16 - Security and Privacy Attributes

AC-16(1) - Security and Privacy Attributes | Dynamic Attribute Association

AC-16(2) - Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals

AC-16(3) - Security and Privacy Attributes | Maintenance of Attribute Associations by System

AC-16(4) - Security and Privacy Attributes | Association of Attributes by Authorized Individuals

AC-16(5) - Security and Privacy Attributes | Attribute Displays on Objects to Be Output

AC-16(6) - Security and Privacy Attributes | Maintenance of Attribute Association

AC-16(7) - Security and Privacy Attributes | Consistent Attribute Interpretation

AC-16(8) - Security and Privacy Attributes | Association Techniques and Technologies

AC-16(9) - Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms

AC-16(10) - Security and Privacy Attributes | Attribute Configuration by Authorized Individuals

AC-17 - Remote Access

AC-17(1) - Remote Access | Monitoring and Control

AC-17(2) - Remote Access | Protection of Confidentiality and Integrity Using Encryption

AC-17(3) - Remote Access | Managed Access Control Points

AC-17(4) - Remote Access | Privileged Commands and Access

AC-17(6) - Remote Access | Protection of Mechanism Information

AC-17(9) - Remote Access | Disconnect or Disable Access

AC-17(10) - Remote Access | Authenticate Remote Commands

AC-18 - Wireless Access

AC-18(1) - Wireless Access | Authentication and Encryption

AC-18(3) - Wireless Access | Disable Wireless Networking

AC-18(4) - Wireless Access | Restrict Configurations by Users

AC-18(5) - Wireless Access | Antennas and Transmission Power Levels

AC-19 - Access Control for Mobile Devices

AC-19(4) - Access Control for Mobile Devices | Restrictions for Classified Information

AC-19(5) - Access Control for Mobile Devices | Full Device or Container-based Encryption

AC-20 - Use of External Systems

AC-20(1) - Use of External Systems | Limits on Authorized Use

AC-20(2) - Use of External Systems | Portable Storage Devices — Restricted Use

AC-20(3) - Use of External Systems | Non-organizationally Owned Systems — Restricted Use

AC-20(4) - Use of External Systems | Network Accessible Storage Devices — Prohibited Use

AC-20(5) - Use of External Systems | Portable Storage Devices — Prohibited Use

AC-21 - Information Sharing

AC-21(1) - Information Sharing | Automated Decision Support

AC-21(2) - Information Sharing | Information Search and Retrieval

AC-22 - Publicly Accessible Content

AC-23 - Data Mining Protection

AC-24 - Access Control Decisions

AC-24(1) - Access Control Decisions | Transmit Access Authorization Information

AC-24(2) - Access Control Decisions | No User or Process Identity

AC-25 - Reference Monitor

AT - Awareness and Training

AT-1 - Policy and Procedures

AT-2 - Literacy Training and Awareness

AT-2(1) - Literacy Training and Awareness | Practical Exercises

AT-2(2) - Literacy Training and Awareness | Insider Threat

AT-2(3) - Literacy Training and Awareness | Social Engineering and Mining

AT-2(4) - Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior

AT-2(5) - Literacy Training and Awareness | Advanced Persistent Threat

AT-2(6) - Literacy Training and Awareness | Cyber Threat Environment

AT-3 - Role-based Training

AT-3(1) - Role-based Training | Environmental Controls

AT-3(2) - Role-based Training | Physical Security Controls

AT-3(3) - Role-based Training | Practical Exercises

AT-3(5) - Role-based Training | Processing Personally Identifiable Information

AT-4 - Training Records

AT-6 - Training Feedback

AU - Audit and Accountability

AU-1 - Policy and Procedures

AU-2 - Event Logging

AU-3 - Content of Audit Records

AU-3(1) - Content of Audit Records | Additional Audit Information

AU-3(3) - Content of Audit Records | Limit Personally Identifiable Information Elements

AU-4 - Audit Log Storage Capacity

AU-4(1) - Audit Log Storage Capacity | Transfer to Alternate Storage

AU-5 - Response to Audit Logging Process Failures

AU-5(1) - Response to Audit Logging Process Failures | Storage Capacity Warning

AU-5(2) - Response to Audit Logging Process Failures | Real-time Alerts

AU-5(3) - Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds

AU-5(4) - Response to Audit Logging Process Failures | Shutdown on Failure

AU-5(5) - Response to Audit Logging Process Failures | Alternate Audit Logging Capability

AU-6 - Audit Record Review, Analysis, and Reporting

AU-6(1) - Audit Record Review, Analysis, and Reporting | Automated Process Integration

AU-6(3) - Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories

AU-6(4) - Audit Record Review, Analysis, and Reporting | Central Review and Analysis

AU-6(5) - Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records

AU-6(6) - Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring

AU-6(7) - Audit Record Review, Analysis, and Reporting | Permitted Actions

AU-6(8) - Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands

AU-6(9) - Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources

AU-7 - Audit Record Reduction and Report Generation

AU-7(1) - Audit Record Reduction and Report Generation | Automatic Processing

AU-8 - Time Stamps

AU-9 - Protection of Audit Information

AU-9(1) - Protection of Audit Information | Hardware Write-once Media

AU-9(2) - Protection of Audit Information | Store on Separate Physical Systems or Components

AU-9(3) - Protection of Audit Information | Cryptographic Protection

AU-9(4) - Protection of Audit Information | Access by Subset of Privileged Users

AU-9(5) - Protection of Audit Information | Dual Authorization

AU-9(6) - Protection of Audit Information | Read-only Access

AU-9(7) - Protection of Audit Information | Store on Component with Different Operating System

AU-10 - Non-repudiation

AU-10(1) - Non-repudiation | Association of Identities

AU-10(2) - Non-repudiation | Validate Binding of Information Producer Identity

AU-10(3) - Non-repudiation | Chain of Custody

AU-10(4) - Non-repudiation | Validate Binding of Information Reviewer Identity

AU-11 - Audit Record Retention

AU-11(1) - Audit Record Retention | Long-term Retrieval Capability

AU-12 - Audit Record Generation

AU-12(1) - Audit Record Generation | System-wide and Time-correlated Audit Trail

AU-12(2) - Audit Record Generation | Standardized Formats

AU-12(3) - Audit Record Generation | Changes by Authorized Individuals

AU-12(4) - Audit Record Generation | Query Parameter Audits of Personally Identifiable Information

AU-13 - Monitoring for Information Disclosure

AU-13(1) - Monitoring for Information Disclosure | Use of Automated Tools

AU-13(2) - Monitoring for Information Disclosure | Review of Monitored Sites

AU-13(3) - Monitoring for Information Disclosure | Unauthorized Replication of Information

AU-14 - Session Audit

AU-14(1) - Session Audit | System Start-up

AU-14(3) - Session Audit | Remote Viewing and Listening

AU-16 - Cross-organizational Audit Logging

AU-16(1) - Cross-organizational Audit Logging | Identity Preservation

AU-16(2) - Cross-organizational Audit Logging | Sharing of Audit Information

AU-16(3) - Cross-organizational Audit Logging | Disassociability

CA - Assessment, Authorization, and Monitoring

CA-1 - Policy and Procedures

CA-2 - Control Assessments

CA-2(1) - Control Assessments | Independent Assessors

CA-2(2) - Control Assessments | Specialized Assessments

CA-2(3) - Control Assessments | Leveraging Results from External Organizations

CA-3 - Information Exchange

CA-3(6) - Information Exchange | Transfer Authorizations

CA-3(7) - Information Exchange | Transitive Information Exchanges

CA-5 - Plan of Action and Milestones

CA-5(1) - Plan of Action and Milestones | Automation Support for Accuracy and Currency

CA-6 - Authorization

CA-6(1) - Authorization | Joint Authorization — Intra-organization

CA-6(2) - Authorization | Joint Authorization — Inter-organization

CA-7 - Continuous Monitoring

CA-7(1) - Continuous Monitoring | Independent Assessment

CA-7(3) - Continuous Monitoring | Trend Analyses

CA-7(4) - Continuous Monitoring | Risk Monitoring

CA-7(5) - Continuous Monitoring | Consistency Analysis

CA-7(6) - Continuous Monitoring | Automation Support for Monitoring

CA-8 - Penetration Testing

CA-8(1) - Penetration Testing | Independent Penetration Testing Agent or Team

CA-8(2) - Penetration Testing | Red Team Exercises

CA-8(3) - Penetration Testing | Facility Penetration Testing

CA-9 - Internal System Connections

CA-9(1) - Internal System Connections | Compliance Checks

CM - Configuration Management

CM-1 - Policy and Procedures

CM-2 - Baseline Configuration

CM-2(2) - Baseline Configuration | Automation Support for Accuracy and Currency

CM-2(3) - Baseline Configuration | Retention of Previous Configurations

CM-2(6) - Baseline Configuration | Development and Test Environments

CM-2(7) - Baseline Configuration | Configure Systems and Components for High-risk Areas

CM-3 - Configuration Change Control

CM-3(1) - Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes

CM-3(2) - Configuration Change Control | Testing, Validation, and Documentation of Changes

CM-3(3) - Configuration Change Control | Automated Change Implementation

CM-3(4) - Configuration Change Control | Security and Privacy Representatives

CM-3(5) - Configuration Change Control | Automated Security Response

CM-3(6) - Configuration Change Control | Cryptography Management

CM-3(7) - Configuration Change Control | Review System Changes

CM-3(8) - Configuration Change Control | Prevent or Restrict Configuration Changes

CM-4 - Impact Analyses

CM-4(1) - Impact Analyses | Separate Test Environments

CM-4(2) - Impact Analyses | Verification of Controls

CM-5 - Access Restrictions for Change

CM-5(1) - Access Restrictions for Change | Automated Access Enforcement and Audit Records

CM-5(4) - Access Restrictions for Change | Dual Authorization

CM-5(5) - Access Restrictions for Change | Privilege Limitation for Production and Operation

CM-5(6) - Access Restrictions for Change | Limit Library Privileges

CM-6 - Configuration Settings

CM-6(1) - Configuration Settings | Automated Management, Application, and Verification

CM-6(2) - Configuration Settings | Respond to Unauthorized Changes

CM-7 - Least Functionality

CM-7(1) - Least Functionality | Periodic Review

CM-7(2) - Least Functionality | Prevent Program Execution

CM-7(3) - Least Functionality | Registration Compliance

CM-7(4) - Least Functionality | Unauthorized Software

CM-7(5) - Least Functionality | Authorized Software

CM-7(6) - Least Functionality | Confined Environments with Limited Privileges

CM-7(7) - Least Functionality | Code Execution in Protected Environments

CM-7(8) - Least Functionality | Binary or Machine Executable Code

CM-7(9) - Least Functionality | Prohibiting The Use of Unauthorized Hardware

CM-8 - System Component Inventory

CM-8(1) - System Component Inventory | Updates During Installation and Removal

CM-8(2) - System Component Inventory | Automated Maintenance

CM-8(3) - System Component Inventory | Automated Unauthorized Component Detection

CM-8(4) - System Component Inventory | Accountability Information

CM-8(6) - System Component Inventory | Assessed Configurations and Approved Deviations

CM-8(7) - System Component Inventory | Centralized Repository

CM-8(8) - System Component Inventory | Automated Location Tracking

CM-8(9) - System Component Inventory | Assignment of Components to Systems

CM-9 - Configuration Management Plan

CM-9(1) - Configuration Management Plan | Assignment of Responsibility

CM-10 - Software Usage Restrictions

CM-10(1) - Software Usage Restrictions | Open-source Software

CM-11 - User-installed Software

CM-11(2) - User-installed Software | Software Installation with Privileged Status

CM-11(3) - User-installed Software | Automated Enforcement and Monitoring

CM-12 - Information Location

CM-12(1) - Information Location | Automated Tools to Support Information Location

CM-13 - Data Action Mapping

CM-14 - Signed Components

CP - Contingency Planning

CP-1 - Policy and Procedures

CP-2 - Contingency Plan

CP-2(1) - Contingency Plan | Coordinate with Related Plans

CP-2(2) - Contingency Plan | Capacity Planning

CP-2(3) - Contingency Plan | Resume Mission and Business Functions

CP-2(5) - Contingency Plan | Continue Mission and Business Functions

CP-2(6) - Contingency Plan | Alternate Processing and Storage Sites

CP-2(7) - Contingency Plan | Coordinate with External Service Providers

CP-2(8) - Contingency Plan | Identify Critical Assets

CP-3 - Contingency Training

CP-3(1) - Contingency Training | Simulated Events

CP-3(2) - Contingency Training | Mechanisms Used in Training Environments

CP-4 - Contingency Plan Testing

CP-4(1) - Contingency Plan Testing | Coordinate with Related Plans

CP-4(2) - Contingency Plan Testing | Alternate Processing Site

CP-4(3) - Contingency Plan Testing | Automated Testing

CP-4(4) - Contingency Plan Testing | Full Recovery and Reconstitution

CP-4(5) - Contingency Plan Testing | Self-challenge

CP-6 - Alternate Storage Site

CP-6(1) - Alternate Storage Site | Separation from Primary Site

CP-6(2) - Alternate Storage Site | Recovery Time and Recovery Point Objectives

CP-6(3) - Alternate Storage Site | Accessibility

CP-7 - Alternate Processing Site

CP-7(1) - Alternate Processing Site | Separation from Primary Site

CP-7(2) - Alternate Processing Site | Accessibility

CP-7(3) - Alternate Processing Site | Priority of Service

CP-7(4) - Alternate Processing Site | Preparation for Use

CP-7(6) - Alternate Processing Site | Inability to Return to Primary Site

CP-8 - Telecommunications Services

CP-8(1) - Telecommunications Services | Priority of Service Provisions

CP-8(2) - Telecommunications Services | Single Points of Failure

CP-8(3) - Telecommunications Services | Separation of Primary and Alternate Providers

CP-8(4) - Telecommunications Services | Provider Contingency Plan

CP-8(5) - Telecommunications Services | Alternate Telecommunication Service Testing

CP-9 - System Backup

CP-9(1) - System Backup | Testing for Reliability and Integrity

CP-9(2) - System Backup | Test Restoration Using Sampling

CP-9(3) - System Backup | Separate Storage for Critical Information

CP-9(5) - System Backup | Transfer to Alternate Storage Site

CP-9(6) - System Backup | Redundant Secondary System

CP-9(7) - System Backup | Dual Authorization

CP-9(8) - System Backup | Cryptographic Protection

CP-10 - System Recovery and Reconstitution

CP-10(2) - System Recovery and Reconstitution | Transaction Recovery

CP-10(4) - System Recovery and Reconstitution | Restore Within Time Period

CP-10(6) - System Recovery and Reconstitution | Component Protection

CP-11 - Alternate Communications Protocols

CP-12 - Safe Mode

CP-13 - Alternative Security Mechanisms

IA - Identification and Authentication

IA-1 - Policy and Procedures

IA-2 - Identification and Authentication (organizational Users)

IA-2(1) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts

IA-2(2) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts

IA-2(5) - Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication

IA-2(6) - Identification and Authentication (organizational Users) | Access to Accounts — Separate Device

IA-2(8) - Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant

IA-2(10) - Identification and Authentication (organizational Users) | Single Sign-on

IA-2(12) - Identification and Authentication (organizational Users) | Acceptance of PIV Credentials

IA-2(13) - Identification and Authentication (organizational Users) | Out-of-band Authentication

IA-3 - Device Identification and Authentication

IA-3(1) - Device Identification and Authentication | Cryptographic Bidirectional Authentication

IA-3(3) - Device Identification and Authentication | Dynamic Address Allocation

IA-3(4) - Device Identification and Authentication | Device Attestation

IA-4 - Identifier Management

IA-4(1) - Identifier Management | Prohibit Account Identifiers as Public Identifiers

IA-4(4) - Identifier Management | Identify User Status

IA-4(5) - Identifier Management | Dynamic Management

IA-4(6) - Identifier Management | Cross-organization Management

IA-4(8) - Identifier Management | Pairwise Pseudonymous Identifiers

IA-4(9) - Identifier Management | Attribute Maintenance and Protection

IA-5 - Authenticator Management

IA-5(1) - Authenticator Management | Password-based Authentication

IA-5(2) - Authenticator Management | Public Key-based Authentication

IA-5(5) - Authenticator Management | Change Authenticators Prior to Delivery

IA-5(6) - Authenticator Management | Protection of Authenticators

IA-5(7) - Authenticator Management | No Embedded Unencrypted Static Authenticators

IA-5(8) - Authenticator Management | Multiple System Accounts

IA-5(9) - Authenticator Management | Federated Credential Management

IA-5(10) - Authenticator Management | Dynamic Credential Binding

IA-5(12) - Authenticator Management | Biometric Authentication Performance

IA-5(13) - Authenticator Management | Expiration of Cached Authenticators

IA-5(14) - Authenticator Management | Managing Content of PKI Trust Stores

IA-5(15) - Authenticator Management | Gsa-approved Products and Services

IA-5(16) - Authenticator Management | In-person or Trusted External Party Authenticator Issuance

IA-5(17) - Authenticator Management | Presentation Attack Detection for Biometric Authenticators

IA-5(18) - Authenticator Management | Password Managers

IA-6 - Authentication Feedback

IA-7 - Cryptographic Module Authentication

IA-8 - Identification and Authentication (non-organizational Users)

IA-8(1) - Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies

IA-8(2) - Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators

IA-8(4) - Identification and Authentication (non-organizational Users) | Use of Defined Profiles

IA-8(5) - Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials

IA-8(6) - Identification and Authentication (non-organizational Users) | Disassociability

IA-9 - Service Identification and Authentication

IA-10 - Adaptive Authentication

IA-11 - Re-authentication

IA-12 - Identity Proofing

IA-12(1) - Identity Proofing | Supervisor Authorization

IA-12(2) - Identity Proofing | Identity Evidence

IA-12(3) - Identity Proofing | Identity Evidence Validation and Verification

IA-12(4) - Identity Proofing | In-person Validation and Verification

IA-12(5) - Identity Proofing | Address Confirmation

IA-12(6) - Identity Proofing | Accept Externally-proofed Identities

IR - Incident Response

IR-1 - Policy and Procedures

IR-2 - Incident Response Training

IR-2(1) - Incident Response Training | Simulated Events

IR-2(2) - Incident Response Training | Automated Training Environments

IR-2(3) - Incident Response Training | Breach

IR-3 - Incident Response Testing

IR-3(1) - Incident Response Testing | Automated Testing

IR-3(2) - Incident Response Testing | Coordination with Related Plans

IR-3(3) - Incident Response Testing | Continuous Improvement

IR-4 - Incident Handling

IR-4(1) - Incident Handling | Automated Incident Handling Processes

IR-4(2) - Incident Handling | Dynamic Reconfiguration

IR-4(3) - Incident Handling | Continuity of Operations

IR-4(4) - Incident Handling | Information Correlation

IR-4(5) - Incident Handling | Automatic Disabling of System

IR-4(6) - Incident Handling | Insider Threats

IR-4(7) - Incident Handling | Insider Threats — Intra-organization Coordination

IR-4(8) - Incident Handling | Correlation with External Organizations

IR-4(9) - Incident Handling | Dynamic Response Capability

IR-4(10) - Incident Handling | Supply Chain Coordination

IR-4(11) - Incident Handling | Integrated Incident Response Team

IR-4(12) - Incident Handling | Malicious Code and Forensic Analysis

IR-4(13) - Incident Handling | Behavior Analysis

IR-4(14) - Incident Handling | Security Operations Center

IR-4(15) - Incident Handling | Public Relations and Reputation Repair

IR-5 - Incident Monitoring

IR-5(1) - Incident Monitoring | Automated Tracking, Data Collection, and Analysis

IR-6 - Incident Reporting

IR-6(1) - Incident Reporting | Automated Reporting

IR-6(2) - Incident Reporting | Vulnerabilities Related to Incidents

IR-6(3) - Incident Reporting | Supply Chain Coordination

IR-7 - Incident Response Assistance

IR-7(1) - Incident Response Assistance | Automation Support for Availability of Information and Support

IR-7(2) - Incident Response Assistance | Coordination with External Providers

IR-8 - Incident Response Plan

IR-8(1) - Incident Response Plan | Breaches

IR-9 - Information Spillage Response

IR-9(2) - Information Spillage Response | Training

IR-9(3) - Information Spillage Response | Post-spill Operations

IR-9(4) - Information Spillage Response | Exposure to Unauthorized Personnel

MA - Maintenance

MA-1 - Policy and Procedures

MA-2 - Controlled Maintenance

MA-2(2) - Controlled Maintenance | Automated Maintenance Activities

MA-3 - Maintenance Tools

MA-3(1) - Maintenance Tools | Inspect Tools

MA-3(2) - Maintenance Tools | Inspect Media

MA-3(3) - Maintenance Tools | Prevent Unauthorized Removal

MA-3(4) - Maintenance Tools | Restricted Tool Use

MA-3(5) - Maintenance Tools | Execution with Privilege

MA-3(6) - Maintenance Tools | Software Updates and Patches

MA-4 - Nonlocal Maintenance

MA-4(1) - Nonlocal Maintenance | Logging and Review

MA-4(3) - Nonlocal Maintenance | Comparable Security and Sanitization

MA-4(4) - Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions

MA-4(5) - Nonlocal Maintenance | Approvals and Notifications

MA-4(6) - Nonlocal Maintenance | Cryptographic Protection

MA-4(7) - Nonlocal Maintenance | Disconnect Verification

MA-5 - Maintenance Personnel

MA-5(1) - Maintenance Personnel | Individuals Without Appropriate Access

MA-5(2) - Maintenance Personnel | Security Clearances for Classified Systems

MA-5(3) - Maintenance Personnel | Citizenship Requirements for Classified Systems

MA-5(4) - Maintenance Personnel | Foreign Nationals

MA-5(5) - Maintenance Personnel | Non-system Maintenance

MA-6 - Timely Maintenance

MA-6(1) - Timely Maintenance | Preventive Maintenance

MA-6(2) - Timely Maintenance | Predictive Maintenance

MA-6(3) - Timely Maintenance | Automated Support for Predictive Maintenance

MA-7 - Field Maintenance

MP - Media Protection

MP-1 - Policy and Procedures

MP-2 - Media Access

MP-3 - Media Marking

MP-4 - Media Storage

MP-4(2) - Media Storage | Automated Restricted Access

MP-5 - Media Transport

MP-5(3) - Media Transport | Custodians

MP-6 - Media Sanitization

MP-6(1) - Media Sanitization | Review, Approve, Track, Document, and Verify

MP-6(2) - Media Sanitization | Equipment Testing

MP-6(3) - Media Sanitization | Nondestructive Techniques

MP-6(7) - Media Sanitization | Dual Authorization

MP-6(8) - Media Sanitization | Remote Purging or Wiping of Information

MP-7 - Media Use

MP-7(2) - Media Use | Prohibit Use of Sanitization-resistant Media

MP-8 - Media Downgrading

MP-8(1) - Media Downgrading | Documentation of Process

MP-8(2) - Media Downgrading | Equipment Testing

MP-8(3) - Media Downgrading | Controlled Unclassified Information

MP-8(4) - Media Downgrading | Classified Information

PE - Physical and Environmental Protection

PE-1 - Policy and Procedures

PE-2 - Physical Access Authorizations

PE-2(1) - Physical Access Authorizations | Access by Position or Role

PE-2(2) - Physical Access Authorizations | Two Forms of Identification

PE-2(3) - Physical Access Authorizations | Restrict Unescorted Access

PE-3 - Physical Access Control

PE-3(1) - Physical Access Control | System Access

PE-3(2) - Physical Access Control | Facility and Systems

PE-3(3) - Physical Access Control | Continuous Guards

PE-3(4) - Physical Access Control | Lockable Casings

PE-3(5) - Physical Access Control | Tamper Protection

PE-3(7) - Physical Access Control | Physical Barriers

PE-3(8) - Physical Access Control | Access Control Vestibules

PE-4 - Access Control for Transmission

PE-5 - Access Control for Output Devices

PE-5(2) - Access Control for Output Devices | Link to Individual Identity

PE-6 - Monitoring Physical Access

PE-6(1) - Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment

PE-6(2) - Monitoring Physical Access | Automated Intrusion Recognition and Responses

PE-6(3) - Monitoring Physical Access | Video Surveillance

PE-6(4) - Monitoring Physical Access | Monitoring Physical Access to Systems

PE-8 - Visitor Access Records

PE-8(1) - Visitor Access Records | Automated Records Maintenance and Review

PE-8(3) - Visitor Access Records | Limit Personally Identifiable Information Elements

PE-9 - Power Equipment and Cabling

PE-9(1) - Power Equipment and Cabling | Redundant Cabling

PE-9(2) - Power Equipment and Cabling | Automatic Voltage Controls

PE-10 - Emergency Shutoff

PE-11 - Emergency Power

PE-11(1) - Emergency Power | Alternate Power Supply — Minimal Operational Capability

PE-11(2) - Emergency Power | Alternate Power Supply — Self-contained

PE-12 - Emergency Lighting

PE-12(1) - Emergency Lighting | Essential Mission and Business Functions

PE-13 - Fire Protection

PE-13(1) - Fire Protection | Detection Systems – Automatic Activation and Notification

PE-13(2) - Fire Protection | Suppression Systems – Automatic Activation and Notification

PE-13(4) - Fire Protection | Inspections

PE-14 - Environmental Controls

PE-14(1) - Environmental Controls | Automatic Controls

PE-14(2) - Environmental Controls | Monitoring with Alarms and Notifications

PE-15 - Water Damage Protection

PE-15(1) - Water Damage Protection | Automation Support

PE-16 - Delivery and Removal

PE-17 - Alternate Work Site

PE-18 - Location of System Components

PE-19 - Information Leakage

PE-19(1) - Information Leakage | National Emissions and Tempest Policies and Procedures

PE-20 - Asset Monitoring and Tracking

PE-21 - Electromagnetic Pulse Protection

PE-22 - Component Marking

PE-23 - Facility Location

PL - Planning

PL-1 - Policy and Procedures

PL-2 - System Security and Privacy Plans

PL-4 - Rules of Behavior

PL-4(1) - Rules of Behavior | Social Media and External Site/application Usage Restrictions

PL-7 - Concept of Operations

PL-8 - Security and Privacy Architectures

PL-8(1) - Security and Privacy Architectures | Defense in Depth

PL-8(2) - Security and Privacy Architectures | Supplier Diversity

PL-9 - Central Management

PL-10 - Baseline Selection

PL-11 - Baseline Tailoring

PM - Program Management

PM-1 - Information Security Program Plan

PM-2 - Information Security Program Leadership Role

PM-3 - Information Security and Privacy Resources

PM-4 - Plan of Action and Milestones Process

PM-5 - System Inventory

PM-5(1) - System Inventory | Inventory of Personally Identifiable Information

PM-6 - Measures of Performance

PM-7 - Enterprise Architecture

PM-7(1) - Enterprise Architecture | Offloading

PM-8 - Critical Infrastructure Plan

PM-9 - Risk Management Strategy

PM-10 - Authorization Process

PM-11 - Mission and Business Process Definition

PM-12 - Insider Threat Program

PM-13 - Security and Privacy Workforce

PM-14 - Testing, Training, and Monitoring

PM-15 - Security and Privacy Groups and Associations

PM-16 - Threat Awareness Program

PM-16(1) - Threat Awareness Program | Automated Means for Sharing Threat Intelligence

PM-17 - Protecting Controlled Unclassified Information on External Systems

PM-18 - Privacy Program Plan

PM-19 - Privacy Program Leadership Role

PM-20 - Dissemination of Privacy Program Information

PM-20(1) - Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services

PM-21 - Accounting of Disclosures

PM-22 - Personally Identifiable Information Quality Management

PM-23 - Data Governance Body

PM-24 - Data Integrity Board

PM-25 - Minimization of Personally Identifiable Information Used in Testing, Training, and Research

PM-26 - Complaint Management

PM-27 - Privacy Reporting

PM-28 - Risk Framing

PM-29 - Risk Management Program Leadership Roles

PM-30 - Supply Chain Risk Management Strategy

PM-30(1) - Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items

PM-31 - Continuous Monitoring Strategy

PM-32 - Purposing

PS - Personnel Security

PS-1 - Policy and Procedures

PS-2 - Position Risk Designation

PS-3 - Personnel Screening

PS-3(1) - Personnel Screening | Classified Information

PS-3(2) - Personnel Screening | Formal Indoctrination

PS-3(3) - Personnel Screening | Information with Special Protective Measures

PS-3(4) - Personnel Screening | Citizenship Requirements

PS-4 - Personnel Termination

PS-4(1) - Personnel Termination | Post-employment Requirements

PS-4(2) - Personnel Termination | Automated Actions

PS-5 - Personnel Transfer

PS-6 - Access Agreements

PS-6(2) - Access Agreements | Classified Information Requiring Special Protection

PS-6(3) - Access Agreements | Post-employment Requirements

PS-7 - External Personnel Security

PS-8 - Personnel Sanctions

PS-9 - Position Descriptions

PT - Personally Identifiable Information Processing and Transparency

PT-1 - Policy and Procedures

PT-2 - Authority to Process Personally Identifiable Information

PT-2(1) - Authority to Process Personally Identifiable Information | Data Tagging

PT-2(2) - Authority to Process Personally Identifiable Information | Automation

PT-3 - Personally Identifiable Information Processing Purposes

PT-3(1) - Personally Identifiable Information Processing Purposes | Data Tagging

PT-3(2) - Personally Identifiable Information Processing Purposes | Automation

PT-4 - Consent

PT-4(1) - Consent | Tailored Consent

PT-4(2) - Consent | Just-in-time Consent

PT-4(3) - Consent | Revocation

PT-5 - Privacy Notice

PT-5(1) - Privacy Notice | Just-in-time Notice

PT-5(2) - Privacy Notice | Privacy Act Statements

PT-6 - System of Records Notice

PT-6(1) - System of Records Notice | Routine Uses

PT-6(2) - System of Records Notice | Exemption Rules

PT-7 - Specific Categories of Personally Identifiable Information

PT-7(1) - Specific Categories of Personally Identifiable Information | Social Security Numbers

PT-7(2) - Specific Categories of Personally Identifiable Information | First Amendment Information

PT-8 - Computer Matching Requirements

RA - Risk Assessment

RA-1 - Policy and Procedures

RA-2 - Security Categorization

RA-2(1) - Security Categorization | Impact-level Prioritization

RA-3 - Risk Assessment

RA-3(1) - Risk Assessment | Supply Chain Risk Assessment

RA-3(2) - Risk Assessment | Use of All-source Intelligence

RA-3(3) - Risk Assessment | Dynamic Threat Awareness

RA-3(4) - Risk Assessment | Predictive Cyber Analytics

RA-5 - Vulnerability Monitoring and Scanning

RA-5(2) - Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned

RA-5(3) - Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage

RA-5(4) - Vulnerability Monitoring and Scanning | Discoverable Information

RA-5(5) - Vulnerability Monitoring and Scanning | Privileged Access

RA-5(6) - Vulnerability Monitoring and Scanning | Automated Trend Analyses

RA-5(8) - Vulnerability Monitoring and Scanning | Review Historic Audit Logs

RA-5(10) - Vulnerability Monitoring and Scanning | Correlate Scanning Information

RA-5(11) - Vulnerability Monitoring and Scanning | Public Disclosure Program

RA-6 - Technical Surveillance Countermeasures Survey

RA-7 - Risk Response

RA-8 - Privacy Impact Assessments

RA-9 - Criticality Analysis

RA-10 - Threat Hunting

SA - System and Services Acquisition

SA-1 - Policy and Procedures

SA-2 - Allocation of Resources

SA-3 - System Development Life Cycle

SA-3(1) - System Development Life Cycle | Manage Preproduction Environment

SA-3(2) - System Development Life Cycle | Use of Live or Operational Data

SA-3(3) - System Development Life Cycle | Technology Refresh

SA-4 - Acquisition Process

SA-4(1) - Acquisition Process | Functional Properties of Controls

SA-4(2) - Acquisition Process | Design and Implementation Information for Controls

SA-4(3) - Acquisition Process | Development Methods, Techniques, and Practices

SA-4(5) - Acquisition Process | System, Component, and Service Configurations

SA-4(6) - Acquisition Process | Use of Information Assurance Products

SA-4(7) - Acquisition Process | Niap-approved Protection Profiles

SA-4(8) - Acquisition Process | Continuous Monitoring Plan for Controls

SA-4(9) - Acquisition Process | Functions, Ports, Protocols, and Services in Use

SA-4(10) - Acquisition Process | Use of Approved PIV Products

SA-4(11) - Acquisition Process | System of Records

SA-4(12) - Acquisition Process | Data Ownership

SA-5 - System Documentation

SA-8 - Security and Privacy Engineering Principles

SA-8(1) - Security and Privacy Engineering Principles | Clear Abstractions

SA-8(2) - Security and Privacy Engineering Principles | Least Common Mechanism

SA-8(3) - Security and Privacy Engineering Principles | Modularity and Layering

SA-8(4) - Security and Privacy Engineering Principles | Partially Ordered Dependencies

SA-8(5) - Security and Privacy Engineering Principles | Efficiently Mediated Access

SA-8(6) - Security and Privacy Engineering Principles | Minimized Sharing

SA-8(7) - Security and Privacy Engineering Principles | Reduced Complexity

SA-8(8) - Security and Privacy Engineering Principles | Secure Evolvability

SA-8(9) - Security and Privacy Engineering Principles | Trusted Components

SA-8(10) - Security and Privacy Engineering Principles | Hierarchical Trust

SA-8(11) - Security and Privacy Engineering Principles | Inverse Modification Threshold

SA-8(12) - Security and Privacy Engineering Principles | Hierarchical Protection

SA-8(13) - Security and Privacy Engineering Principles | Minimized Security Elements

SA-8(14) - Security and Privacy Engineering Principles | Least Privilege

SA-8(15) - Security and Privacy Engineering Principles | Predicate Permission

SA-8(16) - Security and Privacy Engineering Principles | Self-reliant Trustworthiness

SA-8(17) - Security and Privacy Engineering Principles | Secure Distributed Composition

SA-8(18) - Security and Privacy Engineering Principles | Trusted Communications Channels

SA-8(19) - Security and Privacy Engineering Principles | Continuous Protection

SA-8(20) - Security and Privacy Engineering Principles | Secure Metadata Management

SA-8(21) - Security and Privacy Engineering Principles | Self-analysis

SA-8(22) - Security and Privacy Engineering Principles | Accountability and Traceability

SA-8(23) - Security and Privacy Engineering Principles | Secure Defaults

SA-8(24) - Security and Privacy Engineering Principles | Secure Failure and Recovery

SA-8(25) - Security and Privacy Engineering Principles | Economic Security

SA-8(26) - Security and Privacy Engineering Principles | Performance Security

SA-8(27) - Security and Privacy Engineering Principles | Human Factored Security

SA-8(28) - Security and Privacy Engineering Principles | Acceptable Security

SA-8(29) - Security and Privacy Engineering Principles | Repeatable and Documented Procedures

SA-8(30) - Security and Privacy Engineering Principles | Procedural Rigor

SA-8(31) - Security and Privacy Engineering Principles | Secure System Modification

SA-8(32) - Security and Privacy Engineering Principles | Sufficient Documentation

SA-8(33) - Security and Privacy Engineering Principles | Minimization

SA-9 - External System Services

SA-9(1) - External System Services | Risk Assessments and Organizational Approvals

SA-9(2) - External System Services | Identification of Functions, Ports, Protocols, and Services

SA-9(3) - External System Services | Establish and Maintain Trust Relationship with Providers

SA-9(4) - External System Services | Consistent Interests of Consumers and Providers

SA-9(5) - External System Services | Processing, Storage, and Service Location

SA-9(6) - External System Services | Organization-controlled Cryptographic Keys

SA-9(7) - External System Services | Organization-controlled Integrity Checking

SA-9(8) - External System Services | Processing and Storage Location — U.s. Jurisdiction

SA-10 - Developer Configuration Management

SA-10(1) - Developer Configuration Management | Software and Firmware Integrity Verification

SA-10(2) - Developer Configuration Management | Alternative Configuration Management

SA-10(3) - Developer Configuration Management | Hardware Integrity Verification

SA-10(4) - Developer Configuration Management | Trusted Generation

SA-10(5) - Developer Configuration Management | Mapping Integrity for Version Control

SA-10(6) - Developer Configuration Management | Trusted Distribution

SA-10(7) - Developer Configuration Management | Security and Privacy Representatives

SA-11 - Developer Testing and Evaluation

SA-11(1) - Developer Testing and Evaluation | Static Code Analysis

SA-11(2) - Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses

SA-11(3) - Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence

SA-11(4) - Developer Testing and Evaluation | Manual Code Reviews

SA-11(5) - Developer Testing and Evaluation | Penetration Testing

SA-11(6) - Developer Testing and Evaluation | Attack Surface Reviews

SA-11(7) - Developer Testing and Evaluation | Verify Scope of Testing and Evaluation

SA-11(8) - Developer Testing and Evaluation | Dynamic Code Analysis

SA-11(9) - Developer Testing and Evaluation | Interactive Application Security Testing

SA-15 - Development Process, Standards, and Tools

SA-15(1) - Development Process, Standards, and Tools | Quality Metrics

SA-15(2) - Development Process, Standards, and Tools | Security and Privacy Tracking Tools

SA-15(3) - Development Process, Standards, and Tools | Criticality Analysis

SA-15(5) - Development Process, Standards, and Tools | Attack Surface Reduction

SA-15(6) - Development Process, Standards, and Tools | Continuous Improvement

SA-15(7) - Development Process, Standards, and Tools | Automated Vulnerability Analysis

SA-15(8) - Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information

SA-15(10) - Development Process, Standards, and Tools | Incident Response Plan

SA-15(11) - Development Process, Standards, and Tools | Archive System or Component

SA-15(12) - Development Process, Standards, and Tools | Minimize Personally Identifiable Information

SA-16 - Developer-provided Training

SA-17 - Developer Security and Privacy Architecture and Design

SA-17(1) - Developer Security and Privacy Architecture and Design | Formal Policy Model

SA-17(2) - Developer Security and Privacy Architecture and Design | Security-relevant Components

SA-17(3) - Developer Security and Privacy Architecture and Design | Formal Correspondence

SA-17(4) - Developer Security and Privacy Architecture and Design | Informal Correspondence

SA-17(5) - Developer Security and Privacy Architecture and Design | Conceptually Simple Design

SA-17(6) - Developer Security and Privacy Architecture and Design | Structure for Testing

SA-17(7) - Developer Security and Privacy Architecture and Design | Structure for Least Privilege

SA-17(8) - Developer Security and Privacy Architecture and Design | Orchestration

SA-17(9) - Developer Security and Privacy Architecture and Design | Design Diversity

SA-20 - Customized Development of Critical Components

SA-21 - Developer Screening

SA-22 - Unsupported System Components

SA-23 - Specialization

SC - System and Communications Protection

SC-1 - Policy and Procedures

SC-2 - Separation of System and User Functionality

SC-2(1) - Separation of System and User Functionality | Interfaces for Non-privileged Users

SC-2(2) - Separation of System and User Functionality | Disassociability

SC-3 - Security Function Isolation

SC-3(1) - Security Function Isolation | Hardware Separation

SC-3(2) - Security Function Isolation | Access and Flow Control Functions

SC-3(3) - Security Function Isolation | Minimize Nonsecurity Functionality

SC-3(4) - Security Function Isolation | Module Coupling and Cohesiveness

SC-3(5) - Security Function Isolation | Layered Structures

SC-4 - Information in Shared System Resources

SC-4(2) - Information in Shared System Resources | Multilevel or Periods Processing

SC-5 - Denial-of-service Protection

SC-5(1) - Denial-of-service Protection | Restrict Ability to Attack Other Systems

SC-5(2) - Denial-of-service Protection | Capacity, Bandwidth, and Redundancy

SC-5(3) - Denial-of-service Protection | Detection and Monitoring

SC-6 - Resource Availability

SC-7 - Boundary Protection

SC-7(3) - Boundary Protection | Access Points

SC-7(4) - Boundary Protection | External Telecommunications Services

SC-7(5) - Boundary Protection | Deny by Default — Allow by Exception

SC-7(7) - Boundary Protection | Split Tunneling for Remote Devices

SC-7(8) - Boundary Protection | Route Traffic to Authenticated Proxy Servers

SC-7(9) - Boundary Protection | Restrict Threatening Outgoing Communications Traffic

SC-7(10) - Boundary Protection | Prevent Exfiltration

SC-7(11) - Boundary Protection | Restrict Incoming Communications Traffic

SC-7(12) - Boundary Protection | Host-based Protection

SC-7(13) - Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components

SC-7(14) - Boundary Protection | Protect Against Unauthorized Physical Connections

SC-7(15) - Boundary Protection | Networked Privileged Accesses

SC-7(16) - Boundary Protection | Prevent Discovery of System Components

SC-7(17) - Boundary Protection | Automated Enforcement of Protocol Formats

SC-7(18) - Boundary Protection | Fail Secure

SC-7(19) - Boundary Protection | Block Communication from Non-organizationally Configured Hosts

SC-7(20) - Boundary Protection | Dynamic Isolation and Segregation

SC-7(21) - Boundary Protection | Isolation of System Components

SC-7(22) - Boundary Protection | Separate Subnets for Connecting to Different Security Domains

SC-7(23) - Boundary Protection | Disable Sender Feedback on Protocol Validation Failure

SC-7(24) - Boundary Protection | Personally Identifiable Information

SC-7(25) - Boundary Protection | Unclassified National Security System Connections

SC-7(26) - Boundary Protection | Classified National Security System Connections

SC-7(27) - Boundary Protection | Unclassified Non-national Security System Connections

SC-7(28) - Boundary Protection | Connections to Public Networks

SC-7(29) - Boundary Protection | Separate Subnets to Isolate Functions

SC-8 - Transmission Confidentiality and Integrity

SC-8(1) - Transmission Confidentiality and Integrity | Cryptographic Protection

SC-8(2) - Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling

SC-8(3) - Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals

SC-8(4) - Transmission Confidentiality and Integrity | Conceal or Randomize Communications

SC-8(5) - Transmission Confidentiality and Integrity | Protected Distribution System

SC-10 - Network Disconnect

SC-11 - Trusted Path

SC-11(1) - Trusted Path | Irrefutable Communications Path

SC-12 - Cryptographic Key Establishment and Management

SC-12(1) - Cryptographic Key Establishment and Management | Availability

SC-12(2) - Cryptographic Key Establishment and Management | Symmetric Keys

SC-12(3) - Cryptographic Key Establishment and Management | Asymmetric Keys

SC-12(6) - Cryptographic Key Establishment and Management | Physical Control of Keys

SC-13 - Cryptographic Protection

SC-15 - Collaborative Computing Devices and Applications

SC-15(1) - Collaborative Computing Devices and Applications | Physical or Logical Disconnect

SC-15(3) - Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas

SC-15(4) - Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants

SC-16 - Transmission of Security and Privacy Attributes

SC-16(1) - Transmission of Security and Privacy Attributes | Integrity Verification

SC-16(2) - Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms

SC-16(3) - Transmission of Security and Privacy Attributes | Cryptographic Binding

SC-17 - Public Key Infrastructure Certificates

SC-18 - Mobile Code

SC-18(1) - Mobile Code | Identify Unacceptable Code and Take Corrective Actions

SC-18(2) - Mobile Code | Acquisition, Development, and Use

SC-18(3) - Mobile Code | Prevent Downloading and Execution

SC-18(4) - Mobile Code | Prevent Automatic Execution

SC-18(5) - Mobile Code | Allow Execution Only in Confined Environments

SC-20 - Secure Name/address Resolution Service (authoritative Source)

SC-20(2) - Secure Name/address Resolution Service (authoritative Source) | Data Origin and Integrity

SC-21 - Secure Name/address Resolution Service (recursive or Caching Resolver)

SC-22 - Architecture and Provisioning for Name/address Resolution Service

SC-23 - Session Authenticity

SC-23(1) - Session Authenticity | Invalidate Session Identifiers at Logout

SC-23(3) - Session Authenticity | Unique System-generated Session Identifiers

SC-23(5) - Session Authenticity | Allowed Certificate Authorities

SC-24 - Fail in Known State

SC-25 - Thin Nodes

SC-26 - Decoys

SC-27 - Platform-independent Applications

SC-28 - Protection of Information at Rest

SC-28(1) - Protection of Information at Rest | Cryptographic Protection

SC-28(2) - Protection of Information at Rest | Offline Storage

SC-28(3) - Protection of Information at Rest | Cryptographic Keys

SC-29 - Heterogeneity

SC-29(1) - Heterogeneity | Virtualization Techniques

SC-30 - Concealment and Misdirection

SC-30(2) - Concealment and Misdirection | Randomness

SC-30(3) - Concealment and Misdirection | Change Processing and Storage Locations

SC-30(4) - Concealment and Misdirection | Misleading Information

SC-30(5) - Concealment and Misdirection | Concealment of System Components

SC-31 - Covert Channel Analysis

SC-31(1) - Covert Channel Analysis | Test Covert Channels for Exploitability

SC-31(2) - Covert Channel Analysis | Maximum Bandwidth

SC-31(3) - Covert Channel Analysis | Measure Bandwidth in Operational Environments

SC-32 - System Partitioning

SC-32(1) - System Partitioning | Separate Physical Domains for Privileged Functions

SC-34 - Non-modifiable Executable Programs

SC-34(1) - Non-modifiable Executable Programs | No Writable Storage

SC-34(2) - Non-modifiable Executable Programs | Integrity Protection on Read-only Media

SC-35 - External Malicious Code Identification

SC-36 - Distributed Processing and Storage

SC-36(1) - Distributed Processing and Storage | Polling Techniques

SC-36(2) - Distributed Processing and Storage | Synchronization

SC-37 - Out-of-band Channels

SC-37(1) - Out-of-band Channels | Ensure Delivery and Transmission

SC-38 - Operations Security

SC-39 - Process Isolation

SC-39(1) - Process Isolation | Hardware Separation

SC-39(2) - Process Isolation | Separate Execution Domain Per Thread

SC-40 - Wireless Link Protection

SC-40(1) - Wireless Link Protection | Electromagnetic Interference

SC-40(2) - Wireless Link Protection | Reduce Detection Potential

SC-40(3) - Wireless Link Protection | Imitative or Manipulative Communications Deception

SC-40(4) - Wireless Link Protection | Signal Parameter Identification

SC-41 - Port and I/O Device Access

SC-42 - Sensor Capability and Data

SC-42(1) - Sensor Capability and Data | Reporting to Authorized Individuals or Roles

SC-42(2) - Sensor Capability and Data | Authorized Use

SC-42(4) - Sensor Capability and Data | Notice of Collection

SC-42(5) - Sensor Capability and Data | Collection Minimization

SC-43 - Usage Restrictions

SC-44 - Detonation Chambers

SC-45 - System Time Synchronization

SC-45(1) - System Time Synchronization | Synchronization with Authoritative Time Source

SC-45(2) - System Time Synchronization | Secondary Authoritative Time Source

SC-46 - Cross Domain Policy Enforcement

SC-47 - Alternate Communications Paths

SC-48 - Sensor Relocation

SC-48(1) - Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities

SC-49 - Hardware-enforced Separation and Policy Enforcement

SC-50 - Software-enforced Separation and Policy Enforcement

SC-51 - Hardware-based Protection

SI - System and Information Integrity

SI-1 - Policy and Procedures

SI-2 - Flaw Remediation

SI-2(2) - Flaw Remediation | Automated Flaw Remediation Status

SI-2(3) - Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions

SI-2(4) - Flaw Remediation | Automated Patch Management Tools

SI-2(5) - Flaw Remediation | Automatic Software and Firmware Updates

SI-2(6) - Flaw Remediation | Removal of Previous Versions of Software and Firmware

SI-3 - Malicious Code Protection

SI-3(4) - Malicious Code Protection | Updates Only by Privileged Users

SI-3(6) - Malicious Code Protection | Testing and Verification

SI-3(8) - Malicious Code Protection | Detect Unauthorized Commands

SI-3(10) - Malicious Code Protection | Malicious Code Analysis

SI-4 - System Monitoring

SI-4(1) - System Monitoring | System-wide Intrusion Detection System

SI-4(2) - System Monitoring | Automated Tools and Mechanisms for Real-time Analysis

SI-4(3) - System Monitoring | Automated Tool and Mechanism Integration

SI-4(4) - System Monitoring | Inbound and Outbound Communications Traffic

SI-4(5) - System Monitoring | System-generated Alerts

SI-4(7) - System Monitoring | Automated Response to Suspicious Events

SI-4(9) - System Monitoring | Testing of Monitoring Tools and Mechanisms

SI-4(10) - System Monitoring | Visibility of Encrypted Communications

SI-4(11) - System Monitoring | Analyze Communications Traffic Anomalies

SI-4(12) - System Monitoring | Automated Organization-generated Alerts

SI-4(13) - System Monitoring | Analyze Traffic and Event Patterns

SI-4(14) - System Monitoring | Wireless Intrusion Detection

SI-4(15) - System Monitoring | Wireless to Wireline Communications

SI-4(16) - System Monitoring | Correlate Monitoring Information

SI-4(17) - System Monitoring | Integrated Situational Awareness

SI-4(18) - System Monitoring | Analyze Traffic and Covert Exfiltration

SI-4(19) - System Monitoring | Risk for Individuals

SI-4(20) - System Monitoring | Privileged Users

SI-4(21) - System Monitoring | Probationary Periods

SI-4(22) - System Monitoring | Unauthorized Network Services

SI-4(23) - System Monitoring | Host-based Devices

SI-4(24) - System Monitoring | Indicators of Compromise

SI-4(25) - System Monitoring | Optimize Network Traffic Analysis

SI-5 - Security Alerts, Advisories, and Directives

SI-5(1) - Security Alerts, Advisories, and Directives | Automated Alerts and Advisories

SI-6 - Security and Privacy Function Verification

SI-6(2) - Security and Privacy Function Verification | Automation Support for Distributed Testing

SI-6(3) - Security and Privacy Function Verification | Report Verification Results

SI-7 - Software, Firmware, and Information Integrity

SI-7(1) - Software, Firmware, and Information Integrity | Integrity Checks

SI-7(2) - Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations

SI-7(3) - Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools

SI-7(5) - Software, Firmware, and Information Integrity | Automated Response to Integrity Violations

SI-7(6) - Software, Firmware, and Information Integrity | Cryptographic Protection

SI-7(7) - Software, Firmware, and Information Integrity | Integration of Detection and Response

SI-7(8) - Software, Firmware, and Information Integrity | Auditing Capability for Significant Events

SI-7(9) - Software, Firmware, and Information Integrity | Verify Boot Process

SI-7(10) - Software, Firmware, and Information Integrity | Protection of Boot Firmware

SI-7(12) - Software, Firmware, and Information Integrity | Integrity Verification

SI-7(15) - Software, Firmware, and Information Integrity | Code Authentication

SI-7(16) - Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision

SI-7(17) - Software, Firmware, and Information Integrity | Runtime Application Self-protection

SI-8 - Spam Protection

SI-8(2) - Spam Protection | Automatic Updates

SI-8(3) - Spam Protection | Continuous Learning Capability

SI-10 - Information Input Validation

SI-10(1) - Information Input Validation | Manual Override Capability

SI-10(2) - Information Input Validation | Review and Resolve Errors

SI-10(3) - Information Input Validation | Predictable Behavior

SI-10(4) - Information Input Validation | Timing Interactions

SI-10(5) - Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats

SI-10(6) - Information Input Validation | Injection Prevention

SI-11 - Error Handling

SI-12 - Information Management and Retention

SI-12(1) - Information Management and Retention | Limit Personally Identifiable Information Elements

SI-12(2) - Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research

SI-12(3) - Information Management and Retention | Information Disposal

SI-13 - Predictable Failure Prevention

SI-13(1) - Predictable Failure Prevention | Transferring Component Responsibilities

SI-13(3) - Predictable Failure Prevention | Manual Transfer Between Components

SI-13(4) - Predictable Failure Prevention | Standby Component Installation and Notification

SI-13(5) - Predictable Failure Prevention | Failover Capability

SI-14 - Non-persistence

SI-14(1) - Non-persistence | Refresh from Trusted Sources

SI-14(2) - Non-persistence | Non-persistent Information

SI-14(3) - Non-persistence | Non-persistent Connectivity

SI-15 - Information Output Filtering

SI-16 - Memory Protection

SI-17 - Fail-safe Procedures

SI-18 - Personally Identifiable Information Quality Operations

SI-18(1) - Personally Identifiable Information Quality Operations | Automation Support

SI-18(2) - Personally Identifiable Information Quality Operations | Data Tags

SI-18(3) - Personally Identifiable Information Quality Operations | Collection

SI-18(4) - Personally Identifiable Information Quality Operations | Individual Requests

SI-18(5) - Personally Identifiable Information Quality Operations | Notice of Correction or Deletion

SI-19 - De-identification

SI-19(1) - De-identification | Collection

SI-19(2) - De-identification | Archiving

SI-19(3) - De-identification | Release

SI-19(4) - De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers

SI-19(5) - De-identification | Statistical Disclosure Control

SI-19(6) - De-identification | Differential Privacy

SI-19(7) - De-identification | Validated Algorithms and Software

SI-19(8) - De-identification | Motivated Intruder

SI-20 - Tainting

SI-21 - Information Refresh

SI-22 - Information Diversity

SI-23 - Information Fragmentation

SR - Supply Chain Risk Management

SR-1 - Policy and Procedures

SR-2 - Supply Chain Risk Management Plan

SR-2(1) - Supply Chain Risk Management Plan | Establish Scrm Team

SR-3 - Supply Chain Controls and Processes

SR-3(1) - Supply Chain Controls and Processes | Diverse Supply Base

SR-3(2) - Supply Chain Controls and Processes | Limitation of Harm

SR-3(3) - Supply Chain Controls and Processes | Sub-tier Flow Down

SR-4 - Provenance

SR-4(1) - Provenance | Identity

SR-4(2) - Provenance | Track and Trace

SR-4(3) - Provenance | Validate as Genuine and Not Altered

SR-4(4) - Provenance | Supply Chain Integrity — Pedigree

SR-5 - Acquisition Strategies, Tools, and Methods

SR-5(1) - Acquisition Strategies, Tools, and Methods | Adequate Supply

SR-5(2) - Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update

SR-6 - Supplier Assessments and Reviews

SR-6(1) - Supplier Assessments and Reviews | Testing and Analysis

SR-7 - Supply Chain Operations Security

SR-8 - Notification Agreements

SR-9 - Tamper Resistance and Detection

SR-9(1) - Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle

SR-10 - Inspection of Systems or Components

SR-11 - Component Authenticity

SR-11(1) - Component Authenticity | Anti-counterfeit Training

SR-11(2) - Component Authenticity | Configuration Control for Component Service and Repair

SR-11(3) - Component Authenticity | Anti-counterfeit Scanning

SR-12 - Component Disposal

CA-5 - Plan of Action and Milestones

a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

ID: CA-5

Enhancements: 1

Space Segment Guidance

In a space context, a POA&M should address software or firmware fixes and potential hardware or design rework when critical vulnerabilities surface. Because on-orbit maintenance windows are limited or sometimes impossible, teams need a realistic timeline for testing patches offline (via simulation or digital twin) before attempting any upload. The POA&M should also outline contingency measures (e.g., activating redundant subsystems) if a permanent fix is not feasible. This careful scheduling helps the program office and operators mitigate risk effectively while keeping the spacecraft’s operational tempo on track.

Sample Requirements

Requirement	Rationale/Additional Guidance/Notes
In coordination with [organization], the [organization] shall prioritize and remediate flaws identified during security testing/evaluation.{CA-2,CA-5,SA-11,SI-3,SI-3(10)}
The [organization] shall implement a verifiable flaw remediation process into the developmental and operational configuration management process.{SV-SP-1,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-2,CA-5,SA-3,SA-3(1),SA-11,SI-3,SI-3(10)}	The verifiable process should also include a cross reference to mission objectives and impact statements. Understanding the flaws discovered and how they correlate to mission objectives will aid in prioritization.
The [organization] shall maintain an up-to-date Plan of Action and Milestones (POA&M) that identifies, assesses, prioritizes, and documents specific actions to be taken to correct deficiencies in the spacecraft's security posture.{CA-5}
The [organization] shall determine the vulnerabilities/weaknesses that require remediation, and coordinate the timeline for that remediation, in accordance with the analysis of the vulnerability scan report, the mission assessment of risk, and mission needs.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-5,CM-3,RA-5,RA-7,SI-3,SI-3(10)}

CA-5 - Plan of Action and Milestones

Space Segment Guidance

Informational References

ISO 27001

Countermeasures Covered by Control

Space Threats Tagged by Control

Sample Requirements

Related SPARTA Techniques and Sub-Techniques