Space Segment Control Tailorings

Building off TOR-2023-02161 Rev A, we provide the following SPARTA-linked guidance to tailor NIST SP 800-53 controls into baselines that guide cybersecurity requirements for protecting space segment capabilities. Two starting baselines are provided, representing maximum and minimum perspectives based on system impact and a threat-focused space segment risk assessment.

CNSS “Maximum” Control Tailoring

The original TOR-2023-02161 Rev A maximum control baseline was adopted by the Committee on National Security Systems (CNSS) as the basis for an updated CNSS Instruction No. 1253 Attachment 2 to Appendix F, Space Platform Overlay. The full rationale for the tailoring approach is in the original technical operating report (TOR), but authoritative tailoring guidance is now provided by the CNSS Space Platform Overlay. The new overlay also links back to the SPARTA website for additional control knowledge, such as applicable threats, implementation guidance, countermeasures/mitigations, sample specification requirements, and other helpful knowledge. To access this additional knowledge, select individual controls below or export the entire baseline after selecting the CNSS button.

For context, this maximum overlay derives from the NIST SP 800-53B baselines, which the CNSS tailored to create the CNSSI 1253 control baselines. Starting with the CNSSI 1253 High-High-High baseline, controls were further tailored through space segment threat-focused analysis: controls were removed based on specific assumptions and added based on SPARTA-defined techniques. One should interpret the overlay as a notional maximum control baseline starting point from which system security engineering can more efficiently define cybersecurity requirements before development begins. Any space National Security System should perform further tailoring based on its specific risk tolerance, system impact, and other program considerations.

Federal Civilian and Commercial “Minimum” Control Tailoring

Aerospace also presents a minimum control baseline that is based on SPARTA notional risk scores. This baseline is recommended for federal civilian executive branch and commercial capabilities that have medium criticality under SPARTA Notional Risk Scores and a desire to mitigate high (red) risk scores. Further information about this minimum baseline is provided in TOR-2023-02161 Rev A.

The table below is provided for interpreting control tailoring under the CNSS or Minimum control tailoring baselines in the context of SPARTA. Select the button for the desired baseline to filter for each control set. Control links can be selected to access the control pages that provide additional knowledge about overlay guidance, linked techniques and countermeasures, example requirements, and other details.

ID Name SPARTA Countermeasures MIN CNSS Space Platform Control Tailoring
AC-1 Policy and Procedures CM0005 NA YES
AC-2 Account Management CM0005 NA NA
1 Account Management | Automated System Account Management CM0005 CM0002 CM0055 NA NA
2 Account Management | Automated Temporary and Emergency Account Management CM0005 CM0002 CM0055 NA NA
3 Account Management | Disable Accounts CM0005 CM0002 CM0055 NA NA
4 Account Management | Automated Audit Actions CM0005 CM0002 CM0055 NA NA
5 Account Management | Inactivity Logout CM0005 CM0002 CM0055 NA NA
6 Account Management | Dynamic Privilege Management CM0005 CM0002 CM0055 NA NA
7 Account Management | Privileged User Accounts CM0005 CM0002 CM0055 NA NA
8 Account Management | Dynamic Account Management CM0005 CM0002 CM0055 NA NA
9 Account Management | Restrictions on Use of Shared and Group Accounts CM0005 CM0002 CM0055 NA NA
11 Account Management | Usage Conditions CM0005 CM0002 CM0055 NA NA
12 Account Management | Account Monitoring for Atypical Usage CM0005 CM0002 CM0055 NA NA
13 Account Management | Disable Accounts for High-risk Individuals CM0005 CM0002 CM0055 NA NA
AC-3 Access Enforcement CM0055 CM0005 NA YES
2 Access Enforcement | Dual Authorization CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 YES YES
3 Access Enforcement | Mandatory Access Control CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 NA YES
4 Access Enforcement | Discretionary Access Control CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 NA YES
5 Access Enforcement | Security-relevant Information CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 NA NA
7 Access Enforcement | Role-based Access Control CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 NA NA
8 Access Enforcement | Revocation of Access Authorizations CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 NA YES
9 Access Enforcement | Controlled Release CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 NA NA
10 Access Enforcement | Audited Override of Access Control Mechanisms CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 YES YES
11 Access Enforcement | Restrict Access to Specific Information Types CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 YES YES
12 Access Enforcement | Assert and Enforce Application Access CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 NA NA
13 Access Enforcement | Attribute-based Access Control CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 YES YES
14 Access Enforcement | Individual Access CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 NA NA
15 Access Enforcement | Discretionary and Mandatory Access Control CM0054 CM0055 CM0005 CM0002 CM0001 CM0008 CM0052 CM0049 CM0004 CM0007 CM0035 CM0039 NA NA
AC-4 Information Flow Enforcement CM0050 CM0005 CM0038 YES YES
1 Information Flow Enforcement | Object Security and Privacy Attributes CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
2 Information Flow Enforcement | Processing Domains CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 YES YES
3 Information Flow Enforcement | Dynamic Information Flow Control CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
4 Information Flow Enforcement | Flow Control of Encrypted Information CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
5 Information Flow Enforcement | Embedded Data Types CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
6 Information Flow Enforcement | Metadata CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
7 Information Flow Enforcement | One-way Flow Mechanisms CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
8 Information Flow Enforcement | Security and Privacy Policy Filters CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
9 Information Flow Enforcement | Human Reviews CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
10 Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
11 Information Flow Enforcement | Configuration of Security or Privacy Policy Filters CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
12 Information Flow Enforcement | Data Type Identifiers CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
13 Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
14 Information Flow Enforcement | Security or Privacy Policy Filter Constraints CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 YES YES
15 Information Flow Enforcement | Detection of Unsanctioned Information CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
17 Information Flow Enforcement | Domain Authentication CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
19 Information Flow Enforcement | Validation of Metadata CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
20 Information Flow Enforcement | Approved Solutions CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
21 Information Flow Enforcement | Physical or Logical Separation of Information Flows CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
22 Information Flow Enforcement | Access Only CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
23 Information Flow Enforcement | Modify Non-releasable Information CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
24 Information Flow Enforcement | Internal Normalized Format CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
25 Information Flow Enforcement | Data Sanitization CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
26 Information Flow Enforcement | Audit Filtering Actions CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
27 Information Flow Enforcement | Redundant/independent Filtering Mechanisms CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
28 Information Flow Enforcement | Linear Filter Pipelines CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
29 Information Flow Enforcement | Filter Orchestration Engines CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
30 Information Flow Enforcement | Filter Mechanisms Using Multiple Processes CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
31 Information Flow Enforcement | Failed Content Transfer Prevention CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
32 Information Flow Enforcement | Process Requirements for Information Transfer CM0039 CM0038 CM0001 CM0040 CM0050 CM0005 NA NA
AC-5 Separation of Duties NA NA
AC-6 Least Privilege CM0052 CM0039 CM0005 CM0038 YES YES
1 Least Privilege | Authorize Access to Security Functions CM0005 NA NA
2 Least Privilege | Non-privileged Access for Nonsecurity Functions CM0005 NA NA
3 Least Privilege | Network Access to Privileged Commands CM0005 NA NA
4 Least Privilege | Separate Processing Domains CM0005 NA NA
5 Least Privilege | Privileged Accounts CM0005 NA NA
6 Least Privilege | Privileged Access by Non-organizational Users CM0005 NA NA
7 Least Privilege | Review of User Privileges CM0005 NA NA
8 Least Privilege | Privilege Levels for Code Execution CM0005 NA NA
9 Least Privilege | Log Use of Privileged Functions CM0005 NA YES
10 Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions CM0005 NA NA
AC-7 Unsuccessful Logon Attempts CM0005 NA NA
2 Unsuccessful Logon Attempts | Purge or Wipe Mobile Device NA NA
3 Unsuccessful Logon Attempts | Biometric Attempt Limiting NA NA
4 Unsuccessful Logon Attempts | Use of Alternate Authentication Factor NA NA
AC-8 System Use Notification CM0005 NA NA
AC-9 Previous Logon Notification NA NA
1 Previous Logon Notification | Unsuccessful Logons NA NA
2 Previous Logon Notification | Successful and Unsuccessful Logons NA NA
3 Previous Logon Notification | Notification of Account Changes NA NA
4 Previous Logon Notification | Additional Logon Information NA NA
AC-10 Concurrent Session Control CM0005 NA NA
AC-11 Device Lock CM0005 NA NA
1 Device Lock | Pattern-hiding Displays CM0005 NA NA
AC-12 Session Termination CM0036 CM0005 YES YES
1 Session Termination | User-initiated Logouts CM0005 NA YES
2 Session Termination | Termination Message CM0005 NA YES
3 Session Termination | Timeout Warning Message CM0005 NA NA
AC-14 Permitted Actions Without Identification or Authentication CM0005 YES YES
AC-16 Security and Privacy Attributes CM0005 NA NA
1 Security and Privacy Attributes | Dynamic Attribute Association CM0005 NA NA
2 Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals CM0005 NA NA
3 Security and Privacy Attributes | Maintenance of Attribute Associations by System CM0005 NA NA
4 Security and Privacy Attributes | Association of Attributes by Authorized Individuals CM0005 NA NA
5 Security and Privacy Attributes | Attribute Displays on Objects to Be Output CM0005 NA NA
6 Security and Privacy Attributes | Maintenance of Attribute Association CM0005 NA NA
7 Security and Privacy Attributes | Consistent Attribute Interpretation CM0005 NA NA
8 Security and Privacy Attributes | Association Techniques and Technologies CM0005 NA NA
9 Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms CM0005 NA NA
10 Security and Privacy Attributes | Attribute Configuration by Authorized Individuals CM0005 NA NA
AC-17 Remote Access CM0005 YES YES
1 Remote Access | Monitoring and Control CM0002 CM0055 CM0005 CM0034 CM0031 CM0033 YES YES
2 Remote Access | Protection of Confidentiality and Integrity Using Encryption CM0002 CM0055 CM0005 CM0034 CM0031 CM0033 YES YES
3 Remote Access | Managed Access Control Points CM0002 CM0055 CM0005 CM0034 CM0031 CM0033 NA NA
4 Remote Access | Privileged Commands and Access CM0002 CM0055 CM0005 CM0034 CM0031 CM0033 NA YES
6 Remote Access | Protection of Mechanism Information CM0002 CM0055 CM0005 CM0034 CM0031 CM0033 NA YES
9 Remote Access | Disconnect or Disable Access CM0002 CM0055 CM0005 CM0034 CM0031 CM0033 NA NA
10 Remote Access | Authenticate Remote Commands CM0002 CM0055 CM0005 CM0034 CM0031 CM0033 YES YES
AC-18 Wireless Access CM0005 NA NA
1 Wireless Access | Authentication and Encryption CM0002 CM0031 CM0005 CM0029 NA NA
3 Wireless Access | Disable Wireless Networking CM0002 CM0031 CM0005 CM0029 NA NA
4 Wireless Access | Restrict Configurations by Users CM0002 CM0031 CM0005 CM0029 NA NA
5 Wireless Access | Antennas and Transmission Power Levels CM0002 CM0031 CM0005 CM0029 NA NA
AC-19 Access Control for Mobile Devices CM0005 NA NA
4 Access Control for Mobile Devices | Restrictions for Classified Information CM0005 NA NA
5 Access Control for Mobile Devices | Full Device or Container-based Encryption CM0005 NA NA
AC-20 Use of External Systems CM0005 NA YES
1 Use of External Systems | Limits on Authorized Use CM0005 CM0024 CM0026 CM0004 NA YES
2 Use of External Systems | Portable Storage Devices — Restricted Use CM0005 CM0024 CM0026 CM0004 NA NA
3 Use of External Systems | Non-organizationally Owned Systems — Restricted Use CM0005 CM0024 CM0026 CM0004 NA YES
4 Use of External Systems | Network Accessible Storage Devices — Prohibited Use CM0005 CM0024 CM0026 CM0004 NA NA
5 Use of External Systems | Portable Storage Devices — Prohibited Use CM0005 CM0024 CM0026 CM0004 NA NA
AC-21 Information Sharing CM0005 NA NA
1 Information Sharing | Automated Decision Support NA NA
2 Information Sharing | Information Search and Retrieval NA NA
AC-22 Publicly Accessible Content CM0005 NA NA
AC-23 Data Mining Protection NA NA
AC-24 Access Control Decisions NA NA
1 Access Control Decisions | Transmit Access Authorization Information NA NA
2 Access Control Decisions | No User or Process Identity NA NA
AC-25 Reference Monitor NA YES
AT-1 Policy and Procedures NA NA
AT-2 Literacy Training and Awareness CM0041 CM0052 NA NA
1 Literacy Training and Awareness | Practical Exercises CM0041 CM0052 CM0005 NA NA
2 Literacy Training and Awareness | Insider Threat CM0041 CM0052 CM0005 NA NA
3 Literacy Training and Awareness | Social Engineering and Mining CM0041 CM0052 CM0005 NA NA
4 Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior CM0041 CM0052 CM0005 NA NA
5 Literacy Training and Awareness | Advanced Persistent Threat CM0041 CM0052 CM0005 NA NA
6 Literacy Training and Awareness | Cyber Threat Environment CM0041 CM0052 CM0005 NA NA
AT-3 Role-based Training CM0041 CM0005 NA NA
1 Role-based Training | Environmental Controls CM0005 CM0041 NA NA
2 Role-based Training | Physical Security Controls CM0005 CM0041 NA NA
3 Role-based Training | Practical Exercises CM0005 CM0041 NA NA
5 Role-based Training | Processing Personally Identifiable Information CM0005 CM0041 NA NA
AT-4 Training Records CM0005 NA NA
AT-6 Training Feedback NA NA
AU-1 Policy and Procedures NA YES
AU-2 Event Logging CM0005 CM0032 YES YES
AU-3 Content of Audit Records CM0005 CM0032 YES YES
1 Content of Audit Records | Additional Audit Information CM0005 CM0034 CM0032 YES YES
3 Content of Audit Records | Limit Personally Identifiable Information Elements CM0005 CM0034 CM0032 NA NA
AU-4 Audit Log Storage Capacity CM0005 CM0032 YES YES
1 Audit Log Storage Capacity | Transfer to Alternate Storage CM0005 CM0032 YES YES
AU-5 Response to Audit Logging Process Failures CM0005 CM0032 YES YES
1 Response to Audit Logging Process Failures | Storage Capacity Warning CM0005 CM0032 NA YES
2 Response to Audit Logging Process Failures | Real-time Alerts CM0005 CM0032 YES YES
3 Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds CM0005 CM0032 NA NA
4 Response to Audit Logging Process Failures | Shutdown on Failure CM0005 CM0032 NA NA
5 Response to Audit Logging Process Failures | Alternate Audit Logging Capability CM0005 CM0032 YES YES
AU-6 Audit Record Review, Analysis, and Reporting CM0052 CM0005 YES YES
1 Audit Record Review, Analysis, and Reporting | Automated Process Integration CM0005 CM0032 YES YES
3 Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories CM0005 CM0032 NA NA
4 Audit Record Review, Analysis, and Reporting | Central Review and Analysis CM0005 CM0032 YES YES
5 Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records CM0005 CM0032 NA NA
6 Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring CM0005 CM0032 NA NA
7 Audit Record Review, Analysis, and Reporting | Permitted Actions CM0005 CM0032 NA NA
8 Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands CM0005 CM0032 NA NA
9 Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources CM0005 CM0032 NA NA
AU-7 Audit Record Reduction and Report Generation CM0052 CM0005 NA NA
1 Audit Record Reduction and Report Generation | Automatic Processing CM0005 NA NA
AU-8 Time Stamps CM0005 CM0032 YES YES
AU-9 Protection of Audit Information CM0005 CM0032 YES YES
1 Protection of Audit Information | Hardware Write-once Media CM0005 CM0032 NA NA
2 Protection of Audit Information | Store on Separate Physical Systems or Components CM0005 CM0032 YES YES
3 Protection of Audit Information | Cryptographic Protection CM0005 CM0032 YES YES
4 Protection of Audit Information | Access by Subset of Privileged Users CM0005 CM0032 NA NA
5 Protection of Audit Information | Dual Authorization CM0005 CM0032 NA YES
6 Protection of Audit Information | Read-only Access CM0005 CM0032 NA NA
7 Protection of Audit Information | Store on Component with Different Operating System CM0005 CM0032 NA NA
AU-10 Non-repudiation CM0052 CM0005 NA NA
1 Non-repudiation | Association of Identities NA NA
2 Non-repudiation | Validate Binding of Information Producer Identity NA NA
3 Non-repudiation | Chain of Custody NA NA
4 Non-repudiation | Validate Binding of Information Reviewer Identity NA NA
AU-11 Audit Record Retention CM0005 NA NA
1 Audit Record Retention | Long-term Retrieval Capability NA NA
AU-12 Audit Record Generation CM0052 CM0005 YES YES
1 Audit Record Generation | System-wide and Time-correlated Audit Trail CM0005 NA NA
2 Audit Record Generation | Standardized Formats CM0005 NA NA
3 Audit Record Generation | Changes by Authorized Individuals CM0005 NA YES
4 Audit Record Generation | Query Parameter Audits of Personally Identifiable Information CM0005 NA NA
AU-13 Monitoring for Information Disclosure CM0052 NA NA
1 Monitoring for Information Disclosure | Use of Automated Tools NA NA
2 Monitoring for Information Disclosure | Review of Monitored Sites NA NA
3 Monitoring for Information Disclosure | Unauthorized Replication of Information NA NA
AU-14 Session Audit CM0005 CM0032 NA NA
1 Session Audit | System Start-up CM0005 NA NA
3 Session Audit | Remote Viewing and Listening CM0005 NA NA
AU-16 Cross-organizational Audit Logging NA NA
1 Cross-organizational Audit Logging | Identity Preservation NA NA
2 Cross-organizational Audit Logging | Sharing of Audit Information NA NA
3 Cross-organizational Audit Logging | Disassociability NA NA
CA-1 Policy and Procedures NA YES
CA-2 Control Assessments NA YES
1 Control Assessments | Independent Assessors NA YES
2 Control Assessments | Specialized Assessments NA YES
3 Control Assessments | Leveraging Results from External Organizations NA NA
CA-3 Information Exchange CM0005 YES YES
6 Information Exchange | Transfer Authorizations CM0039 CM0005 CM0053 CM0065 CM0055 CM0038 YES YES
7 Information Exchange | Transitive Information Exchanges CM0039 CM0005 CM0053 CM0065 CM0055 CM0038 YES YES
CA-5 Plan of Action and Milestones NA YES
1 Plan of Action and Milestones | Automation Support for Accuracy and Currency NA NA
CA-6 Authorization NA YES
1 Authorization | Joint Authorization — Intra-organization NA NA
2 Authorization | Joint Authorization — Inter-organization NA NA
CA-7 Continuous Monitoring CM0052 CM0005 YES YES
1 Continuous Monitoring | Independent Assessment CM0005 CM0034 CM0032 NA YES
3 Continuous Monitoring | Trend Analyses CM0005 CM0034 CM0032 NA YES
4 Continuous Monitoring | Risk Monitoring CM0005 CM0034 CM0032 NA YES
5 Continuous Monitoring | Consistency Analysis CM0005 CM0034 CM0032 NA YES
6 Continuous Monitoring | Automation Support for Monitoring CM0005 CM0034 CM0032 YES YES
CA-8 Penetration Testing CM0008 CM0004 CM0018 CM0005 CM0053 YES YES
1 Penetration Testing | Independent Penetration Testing Agent or Team CM0028 CM0053 NA YES
2 Penetration Testing | Red Team Exercises CM0028 CM0053 NA NA
3 Penetration Testing | Facility Penetration Testing CM0028 CM0053 NA NA
CA-9 Internal System Connections CM0005 NA YES
1 Internal System Connections | Compliance Checks NA NA
CM-1 Policy and Procedures NA YES
CM-2 Baseline Configuration CM0005 YES YES
2 Baseline Configuration | Automation Support for Accuracy and Currency CM0004 CM0005 NA YES
3 Baseline Configuration | Retention of Previous Configurations CM0004 CM0005 NA NA
6 Baseline Configuration | Development and Test Environments CM0004 CM0005 NA NA
7 Baseline Configuration | Configure Systems and Components for High-risk Areas CM0004 CM0005 NA NA
CM-3 Configuration Change Control CM0005 CM0072 NA YES
1 Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes CM0005 CM0004 CM0010 CM0023 NA YES
2 Configuration Change Control | Testing, Validation, and Documentation of Changes CM0005 CM0004 CM0010 CM0023 YES YES
3 Configuration Change Control | Automated Change Implementation CM0005 CM0004 CM0010 CM0023 NA NA
4 Configuration Change Control | Security and Privacy Representatives CM0005 CM0004 CM0010 CM0023 NA YES
5 Configuration Change Control | Automated Security Response CM0005 CM0004 CM0010 CM0023 NA YES
6 Configuration Change Control | Cryptography Management CM0005 CM0004 CM0010 CM0023 NA YES
7 Configuration Change Control | Review System Changes CM0005 CM0004 CM0010 CM0023 YES YES
8 Configuration Change Control | Prevent or Restrict Configuration Changes CM0005 CM0004 CM0010 CM0023 YES YES
CM-4 Impact Analyses CM0005 YES YES
1 Impact Analyses | Separate Test Environments CM0004 CM0010 YES YES
2 Impact Analyses | Verification of Controls CM0004 CM0010 NA YES
CM-5 Access Restrictions for Change CM0023 YES YES
1 Access Restrictions for Change | Automated Access Enforcement and Audit Records CM0005 NA YES
4 Access Restrictions for Change | Dual Authorization CM0005 NA NA
5 Access Restrictions for Change | Privilege Limitation for Production and Operation CM0005 NA YES
6 Access Restrictions for Change | Limit Library Privileges CM0005 NA YES
CM-6 Configuration Settings CM0005 NA YES
1 Configuration Settings | Automated Management, Application, and Verification CM0005 NA NA
2 Configuration Settings | Respond to Unauthorized Changes CM0005 NA NA
CM-7 Least Functionality CM0039 CM0047 CM0005 YES YES
1 Least Functionality | Periodic Review CM0005 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA YES
2 Least Functionality | Prevent Program Execution CM0005 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA YES
3 Least Functionality | Registration Compliance CM0005 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA NA
4 Least Functionality | Unauthorized Software CM0005 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA NA
5 Least Functionality | Authorized Software CM0005 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 YES YES
6 Least Functionality | Confined Environments with Limited Privileges CM0005 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA NA
7 Least Functionality | Code Execution in Protected Environments CM0005 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 NA NA
8 Least Functionality | Binary or Machine Executable Code CM0005 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 YES YES
9 Least Functionality | Prohibiting the Use of Unauthorized Hardware CM0005 CM0010 CM0039 CM0047 CM0069 CM0004 CM0015 CM0024 CM0028 YES YES
CM-8 System Component Inventory CM0012 CM0005 YES YES
1 System Component Inventory | Updates During Installation and Removal CM0005 CM0012 NA YES
2 System Component Inventory | Automated Maintenance CM0005 CM0012 NA YES
3 System Component Inventory | Automated Unauthorized Component Detection CM0005 CM0012 NA YES
4 System Component Inventory | Accountability Information CM0005 CM0012 NA YES
6 System Component Inventory | Assessed Configurations and Approved Deviations CM0005 CM0012 NA NA
7 System Component Inventory | Centralized Repository CM0005 CM0012 NA NA
8 System Component Inventory | Automated Location Tracking CM0005 CM0012 NA NA
9 System Component Inventory | Assignment of Components to Systems CM0005 CM0012 NA NA
CM-9 Configuration Management Plan CM0005 NA YES
1 Configuration Management Plan | Assignment of Responsibility NA NA
CM-10 Software Usage Restrictions YES YES
1 Software Usage Restrictions | Open-source Software CM0011 CM0012 CM0013 CM0005 YES YES
CM-11 User-installed Software CM0005 NA NA
2 User-installed Software | Software Installation with Privileged Status CM0005 CM0012 CM0021 CM0023 CM0047 CM0032 NA NA
3 User-installed Software | Automated Enforcement and Monitoring CM0005 CM0012 CM0021 CM0023 CM0047 CM0032 NA NA
CM-12 Information Location CM0001 CM0005 NA YES
1 Information Location | Automated Tools to Support Information Location CM0001 CM0005 NA YES
CM-13 Data Action Mapping NA NA
CM-14 Signed Components CM0004 CM0015 CM0021 CM0005 YES YES
CP-1 Policy and Procedures NA YES
CP-2 Contingency Plan CM0005 YES YES
1 Contingency Plan | Coordinate with Related Plans CM0005 CM0044 CM0022 CM0004 YES YES
2 Contingency Plan | Capacity Planning CM0005 CM0044 CM0022 CM0004 NA YES
3 Contingency Plan | Resume Mission and Business Functions CM0005 CM0044 CM0022 CM0004 YES YES
5 Contingency Plan | Continue Mission and Business Functions CM0005 CM0044 CM0022 CM0004 YES YES
6 Contingency Plan | Alternate Processing and Storage Sites CM0005 CM0044 CM0022 CM0004 NA YES
7 Contingency Plan | Coordinate with External Service Providers CM0005 CM0044 CM0022 CM0004 YES YES
8 Contingency Plan | Identify Critical Assets CM0005 CM0044 CM0022 CM0004 YES YES
CP-3 Contingency Training NA NA
1 Contingency Training | Simulated Events CM0005 NA NA
2 Contingency Training | Mechanisms Used in Training Environments CM0005 NA NA
CP-4 Contingency Plan Testing NA YES
1 Contingency Plan Testing | Coordinate with Related Plans CM0018 CM0005 CM0042 CM0051 NA YES
2 Contingency Plan Testing | Alternate Processing Site CM0018 CM0005 CM0042 CM0051 NA YES
3 Contingency Plan Testing | Automated Testing CM0018 CM0005 CM0042 CM0051 NA NA
4 Contingency Plan Testing | Full Recovery and Reconstitution CM0018 CM0005 CM0042 CM0051 NA YES
5 Contingency Plan Testing | Self-challenge CM0018 CM0005 CM0042 CM0051 YES YES
CP-6 Alternate Storage Site NA NA
1 Alternate Storage Site | Separation from Primary Site NA NA
2 Alternate Storage Site | Recovery Time and Recovery Point Objectives NA NA
3 Alternate Storage Site | Accessibility NA NA
CP-7 Alternate Processing Site NA NA
1 Alternate Processing Site | Separation from Primary Site NA NA
2 Alternate Processing Site | Accessibility NA NA
3 Alternate Processing Site | Priority of Service NA NA
4 Alternate Processing Site | Preparation for Use NA NA
6 Alternate Processing Site | Inability to Return to Primary Site NA NA
CP-8 Telecommunications Services CM0005 CM0029 NA NA
1 Telecommunications Services | Priority of Service Provisions CM0005 CM0070 NA NA
2 Telecommunications Services | Single Points of Failure CM0005 CM0070 NA NA
3 Telecommunications Services | Separation of Primary and Alternate Providers CM0005 CM0070 NA NA
4 Telecommunications Services | Provider Contingency Plan CM0005 CM0070 NA NA
5 Telecommunications Services | Alternate Telecommunication Service Testing CM0005 CM0070 NA NA
CP-9 System Backup CM0005 CM0056 NA NA
1 System Backup | Testing for Reliability and Integrity CM0005 NA NA
2 System Backup | Test Restoration Using Sampling CM0005 NA NA
3 System Backup | Separate Storage for Critical Information CM0005 NA NA
5 System Backup | Transfer to Alternate Storage Site CM0005 NA NA
6 System Backup | Redundant Secondary System CM0005 NA NA
7 System Backup | Dual Authorization CM0005 NA NA
8 System Backup | Cryptographic Protection CM0005 NA NA
CP-10 System Recovery and Reconstitution CM0005 CM0032 CM0044 YES YES
2 System Recovery and Reconstitution | Transaction Recovery CM0005 CM0032 CM0044 NA NA
4 System Recovery and Reconstitution | Restore Within Time Period CM0005 CM0032 CM0044 YES YES
6 System Recovery and Reconstitution | Component Protection CM0005 CM0032 CM0044 YES YES
CP-11 Alternate Communications Protocols CM0072 NA NA
CP-12 Safe Mode CM0006 CM0044 YES YES
CP-13 Alternative Security Mechanisms YES YES
IA-1 Policy and Procedures NA YES
IA-2 Identification and Authentication (organizational Users) CM0005 NA NA
1 Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts CM0005 CM0065 CM0033 NA NA
2 Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts CM0005 CM0065 CM0033 NA NA
5 Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication CM0005 CM0065 CM0033 NA NA
6 Identification and Authentication (organizational Users) | Access to Accounts — Separate Device CM0005 CM0065 CM0033 NA NA
8 Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant CM0005 CM0065 CM0033 NA NA
10 Identification and Authentication (organizational Users) | Single Sign-on CM0005 CM0065 CM0033 NA NA
12 Identification and Authentication (organizational Users) | Acceptance of PIV Credentials CM0005 CM0065 CM0033 NA NA
13 Identification and Authentication (organizational Users) | Out-of-band Authentication CM0005 CM0065 CM0033 NA NA
IA-3 Device Identification and Authentication CM0033 CM0005 YES YES
1 Device Identification and Authentication | Cryptographic Bidirectional Authentication CM0031 CM0033 CM0005 YES YES
3 Device Identification and Authentication | Dynamic Address Allocation CM0031 CM0033 CM0005 NA NA
4 Device Identification and Authentication | Device Attestation CM0031 CM0033 CM0005 NA NA
IA-4 Identifier Management CM0052 CM0031 CM0033 CM0005 YES YES
1 Identifier Management | Prohibit Account Identifiers as Public Identifiers CM0002 CM0031 CM0005 CM0035 NA NA
4 Identifier Management | Identify User Status CM0002 CM0031 CM0005 CM0035 NA NA
5 Identifier Management | Dynamic Management CM0002 CM0031 CM0005 CM0035 NA NA
6 Identifier Management | Cross-organization Management CM0002 CM0031 CM0005 CM0035 NA NA
8 Identifier Management | Pairwise Pseudonymous Identifiers CM0002 CM0031 CM0005 CM0035 NA NA
9 Identifier Management | Attribute Maintenance and Protection CM0002 CM0031 CM0005 CM0035 YES YES
IA-5 Authenticator Management CM0002 CM0005 CM0035 YES YES
1 Authenticator Management | Password-based Authentication CM0005 CM0002 NA NA
2 Authenticator Management | Public Key-based Authentication CM0005 CM0002 NA NA
5 Authenticator Management | Change Authenticators Prior to Delivery CM0005 CM0002 NA NA
6 Authenticator Management | Protection of Authenticators CM0005 CM0002 NA YES
7 Authenticator Management | No Embedded Unencrypted Static Authenticators CM0005 CM0002 YES YES
8 Authenticator Management | Multiple System Accounts CM0005 CM0002 NA NA
9 Authenticator Management | Federated Credential Management CM0005 CM0002 NA NA
10 Authenticator Management | Dynamic Credential Binding CM0005 CM0002 NA NA
12 Authenticator Management | Biometric Authentication Performance CM0005 CM0002 NA NA
13 Authenticator Management | Expiration of Cached Authenticators CM0005 CM0002 NA NA
14 Authenticator Management | Managing Content of PKI Trust Stores CM0005 CM0002 NA NA
15 Authenticator Management | GSA-approved Products and Services CM0005 CM0002 NA NA
16 Authenticator Management | In-person or Trusted External Party Authenticator Issuance CM0005 CM0002 NA NA
17 Authenticator Management | Presentation Attack Detection for Biometric Authenticators CM0005 CM0002 NA NA
18 Authenticator Management | Password Managers CM0005 CM0002 NA NA
IA-6 Authentication Feedback CM0005 NA NA
IA-7 Cryptographic Module Authentication CM0002 CM0031 CM0033 CM0005 YES YES
IA-8 Identification and Authentication (non-organizational Users) CM0005 NA NA
1 Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies NA NA
2 Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators NA NA
4 Identification and Authentication (non-organizational Users) | Use of Defined Profiles NA NA
5 Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials NA NA
6 Identification and Authentication (non-organizational Users) | Disassociability NA NA
IA-9 Service Identification and Authentication NA YES
IA-10 Adaptive Authentication NA YES
IA-11 Re-authentication CM0005 NA NA
IA-12 Identity Proofing CM0052 CM0054 CM0005 NA NA
1 Identity Proofing | Supervisor Authorization CM0052 CM0054 CM0005 NA NA
2 Identity Proofing | Identity Evidence CM0052 CM0054 CM0005 NA NA
3 Identity Proofing | Identity Evidence Validation and Verification CM0052 CM0054 CM0005 NA NA
4 Identity Proofing | In-person Validation and Verification CM0052 CM0054 CM0005 NA NA
5 Identity Proofing | Address Confirmation CM0052 CM0054 CM0005 NA NA
6 Identity Proofing | Accept Externally-proofed Identities CM0052 CM0054 CM0005 NA NA
IR-1 Policy and Procedures NA YES
IR-2 Incident Response Training CM0005 NA NA
1 Incident Response Training | Simulated Events CM0005 CM0041 CM0052 NA NA
2 Incident Response Training | Automated Training Environments CM0005 CM0041 CM0052 NA NA
3 Incident Response Training | Breach CM0005 CM0041 CM0052 NA NA
IR-3 Incident Response Testing NA YES
1 Incident Response Testing | Automated Testing CM0005 NA NA
2 Incident Response Testing | Coordination with Related Plans CM0005 NA YES
3 Incident Response Testing | Continuous Improvement CM0005 NA NA
IR-4 Incident Handling CM0052 CM0005 CM0032 CM0044 YES YES
1 Incident Handling | Automated Incident Handling Processes CM0005 CM0044 CM0032 CM0052 CM0034 NA YES
2 Incident Handling | Dynamic Reconfiguration CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
3 Incident Handling | Continuity of Operations CM0005 CM0044 CM0032 CM0052 CM0034 YES YES
4 Incident Handling | Information Correlation CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
5 Incident Handling | Automatic Disabling of System CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
6 Incident Handling | Insider Threats CM0005 CM0044 CM0032 CM0052 CM0034 YES YES
7 Incident Handling | Insider Threats — Intra-organization Coordination CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
8 Incident Handling | Correlation with External Organizations CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
9 Incident Handling | Dynamic Response Capability CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
10 Incident Handling | Supply Chain Coordination CM0005 CM0044 CM0032 CM0052 CM0034 NA YES
11 Incident Handling | Integrated Incident Response Team CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
12 Incident Handling | Malicious Code and Forensic Analysis CM0005 CM0044 CM0032 CM0052 CM0034 YES YES
13 Incident Handling | Behavior Analysis CM0005 CM0044 CM0032 CM0052 CM0034 NA YES
14 Incident Handling | Security Operations Center CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
15 Incident Handling | Public Relations and Reputation Repair CM0005 CM0044 CM0032 CM0052 CM0034 NA NA
IR-5 Incident Monitoring CM0005 CM0032 CM0068 YES YES
1 Incident Monitoring | Automated Tracking, Data Collection, and Analysis CM0005 CM0032 CM0068 YES YES
IR-6 Incident Reporting CM0005 NA YES
1 Incident Reporting | Automated Reporting CM0005 NA NA
2 Incident Reporting | Vulnerabilities Related to Incidents CM0005 NA YES
3 Incident Reporting | Supply Chain Coordination CM0005 NA NA
IR-7 Incident Response Assistance CM0005 NA NA
1 Incident Response Assistance | Automation Support for Availability of Information and Support CM0005 NA NA
2 Incident Response Assistance | Coordination with External Providers CM0005 NA NA
IR-8 Incident Response Plan NA YES
1 Incident Response Plan | Breaches NA NA
IR-9 Information Spillage Response NA NA
2 Information Spillage Response | Training NA NA
3 Information Spillage Response | Post-spill Operations NA NA
4 Information Spillage Response | Exposure to Unauthorized Personnel NA NA
MA-1 Policy and Procedures NA NA
MA-2 Controlled Maintenance CM0005 NA NA
2 Controlled Maintenance | Automated Maintenance Activities NA NA
MA-3 Maintenance Tools CM0005 NA NA
1 Maintenance Tools | Inspect Tools CM0005 NA NA
2 Maintenance Tools | Inspect Media CM0005 NA NA
3 Maintenance Tools | Prevent Unauthorized Removal CM0005 NA NA
4 Maintenance Tools | Restricted Tool Use CM0005 NA NA
5 Maintenance Tools | Execution with Privilege CM0005 NA NA
6 Maintenance Tools | Software Updates and Patches CM0005 NA NA
MA-4 Nonlocal Maintenance CM0005 NA NA
1 Nonlocal Maintenance | Logging and Review CM0005 NA NA
3 Nonlocal Maintenance | Comparable Security and Sanitization CM0005 NA NA
4 Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions CM0005 NA NA
5 Nonlocal Maintenance | Approvals and Notifications CM0005 NA NA
6 Nonlocal Maintenance | Cryptographic Protection CM0005 NA NA
7 Nonlocal Maintenance | Disconnect Verification CM0005 NA NA
MA-5 Maintenance Personnel NA NA
1 Maintenance Personnel | Individuals Without Appropriate Access CM0005 NA NA
2 Maintenance Personnel | Security Clearances for Classified Systems CM0005 NA NA
3 Maintenance Personnel | Citizenship Requirements for Classified Systems CM0005 NA NA
4 Maintenance Personnel | Foreign Nationals CM0005 NA NA
5 Maintenance Personnel | Non-system Maintenance CM0005 NA NA
MA-6 Timely Maintenance CM0005 NA NA
1 Timely Maintenance | Preventive Maintenance NA NA
2 Timely Maintenance | Predictive Maintenance NA NA
3 Timely Maintenance | Automated Support for Predictive Maintenance NA NA
MA-7 Field Maintenance CM0028 CM0052 CM0004 CM0023 CM0005 CM0037 NA NA
MP-1 Policy and Procedures NA NA
MP-2 Media Access CM0005 NA NA
MP-3 Media Marking CM0005 NA NA
MP-4 Media Storage CM0005 NA NA
2 Media Storage | Automated Restricted Access NA NA
MP-5 Media Transport CM0005 NA NA
3 Media Transport | Custodians NA NA
MP-6 Media Sanitization CM0005 NA NA
1 Media Sanitization | Review, Approve, Track, Document, and Verify CM0005 NA NA
2 Media Sanitization | Equipment Testing CM0005 NA NA
3 Media Sanitization | Nondestructive Techniques CM0005 NA NA
7 Media Sanitization | Dual Authorization CM0005 NA NA
8 Media Sanitization | Remote Purging or Wiping of Information CM0005 NA NA
MP-7 Media Use CM0052 CM0005 NA NA
2 Media Use | Prohibit Use of Sanitization-resistant Media NA NA
MP-8 Media Downgrading NA NA
1 Media Downgrading | Documentation of Process NA NA
2 Media Downgrading | Equipment Testing NA NA
3 Media Downgrading | Controlled Unclassified Information NA NA
4 Media Downgrading | Classified Information NA NA
PE-1 Policy and Procedures NA YES
PE-2 Physical Access Authorizations CM0052 CM0053 NA NA
1 Physical Access Authorizations | Access by Position or Role CM0053 NA NA
2 Physical Access Authorizations | Two Forms of Identification CM0053 NA NA
3 Physical Access Authorizations | Restrict Unescorted Access CM0053 NA NA
PE-3 Physical Access Control CM0054 CM0053 NA NA
1 Physical Access Control | System Access CM0053 CM0005 NA NA
2 Physical Access Control | Facility and Systems CM0053 CM0005 NA NA
3 Physical Access Control | Continuous Guards CM0053 CM0005 NA NA
4 Physical Access Control | Lockable Casings CM0053 CM0005 NA NA
5 Physical Access Control | Tamper Protection CM0053 CM0005 NA NA
7 Physical Access Control | Physical Barriers CM0053 CM0005 NA NA
8 Physical Access Control | Access Control Vestibules CM0053 CM0005 NA NA
PE-4 Access Control for Transmission CM0071 NA NA
PE-5 Access Control for Output Devices NA NA
2 Access Control for Output Devices | Link to Individual Identity NA NA
PE-6 Monitoring Physical Access YES YES
1 Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment NA YES
2 Monitoring Physical Access | Automated Intrusion Recognition and Responses NA YES
3 Monitoring Physical Access | Video Surveillance NA NA
4 Monitoring Physical Access | Monitoring Physical Access to Systems NA YES
PE-8 Visitor Access Records NA NA
1 Visitor Access Records | Automated Records Maintenance and Review NA NA
3 Visitor Access Records | Limit Personally Identifiable Information Elements NA NA
PE-9 Power Equipment and Cabling NA YES
1 Power Equipment and Cabling | Redundant Cabling NA NA
2 Power Equipment and Cabling | Automatic Voltage Controls NA NA
PE-10 Emergency Shutoff YES YES
PE-11 Emergency Power NA YES
1 Emergency Power | Alternate Power Supply — Minimal Operational Capability NA YES
2 Emergency Power | Alternate Power Supply — Self-contained NA NA
PE-12 Emergency Lighting NA NA
1 Emergency Lighting | Essential Mission and Business Functions NA NA
PE-13 Fire Protection NA NA
1 Fire Protection | Detection Systems – Automatic Activation and Notification NA NA
2 Fire Protection | Suppression Systems – Automatic Activation and Notification NA NA
4 Fire Protection | Inspections NA NA
PE-14 Environmental Controls NA YES
1 Environmental Controls | Automatic Controls NA NA
2 Environmental Controls | Monitoring with Alarms and Notifications NA NA
PE-15 Water Damage Protection NA NA
1 Water Damage Protection | Automation Support NA NA
PE-16 Delivery and Removal NA NA
PE-17 Alternate Work Site NA NA
PE-18 Location of System Components NA YES
PE-19 Information Leakage CM0003 CM0062 CM0057 CM0058 CM0059 CM0060 CM0061 CM0063 CM0064 NA YES
1 Information Leakage | National Emissions and TEMPEST Policies and Procedures CM0003 CM0062 CM0057 CM0058 CM0059 CM0060 CM0061 CM0063 CM0064 NA YES
PE-20 Asset Monitoring and Tracking YES YES
PE-21 Electromagnetic Pulse Protection CM0003 YES YES
PE-22 Component Marking NA NA
PE-23 Facility Location NA NA
PL-1 Policy and Procedures NA YES
PL-2 System Security and Privacy Plans NA YES
PL-4 Rules of Behavior NA NA
1 Rules of Behavior | Social Media and External Site/application Usage Restrictions NA NA
PL-7 Concept of Operations NA YES
PL-8 Security and Privacy Architectures CM0005 YES YES
1 Security and Privacy Architectures | Defense in Depth CM0005 CM0004 YES YES
2 Security and Privacy Architectures | Supplier Diversity CM0005 CM0004 YES YES
PL-9 Central Management CM0005 NA NA
PL-10 Baseline Selection CM0005 NA YES
PL-11 Baseline Tailoring CM0005 NA YES
PM-1 Information Security Program Plan NA YES
PM-2 Information Security Program Leadership Role NA NA
PM-3 Information Security and Privacy Resources NA NA
PM-4 Plan of Action and Milestones Process NA NA
PM-5 System Inventory NA NA
1 System Inventory | Inventory of Personally Identifiable Information NA NA
PM-6 Measures of Performance NA NA
PM-7 Enterprise Architecture NA NA
1 Enterprise Architecture | Offloading NA NA
PM-8 Critical Infrastructure Plan NA NA
PM-9 Risk Management Strategy NA NA
PM-10 Authorization Process NA NA
PM-11 Mission and Business Process Definition CM0001 CM0022 CM0005 YES YES
PM-12 Insider Threat Program CM0052 YES YES
PM-13 Security and Privacy Workforce NA NA
PM-14 Testing, Training, and Monitoring CM0052 YES YES
PM-15 Security and Privacy Groups and Associations NA NA
PM-16 Threat Awareness Program CM0009 YES YES
1 Threat Awareness Program | Automated Means for Sharing Threat Intelligence CM0009 CM0005 YES YES
PM-17 Protecting Controlled Unclassified Information on External Systems CM0001 CM0022 CM0005 YES YES
PM-18 Privacy Program Plan NA NA
PM-19 Privacy Program Leadership Role NA NA
PM-20 Dissemination of Privacy Program Information NA NA
1 Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services NA NA
PM-21 Accounting of Disclosures NA NA
PM-22 Personally Identifiable Information Quality Management NA NA
PM-23 Data Governance Body NA NA
PM-24 Data Integrity Board NA NA
PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research NA NA
PM-26 Complaint Management NA NA
PM-27 Privacy Reporting NA NA
PM-28 Risk Framing NA NA
PM-29 Risk Management Program Leadership Roles NA NA
PM-30 Supply Chain Risk Management Strategy CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
1 Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
PM-31 Continuous Monitoring Strategy CM0005 NA YES
PM-32 Purposing CM0022 CM0005 YES YES
PS-1 Policy and Procedures NA NA
PS-2 Position Risk Designation NA NA
PS-3 Personnel Screening CM0052 NA NA
1 Personnel Screening | Classified Information NA NA
2 Personnel Screening | Formal Indoctrination NA NA
3 Personnel Screening | Information with Special Protective Measures NA NA
4 Personnel Screening | Citizenship Requirements NA NA
PS-4 Personnel Termination CM0052 NA NA
1 Personnel Termination | Post-employment Requirements NA NA
2 Personnel Termination | Automated Actions NA NA
PS-5 Personnel Transfer CM0052 NA NA
PS-6 Access Agreements NA NA
2 Access Agreements | Classified Information Requiring Special Protection NA NA
3 Access Agreements | Post-employment Requirements NA NA
PS-7 External Personnel Security NA NA
PS-8 Personnel Sanctions CM0052 NA NA
PS-9 Position Descriptions NA NA
PT-1 Policy and Procedures NA NA
PT-2 Authority to Process Personally Identifiable Information NA NA
1 Authority to Process Personally Identifiable Information | Data Tagging NA NA
2 Authority to Process Personally Identifiable Information | Automation NA NA
PT-3 Personally Identifiable Information Processing Purposes NA NA
1 Personally Identifiable Information Processing Purposes | Data Tagging NA NA
2 Personally Identifiable Information Processing Purposes | Automation NA NA
PT-4 Consent NA NA
1 Consent | Tailored Consent NA NA
2 Consent | Just-in-time Consent NA NA
3 Consent | Revocation NA NA
PT-5 Privacy Notice NA NA
1 Privacy Notice | Just-in-time Notice NA NA
2 Privacy Notice | Privacy Act Statements NA NA
PT-6 System of Records Notice NA NA
1 System of Records Notice | Routine Uses NA NA
2 System of Records Notice | Exemption Rules NA NA
PT-7 Specific Categories of Personally Identifiable Information NA NA
1 Specific Categories of Personally Identifiable Information | Social Security Numbers NA NA
2 Specific Categories of Personally Identifiable Information | First Amendment Information NA NA
PT-8 Computer Matching Requirements NA NA
RA-1 Policy and Procedures NA YES
RA-2 Security Categorization NA YES
1 Security Categorization | Impact-level Prioritization NA NA
RA-3 Risk Assessment YES YES
1 Risk Assessment | Supply Chain Risk Assessment CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 CM0009 CM0032 YES YES
2 Risk Assessment | Use of All-source Intelligence CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 CM0009 CM0032 YES YES
3 Risk Assessment | Dynamic Threat Awareness CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 CM0009 CM0032 YES YES
4 Risk Assessment | Predictive Cyber Analytics CM0022 CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 CM0009 CM0032 YES YES
RA-5 Vulnerability Monitoring and Scanning CM0008 CM0004 CM0011 CM0013 CM0016 CM0019 CM0005 YES YES
2 Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA YES
3 Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 YES YES
4 Vulnerability Monitoring and Scanning | Discoverable Information CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA YES
5 Vulnerability Monitoring and Scanning | Privileged Access CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA YES
6 Vulnerability Monitoring and Scanning | Automated Trend Analyses CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA NA
8 Vulnerability Monitoring and Scanning | Review Historic Audit Logs CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA NA
10 Vulnerability Monitoring and Scanning | Correlate Scanning Information CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA NA
11 Vulnerability Monitoring and Scanning | Public Disclosure Program CM0004 CM0005 CM0011 CM0008 CM0012 CM0018 NA NA
RA-6 Technical Surveillance Countermeasures Survey YES YES
RA-7 Risk Response CM0005 NA YES
RA-8 Privacy Impact Assessments NA NA
RA-9 Criticality Analysis CM0022 CM0004 CM0005 YES YES
RA-10 Threat Hunting CM0009 CM0052 CM0005 CM0032 YES YES
SA-1 Policy and Procedures NA YES
SA-2 Allocation of Resources CM0005 YES YES
SA-3 System Development Life Cycle CM0004 CM0005 YES YES
1 System Development Life Cycle | Manage Preproduction Environment CM0001 CM0004 CM0005 NA YES
2 System Development Life Cycle | Use of Live or Operational Data CM0001 CM0004 CM0005 NA YES
3 System Development Life Cycle | Technology Refresh CM0001 CM0004 CM0005 NA NA
SA-4 Acquisition Process CM0005 NA YES
1 Acquisition Process | Functional Properties of Controls CM0005 CM0004 CM0001 NA YES
2 Acquisition Process | Design and Implementation Information for Controls CM0005 CM0004 CM0001 NA YES
3 Acquisition Process | Development Methods, Techniques, and Practices CM0005 CM0004 CM0001 NA YES
5 Acquisition Process | System, Component, and Service Configurations CM0005 CM0004 CM0001 YES YES
6 Acquisition Process | Use of Information Assurance Products CM0005 CM0004 CM0001 NA NA
7 Acquisition Process | NIAP-approved Protection Profiles CM0005 CM0004 CM0001 NA NA
8 Acquisition Process | Continuous Monitoring Plan for Controls CM0005 CM0004 CM0001 NA NA
9 Acquisition Process | Functions, Ports, Protocols, and Services in Use CM0005 CM0004 CM0001 YES YES
10 Acquisition Process | Use of Approved PIV Products CM0005 CM0004 CM0001 NA NA
11 Acquisition Process | System of Records CM0005 CM0004 CM0001 NA NA
12 Acquisition Process | Data Ownership CM0005 CM0004 CM0001 NA YES
SA-5 System Documentation CM0001 CM0008 CM0007 CM0005 YES YES
SA-8 Security and Privacy Engineering Principles CM0005 YES YES
1 Security and Privacy Engineering Principles | Clear Abstractions CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA NA
2 Security and Privacy Engineering Principles | Least Common Mechanism CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
3 Security and Privacy Engineering Principles | Modularity and Layering CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES NA
4 Security and Privacy Engineering Principles | Partially Ordered Dependencies CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES NA
5 Security and Privacy Engineering Principles | Efficiently Mediated Access CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
6 Security and Privacy Engineering Principles | Minimized Sharing CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
7 Security and Privacy Engineering Principles | Reduced Complexity CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
8 Security and Privacy Engineering Principles | Secure Evolvability CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
9 Security and Privacy Engineering Principles | Trusted Components CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES YES
10 Security and Privacy Engineering Principles | Hierarchical Trust CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES YES
11 Security and Privacy Engineering Principles | Inverse Modification Threshold CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
12 Security and Privacy Engineering Principles | Hierarchical Protection CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES YES
13 Security and Privacy Engineering Principles | Minimized Security Elements CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES YES
14 Security and Privacy Engineering Principles | Least Privilege CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES YES
15 Security and Privacy Engineering Principles | Predicate Permission CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES YES
16 Security and Privacy Engineering Principles | Self-reliant Trustworthiness CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
17 Security and Privacy Engineering Principles | Secure Distributed Composition CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA NA
18 Security and Privacy Engineering Principles | Trusted Communications Channels CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES YES
19 Security and Privacy Engineering Principles | Continuous Protection CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
20 Security and Privacy Engineering Principles | Secure Metadata Management CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA NA
21 Security and Privacy Engineering Principles | Self-analysis CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES YES
22 Security and Privacy Engineering Principles | Accountability and Traceability CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES YES
23 Security and Privacy Engineering Principles | Secure Defaults CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES YES
24 Security and Privacy Engineering Principles | Secure Failure and Recovery CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 YES YES
25 Security and Privacy Engineering Principles | Economic Security CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
26 Security and Privacy Engineering Principles | Performance Security CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
27 Security and Privacy Engineering Principles | Human Factored Security CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA NA
28 Security and Privacy Engineering Principles | Acceptable Security CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA NA
29 Security and Privacy Engineering Principles | Repeatable and Documented Procedures CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
30 Security and Privacy Engineering Principles | Procedural Rigor CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
31 Security and Privacy Engineering Principles | Secure System Modification CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA YES
32 Security and Privacy Engineering Principles | Sufficient Documentation CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA NA
33 Security and Privacy Engineering Principles | Minimization CM0031 CM0050 CM0013 CM0039 CM0005 CM0038 CM0002 CM0032 CM0044 CM0042 NA NA
SA-9 External System Services CM0005 YES YES
1 External System Services | Risk Assessments and Organizational Approvals CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
2 External System Services | Identification of Functions, Ports, Protocols, and Services CM0005 CM0002 CM0030 CM0050 CM0001 NA YES
3 External System Services | Establish and Maintain Trust Relationship with Providers CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
4 External System Services | Consistent Interests of Consumers and Providers CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
5 External System Services | Processing, Storage, and Service Location CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
6 External System Services | Organization-controlled Cryptographic Keys CM0005 CM0002 CM0030 CM0050 CM0001 YES YES
7 External System Services | Organization-controlled Integrity Checking CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
8 External System Services | Processing and Storage Location — U.S. Jurisdiction CM0005 CM0002 CM0030 CM0050 CM0001 NA NA
SA-10 Developer Configuration Management CM0004 CM0023 CM0005 YES YES
1 Developer Configuration Management | Software and Firmware Integrity Verification CM0021 CM0005 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 CM0012 CM0015 CM0023 YES YES
2 Developer Configuration Management | Alternative Configuration Management CM0021 CM0005 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 CM0012 CM0015 CM0023 NA YES
3 Developer Configuration Management | Hardware Integrity Verification CM0021 CM0005 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 CM0012 CM0015 CM0023 YES YES
4 Developer Configuration Management | Trusted Generation CM0021 CM0005 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 CM0012 CM0015 CM0023 YES YES
5 Developer Configuration Management | Mapping Integrity for Version Control CM0021 CM0005 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 CM0012 CM0015 CM0023 NA NA
6 Developer Configuration Management | Trusted Distribution CM0021 CM0005 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 CM0012 CM0015 CM0023 NA NA
7 Developer Configuration Management | Security and Privacy Representatives CM0021 CM0005 CM0024 CM0027 CM0028 CM0026 CM0004 CM0010 CM0012 CM0015 CM0023 YES YES
SA-11 Developer Testing and Evaluation CM0004 CM0005 YES YES
1 Developer Testing and Evaluation | Static Code Analysis CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0018 YES YES
2 Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0018 YES YES
3 Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0018 NA YES
4 Developer Testing and Evaluation | Manual Code Reviews CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0018 YES YES
5 Developer Testing and Evaluation | Penetration Testing CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0018 YES YES
6 Developer Testing and Evaluation | Attack Surface Reviews CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0018 YES YES
7 Developer Testing and Evaluation | Verify Scope of Testing and Evaluation CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0018 NA YES
8 Developer Testing and Evaluation | Dynamic Code Analysis CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0018 YES YES
9 Developer Testing and Evaluation | Interactive Application Security Testing CM0004 CM0016 CM0019 CM0020 CM0005 CM0008 CM0018 YES YES
SA-15 Development Process, Standards, and Tools CM0004 CM0017 CM0005 YES YES
1 Development Process, Standards, and Tools | Quality Metrics CM0022 CM0004 CM0005 CM0011 CM0016 CM0019 CM0020 NA NA
2 Development Process, Standards, and Tools | Security and Privacy Tracking Tools CM0022 CM0004 CM0005 CM0011 CM0016 CM0019 CM0020 NA NA
3 Development Process, Standards, and Tools | Criticality Analysis CM0022 CM0004 CM0005 CM0011 CM0016 CM0019 CM0020 YES YES
5 Development Process, Standards, and Tools | Attack Surface Reduction CM0022 CM0004 CM0005 CM0011 CM0016 CM0019 CM0020 NA YES
6 Development Process, Standards, and Tools | Continuous Improvement CM0022 CM0004 CM0005 CM0011 CM0016 CM0019 CM0020 NA NA
7 Development Process, Standards, and Tools | Automated Vulnerability Analysis CM0022 CM0004 CM0005 CM0011 CM0016 CM0019 CM0020 YES YES
8 Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information CM0022 CM0004 CM0005 CM0011 CM0016 CM0019 CM0020 YES YES
10 Development Process, Standards, and Tools | Incident Response Plan CM0022 CM0004 CM0005 CM0011 CM0016 CM0019 CM0020 NA NA
11 Development Process, Standards, and Tools | Archive System or Component CM0022 CM0004 CM0005 CM0011 CM0016 CM0019 CM0020 NA NA
12 Development Process, Standards, and Tools | Minimize Personally Identifiable Information CM0022 CM0004 CM0005 CM0011 CM0016 CM0019 CM0020 NA NA
SA-16 Developer-provided Training NA NA
SA-17 Developer Security and Privacy Architecture and Design CM0005 YES YES
1 Developer Security and Privacy Architecture and Design | Formal Policy Model CM0039 NA NA
2 Developer Security and Privacy Architecture and Design | Security-relevant Components CM0039 NA NA
3 Developer Security and Privacy Architecture and Design | Formal Correspondence CM0039 NA NA
4 Developer Security and Privacy Architecture and Design | Informal Correspondence CM0039 NA NA
5 Developer Security and Privacy Architecture and Design | Conceptually Simple Design CM0039 NA NA
6 Developer Security and Privacy Architecture and Design | Structure for Testing CM0039 NA NA
7 Developer Security and Privacy Architecture and Design | Structure for Least Privilege CM0039 YES YES
8 Developer Security and Privacy Architecture and Design | Orchestration CM0039 NA NA
9 Developer Security and Privacy Architecture and Design | Design Diversity CM0039 NA NA
SA-20 Customized Development of Critical Components NA NA
SA-21 Developer Screening NA NA
SA-22 Unsupported System Components CM0005 NA NA
SA-23 Specialization NA NA
SC-1 Policy and Procedures NA YES
SC-2 Separation of System and User Functionality CM0005 NA YES
1 Separation of System and User Functionality | Interfaces for Non-privileged Users CM0040 CM0018 CM0039 CM0005 CM0038 NA NA
2 Separation of System and User Functionality | Disassociability CM0040 CM0018 CM0039 CM0005 CM0038 YES YES
SC-3 Security Function Isolation CM0005 CM0038 YES YES
1 Security Function Isolation | Hardware Separation NA NA
2 Security Function Isolation | Access and Flow Control Functions NA NA
3 Security Function Isolation | Minimize Nonsecurity Functionality NA NA
4 Security Function Isolation | Module Coupling and Cohesiveness NA YES
5 Security Function Isolation | Layered Structures NA NA
SC-4 Information in Shared System Resources CM0040 CM0005 CM0038 YES YES
2 Information in Shared System Resources | Multilevel or Periods Processing NA NA
SC-5 Denial-of-service Protection CM0005 CM0032 CM0042 CM0044 CM0029 YES YES
1 Denial-of-service Protection | Restrict Ability to Attack Other Systems CM0005 CM0032 NA YES
2 Denial-of-service Protection | Capacity, Bandwidth, and Redundancy CM0005 CM0032 NA YES
3 Denial-of-service Protection | Detection and Monitoring CM0005 CM0032 YES YES
SC-6 Resource Availability CM0038 YES YES
SC-7 Boundary Protection CM0052 CM0002 CM0033 CM0055 CM0005 CM0034 YES YES
3 Boundary Protection | Access Points CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
4 Boundary Protection | External Telecommunications Services CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
5 Boundary Protection | Deny by Default — Allow by Exception CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
7 Boundary Protection | Split Tunneling for Remote Devices CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
8 Boundary Protection | Route Traffic to Authenticated Proxy Servers CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
9 Boundary Protection | Restrict Threatening Outgoing Communications Traffic CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
10 Boundary Protection | Prevent Exfiltration CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
11 Boundary Protection | Restrict Incoming Communications Traffic CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
12 Boundary Protection | Host-based Protection CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
13 Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
14 Boundary Protection | Protect Against Unauthorized Physical Connections CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA YES
15 Boundary Protection | Networked Privileged Accesses CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
16 Boundary Protection | Prevent Discovery of System Components CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
17 Boundary Protection | Automated Enforcement of Protocol Formats CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
18 Boundary Protection | Fail Secure CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
19 Boundary Protection | Block Communication from Non-organizationally Configured Hosts CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
20 Boundary Protection | Dynamic Isolation and Segregation CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
21 Boundary Protection | Isolation of System Components CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
22 Boundary Protection | Separate Subnets for Connecting to Different Security Domains CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
23 Boundary Protection | Disable Sender Feedback on Protocol Validation Failure CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
24 Boundary Protection | Personally Identifiable Information CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
25 Boundary Protection | Unclassified National Security System Connections CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
26 Boundary Protection | Classified National Security System Connections CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
27 Boundary Protection | Unclassified Non-national Security System Connections CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
28 Boundary Protection | Connections to Public Networks CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 NA NA
29 Boundary Protection | Separate Subnets to Isolate Functions CM0005 CM0002 CM0038 CM0032 CM0031 CM0033 CM0037 CM0022 CM0040 CM0018 CM0039 YES YES
SC-8 Transmission Confidentiality and Integrity CM0049 CM0005 CM0006 CM0071 YES YES
1 Transmission Confidentiality and Integrity | Cryptographic Protection CM0005 CM0049 CM0029 CM0053 CM0071 YES YES
2 Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling CM0005 CM0049 CM0029 CM0053 CM0071 NA YES
3 Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals CM0005 CM0049 CM0029 CM0053 CM0071 YES YES
4 Transmission Confidentiality and Integrity | Conceal or Randomize Communications CM0005 CM0049 CM0029 CM0053 CM0071 YES YES
5 Transmission Confidentiality and Integrity | Protected Distribution System CM0005 CM0049 CM0029 CM0053 CM0071 NA NA
SC-10 Network Disconnect CM0002 CM0036 CM0005 YES YES
SC-11 Trusted Path NA NA
1 Trusted Path | Irrefutable Communications Path NA NA
SC-12 Cryptographic Key Establishment and Management CM0002 CM0030 CM0005 YES YES
1 Cryptographic Key Establishment and Management | Availability CM0002 CM0030 CM0005 CM0053 YES YES
2 Cryptographic Key Establishment and Management | Symmetric Keys CM0002 CM0030 CM0005 CM0053 NA NA
3 Cryptographic Key Establishment and Management | Asymmetric Keys CM0002 CM0030 CM0005 CM0053 YES YES
6 Cryptographic Key Establishment and Management | Physical Control of Keys CM0002 CM0030 CM0005 CM0053 NA NA
SC-13 Cryptographic Protection CM0002 CM0033 CM0050 CM0005 CM0006 YES YES
SC-15 Collaborative Computing Devices and Applications CM0005 NA NA
1 Collaborative Computing Devices and Applications | Physical or Logical Disconnect NA NA
3 Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas NA NA
4 Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants NA NA
SC-16 Transmission of Security and Privacy Attributes YES YES
1 Transmission of Security and Privacy Attributes | Integrity Verification CM0031 CM0050 CM0005 CM0032 CM0042 CM0044 CM0048 CM0002 CM0038 NA YES
2 Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms CM0031 CM0050 CM0005 CM0032 CM0042 CM0044 CM0048 CM0002 CM0038 YES YES
3 Transmission of Security and Privacy Attributes | Cryptographic Binding CM0031 CM0050 CM0005 CM0032 CM0042 CM0044 CM0048 CM0002 CM0038 YES YES
SC-17 Public Key Infrastructure Certificates NA NA
SC-18 Mobile Code NA NA
1 Mobile Code | Identify Unacceptable Code and Take Corrective Actions CM0005 NA NA
2 Mobile Code | Acquisition, Development, and Use CM0005 NA NA
3 Mobile Code | Prevent Downloading and Execution CM0005 NA NA
4 Mobile Code | Prevent Automatic Execution CM0005 NA NA
5 Mobile Code | Allow Execution Only in Confined Environments CM0005 NA NA
SC-20 Secure Name/Address Resolution Service (Authoritative Source) CM0005 NA NA
2 Secure Name/Address Resolution Service (Authoritative Source) | Data Origin and Integrity NA NA
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) CM0005 NA NA
SC-22 Architecture and Provisioning for Name/Address Resolution Service CM0005 NA NA
SC-23 Session Authenticity CM0033 CM0005 YES YES
1 Session Authenticity | Invalidate Session Identifiers at Logout CM0005 NA YES
3 Session Authenticity | Unique System-generated Session Identifiers CM0005 NA YES
5 Session Authenticity | Allowed Certificate Authorities CM0005 NA NA
SC-24 Fail in Known State CM0005 CM0006 CM0042 CM0044 YES YES
SC-25 Thin Nodes NA NA
SC-26 Decoys NA NA
SC-27 Platform-independent Applications NA NA
SC-28 Protection of Information at Rest CM0049 CM0005 NA YES
1 Protection of Information at Rest | Cryptographic Protection CM0002 CM0049 CM0005 CM0030 YES YES
2 Protection of Information at Rest | Offline Storage CM0002 CM0049 CM0005 CM0030 NA NA
3 Protection of Information at Rest | Cryptographic Keys CM0002 CM0049 CM0005 CM0030 YES YES
SC-29 Heterogeneity NA NA
1 Heterogeneity | Virtualization Techniques NA NA
SC-30 Concealment and Misdirection NA YES
2 Concealment and Misdirection | Randomness NA NA
3 Concealment and Misdirection | Change Processing and Storage Locations NA NA
4 Concealment and Misdirection | Misleading Information NA NA
5 Concealment and Misdirection | Concealment of System Components NA YES
SC-31 Covert Channel Analysis NA NA
1 Covert Channel Analysis | Test Covert Channels for Exploitability NA NA
2 Covert Channel Analysis | Maximum Bandwidth NA NA
3 Covert Channel Analysis | Measure Bandwidth in Operational Environments NA NA
SC-32 System Partitioning NA YES
1 System Partitioning | Separate Physical Domains for Privileged Functions CM0022 CM0031 CM0040 CM0039 CM0032 CM0038 YES YES
SC-34 Non-modifiable Executable Programs NA NA
1 Non-modifiable Executable Programs | No Writable Storage NA NA
2 Non-modifiable Executable Programs | Integrity Protection on Read-only Media NA NA
SC-35 External Malicious Code Identification NA NA
SC-36 Distributed Processing and Storage NA NA
1 Distributed Processing and Storage | Polling Techniques NA NA
2 Distributed Processing and Storage | Synchronization NA NA
SC-37 Out-of-band Channels NA NA
1 Out-of-band Channels | Ensure Delivery and Transmission NA NA
SC-38 Operations Security CM0052 CM0004 CM0005 YES YES
SC-39 Process Isolation CM0005 CM0038 YES YES
1 Process Isolation | Hardware Separation NA NA
2 Process Isolation | Separate Execution Domain Per Thread NA NA
SC-40 Wireless Link Protection CM0029 YES YES
1 Wireless Link Protection | Electromagnetic Interference CM0029 YES YES
2 Wireless Link Protection | Reduce Detection Potential CM0029 NA NA
3 Wireless Link Protection | Imitative or Manipulative Communications Deception CM0029 YES YES
4 Wireless Link Protection | Signal Parameter Identification CM0029 YES YES
SC-41 Port and I/O Device Access CM0037 NA YES
SC-42 Sensor Capability and Data NA NA
1 Sensor Capability and Data | Reporting to Authorized Individuals or Roles NA NA
2 Sensor Capability and Data | Authorized Use NA NA
4 Sensor Capability and Data | Notice of Collection NA NA
5 Sensor Capability and Data | Collection Minimization NA NA
SC-43 Usage Restrictions NA NA
SC-44 Detonation Chambers NA NA
SC-45 System Time Synchronization CM0005 CM0048 YES YES
1 System Time Synchronization | Synchronization with Authoritative Time Source CM0005 CM0048 YES YES
2 System Time Synchronization | Secondary Authoritative Time Source CM0005 CM0048 YES YES
SC-46 Cross Domain Policy Enforcement NA NA
SC-47 Alternate Communications Paths CM0070 NA YES
SC-48 Sensor Relocation NA NA
1 Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities NA NA
SC-49 Hardware-enforced Separation and Policy Enforcement CM0040 CM0039 CM0005 CM0038 NA NA
SC-50 Software-enforced Separation and Policy Enforcement CM0040 CM0039 CM0005 CM0038 NA NA
SC-51 Hardware-based Protection CM0028 CM0005 CM0053 CM0014 YES YES
SI-1 Policy and Procedures NA YES
SI-2 Flaw Remediation CM0004 CM0010 CM0005 CM0072 YES YES
2 Flaw Remediation | Automated Flaw Remediation Status CM0005 CM0004 NA NA
3 Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions CM0005 CM0004 NA NA
4 Flaw Remediation | Automated Patch Management Tools CM0005 CM0004 NA NA
5 Flaw Remediation | Automatic Software and Firmware Updates CM0005 CM0004 NA NA
6 Flaw Remediation | Removal of Previous Versions of Software and Firmware CM0005 CM0004 YES YES
SI-3 Malicious Code Protection CM0027 CM0011 CM0018 CM0005 CM0032 YES YES
4 Malicious Code Protection | Updates Only by Privileged Users CM0002 CM0033 CM0047 CM0055 CM0034 CM0032 CM0043 CM0005 NA NA
6 Malicious Code Protection | Testing and Verification CM0002 CM0033 CM0047 CM0055 CM0034 CM0032 CM0043 CM0005 NA NA
8 Malicious Code Protection | Detect Unauthorized Commands CM0002 CM0033 CM0047 CM0055 CM0034 CM0032 CM0043 CM0005 YES YES
10 Malicious Code Protection | Malicious Code Analysis CM0002 CM0033 CM0047 CM0055 CM0034 CM0032 CM0043 CM0005 NA YES
SI-4 System Monitoring CM0052 CM0005 CM0032 CM0066 CM0067 CM0068 YES YES
1 System Monitoring | System-wide Intrusion Detection System CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 YES YES
2 System Monitoring | Automated Tools and Mechanisms for Real-time Analysis CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 YES YES
3 System Monitoring | Automated Tool and Mechanism Integration CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA NA
4 System Monitoring | Inbound and Outbound Communications Traffic CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 YES YES
5 System Monitoring | System-generated Alerts CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 YES YES
7 System Monitoring | Automated Response to Suspicious Events CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA YES
9 System Monitoring | Testing of Monitoring Tools and Mechanisms CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA NA
10 System Monitoring | Visibility of Encrypted Communications CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 YES YES
11 System Monitoring | Analyze Communications Traffic Anomalies CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 YES YES
12 System Monitoring | Automated Organization-generated Alerts CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA YES
13 System Monitoring | Analyze Traffic and Event Patterns CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 YES YES
14 System Monitoring | Wireless Intrusion Detection CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA NA
15 System Monitoring | Wireless to Wireline Communications CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA NA
16 System Monitoring | Correlate Monitoring Information CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 YES YES
17 System Monitoring | Integrated Situational Awareness CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA NA
18 System Monitoring | Analyze Traffic and Covert Exfiltration CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA NA
19 System Monitoring | Risk for Individuals CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA NA
20 System Monitoring | Privileged Users CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA NA
21 System Monitoring | Probationary Periods CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA NA
22 System Monitoring | Unauthorized Network Services CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA NA
23 System Monitoring | Host-based Devices CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 NA NA
24 System Monitoring | Indicators of Compromise CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 YES YES
25 System Monitoring | Optimize Network Traffic Analysis CM0005 CM0032 CM0066 CM0067 CM0068 CM0050 CM0073 CM0051 YES YES
SI-5 Security Alerts, Advisories, and Directives CM0005 NA NA
1 Security Alerts, Advisories, and Directives | Automated Alerts and Advisories CM0005 NA NA
SI-6 Security and Privacy Function Verification CM0005 CM0032 YES YES
2 Security and Privacy Function Verification | Automation Support for Distributed Testing NA NA
3 Security and Privacy Function Verification | Report Verification Results NA NA
SI-7 Software, Firmware, and Information Integrity CM0049 CM0021 CM0005 YES YES
1 Software, Firmware, and Information Integrity | Integrity Checks CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 NA YES
2 Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 NA YES
3 Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 NA NA
5 Software, Firmware, and Information Integrity | Automated Response to Integrity Violations CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 NA YES
6 Software, Firmware, and Information Integrity | Cryptographic Protection CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 NA YES
7 Software, Firmware, and Information Integrity | Integration of Detection and Response CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 NA YES
8 Software, Firmware, and Information Integrity | Auditing Capability for Significant Events CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 YES YES
9 Software, Firmware, and Information Integrity | Verify Boot Process CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 YES YES
10 Software, Firmware, and Information Integrity | Protection of Boot Firmware CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 NA YES
12 Software, Firmware, and Information Integrity | Integrity Verification CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 YES YES
15 Software, Firmware, and Information Integrity | Code Authentication CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 YES YES
16 Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 NA NA
17 Software, Firmware, and Information Integrity | Runtime Application Self-protection CM0049 CM0005 CM0032 CM0014 CM0021 CM0044 YES YES
SI-8 Spam Protection NA NA
2 Spam Protection | Automatic Updates NA NA
3 Spam Protection | Continuous Learning Capability NA NA
SI-10 Information Input Validation CM0002 CM0033 CM0005 CM0043 YES YES
1 Information Input Validation | Manual Override Capability CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 NA NA
2 Information Input Validation | Review and Resolve Errors CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 NA NA
3 Information Input Validation | Predictable Behavior CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 YES YES
4 Information Input Validation | Timing Interactions CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 NA NA
5 Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 YES YES
6 Information Input Validation | Injection Prevention CM0002 CM0005 CM0043 CM0033 CM0069 CM0032 YES YES
SI-11 Error Handling CM0005 CM0044 YES YES
SI-12 Information Management and Retention NA YES
1 Information Management and Retention | Limit Personally Identifiable Information Elements NA NA
2 Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research NA NA
3 Information Management and Retention | Information Disposal NA NA
SI-13 Predictable Failure Prevention CM0042 CM0051 YES YES
1 Predictable Failure Prevention | Transferring Component Responsibilities NA NA
3 Predictable Failure Prevention | Manual Transfer Between Components NA NA
4 Predictable Failure Prevention | Standby Component Installation and Notification NA YES
5 Predictable Failure Prevention | Failover Capability NA NA
SI-14 Non-persistence NA YES
1 Non-persistence | Refresh from Trusted Sources CM0031 CM0036 CM0005 NA YES
2 Non-persistence | Non-persistent Information CM0031 CM0036 CM0005 NA NA
3 Non-persistence | Non-persistent Connectivity CM0031 CM0036 CM0005 YES YES
SI-15 Information Output Filtering NA NA
SI-16 Memory Protection CM0005 CM0032 CM0045 YES YES
SI-17 Fail-safe Procedures CM0032 CM0042 CM0044 CM0038 YES YES
SI-18 Personally Identifiable Information Quality Operations NA NA
1 Personally Identifiable Information Quality Operations | Automation Support NA NA
2 Personally Identifiable Information Quality Operations | Data Tags NA NA
3 Personally Identifiable Information Quality Operations | Collection NA NA
4 Personally Identifiable Information Quality Operations | Individual Requests NA NA
5 Personally Identifiable Information Quality Operations | Notice of Correction or Deletion NA NA
SI-19 De-identification NA NA
1 De-identification | Collection CM0002 CM0050 CM0005 NA NA
2 De-identification | Archiving CM0002 CM0050 CM0005 NA NA
3 De-identification | Release CM0002 CM0050 CM0005 NA NA
4 De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers CM0002 CM0050 CM0005 NA NA
5 De-identification | Statistical Disclosure Control CM0002 CM0050 CM0005 NA NA
6 De-identification | Differential Privacy CM0002 CM0050 CM0005 NA NA
7 De-identification | Validated Algorithms and Software CM0002 CM0050 CM0005 NA NA
8 De-identification | Motivated Intruder CM0002 CM0050 CM0005 NA NA
SI-20 Tainting NA NA
SI-21 Information Refresh CM0001 CM0005 NA YES
SI-22 Information Diversity NA NA
SI-23 Information Fragmentation CM0001 NA NA
SR-1 Policy and Procedures CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
SR-2 Supply Chain Risk Management Plan CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
1 Supply Chain Risk Management Plan | Establish SCRM Team CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
SR-3 Supply Chain Controls and Processes CM0022 CM0024 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
1 Supply Chain Controls and Processes | Diverse Supply Base CM0025 CM0026 CM0005 CM0022 CM0004 YES YES
2 Supply Chain Controls and Processes | Limitation of Harm CM0025 CM0026 CM0005 CM0022 CM0004 YES YES
3 Supply Chain Controls and Processes | Sub-tier Flow Down CM0025 CM0026 CM0005 CM0022 CM0004 YES YES
SR-4 Provenance CM0024 CM0025 CM0026 CM0004 CM0005 YES YES
1 Provenance | Identity CM0024 CM0025 CM0026 CM0004 CM0005 CM0028 YES YES
2 Provenance | Track and Trace CM0024 CM0025 CM0026 CM0004 CM0005 CM0028 YES YES
3 Provenance | Validate as Genuine and Not Altered CM0024 CM0025 CM0026 CM0004 CM0005 CM0028 YES YES
4 Provenance | Supply Chain Integrity — Pedigree CM0024 CM0025 CM0026 CM0004 CM0005 CM0028 YES YES
SR-5 Acquisition Strategies, Tools, and Methods CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
1 Acquisition Strategies, Tools, and Methods | Adequate Supply CM0022 CM0025 CM0026 CM0005 CM0024 CM0027 CM0028 CM0004 YES YES
2 Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update CM0022 CM0025 CM0026 CM0005 CM0024 CM0027 CM0028 CM0004 YES YES
SR-6 Supplier Assessments and Reviews CM0025 CM0004 CM0005 YES YES
1 Supplier Assessments and Reviews | Testing and Analysis CM0024 CM0027 CM0028 CM0004 CM0018 CM0005 YES YES
SR-7 Supply Chain Operations Security CM0001 CM0022 CM0004 CM0005 YES YES
SR-8 Notification Agreements CM0009 CM0005 NA NA
SR-9 Tamper Resistance and Detection CM0024 CM0028 CM0005 YES YES
1 Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle CM0024 CM0028 CM0005 YES YES
SR-10 Inspection of Systems or Components CM0024 CM0028 CM0005 YES YES
SR-11 Component Authenticity CM0024 CM0025 CM0026 CM0027 CM0028 CM0004 CM0005 YES YES
1 Component Authenticity | Anti-counterfeit Training CM0041 CM0005 CM0052 CM0023 CM0053 CM0024 CM0028 NA NA
2 Component Authenticity | Configuration Control for Component Service and Repair CM0041 CM0005 CM0052 CM0023 CM0053 CM0024 CM0028 NA NA
3 Component Authenticity | Anti-counterfeit Scanning CM0041 CM0005 CM0052 CM0023 CM0053 CM0024 CM0028 YES YES
SR-12 Component Disposal CM0001 CM0005 NA YES