CM-5(6) - Reference

NIST References

SP 800-53 Revision 5

AC - Access Control

AC-1 - Policy and Procedures

AC-2 - Account Management

AC-2(1) - Account Management | Automated System Account Management

AC-2(2) - Account Management | Automated Temporary and Emergency Account Management

AC-2(3) - Account Management | Disable Accounts

AC-2(4) - Account Management | Automated Audit Actions

AC-2(5) - Account Management | Inactivity Logout

AC-2(6) - Account Management | Dynamic Privilege Management

AC-2(7) - Account Management | Privileged User Accounts

AC-2(8) - Account Management | Dynamic Account Management

AC-2(9) - Account Management | Restrictions on Use of Shared and Group Accounts

AC-2(11) - Account Management | Usage Conditions

AC-2(12) - Account Management | Account Monitoring for Atypical Usage

AC-2(13) - Account Management | Disable Accounts for High-risk Individuals

AC-3 - Access Enforcement

AC-3(2) - Access Enforcement | Dual Authorization

AC-3(3) - Access Enforcement | Mandatory Access Control

AC-3(4) - Access Enforcement | Discretionary Access Control

AC-3(5) - Access Enforcement | Security-relevant Information

AC-3(7) - Access Enforcement | Role-based Access Control

AC-3(8) - Access Enforcement | Revocation of Access Authorizations

AC-3(9) - Access Enforcement | Controlled Release

AC-3(10) - Access Enforcement | Audited Override of Access Control Mechanisms

AC-3(11) - Access Enforcement | Restrict Access to Specific Information Types

AC-3(12) - Access Enforcement | Assert and Enforce Application Access

AC-3(13) - Access Enforcement | Attribute-based Access Control

AC-3(14) - Access Enforcement | Individual Access

AC-3(15) - Access Enforcement | Discretionary and Mandatory Access Control

AC-4 - Information Flow Enforcement

AC-4(1) - Information Flow Enforcement | Object Security and Privacy Attributes

AC-4(2) - Information Flow Enforcement | Processing Domains

AC-4(3) - Information Flow Enforcement | Dynamic Information Flow Control

AC-4(4) - Information Flow Enforcement | Flow Control of Encrypted Information

AC-4(5) - Information Flow Enforcement | Embedded Data Types

AC-4(6) - Information Flow Enforcement | Metadata

AC-4(7) - Information Flow Enforcement | One-way Flow Mechanisms

AC-4(8) - Information Flow Enforcement | Security and Privacy Policy Filters

AC-4(9) - Information Flow Enforcement | Human Reviews

AC-4(10) - Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters

AC-4(11) - Information Flow Enforcement | Configuration of Security or Privacy Policy Filters

AC-4(12) - Information Flow Enforcement | Data Type Identifiers

AC-4(13) - Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents

AC-4(14) - Information Flow Enforcement | Security or Privacy Policy Filter Constraints

AC-4(15) - Information Flow Enforcement | Detection of Unsanctioned Information

AC-4(17) - Information Flow Enforcement | Domain Authentication

AC-4(19) - Information Flow Enforcement | Validation of Metadata

AC-4(20) - Information Flow Enforcement | Approved Solutions

AC-4(21) - Information Flow Enforcement | Physical or Logical Separation of Information Flows

AC-4(22) - Information Flow Enforcement | Access Only

AC-4(23) - Information Flow Enforcement | Modify Non-releasable Information

AC-4(24) - Information Flow Enforcement | Internal Normalized Format

AC-4(25) - Information Flow Enforcement | Data Sanitization

AC-4(26) - Information Flow Enforcement | Audit Filtering Actions

AC-4(27) - Information Flow Enforcement | Redundant/independent Filtering Mechanisms

AC-4(28) - Information Flow Enforcement | Linear Filter Pipelines

AC-4(29) - Information Flow Enforcement | Filter Orchestration Engines

AC-4(30) - Information Flow Enforcement | Filter Mechanisms Using Multiple Processes

AC-4(31) - Information Flow Enforcement | Failed Content Transfer Prevention

AC-4(32) - Information Flow Enforcement | Process Requirements for Information Transfer

AC-5 - Separation of Duties

AC-6 - Least Privilege

AC-6(1) - Least Privilege | Authorize Access to Security Functions

AC-6(2) - Least Privilege | Non-privileged Access for Nonsecurity Functions

AC-6(3) - Least Privilege | Network Access to Privileged Commands

AC-6(4) - Least Privilege | Separate Processing Domains

AC-6(5) - Least Privilege | Privileged Accounts

AC-6(6) - Least Privilege | Privileged Access by Non-organizational Users

AC-6(7) - Least Privilege | Review of User Privileges

AC-6(8) - Least Privilege | Privilege Levels for Code Execution

AC-6(9) - Least Privilege | Log Use of Privileged Functions

AC-6(10) - Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions

AC-7 - Unsuccessful Logon Attempts

AC-7(2) - Unsuccessful Logon Attempts | Purge or Wipe Mobile Device

AC-7(3) - Unsuccessful Logon Attempts | Biometric Attempt Limiting

AC-7(4) - Unsuccessful Logon Attempts | Use of Alternate Authentication Factor

AC-8 - System Use Notification

AC-9 - Previous Logon Notification

AC-9(1) - Previous Logon Notification | Unsuccessful Logons

AC-9(2) - Previous Logon Notification | Successful and Unsuccessful Logons

AC-9(3) - Previous Logon Notification | Notification of Account Changes

AC-9(4) - Previous Logon Notification | Additional Logon Information

AC-10 - Concurrent Session Control

AC-11 - Device Lock

AC-11(1) - Device Lock | Pattern-hiding Displays

AC-12 - Session Termination

AC-12(1) - Session Termination | User-initiated Logouts

AC-12(2) - Session Termination | Termination Message

AC-12(3) - Session Termination | Timeout Warning Message

AC-14 - Permitted Actions Without Identification or Authentication

AC-16 - Security and Privacy Attributes

AC-16(1) - Security and Privacy Attributes | Dynamic Attribute Association

AC-16(2) - Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals

AC-16(3) - Security and Privacy Attributes | Maintenance of Attribute Associations by System

AC-16(4) - Security and Privacy Attributes | Association of Attributes by Authorized Individuals

AC-16(5) - Security and Privacy Attributes | Attribute Displays on Objects to Be Output

AC-16(6) - Security and Privacy Attributes | Maintenance of Attribute Association

AC-16(7) - Security and Privacy Attributes | Consistent Attribute Interpretation

AC-16(8) - Security and Privacy Attributes | Association Techniques and Technologies

AC-16(9) - Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms

AC-16(10) - Security and Privacy Attributes | Attribute Configuration by Authorized Individuals

AC-17 - Remote Access

AC-17(1) - Remote Access | Monitoring and Control

AC-17(2) - Remote Access | Protection of Confidentiality and Integrity Using Encryption

AC-17(3) - Remote Access | Managed Access Control Points

AC-17(4) - Remote Access | Privileged Commands and Access

AC-17(6) - Remote Access | Protection of Mechanism Information

AC-17(9) - Remote Access | Disconnect or Disable Access

AC-17(10) - Remote Access | Authenticate Remote Commands

AC-18 - Wireless Access

AC-18(1) - Wireless Access | Authentication and Encryption

AC-18(3) - Wireless Access | Disable Wireless Networking

AC-18(4) - Wireless Access | Restrict Configurations by Users

AC-18(5) - Wireless Access | Antennas and Transmission Power Levels

AC-19 - Access Control for Mobile Devices

AC-19(4) - Access Control for Mobile Devices | Restrictions for Classified Information

AC-19(5) - Access Control for Mobile Devices | Full Device or Container-based Encryption

AC-20 - Use of External Systems

AC-20(1) - Use of External Systems | Limits on Authorized Use

AC-20(2) - Use of External Systems | Portable Storage Devices — Restricted Use

AC-20(3) - Use of External Systems | Non-organizationally Owned Systems — Restricted Use

AC-20(4) - Use of External Systems | Network Accessible Storage Devices — Prohibited Use

AC-20(5) - Use of External Systems | Portable Storage Devices — Prohibited Use

AC-21 - Information Sharing

AC-21(1) - Information Sharing | Automated Decision Support

AC-21(2) - Information Sharing | Information Search and Retrieval

AC-22 - Publicly Accessible Content

AC-23 - Data Mining Protection

AC-24 - Access Control Decisions

AC-24(1) - Access Control Decisions | Transmit Access Authorization Information

AC-24(2) - Access Control Decisions | No User or Process Identity

AC-25 - Reference Monitor

AT - Awareness and Training

AT-1 - Policy and Procedures

AT-2 - Literacy Training and Awareness

AT-2(1) - Literacy Training and Awareness | Practical Exercises

AT-2(2) - Literacy Training and Awareness | Insider Threat

AT-2(3) - Literacy Training and Awareness | Social Engineering and Mining

AT-2(4) - Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior

AT-2(5) - Literacy Training and Awareness | Advanced Persistent Threat

AT-2(6) - Literacy Training and Awareness | Cyber Threat Environment

AT-3 - Role-based Training

AT-3(1) - Role-based Training | Environmental Controls

AT-3(2) - Role-based Training | Physical Security Controls

AT-3(3) - Role-based Training | Practical Exercises

AT-3(5) - Role-based Training | Processing Personally Identifiable Information

AT-4 - Training Records

AT-6 - Training Feedback

AU - Audit and Accountability

AU-1 - Policy and Procedures

AU-2 - Event Logging

AU-3 - Content of Audit Records

AU-3(1) - Content of Audit Records | Additional Audit Information

AU-3(3) - Content of Audit Records | Limit Personally Identifiable Information Elements

AU-4 - Audit Log Storage Capacity

AU-4(1) - Audit Log Storage Capacity | Transfer to Alternate Storage

AU-5 - Response to Audit Logging Process Failures

AU-5(1) - Response to Audit Logging Process Failures | Storage Capacity Warning

AU-5(2) - Response to Audit Logging Process Failures | Real-time Alerts

AU-5(3) - Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds

AU-5(4) - Response to Audit Logging Process Failures | Shutdown on Failure

AU-5(5) - Response to Audit Logging Process Failures | Alternate Audit Logging Capability

AU-6 - Audit Record Review, Analysis, and Reporting

AU-6(1) - Audit Record Review, Analysis, and Reporting | Automated Process Integration

AU-6(3) - Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories

AU-6(4) - Audit Record Review, Analysis, and Reporting | Central Review and Analysis

AU-6(5) - Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records

AU-6(6) - Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring

AU-6(7) - Audit Record Review, Analysis, and Reporting | Permitted Actions

AU-6(8) - Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands

AU-6(9) - Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources

AU-7 - Audit Record Reduction and Report Generation

AU-7(1) - Audit Record Reduction and Report Generation | Automatic Processing

AU-8 - Time Stamps

AU-9 - Protection of Audit Information

AU-9(1) - Protection of Audit Information | Hardware Write-once Media

AU-9(2) - Protection of Audit Information | Store on Separate Physical Systems or Components

AU-9(3) - Protection of Audit Information | Cryptographic Protection

AU-9(4) - Protection of Audit Information | Access by Subset of Privileged Users

AU-9(5) - Protection of Audit Information | Dual Authorization

AU-9(6) - Protection of Audit Information | Read-only Access

AU-9(7) - Protection of Audit Information | Store on Component with Different Operating System

AU-10 - Non-repudiation

AU-10(1) - Non-repudiation | Association of Identities

AU-10(2) - Non-repudiation | Validate Binding of Information Producer Identity

AU-10(3) - Non-repudiation | Chain of Custody

AU-10(4) - Non-repudiation | Validate Binding of Information Reviewer Identity

AU-11 - Audit Record Retention

AU-11(1) - Audit Record Retention | Long-term Retrieval Capability

AU-12 - Audit Record Generation

AU-12(1) - Audit Record Generation | System-wide and Time-correlated Audit Trail

AU-12(2) - Audit Record Generation | Standardized Formats

AU-12(3) - Audit Record Generation | Changes by Authorized Individuals

AU-12(4) - Audit Record Generation | Query Parameter Audits of Personally Identifiable Information

AU-13 - Monitoring for Information Disclosure

AU-13(1) - Monitoring for Information Disclosure | Use of Automated Tools

AU-13(2) - Monitoring for Information Disclosure | Review of Monitored Sites

AU-13(3) - Monitoring for Information Disclosure | Unauthorized Replication of Information

AU-14 - Session Audit

AU-14(1) - Session Audit | System Start-up

AU-14(3) - Session Audit | Remote Viewing and Listening

AU-16 - Cross-organizational Audit Logging

AU-16(1) - Cross-organizational Audit Logging | Identity Preservation

AU-16(2) - Cross-organizational Audit Logging | Sharing of Audit Information

AU-16(3) - Cross-organizational Audit Logging | Disassociability

CA - Assessment, Authorization, and Monitoring

CA-1 - Policy and Procedures

CA-2 - Control Assessments

CA-2(1) - Control Assessments | Independent Assessors

CA-2(2) - Control Assessments | Specialized Assessments

CA-2(3) - Control Assessments | Leveraging Results from External Organizations

CA-3 - Information Exchange

CA-3(6) - Information Exchange | Transfer Authorizations

CA-3(7) - Information Exchange | Transitive Information Exchanges

CA-5 - Plan of Action and Milestones

CA-5(1) - Plan of Action and Milestones | Automation Support for Accuracy and Currency

CA-6 - Authorization

CA-6(1) - Authorization | Joint Authorization — Intra-organization

CA-6(2) - Authorization | Joint Authorization — Inter-organization

CA-7 - Continuous Monitoring

CA-7(1) - Continuous Monitoring | Independent Assessment

CA-7(3) - Continuous Monitoring | Trend Analyses

CA-7(4) - Continuous Monitoring | Risk Monitoring

CA-7(5) - Continuous Monitoring | Consistency Analysis

CA-7(6) - Continuous Monitoring | Automation Support for Monitoring

CA-8 - Penetration Testing

CA-8(1) - Penetration Testing | Independent Penetration Testing Agent or Team

CA-8(2) - Penetration Testing | Red Team Exercises

CA-8(3) - Penetration Testing | Facility Penetration Testing

CA-9 - Internal System Connections

CA-9(1) - Internal System Connections | Compliance Checks

CM - Configuration Management

CM-1 - Policy and Procedures

CM-2 - Baseline Configuration

CM-2(2) - Baseline Configuration | Automation Support for Accuracy and Currency

CM-2(3) - Baseline Configuration | Retention of Previous Configurations

CM-2(6) - Baseline Configuration | Development and Test Environments

CM-2(7) - Baseline Configuration | Configure Systems and Components for High-risk Areas

CM-3 - Configuration Change Control

CM-3(1) - Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes

CM-3(2) - Configuration Change Control | Testing, Validation, and Documentation of Changes

CM-3(3) - Configuration Change Control | Automated Change Implementation

CM-3(4) - Configuration Change Control | Security and Privacy Representatives

CM-3(5) - Configuration Change Control | Automated Security Response

CM-3(6) - Configuration Change Control | Cryptography Management

CM-3(7) - Configuration Change Control | Review System Changes

CM-3(8) - Configuration Change Control | Prevent or Restrict Configuration Changes

CM-4 - Impact Analyses

CM-4(1) - Impact Analyses | Separate Test Environments

CM-4(2) - Impact Analyses | Verification of Controls

CM-5 - Access Restrictions for Change

CM-5(1) - Access Restrictions for Change | Automated Access Enforcement and Audit Records

CM-5(4) - Access Restrictions for Change | Dual Authorization

CM-5(5) - Access Restrictions for Change | Privilege Limitation for Production and Operation

CM-5(6) - Access Restrictions for Change | Limit Library Privileges

CM-6 - Configuration Settings

CM-6(1) - Configuration Settings | Automated Management, Application, and Verification

CM-6(2) - Configuration Settings | Respond to Unauthorized Changes

CM-7 - Least Functionality

CM-7(1) - Least Functionality | Periodic Review

CM-7(2) - Least Functionality | Prevent Program Execution

CM-7(3) - Least Functionality | Registration Compliance

CM-7(4) - Least Functionality | Unauthorized Software

CM-7(5) - Least Functionality | Authorized Software

CM-7(6) - Least Functionality | Confined Environments with Limited Privileges

CM-7(7) - Least Functionality | Code Execution in Protected Environments

CM-7(8) - Least Functionality | Binary or Machine Executable Code

CM-7(9) - Least Functionality | Prohibiting The Use of Unauthorized Hardware

CM-8 - System Component Inventory

CM-8(1) - System Component Inventory | Updates During Installation and Removal

CM-8(2) - System Component Inventory | Automated Maintenance

CM-8(3) - System Component Inventory | Automated Unauthorized Component Detection

CM-8(4) - System Component Inventory | Accountability Information

CM-8(6) - System Component Inventory | Assessed Configurations and Approved Deviations

CM-8(7) - System Component Inventory | Centralized Repository

CM-8(8) - System Component Inventory | Automated Location Tracking

CM-8(9) - System Component Inventory | Assignment of Components to Systems

CM-9 - Configuration Management Plan

CM-9(1) - Configuration Management Plan | Assignment of Responsibility

CM-10 - Software Usage Restrictions

CM-10(1) - Software Usage Restrictions | Open-source Software

CM-11 - User-installed Software

CM-11(2) - User-installed Software | Software Installation with Privileged Status

CM-11(3) - User-installed Software | Automated Enforcement and Monitoring

CM-12 - Information Location

CM-12(1) - Information Location | Automated Tools to Support Information Location

CM-13 - Data Action Mapping

CM-14 - Signed Components

CP - Contingency Planning

CP-1 - Policy and Procedures

CP-2 - Contingency Plan

CP-2(1) - Contingency Plan | Coordinate with Related Plans

CP-2(2) - Contingency Plan | Capacity Planning

CP-2(3) - Contingency Plan | Resume Mission and Business Functions

CP-2(5) - Contingency Plan | Continue Mission and Business Functions

CP-2(6) - Contingency Plan | Alternate Processing and Storage Sites

CP-2(7) - Contingency Plan | Coordinate with External Service Providers

CP-2(8) - Contingency Plan | Identify Critical Assets

CP-3 - Contingency Training

CP-3(1) - Contingency Training | Simulated Events

CP-3(2) - Contingency Training | Mechanisms Used in Training Environments

CP-4 - Contingency Plan Testing

CP-4(1) - Contingency Plan Testing | Coordinate with Related Plans

CP-4(2) - Contingency Plan Testing | Alternate Processing Site

CP-4(3) - Contingency Plan Testing | Automated Testing

CP-4(4) - Contingency Plan Testing | Full Recovery and Reconstitution

CP-4(5) - Contingency Plan Testing | Self-challenge

CP-6 - Alternate Storage Site

CP-6(1) - Alternate Storage Site | Separation from Primary Site

CP-6(2) - Alternate Storage Site | Recovery Time and Recovery Point Objectives

CP-6(3) - Alternate Storage Site | Accessibility

CP-7 - Alternate Processing Site

CP-7(1) - Alternate Processing Site | Separation from Primary Site

CP-7(2) - Alternate Processing Site | Accessibility

CP-7(3) - Alternate Processing Site | Priority of Service

CP-7(4) - Alternate Processing Site | Preparation for Use

CP-7(6) - Alternate Processing Site | Inability to Return to Primary Site

CP-8 - Telecommunications Services

CP-8(1) - Telecommunications Services | Priority of Service Provisions

CP-8(2) - Telecommunications Services | Single Points of Failure

CP-8(3) - Telecommunications Services | Separation of Primary and Alternate Providers

CP-8(4) - Telecommunications Services | Provider Contingency Plan

CP-8(5) - Telecommunications Services | Alternate Telecommunication Service Testing

CP-9 - System Backup

CP-9(1) - System Backup | Testing for Reliability and Integrity

CP-9(2) - System Backup | Test Restoration Using Sampling

CP-9(3) - System Backup | Separate Storage for Critical Information

CP-9(5) - System Backup | Transfer to Alternate Storage Site

CP-9(6) - System Backup | Redundant Secondary System

CP-9(7) - System Backup | Dual Authorization

CP-9(8) - System Backup | Cryptographic Protection

CP-10 - System Recovery and Reconstitution

CP-10(2) - System Recovery and Reconstitution | Transaction Recovery

CP-10(4) - System Recovery and Reconstitution | Restore Within Time Period

CP-10(6) - System Recovery and Reconstitution | Component Protection

CP-11 - Alternate Communications Protocols

CP-12 - Safe Mode

CP-13 - Alternative Security Mechanisms

IA - Identification and Authentication

IA-1 - Policy and Procedures

IA-2 - Identification and Authentication (organizational Users)

IA-2(1) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts

IA-2(2) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts

IA-2(5) - Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication

IA-2(6) - Identification and Authentication (organizational Users) | Access to Accounts — Separate Device

IA-2(8) - Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant

IA-2(10) - Identification and Authentication (organizational Users) | Single Sign-on

IA-2(12) - Identification and Authentication (organizational Users) | Acceptance of PIV Credentials

IA-2(13) - Identification and Authentication (organizational Users) | Out-of-band Authentication

IA-3 - Device Identification and Authentication

IA-3(1) - Device Identification and Authentication | Cryptographic Bidirectional Authentication

IA-3(3) - Device Identification and Authentication | Dynamic Address Allocation

IA-3(4) - Device Identification and Authentication | Device Attestation

IA-4 - Identifier Management

IA-4(1) - Identifier Management | Prohibit Account Identifiers as Public Identifiers

IA-4(4) - Identifier Management | Identify User Status

IA-4(5) - Identifier Management | Dynamic Management

IA-4(6) - Identifier Management | Cross-organization Management

IA-4(8) - Identifier Management | Pairwise Pseudonymous Identifiers

IA-4(9) - Identifier Management | Attribute Maintenance and Protection

IA-5 - Authenticator Management

IA-5(1) - Authenticator Management | Password-based Authentication

IA-5(2) - Authenticator Management | Public Key-based Authentication

IA-5(5) - Authenticator Management | Change Authenticators Prior to Delivery

IA-5(6) - Authenticator Management | Protection of Authenticators

IA-5(7) - Authenticator Management | No Embedded Unencrypted Static Authenticators

IA-5(8) - Authenticator Management | Multiple System Accounts

IA-5(9) - Authenticator Management | Federated Credential Management

IA-5(10) - Authenticator Management | Dynamic Credential Binding

IA-5(12) - Authenticator Management | Biometric Authentication Performance

IA-5(13) - Authenticator Management | Expiration of Cached Authenticators

IA-5(14) - Authenticator Management | Managing Content of PKI Trust Stores

IA-5(15) - Authenticator Management | Gsa-approved Products and Services

IA-5(16) - Authenticator Management | In-person or Trusted External Party Authenticator Issuance

IA-5(17) - Authenticator Management | Presentation Attack Detection for Biometric Authenticators

IA-5(18) - Authenticator Management | Password Managers

IA-6 - Authentication Feedback

IA-7 - Cryptographic Module Authentication

IA-8 - Identification and Authentication (non-organizational Users)

IA-8(1) - Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies

IA-8(2) - Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators

IA-8(4) - Identification and Authentication (non-organizational Users) | Use of Defined Profiles

IA-8(5) - Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials

IA-8(6) - Identification and Authentication (non-organizational Users) | Disassociability

IA-9 - Service Identification and Authentication

IA-10 - Adaptive Authentication

IA-11 - Re-authentication

IA-12 - Identity Proofing

IA-12(1) - Identity Proofing | Supervisor Authorization

IA-12(2) - Identity Proofing | Identity Evidence

IA-12(3) - Identity Proofing | Identity Evidence Validation and Verification

IA-12(4) - Identity Proofing | In-person Validation and Verification

IA-12(5) - Identity Proofing | Address Confirmation

IA-12(6) - Identity Proofing | Accept Externally-proofed Identities

IR - Incident Response

IR-1 - Policy and Procedures

IR-2 - Incident Response Training

IR-2(1) - Incident Response Training | Simulated Events

IR-2(2) - Incident Response Training | Automated Training Environments

IR-2(3) - Incident Response Training | Breach

IR-3 - Incident Response Testing

IR-3(1) - Incident Response Testing | Automated Testing

IR-3(2) - Incident Response Testing | Coordination with Related Plans

IR-3(3) - Incident Response Testing | Continuous Improvement

IR-4 - Incident Handling

IR-4(1) - Incident Handling | Automated Incident Handling Processes

IR-4(2) - Incident Handling | Dynamic Reconfiguration

IR-4(3) - Incident Handling | Continuity of Operations

IR-4(4) - Incident Handling | Information Correlation

IR-4(5) - Incident Handling | Automatic Disabling of System

IR-4(6) - Incident Handling | Insider Threats

IR-4(7) - Incident Handling | Insider Threats — Intra-organization Coordination

IR-4(8) - Incident Handling | Correlation with External Organizations

IR-4(9) - Incident Handling | Dynamic Response Capability

IR-4(10) - Incident Handling | Supply Chain Coordination

IR-4(11) - Incident Handling | Integrated Incident Response Team

IR-4(12) - Incident Handling | Malicious Code and Forensic Analysis

IR-4(13) - Incident Handling | Behavior Analysis

IR-4(14) - Incident Handling | Security Operations Center

IR-4(15) - Incident Handling | Public Relations and Reputation Repair

IR-5 - Incident Monitoring

IR-5(1) - Incident Monitoring | Automated Tracking, Data Collection, and Analysis

IR-6 - Incident Reporting

IR-6(1) - Incident Reporting | Automated Reporting

IR-6(2) - Incident Reporting | Vulnerabilities Related to Incidents

IR-6(3) - Incident Reporting | Supply Chain Coordination

IR-7 - Incident Response Assistance

IR-7(1) - Incident Response Assistance | Automation Support for Availability of Information and Support

IR-7(2) - Incident Response Assistance | Coordination with External Providers

IR-8 - Incident Response Plan

IR-8(1) - Incident Response Plan | Breaches

IR-9 - Information Spillage Response

IR-9(2) - Information Spillage Response | Training

IR-9(3) - Information Spillage Response | Post-spill Operations

IR-9(4) - Information Spillage Response | Exposure to Unauthorized Personnel

MA - Maintenance

MA-1 - Policy and Procedures

MA-2 - Controlled Maintenance

MA-2(2) - Controlled Maintenance | Automated Maintenance Activities

MA-3 - Maintenance Tools

MA-3(1) - Maintenance Tools | Inspect Tools

MA-3(2) - Maintenance Tools | Inspect Media

MA-3(3) - Maintenance Tools | Prevent Unauthorized Removal

MA-3(4) - Maintenance Tools | Restricted Tool Use

MA-3(5) - Maintenance Tools | Execution with Privilege

MA-3(6) - Maintenance Tools | Software Updates and Patches

MA-4 - Nonlocal Maintenance

MA-4(1) - Nonlocal Maintenance | Logging and Review

MA-4(3) - Nonlocal Maintenance | Comparable Security and Sanitization

MA-4(4) - Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions

MA-4(5) - Nonlocal Maintenance | Approvals and Notifications

MA-4(6) - Nonlocal Maintenance | Cryptographic Protection

MA-4(7) - Nonlocal Maintenance | Disconnect Verification

MA-5 - Maintenance Personnel

MA-5(1) - Maintenance Personnel | Individuals Without Appropriate Access

MA-5(2) - Maintenance Personnel | Security Clearances for Classified Systems

MA-5(3) - Maintenance Personnel | Citizenship Requirements for Classified Systems

MA-5(4) - Maintenance Personnel | Foreign Nationals

MA-5(5) - Maintenance Personnel | Non-system Maintenance

MA-6 - Timely Maintenance

MA-6(1) - Timely Maintenance | Preventive Maintenance

MA-6(2) - Timely Maintenance | Predictive Maintenance

MA-6(3) - Timely Maintenance | Automated Support for Predictive Maintenance

MA-7 - Field Maintenance

MP - Media Protection

MP-1 - Policy and Procedures

MP-2 - Media Access

MP-3 - Media Marking

MP-4 - Media Storage

MP-4(2) - Media Storage | Automated Restricted Access

MP-5 - Media Transport

MP-5(3) - Media Transport | Custodians

MP-6 - Media Sanitization

MP-6(1) - Media Sanitization | Review, Approve, Track, Document, and Verify

MP-6(2) - Media Sanitization | Equipment Testing

MP-6(3) - Media Sanitization | Nondestructive Techniques

MP-6(7) - Media Sanitization | Dual Authorization

MP-6(8) - Media Sanitization | Remote Purging or Wiping of Information

MP-7 - Media Use

MP-7(2) - Media Use | Prohibit Use of Sanitization-resistant Media

MP-8 - Media Downgrading

MP-8(1) - Media Downgrading | Documentation of Process

MP-8(2) - Media Downgrading | Equipment Testing

MP-8(3) - Media Downgrading | Controlled Unclassified Information

MP-8(4) - Media Downgrading | Classified Information

PE - Physical and Environmental Protection

PE-1 - Policy and Procedures

PE-2 - Physical Access Authorizations

PE-2(1) - Physical Access Authorizations | Access by Position or Role

PE-2(2) - Physical Access Authorizations | Two Forms of Identification

PE-2(3) - Physical Access Authorizations | Restrict Unescorted Access

PE-3 - Physical Access Control

PE-3(1) - Physical Access Control | System Access

PE-3(2) - Physical Access Control | Facility and Systems

PE-3(3) - Physical Access Control | Continuous Guards

PE-3(4) - Physical Access Control | Lockable Casings

PE-3(5) - Physical Access Control | Tamper Protection

PE-3(7) - Physical Access Control | Physical Barriers

PE-3(8) - Physical Access Control | Access Control Vestibules

PE-4 - Access Control for Transmission

PE-5 - Access Control for Output Devices

PE-5(2) - Access Control for Output Devices | Link to Individual Identity

PE-6 - Monitoring Physical Access

PE-6(1) - Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment

PE-6(2) - Monitoring Physical Access | Automated Intrusion Recognition and Responses

PE-6(3) - Monitoring Physical Access | Video Surveillance

PE-6(4) - Monitoring Physical Access | Monitoring Physical Access to Systems

PE-8 - Visitor Access Records

PE-8(1) - Visitor Access Records | Automated Records Maintenance and Review

PE-8(3) - Visitor Access Records | Limit Personally Identifiable Information Elements

PE-9 - Power Equipment and Cabling

PE-9(1) - Power Equipment and Cabling | Redundant Cabling

PE-9(2) - Power Equipment and Cabling | Automatic Voltage Controls

PE-10 - Emergency Shutoff

PE-11 - Emergency Power

PE-11(1) - Emergency Power | Alternate Power Supply — Minimal Operational Capability

PE-11(2) - Emergency Power | Alternate Power Supply — Self-contained

PE-12 - Emergency Lighting

PE-12(1) - Emergency Lighting | Essential Mission and Business Functions

PE-13 - Fire Protection

PE-13(1) - Fire Protection | Detection Systems – Automatic Activation and Notification

PE-13(2) - Fire Protection | Suppression Systems – Automatic Activation and Notification

PE-13(4) - Fire Protection | Inspections

PE-14 - Environmental Controls

PE-14(1) - Environmental Controls | Automatic Controls

PE-14(2) - Environmental Controls | Monitoring with Alarms and Notifications

PE-15 - Water Damage Protection

PE-15(1) - Water Damage Protection | Automation Support

PE-16 - Delivery and Removal

PE-17 - Alternate Work Site

PE-18 - Location of System Components

PE-19 - Information Leakage

PE-19(1) - Information Leakage | National Emissions and Tempest Policies and Procedures

PE-20 - Asset Monitoring and Tracking

PE-21 - Electromagnetic Pulse Protection

PE-22 - Component Marking

PE-23 - Facility Location

PL - Planning

PL-1 - Policy and Procedures

PL-2 - System Security and Privacy Plans

PL-4 - Rules of Behavior

PL-4(1) - Rules of Behavior | Social Media and External Site/application Usage Restrictions

PL-7 - Concept of Operations

PL-8 - Security and Privacy Architectures

PL-8(1) - Security and Privacy Architectures | Defense in Depth

PL-8(2) - Security and Privacy Architectures | Supplier Diversity

PL-9 - Central Management

PL-10 - Baseline Selection

PL-11 - Baseline Tailoring

PM - Program Management

PM-1 - Information Security Program Plan

PM-2 - Information Security Program Leadership Role

PM-3 - Information Security and Privacy Resources

PM-4 - Plan of Action and Milestones Process

PM-5 - System Inventory

PM-5(1) - System Inventory | Inventory of Personally Identifiable Information

PM-6 - Measures of Performance

PM-7 - Enterprise Architecture

PM-7(1) - Enterprise Architecture | Offloading

PM-8 - Critical Infrastructure Plan

PM-9 - Risk Management Strategy

PM-10 - Authorization Process

PM-11 - Mission and Business Process Definition

PM-12 - Insider Threat Program

PM-13 - Security and Privacy Workforce

PM-14 - Testing, Training, and Monitoring

PM-15 - Security and Privacy Groups and Associations

PM-16 - Threat Awareness Program

PM-16(1) - Threat Awareness Program | Automated Means for Sharing Threat Intelligence

PM-17 - Protecting Controlled Unclassified Information on External Systems

PM-18 - Privacy Program Plan

PM-19 - Privacy Program Leadership Role

PM-20 - Dissemination of Privacy Program Information

PM-20(1) - Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services

PM-21 - Accounting of Disclosures

PM-22 - Personally Identifiable Information Quality Management

PM-23 - Data Governance Body

PM-24 - Data Integrity Board

PM-25 - Minimization of Personally Identifiable Information Used in Testing, Training, and Research

PM-26 - Complaint Management

PM-27 - Privacy Reporting

PM-28 - Risk Framing

PM-29 - Risk Management Program Leadership Roles

PM-30 - Supply Chain Risk Management Strategy

PM-30(1) - Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items

PM-31 - Continuous Monitoring Strategy

PM-32 - Purposing

PS - Personnel Security

PS-1 - Policy and Procedures

PS-2 - Position Risk Designation

PS-3 - Personnel Screening

PS-3(1) - Personnel Screening | Classified Information

PS-3(2) - Personnel Screening | Formal Indoctrination

PS-3(3) - Personnel Screening | Information with Special Protective Measures

PS-3(4) - Personnel Screening | Citizenship Requirements

PS-4 - Personnel Termination

PS-4(1) - Personnel Termination | Post-employment Requirements

PS-4(2) - Personnel Termination | Automated Actions

PS-5 - Personnel Transfer

PS-6 - Access Agreements

PS-6(2) - Access Agreements | Classified Information Requiring Special Protection

PS-6(3) - Access Agreements | Post-employment Requirements

PS-7 - External Personnel Security

PS-8 - Personnel Sanctions

PS-9 - Position Descriptions

PT - Personally Identifiable Information Processing and Transparency

PT-1 - Policy and Procedures

PT-2 - Authority to Process Personally Identifiable Information

PT-2(1) - Authority to Process Personally Identifiable Information | Data Tagging

PT-2(2) - Authority to Process Personally Identifiable Information | Automation

PT-3 - Personally Identifiable Information Processing Purposes

PT-3(1) - Personally Identifiable Information Processing Purposes | Data Tagging

PT-3(2) - Personally Identifiable Information Processing Purposes | Automation

PT-4 - Consent

PT-4(1) - Consent | Tailored Consent

PT-4(2) - Consent | Just-in-time Consent

PT-4(3) - Consent | Revocation

PT-5 - Privacy Notice

PT-5(1) - Privacy Notice | Just-in-time Notice

PT-5(2) - Privacy Notice | Privacy Act Statements

PT-6 - System of Records Notice

PT-6(1) - System of Records Notice | Routine Uses

PT-6(2) - System of Records Notice | Exemption Rules

PT-7 - Specific Categories of Personally Identifiable Information

PT-7(1) - Specific Categories of Personally Identifiable Information | Social Security Numbers

PT-7(2) - Specific Categories of Personally Identifiable Information | First Amendment Information

PT-8 - Computer Matching Requirements

RA - Risk Assessment

RA-1 - Policy and Procedures

RA-2 - Security Categorization

RA-2(1) - Security Categorization | Impact-level Prioritization

RA-3 - Risk Assessment

RA-3(1) - Risk Assessment | Supply Chain Risk Assessment

RA-3(2) - Risk Assessment | Use of All-source Intelligence

RA-3(3) - Risk Assessment | Dynamic Threat Awareness

RA-3(4) - Risk Assessment | Predictive Cyber Analytics

RA-5 - Vulnerability Monitoring and Scanning

RA-5(2) - Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned

RA-5(3) - Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage

RA-5(4) - Vulnerability Monitoring and Scanning | Discoverable Information

RA-5(5) - Vulnerability Monitoring and Scanning | Privileged Access

RA-5(6) - Vulnerability Monitoring and Scanning | Automated Trend Analyses

RA-5(8) - Vulnerability Monitoring and Scanning | Review Historic Audit Logs

RA-5(10) - Vulnerability Monitoring and Scanning | Correlate Scanning Information

RA-5(11) - Vulnerability Monitoring and Scanning | Public Disclosure Program

RA-6 - Technical Surveillance Countermeasures Survey

RA-7 - Risk Response

RA-8 - Privacy Impact Assessments

RA-9 - Criticality Analysis

RA-10 - Threat Hunting

SA - System and Services Acquisition

SA-1 - Policy and Procedures

SA-2 - Allocation of Resources

SA-3 - System Development Life Cycle

SA-3(1) - System Development Life Cycle | Manage Preproduction Environment

SA-3(2) - System Development Life Cycle | Use of Live or Operational Data

SA-3(3) - System Development Life Cycle | Technology Refresh

SA-4 - Acquisition Process

SA-4(1) - Acquisition Process | Functional Properties of Controls

SA-4(2) - Acquisition Process | Design and Implementation Information for Controls

SA-4(3) - Acquisition Process | Development Methods, Techniques, and Practices

SA-4(5) - Acquisition Process | System, Component, and Service Configurations

SA-4(6) - Acquisition Process | Use of Information Assurance Products

SA-4(7) - Acquisition Process | Niap-approved Protection Profiles

SA-4(8) - Acquisition Process | Continuous Monitoring Plan for Controls

SA-4(9) - Acquisition Process | Functions, Ports, Protocols, and Services in Use

SA-4(10) - Acquisition Process | Use of Approved PIV Products

SA-4(11) - Acquisition Process | System of Records

SA-4(12) - Acquisition Process | Data Ownership

SA-5 - System Documentation

SA-8 - Security and Privacy Engineering Principles

SA-8(1) - Security and Privacy Engineering Principles | Clear Abstractions

SA-8(2) - Security and Privacy Engineering Principles | Least Common Mechanism

SA-8(3) - Security and Privacy Engineering Principles | Modularity and Layering

SA-8(4) - Security and Privacy Engineering Principles | Partially Ordered Dependencies

SA-8(5) - Security and Privacy Engineering Principles | Efficiently Mediated Access

SA-8(6) - Security and Privacy Engineering Principles | Minimized Sharing

SA-8(7) - Security and Privacy Engineering Principles | Reduced Complexity

SA-8(8) - Security and Privacy Engineering Principles | Secure Evolvability

SA-8(9) - Security and Privacy Engineering Principles | Trusted Components

SA-8(10) - Security and Privacy Engineering Principles | Hierarchical Trust

SA-8(11) - Security and Privacy Engineering Principles | Inverse Modification Threshold

SA-8(12) - Security and Privacy Engineering Principles | Hierarchical Protection

SA-8(13) - Security and Privacy Engineering Principles | Minimized Security Elements

SA-8(14) - Security and Privacy Engineering Principles | Least Privilege

SA-8(15) - Security and Privacy Engineering Principles | Predicate Permission

SA-8(16) - Security and Privacy Engineering Principles | Self-reliant Trustworthiness

SA-8(17) - Security and Privacy Engineering Principles | Secure Distributed Composition

SA-8(18) - Security and Privacy Engineering Principles | Trusted Communications Channels

SA-8(19) - Security and Privacy Engineering Principles | Continuous Protection

SA-8(20) - Security and Privacy Engineering Principles | Secure Metadata Management

SA-8(21) - Security and Privacy Engineering Principles | Self-analysis

SA-8(22) - Security and Privacy Engineering Principles | Accountability and Traceability

SA-8(23) - Security and Privacy Engineering Principles | Secure Defaults

SA-8(24) - Security and Privacy Engineering Principles | Secure Failure and Recovery

SA-8(25) - Security and Privacy Engineering Principles | Economic Security

SA-8(26) - Security and Privacy Engineering Principles | Performance Security

SA-8(27) - Security and Privacy Engineering Principles | Human Factored Security

SA-8(28) - Security and Privacy Engineering Principles | Acceptable Security

SA-8(29) - Security and Privacy Engineering Principles | Repeatable and Documented Procedures

SA-8(30) - Security and Privacy Engineering Principles | Procedural Rigor

SA-8(31) - Security and Privacy Engineering Principles | Secure System Modification

SA-8(32) - Security and Privacy Engineering Principles | Sufficient Documentation

SA-8(33) - Security and Privacy Engineering Principles | Minimization

SA-9 - External System Services

SA-9(1) - External System Services | Risk Assessments and Organizational Approvals

SA-9(2) - External System Services | Identification of Functions, Ports, Protocols, and Services

SA-9(3) - External System Services | Establish and Maintain Trust Relationship with Providers

SA-9(4) - External System Services | Consistent Interests of Consumers and Providers

SA-9(5) - External System Services | Processing, Storage, and Service Location

SA-9(6) - External System Services | Organization-controlled Cryptographic Keys

SA-9(7) - External System Services | Organization-controlled Integrity Checking

SA-9(8) - External System Services | Processing and Storage Location — U.s. Jurisdiction

SA-10 - Developer Configuration Management

SA-10(1) - Developer Configuration Management | Software and Firmware Integrity Verification

SA-10(2) - Developer Configuration Management | Alternative Configuration Management

SA-10(3) - Developer Configuration Management | Hardware Integrity Verification

SA-10(4) - Developer Configuration Management | Trusted Generation

SA-10(5) - Developer Configuration Management | Mapping Integrity for Version Control

SA-10(6) - Developer Configuration Management | Trusted Distribution

SA-10(7) - Developer Configuration Management | Security and Privacy Representatives

SA-11 - Developer Testing and Evaluation

SA-11(1) - Developer Testing and Evaluation | Static Code Analysis

SA-11(2) - Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses

SA-11(3) - Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence

SA-11(4) - Developer Testing and Evaluation | Manual Code Reviews

SA-11(5) - Developer Testing and Evaluation | Penetration Testing

SA-11(6) - Developer Testing and Evaluation | Attack Surface Reviews

SA-11(7) - Developer Testing and Evaluation | Verify Scope of Testing and Evaluation

SA-11(8) - Developer Testing and Evaluation | Dynamic Code Analysis

SA-11(9) - Developer Testing and Evaluation | Interactive Application Security Testing

SA-15 - Development Process, Standards, and Tools

SA-15(1) - Development Process, Standards, and Tools | Quality Metrics

SA-15(2) - Development Process, Standards, and Tools | Security and Privacy Tracking Tools

SA-15(3) - Development Process, Standards, and Tools | Criticality Analysis

SA-15(5) - Development Process, Standards, and Tools | Attack Surface Reduction

SA-15(6) - Development Process, Standards, and Tools | Continuous Improvement

SA-15(7) - Development Process, Standards, and Tools | Automated Vulnerability Analysis

SA-15(8) - Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information

SA-15(10) - Development Process, Standards, and Tools | Incident Response Plan

SA-15(11) - Development Process, Standards, and Tools | Archive System or Component

SA-15(12) - Development Process, Standards, and Tools | Minimize Personally Identifiable Information

SA-16 - Developer-provided Training

SA-17 - Developer Security and Privacy Architecture and Design

SA-17(1) - Developer Security and Privacy Architecture and Design | Formal Policy Model

SA-17(2) - Developer Security and Privacy Architecture and Design | Security-relevant Components

SA-17(3) - Developer Security and Privacy Architecture and Design | Formal Correspondence

SA-17(4) - Developer Security and Privacy Architecture and Design | Informal Correspondence

SA-17(5) - Developer Security and Privacy Architecture and Design | Conceptually Simple Design

SA-17(6) - Developer Security and Privacy Architecture and Design | Structure for Testing

SA-17(7) - Developer Security and Privacy Architecture and Design | Structure for Least Privilege

SA-17(8) - Developer Security and Privacy Architecture and Design | Orchestration

SA-17(9) - Developer Security and Privacy Architecture and Design | Design Diversity

SA-20 - Customized Development of Critical Components

SA-21 - Developer Screening

SA-22 - Unsupported System Components

SA-23 - Specialization

SC - System and Communications Protection

SC-1 - Policy and Procedures

SC-2 - Separation of System and User Functionality

SC-2(1) - Separation of System and User Functionality | Interfaces for Non-privileged Users

SC-2(2) - Separation of System and User Functionality | Disassociability

SC-3 - Security Function Isolation

SC-3(1) - Security Function Isolation | Hardware Separation

SC-3(2) - Security Function Isolation | Access and Flow Control Functions

SC-3(3) - Security Function Isolation | Minimize Nonsecurity Functionality

SC-3(4) - Security Function Isolation | Module Coupling and Cohesiveness

SC-3(5) - Security Function Isolation | Layered Structures

SC-4 - Information in Shared System Resources

SC-4(2) - Information in Shared System Resources | Multilevel or Periods Processing

SC-5 - Denial-of-service Protection

SC-5(1) - Denial-of-service Protection | Restrict Ability to Attack Other Systems

SC-5(2) - Denial-of-service Protection | Capacity, Bandwidth, and Redundancy

SC-5(3) - Denial-of-service Protection | Detection and Monitoring

SC-6 - Resource Availability

SC-7 - Boundary Protection

SC-7(3) - Boundary Protection | Access Points

SC-7(4) - Boundary Protection | External Telecommunications Services

SC-7(5) - Boundary Protection | Deny by Default — Allow by Exception

SC-7(7) - Boundary Protection | Split Tunneling for Remote Devices

SC-7(8) - Boundary Protection | Route Traffic to Authenticated Proxy Servers

SC-7(9) - Boundary Protection | Restrict Threatening Outgoing Communications Traffic

SC-7(10) - Boundary Protection | Prevent Exfiltration

SC-7(11) - Boundary Protection | Restrict Incoming Communications Traffic

SC-7(12) - Boundary Protection | Host-based Protection

SC-7(13) - Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components

SC-7(14) - Boundary Protection | Protect Against Unauthorized Physical Connections

SC-7(15) - Boundary Protection | Networked Privileged Accesses

SC-7(16) - Boundary Protection | Prevent Discovery of System Components

SC-7(17) - Boundary Protection | Automated Enforcement of Protocol Formats

SC-7(18) - Boundary Protection | Fail Secure

SC-7(19) - Boundary Protection | Block Communication from Non-organizationally Configured Hosts

SC-7(20) - Boundary Protection | Dynamic Isolation and Segregation

SC-7(21) - Boundary Protection | Isolation of System Components

SC-7(22) - Boundary Protection | Separate Subnets for Connecting to Different Security Domains

SC-7(23) - Boundary Protection | Disable Sender Feedback on Protocol Validation Failure

SC-7(24) - Boundary Protection | Personally Identifiable Information

SC-7(25) - Boundary Protection | Unclassified National Security System Connections

SC-7(26) - Boundary Protection | Classified National Security System Connections

SC-7(27) - Boundary Protection | Unclassified Non-national Security System Connections

SC-7(28) - Boundary Protection | Connections to Public Networks

SC-7(29) - Boundary Protection | Separate Subnets to Isolate Functions

SC-8 - Transmission Confidentiality and Integrity

SC-8(1) - Transmission Confidentiality and Integrity | Cryptographic Protection

SC-8(2) - Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling

SC-8(3) - Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals

SC-8(4) - Transmission Confidentiality and Integrity | Conceal or Randomize Communications

SC-8(5) - Transmission Confidentiality and Integrity | Protected Distribution System

SC-10 - Network Disconnect

SC-11 - Trusted Path

SC-11(1) - Trusted Path | Irrefutable Communications Path

SC-12 - Cryptographic Key Establishment and Management

SC-12(1) - Cryptographic Key Establishment and Management | Availability

SC-12(2) - Cryptographic Key Establishment and Management | Symmetric Keys

SC-12(3) - Cryptographic Key Establishment and Management | Asymmetric Keys

SC-12(6) - Cryptographic Key Establishment and Management | Physical Control of Keys

SC-13 - Cryptographic Protection

SC-15 - Collaborative Computing Devices and Applications

SC-15(1) - Collaborative Computing Devices and Applications | Physical or Logical Disconnect

SC-15(3) - Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas

SC-15(4) - Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants

SC-16 - Transmission of Security and Privacy Attributes

SC-16(1) - Transmission of Security and Privacy Attributes | Integrity Verification

SC-16(2) - Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms

SC-16(3) - Transmission of Security and Privacy Attributes | Cryptographic Binding

SC-17 - Public Key Infrastructure Certificates

SC-18 - Mobile Code

SC-18(1) - Mobile Code | Identify Unacceptable Code and Take Corrective Actions

SC-18(2) - Mobile Code | Acquisition, Development, and Use

SC-18(3) - Mobile Code | Prevent Downloading and Execution

SC-18(4) - Mobile Code | Prevent Automatic Execution

SC-18(5) - Mobile Code | Allow Execution Only in Confined Environments

SC-20 - Secure Name/address Resolution Service (authoritative Source)

SC-20(2) - Secure Name/address Resolution Service (authoritative Source) | Data Origin and Integrity

SC-21 - Secure Name/address Resolution Service (recursive or Caching Resolver)

SC-22 - Architecture and Provisioning for Name/address Resolution Service

SC-23 - Session Authenticity

SC-23(1) - Session Authenticity | Invalidate Session Identifiers at Logout

SC-23(3) - Session Authenticity | Unique System-generated Session Identifiers

SC-23(5) - Session Authenticity | Allowed Certificate Authorities

SC-24 - Fail in Known State

SC-25 - Thin Nodes

SC-26 - Decoys

SC-27 - Platform-independent Applications

SC-28 - Protection of Information at Rest

SC-28(1) - Protection of Information at Rest | Cryptographic Protection

SC-28(2) - Protection of Information at Rest | Offline Storage

SC-28(3) - Protection of Information at Rest | Cryptographic Keys

SC-29 - Heterogeneity

SC-29(1) - Heterogeneity | Virtualization Techniques

SC-30 - Concealment and Misdirection

SC-30(2) - Concealment and Misdirection | Randomness

SC-30(3) - Concealment and Misdirection | Change Processing and Storage Locations

SC-30(4) - Concealment and Misdirection | Misleading Information

SC-30(5) - Concealment and Misdirection | Concealment of System Components

SC-31 - Covert Channel Analysis

SC-31(1) - Covert Channel Analysis | Test Covert Channels for Exploitability

SC-31(2) - Covert Channel Analysis | Maximum Bandwidth

SC-31(3) - Covert Channel Analysis | Measure Bandwidth in Operational Environments

SC-32 - System Partitioning

SC-32(1) - System Partitioning | Separate Physical Domains for Privileged Functions

SC-34 - Non-modifiable Executable Programs

SC-34(1) - Non-modifiable Executable Programs | No Writable Storage

SC-34(2) - Non-modifiable Executable Programs | Integrity Protection on Read-only Media

SC-35 - External Malicious Code Identification

SC-36 - Distributed Processing and Storage

SC-36(1) - Distributed Processing and Storage | Polling Techniques

SC-36(2) - Distributed Processing and Storage | Synchronization

SC-37 - Out-of-band Channels

SC-37(1) - Out-of-band Channels | Ensure Delivery and Transmission

SC-38 - Operations Security

SC-39 - Process Isolation

SC-39(1) - Process Isolation | Hardware Separation

SC-39(2) - Process Isolation | Separate Execution Domain Per Thread

SC-40 - Wireless Link Protection

SC-40(1) - Wireless Link Protection | Electromagnetic Interference

SC-40(2) - Wireless Link Protection | Reduce Detection Potential

SC-40(3) - Wireless Link Protection | Imitative or Manipulative Communications Deception

SC-40(4) - Wireless Link Protection | Signal Parameter Identification

SC-41 - Port and I/O Device Access

SC-42 - Sensor Capability and Data

SC-42(1) - Sensor Capability and Data | Reporting to Authorized Individuals or Roles

SC-42(2) - Sensor Capability and Data | Authorized Use

SC-42(4) - Sensor Capability and Data | Notice of Collection

SC-42(5) - Sensor Capability and Data | Collection Minimization

SC-43 - Usage Restrictions

SC-44 - Detonation Chambers

SC-45 - System Time Synchronization

SC-45(1) - System Time Synchronization | Synchronization with Authoritative Time Source

SC-45(2) - System Time Synchronization | Secondary Authoritative Time Source

SC-46 - Cross Domain Policy Enforcement

SC-47 - Alternate Communications Paths

SC-48 - Sensor Relocation

SC-48(1) - Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities

SC-49 - Hardware-enforced Separation and Policy Enforcement

SC-50 - Software-enforced Separation and Policy Enforcement

SC-51 - Hardware-based Protection

SI - System and Information Integrity

SI-1 - Policy and Procedures

SI-2 - Flaw Remediation

SI-2(2) - Flaw Remediation | Automated Flaw Remediation Status

SI-2(3) - Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions

SI-2(4) - Flaw Remediation | Automated Patch Management Tools

SI-2(5) - Flaw Remediation | Automatic Software and Firmware Updates

SI-2(6) - Flaw Remediation | Removal of Previous Versions of Software and Firmware

SI-3 - Malicious Code Protection

SI-3(4) - Malicious Code Protection | Updates Only by Privileged Users

SI-3(6) - Malicious Code Protection | Testing and Verification

SI-3(8) - Malicious Code Protection | Detect Unauthorized Commands

SI-3(10) - Malicious Code Protection | Malicious Code Analysis

SI-4 - System Monitoring

SI-4(1) - System Monitoring | System-wide Intrusion Detection System

SI-4(2) - System Monitoring | Automated Tools and Mechanisms for Real-time Analysis

SI-4(3) - System Monitoring | Automated Tool and Mechanism Integration

SI-4(4) - System Monitoring | Inbound and Outbound Communications Traffic

SI-4(5) - System Monitoring | System-generated Alerts

SI-4(7) - System Monitoring | Automated Response to Suspicious Events

SI-4(9) - System Monitoring | Testing of Monitoring Tools and Mechanisms

SI-4(10) - System Monitoring | Visibility of Encrypted Communications

SI-4(11) - System Monitoring | Analyze Communications Traffic Anomalies

SI-4(12) - System Monitoring | Automated Organization-generated Alerts

SI-4(13) - System Monitoring | Analyze Traffic and Event Patterns

SI-4(14) - System Monitoring | Wireless Intrusion Detection

SI-4(15) - System Monitoring | Wireless to Wireline Communications

SI-4(16) - System Monitoring | Correlate Monitoring Information

SI-4(17) - System Monitoring | Integrated Situational Awareness

SI-4(18) - System Monitoring | Analyze Traffic and Covert Exfiltration

SI-4(19) - System Monitoring | Risk for Individuals

SI-4(20) - System Monitoring | Privileged Users

SI-4(21) - System Monitoring | Probationary Periods

SI-4(22) - System Monitoring | Unauthorized Network Services

SI-4(23) - System Monitoring | Host-based Devices

SI-4(24) - System Monitoring | Indicators of Compromise

SI-4(25) - System Monitoring | Optimize Network Traffic Analysis

SI-5 - Security Alerts, Advisories, and Directives

SI-5(1) - Security Alerts, Advisories, and Directives | Automated Alerts and Advisories

SI-6 - Security and Privacy Function Verification

SI-6(2) - Security and Privacy Function Verification | Automation Support for Distributed Testing

SI-6(3) - Security and Privacy Function Verification | Report Verification Results

SI-7 - Software, Firmware, and Information Integrity

SI-7(1) - Software, Firmware, and Information Integrity | Integrity Checks

SI-7(2) - Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations

SI-7(3) - Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools

SI-7(5) - Software, Firmware, and Information Integrity | Automated Response to Integrity Violations

SI-7(6) - Software, Firmware, and Information Integrity | Cryptographic Protection

SI-7(7) - Software, Firmware, and Information Integrity | Integration of Detection and Response

SI-7(8) - Software, Firmware, and Information Integrity | Auditing Capability for Significant Events

SI-7(9) - Software, Firmware, and Information Integrity | Verify Boot Process

SI-7(10) - Software, Firmware, and Information Integrity | Protection of Boot Firmware

SI-7(12) - Software, Firmware, and Information Integrity | Integrity Verification

SI-7(15) - Software, Firmware, and Information Integrity | Code Authentication

SI-7(16) - Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision

SI-7(17) - Software, Firmware, and Information Integrity | Runtime Application Self-protection

SI-8 - Spam Protection

SI-8(2) - Spam Protection | Automatic Updates

SI-8(3) - Spam Protection | Continuous Learning Capability

SI-10 - Information Input Validation

SI-10(1) - Information Input Validation | Manual Override Capability

SI-10(2) - Information Input Validation | Review and Resolve Errors

SI-10(3) - Information Input Validation | Predictable Behavior

SI-10(4) - Information Input Validation | Timing Interactions

SI-10(5) - Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats

SI-10(6) - Information Input Validation | Injection Prevention

SI-11 - Error Handling

SI-12 - Information Management and Retention

SI-12(1) - Information Management and Retention | Limit Personally Identifiable Information Elements

SI-12(2) - Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research

SI-12(3) - Information Management and Retention | Information Disposal

SI-13 - Predictable Failure Prevention

SI-13(1) - Predictable Failure Prevention | Transferring Component Responsibilities

SI-13(3) - Predictable Failure Prevention | Manual Transfer Between Components

SI-13(4) - Predictable Failure Prevention | Standby Component Installation and Notification

SI-13(5) - Predictable Failure Prevention | Failover Capability

SI-14 - Non-persistence

SI-14(1) - Non-persistence | Refresh from Trusted Sources

SI-14(2) - Non-persistence | Non-persistent Information

SI-14(3) - Non-persistence | Non-persistent Connectivity

SI-15 - Information Output Filtering

SI-16 - Memory Protection

SI-17 - Fail-safe Procedures

SI-18 - Personally Identifiable Information Quality Operations

SI-18(1) - Personally Identifiable Information Quality Operations | Automation Support

SI-18(2) - Personally Identifiable Information Quality Operations | Data Tags

SI-18(3) - Personally Identifiable Information Quality Operations | Collection

SI-18(4) - Personally Identifiable Information Quality Operations | Individual Requests

SI-18(5) - Personally Identifiable Information Quality Operations | Notice of Correction or Deletion

SI-19 - De-identification

SI-19(1) - De-identification | Collection

SI-19(2) - De-identification | Archiving

SI-19(3) - De-identification | Release

SI-19(4) - De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers

SI-19(5) - De-identification | Statistical Disclosure Control

SI-19(6) - De-identification | Differential Privacy

SI-19(7) - De-identification | Validated Algorithms and Software

SI-19(8) - De-identification | Motivated Intruder

SI-20 - Tainting

SI-21 - Information Refresh

SI-22 - Information Diversity

SI-23 - Information Fragmentation

SR - Supply Chain Risk Management

SR-1 - Policy and Procedures

SR-2 - Supply Chain Risk Management Plan

SR-2(1) - Supply Chain Risk Management Plan | Establish Scrm Team

SR-3 - Supply Chain Controls and Processes

SR-3(1) - Supply Chain Controls and Processes | Diverse Supply Base

SR-3(2) - Supply Chain Controls and Processes | Limitation of Harm

SR-3(3) - Supply Chain Controls and Processes | Sub-tier Flow Down

SR-4 - Provenance

SR-4(1) - Provenance | Identity

SR-4(2) - Provenance | Track and Trace

SR-4(3) - Provenance | Validate as Genuine and Not Altered

SR-4(4) - Provenance | Supply Chain Integrity — Pedigree

SR-5 - Acquisition Strategies, Tools, and Methods

SR-5(1) - Acquisition Strategies, Tools, and Methods | Adequate Supply

SR-5(2) - Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update

SR-6 - Supplier Assessments and Reviews

SR-6(1) - Supplier Assessments and Reviews | Testing and Analysis

SR-7 - Supply Chain Operations Security

SR-8 - Notification Agreements

SR-9 - Tamper Resistance and Detection

SR-9(1) - Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle

SR-10 - Inspection of Systems or Components

SR-11 - Component Authenticity

SR-11(1) - Component Authenticity | Anti-counterfeit Training

SR-11(2) - Component Authenticity | Configuration Control for Component Service and Repair

SR-11(3) - Component Authenticity | Anti-counterfeit Scanning

SR-12 - Component Disposal

CM-5(6) - Access Restrictions for Change | Limit Library Privileges

Limit privileges to change software resident within software libraries.

ID: CM-5(6)

Enhancement of : CM-5

Space Segment Guidance

Restricting or prohibiting the transfer of specific software components helps prevent mishandling or illicit uploads that could compromise spacecraft integrity. In practice, engineering teams may designate specific “critical” binaries, such as flight controllers or cryptographic libraries, as non-transferable unless unique conditions are met (e.g., multi-party approvals). This approach is particularly relevant when multiple organizations collaborate on a single bus or when commands are routed through disparate ground stations. By defining which files can (and cannot) move between nodes, the mission avoids accidentally inserting test modules into production or allowing an adversary to slip unapproved firmware onto the on-orbit asset.

Countermeasures Covered by Control

ID	Name	Description	D3FEND
CM0004	Development Environment Security	In order to secure the development environment, the first step is understanding all the devices and people who interact with it. Maintain an accurate inventory of all people and assets that touch the development environment. Ensure strong multi-factor authentication is used across the development environment, especially for code repositories, as threat actors may attempt to sneak malicious code into software that's being built without being detected. Use zero-trust access controls to the code repositories where possible. For example, ensure the main branches in repositories are protected from injecting malicious code. A secure development environment requires change management, privilege management, auditing and in-depth monitoring across the environment.	D3-AI \| D3-AVE \| D3-SWI \| D3-HCI \| D3-NNI \| D3-OAM \| D3-AM \| D3-OM \| D3-DI \| D3-MFA \| D3-CH \| D3-OTP \| D3-BAN \| D3-PA \| D3- FAPA \| D3- DQSA \| D3-IBCA \| D3-PCSV \| D3-PSMD
CM0010	Update Software	Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times. Release updated versions of the software/firmware systems incorporating security-relevant updates, after suitable regression testing, at a frequency no greater than mission-defined frequency [i.e., 30 days]. Ideally old versions of software are removed after upgrading but restoration states (i.e., gold images) are recommended to remain on the system.	D3-SU
CM0012	Software Bill of Materials	Generate Software Bill of Materials (SBOM) against the entire software supply chain and cross correlate with known vulnerabilities (e.g., Common Vulnerabilities and Exposures) to mitigate known vulnerabilities. Protect the SBOM according to countermeasures in CM0001.	D3-AI \| D3-AVE \| D3-SWI
CM0013	Dependency Confusion	Ensure proper protections are in place for ensuring dependency confusion is mitigated like ensuring that internal dependencies be pulled from private repositories vice public repositories, ensuring that your CI/CD/development environment is secure as defined in CM0004 and validate dependency integrity by ensuring checksums match official packages.	D3-LFP \| D3-UBA \| D3-RAPA \| D3-MAC
CM0015	Software Source Control	Prohibit the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.	D3-PM \| D3-SBV \| D3-EI \| D3-EAL \| D3- EDL \| D3-DCE
CM0021	Software Digital Signature	Prevent the installation of Flight Software without verification that the component has been digitally signed using a certificate that is recognized and approved by the mission.	D3-CH \| D3-CBAN \| D3-FV \| D3-DLIC \| D3-EAL \| D3-SBV
CM0023	Configuration Management	Use automated mechanisms to maintain and validate baseline configuration to ensure the spacecraft's is up-to-date, complete, accurate, and readily available.	D3-ACH \| D3-CI \| D3-SICA \| D3-USICA

Sample Requirements

Requirement	Rationale/Additional Guidance/Notes
The [organization] shall develop and document program-specific configuration management policies and procedures for the hardware and software for the spacecraft. {CM-1,CM-3,CM-5(6),SA-10,SA-10(3)}
The [organization] shall define processes and procedures to be followed when integrity verification tools detect unauthorized changes to software, firmware, and information.{SV-IT-2}{CM-3,CM-3(1),CM-3(5),CM-5(6),CM-6,CP-2,IR-6,IR-6(2),PM-30,SC-16(1),SC-51,SI-3,SI-4(7),SI-4(24),SI-7,SI-7(7),SI-7(10)}
The [organization] shall develop and document spacecraft integrity policies covering both hardware and software. {CM-5(6),SA-10(3),SI-1,SI-7(12)}
The [organization] shall enable integrity verification of software and firmware components.{SV-IT-2}{CM-3(5),CM-5(6),CM-10(1),SA-8(9),SA-8(11),SA-8(21),SA-10(1),SI-3,SI-4(24),SI-7,SI-7(10),SI-7(12),SR-4(4)}	* The integrity verification mechanisms may include: Stipulating and monitoring logical delivery of products and services, requiring downloading from approved, verification-enhanced sites; Encrypting elements (software, software patches, etc.) and supply chain process data in transit (motion) and at rest throughout delivery; Requiring suppliers to provide their elements “secure by default”, so that additional configuration is required to make the element insecure; Implementing software designs using programming languages and tools that reduce the likelihood of weaknesses; Implementing cryptographic hash verification; and Establishing performance and sub-element baseline for the system and system elements to help detect unauthorized tampering/modification during repairs/refurbishing. Stipulating and monitoring logical delivery of products and services, requiring downloading from approved, verification-enhanced sites; Encrypting elements (software, software patches, etc.) and supply chain process data in transit (motion) and at rest throughout delivery; Requiring suppliers to provide their elements “secure by default”, so that additional configuration is required to make the element insecure; Implementing software designs using programming languages and tools that reduce the likelihood of weaknesses; Implementing cryptographic hash verification; and Establishing performance and sub-element baseline for the system and system elements to help detect unauthorized tampering/modification during repairs/refurbishing.
The [spacecraft] shall employ the principle of least privilege, allowing only authorized accesses processes which are necessary to accomplish assigned tasks in accordance with system functions.{SV-AC-6}{AC-3,AC-6,AC-6(9),CA-9,CM-5,CM-5(5),CM-5(6),SA-8(2),SA-8(5),SA-8(6),SA-8(14),SA-8(23),SA-17(7),SC-2,SC-7(29),SC-32,SC-32(1),SI-3}

Related SPARTA Techniques and Sub-Techniques

ID		Name	Description
REC-0006		Gather FSW Development Information	Threat actors may obtain information regarding the flight software (FSW) development environment for the victim spacecraft. This information may include the development environment, source code, compiled binaries, testing tools, and fault management.
	REC-0006.01	Development Environment	Threat actors may gather information regarding the development environment for the victim spacecraft's FSW. This information can include IDEs, configurations, source code, environment variables, source code repositories, code "secrets", and compiled binaries.
IA-0001		Compromise Supply Chain	Threat actors may manipulate or compromise products or product delivery mechanisms before the customer receives them in order to achieve data or system compromise.
	IA-0001.01	Software Dependencies & Development Tools	Threat actors may manipulate software dependencies (i.e. dependency confusion) and/or development tools prior to the customer receiving them in order to achieve data or system compromise. Software binaries and applications often depend on external software to function properly. spacecraft developers may use open source projects to help with their creation. These open source projects may be targeted by threat actors as a way to add malicious code to the victim spacecraft's dependencies.
	IA-0001.02	Software Supply Chain	Threat actors may manipulate software binaries and applications prior to the customer receiving them in order to achieve data or system compromise. This attack can take place in a number of ways, including manipulation of source code, manipulation of the update and/or distribution mechanism, or replacing compiled versions with a malicious one.
IA-0002		Compromise Software Defined Radio	Threat actors may target software defined radios due to their software nature to establish C2 channels. Since SDRs are programmable, when combined with supply chain or development environment attacks, SDRs provide a pathway to setup covert C2 channels for a threat actor.
IA-0004		Secondary/Backup Communication Channel	Threat actors may compromise alternative communication pathways which may not be as protected as the primary pathway. Depending on implementation the contingency communication pathways/solutions may lack the same level of security (i.e., physical security, encryption, authentication, etc.) which if forced to use could provide a threat actor an opportunity to launch attacks. Typically these would have to be coupled with other denial of service techniques on the primary pathway to force usage of secondary pathways.
	IA-0004.02	Receiver	Threat actors may target the backup/secondary receiver on the spacecraft as a method to inject malicious communications into the mission. The secondary receivers may come from different supply chains than the primary which could have different level of security and weaknesses. Similar to the ground station, the communication through the secondary receiver could be forced or happening naturally.
IA-0006		Compromise Hosted Payload	Threat actors may compromise the target spacecraft hosted payload to initially access and/or persist within the system. Hosted payloads can usually be accessed from the ground via a specific command set. The command pathways can leverage the same ground infrastructure or some host payloads have their own ground infrastructure which can provide an access vector as well. Threat actors may be able to leverage the ability to command hosted payloads to upload files or modify memory addresses in order to compromise the system. Depending on the implementation, hosted payloads may provide some sort of lateral movement potential.
IA-0007		Compromise Ground System	Threat actors may initially compromise the ground system in order to access the target spacecraft. Once compromised, the threat actor can perform a multitude of initial access techniques, including replay, compromising FSW deployment, compromising encryption keys, and compromising authentication schemes. Threat actors may also perform further reconnaissance within the system to enumerate mission networks and gather information related to ground station logical topology, missions ran out of said ground station, birds that are in-band of targeted ground stations, and other mission system capabilities.
	IA-0007.01	Compromise On-Orbit Update	Threat actors may manipulate and modify on-orbit updates before they are sent to the target spacecraft. This attack can be done in a number of ways, including manipulation of source code, manipulating environment variables, on-board table/memory values, or replacing compiled versions with a malicious one.
IA-0011		Auxiliary Device Compromise	Threat actors may exploit the auxiliary/peripheral devices that get plugged into spacecrafts. It is no longer atypical to see spacecrafts, especially CubeSats, with Universal Serial Bus (USB) ports or other ports where auxiliary/peripheral devices can be plugged in. Threat actors can execute malicious code on the spacecrafts by copying the malicious code to auxiliary/peripheral devices and taking advantage of logic on the spacecraft to execute code on these devices. This may occur through manual manipulation of the auxiliary/peripheral devices, modification of standard IT systems used to initially format/create the auxiliary/peripheral device, or modification to the auxiliary/peripheral devices' firmware itself.
IA-0012		Assembly, Test, and Launch Operation Compromise	Threat actors may target the spacecraft hardware and/or software while the spacecraft is at Assembly, Test, and Launch Operation (ATLO). ATLO is often the first time pieces of the spacecraft are fully integrated and exchanging data across interfaces. Malware could propagate from infected devices across the integrated spacecraft. For example, test equipment (i.e., transient cyber asset) is often brought in for testing elements of the spacecraft. Additionally, varying levels of physical security is in place which may be a reduction in physical security typically seen during development. The ATLO environment should be considered a viable attack vector and the appropriate/equivalent security controls from the primary development environment should be implemented during ATLO as well.
EX-0003		Modify Authentication Process	Threat actors may modify the internal authentication process of the victim spacecraft to facilitate initial access, recurring execution, or prevent authorized entities from accessing the spacecraft. This can be done through the modification of the software binaries or memory manipulation techniques.
EX-0004		Compromise Boot Memory	Threat actors may manipulate boot memory in order to execute malicious code, bypass internal processes, or DoS the system. This technique can be used to perform other tactics such as Defense Evasion.
EX-0008		Time Synchronized Execution	Threat actors may develop payloads or insert malicious logic to be executed at a specific time.
	EX-0008.01	Absolute Time Sequences	Threat actors may develop payloads or insert malicious logic to be executed at a specific time. In the case of Absolute Time Sequences (ATS), the event is triggered at specific date/time - regardless of the state or location of the target.
	EX-0008.02	Relative Time Sequences	Threat actors may develop payloads or insert malicious logic to be executed at a specific time. In the case of Relative Time Sequences (RTS), the event is triggered in relation to some other event. For example, a specific amount of time after boot.
EX-0009		Exploit Code Flaws	Threats actors may identify and exploit flaws or weaknesses within the software running on-board the target spacecraft. These attacks may be extremely targeted and tailored to specific coding errors introduced as a result of poor coding practices or they may target known issues in the commercial software components.
	EX-0009.01	Flight Software	Threat actors may abuse known or unknown flight software code flaws in order to further the attack campaign. Some FSW suites contain API functionality for operator interaction. Threat actors may seek to exploit these or abuse a vulnerability/misconfiguration to maliciously execute code or commands. In some cases, these code flaws can perpetuate throughout the victim spacecraft, allowing access to otherwise segmented subsystems.
	EX-0009.02	Operating System	Threat actors may exploit flaws in the operating system code, which controls the storage, memory management, provides resources to the FSW, and controls the bus. There has been a trend where some modern spacecraft are running Unix-based operating systems and establishing SSH connections for communications between the ground and spacecraft. Threat actors may seek to gain access to command line interfaces & shell environments in these instances. Additionally, most operating systems, including real-time operating systems, include API functionality for operator interaction. Threat actors may seek to exploit these or abuse a vulnerability/misconfiguration to maliciously execute code or commands.
	EX-0009.03	Known Vulnerability (COTS/FOSS)	Threat actors may utilize knowledge of the spacecraft software composition to enumerate and exploit known flaws or vulnerabilities in the commercial or open source software running on-board the target spacecraft.
EX-0010		Malicious Code	Threat actors may rely on other tactics and techniques in order to execute malicious code on the victim spacecraft. This can be done via compromising the supply chain or development environment in some capacity or taking advantage of known commands. However, once malicious code has been uploaded to the victim spacecraft, the threat actor can then trigger the code to run via a specific command or wait for a legitimate user to trigger it accidently. The code itself can do a number of different things to the hosted payload, subsystems, or underlying OS.
	EX-0010.01	Ransomware	Threat actors may encrypt spacecraft data to interrupt availability and usability. Threat actors can attempt to render stored data inaccessible by encrypting files or data and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key or to render data permanently inaccessible in cases where the key is not saved or transmitted.
	EX-0010.02	Wiper Malware	Threat actors may deploy wiper malware, which is a type of malicious software designed to destroy data or render it unusable. Wiper malware can spread through various means, software vulnerabilities (CWE/CVE), or by exploiting weak or stolen credentials.
	EX-0010.03	Rootkit	Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the flight software or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware.
	EX-0010.04	Bootkit	Adversaries may use bootkits to persist on systems and evade detection. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
PER-0001		Memory Compromise	Threat actors may manipulate memory (boot, RAM, etc.) in order for their malicious code and/or commands to remain on the victim spacecraft. The spacecraft may have mechanisms that allow for the automatic running of programs on system reboot, entering or returning to/from safe mode, or during specific events. Threat actors may target these specific memory locations in order to store their malicious code or file, ensuring that the attack remains on the system even after a reset.
PER-0002		Backdoor	Threat actors may find and target various backdoors, or inject their own, within the victim spacecraft in the hopes of maintaining their attack.
	PER-0002.02	Software Backdoor	Threat actors may inject code to create their own backdoor to establish persistent access to the spacecraft. This may be done through modification of code throughout the software supply chain or through modification of the software-defined radio configuration (if applicable).
DE-0007		Evasion via Rootkit	Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the flight software or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware.
DE-0008		Evasion via Bootkit	Adversaries may use bootkits to persist on systems and evade detection. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
LM-0001		Hosted Payload	Threat actors may use the hosted payload within the victim spacecraft in order to gain access to other subsystems. The hosted payload often has a need to gather and send data to the internal subsystems, depending on its purpose. Threat actors may be able to take advantage of this communication in order to laterally move to the other subsystems and have commands be processed.
EXF-0006		Modify Communications Configuration	Threat actors can manipulate communications equipment, modifying the existing software, hardware, or the transponder configuration to exfiltrate data via unintentional channels the mission has no control over.
	EXF-0006.01	Software Defined Radio	Threat actors may target software defined radios due to their software nature to setup exfiltration channels. Since SDRs are programmable, when combined with supply chain or development environment attacks, SDRs provide a pathway to setup covert exfiltration channels for a threat actor.
	EXF-0006.02	Transponder	Threat actors may change the transponder configuration to exfiltrate data via radio access to an attacker-controlled asset.
EXF-0008		Compromised Developer Site	Threat actors may compromise development environments located within the ground system or a developer/partner site. This attack can take place in a number of different ways, including manipulation of source code, manipulating environment variables, or replacing compiled versions with a malicious one. This technique is usually performed before the target spacecraft is in orbit, with the hopes of adding malicious code to the actual FSW during the development process.

CM-5(6) - Access Restrictions for Change | Limit Library Privileges

Space Segment Guidance

Informational References

ISO 27001

Countermeasures Covered by Control

Space Threats Tagged by Control

Sample Requirements

Related SPARTA Techniques and Sub-Techniques