DoD SRG Rev 5
DoD Cloud Computing Security Requirements Guide - FedRAMP+ controls by Impact Level
Showing 345 controls at IL4 Mod impact level
AC - Access Control (43 controls)
AC-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
AC-2 Account Management
IL4 Mod, IL4 High, IL5, IL6
AC-2(1) Account Management | Automated System Account Management
IL4 Mod, IL4 High, IL5, IL6
AC-2(2) Account Management | Automated Temporary and Emergency Account Management
IL4 Mod, IL4 High, IL5, IL6
AC-2(3) Account Management | Disable Accounts
IL4 Mod, IL4 High, IL5, IL6
AC-2(4) Account Management | Automated Audit Actions
IL4 Mod, IL4 High, IL5, IL6
AC-2(5) Account Management | Inactivity Logout
IL4 Mod, IL4 High, IL5, IL6
AC-2(7) Account Management | Privileged User Accounts
IL4 Mod, IL4 High, IL5, IL6
AC-2(9) Account Management | Restrictions on Use of Shared and Group Accounts
IL4 Mod, IL4 High, IL5, IL6
AC-2(12) Account Management | Account Monitoring for Atypical Usage
IL4 Mod, IL4 High, IL5, IL6
AC-2(13) Account Management | Disable Accounts for High-risk Individuals
IL4 Mod, IL4 High, IL5, IL6
AC-3 Access Enforcement
IL4 Mod, IL4 High, IL5, IL6
AC-4 Information Flow Enforcement
IL4 Mod, IL4 High, IL5, IL6
AC-4(21) Information Flow Enforcement | Physical or Logical Separation of Information Flows
IL4 Mod, IL4 High, IL5, IL6
AC-5 Separation of Duties
IL4 Mod, IL4 High, IL5, IL6
AC-6 Least Privilege
IL4 Mod, IL4 High, IL5, IL6
AC-6(1) Least Privilege | Authorize Access to Security Functions
IL4 Mod, IL4 High, IL5, IL6
AC-6(2) Least Privilege | Non-privileged Access for Nonsecurity Functions
IL4 Mod, IL4 High, IL5, IL6
AC-6(5) Least Privilege | Privileged Accounts
IL4 Mod, IL4 High, IL5, IL6
AC-6(7) Least Privilege | Review of User Privileges
IL4 Mod, IL4 High, IL5, IL6
AC-6(9) Least Privilege | Log Use of Privileged Functions
IL4 Mod, IL4 High, IL5, IL6
AC-6(10) Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions
IL4 Mod, IL4 High, IL5, IL6
AC-7 Unsuccessful Logon Attempts
IL4 Mod, IL4 High, IL5, IL6
AC-8 System Use Notification
IL4 Mod, IL4 High, IL5, IL6
AC-11 Device Lock
IL4 Mod, IL4 High, IL5, IL6
AC-11(1) Device Lock | Pattern-hiding Displays
IL4 Mod, IL4 High, IL5, IL6
AC-12 Session Termination
IL4 Mod, IL4 High, IL5, IL6
AC-14 Permitted Actions Without Identification or Authentication
IL4 Mod, IL4 High, IL5, IL6
AC-17 Remote Access
IL4 Mod, IL4 High, IL5, IL6
AC-17(1) Remote Access | Monitoring and Control
IL4 Mod, IL4 High, IL5, IL6
AC-17(2) Remote Access | Protection of Confidentiality and Integrity Using Encryption
IL4 Mod, IL4 High, IL5, IL6
AC-17(3) Remote Access | Managed Access Control Points
IL4 Mod, IL4 High, IL5, IL6
AC-17(4) Remote Access | Privileged Commands and Access
IL4 Mod, IL4 High, IL5, IL6
AC-18 Wireless Access
IL4 Mod, IL4 High, IL5, IL6
AC-18(1) Wireless Access | Authentication and Encryption
IL4 Mod, IL4 High, IL5, IL6
AC-18(3) Wireless Access | Disable Wireless Networking
IL4 Mod, IL4 High, IL5, IL6
AC-19 Access Control for Mobile Devices
IL4 Mod, IL4 High, IL5, IL6
AC-19(5) Access Control for Mobile Devices | Full Device or Container-based Encryption
IL4 Mod, IL4 High, IL5, IL6
AC-20 Use of External Systems
IL4 Mod, IL4 High, IL5, IL6
AC-20(1) Use of External Systems | Limits on Authorized Use
IL4 Mod, IL4 High, IL5, IL6
AC-20(2) Use of External Systems | Portable Storage Devices -- Restricted Use
IL4 Mod, IL4 High, IL5, IL6
AC-21 Information Sharing
IL4 Mod, IL4 High, IL5, IL6
AC-22 Publicly Accessible Content
IL4 Mod, IL4 High, IL5, IL6
AT - Awareness and Training (6 controls)
AT-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
AT-2 Literacy Training and Awareness
IL4 Mod, IL4 High, IL5, IL6
AT-2(2) Literacy Training and Awareness | Insider Threat
IL4 Mod, IL4 High, IL5, IL6
AT-2(3) Literacy Training and Awareness | Social Engineering and Mining
IL4 Mod, IL4 High, IL5, IL6
AT-3 Role-based Training
IL4 Mod, IL4 High, IL5, IL6
AT-4 Training Records
IL4 Mod, IL4 High, IL5, IL6
AU - Audit and Accountability (17 controls)
AU-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
AU-2 Event Logging
IL4 Mod, IL4 High, IL5, IL6
AU-3 Content of Audit Records
IL4 Mod, IL4 High, IL5, IL6
AU-3(1) Content of Audit Records | Additional Audit Information
IL4 Mod, IL4 High, IL5, IL6
AU-4 Audit Log Storage Capacity
IL4 Mod, IL4 High, IL5, IL6
AU-5 Response to Audit Logging Process Failures
IL4 Mod, IL4 High, IL5, IL6
AU-5(1) Response to Audit Logging Process Failures | Storage Capacity Warning
IL4 Mod, IL4 High, IL5, IL6
AU-6 Audit Record Review, Analysis, and Reporting
IL4 Mod, IL4 High, IL5, IL6
AU-6(1) Audit Record Review, Analysis, and Reporting | Automated Process Integration
IL4 Mod, IL4 High, IL5, IL6
AU-6(3) Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories
IL4 Mod, IL4 High, IL5, IL6
AU-7 Audit Record Reduction and Report Generation
IL4 Mod, IL4 High, IL5, IL6
AU-7(1) Audit Record Reduction and Report Generation | Automatic Processing
IL4 Mod, IL4 High, IL5, IL6
AU-8 Time Stamps
IL4 Mod, IL4 High, IL5, IL6
AU-9 Protection of Audit Information
IL4 Mod, IL4 High, IL5, IL6
AU-9(4) Protection of Audit Information | Access by Subset of Privileged Users
IL4 Mod, IL4 High, IL5, IL6
AU-11 Audit Record Retention
IL4 Mod, IL4 High, IL5, IL6
AU-12 Audit Record Generation
IL4 Mod, IL4 High, IL5, IL6
CA - Assessment, Authorization, and Monitoring (14 controls)
CA-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
CA-2 Control Assessments
IL4 Mod, IL4 High, IL5, IL6
CA-2(1) Control Assessments | Independent Assessors
IL4 Mod, IL4 High, IL5, IL6
CA-2(3) Control Assessments | Leveraging Results from External Organizations
IL4 Mod, IL4 High, IL5, IL6
CA-3 Information Exchange
IL4 Mod, IL4 High, IL5, IL6
CA-5 Plan of Action and Milestones
IL4 Mod, IL4 High, IL5, IL6
CA-6 Authorization
IL4 Mod, IL4 High, IL5, IL6
CA-7 Continuous Monitoring
IL4 Mod, IL4 High, IL5, IL6
CA-7(1) Continuous Monitoring | Independent Assessment
IL4 Mod, IL4 High, IL5, IL6
CA-7(4) Continuous Monitoring | Risk Monitoring
IL4 Mod, IL4 High, IL5, IL6
CA-8 Penetration Testing
IL4 Mod, IL4 High, IL5, IL6
CA-8(1) Penetration Testing | Independent Penetration Testing Agent or Team
IL4 Mod, IL4 High, IL5, IL6
CA-8(2) Penetration Testing | Red Team Exercises
IL4 Mod, IL4 High, IL5, IL6
CA-9 Internal System Connections
IL4 Mod, IL4 High, IL5, IL6
CM - Configuration Management (27 controls)
CM-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
CM-2 Baseline Configuration
IL4 Mod, IL4 High, IL5, IL6
CM-2(2) Baseline Configuration | Automation Support for Accuracy and Currency
IL4 Mod, IL4 High, IL5, IL6
CM-2(3) Baseline Configuration | Retention of Previous Configurations
IL4 Mod, IL4 High, IL5, IL6
CM-2(7) Baseline Configuration | Configure Systems and Components for High-risk Areas
IL4 Mod, IL4 High, IL5, IL6
CM-3 Configuration Change Control
IL4 Mod, IL4 High, IL5, IL6
CM-3(2) Configuration Change Control | Testing, Validation, and Documentation of Changes
IL4 Mod, IL4 High, IL5, IL6
CM-3(4) Configuration Change Control | Security and Privacy Representatives
IL4 Mod, IL4 High, IL5, IL6
CM-4 Impact Analyses
IL4 Mod, IL4 High, IL5, IL6
CM-4(2) Impact Analyses | Verification of Controls
IL4 Mod, IL4 High, IL5, IL6
CM-5 Access Restrictions for Change
IL4 Mod, IL4 High, IL5, IL6
CM-5(1) Access Restrictions for Change | Automated Access Enforcement and Audit Records
IL4 Mod, IL4 High, IL5, IL6
CM-5(5) Access Restrictions for Change | Privilege Limitation for Production and Operation
IL4 Mod, IL4 High, IL5, IL6
CM-6 Configuration Settings
IL4 Mod, IL4 High, IL5, IL6
CM-6(1) Configuration Settings | Automated Management, Application, and Verification
IL4 Mod, IL4 High, IL5, IL6
CM-7 Least Functionality
IL4 Mod, IL4 High, IL5, IL6
CM-7(1) Least Functionality | Periodic Review
IL4 Mod, IL4 High, IL5, IL6
CM-7(2) Least Functionality | Prevent Program Execution
IL4 Mod, IL4 High, IL5, IL6
CM-7(5) Least Functionality | Authorized Software -- Allow-by-exception
IL4 Mod, IL4 High, IL5, IL6
CM-8 System Component Inventory
IL4 Mod, IL4 High, IL5, IL6
CM-8(1) System Component Inventory | Updates During Installation and Removal
IL4 Mod, IL4 High, IL5, IL6
CM-8(3) System Component Inventory | Automated Unauthorized Component Detection
IL4 Mod, IL4 High, IL5, IL6
CM-9 Configuration Management Plan
IL4 Mod, IL4 High, IL5, IL6
CM-10 Software Usage Restrictions
IL4 Mod, IL4 High, IL5, IL6
CM-11 User-installed Software
IL4 Mod, IL4 High, IL5, IL6
CM-12 Information Location
IL4 Mod, IL4 High, IL5, IL6
CM-12(1) Information Location | Automated Tools to Support Information Location
IL4 Mod, IL4 High, IL5, IL6
CP - Contingency Planning (23 controls)
CP-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
CP-2 Contingency Plan
IL4 Mod, IL4 High, IL5, IL6
CP-2(1) Contingency Plan | Coordinate with Related Plans
IL4 Mod, IL4 High, IL5, IL6
CP-2(3) Contingency Plan | Resume Mission and Business Functions
IL4 Mod, IL4 High, IL5, IL6
CP-2(8) Contingency Plan | Identify Critical Assets
IL4 Mod, IL4 High, IL5, IL6
CP-3 Contingency Training
IL4 Mod, IL4 High, IL5, IL6
CP-4 Contingency Plan Testing
IL4 Mod, IL4 High, IL5, IL6
CP-4(1) Contingency Plan Testing | Coordinate with Related Plans
IL4 Mod, IL4 High, IL5, IL6
CP-6 Alternate Storage Site
IL4 Mod, IL4 High, IL5, IL6
CP-6(1) Alternate Storage Site | Separation from Primary Site
IL4 Mod, IL4 High, IL5, IL6
CP-6(3) Alternate Storage Site | Accessibility
IL4 Mod, IL4 High, IL5, IL6
CP-7 Alternate Processing Site
IL4 Mod, IL4 High, IL5, IL6
CP-7(1) Alternate Processing Site | Separation from Primary Site
IL4 Mod, IL4 High, IL5, IL6
CP-7(2) Alternate Processing Site | Accessibility
IL4 Mod, IL4 High, IL5, IL6
CP-7(3) Alternate Processing Site | Priority of Service
IL4 Mod, IL4 High, IL5, IL6
CP-8 Telecommunications Services
IL4 Mod, IL4 High, IL5, IL6
CP-8(1) Telecommunications Services | Priority of Service Provisions
IL4 Mod, IL4 High, IL5, IL6
CP-8(2) Telecommunications Services | Single Points of Failure
IL4 Mod, IL4 High, IL5, IL6
CP-9 System Backup
IL4 Mod, IL4 High, IL5, IL6
CP-9(1) System Backup | Testing for Reliability and Integrity
IL4 Mod, IL4 High, IL5, IL6
CP-9(8) System Backup | Cryptographic Protection
IL4 Mod, IL4 High, IL5, IL6
CP-10 System Recovery and Reconstitution
IL4 Mod, IL4 High, IL5, IL6
CP-10(2) System Recovery and Reconstitution | Transaction Recovery
IL4 Mod, IL4 High, IL5, IL6
GRR - DoD Governance, Risk and Resilience (10 controls)
GRR-1 DoD PKI authentication
IL4 Mod, IL4 High, IL5, IL6
GRR-2 DoD IP addressing
IL4 Mod, IL4 High, IL5, IL6
GRR-3 Data Locations
IL4 Mod, IL4 High, IL5, IL6
GRR-4 Management Plane Connectivity
IL4 Mod, IL4 High, IL5, IL6
GRR-5 CSO Personnel
IL4 Mod, IL4 High, IL5, IL6
GRR-6 Private Connection Availability Between CSP's/CSO's Network and DoD Network
IL4 Mod, IL4 High, IL5
GRR-7 Reliance on Internet-Based Capabilities
IL4 Mod, IL4 High, IL5
GRR-8 Reliance of Internet Access
IL4 Mod, IL4 High, IL5
GRR-9 CSP/CSO's Protection
IL4 Mod, IL4 High, IL5
GRR-10 Defense in depth architecture
IL4 Mod, IL4 High, IL5, IL6
IA - Identification and Authentication (27 controls)
IA-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
IA-2 Identification and Authentication (organizational Users)
IL4 Mod, IL4 High, IL5, IL6
IA-2(1) Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts
IL4 Mod, IL4 High, IL5, IL6
IA-2(2) Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts
IL4 Mod, IL4 High, IL5, IL6
IA-2(5) Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication
IL4 Mod, IL4 High, IL5, IL6
IA-2(6) Identification and Authentication (organizational Users) | Access to Accounts -- Separate Device
IL4 Mod, IL4 High, IL5, IL6
IA-2(8) Identification and Authentication (organizational Users) | Access to Accounts -- Replay Resistant
IL4 Mod, IL4 High, IL5, IL6
IA-2(12) Identification and Authentication (organizational Users) | Acceptance of PIV Credentials
IL4 Mod, IL4 High, IL5, IL6
IA-3 Device Identification and Authentication
IL4 Mod, IL4 High, IL5, IL6
IA-4 Identifier Management
IL4 Mod, IL4 High, IL5, IL6
IA-4(4) Identifier Management | Identify User Status
IL4 Mod, IL4 High, IL5, IL6
IA-5 Authenticator Management
IL4 Mod, IL4 High, IL5, IL6
IA-5(1) Authenticator Management | Password-based Authentication
IL4 Mod, IL4 High, IL5, IL6
IA-5(2) Authenticator Management | Public Key-based Authentication
IL4 Mod, IL4 High, IL5, IL6
IA-5(6) Authenticator Management | Protection of Authenticators
IL4 Mod, IL4 High, IL5, IL6
IA-5(7) Authenticator Management | No Embedded Unencrypted Static Authenticators
IL4 Mod, IL4 High, IL5, IL6
IA-6 Authentication Feedback
IL4 Mod, IL4 High, IL5, IL6
IA-7 Cryptographic Module Authentication
IL4 Mod, IL4 High, IL5, IL6
IA-8 Identification and Authentication (non-organizational Users)
IL4 Mod, IL4 High, IL5, IL6
IA-8(1) Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies
IL4 Mod, IL4 High, IL5, IL6
IA-8(2) Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators
IL4 Mod, IL4 High, IL5, IL6
IA-8(4) Identification and Authentication (non-organizational Users) | Use of Defined Profiles
IL4 Mod, IL4 High, IL5, IL6
IA-11 Re-authentication
IL4 Mod, IL4 High, IL5, IL6
IA-12 Identity Proofing
IL4 Mod, IL4 High, IL5, IL6
IA-12(2) Identity Proofing | Identity Evidence
IL4 Mod, IL4 High, IL5, IL6
IA-12(3) Identity Proofing | Identity Evidence Validation and Verification
IL4 Mod, IL4 High, IL5, IL6
IA-12(5) Identity Proofing | Address Confirmation
IL4 Mod, IL4 High, IL5, IL6
IR - Incident Response (17 controls)
IR-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
IR-2 Incident Response Training
IL4 Mod, IL4 High, IL5, IL6
IR-3 Incident Response Testing
IL4 Mod, IL4 High, IL5, IL6
IR-3(2) Incident Response Testing | Coordination with Related Plans
IL4 Mod, IL4 High, IL5, IL6
IR-4 Incident Handling
IL4 Mod, IL4 High, IL5, IL6
IR-4(1) Incident Handling | Automated Incident Handling Processes
IL4 Mod, IL4 High, IL5, IL6
IR-5 Incident Monitoring
IL4 Mod, IL4 High, IL5, IL6
IR-6 Incident Reporting
IL4 Mod, IL4 High, IL5, IL6
IR-6(1) Incident Reporting | Automated Reporting
IL4 Mod, IL4 High, IL5, IL6
IR-6(3) Incident Reporting | Supply Chain Coordination
IL4 Mod, IL4 High, IL5, IL6
IR-7 Incident Response Assistance
IL4 Mod, IL4 High, IL5, IL6
IR-7(1) Incident Response Assistance | Automation Support for Availability of Information and Support
IL4 Mod, IL4 High, IL5, IL6
IR-8 Incident Response Plan
IL4 Mod, IL4 High, IL5, IL6
IR-9 Information Spillage Response
IL4 Mod, IL4 High, IL5, IL6
IR-9(2) Information Spillage Response | Training
IL4 Mod, IL4 High, IL5, IL6
IR-9(3) Information Spillage Response | Post-spill Operations
IL4 Mod, IL4 High, IL5, IL6
IR-9(4) Information Spillage Response | Exposure to Unauthorized Personnel
IL4 Mod, IL4 High, IL5, IL6
MA - Maintenance (11 controls)
MA-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
MA-2 Controlled Maintenance
IL4 Mod, IL4 High, IL5, IL6
MA-3 Maintenance Tools
IL4 Mod, IL4 High, IL5, IL6
MA-3(1) Maintenance Tools | Inspect Tools
IL4 Mod, IL4 High, IL5, IL6
MA-3(2) Maintenance Tools | Inspect Media
IL4 Mod, IL4 High, IL5, IL6
MA-3(3) Maintenance Tools | Prevent Unauthorized Removal
IL4 Mod, IL4 High, IL5, IL6
MA-4 Nonlocal Maintenance
IL4 Mod, IL4 High, IL5, IL6
MA-5 Maintenance Personnel
IL4 Mod, IL4 High, IL5, IL6
MA-5(1) Maintenance Personnel | Individuals Without Appropriate Access
IL4 Mod, IL4 High, IL5, IL6
MA-5(5) Maintenance Personnel | Non-system Maintenance
IL4 Mod, IL4 High, IL5, IL6
MA-6 Timely Maintenance
IL4 Mod, IL4 High, IL5, IL6
MP - Media Protection (7 controls)
PE - Physical and Environmental Protection (19 controls)
PE-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
PE-2 Physical Access Authorizations
IL4 Mod, IL4 High, IL5, IL6
PE-3 Physical Access Control
IL4 Mod, IL4 High, IL5, IL6
PE-4 Access Control for Transmission
IL4 Mod, IL4 High, IL5, IL6
PE-5 Access Control for Output Devices
IL4 Mod, IL4 High, IL5, IL6
PE-6 Monitoring Physical Access
IL4 Mod, IL4 High, IL5, IL6
PE-6(1) Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
IL4 Mod, IL4 High, IL5, IL6
PE-8 Visitor Access Records
IL4 Mod, IL4 High, IL5, IL6
PE-9 Power Equipment and Cabling
IL4 Mod, IL4 High, IL5, IL6
PE-10 Emergency Shutoff
IL4 Mod, IL4 High, IL5, IL6
PE-11 Emergency Power
IL4 Mod, IL4 High, IL5, IL6
PE-12 Emergency Lighting
IL4 Mod, IL4 High, IL5, IL6
PE-13 Fire Protection
IL4 Mod, IL4 High, IL5, IL6
PE-13(1) Fire Protection | Detection Systems -- Automatic Activation and Notification
IL4 Mod, IL4 High, IL5, IL6
PE-13(2) Fire Protection | Suppression Systems -- Automatic Activation and Notification
IL4 Mod, IL4 High, IL5, IL6
PE-14 Environmental Controls
IL4 Mod, IL4 High, IL5, IL6
PE-15 Water Damage Protection
IL4 Mod, IL4 High, IL5, IL6
PE-16 Delivery and Removal
IL4 Mod, IL4 High, IL5, IL6
PE-17 Alternate Work Site
IL4 Mod, IL4 High, IL5, IL6
PL - Planning (7 controls)
PL-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
PL-2 System Security and Privacy Plans
IL4 Mod, IL4 High, IL5, IL6
PL-4 Rules of Behavior
IL4 Mod, IL4 High, IL5, IL6
PL-4(1) Rules of Behavior | Social Media and External Site/application Usage Restrictions
IL4 Mod, IL4 High, IL5, IL6
PL-8 Security and Privacy Architectures
IL4 Mod, IL4 High, IL5, IL6
PL-10 Baseline Selection
IL4 Mod, IL4 High, IL5, IL6
PL-11 Baseline Tailoring
IL4 Mod, IL4 High, IL5, IL6
PS - Personnel Security (11 controls)
PS-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
PS-2 Position Risk Designation
IL4 Mod, IL4 High, IL5, IL6
PS-3 Personnel Screening
IL4 Mod, IL4 High, IL5, IL6
PS-3(3) Personnel Screening | Information Requiring Special Protective Measures
IL4 Mod, IL4 High, IL5, IL6
PS-3(4) Personnel Screening | Citizenship Requirements
IL4 Mod, IL4 High, IL5, IL6
PS-4 Personnel Termination
IL4 Mod, IL4 High, IL5, IL6
PS-5 Personnel Transfer
IL4 Mod, IL4 High, IL5, IL6
PS-6 Access Agreements
IL4 Mod, IL4 High, IL5, IL6
PS-7 External Personnel Security
IL4 Mod, IL4 High, IL5, IL6
PS-8 Personnel Sanctions
IL4 Mod, IL4 High, IL5, IL6
PS-9 Position Descriptions
IL4 Mod, IL4 High, IL5, IL6
RA - Risk Assessment (11 controls)
RA-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
RA-2 Security Categorization
IL4 Mod, IL4 High, IL5, IL6
RA-3 Risk Assessment
IL4 Mod, IL4 High, IL5, IL6
RA-3(1) Risk Assessment | Supply Chain Risk Assessment
IL4 Mod, IL4 High, IL5, IL6
RA-5 Vulnerability Monitoring and Scanning
IL4 Mod, IL4 High, IL5, IL6
RA-5(2) Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
IL4 Mod, IL4 High, IL5, IL6
RA-5(3) Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage
IL4 Mod, IL4 High, IL5, IL6
RA-5(5) Vulnerability Monitoring and Scanning | Privileged Access
IL4 Mod, IL4 High, IL5, IL6
RA-5(11) Vulnerability Monitoring and Scanning | Public Disclosure Program
IL4 Mod, IL4 High, IL5, IL6
RA-7 Risk Response
IL4 Mod, IL4 High, IL5, IL6
RA-9 Criticality Analysis
IL4 Mod, IL4 High, IL5, IL6
SA - System and Services Acquisition (26 controls)
SA-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
SA-2 Allocation of Resources
IL4 Mod, IL4 High, IL5, IL6
SA-3 System Development Life Cycle
IL4 Mod, IL4 High, IL5, IL6
SA-4 Acquisition Process
IL4 Mod, IL4 High, IL5, IL6
SA-4(1) Acquisition Process | Functional Properties of Controls
IL4 Mod, IL4 High, IL5, IL6
SA-4(2) Acquisition Process | Design and Implementation Information for Controls
IL4 Mod, IL4 High, IL5, IL6
SA-4(5) Acquisition Process | System, Component, and Service Configurations
IL4 Mod, IL4 High, IL5, IL6
SA-4(9) Acquisition Process | Functions, Ports, Protocols, and Services in Use
IL4 Mod, IL4 High, IL5, IL6
SA-4(10) Acquisition Process | Use of Approved PIV Products
IL4 Mod, IL4 High, IL5, IL6
SA-5 System Documentation
IL4 Mod, IL4 High, IL5, IL6
SA-8 Security and Privacy Engineering Principles
IL4 Mod, IL4 High, IL5, IL6
SA-9 External System Services
IL4 Mod, IL4 High, IL5, IL6
SA-9(1) External System Services | Risk Assessments and Organizational Approvals
IL4 Mod, IL4 High, IL5, IL6
SA-9(2) External System Services | Identification of Functions, Ports, Protocols, and Services
IL4 Mod, IL4 High, IL5, IL6
SA-9(3) External System Services | Establish and Maintain Trust Relationship with Providers
IL4 Mod, IL4 High, IL5, IL6
SA-9(5) External System Services | Processing, Storage, and Service Location
IL4 Mod, IL4 High, IL5, IL6
SA-9(6) External System Services | Organization-controlled Cryptographic Keys
IL4 Mod, IL4 High, IL5, IL6
SA-9(7) External System Services | Organization-controlled Integrity Checking
IL4 Mod, IL4 High, IL5, IL6
SA-9(8) External System Services | Processing and Storage Location -- U.S. Jurisdiction
IL4 Mod, IL4 High, IL5, IL6
SA-10 Developer Configuration Management
IL4 Mod, IL4 High, IL5, IL6
SA-11 Developer Testing and Evaluation
IL4 Mod, IL4 High, IL5, IL6
SA-11(1) Developer Testing and Evaluation | Static Code Analysis
IL4 Mod, IL4 High, IL5, IL6
SA-11(2) Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
IL4 Mod, IL4 High, IL5, IL6
SA-15 Development Process, Standards, and Tools
IL4 Mod, IL4 High, IL5, IL6
SA-15(3) Development Process, Standards, and Tools | Criticality Analysis
IL4 Mod, IL4 High, IL5, IL6
SA-22 Unsupported System Components
IL4 Mod, IL4 High, IL5, IL6
SC - System and Communications Protection (33 controls)
SC-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
SC-2 Separation of System and User Functionality
IL4 Mod, IL4 High, IL5, IL6
SC-4 Information in Shared System Resources
IL4 Mod, IL4 High, IL5, IL6
SC-5 Denial-of-service Protection
IL4 Mod, IL4 High, IL5, IL6
SC-7 Boundary Protection
IL4 Mod, IL4 High, IL5, IL6
SC-7(3) Boundary Protection | Access Points
IL4 Mod, IL4 High, IL5, IL6
SC-7(4) Boundary Protection | External Telecommunications Services
IL4 Mod, IL4 High, IL5, IL6
SC-7(5) Boundary Protection | Deny by Default -- Allow by Exception
IL4 Mod, IL4 High, IL5, IL6
SC-7(7) Boundary Protection | Split Tunneling for Remote Devices
IL4 Mod, IL4 High, IL5, IL6
SC-7(8) Boundary Protection | Route Traffic to Authenticated Proxy Servers
IL4 Mod, IL4 High, IL5, IL6
SC-7(12) Boundary Protection | Host-based Protection
IL4 Mod, IL4 High, IL5, IL6
SC-7(18) Boundary Protection | Fail Secure
IL4 Mod, IL4 High, IL5, IL6
SC-8 Transmission Confidentiality and Integrity
IL4 Mod, IL4 High, IL5, IL6
SC-8(1) Transmission Confidentiality and Integrity | Cryptographic Protection
IL4 Mod, IL4 High, IL5, IL6
SC-10 Network Disconnect
IL4 Mod, IL4 High, IL5, IL6
SC-12 Cryptographic Key Establishment and Management
IL4 Mod, IL4 High, IL5, IL6
SC-12(6) Cryptographic Key Establishment and Management | Physical Control of Keys
IL4 Mod, IL4 High, IL5, IL6
SC-13 Cryptographic Protection
IL4 Mod, IL4 High, IL5, IL6
SC-15 Collaborative Computing Devices and Applications
IL4 Mod, IL4 High, IL5, IL6
SC-17 Public Key Infrastructure Certificates
IL4 Mod, IL4 High, IL5, IL6
SC-18 Mobile Code
IL4 Mod, IL4 High, IL5, IL6
SC-18(2) Mobile Code | Acquisition, Development, and Use
IL4 Mod, IL4 High, IL5, IL6
SC-20 Secure Name/address Resolution Service (authoritative Source)
IL4 Mod, IL4 High, IL5, IL6
SC-21 Secure Name/address Resolution Service (recursive or Caching Resolver)
IL4 Mod, IL4 High, IL5, IL6
SC-22 Architecture and Provisioning for Name/address Resolution Service
IL4 Mod, IL4 High, IL5, IL6
SC-23 Session Authenticity
IL4 Mod, IL4 High, IL5, IL6
SC-24 Fail in Known State
IL4 Mod, IL4 High, IL5, IL6
SC-28 Protection of Information at Rest
IL4 Mod, IL4 High, IL5, IL6
SC-28(1) Protection of Information at Rest | Cryptographic Protection
IL4 Mod, IL4 High, IL5, IL6
SC-39 Process Isolation
IL4 Mod, IL4 High, IL5, IL6
SC-45 System Time Synchronization
IL4 Mod, IL4 High, IL5, IL6
SC-45(1) System Time Synchronization | Synchronization with Authoritative Time Source
IL4 Mod, IL4 High, IL5, IL6
SC-46 Cross Domain Policy Enforcement
IL4 Mod, IL4 High, IL5, IL6
SI - System and Information Integrity (24 controls)
SI-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
SI-2 Flaw Remediation
IL4 Mod, IL4 High, IL5, IL6
SI-2(2) Flaw Remediation | Automated Flaw Remediation Status
IL4 Mod, IL4 High, IL5, IL6
SI-2(3) Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions
IL4 Mod, IL4 High, IL5, IL6
SI-3 Malicious Code Protection
IL4 Mod, IL4 High, IL5, IL6
SI-4 System Monitoring
IL4 Mod, IL4 High, IL5, IL6
SI-4(1) System Monitoring | System-wide Intrusion Detection System
IL4 Mod, IL4 High, IL5, IL6
SI-4(2) System Monitoring | Automated Tools and Mechanisms for Real-time Analysis
IL4 Mod, IL4 High, IL5, IL6
SI-4(4) System Monitoring | Inbound and Outbound Communications Traffic
IL4 Mod, IL4 High, IL5, IL6
SI-4(5) System Monitoring | System-generated Alerts
IL4 Mod, IL4 High, IL5, IL6
SI-4(16) System Monitoring | Correlate Monitoring Information
IL4 Mod, IL4 High, IL5, IL6
SI-4(18) System Monitoring | Analyze Traffic and Covert Exfiltration
IL4 Mod, IL4 High, IL5, IL6
SI-4(23) System Monitoring | Host-based Devices
IL4 Mod, IL4 High, IL5, IL6
SI-5 Security Alerts, Advisories, and Directives
IL4 Mod, IL4 High, IL5, IL6
SI-6 Security and Privacy Function Verification
IL4 Mod, IL4 High, IL5, IL6
SI-7 Software, Firmware, and Information Integrity
IL4 Mod, IL4 High, IL5, IL6
SI-7(1) Software, Firmware, and Information Integrity | Integrity Checks
IL4 Mod, IL4 High, IL5, IL6
SI-7(7) Software, Firmware, and Information Integrity | Integration of Detection and Response
IL4 Mod, IL4 High, IL5, IL6
SI-8 Spam Protection
IL4 Mod, IL4 High, IL5, IL6
SI-8(2) Spam Protection | Automatic Updates
IL4 Mod, IL4 High, IL5, IL6
SI-10 Information Input Validation
IL4 Mod, IL4 High, IL5, IL6
SI-11 Error Handling
IL4 Mod, IL4 High, IL5, IL6
SI-12 Information Management and Retention
IL4 Mod, IL4 High, IL5, IL6
SI-16 Memory Protection
IL4 Mod, IL4 High, IL5, IL6
SR - Supply Chain Risk Management (12 controls)
SR-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
SR-2 Supply Chain Risk Management Plan
IL4 Mod, IL4 High, IL5, IL6
SR-2(1) Supply Chain Risk Management Plan | Establish SCRM Team
IL4 Mod, IL4 High, IL5, IL6
SR-3 Supply Chain Controls and Processes
IL4 Mod, IL4 High, IL5, IL6
SR-5 Acquisition Strategies, Tools, and Methods
IL4 Mod, IL4 High, IL5, IL6
SR-6 Supplier Assessments and Reviews
IL4 Mod, IL4 High, IL5, IL6
SR-8 Notification Agreements
IL4 Mod, IL4 High, IL5, IL6
SR-10 Inspection of Systems or Components
IL4 Mod, IL4 High, IL5, IL6
SR-11 Component Authenticity
IL4 Mod, IL4 High, IL5, IL6
SR-11(1) Component Authenticity | Anti-counterfeit Training
IL4 Mod, IL4 High, IL5, IL6
SR-11(2) Component Authenticity | Configuration Control for Component Service and Repair
IL4 Mod, IL4 High, IL5, IL6
SR-12 Component Disposal
IL4 Mod, IL4 High, IL5, IL6