Home / Frameworks / FedRAMP Rev 5

FedRAMP Rev 5 v5

Federal Risk and Authorization Management Program Security Baselines

This is a reference tool, not an authoritative source. For official documentation, visit www.fedramp.gov.

410 All

138 LI-SaaS 156 Low 323 Moderate 410 High

AC — Access Control (50 controls)

AC-1Policy and Procedures

AC-2Account Management

AC-2 (01)Account Management | Automated System Account Management

MODERATE

HIGH

AC-2 (02)Account Management | Automated Temporary and Emergency Account Management

MODERATE

HIGH

AC-2 (03)Account Management | Disable Accounts

MODERATE

HIGH

AC-2 (04)Account Management | Automated Audit Actions

MODERATE

HIGH

AC-2 (05)Account Management | Inactivity Logout

MODERATE

HIGH

AC-2 (07)Account Management | Privileged User Accounts

MODERATE

HIGH

AC-2 (09)Account Management | Restrictions on Use of Shared and Group Accounts

MODERATE

HIGH

AC-2 (11)Account Management | Usage Conditions

HIGH

AC-2 (12)Account Management | Account Monitoring for Atypical Usage

MODERATE

HIGH

AC-2 (13)Account Management | Disable Accounts for High-risk Individuals

MODERATE

HIGH

AC-3Access Enforcement

AC-4Information Flow Enforcement

MODERATE

HIGH

AC-4 (04)Information Flow Enforcement | Flow Control of Encrypted Information

HIGH

AC-4 (21)Information Flow Enforcement | Physical or Logical Separation of Information Flows

MODERATE

HIGH

AC-5Separation of Duties

AC-6 (01)Least Privilege | Authorize Access to Security Functions

MODERATE

HIGH

AC-6 (02)Least Privilege | Non-privileged Access for Nonsecurity Functions

MODERATE

HIGH

AC-6 (03)Least Privilege | Network Access to Privileged Commands

HIGH

AC-6 (05)Least Privilege | Privileged Accounts

MODERATE

HIGH

AC-6 (07)Least Privilege | Review of User Privileges

MODERATE

HIGH

AC-6 (08)Least Privilege | Privilege Levels for Code Execution

HIGH

AC-6 (09)Least Privilege | Log Use of Privileged Functions

MODERATE

HIGH

AC-6 (10)Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions

MODERATE

HIGH

AC-7Unsuccessful Logon Attempts

AC-8System Use Notification

AC-10Concurrent Session Control

AC-11 (01)Device Lock | Pattern-hiding Displays

MODERATE

HIGH

AC-12Session Termination

MODERATE

HIGH

AC-14Permitted Actions Without Identification or Authentication

AC-17 (01)Remote Access | Monitoring and Control

MODERATE

HIGH

AC-17 (02)Remote Access | Protection of Confidentiality and Integrity Using Encryption

MODERATE

HIGH

AC-17 (03)Remote Access | Managed Access Control Points

MODERATE

HIGH

AC-17 (04)Remote Access | Privileged Commands and Access

AC-18 (01)Wireless Access | Authentication and Encryption

MODERATE

HIGH

AC-18 (03)Wireless Access | Disable Wireless Networking

MODERATE

HIGH

AC-18 (04)Wireless Access | Restrict Configurations by Users

HIGH

AC-18 (05)Wireless Access | Antennas and Transmission Power Levels

HIGH

AC-19Access Control for Mobile Devices

AC-19 (05)Access Control for Mobile Devices | Full Device or Container-based Encryption

MODERATE

HIGH

AC-20Use of External Systems

AC-20 (01)Use of External Systems | Limits on Authorized Use

MODERATE

HIGH

AC-20 (02)Use of External Systems | Portable Storage Devices -- Restricted Use

MODERATE

HIGH

AC-21Information Sharing

MODERATE

HIGH

AC-22Publicly Accessible Content

AT — Awareness and Training (6 controls)

AT-1Policy and Procedures

AT-2Literacy Training and Awareness

AT-2 (02)Literacy Training and Awareness | Insider Threat

LOW

MODERATE

HIGH

AT-2 (03)Literacy Training and Awareness | Social Engineering and Mining

MODERATE

HIGH

AT-3Role-based Training

AU — Audit and Accountability (27 controls)

AU-1Policy and Procedures

AU-3Content of Audit Records

AU-3 (01)Content of Audit Records | Additional Audit Information

MODERATE

HIGH

AU-4Audit Log Storage Capacity

AU-5Response to Audit Logging Process Failures

AU-5 (01)Response to Audit Logging Process Failures | Storage Capacity Warning

HIGH

AU-5 (02)Response to Audit Logging Process Failures | Real-time Alerts

HIGH

AU-6Audit Record Review, Analysis, and Reporting

AU-6 (01)Audit Record Review, Analysis, and Reporting | Automated Process Integration

MODERATE

HIGH

AU-6 (03)Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories

MODERATE

HIGH

AU-6 (04)Audit Record Review, Analysis, and Reporting | Central Review and Analysis

HIGH

AU-6 (05)Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records

HIGH

AU-6 (06)Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring

HIGH

AU-6 (07)Audit Record Review, Analysis, and Reporting | Permitted Actions

HIGH

AU-7Audit Record Reduction and Report Generation

MODERATE

HIGH

AU-7 (01)Audit Record Reduction and Report Generation | Automatic Processing

AU-9Protection of Audit Information

AU-9 (02)Protection of Audit Information | Store on Separate Physical Systems or Components

HIGH

AU-9 (03)Protection of Audit Information | Cryptographic Protection

HIGH

AU-9 (04)Protection of Audit Information | Access by Subset of Privileged Users

AU-11Audit Record Retention

AU-12Audit Record Generation

AU-12 (01)Audit Record Generation | System-wide and Time-correlated Audit Trail

HIGH

AU-12 (03)Audit Record Generation | Changes by Authorized Individuals

HIGH

CA — Assessment, Authorization, and Monitoring (16 controls)

CA-1Policy and Procedures

CA-2Control Assessments

CA-2 (01)Control Assessments | Independent Assessors

LOW

MODERATE

HIGH

CA-2 (02)Control Assessments | Specialized Assessments

HIGH

CA-2 (03)Control Assessments | Leveraging Results from External Organizations

MODERATE

HIGH

CA-3Information Exchange

CA-3 (06)Information Exchange | Transfer Authorizations

HIGH

CA-5Plan of Action and Milestones

CA-7Continuous Monitoring

CA-7 (01)Continuous Monitoring | Independent Assessment

MODERATE

HIGH

CA-7 (04)Continuous Monitoring | Risk Monitoring

LOW

MODERATE

HIGH

CA-8Penetration Testing

CA-8 (01)Penetration Testing | Independent Penetration Testing Agent or Team

MODERATE

HIGH

CA-8 (02)Penetration Testing | Red Team Exercises

MODERATE

HIGH

CA-9Internal System Connections

CM — Configuration Management (34 controls)

CM-1Policy and Procedures

CM-2Baseline Configuration

CM-2 (02)Baseline Configuration | Automation Support for Accuracy and Currency

MODERATE

HIGH

CM-2 (03)Baseline Configuration | Retention of Previous Configurations

MODERATE

HIGH

CM-2 (07)Baseline Configuration | Configure Systems and Components for High-risk Areas

MODERATE

HIGH

CM-3Configuration Change Control

MODERATE

HIGH

CM-3 (01)Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes

HIGH

CM-3 (02)Configuration Change Control | Testing, Validation, and Documentation of Changes

MODERATE

HIGH

CM-3 (04)Configuration Change Control | Security and Privacy Representatives

MODERATE

HIGH

CM-3 (06)Configuration Change Control | Cryptography Management

CM-4 (01)Impact Analyses | Separate Test Environments

HIGH

CM-4 (02)Impact Analyses | Verification of Controls

MODERATE

HIGH

CM-5Access Restrictions for Change

CM-5 (01)Access Restrictions for Change | Automated Access Enforcement and Audit Records

MODERATE

HIGH

CM-5 (05)Access Restrictions for Change | Privilege Limitation for Production and Operation

MODERATE

HIGH

CM-6Configuration Settings

CM-6 (01)Configuration Settings | Automated Management, Application, and Verification

MODERATE

HIGH

CM-6 (02)Configuration Settings | Respond to Unauthorized Changes

HIGH

CM-7Least Functionality

CM-7 (01)Least Functionality | Periodic Review

MODERATE

HIGH

CM-7 (02)Least Functionality | Prevent Program Execution

MODERATE

HIGH

CM-7 (05)Least Functionality | Authorized Software -- Allow-by-exception

MODERATE

HIGH

CM-8System Component Inventory

CM-8 (01)System Component Inventory | Updates During Installation and Removal

MODERATE

HIGH

CM-8 (02)System Component Inventory | Automated Maintenance

HIGH

CM-8 (03)System Component Inventory | Automated Unauthorized Component Detection

MODERATE

HIGH

CM-8 (04)System Component Inventory | Accountability Information

HIGH

CM-9Configuration Management Plan

MODERATE

HIGH

CM-10Software Usage Restrictions

CM-11User-installed Software

CM-12Information Location

MODERATE

HIGH

CM-12 (01)Information Location | Automated Tools to Support Information Location

MODERATE

HIGH

CM-14Signed Components

HIGH

CP — Contingency Planning (35 controls)

CP-1Policy and Procedures

CP-2 (01)Contingency Plan | Coordinate with Related Plans

MODERATE

HIGH

CP-2 (02)Contingency Plan | Capacity Planning

HIGH

CP-2 (03)Contingency Plan | Resume Mission and Business Functions

MODERATE

HIGH

CP-2 (05)Contingency Plan | Continue Mission and Business Functions

HIGH

CP-2 (08)Contingency Plan | Identify Critical Assets

MODERATE

HIGH

CP-3Contingency Training

CP-3 (01)Contingency Training | Simulated Events

HIGH

CP-4Contingency Plan Testing

CP-4 (01)Contingency Plan Testing | Coordinate with Related Plans

MODERATE

HIGH

CP-4 (02)Contingency Plan Testing | Alternate Processing Site

HIGH

CP-6Alternate Storage Site

MODERATE

HIGH

CP-6 (01)Alternate Storage Site | Separation from Primary Site

MODERATE

HIGH

CP-6 (02)Alternate Storage Site | Recovery Time and Recovery Point Objectives

HIGH

CP-6 (03)Alternate Storage Site | Accessibility

MODERATE

HIGH

CP-7Alternate Processing Site

MODERATE

HIGH

CP-7 (01)Alternate Processing Site | Separation from Primary Site

MODERATE

HIGH

CP-7 (02)Alternate Processing Site | Accessibility

MODERATE

HIGH

CP-7 (03)Alternate Processing Site | Priority of Service

MODERATE

HIGH

CP-7 (04)Alternate Processing Site | Preparation for Use

HIGH

CP-8Telecommunications Services

MODERATE

HIGH

CP-8 (01)Telecommunications Services | Priority of Service Provisions

MODERATE

HIGH

CP-8 (02)Telecommunications Services | Single Points of Failure

MODERATE

HIGH

CP-8 (03)Telecommunications Services | Separation of Primary and Alternate Providers

HIGH

CP-8 (04)Telecommunications Services | Provider Contingency Plan

CP-9 (01)System Backup | Testing for Reliability and Integrity

MODERATE

HIGH

CP-9 (02)System Backup | Test Restoration Using Sampling

HIGH

CP-9 (03)System Backup | Separate Storage for Critical Information

HIGH

CP-9 (05)System Backup | Transfer to Alternate Storage Site

HIGH

CP-9 (08)System Backup | Cryptographic Protection

MODERATE

HIGH

CP-10System Recovery and Reconstitution

CP-10 (02)System Recovery and Reconstitution | Transaction Recovery

MODERATE

HIGH

CP-10 (04)System Recovery and Reconstitution | Restore Within Time Period

HIGH

IA — Identification and Authentication (30 controls)

IA-1Policy and Procedures

IA-2Identification and Authentication (organizational Users)

IA-2 (01)Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts

LOW

MODERATE

HIGH

IA-2 (02)Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts

LOW

MODERATE

HIGH

IA-2 (05)Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication

MODERATE

HIGH

IA-2 (06)Identification and Authentication (organizational Users) | Access to Accounts --separate Device

MODERATE

HIGH

IA-2 (08)Identification and Authentication (organizational Users) | Access to Accounts -- Replay Resistant

LOW

MODERATE

HIGH

IA-2 (12)Identification and Authentication (organizational Users) | Acceptance of PIV Credentials

IA-3Device Identification and Authentication

MODERATE

HIGH

IA-4Identifier Management

IA-4 (04)Identifier Management | Identify User Status

MODERATE

HIGH

IA-5Authenticator Management

IA-5 (01)Authenticator Management | Password-based Authentication

LOW

MODERATE

HIGH

IA-5 (02)Authenticator Management | Public Key-based Authentication

MODERATE

HIGH

IA-5 (06)Authenticator Management | Protection of Authenticators

MODERATE

HIGH

IA-5 (07)Authenticator Management | No Embedded Unencrypted Static Authenticators

MODERATE

HIGH

IA-5 (08)Authenticator Management | Multiple System Accounts

HIGH

IA-5 (13)Authenticator Management | Expiration of Cached Authenticators

HIGH

IA-6Authentication Feedback

IA-7Cryptographic Module Authentication

IA-8Identification and Authentication (non-organizational Users)

IA-8 (01)Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies

LOW

MODERATE

HIGH

IA-8 (02)Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators

LOW

MODERATE

HIGH

IA-8 (04)Identification and Authentication (non-organizational Users) | Use of Defined Profiles

LOW

MODERATE

HIGH

IA-11Re-authentication

IA-12Identity Proofing

MODERATE

HIGH

IA-12 (02)Identity Proofing | Identity Evidence

MODERATE

HIGH

IA-12 (03)Identity Proofing | Identity Evidence Validation and Verification

MODERATE

HIGH

IA-12 (04)Identity Proofing | In-person Validation and Verification

HIGH

IA-12 (05)Identity Proofing | Address Confirmation

MODERATE

HIGH

IR — Incident Response (24 controls)

IR-1Policy and Procedures

IR-2Incident Response Training

IR-2 (01)Incident Response Training | Simulated Events

HIGH

IR-2 (02)Incident Response Training | Automated Training Environments

HIGH

IR-3Incident Response Testing

MODERATE

HIGH

IR-3 (02)Incident Response Testing | Coordination with Related Plans

MODERATE

HIGH

IR-4Incident Handling

IR-4 (01)Incident Handling | Automated Incident Handling Processes

MODERATE

HIGH

IR-4 (02)Incident Handling | Dynamic Reconfiguration

HIGH

IR-4 (04)Incident Handling | Information Correlation

HIGH

IR-4 (06)Incident Handling | Insider Threats

HIGH

IR-4 (11)Incident Handling | Integrated Incident Response Team

HIGH

IR-5Incident Monitoring

IR-5 (01)Incident Monitoring | Automated Tracking, Data Collection, and Analysis

HIGH

IR-6Incident Reporting

IR-6 (01)Incident Reporting | Automated Reporting

MODERATE

HIGH

IR-6 (03)Incident Reporting | Supply Chain Coordination

MODERATE

HIGH

IR-7Incident Response Assistance

IR-7 (01)Incident Response Assistance | Automation Support for Availability of Information and Support

MODERATE

HIGH

IR-8Incident Response Plan

IR-9Information Spillage Response

MODERATE

HIGH

IR-9 (02)Information Spillage Response | Training

MODERATE

HIGH

IR-9 (03)Information Spillage Response | Post-spill Operations

MODERATE

HIGH

IR-9 (04)Information Spillage Response | Exposure to Unauthorized Personnel

MODERATE

HIGH

MA — Maintenance (12 controls)

MA-1Policy and Procedures

MA-2Controlled Maintenance

MA-2 (02)Controlled Maintenance | Automated Maintenance Activities

HIGH

MA-3Maintenance Tools

MODERATE

HIGH

MA-3 (01)Maintenance Tools | Inspect Tools

MODERATE

HIGH

MA-3 (02)Maintenance Tools | Inspect Media

MODERATE

HIGH

MA-3 (03)Maintenance Tools | Prevent Unauthorized Removal

MODERATE

HIGH

MA-4Nonlocal Maintenance

MA-4 (03)Nonlocal Maintenance | Comparable Security and Sanitization

HIGH

MA-5Maintenance Personnel

MA-5 (01)Maintenance Personnel | Individuals Without Appropriate Access

MODERATE

HIGH

MA-6Timely Maintenance

MODERATE

HIGH

MP — Media Protection (10 controls)

MP-1Policy and Procedures

MP-6Media Sanitization

MP-6 (01)Media Sanitization | Review, Approve, Track, Document, and Verify

HIGH

MP-6 (02)Media Sanitization | Equipment Testing

HIGH

MP-6 (03)Media Sanitization | Nondestructive Techniques

PE — Physical and Environmental Protection (26 controls)

PE-1Policy and Procedures

PE-2Physical Access Authorizations

PE-3Physical Access Control

PE-3 (01)Physical Access Control | System Access

HIGH

PE-4Access Control for Transmission

MODERATE

HIGH

PE-5Access Control for Output Devices

MODERATE

HIGH

PE-6Monitoring Physical Access

PE-6 (01)Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment

MODERATE

HIGH

PE-6 (04)Monitoring Physical Access | Monitoring Physical Access to Systems

HIGH

PE-8Visitor Access Records

PE-8 (01)Visitor Access Records | Automated Records Maintenance and Review

HIGH

PE-9Power Equipment and Cabling

MODERATE

HIGH

PE-10Emergency Shutoff

PE-11 (01)Emergency Power | Alternate Power Supply -- Minimal Operational Capability

HIGH

PE-12Emergency Lighting

PE-13 (01)Fire Protection | Detection Systems -- Automatic Activation and Notification

MODERATE

HIGH

PE-13 (02)Fire Protection | Suppression Systems -- Automatic Activation and Notification

MODERATE

HIGH

PE-14Environmental Controls

PE-14 (02)Environmental Controls | Monitoring with Alarms and Notifications

HIGH

PE-15Water Damage Protection

PE-15 (01)Water Damage Protection | Automation Support

HIGH

PE-16Delivery and Removal

PE-17Alternate Work Site

MODERATE

HIGH

PE-18Location of System Components

HIGH

PL — Planning (7 controls)

PL-1Policy and Procedures

PL-2System Security and Privacy Plans

PL-4Rules of Behavior

PL-4 (01)Rules of Behavior | Social Media and External Site/application Usage Restrictions

LOW

MODERATE

HIGH

PL-8Security and Privacy Architectures

PL-10Baseline Selection

PL-11Baseline Tailoring

PS — Personnel Security (11 controls)

PS-1Policy and Procedures

PS-2Position Risk Designation

PS-3Personnel Screening

PS-3 (03)Personnel Screening | Information Requiring Special Protective Measures

MODERATE

HIGH

PS-4Personnel Termination

PS-4 (02)Personnel Termination | Automated Actions

HIGH

PS-5Personnel Transfer

PS-6Access Agreements

PS-7External Personnel Security

PS-8Personnel Sanctions

PS-9Position Descriptions

RA — Risk Assessment (13 controls)

RA-1Policy and Procedures

RA-2Security Categorization

RA-3 (01)Risk Assessment | Supply Chain Risk Assessment

LOW

MODERATE

HIGH

RA-5Vulnerability Monitoring and Scanning

RA-5 (02)Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned

LOW

MODERATE

HIGH

RA-5 (03)Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage

MODERATE

HIGH

RA-5 (04)Vulnerability Monitoring and Scanning | Discoverable Information

HIGH

RA-5 (05)Vulnerability Monitoring and Scanning | Privileged Access

MODERATE

HIGH

RA-5 (08)Vulnerability Monitoring and Scanning | Review Historic Audit Logs

HIGH

RA-5 (11)Vulnerability Monitoring and Scanning | Public Disclosure Program

RA-9Criticality Analysis

MODERATE

HIGH

SA — System and Services Acquisition (25 controls)

SA-1Policy and Procedures

SA-2Allocation of Resources

SA-3System Development Life Cycle

SA-4Acquisition Process

SA-4 (01)Acquisition Process | Functional Properties of Controls

MODERATE

HIGH

SA-4 (02)Acquisition Process | Design and Implementation Information for Controls

MODERATE

HIGH

SA-4 (05)Acquisition Process | System, Component, and Service Configurations

HIGH

SA-4 (09)Acquisition Process | Functions, Ports, Protocols, and Services in Use

MODERATE

HIGH

SA-4 (10)Acquisition Process | Use of Approved PIV Products

SA-5System Documentation

SA-8Security and Privacy Engineering Principles

SA-9External System Services

SA-9 (01)External System Services | Risk Assessments and Organizational Approvals

MODERATE

HIGH

SA-9 (02)External System Services | Identification of Functions, Ports, Protocols, and Services

MODERATE

HIGH

SA-9 (05)External System Services | Processing, Storage, and Service Location

MODERATE

HIGH

SA-10Developer Configuration Management

MODERATE

HIGH

SA-11Developer Testing and Evaluation

MODERATE

HIGH

SA-11 (01)Developer Testing and Evaluation | Static Code Analysis

MODERATE

HIGH

SA-11 (02)Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses

MODERATE

HIGH

SA-15Development Process, Standards, and Tools

MODERATE

HIGH

SA-15 (03)Development Process, Standards, and Tools | Criticality Analysis

MODERATE

HIGH

SA-16Developer-provided Training

HIGH

SA-17Developer Security and Privacy Architecture and Design

HIGH

SA-21Developer Screening

HIGH

SA-22Unsupported System Components

SC — System and Communications Protection (35 controls)

SC-1Policy and Procedures

SC-2Separation of System and User Functionality

MODERATE

HIGH

SC-3Security Function Isolation

HIGH

SC-4Information in Shared System Resources

MODERATE

HIGH

SC-5Denial-of-service Protection

SC-7Boundary Protection

SC-7 (03)Boundary Protection | Access Points

MODERATE

HIGH

SC-7 (04)Boundary Protection | External Telecommunications Services

MODERATE

HIGH

SC-7 (05)Boundary Protection | Deny by Default -- Allow by Exception

MODERATE

HIGH

SC-7 (07)Boundary Protection | Split Tunneling for Remote Devices

MODERATE

HIGH

SC-7 (08)Boundary Protection | Route Traffic to Authenticated Proxy Servers

MODERATE

HIGH

SC-7 (10)Boundary Protection | Prevent Exfiltration

HIGH

SC-7 (12)Boundary Protection | Host-based Protection

MODERATE

HIGH

SC-7 (18)Boundary Protection | Fail Secure

MODERATE

HIGH

SC-7 (20)Boundary Protection | Dynamic Isolation and Segregation

HIGH

SC-7 (21)Boundary Protection | Isolation of System Components

HIGH

SC-8Transmission Confidentiality and Integrity

SC-8 (01)Transmission Confidentiality and Integrity | Cryptographic Protection

LOW

MODERATE

HIGH

SC-10Network Disconnect

MODERATE

HIGH

SC-12Cryptographic Key Establishment and Management

SC-12 (01)Cryptographic Key Establishment and Management | Availability

HIGH

SC-13Cryptographic Protection

SC-15Collaborative Computing Devices and Applications

SC-17Public Key Infrastructure Certificates

SC-20Secure Name/address Resolution Service (authoritative Source)

SC-21Secure Name/address Resolution Service (recursive or Caching Resolver)

SC-22Architecture and Provisioning for Name/address Resolution Service

SC-23Session Authenticity

MODERATE

HIGH

SC-24Fail in Known State

HIGH

SC-28Protection of Information at Rest

SC-28 (01)Protection of Information at Rest | Cryptographic Protection

LOW

MODERATE

HIGH

SC-39Process Isolation

SC-45System Time Synchronization

MODERATE

HIGH

SC-45 (01)System Time Synchronization | Synchronization with Authoritative Time Source

MODERATE

HIGH

SI — System and Information Integrity (35 controls)

SI-1Policy and Procedures

SI-2 (02)Flaw Remediation | Automated Flaw Remediation Status

MODERATE

HIGH

SI-2 (03)Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions

MODERATE

HIGH

SI-3Malicious Code Protection

SI-4System Monitoring

SI-4 (01)System Monitoring | System-wide Intrusion Detection System

MODERATE

HIGH

SI-4 (02)System Monitoring | Automated Tools and Mechanisms for Real-time Analysis

MODERATE

HIGH

SI-4 (04)System Monitoring | Inbound and Outbound Communications Traffic

MODERATE

HIGH

SI-4 (05)System Monitoring | System-generated Alerts

MODERATE

HIGH

SI-4 (10)System Monitoring | Visibility of Encrypted Communications

HIGH

SI-4 (11)System Monitoring | Analyze Communications Traffic Anomalies

HIGH

SI-4 (12)System Monitoring | Automated Organization-generated Alerts

HIGH

SI-4 (14)System Monitoring | Wireless Intrusion Detection

HIGH

SI-4 (16)System Monitoring | Correlate Monitoring Information

MODERATE

HIGH

SI-4 (18)System Monitoring | Analyze Traffic and Covert Exfiltration

MODERATE

HIGH

SI-4 (19)System Monitoring | Risk for Individuals

HIGH

SI-4 (20)System Monitoring | Privileged Users

HIGH

SI-4 (22)System Monitoring | Unauthorized Network Services

HIGH

SI-4 (23)System Monitoring | Host-based Devices

MODERATE

HIGH

SI-5Security Alerts, Advisories, and Directives

SI-5 (01)Security Alerts, Advisories, and Directives | Automated Alerts and Advisories

HIGH

SI-6Security and Privacy Function Verification

MODERATE

HIGH

SI-7Software, Firmware, and Information Integrity

MODERATE

HIGH

SI-7 (01)Software, Firmware, and Information Integrity | Integrity Checks

MODERATE

HIGH

SI-7 (02)Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations

HIGH

SI-7 (05)Software, Firmware, and Information Integrity | Automated Response to Integrity Violations

HIGH

SI-7 (07)Software, Firmware, and Information Integrity | Integration of Detection and Response

MODERATE

HIGH

SI-7 (15)Software, Firmware, and Information Integrity | Code Authentication

SI-8 (02)Spam Protection | Automatic Updates

MODERATE

HIGH

SI-10Information Input Validation

SI-12Information Management and Retention

SI-16Memory Protection

MODERATE

HIGH

SR — Supply Chain Risk Management (14 controls)

SR-1Policy and Procedures

SR-2Supply Chain Risk Management Plan

SR-2 (01)Supply Chain Risk Management Plan | Establish SCRM Team

LOW

MODERATE

HIGH

SR-3Supply Chain Controls and Processes

SR-5Acquisition Strategies, Tools, and Methods

SR-6Supplier Assessments and Reviews

MODERATE

HIGH

SR-8Notification Agreements

SR-9Tamper Resistance and Detection

HIGH

SR-9 (01)Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle

HIGH

SR-10Inspection of Systems or Components

SR-11Component Authenticity

SR-11 (01)Component Authenticity | Anti-counterfeit Training

LOW

MODERATE

HIGH

SR-11 (02)Component Authenticity | Configuration Control for Component Service and Repair

LOW

MODERATE

HIGH

SR-12Component Disposal