Home / Frameworks / NIST 800-53

NIST SP 800-53 Revision 5

Security and Privacy Controls for Information Systems and Organizations

1196 All

149 Low 287 Moderate 370 High 96 Privacy

AC — Access Control (147 controls)

AC-1Policy And Procedures

AC-2Account Management

AC-2(1)Automated System Account Management

AC-2(2)Automated Temporary And Emergency Account Management

AC-2(3)Disable Accounts

AC-2(4)Automated Audit Actions

AC-2(5)Inactivity Logout

AC-2(6)Dynamic Privilege Management

AC-2(7)Privileged User Accounts

AC-2(8)Dynamic Account Management

AC-2(9)Restrictions On Use Of Shared And Group Accounts

AC-2(10)Shared And Group Account Credential Change

AC-2(11)Usage Conditions

AC-2(12)Account Monitoring For Atypical Usage

AC-2(13)Disable Accounts For High-Risk Individuals

AC-3Access Enforcement

AC-3(1)Restricted Access To Privileged Functions

AC-3(2)Dual Authorization

AC-3(3)Mandatory Access Control

AC-3(4)Discretionary Access Control

AC-3(5)Security-Relevant Information

AC-3(6)Protection Of User And System Information

AC-3(7)Role-Based Access Control

AC-3(8)Revocation Of Access Authorizations

AC-3(9)Controlled Release

AC-3(10)Audited Override Of Access Control Mechanisms

AC-3(11)Restrict Access To Specific Information Types

AC-3(12)Assert And Enforce Application Access

AC-3(13)Attribute-Based Access Control

AC-3(14)Individual Access

AC-3(15)Discretionary And Mandatory Access Control

AC-4Information Flow Enforcement

AC-4(1)Object Security And Privacy Attributes

AC-4(2)Processing Domains

AC-4(3)Dynamic Information Flow Control

AC-4(4)Flow Control Of Encrypted Information

AC-4(5)Embedded Data Types

AC-4(6)Metadata

AC-4(7)One-Way Flow Mechanisms

AC-4(8)Security And Privacy Policy Filters

AC-4(9)Human Reviews

AC-4(10)Enable And Disable Security Or Privacy Policy Filters

AC-4(11)Configuration Of Security Or Privacy Policy Filters

AC-4(12)Data Type Identifiers

AC-4(13)Decomposition Into Policy-Relevant Subcomponents

AC-4(14)Security Or Privacy Policy Filter Constraints

AC-4(15)Detection Of Unsanctioned Information

AC-4(16)Information Transfers On Interconnected Systems

AC-4(17)Domain Authentication

AC-4(18)Security Attribute Binding

AC-4(19)Validation Of Metadata

AC-4(20)Approved Solutions

AC-4(21)Physical Or Logical Separation Of Information Flows

AC-4(22)Access Only

AC-4(23)Modify Non-Releasable Information

AC-4(24)Internal Normalized Format

AC-4(25)Data Sanitization

AC-4(26)Audit Filtering Actions

AC-4(27)Redundant/Independent Filtering Mechanisms

AC-4(28)Linear Filter Pipelines

AC-4(29)Filter Orchestration Engines

AC-4(30)Filter Mechanisms Using Multiple Processes

AC-4(31)Failed Content Transfer Prevention

AC-4(32)Process Requirements For Information Transfer

AC-5Separation Of Duties

AC-6Least Privilege

AC-6(1)Authorize Access To Security Functions

AC-6(2)Non-Privileged Access For Nonsecurity Functions

AC-6(3)Network Access To Privileged Commands

AC-6(4)Separate Processing Domains

AC-6(5)Privileged Accounts

AC-6(6)Privileged Access By Non-Organizational Users

AC-6(7)Review Of User Privileges

AC-6(8)Privilege Levels For Code Execution

AC-6(9)Log Use Of Privileged Functions

AC-6(10)Prohibit Non-Privileged Users From Executing Privileged Functions

AC-7Unsuccessful Logon Attempts

AC-7(1)Automatic Account Lock

AC-7(2)Purge Or Wipe Mobile Device

AC-7(3)Biometric Attempt Limiting

AC-7(4)Use Of Alternate Authentication Factor

AC-8System Use Notification

AC-9Previous Logon Notification

AC-9(1)Unsuccessful Logons

AC-9(2)Successful And Unsuccessful Logons

AC-9(3)Notification Of Account Changes

AC-9(4)Additional Logon Information

AC-10Concurrent Session Control

AC-11Device Lock

AC-11(1)Pattern-Hiding Displays

AC-12Session Termination

AC-12(1)User-Initiated Logouts

AC-12(2)Termination Message

AC-12(3)Timeout Warning Message

AC-13Supervision And Review — Access Control

AC-14Permitted Actions Without Identification Or Authentication

AC-14(1)Necessary Uses

AC-15Automated Marking

AC-16Security And Privacy Attributes

AC-16(1)Dynamic Attribute Association

AC-16(2)Attribute Value Changes By Authorized Individuals

AC-16(3)Maintenance Of Attribute Associations By System

AC-16(4)Association Of Attributes By Authorized Individuals

AC-16(5)Attribute Displays On Objects To Be Output

AC-16(6)Maintenance Of Attribute Association

AC-16(7)Consistent Attribute Interpretation

AC-16(8)Association Techniques And Technologies

AC-16(9)Attribute Reassignment — Regrading Mechanisms

AC-16(10)Attribute Configuration By Authorized Individuals

AC-17Remote Access

AC-17(1)Monitoring And Control

AC-17(2)Protection Of Confidentiality And Integrity Using Encryption

AC-17(3)Managed Access Control Points

AC-17(4)Privileged Commands And Access

AC-17(5)Monitoring For Unauthorized Connections

AC-17(6)Protection Of Mechanism Information

AC-17(7)Additional Protection For Security Function Access

AC-17(8)Disable Nonsecure Network Protocols

AC-17(9)Disconnect Or Disable Access

AC-17(10)Authenticate Remote Commands

AC-18Wireless Access

AC-18(1)Authentication And Encryption

AC-18(2)Monitoring Unauthorized Connections

AC-18(3)Disable Wireless Networking

AC-18(4)Restrict Configurations By Users

AC-18(5)Antennas And Transmission Power Levels

AC-19Access Control For Mobile Devices

AC-19(1)Use Of Writable And Portable Storage Devices

AC-19(2)Use Of Personally Owned Portable Storage Devices

AC-19(3)Use Of Portable Storage Devices With No Identifiable Owner

AC-19(4)Restrictions For Classified Information

AC-19(5)Full Device Or Container-Based Encryption

AC-20Use Of External Systems

AC-20(1)Limits On Authorized Use

AC-20(2)Portable Storage Devices — Restricted Use

AC-20(3)Non-Organizationally Owned Systems — Restricted Use

AC-20(4)Network Accessible Storage Devices — Prohibited Use

AC-20(5)Portable Storage Devices — Prohibited Use

AC-21Information Sharing

AC-21(1)Automated Decision Support

AC-21(2)Information Search And Retrieval

AC-22Publicly Accessible Content

AC-23Data Mining Protection

AC-24Access Control Decisions

AC-24(1)Transmit Access Authorization Information

AC-24(2)No User Or Process Identity

AC-25Reference Monitor

AT — Awareness and Training (17 controls)

AT-1Policy And Procedures

AT-2Literacy Training And Awareness

AT-2(1)Practical Exercises

AT-2(2)Insider Threat

AT-2(3)Social Engineering And Mining

AT-2(4)Suspicious Communications And Anomalous System Behavior

AT-2(5)Advanced Persistent Threat

AT-2(6)Cyber Threat Environment

AT-3Role-Based Training

AT-3(1)Environmental Controls

AT-3(2)Physical Security Controls

AT-3(3)Practical Exercises

AT-3(4)Suspicious Communications And Anomalous System Behavior

AT-3(5)Processing Personally Identifiable Information

AT-4Training Records

AT-5Contacts With Security Groups And Associations

AT-6Training Feedback

AU — Audit and Accountability (69 controls)

AU-1Policy And Procedures

AU-2Event Logging

AU-2(1)Compilation Of Audit Records From Multiple Sources

AU-2(2)Selection Of Audit Events By Component

AU-2(3)Reviews And Updates

AU-2(4)Privileged Functions

AU-3Content Of Audit Records

AU-3(1)Additional Audit Information

AU-3(2)Centralized Management Of Planned Audit Record Content

AU-3(3)Limit Personally Identifiable Information Elements

AU-4Audit Log Storage Capacity

AU-4(1)Transfer To Alternate Storage

AU-5Response To Audit Logging Process Failures

AU-5(1)Storage Capacity Warning

AU-5(2)Real-Time Alerts

AU-5(3)Configurable Traffic Volume Thresholds

AU-5(4)Shutdown On Failure

AU-5(5)Alternate Audit Logging Capability

AU-6Audit Record Review, Analysis, And Reporting

AU-6(1)Automated Process Integration

AU-6(2)Automated Security Alerts

AU-6(3)Correlate Audit Record Repositories

AU-6(4)Central Review And Analysis

AU-6(5)Integrated Analysis Of Audit Records

AU-6(6)Correlation With Physical Monitoring

AU-6(7)Permitted Actions

AU-6(8)Full Text Analysis Of Privileged Commands

AU-6(9)Correlation With Information From Nontechnical Sources

AU-6(10)Audit Level Adjustment

AU-7Audit Record Reduction And Report Generation

AU-7(1)Automatic Processing

AU-7(2)Automatic Sort And Search

AU-8Time Stamps

AU-8(1)Synchronization With Authoritative Time Source

AU-8(2)Secondary Authoritative Time Source

AU-9Protection Of Audit Information

AU-9(1)Hardware Write-Once Media

AU-9(2)Store On Separate Physical Systems Or Components

AU-9(3)Cryptographic Protection

AU-9(4)Access By Subset Of Privileged Users

AU-9(5)Dual Authorization

AU-9(6)Read-Only Access

AU-9(7)Store On Component With Different Operating System

AU-10Non-Repudiation

AU-10(1)Association Of Identities

AU-10(2)Validate Binding Of Information Producer Identity

AU-10(3)Chain Of Custody

AU-10(4)Validate Binding Of Information Reviewer Identity

AU-10(5)Digital Signatures

AU-11Audit Record Retention

AU-11(1)Long-Term Retrieval Capability

AU-12Audit Record Generation

AU-12(1)System-Wide And Time-Correlated Audit Trail

AU-12(2)Standardized Formats

AU-12(3)Changes By Authorized Individuals

AU-12(4)Query Parameter Audits Of Personally Identifiable Information

AU-13Monitoring For Information Disclosure

AU-13(1)Use Of Automated Tools

AU-13(2)Review Of Monitored Sites

AU-13(3)Unauthorized Replication Of Information

AU-14Session Audit

AU-14(1)System Start-Up

AU-14(2)Capture And Record Content

AU-14(3)Remote Viewing And Listening

AU-15Alternate Audit Logging Capability

AU-16Cross-Organizational Audit Logging

AU-16(1)Identity Preservation

AU-16(2)Sharing Of Audit Information

AU-16(3)Disassociability

CA — Assessment, Authorization, and Monitoring (32 controls)

CA-1Policy And Procedures

CA-2Control Assessments

CA-2(1)Independent Assessors

CA-2(2)Specialized Assessments

CA-2(3)Leveraging Results From External Organizations

CA-3Information Exchange

CA-3(1)Unclassified National Security System Connections

CA-3(2)Classified National Security System Connections

CA-3(3)Unclassified Non-National Security System Connections

CA-3(4)Connections To Public Networks

CA-3(5)Restrictions On External System Connections

CA-3(6)Transfer Authorizations

CA-3(7)Transitive Information Exchanges

CA-4Security Certification

CA-5Plan Of Action And Milestones

CA-5(1)Automation Support For Accuracy And Currency

CA-6Authorization

CA-6(1)Joint Authorization — Intra-Organization

CA-6(2)Joint Authorization — Inter-Organization

CA-7Continuous Monitoring

CA-7(1)Independent Assessment

CA-7(2)Types Of Assessments

CA-7(3)Trend Analyses

CA-7(4)Risk Monitoring

CA-7(5)Consistency Analysis

CA-7(6)Automation Support For Monitoring

CA-8Penetration Testing

CA-8(1)Independent Penetration Testing Agent Or Team

CA-8(2)Red Team Exercises

CA-8(3)Facility Penetration Testing

CA-9Internal System Connections

CA-9(1)Compliance Checks

CM — Configuration Management (66 controls)

CM-1Policy And Procedures

CM-2Baseline Configuration

CM-2(1)Reviews And Updates

CM-2(2)Automation Support For Accuracy And Currency

CM-2(3)Retention Of Previous Configurations

CM-2(4)Unauthorized Software

CM-2(5)Authorized Software

CM-2(6)Development And Test Environments

CM-2(7)Configure Systems And Components For High-Risk Areas

CM-3Configuration Change Control

CM-3(1)Automated Documentation, Notification, And Prohibition Of Changes

CM-3(2)Testing, Validation, And Documentation Of Changes

CM-3(3)Automated Change Implementation

CM-3(4)Security And Privacy Representatives

CM-3(5)Automated Security Response

CM-3(6)Cryptography Management

CM-3(7)Review System Changes

CM-3(8)Prevent Or Restrict Configuration Changes

CM-4Impact Analyses

CM-4(1)Separate Test Environments

CM-4(2)Verification Of Controls

CM-5Access Restrictions For Change

CM-5(1)Automated Access Enforcement And Audit Records

CM-5(2)Review System Changes

CM-5(3)Signed Components

CM-5(4)Dual Authorization

CM-5(5)Privilege Limitation For Production And Operation

CM-5(6)Limit Library Privileges

CM-5(7)Automatic Implementation Of Security Safeguards

CM-6Configuration Settings

CM-6(1)Automated Management, Application, And Verification

CM-6(2)Respond To Unauthorized Changes

CM-6(3)Unauthorized Change Detection

CM-6(4)Conformance Demonstration

CM-7Least Functionality

CM-7(1)Periodic Review

CM-7(2)Prevent Program Execution

CM-7(3)Registration Compliance

CM-7(4)Unauthorized Software — Deny-By-Exception

CM-7(5)Authorized Software — Allow-By-Exception

CM-7(6)Confined Environments With Limited Privileges

CM-7(7)Code Execution In Protected Environments

CM-7(8)Binary Or Machine Executable Code

CM-7(9)Prohibiting The Use Of Unauthorized Hardware

CM-8System Component Inventory

CM-8(1)Updates During Installation And Removal

CM-8(2)Automated Maintenance

CM-8(3)Automated Unauthorized Component Detection

CM-8(4)Accountability Information

CM-8(5)No Duplicate Accounting Of Components

CM-8(6)Assessed Configurations And Approved Deviations

CM-8(7)Centralized Repository

CM-8(8)Automated Location Tracking

CM-8(9)Assignment Of Components To Systems

CM-9Configuration Management Plan

CM-9(1)Assignment Of Responsibility

CM-10Software Usage Restrictions

CM-10(1)Open-Source Software

CM-11User-Installed Software

CM-11(1)Alerts For Unauthorized Installations

CM-11(2)Software Installation With Privileged Status

CM-11(3)Automated Enforcement And Monitoring

CM-12Information Location

CM-12(1)Automated Tools To Support Information Location

CM-13Data Action Mapping

CM-14Signed Components

CP — Contingency Planning (56 controls)

CP-1Policy And Procedures

CP-2Contingency Plan

CP-2(1)Coordinate With Related Plans

CP-2(2)Capacity Planning

CP-2(3)Resume Mission And Business Functions

CP-2(4)Resume All Mission And Business Functions

CP-2(5)Continue Mission And Business Functions

CP-2(6)Alternate Processing And Storage Sites

CP-2(7)Coordinate With External Service Providers

CP-2(8)Identify Critical Assets

CP-3Contingency Training

CP-3(1)Simulated Events

CP-3(2)Mechanisms Used In Training Environments

CP-4Contingency Plan Testing

CP-4(1)Coordinate With Related Plans

CP-4(2)Alternate Processing Site

CP-4(3)Automated Testing

CP-4(4)Full Recovery And Reconstitution

CP-4(5)Self-Challenge

CP-5Contingency Plan Update

CP-6Alternate Storage Site

CP-6(1)Separation From Primary Site

CP-6(2)Recovery Time And Recovery Point Objectives

CP-6(3)Accessibility

CP-7Alternate Processing Site

CP-7(1)Separation From Primary Site

CP-7(2)Accessibility

CP-7(3)Priority Of Service

CP-7(4)Preparation For Use

CP-7(5)Equivalent Information Security Safeguards

CP-7(6)Inability To Return To Primary Site

CP-8Telecommunications Services

CP-8(1)Priority Of Service Provisions

CP-8(2)Single Points Of Failure

CP-8(3)Separation Of Primary And Alternate Providers

CP-8(4)Provider Contingency Plan

CP-8(5)Alternate Telecommunication Service Testing

CP-9System Backup

CP-9(1)Testing For Reliability And Integrity

CP-9(2)Test Restoration Using Sampling

CP-9(3)Separate Storage For Critical Information

CP-9(4)Protection From Unauthorized Modification

CP-9(5)Transfer To Alternate Storage Site

CP-9(6)Redundant Secondary System

CP-9(7)Dual Authorization For Deletion Or Destruction

CP-9(8)Cryptographic Protection

CP-10System Recovery And Reconstitution

CP-10(1)Contingency Plan Testing

CP-10(2)Transaction Recovery

CP-10(3)Compensating Security Controls

CP-10(4)Restore Within Time Period

CP-10(5)Failover Capability

CP-10(6)Component Protection

CP-11Alternate Communications Protocols

CP-13Alternative Security Mechanisms

IA — Identification and Authentication (74 controls)

IA-1Policy And Procedures

IA-2Identification And Authentication (Organizational Users)

IA-2(1)Multi-Factor Authentication To Privileged Accounts

IA-2(2)Multi-Factor Authentication To Non-Privileged Accounts

IA-2(3)Local Access To Privileged Accounts

IA-2(4)Local Access To Non-Privileged Accounts

IA-2(5)Individual Authentication With Group Authentication

IA-2(6)Access To Accounts —Separate Device

IA-2(7)Network Access To Non-Privileged Accounts — Separate Device

IA-2(8)Access To Accounts — Replay Resistant

IA-2(9)Network Access To Non-Privileged Accounts — Replay Resistant

IA-2(10)Single Sign-On

IA-2(11)Remote Access — Separate Device

IA-2(12)Acceptance Of Piv Credentials

IA-2(13)Out-Of-Band Authentication

IA-3Device Identification And Authentication

IA-3(1)Cryptographic Bidirectional Authentication

IA-3(2)Cryptographic Bidirectional Network Authentication

IA-3(3)Dynamic Address Allocation

IA-3(4)Device Attestation

IA-4Identifier Management

IA-4(1)Prohibit Account Identifiers As Public Identifiers

IA-4(2)Supervisor Authorization

IA-4(3)Multiple Forms Of Certification

IA-4(4)Identify User Status

IA-4(5)Dynamic Management

IA-4(6)Cross-Organization Management

IA-4(7)In-Person Registration

IA-4(8)Pairwise Pseudonymous Identifiers

IA-4(9)Attribute Maintenance And Protection

IA-5Authenticator Management

IA-5(1)Password-Based Authentication

IA-5(2)Public Key-Based Authentication

IA-5(3)In-Person Or Trusted External Party Registration

IA-5(4)Automated Support For Password Strength Determination

IA-5(5)Change Authenticators Prior To Delivery

IA-5(6)Protection Of Authenticators

IA-5(7)No Embedded Unencrypted Static Authenticators

IA-5(8)Multiple System Accounts

IA-5(9)Federated Credential Management

IA-5(10)Dynamic Credential Binding

IA-5(11)Hardware Token-Based Authentication

IA-5(12)Biometric Authentication Performance

IA-5(13)Expiration Of Cached Authenticators

IA-5(14)Managing Content Of Pki Trust Stores

IA-5(15)Gsa-Approved Products And Services

IA-5(16)In-Person Or Trusted External Party Authenticator Issuance

IA-5(17)Presentation Attack Detection For Biometric Authenticators

IA-5(18)Password Managers

IA-6Authentication Feedback

IA-7Cryptographic Module Authentication

IA-8Identification And Authentication (Non-Organizational Users)

IA-8(1)Acceptance Of Piv Credentials From Other Agencies

IA-8(2)Acceptance Of External Authenticators

IA-8(3)Use Of Ficam-Approved Products

IA-8(4)Use Of Defined Profiles

IA-8(5)Acceptance Of Piv-I Credentials

IA-8(6)Disassociability

IA-9Service Identification And Authentication

IA-9(1)Information Exchange

IA-9(2)Transmission Of Decisions

IA-10Adaptive Authentication

IA-11Re-Authentication

IA-12Identity Proofing

IA-12(1)Supervisor Authorization

IA-12(2)Identity Evidence

IA-12(3)Identity Evidence Validation And Verification

IA-12(4)In-Person Validation And Verification

IA-12(5)Address Confirmation

IA-12(6)Accept Externally-Proofed Identities

IA-13Identity Providers And Authorization Servers

IA-13(1)Protection Of Cryptographic Keys

IA-13(2)Verification Of Identity Assertions And Access Tokens

IA-13(3)Token Management

IR — Incident Response (42 controls)

IR-1Policy And Procedures

IR-2Incident Response Training

IR-2(1)Simulated Events

IR-2(2)Automated Training Environments

IR-3Incident Response Testing

IR-3(1)Automated Testing

IR-3(2)Coordination With Related Plans

IR-3(3)Continuous Improvement

IR-4Incident Handling

IR-4(1)Automated Incident Handling Processes

IR-4(2)Dynamic Reconfiguration

IR-4(3)Continuity Of Operations

IR-4(4)Information Correlation

IR-4(5)Automatic Disabling Of System

IR-4(6)Insider Threats

IR-4(7)Insider Threats — Intra-Organization Coordination

IR-4(8)Correlation With External Organizations

IR-4(9)Dynamic Response Capability

IR-4(10)Supply Chain Coordination

IR-4(11)Integrated Incident Response Team

IR-4(12)Malicious Code And Forensic Analysis

IR-4(13)Behavior Analysis

IR-4(14)Security Operations Center

IR-4(15)Public Relations And Reputation Repair

IR-5Incident Monitoring

IR-5(1)Automated Tracking, Data Collection, And Analysis

IR-6Incident Reporting

IR-6(1)Automated Reporting

IR-6(2)Vulnerabilities Related To Incidents

IR-6(3)Supply Chain Coordination

IR-7Incident Response Assistance

IR-7(1)Automation Support For Availability Of Information And Support

IR-7(2)Coordination With External Providers

IR-8Incident Response Plan

IR-8(1)Breaches

IR-9Information Spillage Response

IR-9(1)Responsible Personnel

IR-9(2)Training

IR-9(3)Post-Spill Operations

IR-9(4)Exposure To Unauthorized Personnel

IR-10Integrated Information Security Analysis Team

MA — Maintenance (30 controls)

MA-1Policy And Procedures

MA-2Controlled Maintenance

MA-2(1)Record Content

MA-2(2)Automated Maintenance Activities

MA-3Maintenance Tools

MA-3(1)Inspect Tools

MA-3(2)Inspect Media

MA-3(3)Prevent Unauthorized Removal

MA-3(4)Restricted Tool Use

MA-3(5)Execution With Privilege

MA-3(6)Software Updates And Patches

MA-4Nonlocal Maintenance

MA-4(1)Logging And Review

MA-4(2)Document Nonlocal Maintenance

MA-4(3)Comparable Security And Sanitization

MA-4(4)Authentication And Separation Of Maintenance Sessions

MA-4(5)Approvals And Notifications

MA-4(6)Cryptographic Protection

MA-4(7)Disconnect Verification

MA-5Maintenance Personnel

MA-5(1)Individuals Without Appropriate Access

MA-5(2)Security Clearances For Classified Systems

MA-5(3)Citizenship Requirements For Classified Systems

MA-5(4)Foreign Nationals

MA-5(5)Non-System Maintenance

MA-6Timely Maintenance

MA-6(1)Preventive Maintenance

MA-6(2)Predictive Maintenance

MA-6(3)Automated Support For Predictive Maintenance

MA-7Field Maintenance

MP — Media Protection (30 controls)

MP-1Policy And Procedures

MP-2Media Access

MP-2(1)Automated Restricted Access

MP-2(2)Cryptographic Protection

MP-3Media Marking

MP-4Media Storage

MP-4(1)Cryptographic Protection

MP-4(2)Automated Restricted Access

MP-5Media Transport

MP-5(1)Protection Outside Of Controlled Areas

MP-5(2)Documentation Of Activities

MP-5(3)Custodians

MP-5(4)Cryptographic Protection

MP-6Media Sanitization

MP-6(1)Review, Approve, Track, Document, And Verify

MP-6(2)Equipment Testing

MP-6(3)Nondestructive Techniques

MP-6(4)Controlled Unclassified Information

MP-6(5)Classified Information

MP-6(6)Media Destruction

MP-6(7)Dual Authorization

MP-6(8)Remote Purging Or Wiping Of Information

MP-7(1)Prohibit Use Without Owner

MP-7(2)Prohibit Use Of Sanitization-Resistant Media

MP-8Media Downgrading

MP-8(1)Documentation Of Process

MP-8(2)Equipment Testing

MP-8(3)Controlled Unclassified Information

MP-8(4)Classified Information

PE — Physical and Environmental Protection (59 controls)

PE-1Policy And Procedures

PE-2Physical Access Authorizations

PE-2(1)Access By Position Or Role

PE-2(2)Two Forms Of Identification

PE-2(3)Restrict Unescorted Access

PE-3Physical Access Control

PE-3(1)System Access

PE-3(2)Facility And Systems

PE-3(3)Continuous Guards

PE-3(4)Lockable Casings

PE-3(5)Tamper Protection

PE-3(6)Facility Penetration Testing

PE-3(7)Physical Barriers

PE-3(8)Access Control Vestibules

PE-4Access Control For Transmission

PE-5Access Control For Output Devices

PE-5(1)Access To Output By Authorized Individuals

PE-5(2)Link To Individual Identity

PE-5(3)Marking Output Devices

PE-6Monitoring Physical Access

PE-6(1)Intrusion Alarms And Surveillance Equipment

PE-6(2)Automated Intrusion Recognition And Responses

PE-6(3)Video Surveillance

PE-6(4)Monitoring Physical Access To Systems

PE-7Visitor Control

PE-8Visitor Access Records

PE-8(1)Automated Records Maintenance And Review

PE-8(2)Physical Access Records

PE-8(3)Limit Personally Identifiable Information Elements

PE-9Power Equipment And Cabling

PE-9(1)Redundant Cabling

PE-9(2)Automatic Voltage Controls

PE-10Emergency Shutoff

PE-10(1)Accidental And Unauthorized Activation

PE-11Emergency Power

PE-11(1)Alternate Power Supply — Minimal Operational Capability

PE-11(2)Alternate Power Supply — Self-Contained

PE-12Emergency Lighting

PE-12(1)Essential Mission And Business Functions

PE-13Fire Protection

PE-13(1)Detection Systems — Automatic Activation And Notification

PE-13(2)Suppression Systems — Automatic Activation And Notification

PE-13(3)Automatic Fire Suppression

PE-13(4)Inspections

PE-14Environmental Controls

PE-14(1)Automatic Controls

PE-14(2)Monitoring With Alarms And Notifications

PE-15Water Damage Protection

PE-15(1)Automation Support

PE-16Delivery And Removal

PE-17Alternate Work Site

PE-18Location Of System Components

PE-18(1)Facility Site

PE-19Information Leakage

PE-19(1)National Emissions Policies And Procedures

PE-20Asset Monitoring And Tracking

PE-21Electromagnetic Pulse Protection

PE-22Component Marking

PE-23Facility Location

PL — Planning (17 controls)

PL-1Policy And Procedures

PL-2System Security And Privacy Plans

PL-2(1)Concept Of Operations

PL-2(2)Functional Architecture

PL-2(3)Plan And Coordinate With Other Organizational Entities

PL-3System Security Plan Update

PL-4Rules Of Behavior

PL-4(1)Social Media And External Site/Application Usage Restrictions

PL-5Privacy Impact Assessment

PL-6Security-Related Activity Planning

PL-7Concept Of Operations

PL-8Security And Privacy Architectures

PL-8(1)Defense In Depth

PL-8(2)Supplier Diversity

PL-9Central Management

PL-10Baseline Selection

PL-11Baseline Tailoring

PM — Program Management (37 controls)

PM-1Information Security Program Plan

PM-2Information Security Program Leadership Role

PM-3Information Security And Privacy Resources

PM-4Plan Of Action And Milestones Process

PM-5System Inventory

PM-5(1)Inventory Of Personally Identifiable Information

PM-6Measures Of Performance

PM-7Enterprise Architecture

PM-7(1)Offloading

PM-8Critical Infrastructure Plan

PM-9Risk Management Strategy

PM-10Authorization Process

PM-11Mission And Business Process Definition

PM-12Insider Threat Program

PM-13Security And Privacy Workforce

PM-14Testing, Training, And Monitoring

PM-15Security And Privacy Groups And Associations

PM-16Threat Awareness Program

PM-16(1)Automated Means For Sharing Threat Intelligence

PM-17Protecting Controlled Unclassified Information On External Systems

PM-18Privacy Program Plan

PM-19Privacy Program Leadership Role

PM-20Dissemination Of Privacy Program Information

PM-20(1)Privacy Policies On Websites, Applications, And Digital Services

PM-21Accounting Of Disclosures

PM-22Personally Identifiable Information Quality Management

PM-23Data Governance Body

PM-24Data Integrity Board

PM-25Minimization Of Personally Identifiable Information Used In Testing, Training, And Research

PM-26Complaint Management

PM-27Privacy Reporting

PM-28Risk Framing

PM-29Risk Management Program Leadership Roles

PM-30Supply Chain Risk Management Strategy

PM-30(1)Suppliers Of Critical Or Mission-Essential Items

PM-31Continuous Monitoring Strategy

PS — Personnel Security (18 controls)

PS-1Policy And Procedures

PS-2Position Risk Designation

PS-3Personnel Screening

PS-3(1)Classified Information

PS-3(2)Formal Indoctrination

PS-3(3)Information Requiring Special Protective Measures

PS-3(4)Citizenship Requirements

PS-4Personnel Termination

PS-4(1)Post-Employment Requirements

PS-4(2)Automated Actions

PS-5Personnel Transfer

PS-6Access Agreements

PS-6(1)Information Requiring Special Protection

PS-6(2)Classified Information Requiring Special Protection

PS-6(3)Post-Employment Requirements

PS-7External Personnel Security

PS-8Personnel Sanctions

PS-9Position Descriptions

RA — Risk Assessment (26 controls)

RA-1Policy And Procedures

RA-2Security Categorization

RA-2(1)Impact-Level Prioritization

RA-3Risk Assessment

RA-3(1)Supply Chain Risk Assessment

RA-3(2)Use Of All-Source Intelligence

RA-3(3)Dynamic Threat Awareness

RA-3(4)Predictive Cyber Analytics

RA-4Risk Assessment Update

RA-5Vulnerability Monitoring And Scanning

RA-5(1)Update Tool Capability

RA-5(2)Update Vulnerabilities To Be Scanned

RA-5(3)Breadth And Depth Of Coverage

RA-5(4)Discoverable Information

RA-5(5)Privileged Access

RA-5(6)Automated Trend Analyses

RA-5(7)Automated Detection And Notification Of Unauthorized Components

RA-5(8)Review Historic Audit Logs

RA-5(9)Penetration Testing And Analyses

RA-5(10)Correlate Scanning Information

RA-5(11)Public Disclosure Program

RA-6Technical Surveillance Countermeasures Survey

RA-7Risk Response

RA-8Privacy Impact Assessments

RA-9Criticality Analysis

RA-10Threat Hunting

SA — System and Services Acquisition (147 controls)

SA-1Policy And Procedures

SA-2Allocation Of Resources

SA-3System Development Life Cycle

SA-3(1)Manage Preproduction Environment

SA-3(2)Use Of Live Or Operational Data

SA-3(3)Technology Refresh

SA-4Acquisition Process

SA-4(1)Functional Properties Of Controls

SA-4(2)Design And Implementation Information For Controls

SA-4(3)Development Methods, Techniques, And Practices

SA-4(4)Assignment Of Components To Systems

SA-4(5)System, Component, And Service Configurations

SA-4(6)Use Of Information Assurance Products

SA-4(7)Niap-Approved Protection Profiles

SA-4(8)Continuous Monitoring Plan For Controls

SA-4(9)Functions, Ports, Protocols, And Services In Use

SA-4(10)Use Of Approved Piv Products

SA-4(11)System Of Records

SA-4(12)Data Ownership

SA-5System Documentation

SA-5(1)Functional Properties Of Security Controls

SA-5(2)Security-Relevant External System Interfaces

SA-5(3)High-Level Design

SA-5(4)Low-Level Design

SA-5(5)Source Code

SA-6Software Usage Restrictions

SA-7User-Installed Software

SA-8Security And Privacy Engineering Principles

SA-8(1)Clear Abstractions

SA-8(2)Least Common Mechanism

SA-8(3)Modularity And Layering

SA-8(4)Partially Ordered Dependencies

SA-8(5)Efficiently Mediated Access

SA-8(6)Minimized Sharing

SA-8(7)Reduced Complexity

SA-8(8)Secure Evolvability

SA-8(9)Trusted Components

SA-8(10)Hierarchical Trust

SA-8(11)Inverse Modification Threshold

SA-8(12)Hierarchical Protection

SA-8(13)Minimized Security Elements

SA-8(14)Least Privilege

SA-8(15)Predicate Permission

SA-8(16)Self-Reliant Trustworthiness

SA-8(17)Secure Distributed Composition

SA-8(18)Trusted Communications Channels

SA-8(19)Continuous Protection

SA-8(20)Secure Metadata Management

SA-8(21)Self-Analysis

SA-8(22)Accountability And Traceability

SA-8(23)Secure Defaults

SA-8(24)Secure Failure And Recovery

SA-8(25)Economic Security

SA-8(26)Performance Security

SA-8(27)Human Factored Security

SA-8(28)Acceptable Security

SA-8(29)Repeatable And Documented Procedures

SA-8(30)Procedural Rigor

SA-8(31)Secure System Modification

SA-8(32)Sufficient Documentation

SA-8(33)Minimization

SA-9External System Services

SA-9(1)Risk Assessments And Organizational Approvals

SA-9(2)Identification Of Functions, Ports, Protocols, And Services

SA-9(3)Establish And Maintain Trust Relationship With Providers

SA-9(4)Consistent Interests Of Consumers And Providers

SA-9(5)Processing, Storage, And Service Location

SA-9(6)Organization-Controlled Cryptographic Keys

SA-9(7)Organization-Controlled Integrity Checking

SA-9(8)Processing And Storage Location — U.S. Jurisdiction

SA-10Developer Configuration Management

SA-10(1)Software And Firmware Integrity Verification

SA-10(2)Alternative Configuration Management Processes

SA-10(3)Hardware Integrity Verification

SA-10(4)Trusted Generation

SA-10(5)Mapping Integrity For Version Control

SA-10(6)Trusted Distribution

SA-10(7)Security And Privacy Representatives

SA-11Developer Testing And Evaluation

SA-11(1)Static Code Analysis

SA-11(2)Threat Modeling And Vulnerability Analyses

SA-11(3)Independent Verification Of Assessment Plans And Evidence

SA-11(4)Manual Code Reviews

SA-11(5)Penetration Testing

SA-11(6)Attack Surface Reviews

SA-11(7)Verify Scope Of Testing And Evaluation

SA-11(8)Dynamic Code Analysis

SA-11(9)Interactive Application Security Testing

SA-12Supply Chain Protection

SA-12(1)Acquisition Strategies / Tools / Methods

SA-12(2)Supplier Reviews

SA-12(3)Trusted Shipping And Warehousing

SA-12(4)Diversity Of Suppliers

SA-12(5)Limitation Of Harm

SA-12(6)Minimizing Procurement Time

SA-12(7)Assessments Prior To Selection / Acceptance / Update

SA-12(8)Use Of All-Source Intelligence

SA-12(9)Operations Security

SA-12(10)Validate As Genuine And Not Altered

SA-12(11)Penetration Testing / Analysis Of Elements, Processes, And Actors

SA-12(12)Inter-Organizational Agreements

SA-12(13)Critical Information System Components

SA-12(14)Identity And Traceability

SA-12(15)Processes To Address Weaknesses Or Deficiencies

SA-13Trustworthiness

SA-14Criticality Analysis

SA-14(1)Critical Components With No Viable Alternative Sourcing

SA-15Development Process, Standards, And Tools

SA-15(1)Quality Metrics

SA-15(2)Security And Privacy Tracking Tools

SA-15(3)Criticality Analysis

SA-15(4)Threat Modeling And Vulnerability Analysis

SA-15(5)Attack Surface Reduction

SA-15(6)Continuous Improvement

SA-15(7)Automated Vulnerability Analysis

SA-15(8)Reuse Of Threat And Vulnerability Information

SA-15(9)Use Of Live Data

SA-15(10)Incident Response Plan

SA-15(11)Archive System Or Component

SA-15(12)Minimize Personally Identifiable Information

SA-15(13)Logging Syntax

SA-16Developer-Provided Training

SA-17Developer Security And Privacy Architecture And Design

SA-17(1)Formal Policy Model

SA-17(2)Security-Relevant Components

SA-17(3)Formal Correspondence

SA-17(4)Informal Correspondence

SA-17(5)Conceptually Simple Design

SA-17(6)Structure For Testing

SA-17(7)Structure For Least Privilege

SA-17(8)Orchestration

SA-17(9)Design Diversity

SA-18Tamper Resistance And Detection

SA-18(1)Multiple Phases Of System Development Life Cycle

SA-18(2)Inspection Of Systems Or Components

SA-19Component Authenticity

SA-19(1)Anti-Counterfeit Training

SA-19(2)Configuration Control For Component Service And Repair

SA-19(3)Component Disposal

SA-19(4)Anti-Counterfeit Scanning

SA-20Customized Development Of Critical Components

SA-21Developer Screening

SA-21(1)Validation Of Screening

SA-22Unsupported System Components

SA-22(1)Alternative Sources For Continued Support

SA-23Specialization

SA-24Design For Cyber Resiliency

SC — System and Communications Protection (162 controls)

SC-1Policy And Procedures

SC-2Separation Of System And User Functionality

SC-2(1)Interfaces For Non-Privileged Users

SC-2(2)Disassociability

SC-3Security Function Isolation

SC-3(1)Hardware Separation

SC-3(2)Access And Flow Control Functions

SC-3(3)Minimize Nonsecurity Functionality

SC-3(4)Module Coupling And Cohesiveness

SC-3(5)Layered Structures

SC-4Information In Shared System Resources

SC-4(1)Security Levels

SC-4(2)Multilevel Or Periods Processing

SC-5Denial-Of-Service Protection

SC-5(1)Restrict Ability To Attack Other Systems

SC-5(2)Capacity, Bandwidth, And Redundancy

SC-5(3)Detection And Monitoring

SC-6Resource Availability

SC-7Boundary Protection

SC-7(1)Physically Separated Subnetworks

SC-7(2)Public Access

SC-7(3)Access Points

SC-7(4)External Telecommunications Services

SC-7(5)Deny By Default — Allow By Exception

SC-7(6)Response To Recognized Failures

SC-7(7)Split Tunneling For Remote Devices

SC-7(8)Route Traffic To Authenticated Proxy Servers

SC-7(9)Restrict Threatening Outgoing Communications Traffic

SC-7(10)Prevent Exfiltration

SC-7(11)Restrict Incoming Communications Traffic

SC-7(12)Host-Based Protection

SC-7(13)Isolation Of Security Tools, Mechanisms, And Support Components

SC-7(14)Protect Against Unauthorized Physical Connections

SC-7(15)Networked Privileged Accesses

SC-7(16)Prevent Discovery Of System Components

SC-7(17)Automated Enforcement Of Protocol Formats

SC-7(18)Fail Secure

SC-7(19)Block Communication From Non-Organizationally Configured Hosts

SC-7(20)Dynamic Isolation And Segregation

SC-7(21)Isolation Of System Components

SC-7(22)Separate Subnets For Connecting To Different Security Domains

SC-7(23)Disable Sender Feedback On Protocol Validation Failure

SC-7(24)Personally Identifiable Information

SC-7(25)Unclassified National Security System Connections

SC-7(26)Classified National Security System Connections

SC-7(27)Unclassified Non-National Security System Connections

SC-7(28)Connections To Public Networks

SC-7(29)Separate Subnets To Isolate Functions

SC-8Transmission Confidentiality And Integrity

SC-8(1)Cryptographic Protection

SC-8(2)Pre- And Post-Transmission Handling

SC-8(3)Cryptographic Protection For Message Externals

SC-8(4)Conceal Or Randomize Communications

SC-8(5)Protected Distribution System

SC-9Transmission Confidentiality

SC-10Network Disconnect

SC-11Trusted Path

SC-11(1)Irrefutable Communications Path

SC-12Cryptographic Key Establishment And Management

SC-12(1)Availability

SC-12(2)Symmetric Keys

SC-12(3)Asymmetric Keys

SC-12(4)Pki Certificates

SC-12(5)Pki Certificates / Hardware Tokens

SC-12(6)Physical Control Of Keys

SC-13Cryptographic Protection

SC-13(1)Fips-Validated Cryptography

SC-13(2)Nsa-Approved Cryptography

SC-13(3)Individuals Without Formal Access Approvals

SC-13(4)Digital Signatures

SC-14Public Access Protections

SC-15Collaborative Computing Devices And Applications

SC-15(1)Physical Or Logical Disconnect

SC-15(2)Blocking Inbound And Outbound Communications Traffic

SC-15(3)Disabling And Removal In Secure Work Areas

SC-15(4)Explicitly Indicate Current Participants

SC-16Transmission Of Security And Privacy Attributes

SC-16(1)Integrity Verification

SC-16(2)Anti-Spoofing Mechanisms

SC-16(3)Cryptographic Binding

SC-17Public Key Infrastructure Certificates

SC-18Mobile Code

SC-18(1)Identify Unacceptable Code And Take Corrective Actions

SC-18(2)Acquisition, Development, And Use

SC-18(3)Prevent Downloading And Execution

SC-18(4)Prevent Automatic Execution

SC-18(5)Allow Execution Only In Confined Environments

SC-19Voice Over Internet Protocol

SC-20Secure Name/Address Resolution Service (Authoritative Source)

SC-20(1)Child Subspaces

SC-20(2)Data Origin And Integrity

SC-21Secure Name/Address Resolution Service (Recursive Or Caching Resolver)

SC-21(1)Data Origin And Integrity

SC-22Architecture And Provisioning For Name/Address Resolution Service

SC-23Session Authenticity

SC-23(1)Invalidate Session Identifiers At Logout

SC-23(2)User-Initiated Logouts And Message Displays

SC-23(3)Unique System-Generated Session Identifiers

SC-23(4)Unique Session Identifiers With Randomization

SC-23(5)Allowed Certificate Authorities

SC-24Fail In Known State

SC-25Thin Nodes

SC-26(1)Detection Of Malicious Code

SC-27Platform-Independent Applications

SC-28Protection Of Information At Rest

SC-28(1)Cryptographic Protection

SC-28(2)Offline Storage

SC-28(3)Cryptographic Keys

SC-29Heterogeneity

SC-29(1)Virtualization Techniques

SC-30Concealment And Misdirection

SC-30(1)Virtualization Techniques

SC-30(2)Randomness

SC-30(3)Change Processing And Storage Locations

SC-30(4)Misleading Information

SC-30(5)Concealment Of System Components

SC-31Covert Channel Analysis

SC-31(1)Test Covert Channels For Exploitability

SC-31(2)Maximum Bandwidth

SC-31(3)Measure Bandwidth In Operational Environments

SC-32System Partitioning

SC-32(1)Separate Physical Domains For Privileged Functions

SC-33Transmission Preparation Integrity

SC-34Non-Modifiable Executable Programs

SC-34(1)No Writable Storage

SC-34(2)Integrity Protection On Read-Only Media

SC-34(3)Hardware-Based Protection

SC-35External Malicious Code Identification

SC-36Distributed Processing And Storage

SC-36(1)Polling Techniques

SC-36(2)Synchronization

SC-37Out-Of-Band Channels

SC-37(1)Ensure Delivery And Transmission

SC-38Operations Security

SC-39Process Isolation

SC-39(1)Hardware Separation

SC-39(2)Separate Execution Domain Per Thread

SC-40Wireless Link Protection

SC-40(1)Electromagnetic Interference

SC-40(2)Reduce Detection Potential

SC-40(3)Imitative Or Manipulative Communications Deception

SC-40(4)Signal Parameter Identification

SC-41Port And I/O Device Access

SC-42Sensor Capability And Data

SC-42(1)Reporting To Authorized Individuals Or Roles

SC-42(2)Authorized Use

SC-42(3)Prohibit Use Of Devices

SC-42(4)Notice Of Collection

SC-42(5)Collection Minimization

SC-43Usage Restrictions

SC-44Detonation Chambers

SC-45System Time Synchronization

SC-45(1)Synchronization With Authoritative Time Source

SC-45(2)Secondary Authoritative Time Source

SC-46Cross Domain Policy Enforcement

SC-47Alternate Communications Paths

SC-48Sensor Relocation

SC-48(1)Dynamic Relocation Of Sensors Or Monitoring Capabilities

SC-49Hardware-Enforced Separation And Policy Enforcement

SC-50Software-Enforced Separation And Policy Enforcement

SC-51Hardware-Based Protection

SI — System and Information Integrity (119 controls)

SI-1Policy And Procedures

SI-2Flaw Remediation

SI-2(1)Central Management

SI-2(2)Automated Flaw Remediation Status

SI-2(3)Time To Remediate Flaws And Benchmarks For Corrective Actions

SI-2(4)Automated Patch Management Tools

SI-2(5)Automatic Software And Firmware Updates

SI-2(6)Removal Of Previous Versions Of Software And Firmware

SI-2(7)Root Cause Analysis

SI-3Malicious Code Protection

SI-3(1)Central Management

SI-3(2)Automatic Updates

SI-3(3)Non-Privileged Users

SI-3(4)Updates Only By Privileged Users

SI-3(5)Portable Storage Devices

SI-3(6)Testing And Verification

SI-3(7)Nonsignature-Based Detection

SI-3(8)Detect Unauthorized Commands

SI-3(9)Authenticate Remote Commands

SI-3(10)Malicious Code Analysis

SI-4System Monitoring

SI-4(1)System-Wide Intrusion Detection System

SI-4(2)Automated Tools And Mechanisms For Real-Time Analysis

SI-4(3)Automated Tool And Mechanism Integration

SI-4(4)Inbound And Outbound Communications Traffic

SI-4(5)System-Generated Alerts

SI-4(6)Restrict Non-Privileged Users

SI-4(7)Automated Response To Suspicious Events

SI-4(8)Protection Of Monitoring Information

SI-4(9)Testing Of Monitoring Tools And Mechanisms

SI-4(10)Visibility Of Encrypted Communications

SI-4(11)Analyze Communications Traffic Anomalies

SI-4(12)Automated Organization-Generated Alerts

SI-4(13)Analyze Traffic And Event Patterns

SI-4(14)Wireless Intrusion Detection

SI-4(15)Wireless To Wireline Communications

SI-4(16)Correlate Monitoring Information

SI-4(17)Integrated Situational Awareness

SI-4(18)Analyze Traffic And Covert Exfiltration

SI-4(19)Risk For Individuals

SI-4(20)Privileged Users

SI-4(21)Probationary Periods

SI-4(22)Unauthorized Network Services

SI-4(23)Host-Based Devices

SI-4(24)Indicators Of Compromise

SI-4(25)Optimize Network Traffic Analysis

SI-5Security Alerts, Advisories, And Directives

SI-5(1)Automated Alerts And Advisories

SI-6Security And Privacy Function Verification

SI-6(1)Notification Of Failed Security Tests

SI-6(2)Automation Support For Distributed Testing

SI-6(3)Report Verification Results

SI-7Software, Firmware, And Information Integrity

SI-7(1)Integrity Checks

SI-7(2)Automated Notifications Of Integrity Violations

SI-7(3)Centrally Managed Integrity Tools

SI-7(4)Tamper-Evident Packaging

SI-7(5)Automated Response To Integrity Violations

SI-7(6)Cryptographic Protection

SI-7(7)Integration Of Detection And Response

SI-7(8)Auditing Capability For Significant Events

SI-7(9)Verify Boot Process

SI-7(10)Protection Of Boot Firmware

SI-7(11)Confined Environments With Limited Privileges

SI-7(12)Integrity Verification

SI-7(13)Code Execution In Protected Environments

SI-7(14)Binary Or Machine Executable Code

SI-7(15)Code Authentication

SI-7(16)Time Limit On Process Execution Without Supervision

SI-7(17)Runtime Application Self-Protection

SI-8Spam Protection

SI-8(1)Central Management

SI-8(2)Automatic Updates

SI-8(3)Continuous Learning Capability

SI-9Information Input Restrictions

SI-10Information Input Validation

SI-10(1)Manual Override Capability

SI-10(2)Review And Resolve Errors

SI-10(3)Predictable Behavior

SI-10(4)Timing Interactions

SI-10(5)Restrict Inputs To Trusted Sources And Approved Formats

SI-10(6)Injection Prevention

SI-11Error Handling

SI-12Information Management And Retention

SI-12(1)Limit Personally Identifiable Information Elements

SI-12(2)Minimize Personally Identifiable Information In Testing, Training, And Research

SI-12(3)Information Disposal

SI-13Predictable Failure Prevention

SI-13(1)Transferring Component Responsibilities

SI-13(2)Time Limit On Process Execution Without Supervision

SI-13(3)Manual Transfer Between Components

SI-13(4)Standby Component Installation And Notification

SI-13(5)Failover Capability

SI-14Non-Persistence

SI-14(1)Refresh From Trusted Sources

SI-14(2)Non-Persistent Information

SI-14(3)Non-Persistent Connectivity

SI-15Information Output Filtering

SI-16Memory Protection

SI-17Fail-Safe Procedures

SI-18Personally Identifiable Information Quality Operations

SI-18(1)Automation Support

SI-18(2)Data Tags

SI-18(3)Collection

SI-18(4)Individual Requests

SI-18(5)Notice Of Correction Or Deletion

SI-19De-Identification

SI-19(1)Collection

SI-19(2)Archiving

SI-19(3)Release

SI-19(4)Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers

SI-19(5)Statistical Disclosure Control

SI-19(6)Differential Privacy

SI-19(7)Validated Algorithms And Software

SI-19(8)Motivated Intruder

SI-21Information Refresh

SI-22Information Diversity

SI-23Information Fragmentation

SR — Supply Chain Risk Management (27 controls)

SR-1Policy And Procedures

SR-2Supply Chain Risk Management Plan

SR-2(1)Establish Scrm Team

SR-3Supply Chain Controls And Processes

SR-3(1)Diverse Supply Base

SR-3(2)Limitation Of Harm

SR-3(3)Sub-Tier Flow Down

SR-4(1)Identity

SR-4(2)Track And Trace

SR-4(3)Validate As Genuine And Not Altered

SR-4(4)Supply Chain Integrity — Pedigree

SR-5Acquisition Strategies, Tools, And Methods

SR-5(1)Adequate Supply

SR-5(2)Assessments Prior To Selection, Acceptance, Modification, Or Update

SR-6Supplier Assessments And Reviews

SR-6(1)Testing And Analysis

SR-7Supply Chain Operations Security

SR-8Notification Agreements

SR-9Tamper Resistance And Detection

SR-9(1)Multiple Stages Of System Development Life Cycle

SR-10Inspection Of Systems Or Components

SR-11Component Authenticity

SR-11(1)Anti-Counterfeit Training

SR-11(2)Configuration Control For Component Service And Repair

SR-11(3)Anti-Counterfeit Scanning

SR-12Component Disposal