
SCF v2025.4

Secure Controls Framework - A comprehensive meta-framework harmonizing 100+ security standards

The Secure Controls Framework (SCF) is licensed under Creative Commons Attribution-NoDerivatives 4.0 (CC BY-ND). Content must be attributed to the Secure Controls Framework Council. SCF harmonizes 100+ security, privacy, and compliance frameworks.

All domains (1451 controls)

AAT Artificial Intelligence & Autonomous Technologies (156 controls)

AAT-01 Artificial Intelligence (AI) & Autonomous Technologies Governance
AAT-01.1 AI & Autonomous Technologies-Related Legal Requirements Definition
AAT-01.2 Trustworthy AI & Autonomous Technologies
AAT-01.3 AI & Autonomous Technologies Value Sustainment
AAT-01.4 AI Model & Agent Inventory & Lifecycle Management
AAT-02 Situational Awareness of AI & Autonomous Technologies
AAT-02.1 AI & Autonomous Technologies Risk Mapping
AAT-02.2 AI & Autonomous Technologies Internal Controls
AAT-02.3 Adequate Protections For AI & Autonomous Technologies
AAT-02.4 AI Threat Modeling & Risk Assessment
AAT-03 AI & Autonomous Technologies Context Definition
AAT-03.1 AI & Autonomous Technologies Mission and Goals Definition
AAT-03.2 Model & AI Agent Documentation
AAT-04 AI & Autonomous Technologies Business Case
AAT-04.1 AI & Autonomous Technologies Potential Benefits Analysis
AAT-04.2 AI & Autonomous Technologies Potential Costs Analysis
AAT-04.3 AI & Autonomous Technologies Targeted Application Scope
AAT-04.4 AI & Autonomous Technologies Cost / Benefit Mapping
AAT-05 AI & Autonomous Technologies Training
AAT-06 AI & Autonomous Technologies Fairness & Bias
AAT-07 AI & Autonomous Technologies Risk Management Decisions
AAT-07.1 AI & Autonomous Technologies Impact Assessment
AAT-07.2 AI & Autonomous Technologies Likelihood & Impact Risk Analysis
AAT-07.3 AI & Autonomous Technologies Continuous Improvements
AAT-08 Assigned Responsibilities for AI & Autonomous Technologies
AAT-09 AI & Autonomous Technologies Risk Profiling
AAT-09.1 AI & Autonomous Technologies High Risk Designations
AAT-10 Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)
AAT-10.1 AI TEVV Trustworthiness Assessment
AAT-10.2 AI TEVV Tools
AAT-10.3 AI TEVV Trustworthiness Demonstration
AAT-10.4 AI TEVV Safety Demonstration
AAT-10.5 AI TEVV Security & Resiliency Assessment
AAT-10.6 AI TEVV Transparency & Accountability Assessment
AAT-10.7 AI TEVV Privacy Assessment
AAT-10.8 AI TEVV Fairness & Bias Assessment
AAT-10.9 AI & Autonomous Technologies Model Validation
AAT-10.10 AI TEVV Results Evaluation
AAT-10.11 AI TEVV Effectiveness
AAT-10.12 AI TEVV Comparable Deployment Settings
AAT-10.13 AI TEVV Post-Deployment Monitoring
AAT-10.14 Updating AI & Autonomous Technologies
AAT-10.15 AI TEVV Reporting
AAT-10.16 AI TEVV Empirically Validated Methods
AAT-10.17 AI TEVV Benchmarking Content Provenance
AAT-10.18 AI TEVV Model Collapse Mitigations
AAT-10.19 AI TEVV Third-Party Risk Management
AAT-11 Robust Stakeholder Engagement for AI & Autonomous Technologies
AAT-11.1 AI & Autonomous Technologies Stakeholder Feedback Integration
AAT-11.2 AI & Autonomous Technologies Ongoing Assessments
AAT-11.3 AI & Autonomous Technologies End User Feedback
AAT-11.4 AI & Autonomous Technologies Incident & Error Reporting
AAT-12 AI & Autonomous Technologies Intellectual Property Infringement Protections
AAT-12.1 Data Source Identification
AAT-12.2 Data Source Integrity
AAT-12.3 Data Source Lineage & Origin Disclosure
AAT-12.4 Digital Content Modification Logging
AAT-13 AI & Autonomous Technologies Stakeholder Diversity
AAT-13.1 AI & Autonomous Technologies Stakeholder Competencies
AAT-14 AI & Autonomous Technologies Requirements Definitions
AAT-14.1 AI & Autonomous Technologies Implementation Tasks Definition
AAT-14.2 AI & Autonomous Technologies Knowledge Limits
AAT-15 AI & Autonomous Technologies Viability Decisions
AAT-15.1 AI & Autonomous Technologies Negative Residual Risks
AAT-15.2 Responsibility To Supersede, Deactivate and/or Disengage AI & Autonomous Technologies
AAT-16 AI & Autonomous Technologies Production Monitoring
AAT-16.1 AI & Autonomous Technologies Measurement Approaches
AAT-16.2 Measuring AI & Autonomous Technologies Effectiveness
AAT-16.3 Unmeasurable AI & Autonomous Technologies Risks
AAT-16.4 Efficacy of AI & Autonomous Technologies Measurement
AAT-16.5 AI & Autonomous Technologies Domain Expert Reviews
AAT-16.6 AI & Autonomous Technologies Performance Changes
AAT-16.7 Pre-Trained AI & Autonomous Technologies Models
AAT-16.8 AI & Autonomous Technologies Event Logging
AAT-16.9 Serious Incident Reporting For AI & Autonomous Technologies
AAT-16.10 Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies
AAT-16.11 Anomaly Detection & Human Oversight
AAT-16.12 Human-in-the-Loop & Escalation
AAT-16.13 Emergent Behavior & Collusion Protections
AAT-16.14 Multi-Agent Trust & Communication Validation
AAT-17 AI & Autonomous Technologies Harm Prevention
AAT-17.1 AI & Autonomous Technologies Human Subject Protections
AAT-17.2 AI & Autonomous Technologies Environmental Impact & Sustainability
AAT-17.3 Previously Unknown AI & Autonomous Technologies Threats & Risks
AAT-17.4 Novel Risk Assessment Methods & Technologies
AAT-17.5 Fine Tuning Risk Mitigation
AAT-18 AI & Autonomous Technologies Risk Tracking Approaches
AAT-18.1 AI & Autonomous Technologies Risk Response
AAT-19 AI & Autonomous Technologies Conformity
AAT-19.1 Manipulative or Deceptive Techniques
AAT-19.2 Materially Distorting Behaviors
AAT-19.3 Social Scoring
AAT-19.4 Detrimental or Unfavorable Treatment
AAT-19.5 Risk and Criminal Profiling
AAT-19.6 Populating Facial Recognition Databases
AAT-19.7 Emotion Inference
AAT-19.8 Biometric Categorization
AAT-20 AI & Autonomous Technologies Development Practices
AAT-20.1 AI & Autonomous Technologies Transparency
AAT-20.2 AI & Autonomous Technologies Implementation Documentation
AAT-20.3 AI & Autonomous Technologies Human Domain Knowledge Reliance
AAT-21 AI & Autonomous Technologies Registration
AAT-22 AI & Autonomous Technologies Deployment
AAT-22.1 AI & Autonomous Technologies Human Oversight
AAT-22.2 AI & Autonomous Technologies Oversight Measures
AAT-22.3 AI & Autonomous Technologies Separate Verification
AAT-22.4 AI & Autonomous Technologies Oversight Functions Competency
AAT-22.5 AI & Autonomous Technologies Data Relevance
AAT-22.6 AI & Autonomous Technologies Irregularity Reporting
AAT-22.7 AI & Autonomous Technologies Use Notification To Employees
AAT-22.8 AI & Autonomous Technologies Use Notification To Users
AAT-23 AI & Autonomous Technologies Output Marking
AAT-24 Real World Testing of AI & Autonomous Technologies
AAT-25 AI & Autonomous Technologies System Value Chain
AAT-25.1 AI & Autonomous Technologies System Value Chain Fallbacks
AAT-26 AI & Autonomous Technologies Testing Techniques
AAT-26.1 Generative Artificial Intelligence (GAI) Identification
AAT-26.2 AI & Autonomous Technologies Capabilities Testing
AAT-26.3 Real-World Testing
AAT-26.4 Documenting Testing Guidance
AAT-27 AI & Autonomous Technologies Output Filtering
AAT-27.1 Human Moderation
AAT-28 AI Model Resilience
AAT-28.1 Model Pollution
AAT-28.2 Cascading Hallucination Defense
AAT-28.3 Resource Exhaustion & DoS Resilience
AAT-29 AI Agent Governance
AAT-29.1 Infrastructure Hardening & Isolation
AAT-29.2 AI Agent Limitations
AAT-29.3 Tool & API Invocation Controls
AAT-29.4 Orchestration Protocol Safeguards
AAT-29.5 Data Pipeline & Input Integrity
AAT-29.6 Privileged Role & Delegation Boundaries
AAT-29.7 AI Agent Data Access Restrictions
AAT-29.8 Data Extraction
AAT-29.9 AI Agent Identity & Impersonation Defense
AAT-29.10 AI Agent Logic Integrity
AAT-29.11 Sandboxing AI Agents
AAT-29.12 Prompt Injection Defense
AAT-29.13 Agent Kill Switch / User Control
AAT-29.14 Adversarial & Red Team Testing
AAT-29.15 Self-Modification Controls
AAT-29.16 Purging AI Agent Data
AAT-29.17 Delegation and Chaining Control
AAT-29.18 Behavioral Drift Detection
AAT-29.19 AI Agent Action Authentication & Authorization
AAT-29.20 Transparency & Audit
AAT-29.21 Explainability
AAT-29.22 Ethics, Fairness & Bias Detection
AAT-29.23 Agent Output Integrity & Verification
AAT-30 Agentic Output Traceability & Repudiation
AAT-30.1 AI Agent Logging
AAT-30.2 Session Management
AAT-31 Human-in-the-Loop Workload & Manipulation
AAT-32 Robotic Process Automation (RPA)
AAT-32.1 Business Process Task Enumeration

AST Asset Management (62 controls)

AST-01 Asset Governance
AST-01.1 Asset-Service Dependencies
AST-01.2 Stakeholder Identification & Involvement
AST-01.3 Standardized Naming Convention
AST-01.4 Approved Technologies
AST-02 Asset Inventories
AST-02.1 Updates During Installations / Removals
AST-02.2 Automated Unauthorized Component Detection
AST-02.3 Component Duplication Avoidance
AST-02.4 Approved Baseline Deviations
AST-02.5 Network Access Control (NAC)
AST-02.6 Dynamic Host Configuration Protocol (DHCP) Server Logging
AST-02.7 Software Licensing Restrictions
AST-02.8 Data Action Mapping
AST-02.9 Configuration Management Database (CMDB)
AST-02.10 Automated Location Tracking
AST-02.11 Component Assignment
AST-03 Asset Ownership Assignment
AST-03.1 Accountability Information
AST-03.2 Provenance
AST-04 Network Diagrams & Data Flow Diagrams (DFDs)
AST-04.1 Asset Scope Classification
AST-04.2 Control Applicability Boundary Graphical Representation
AST-04.3 Compliance-Specific Asset Identification
AST-05 Security of Assets & Media
AST-05.1 Management Approval For External Media Transfer
AST-06 Unattended End-User Equipment
AST-06.1 Asset Storage In Automobiles
AST-07 Kiosks & Point of Interaction (PoI) Devices
AST-08 Physical Tampering Detection
AST-09 Secure Disposal, Destruction or Re-Use of Equipment
AST-10 Return of Assets
AST-11 Removal of Assets
AST-12 Use of Personal Devices
AST-13 Use of Third-Party Devices
AST-14 Usage Parameters
AST-14.1 Bluetooth & Wireless Devices
AST-14.2 Infrared Communications
AST-15 Logical Tampering Protection
AST-15.1 Technology Asset Inspections
AST-16 Bring Your Own Device (BYOD) Usage
AST-17 Prohibited Equipment & Services
AST-18 Roots of Trust Protection
AST-19 Telecommunications Equipment
AST-20 Video Teleconference (VTC) Security
AST-21 Voice Over Internet Protocol (VoIP) Security
AST-22 Microphones & Web Cameras
AST-23 Multi-Function Devices (MFD)
AST-24 Travel-Only Devices
AST-25 Re-Imaging Devices After Travel
AST-26 System Administrative Processes
AST-27 Jump Server
AST-28 Database Administrative Processes
AST-28.1 Database Management System (DBMS)
AST-29 Radio Frequency Identification (RFID) Security
AST-29.1 Contactless Access Control Systems
AST-30 Decommissioning
AST-31 Asset Categorization
AST-31.1 Categorize Artificial Intelligence (AI)-Related Technologies
AST-31.2 High-Risk Asset Categorization
AST-31.3 Asset Attributes
AST-32 Automated Network Asset Discovery

BCD Business Continuity & Disaster Recovery (58 controls)

BCD-01 Business Continuity Management System (BCMS)
BCD-01.1 Coordinate with Related Plans
BCD-01.2 Coordinate With External Service Providers
BCD-01.3 Transfer to Alternate Processing / Storage Site
BCD-01.4 Recovery Time / Point Objectives (RTO / RPO)
BCD-01.5 Recovery Operations Criteria
BCD-01.6 Recovery Operations Communications
BCD-02 Identify Critical Assets
BCD-02.1 Resume All Missions & Business Functions
BCD-02.2 Continue Essential Mission & Business Functions
BCD-02.3 Resume Essential Missions & Business Functions
BCD-02.4 Data Storage Location Reviews
BCD-03 Contingency Training
BCD-03.1 Simulated Events
BCD-03.2 Automated Training Environments
BCD-04 Contingency Plan Testing & Exercises
BCD-04.1 Coordinated Testing with Related Plans
BCD-04.2 Alternate Storage & Processing Sites
BCD-05 Contingency Plan Root Cause Analysis (RCA) & Lessons Learned
BCD-06 Ongoing Contingency Planning
BCD-06.1 Contingency Planning Components
BCD-06.2 Contingency Plan Update Notifications
BCD-07 Alternative Security Measures
BCD-08 Alternate Storage Site
BCD-08.1 Separation from Primary Site
BCD-08.2 Accessibility
BCD-09 Alternate Processing Site
BCD-09.1 Separation from Primary Site
BCD-09.2 Accessibility
BCD-09.3 Alternate Site Priority of Service
BCD-09.4 Preparation for Use
BCD-09.5 Inability to Return to Primary Site
BCD-10 Telecommunications Services Availability
BCD-10.1 Telecommunications Priority of Service Provisions
BCD-10.2 Separation of Primary / Alternate Providers
BCD-10.3 Provider Contingency Plan
BCD-10.4 Alternate Communications Channels
BCD-11 Data Backups
BCD-11.1 Testing for Reliability & Integrity
BCD-11.2 Separate Storage for Critical Information
BCD-11.3 Recovery Images
BCD-11.4 Cryptographic Protection
BCD-11.5 Test Restoration Using Sampling
BCD-11.6 Transfer to Alternate Storage Site
BCD-11.7 Redundant Secondary System
BCD-11.8 Dual Authorization For Backup Media Destruction
BCD-11.9 Backup Access
BCD-11.10 Backup Modification and/or Destruction
BCD-12 Technology Assets, Applications and/or Services (TAAS) Recovery & Reconstitution
BCD-12.1 Transaction Recovery
BCD-12.2 Failover Capability
BCD-12.3 Electronic Discovery (eDiscovery)
BCD-12.4 Restore Within Time Period
BCD-13 Backup & Restoration Hardware Protection
BCD-13.1 Restoration Integrity Verification
BCD-14 Isolated Recovery Environment
BCD-15 Reserve Hardware
BCD-16 AI & Autonomous Technologies Incidents

DCH Data Classification & Handling (85 controls)

DCH-01 Data Protection
DCH-01.1 Data Stewardship
DCH-01.2 Sensitive / Regulated Data Protection
DCH-01.3 Sensitive / Regulated Media Records
DCH-01.4 Defining Access Authorizations for Sensitive / Regulated Data
DCH-02 Data & Asset Classification
DCH-02.1 Highest Classification Level
DCH-03 Media Access
DCH-03.1 Disclosure of Information
DCH-03.2 Masking Displayed Data
DCH-03.3 Controlled Release
DCH-04 Media Marking
DCH-04.1 Automated Marking
DCH-05 Cybersecurity & Data Protection Attributes
DCH-05.1 Dynamic Attribute Association
DCH-05.2 Attribute Value Changes By Authorized Individuals
DCH-05.3 Maintenance of Attribute Associations By System
DCH-05.4 Association of Attributes By Authorized Individuals
DCH-05.5 Attribute Displays for Output Devices
DCH-05.6 Data Subject Attribute Associations
DCH-05.7 Consistent Attribute Interpretation
DCH-05.8 Identity Association Techniques & Technologies
DCH-05.9 Attribute Reassignment
DCH-05.10 Attribute Configuration By Authorized Individuals
DCH-05.11 Audit Changes
DCH-06 Media Storage
DCH-06.1 Physically Secure All Media
DCH-06.2 Sensitive Data Inventories
DCH-06.3 Periodic Scans for Sensitive / Regulated Data
DCH-06.4 Making Sensitive Data Unreadable In Storage
DCH-06.5 Storing Authentication Data
DCH-07 Media Transportation
DCH-07.1 Custodians
DCH-07.2 Encrypting Data In Storage Media
DCH-08 Physical Media Disposal
DCH-09 System Media Sanitization
DCH-09.1 System Media Sanitization Documentation
DCH-09.2 Equipment Testing
DCH-09.3 Sanitization of Personal Data (PD)
DCH-09.4 First Time Use Sanitization
DCH-09.5 Dual Authorization for Sensitive Data Destruction
DCH-10 Media Use
DCH-10.1 Limitations on Use
DCH-10.2 Prohibit Use Without Owner
DCH-11 Data Reclassification
DCH-12 Removable Media Security
DCH-13 Use of External Technology Assets, Applications and/or Services (TAAS)
DCH-13.1 Limits of Authorized Use
DCH-13.2 Portable Storage Devices
DCH-13.3 Protecting Sensitive / Regulated Data on External Technology Assets, Applications and/or Services (TAAS)
DCH-13.4 Non-Organizationally Owned Technology Assets, Applications and/or Services (TAAS)
DCH-14 Information Sharing
DCH-14.1 Information Search & Retrieval
DCH-14.2 Transfer Authorizations
DCH-14.3 Data Access Mapping
DCH-15 Publicly Accessible Content
DCH-16 Data Mining Protection
DCH-17 Ad-Hoc Transfers
DCH-18 Media & Data Retention
DCH-18.1 Minimize Sensitive / Regulated Data
DCH-18.2 Limit Sensitive / Regulated Data In Testing, Training & Research
DCH-18.3 Temporary Files Containing Personal Data (PD)
DCH-19 Geographic Location of Data
DCH-20 Archived Data Sets
DCH-21 Information Disposal
DCH-22 Data Quality Operations
DCH-22.1 Updating & Correcting Personal Data (PD)
DCH-22.2 Data Tags
DCH-22.3 Primary Source Personal Data (PD) Collection
DCH-23 De-Identification (Anonymization)
DCH-23.1 De-Identify Dataset Upon Collection
DCH-23.2 Archiving
DCH-23.3 Release
DCH-23.4 Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers
DCH-23.5 Statistical Disclosure Control
DCH-23.6 Differential Data Privacy
DCH-23.7 Automated De-Identification of Sensitive Data
DCH-23.8 Motivated Intruder
DCH-23.9 Code Names
DCH-24 Information Location
DCH-24.1 Automated Tools to Support Information Location
DCH-25 Transfer of Sensitive and/or Regulated Data
DCH-25.1 Transfer Activity Limits
DCH-26 Data Localization
DCH-27 Data Rights Management (DRM)

END Endpoint Security (47 controls)

END-01 Endpoint Device Management (EDM)
END-01.1 Unified Endpoint Device Management (UEDM)
END-02 Endpoint Protection Measures
END-03 Prohibit Installation Without Privileged Status
END-03.1 Software Installation Alerts
END-03.2 Governing Access Restriction for Change
END-04 Malicious Code Protection (Anti-Malware)
END-04.1 Automatic Antimalware Signature Updates
END-04.2 Documented Protection Measures
END-04.3 Centralized Management of Antimalware Technologies
END-04.4 Heuristic / Nonsignature-Based Detection
END-04.5 Malware Protection Mechanism Testing
END-04.6 Evolving Malware Threats
END-04.7 Always On Protection
END-05 Software Firewall
END-06 Endpoint File Integrity Monitoring (FIM)
END-06.1 Integrity Checks
END-06.2 Endpoint Detection & Response (EDR)
END-06.3 Automated Notifications of Integrity Violations
END-06.4 Automated Response to Integrity Violations
END-06.5 Boot Process Integrity
END-06.6 Protection of Boot Firmware
END-06.7 Binary or Machine-Executable Code
END-06.8 Extended Detection & Response (XDR)
END-07 Host Intrusion Detection and Prevention Systems (HIDS / HIPS)
END-08 Phishing & Spam Protection
END-08.1 Central Management
END-08.2 Automatic Spam and Phishing Protection Updates
END-09 Trusted Path
END-10 Mobile Code
END-11 Thin Nodes
END-12 Port & Input / Output (I/O) Device Access
END-13 Sensor Capability
END-13.1 Authorized Use
END-13.2 Notice of Collection
END-13.3 Collection Minimization
END-13.4 Sensor Delivery Verification
END-14 Collaborative Computing Devices
END-14.1 Disabling / Removal In Secure Work Areas
END-14.2 Explicitly Indicate Current Participants
END-14.3 Participant Identity Verification
END-14.4 Participant Connection Management
END-14.5 Malicious Link & File Protections
END-14.6 Explicit Indication Of Use
END-15 Hypervisor Access
END-16 Restrict Access To Security Functions
END-16.1 Host-Based Security Function Isolation

GOV Cybersecurity & Data Protection Governance (38 controls)

HRS Human Resources Security (46 controls)

HRS-01 Human Resources Security Management
HRS-01.1 Onboarding, Transferring & Offboarding Personnel
HRS-02 Position Categorization
HRS-02.1 Users With Elevated Privileges
HRS-02.2 Probationary Periods
HRS-03 Defined Roles & Responsibilities
HRS-03.1 User Awareness
HRS-03.2 Competency Requirements for Security-Related Positions
HRS-04 Personnel Screening
HRS-04.1 Roles With Special Protection Measures
HRS-04.2 Formal Indoctrination
HRS-04.3 Citizenship Requirements
HRS-04.4 Citizenship Identification
HRS-05 Terms of Employment
HRS-05.1 Rules of Behavior
HRS-05.2 Social Media & Social Networking Restrictions
HRS-05.3 Technology Use Restrictions
HRS-05.4 Use of Critical Technologies
HRS-05.5 Use of Mobile Devices
HRS-05.6 Security-Minded Dress Code
HRS-05.7 Policy Familiarization & Acknowledgement
HRS-06 Access Agreements
HRS-06.1 Confidentiality Agreements
HRS-06.2 Post-Employment Requirements Awareness
HRS-07 Personnel Sanctions
HRS-07.1 Workplace Investigations
HRS-07.2 Updating Disciplinary Processes
HRS-07.3 Preventative Access Restriction
HRS-08 Personnel Transfer
HRS-09 Personnel Termination
HRS-09.1 Asset Collection
HRS-09.2 High-Risk Terminations
HRS-09.3 Post-Employment Requirements Notification
HRS-09.4 Automated Employment Status Notifications
HRS-10 Third-Party Personnel Security
HRS-11 Separation of Duties (SoD)
HRS-12 Incompatible Roles
HRS-12.1 Two-Person Rule
HRS-13 Identify Critical Skills & Gaps
HRS-13.1 Remediate Identified Skills Deficiencies
HRS-13.2 Identify Vital Cybersecurity & Data Privacy Staff
HRS-13.3 Establish Redundancy for Vital Cybersecurity & Data Privacy Staff
HRS-13.4 Perform Succession Planning
HRS-14 Identifying Authorized Work Locations
HRS-14.1 Communicating Authorized Work Locations
HRS-15 Reporting Suspicious Activities

IAC Identification & Authentication (112 controls)

IAC-01 Identity & Access Management (IAM)
IAC-01.1 Retain Access Records
IAC-01.2 Authenticate, Authorize and Audit (AAA)
IAC-01.3 User & Service Account Inventories
IAC-02 Identification & Authentication for Organizational Users
IAC-02.1 Group Authentication
IAC-02.2 Replay-Resistant Authentication
IAC-02.3 Acceptance of PIV Credentials
IAC-02.4 Out-of-Band Authentication (OOBA)
IAC-03 Identification & Authentication for Non-Organizational Users
IAC-03.1 Acceptance of PIV Credentials from Other Organizations
IAC-03.2 Acceptance of Third-Party Credentials
IAC-03.3 Use of FICAM-Issued Profiles
IAC-03.4 Disassociability
IAC-03.5 Acceptance of External Authenticators
IAC-04 Identification & Authentication for Devices
IAC-04.1 Device Attestation
IAC-04.2 Device Authorization Enforcement
IAC-05 Identification & Authentication for Third-Party Technology Assets, Applications and/or Services (TAAS)
IAC-05.1 Sharing Identification & Authentication Information
IAC-05.2 Privileged Access by Non-Organizational Users
IAC-06 Multi-Factor Authentication (MFA)
IAC-06.1 Network Access to Privileged Accounts
IAC-06.2 Network Access to Non-Privileged Accounts
IAC-06.3 Local Access to Privileged Accounts
IAC-06.4 Out-of-Band Multi-Factor Authentication
IAC-06.5 Alternative Multi-Factor Authentication
IAC-07 User Provisioning & De-Provisioning
IAC-07.1 Change of Roles & Duties
IAC-07.2 Termination of Employment
IAC-08 Role-Based Access Control (RBAC)
IAC-09 Identifier Management (User Names)
IAC-09.1 User Identity (ID) Management
IAC-09.2 Identity User Status
IAC-09.3 Dynamic Management
IAC-09.4 Cross-Organization Management
IAC-09.5 Privileged Account Identifiers
IAC-09.6 Pairwise Pseudonymous Identifiers (PPID)
IAC-10 Authenticator Management
IAC-10.1 Password-Based Authentication
IAC-10.2 PKI-Based Authentication
IAC-10.3 In-Person or Trusted Third-Party Registration
IAC-10.4 Automated Support For Password Strength
IAC-10.5 Protection of Authenticators
IAC-10.6 No Embedded Unencrypted Static Authenticators
IAC-10.7 Hardware Token-Based Authentication
IAC-10.8 Default Authenticators
IAC-10.9 Multiple System Accounts
IAC-10.10 Expiration of Cached Authenticators
IAC-10.11 Password Managers
IAC-10.12 Biometric Authentication
IAC-10.13 Events Requiring Authenticator Change
IAC-10.14 Passkeys
IAC-11 Authenticator Feedback
IAC-12 Cryptographic Module Authentication
IAC-12.1 Hardware Security Modules (HSM)
IAC-13 Adaptive Identification & Authentication
IAC-13.1 Single Sign-On (SSO) Transparent Authentication
IAC-13.2 Federated Credential Management
IAC-13.3 Continuous Authentication
IAC-14 Re-Authentication
IAC-15 Account Management
IAC-15.1 Automated System Account Management (Directory Services)
IAC-15.2 Removal of Temporary / Emergency Accounts
IAC-15.3 Disable Inactive Accounts
IAC-15.4 Automated Audit Actions
IAC-15.5 Restrictions on Shared Groups / Accounts
IAC-15.6 Account Disabling for High Risk Individuals
IAC-15.7 System Account Reviews
IAC-15.8 Usage Conditions
IAC-15.9 Emergency Accounts
IAC-16 Privileged Account Management (PAM)
IAC-16.1 Privileged Account Inventories
IAC-16.2 Privileged Account Separation
IAC-16.3 Privileged Command Execution
IAC-16.4 Dedicated Privileged Account
IAC-17 Periodic Review of Account Privileges
IAC-18 User Responsibilities for Account Management
IAC-19 Credential Sharing
IAC-20 Access Enforcement
IAC-20.1 Access To Sensitive / Regulated Data
IAC-20.2 Database Access
IAC-20.3 Use of Privileged Utility Programs
IAC-20.4 Dedicated Administrative Machines
IAC-20.5 Dual Authorization for Privileged Commands
IAC-20.6 Revocation of Access Authorizations
IAC-20.7 Authorized System Accounts
IAC-21 Least Privilege
IAC-21.1 Authorize Access to Security Functions
IAC-21.2 Non-Privileged Access for Non-Security Functions
IAC-21.3 Management Approval For Privileged Accounts
IAC-21.4 Auditing Use of Privileged Functions
IAC-21.5 Prohibit Non-Privileged Users from Executing Privileged Functions
IAC-21.6 Network Access to Privileged Commands
IAC-21.7 Privilege Levels for Code Execution
IAC-22 Account Lockout
IAC-23 Concurrent Session Control
IAC-24 Session Lock
IAC-24.1 Pattern-Hiding Displays
IAC-25 Session Termination
IAC-25.1 User-Initiated Logouts / Message Displays
IAC-26 Permitted Actions Without Identification or Authorization
IAC-27 Reference Monitor
IAC-28 Identity Proofing (Identity Verification)
IAC-28.1 Management Approval For New or Changed Accounts
IAC-28.2 Identity Evidence
IAC-28.3 Identity Evidence Validation & Verification
IAC-28.4 In-Person Validation & Verification
IAC-28.5 Address Confirmation
IAC-29 Attribute-Based Access Control (ABAC)
IAC-29.1 Real-Time Access Decisions
IAC-29.2 Access Profile Rules

IRO Incident Response (41 controls)

IRO-01 Incident Response Operations
IRO-02 Incident Handling
IRO-02.1 Automated Incident Handling Processes
IRO-02.2 Insider Threat Response Capability
IRO-02.3 Dynamic Reconfiguration
IRO-02.4 Incident Classification & Prioritization
IRO-02.5 Correlation with External Organizations
IRO-02.6 Automatic Disabling of Technology Assets, Applications and/or Services (TAAS)
IRO-03 Indicators of Compromise (IOC)
IRO-04 Incident Response Plan (IRP)
IRO-04.1 Data Breach
IRO-04.2 IRP Update
IRO-04.3 Continuous Incident Response Improvements
IRO-05 Incident Response Training
IRO-05.1 Simulated Incidents
IRO-05.2 Automated Incident Response Training Environments
IRO-06 Incident Response Testing
IRO-06.1 Coordination with Related Plans
IRO-07 Integrated Security Incident Response Team (ISIRT)
IRO-08 Chain of Custody & Forensics
IRO-09 Situational Awareness For Incidents
IRO-09.1 Automated Tracking, Data Collection & Analysis
IRO-09.2 Recurring Incident Analysis
IRO-10 Incident Stakeholder Reporting
IRO-10.1 Automated Reporting
IRO-10.2 Cyber Incident Reporting for Sensitive / Regulated Data
IRO-10.3 Vulnerabilities Related To Incidents
IRO-10.4 Supply Chain Coordination
IRO-10.5 Serious Incident Reporting
IRO-11 Incident Reporting Assistance
IRO-11.1 Automation Support of Availability of Information / Support
IRO-11.2 Coordination With External Providers
IRO-12 Sensitive / Regulated Data Spill Response
IRO-12.1 Sensitive / Regulated Data Spill Responsible Personnel
IRO-12.2 Sensitive / Regulated Data Spill Training
IRO-12.3 Post-Sensitive / Regulated Data Spill Operations
IRO-12.4 Sensitive / Regulated Data Exposure to Unauthorized Personnel
IRO-13 Root Cause Analysis (RCA) & Lessons Learned
IRO-14 Regulatory & Law Enforcement Contacts
IRO-15 Detonation Chambers (Sandboxes)
IRO-16 Public Relations & Reputation Repair

MON Continuous Monitoring (70 controls)

MON-01 Continuous Monitoring
MON-01.1 Intrusion Detection & Prevention Systems (IDS & IPS)
MON-01.2 Automated Tools for Real-Time Analysis
MON-01.3 Inbound & Outbound Communications Traffic
MON-01.4 System Generated Alerts
MON-01.5 Wireless Intrusion Detection System (WIDS)
MON-01.6 Host-Based Devices
MON-01.7 File Integrity Monitoring (FIM)
MON-01.8 Security Event Monitoring
MON-01.9 Proxy Logging
MON-01.10 Deactivated Account Activity
MON-01.11 Automated Response to Suspicious Events
MON-01.12 Automated Alerts
MON-01.13 Alert Threshold Tuning
MON-01.14 Individuals Posing Greater Risk
MON-01.15 Privileged User Oversight
MON-01.16 Analyze and Prioritize Monitoring Requirements
MON-01.17 Real-Time Session Monitoring
MON-02 Centralized Collection of Security Event Logs
MON-02.1 Correlate Monitoring Information
MON-02.2 Central Review & Analysis
MON-02.3 Integration of Scanning & Other Monitoring Information
MON-02.4 Correlation with Physical Monitoring
MON-02.5 Permitted Actions
MON-02.6 Audit Level Adjustments
MON-02.7 System-Wide / Time-Correlated Audit Trail
MON-02.8 Changes by Authorized Individuals
MON-02.9 Inventory of Technology Asset Event Logging
MON-03 Content of Event Logs
MON-03.1 Sensitive Audit Information
MON-03.2 Audit Trails
MON-03.3 Privileged Functions Logging
MON-03.4 Verbosity Logging for Boundary Devices
MON-03.5 Limit Personal Data (PD) In Audit Records
MON-03.6 Centralized Management of Planned Audit Record Content
MON-03.7 Database Logging
MON-04 Event Log Storage Capacity
MON-05 Response To Event Log Processing Failures
MON-05.1 Real-Time Alerts of Event Logging Failure
MON-05.2 Event Log Storage Capacity Alerting
MON-06 Monitoring Reporting
MON-06.1 Query Parameter Audits of Personal Data (PD)
MON-06.2 Trend Analysis Reporting
MON-07 Time Stamps
MON-07.1 Synchronization With Authoritative Time Source
MON-08 Protection of Event Logs
MON-08.1 Event Log Backup on Separate Physical Systems / Components
MON-08.2 Access by Subset of Privileged Users
MON-08.3 Cryptographic Protection of Event Log Information
MON-08.4 Dual Authorization for Event Log Movement
MON-09 Non-Repudiation
MON-09.1 Identity Binding
MON-10 Event Log Retention
MON-11 Monitoring For Information Disclosure
MON-11.1 Analyze Traffic for Covert Exfiltration
MON-11.2 Unauthorized Network Services
MON-11.3 Monitoring for Indicators of Compromise (IOC)
MON-12 Session Audit
MON-13 Alternate Event Logging Capability
MON-14 Cross-Organizational Monitoring
MON-14.1 Sharing of Event Logs
MON-15 Covert Channel Analysis
MON-16 Anomalous Behavior
MON-16.1 Insider Threats
MON-16.2 Third-Party Threats
MON-16.3 Unauthorized Activities
MON-16.4 Account Creation and Modification Logging
MON-17 Event Log Analysis & Triage
MON-17.1 Event Log Review Escalation Matrix
MON-18 File Activity Monitoring (FAM)

NET Network Security (98 controls)

NET-01 Network Security Controls (NSC)
NET-01.1 Zero Trust Architecture (ZTA)
NET-02 Layered Network Defenses
NET-02.1 Denial of Service (DoS) Protection
NET-02.2 Guest Networks
NET-02.3 Cross Domain Solution (CDS)
NET-03 Boundary Protection
NET-03.1 Limit Network Connections
NET-03.2 External Telecommunications Services
NET-03.3 Prevent Discovery of Internal Information
NET-03.4 Personal Data (PD)
NET-03.5 Prevent Unauthorized Exfiltration
NET-03.6 Dynamic Isolation & Segregation (Sandboxing)
NET-03.7 Isolation of System Components
NET-03.8 Separate Subnet for Connecting to Different Security Domains
NET-04 Data Flow Enforcement – Access Control Lists (ACLs)
NET-04.1 Deny Traffic by Default & Allow Traffic by Exception
NET-04.2 Object Security Attributes
NET-04.3 Content Check for Encrypted Data
NET-04.4 Embedded Data Types
NET-04.5 Metadata
NET-04.6 Human Reviews
NET-04.7 Policy Decision Point (PDP)
NET-04.8 Data Type Identifiers
NET-04.9 Decomposition Into Policy-Related Subcomponents
NET-04.10 Detection of Unsanctioned Information
NET-04.11 Approved Solutions
NET-04.12 Cross Domain Authentication
NET-04.13 Metadata Validation
NET-04.14 Application Proxy
NET-05 Interconnection Security Agreements (ISAs)
NET-05.1 External System Connections
NET-05.2 Internal System Connections
NET-06 Network Segmentation (Macrosegmentation)
NET-06.1 Security Management Subnets
NET-06.2 Virtual Local Area Network (VLAN) Separation
NET-06.3 Sensitive / Regulated Data Enclave (Secure Zone)
NET-06.4 Segregation From Enterprise Services
NET-06.5 Direct Internet Access Restrictions
NET-06.6 Microsegmentation
NET-06.7 Software Defined Networking (SDN)
NET-07 Network Connection Termination
NET-08 Network Intrusion Detection / Prevention Systems (NIDS / NIPS)
NET-08.1 DMZ Networks
NET-08.2 Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS)
NET-08.3 Host Containment
NET-08.4 Resource Containment
NET-09 Session Integrity
NET-09.1 Invalidate Session Identifiers at Logout
NET-09.2 Unique System-Generated Session Identifiers
NET-10 Domain Name Service (DNS) Resolution
NET-10.1 Architecture & Provisioning for Name / Address Resolution Service
NET-10.2 Secure Name / Address Resolution Service (Recursive or Caching Resolver)
NET-10.3 Sender Policy Framework (SPF)
NET-10.4 Domain Registrar Security
NET-11 Out-of-Band Channels
NET-12 Safeguarding Data Over Open Networks
NET-12.1 Wireless Link Protection
NET-12.2 End-User Messaging Technologies
NET-13 Electronic Messaging
NET-14 Remote Access
NET-14.1 Automated Monitoring & Control
NET-14.2 Protection of Confidentiality / Integrity Using Encryption
NET-14.3 Managed Access Control Points
NET-14.4 Remote Privileged Commands & Sensitive Data Access
NET-14.5 Work From Anywhere (WFA) - Telecommuting Security
NET-14.6 Third-Party Remote Access Governance
NET-14.7 Endpoint Security Validation
NET-14.8 Expeditious Disconnect / Disable Capability
NET-15 Wireless Networking
NET-15.1 Authentication & Encryption
NET-15.2 Disable Wireless Networking
NET-15.3 Restrict Configuration By Users
NET-15.4 Wireless Boundaries
NET-15.5 Rogue Wireless Detection
NET-16 Intranets
NET-17 Data Loss Prevention (DLP)
NET-18 DNS & Content Filtering
NET-18.1 Route Internal Traffic to Proxy Servers
NET-18.2 Visibility of Encrypted Communications
NET-18.3 Route Privileged Network Access
NET-18.4 Protocol Compliance Enforcement
NET-18.5 Domain Name Verification
NET-18.6 Internet Address Denylisting
NET-18.7 Bandwidth Control
NET-18.8 Authenticated Proxy
NET-18.9 Certificate Denylisting
NET-19 Content Disarm and Reconstruction (CDR)
NET-20 Email Content Protections
NET-20.1 Email Domain Reputation Protections
NET-20.2 Sender Denylisting
NET-20.3 Authenticated Received Chain (ARC)
NET-20.4 Domain-Based Message Authentication Reporting and Conformance (DMARC)
NET-20.5 User Digital Signatures for Outgoing Email
NET-20.6 Encryption for Outgoing Email
NET-20.7 Adaptive Email Protections
NET-20.8 Email Labeling
NET-20.9 User Threat Reporting

PES Physical & Environmental Security (51 controls)

PES-01 Physical & Environmental Protections
PES-01.1 Physical Security Plan (PSP)
PES-01.2 Zone-Based Physical Security
PES-02 Physical Access Authorizations
PES-02.1 Role-Based Physical Access
PES-02.2 Dual Authorization for Physical Access
PES-03 Physical Access Control
PES-03.1 Controlled Ingress & Egress Points
PES-03.2 Lockable Physical Casings
PES-03.3 Physical Access Logs
PES-03.4 Access To Critical Systems
PES-04 Physical Security of Offices, Rooms & Facilities
PES-04.1 Working in Secure Areas
PES-04.2 Searches
PES-04.3 Temporary Storage
PES-05 Monitoring Physical Access
PES-05.1 Intrusion Alarms / Surveillance Equipment
PES-05.2 Monitoring Physical Access To Critical Systems
PES-06 Visitor Control
PES-06.1 Distinguish Visitors from On-Site Personnel
PES-06.2 Identification Requirement
PES-06.3 Restrict Unescorted Access
PES-06.4 Automated Records Management & Review
PES-06.5 Minimize Visitor Personal Data (PD)
PES-06.6 Visitor Access Revocation
PES-07 Supporting Utilities
PES-07.1 Automatic Voltage Controls
PES-07.2 Emergency Shutoff
PES-07.3 Emergency Power
PES-07.4 Emergency Lighting
PES-07.5 Water Damage Protection
PES-07.6 Automation Support for Water Damage Protection
PES-07.7 Redundant Cabling
PES-08 Fire Protection
PES-08.1 Fire Detection Devices
PES-08.2 Fire Suppression Devices
PES-08.3 Automatic Fire Suppression
PES-09 Temperature & Humidity Controls
PES-09.1 Monitoring with Alarms / Notifications
PES-10 Delivery & Removal
PES-11 Alternate Work Site
PES-12 Equipment Siting & Protection
PES-12.1 Transmission Medium Security
PES-12.2 Access Control for Output Devices
PES-13 Information Leakage Due To Electromagnetic Signals Emanations
PES-14 Asset Monitoring and Tracking
PES-15 Electromagnetic Pulse (EMP) Protection
PES-16 Component Marking
PES-17 Proximity Sensor
PES-18 On-Site Client Segregation
PES-19 Physical Access Device Inventories

PRI Data Privacy (102 controls)

PRI-01 Data Privacy Program
PRI-01.1 Chief Privacy Officer (CPO)
PRI-01.2 Privacy Act Statements
PRI-01.3 Dissemination of Data Privacy Program Information
PRI-01.4 Data Protection Officer (DPO)
PRI-01.5 Binding Corporate Rules (BCR)
PRI-01.6 Security of Personal Data (PD)
PRI-01.7 Limiting Personal Data (PD) Disclosures
PRI-01.8 Data Fiduciary
PRI-01.9 Personal Data (PD) Process Manager
PRI-01.10 Financial Incentives For Personal Data (PD)
PRI-01.11 Reasonable Data Privacy Practices
PRI-02 Data Privacy Notice
PRI-02.1 Purpose Specification
PRI-02.2 Automated Data Management Processes
PRI-02.3 Computer Matching Agreements (CMA)
PRI-02.4 System of Records Notice (SORN)
PRI-02.5 System of Records Notice (SORN) Review Process
PRI-02.6 Privacy Act Exemptions
PRI-02.7 Real-Time or Layered Notice
PRI-02.8 Purpose Compatibility
PRI-02.9 Privacy Notice Formatting
PRI-02.10 Symmetry In Choice
PRI-02.11 Choice Architecture
PRI-02.12 Choice Architecture Testing
PRI-02.13 Notice of Right To Limit
PRI-02.14 Alternative Means To Deliver Privacy Notice
PRI-03 Choice & Consent
PRI-03.1 Tailored Consent
PRI-03.2 Just-In-Time Notice & Updated Consent
PRI-03.3 Prohibition of Selling, Processing and/or Sharing Personal Data (PD)
PRI-03.4 Revoke Consent
PRI-03.5 Product or Service Delivery Restrictions
PRI-03.6 Authorized Agent
PRI-03.7 Active Participation By Data Subjects
PRI-03.8 Global Privacy Control (GPC)
PRI-03.9 Continued Use of Personal Data (PD)
PRI-03.10 Cease Processing, Storing and/or Sharing Personal Data (PD)
PRI-03.11 Communicating Processing Changes
PRI-03.12 Data Subject Opt-In Consent
PRI-03.13 Parent or Guardian Opt-In Consent For Minors
PRI-04 Restrict Collection To Identified Purpose
PRI-04.1 Authority To Collect, Process, Store & Share Personal Data (PD)
PRI-04.2 Primary Sources
PRI-04.3 Identifiable Image Collection
PRI-04.4 Acquired Personal Data (PD)
PRI-04.5 Validate Collected Personal Data (PD)
PRI-04.6 Re-Validate Collected Personal Data (PD)
PRI-04.7 Personal Data (PD) Collection Methods
PRI-05 Personal Data (PD) Retention & Disposal
PRI-05.1 Internal Use of Personal Data (PD) For Testing, Training and Research
PRI-05.2 Personal Data (PD) Accuracy & Integrity
PRI-05.3 Data Masking
PRI-05.4 Usage Restrictions of Personal Data (PD)
PRI-05.5 Inventory of Personal Data (PD)
PRI-05.6 Personal Data (PD) Inventory Automation Support
PRI-05.7 Personal Data (PD) Categories
PRI-05.8 Personal Data (PD) Formats
PRI-06 Data Subject Empowerment
PRI-06.1 Correcting Inaccurate Personal Data (PD)
PRI-06.2 Notice of Correction or Processing Change
PRI-06.3 Appeal Adverse Decision
PRI-06.4 User Feedback Management
PRI-06.5 Right to Erasure
PRI-06.6 Data Portability
PRI-06.7 Personal Data (PD) Exports
PRI-06.8 Data Subject Authentication
PRI-07 Information Sharing With Third Parties
PRI-07.1 Data Privacy Requirements for Contractors & Service Providers
PRI-07.2 Joint Processing of Personal Data (PD)
PRI-07.3 Obligation To Inform Third Parties
PRI-07.4 Reject Unauthenticated or Untrustworthy Disclosure Requests
PRI-07.5 Justification To Reject Disclosure Requests
PRI-08 Testing, Training & Monitoring
PRI-09 Personal Data (PD) Lineage
PRI-10 Data Quality Management
PRI-10.1 Data Quality Automation
PRI-10.2 Data Analytics Bias
PRI-11 Data Tagging
PRI-12 Updating Personal Data (PD) Process
PRI-12.1 Enabling Data Subjects To Update Personal Data (PD)
PRI-13 Data Management Board
PRI-14 Documenting Data Processing Activities
PRI-14.1 Accounting of Disclosures
PRI-14.2 Notification of Disclosure Request To Data Subject
PRI-15 Register As A Data Controller and/or Data Processor
PRI-16 Potential Human Rights Abuses
PRI-17 Data Subject Communications
PRI-17.1 Conspicuous Link To Data Privacy Notice
PRI-17.2 Notice of Financial Incentive
PRI-17.3 Data Subject Communications Documentation
PRI-17.4 Data Subject Communications Metrics
PRI-17.5 Data Subject Communications Disclosure
PRI-18 Data Controller Communications
PRI-19 Automated Decision-Making Technology (ADMT) For Data Subject Actions
PRI-19.1 Automated Decision-Making Technology (ADMT) Use Notification
PRI-19.2 Automated Decision-Making Technology (ADMT) Opt-Out Consent
PRI-19.3 Automated Decision-Making Technology (ADMT) Transparency
PRI-20 Data Brokers
PRI-21 Notice of Right To Opt-Out
PRI-21.1 Opt-Out Links
PRI-21.2 Alternative Opt-Out Link

TDA Technology Development & Acquisition (70 controls)

TDA-01 Technology Development & Acquisition
TDA-01.1 Product Management
TDA-01.2 Integrity Mechanisms for Software / Firmware Updates
TDA-01.3 Malware Testing Prior to Release
TDA-01.4 DevSecOps
TDA-02 Minimum Viable Product (MVP) Security Requirements
TDA-02.1 Ports, Protocols & Services In Use
TDA-02.2 Information Assurance Enabled Products
TDA-02.3 Development Methods, Techniques & Processes
TDA-02.4 Pre-Established Secure Configurations
TDA-02.5 Identification & Justification of Ports, Protocols & Services
TDA-02.6 Insecure Ports, Protocols & Services
TDA-02.7 Cybersecurity & Data Privacy Representatives For Product Changes
TDA-02.8 Minimizing Attack Surfaces
TDA-02.9 Ongoing Product Security Support
TDA-02.10 Product Testing & Reviews
TDA-02.11 Disclosure of Vulnerabilities
TDA-02.12 Products With Digital Elements
TDA-02.13 Reporting Exploitable Vulnerabilities
TDA-02.14 Logging Syntax
TDA-03 Commercial Off-The-Shelf (COTS) Security Solutions
TDA-03.1 Supplier Diversity
TDA-04 Documentation Requirements
TDA-04.1 Functional Properties
TDA-04.2 Software Bill of Materials (SBOM)
TDA-05 Developer Architecture & Design
TDA-05.1 Physical Diagnostic & Test Interfaces
TDA-05.2 Diagnostic & Test Interface Monitoring
TDA-06 Secure Software Development Practices (SSDP)
TDA-06.1 Criticality Analysis
TDA-06.2 Threat Modeling
TDA-06.3 Software Assurance Maturity Model (SAMM)
TDA-06.4 Supporting Toolchain
TDA-06.5 Software Design Review
TDA-06.6 Software Design Root Cause Analysis
TDA-07 Secure Development Environments
TDA-08 Separation of Development, Testing and Operational Environments
TDA-08.1 Secure Migration Practices
TDA-09 Cybersecurity & Data Protection Testing Throughout Development
TDA-09.1 Continuous Monitoring Plan
TDA-09.2 Static Code Analysis
TDA-09.3 Dynamic Code Analysis
TDA-09.4 Malformed Input Testing
TDA-09.5 Application Penetration Testing
TDA-09.6 Secure Settings By Default
TDA-09.7 Manual Code Review
TDA-10 Use of Live Data
TDA-10.1 Test Data Integrity
TDA-11 Product Tampering and Counterfeiting (PTC)
TDA-11.1 Anti-Counterfeit Training
TDA-11.2 Component Disposal
TDA-12 Customized Development of Critical Components
TDA-13 Developer Screening
TDA-14 Developer Configuration Management
TDA-14.1 Software / Firmware Integrity Verification
TDA-14.2 Hardware Integrity Verification
TDA-15 Developer Threat Analysis & Flaw Remediation
TDA-16 Developer-Provided Training
TDA-17 Unsupported Technology Assets, Applications and/or Services (TAAS)
TDA-17.1 Alternate Sources for Continued Support
TDA-18 Input Data Validation
TDA-19 Error Handling
TDA-20 Access to Program Source Code
TDA-20.1 Software Release Integrity Verification
TDA-20.2 Archiving Software Releases
TDA-20.3 Software Escrow
TDA-20.4 Approved Code
TDA-21 Product Conformity Governance
TDA-22 Technical Documentation Artifacts
TDA-22.1 Product-Specific Risk Assessment Artifacts