Masters of Science
Information Security and
Assurance
[COMPARISON OF IT SECURITY STANDARDS]
This paper proposes to document the relationship between the FISMA security standards and guidelines
and the ISO 27001 Information Security Management System (ISMS), and to provide a complete mapping
between the two.
Introduction
The idea that information security and assurance has become such a critical element of any
organization's efforts to manage risk is what drives the need for a well-defined, thoroughly
documented, and measurable way of implementing a system security program.
The phrase security framework is a collective term for the various documents that give advice on
topics related to information systems security, predominantly regarding the planning, implementing,
managing, and auditing of overall information security practices.
One weakness that is very common across all the security frameworks is the narrow focus to a
particular area, topic, or approach. Security should be a holistic practice, with input from a variety of
fields and a wide-ranging overview of the problem, as well as details suitable to the situation or
environment. As Eugene Spafford has famously said, a secure system is one that does what it is
supposed to (Breaux, Antón, & Spafford, 2009). Therefore, it is impossible to define a state of security
that is applicable to all computers, since not all computers are, in the minds of the users, supposed to do
the same thing.
Does the best practice mean something that will work for everyone in all situations? There is
very little (possibly nothing) that will be "secure" in any and every environment. Does best practice
Business Requirements
Organizations in the public and private sectors depend on information technology in support of
their missions and business functions. Information systems can be very diverse entities, ranging from
high-end supercomputers to very specialized systems (e.g., industrial/process control systems,
telecommunications systems, and environmental control systems). Information systems are subject to
risks that can have adverse effects on organizational operations (including missions, functions, image, or
reputation), organizational assets, individuals, other organizations, by compromising the confidentiality,
Organizational Risk
Risk related to the operation and use of information systems is another component of
organizational risk that senior leaders must address as a routine part of their ongoing risk management
responsibilities. Organizational risk can include many types of risk (e.g., investment risk, budgetary risk,
program management risk, legal liability risk, safety risk, inventory risk, and the risk from information
systems). Effective risk management requires recognition that organizations operate in a highly complex
and interconnected world using state-of-the-art and legacy information systems, systems that
organizations depend upon to accomplish critical missions and to conduct important business. Leaders
must recognize that explicit, well-informed management decisions are necessary in order to balance the
benefits gained from the use of these information systems with the risk of the same systems being the
vehicle through which adversaries cause mission or business failure (Bowen, Chew, & Hash, Information
Security Guide For Government Executives, 2007). Managing risk is not an exact science. It brings
together the best collective judgments of the individuals responsible for the strategic planning and
day-to-day operations of organizations to provide adequate security and risk mitigation for the information
systems supporting the missions and business functions of those organizations.
Management Commitment
To achieve success with information system-dependent processes, senior leaders must be
committed to making information security a fundamental mission/business requirement. This top-level
commitment ensures that sufficient resources are available in the design, development,
implementation, operation, and disposition of information systems to provide adequate levels of
security for the systems in light of the explicit expectations placed upon those systems.
Information security is a strategic capability and an enabler of missions and business functions
across the organization. However, information security is but one important factor among many factors
considered by senior leaders in carrying out their risk management responsibilities within the
Recognition and acceptance by senior leaders/executives of the risks (including potential magnitude
of harm) to organizational operations and assets, individuals, other organizations, and the Nation
arising from the use of information systems; and
Security Standards
Recognition of due care, due diligence and legal compliance in the adequate protection of
information assets is a universally acknowledged business requirement for organizations of all types
and sizes worldwide. Certification against well-known standards is the key to obtaining that recognition.
This paper will explore the two best-known security certifications that define a process for
Project Plan
There are many different types of project. In practice they all have a number of common stages,
which will be included in my Capstone Project Plan, as shown below in Figure 1.
The Initiation Stage will typically confirm the project feasibility, and agree upon a scope and the
main objectives. I will establish a project charter and focus on the business drivers as the main
objectives. This stage will also consider risk and feasibility in the initiation phase review.
The Planning Stage shall list what to be done and when in the form of a Project Plan. A Quality
Control Plan evolves during this stage to provide metrics for staying on track, in order to meet
the project objectives.
The Execution Stage is broken down into many tasks, culminating in the compilation of the
deliverables.
The Testing Stage, also referred to as the Monitoring Stage, fulfils quality assurance tasks,
rectifying defects until the project deliverables pass their acceptance criteria. These tasks break down
into three separate categories of management: time, quality and acceptance.
Submission of the project deliverables, along with the Project Closure Report, commences
during the Release Stage.
The Project Closure Stage will confirm realization of objectives and benefits, provide an oral
assessment of deliverables, and close down the project.
Standards Overview
I am going to provide a guiding statement that you should keep in mind as I outline a more
detailed overview of the two standards. The NIST Risk Management Framework is focused on defining,
assessing, implementing, and monitoring the risk of a specific system, whereas the Information Security
Management System of the ISO 27001 standard is primarily a management system standard for which
compliance requires the organization to have a suite of management controls in place, not necessarily
information security controls. In summary, NIST is a risk management framework for a system; ISO
27001 defines a standard for a management process. One is not necessarily better than the other. In
fact, to compare the two standards is like comparing apples and oranges. However, they are perfectly
suited to complement one another, implemented side-by-side, in an effort to mitigate system risk to an
adequate level, and to integrate that component of risk management as a critical part of management's
responsibility for managing the overall organizational risk.
Government Reform
In the summer of 2001, a few months after being sworn in as the new President of the United States,
President George Bush introduced The President's Management Agenda, an ambitious plan for
improving the management and performance of the Federal Government. The premise of President
Bush's political vision is to run Government like a business.
Government likes to begin things to declare grand new programs and causes and national
objectives. But good beginnings are not the measure of success. What matters in the end is
completion. Performance. Results. Not just making promises, but making good on promises. In
my Administration, that will be the standard from the farthest regional office of government to
the highest office of the land. (Bush, 1999)
The focus of the President's Management Agenda is to address the areas of management that
need the most attention and will have the biggest impact for reform. There are five government-wide
and nine program-specific initiatives of improvement where the Bush administration can begin to deliver
on those promises. In the following diagram, you see that one of the five government-wide initiatives is
Expanded Electronic Government, codified by the E-Government Act of 2002. Title III of the
E-Government Act, Information Security, has the most direct impact on defining and expanding the
responsibilities of those involved in operating, managing and securing Government Agency information
Expanding E-Government
The Expanding E-Government initiative of the President's Management Agenda is more than
just information security; it's employing technology to improve how the Government serves its citizens,
businesses, and state and local governments. The information policy of E-Gov provides an agenda for
Federal information systems to include not just security, but also privacy and capital planning, as well as
a standardized model for an information technology architecture that lends itself to the overarching goal of
function-driven business in Government. In hopes of attaining these goals, the OMB is taking a
business-motivated approach in developing enterprise architecture. To that end, OMB is identifying opportunities
to simplify and consolidate work into lines of business across the Federal Government. For over 200
It initially tasked NIST to provide guidelines and standards for implementing computer security.
NIST has since published hundreds of Special Publications (SP) or guidelines to the computer security
community. Good information systems security is good business, and IT professionals would be
hard-pressed to find a better source of information pertaining to all aspects of computer security than the
documents issued by NIST.
Clinger-Cohen Act
Another stellar piece of legislation is the Clinger-Cohen Act of 1996, which requires government
agencies to use performance based management principles for acquiring and managing information
Cost/benefit analysis
Performance
Standards
Accountability
Life expectancy
Multiple uses
The Clinger-Cohen Act also requires agency Chief Information Officers (CIOs) to develop an integrated
information technology architecture. The Federal Enterprise Architecture (FEA) is an OMB program that
intends to comply with the Clinger-Cohen Act and provide a model for sharing information and
resources across all Federal agencies. This will reduce overall spending and provide continuity in
Government services.
The substance of these laws and regulations, as they apply to IT professionals, is that IT
professionals must understand their expanding roles and responsibilities so they may interface successfully
with other aspects of managing the Government like a business. Their actions and decisions must align
with the business goals of the organization.
Computer security is a critical element in running a business with a mission so dependent on the
capabilities of information systems. The exhibit shows the five steps of risk management, which
include the assessment and mitigation of risk during the Initiation Phase of C&A and a risk evaluation
during the Certification Phase of C&A. The formalization of risk management lies in the element of
accountability executed in the last two phases of C&A, Authorization and Monitoring & Status
Reporting. NIST Special Publications and Federal Information Processing Standards, as well as memos
and circulars from the OMB, provide well-documented and easy-to-follow guidance for every step of the
C&A process.
Translation of Terminology
Before I move on to discuss the ISO standards and guidelines, it might be helpful, and certainly
appropriate, to examine a few key terms that are defined, sometimes quite differently, by NIST and by the
ISO. I find the NIST glossary, contained in the standalone document NISTIR 7298, to be much more robust
Term: Information Security
ISO: Preservation of confidentiality, integrity and availability of information.
NIST: Thankfully they both agree on the basic definition of information security.
Use within organizations as a way to ensure that security risks are cost-effectively managed;
Use by the internal and external auditors of organizations to demonstrate the information
security policies, directives and standards adopted by an organization and determine the
degree of compliance with those policies, directives and standards;
The information security controls from ISO/IEC 27002 are noted in an appendix (annex) to ISO/IEC
27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific
information security controls are applicable to their particular information security situations, drawing
on those listed in the menu and potentially supplementing them with other a la carte options,
sometimes known as extended control sets. As with ISO/IEC 27002, the key to selecting applicable
Scope - it specifies generic ISMS requirements suitable for organizations of any type, size or
nature.
Normative references - only ISO/IEC 27002:2005 is considered essential to the use of 27001.
Information security management system - the guts of the standard, based on the Plan-Do-Check-Act
cycle, where Plan = define requirements, assess risks, decide which controls are
applicable; Do = implement and operate the ISMS; Check = monitor and review the ISMS; Act =
maintain and continuously improve the ISMS. Also specifies certain specific documents that are
required and controlled.
Internal ISMS audits - the organization must conduct periodic internal audits to ensure the ISMS
incorporates adequate controls, which operate effectively.
Management review of the ISMS - management must review the suitability, adequacy and
effectiveness of the ISMS at least once a year, assessing opportunities for improvement and the
need for changes.
ISMS improvements - the organization must continually improve the ISMS by assessing and
where necessary making changes to ensure its suitability and effectiveness, addressing
nonconformance (noncompliance) and where possible preventing recurrent issues.
Annex A - Control objectives and controls - little more in fact than a list of titles of the control
sections in ISO/IEC 27002, down to the second level of numbering (e.g. 9.1, 9.2).
Annex B - OECD principles and this International Standard - a table briefly showing which parts
of this standard satisfy 7 key principles laid out in the OECD Guidelines for the Security of
Information Systems and Networks.
Annex C - Correspondence between ISO 9001:2000, ISO 14001:2004 and this International
Standard - the standard shares the same basic structure as other management systems
standards, meaning that an organization that implements any one of them should be familiar with
concepts such as PDCA, records and audits.
ISO 27002:2005
ISO/IEC 27002:2005, the latest version of Information technology - Security techniques - Code
of practice for information security management, to give it its full title, is an internationally accepted
standard of good practice for information security.
2. New ISO 27000 standards (e.g. ISO/IEC 27000, 27003, 27004, 27007) to be referenced if they
are released before the updates to 27002.
3. Section 5 on "Security policy" is confusing. Terms such as 'overarching security policy' are
somewhat ambiguous when more detailed policies are needed covering particular
security requirements and controls. There was considerable discussion on this point in
Beijing but the resolution is unclear at this point.
4.
5. Section 9.2 does not cover typical computer room 'environmental protection' very well - for
example, it is weak on environmental monitoring with local and remote alarms (for fire,
water, intrusion, power problems etc.). There are presumably other ISO/IEC standards in
this area, as well as national standards, building codes, laws etc.
6. Section 10 is a bit of a mixed bag, covering issues such as outsourcing/3rd party IT service
delivery in addition to systems and network management. Some rationalization of these
items may be appropriate. Section 10.8 "Exchange of information" seems outdated, with a
lot going on these days in terms of mobile code, Web 2.0/Software as a Service etc. In
Beijing, a radical restructuring of 27002 was proposed, but there was insufficient time to consider
it prior to or during the meeting, so this major issue was tabled until the next SC27 meeting.
7. Section 11.2 on "User access management" ought to include more on identification and
especially authentication of remote users, federated identity management, etc.
8. Section 11.4 covers "Network access control" without mentioning the term "firewall".
9. Section 12 does not explicitly cover security testing of new/changed application systems, at
least not clearly enough. Pragmatic advice on security testing would be worthwhile,
covering issues such as developing structured tests based on the security elements of
10. Section 14 on "Business continuity management" says very little about specifying and
meeting availability requirements, particularly the need to consider and, if necessary,
provide or improve resilience as well as facilitate recovery. This section would also benefit
from more explanation of "contingency", namely planning and preparing to cope with
incidents if/when other controls fail.
11. Various changes are needed in section 15 to reflect legal and regulatory changes since 2005,
such as the rise of "e-discovery", document/email retention and the increasing use of computer
data as evidence in court.
12. Section 15.3 "Information systems audit considerations" merely covers securing audit
tools/data. There is value in IT auditing for reviewing and making improvements to the
ISMS. Emphasis on the involvement of legal, risk, compliance and governance specialists in
the ISMS design and operations would be useful.
The revised standard is planned for release in 2011, expected to coincide with the release of the
revised ISO/IEC 27001.
Scope of ISO/IEC 27002
Like governance, information security is a broad topic with ramifications in all parts of the
modern organization. Information security, and ISO/IEC 27001/2, are relevant to all types of
organization, including commercial enterprises of all sizes (from one-man bands up to multinational
giants), not-for-profits, charities, and government entities. The specific information security
requirements may be different in each case, but the whole point of ISO 27001/2 is that there is a lot of
common ground.
Relationship to ISO/IEC 27001
ISO/IEC 27001 formally defines the mandatory requirements for an Information Security
Management System (ISMS). It uses ISO/IEC 27002 to indicate suitable information security controls
within the ISMS. However, since ISO/IEC 27002 is merely a guideline rather than a certification
standard, organizations are free to select and implement other controls as they see fit. ISO/IEC 27001
incorporates a summary of controls from ISO/IEC 27002 under Annex A.
Process Mapping

ISO 27001 Certification Process: Get Management Support
NIST C&A Process: (blank)
Comment: Given that C&A of all US Federal information systems are mandated to comply with the
NIST standards and guidelines, management support is implied.

ISO 27001 Certification Process: (blank)
NIST C&A Process: Information System Description
Comment: Significant distinctions right from the beginning; ISO requires that the scope of the
management system is defined. They are looking for the bounds of an organization; it could be an
international company, or a department within any organization. NIST, on the other hand, is looking
for the boundaries of an information system.

ISO 27001 Certification Process: Inventory Information Assets
NIST C&A Process: (blank)
Comment: ISO considers the inventory of assets to be crucial in order to focus on the amount of time
you have been given to accomplish the task of implementing ISO 27001/27002.

ISO 27001 Certification Process: (blank)
NIST C&A Process: Security Categorization
Comment: Determining a system's Security Categorization is a mandatory initial step
Further steps of the two processes recovered from the same table (column assignment lost):
Methods and Procedures; Conduct Risk Assessment; Threat Identification; Vulnerability Identification;
Initial Risk Determination; Prepare Statement of Applicability; Security Control Identification;
Develop ISMS; FISMA Mandate; Compliance Review; Pre-Certification Assessment; Documentation and
Supporting Materials; External Certification Audit; Office of Inspector General (OIG) Audit.
Document Mapping

ISO 27001 Document: Records of Management Decisions
Comment: For ISO 27001 certification, management is involved every step of the way, which is why
an official Record of Management Decisions is the first required document in the process. The NIST
C&A process requires management sign-off on the work that has been completed; it is known as the
Authorization Stage of C&A. Regarding the ISMS: minutes of management meetings, investment
decisions, mandating of policies, reports, etc.

ISO 27001 Document: Document Control Procedures
Comment: Document control procedure explaining how ISMS documents are approved for use,
reviewed/updated/re-approved as necessary, version managed, disseminated as necessary, marked etc.
(see 4.3.2 for the full list). If the organization already has a Quality Management System conforming
to ISO 9000, the QMS document control procedure (or equivalent from another management system)
may be applied to the ISMS.

ISO 27001 Document: ISMS Scope
Comment: ISMS scope defines the boundaries of the ISMS in relation to the characteristics of the
business, the organization, its location, [information] assets and technology. Any exclusion from the
ISMS scope must be explicitly justified.

ISO 27001 Document: ISMS Policy
Comment: An ISMS policy defining the objective-setting management framework for the ISMS, giving
it an overall sense of direction/purpose and defining key principles. The ISMS policy must:

ISO 27001 Document: Statement of Applicability

NIST C&A column entries recovered from this table (row alignment lost): None; None; None;
Documented in Yearly OMB Memo: FISMA Reporting Guidelines (for FY2008, M-08-21); Security
awareness, training and education records in the CIO report.
                                         FY2002   FY2003   FY2004   FY2005   FY2006   FY2007   FY2008
Percent certified and accredited           47%      62%      77%      85%      88%      92%      96%
Percent with tested contingency plans      35%      48%      57%      61%      77%      86%      92%
Percent with tested security controls      60%      64%      76%      72%      88%      95%      93%
Total number of systems                  7,957    7,998    8,623   10,289   10,595   10,304   10,679
It is stated that these numbers reflect the collective reports from agency CIOs. They are the
department heads who rely on making a good impression, through these FISMA reports, in order to
avoid budgetary penalties from the OMB.
FIPS 199 Risk     Number of        Number of            Total Number   Percent certified   Percent with tested   Percent with tested
Impact Level      Agency Systems   Contractor Systems   of Systems     and accredited      contingency plans     security controls
High              1,055            113                  1,168          98%                 90%                   95%
Moderate          3,576            536                  4,112          95%                 92%                   95%
Low               3,952            738                  4,690          96%                 90%                   91%
Not Categorized   187              522                  709            96%                 96%                   95%
Total             8,770            1,909                10,679         96%                 92%                   93%
There is a second FISMA report to OMB, from agency OIGs, who do not need to make an
impression on anyone; their budget is relatively fixed. Their job is to validate the numbers reported by
the agency CIO. Even though the overall statistics look very impressive, there are still a few
organizations, like the Department of Defense, that continue to struggle to attain a passing FISMA
grade. They are the only agency out of 26 that has received a failing audit from their OIG. This is also
the first year they have even had an external audit. The DoD owns 40% of all US Government
information systems. They have 265 systems in the HIGH impact category alone; that is more than the
individual system totals of 16 other agencies. Table 5 puts the FISMA reporting into a more accurate
perspective by showing the number of systems owned by each agency. The OIG report summary shows
Agency                          Number of Systems   Percentage of US Gov't Systems   OIG Report
Department of Defense           4,279               40%                              Failing
Department of Energy            1,323               12%                              Satisfactory
(name not recovered)            634                 6%                               Excellent
(name not recovered)            618                 6%                               Satisfactory
(name not recovered)            591                 6%                               Good
(name not recovered)            509                 5%                               Satisfactory
Department of Transportation    405                 4%                               Satisfactory
Department of State             356                 3%                               Good
Department of Commerce          312                 3%                               Satisfactory
Department of Justice           254                 2%                               Good
Department of Agriculture       245                 2%                               Poor
(name not recovered)            177                 2%                               Satisfactory
(name not recovered)            171                 2%                               Good
(name not recovered)            162                 2%                               Satisfactory
Department of Education         145                 1%                               Satisfactory
(name not recovered)            93                  1%                               Satisfactory
(name not recovered)            86                  1%                               Satisfactory
(name not recovered)            85                  1%                               Satisfactory
Department of Labor             72                  1%                               Satisfactory
(name not recovered)            40                  <1%                              Satisfactory
(name not recovered)            39                  <1%                              Satisfactory
(name not recovered)            29                  <1%                              Excellent
(name not recovered)            20                  <1%                              Good
(name not recovered)            20                  <1%                              Good
Smithsonian Institution         14                  <1%                              Satisfactory
Total                           10,679
Most US Government agencies implement the NIST RMF to a satisfactory level, according to the
OIG reports, which is to say they are doing a good job, but there is a lot of room for improvement.
[Figure 8 - ISO 27001 Certification by Industry (USA) (ISMS International Users Group, 2009). Chart labels and values in the order extracted: 58%, Financial, 21%, Business, 8%, Insurance, 5%, Legal, 4%, University, 2%, Healthcare, 2%. Axis: 0% to 70%.]
[Figure: breakdown by sector. Chart labels and values in the order extracted: 27%, Health, 20%, Financial, 11%, Business - Small, 10%, Government - State, 10%, Government - City, 5%, Business - Large, 3%, Government - US, 3%, IT, 2%, Telecommunications, 2%, Government - Mil, 2%, Insurance, 1%, Systems Security, 1%, Library, 1%, Legal, 1%, Church, 1%.]
The total number of security violations reported by the Privacy Rights Clearinghouse is 245.
Four involved ISO 27001 certified organizations, and eleven involved US Government agencies, five of
which were from DoD. See Appendix C for the details of those incidents.
Appendix: ISO/IEC 27002:2005 sections mapped to NIST SP 800-53 controls. Where a section's NIST cell was recovered next to it, it is shown after the colon; NIST entries whose row was lost are listed after their group in the order extracted.

Security Policy
5.1; 5.1.1; 5.1.2
NIST entries for this group: XX-1 controls

Organization of Information Security
6.1 Internal Organization; 6.1.1 Management Commitment to information security; 6.1.2 Information security Co-ordination; 6.1.3; 6.1.4; 6.1.5; 6.1.6; 6.1.7; 6.1.8; 6.2; 6.2.1; 6.2.2; 6.2.3
NIST entries for this group: AT-5; XX-1 controls

Asset Management
7.1; 7.1.1; 7.1.2; 7.1.3; 7.2; 7.2.1; 7.2.2

Human Resource Security
8.1 Prior to Employment; 8.1.1 Roles and Responsibilities; 8.1.2 Screening; 8.1.3 Terms and conditions of employment; 8.2 During Employment; 8.2.1 Management Responsibility; 8.2.2 Information security awareness, education and training; 8.2.3 Disciplinary process; 8.3 Termination or change of employment; 8.3.1 Termination responsibility; 8.3.2 Return of assets; 8.3.3

Physical and Environmental Security
9.1 Secure Areas
9.1.1 Physical security perimeter: PE-3
9.1.2 Physical entry controls: PE-3, PE-5, PE-6, PE-7
9.1.3 Securing offices, rooms and facilities: PE-3, PE-4, PE-5
9.1.4 Protecting against external and environmental threats: CP Family; PE-1, PE-9, PE-10, PE-11, PE-13, PE-15
9.1.5 Working in secure areas: AT-2, AT-3, PL-4, PS-6, PE-2, PE-3, PE-4, PE-6, PE-7, PE-8
9.1.6: PE-3, PE-7, PE-16
9.2
9.2.1: PE-1, PE-18
9.2.2: PE-1, PE-9, PE-11, PE-12, PE-14
9.2.3: PE-4, PE-9
9.2.4: MA Family
9.2.5: MP-5, PE-17
9.2.6: MP-6
9.2.7: MP-5, PE-16

Communications and Operations Management
10.1; 10.1.1; 10.1.2; 10.1.3; 10.1.4
10.2
10.2.1: SA-9
10.2.2: SA-9
10.2.3: RA-3, SA-9
10.3
10.3.1: AU-4, AU-5, CP-2, SA-2, SC-5
10.3.2: CA-2, CA-6, CM-3, CM-4, CM-9, SA-11
10.4; 10.4.1; 10.4.2
10.5 Back-Up; 10.5.1 Information Backup
10.6 Network Security Management; 10.6.1 Network controls; 10.6.2
10.7; 10.7.1; 10.7.2; 10.7.3; 10.7.4
10.8; 10.8.1; 10.8.2; 10.8.3; 10.8.4 Electronic Messaging; 10.8.5
10.9; 10.9.1; 10.9.2 On-Line transactions; 10.9.3 Publicly available information
10.10 Monitoring; 10.10.1 Audit logging; 10.10.2; 10.10.3; 10.10.4; 10.10.5; 10.10.6
NIST entries recovered for this group without a row: CA-1, CA-3

Access Control
11.1; 11.1.1; 11.2; 11.2.1; 11.2.2; 11.2.3; 11.2.4; 11.3; 11.3.1; 11.3.2; 11.3.3; 11.4; 11.4.1; 11.4.2; 11.4.3; 11.4.4; 11.4.5; 11.4.6; 11.4.7; 11.5; 11.5.1; 11.5.2; 11.5.3; 11.5.4; 11.5.5; 11.5.6; 11.6; 11.6.1; 11.6.2; 11.7; 11.7.1; 11.7.2

Information Systems Acquisition, Development and Maintenance
12.1; 12.1.1; 12.2; 12.2.1; 12.2.2; 12.2.3 Message integrity; 12.2.4; 12.3; 12.3.1; 12.3.2 Key Management: SC-12, SC-17; 12.4 Security of System Files; 12.4.1 Control of Operational software; 12.4.2; 12.4.3; 12.5; 12.5.1; 12.5.2; 12.5.3; 12.5.4; 12.5.5; 12.6; 12.6.1
NIST entries recovered for this group without a row: None; SI-10

Information Security Incident Management
13.1; 13.1.1; 13.1.2; 13.2; 13.2.1; 13.2.2; 13.2.3
NIST entries recovered for this group without a row: None; IR-1; IR-4; AU-9, IR-4

Business Continuity Management
14.1; 14.1.1; 14.1.2; 14.1.3; 14.1.4; 14.1.5

Compliance
15.1; 15.1.1; 15.1.2; 15.1.3; 15.1.4; 15.1.5; 15.1.6; 15.2; 15.2.1; 15.2.2; 15.3; 15.3.1; 15.3.2
Appendix: NIST SP 800-53 controls mapped to ISO/IEC 27002:2005 sections. "None" means the table gives no ISO counterpart; "Withdrawn" means the control has been withdrawn from SP 800-53. Where a control's ISO cell was recovered next to it, it is shown after the colon; ISO references whose row was lost are listed after their family in the order extracted.

Access Controls (AC)
AC-1; AC-2 Account Management; AC-3 Access Enforcement; AC-4; AC-5 Separation of Duties; AC-6 Least Privilege; AC-7: 11.5.1; AC-8; AC-9; AC-10; AC-11 Session Lock; AC-12 Withdrawn; AC-13 Withdrawn; AC-14: 11.6.1; AC-15; AC-16 Security Attributes: 7.2.2; AC-17 Remote Access; AC-18 Wireless Access; AC-19; AC-20; AC-21; AC-22

Awareness and Training (AT)
AT-1; AT-2 Security Awareness; AT-3 Security Training; AT-4: None; AT-5: 6.1.7
ISO references recovered for the AC/AT group without a row: 11.5.1; 11.2.1, 11.2.2; None

Audit and Accountability (AU)
AU-1; AU-2; AU-3; AU-4: 10.10.1, 10.3.1; AU-5: 10.3.1, 10.10.1; AU-6; AU-7; AU-8; AU-9; AU-10 Non-repudiation: 10.9.1, 12.2.3; AU-11; AU-12 Audit Generation; AU-13 Monitoring for Information Disclosure; AU-14 Session Audit

Security Assessment and Authorization (CA)
CA-1; CA-2 Security Assessments; CA-3; CA-4 Withdrawn; CA-5: None; CA-6 Security Authorization: 6.1.4, 10.3.2; CA-7 Continuous Monitoring

Configuration Management (CM)
CM-1; CM-2 Baseline Configuration: 12.4.1, 10.1.4; CM-3; CM-4; CM-5; CM-6 Configuration Settings: None; CM-7 Least Functionality: None; CM-8: 7.1.1, 7.1.2; CM-9
ISO references recovered for the AU/CA/CM group without a row: None; None

Contingency Planning (CP)
CP-1; CP-2 Contingency Plan; CP-3 Contingency Training; CP-4; CP-5 Withdrawn; CP-6: 9.1.4, 14.1.3; CP-7: 9.1.4, 14.1.3; CP-8 Telecommunications Services; CP-9; CP-10: 9.1.4, 14.1.3

Identification and Authentication (IA)
IA-1; IA-2; IA-3; IA-4; IA-5 Authenticator Management; IA-6 Authenticator Feedback: 11.5.1; IA-7 Cryptographic Module Authentication; IA-8 Identification and Authentication (Non-Organizational Users)
ISO references recovered for this family without a row: 11.4.3; 11.5.2

Incident Response (IR)
IR-1; IR-2; IR-3; IR-4; IR-5 Incident Monitoring: None; IR-6 Incident Reporting: 6.1.6, 13.1.1; IR-7: None; IR-8: None
ISO references recovered for this family without a row: None

Maintenance (MA)
MA-1; MA-2 Controlled Maintenance: 9.2.4; MA-3 Maintenance Tools: 9.2.4, 11.4.4; MA-4 Non-Local Maintenance: 9.2.4, 11.4.4; MA-5 Maintenance Personnel: 9.2.4, 12.4.3; MA-6 Timely Maintenance: 9.2.4

Media Protection (MP)
MP-1; MP-2 Media Access; MP-3 Media Marking; MP-4 Media Storage; MP-5 Media Transport; MP-6 Media Sanitization

Physical and Environmental Protection (PE)
PE-1; PE-2; PE-3; PE-4; PE-5; PE-6; PE-7 Visitor Control; PE-8 Access Records; PE-9; PE-10; PE-11 Emergency Power: 9.1.4, 9.2.2; PE-12 Emergency Lighting: 9.2.2; PE-13 Fire Protection: 9.1.4; PE-14: 9.2.2; PE-15: 9.1.4; PE-16; PE-17: 9.2.5, 11.7.2; PE-18: 9.2.1, 11.3.2; PE-19
ISO references recovered for this family without a row: 8.2.2

Planning (PL)
PL-1; PL-2: None; PL-3 Withdrawn; PL-4 Rules of Behavior; PL-5; PL-6: 6.1.2, 15.3.1

Personnel Security (PS)
PS-1; PS-2; PS-3 Personnel Screening: 8.1.2; PS-4 Personnel Termination; PS-5 Personnel Transfer; PS-6 Access Agreements; PS-7; PS-8 Personnel Sanctions: 8.2.3, 15.1.5

Risk Assessment (RA)
RA-1; RA-2; RA-3 Risk Assessment; RA-4 Withdrawn; RA-5 Vulnerability Scanning
ISO references recovered for this family without a row: 9.1.4; 12.5.4; 8.1.1

System and Services Acquisition (SA)
SA-1; SA-2 Allocation of Resources: 6.1.2, 10.3.1; SA-3: 12.1.1; SA-4 Acquisitions: 12.1.1, 12.5.5; SA-5: 10.7.4, 15.1.3; SA-6; SA-7 User-Installed Software; SA-8; SA-9; SA-10 Developer Configuration Management; SA-11 Developer Security Testing; SA-12: 12.5.5; SA-13 Trustworthiness: 12.5.5; SA-14: None

System and Communications Protection (SC)
SC-1; SC-2 Application Partitioning: 10.4.1, 10.4.2; SC-3; SC-4: None; SC-5: 10.3.1; SC-6 Resource Priority: None; SC-7 Boundary Protection; SC-8 Transmission Integrity; SC-9 Transmission Confidentiality; SC-10 Network Disconnect; SC-11 Trusted Path: None; SC-12: 12.3.2; SC-13 Use of Cryptography: 12.3.1, 15.1.6; SC-14; SC-15: None; SC-16: 7.2.2, 10.8.1; SC-17: 12.3.2; SC-18; SC-19: 10.6.1; SC-20: 10.6.1; SC-21: 10.6.1; SC-22: 10.6.1; SC-23 Session Authenticity: 10.6.1; SC-24: None; SC-25 Thin Nodes: None; SC-26 Honeypots: None; SC-27 Operating System-Independent Applications: None; SC-28 Protection of Information at Rest; SC-29 Heterogeneity: None; SC-30 Virtualization Techniques: None; SC-31: None; SC-32: None; SC-33: None; SC-34 Non-Modifiable Executable Programs: None
ISO references recovered for this family without a row: 12.6.1, 15.2.2; 10.3.2, 12.5.5

Systems and Information Integrity (SI)
SI-1; SI-2 Flaw Remediation: 10.4.2; SI-3: 10.4.1; SI-4; SI-5; SI-6; SI-7; SI-8 Spam Protection: None; SI-9; SI-10: 12.2.1, 12.2.2; SI-11 Error Handling: None; SI-12; SI-13
ISO references recovered for this family without a row: None

Program Management (PM)
PM-1; PM-2; PM-3: None; PM-4: None; PM-5: 7.1.1, 7.1.2; PM-6: None; PM-7; PM-8: None; PM-9: 6.2.1, 14.1.2; PM-10: 6.1.4; PM-11 Mission/Business Process Definition: None
ISO references recovered for this family without a row: None; None; None; None
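The two appendix tables are a crosswalk kept by hand in both directions, and hand-kept crosswalks drift: a section can read "None" in one direction while a control cites that same section in the other. The Python script below is an added example, not code from the paper. It parses mapping cells written in the appendix's own notation ("PE-3, PE-5", "MA Family", "None"), inverts a table, lists the controls and sections that have no counterpart, and reports pairs that one table asserts and the other, where it has a row for the same identifier, omits. The rows are a small constructed subset in the appendix's format (the "12.3.1 -> None" row is constructed to show a disagreement with the appendix's SC-13 row), and the family expansions for MA and CP are assumptions drawn from the control IDs the appendix lists.

```python
"""Bidirectional NIST SP 800-53 <-> ISO/IEC 27002:2005 crosswalk checker.

Added example, not code from the paper. The row dictionaries are a constructed
subset written in the appendix's cell notation; the family expansions are
assumptions, not part of the paper.
"""
import re
from collections import defaultdict

# Assumption: family members taken from the control IDs the appendix lists,
# leaving out controls the appendix marks as withdrawn (e.g. CP-5).
FAMILY_CONTROLS = {
    "MA": ["MA-1", "MA-2", "MA-3", "MA-4", "MA-5", "MA-6"],
    "CP": ["CP-1", "CP-2", "CP-3", "CP-4", "CP-6", "CP-7", "CP-8", "CP-9", "CP-10"],
}

# Forward table: ISO section -> NIST cell text, as the appendix writes it.
# Constructed subset; the 12.3.1 -> "None" row is constructed for the demo.
ISO_ROWS = {
    "9.1.1": "PE-3",
    "9.1.2": "PE-3, PE-5, PE-6, PE-7",
    "9.1.4": "CP Family; PE-1, PE-9, PE-10, PE-11, PE-13, PE-15",
    "9.2.4": "MA Family",
    "12.3.1": "None",
    "12.3.2": "SC-12, SC-17",
    "6.1.7": "AT-5",
}

# Reverse table: NIST control -> ISO cell text. "None" = no ISO counterpart.
NIST_ROWS = {
    "PE-11": "9.1.4, 9.2.2",
    "PE-13": "9.1.4",
    "MA-2": "9.2.4",
    "SC-12": "12.3.2",
    "SC-13": "12.3.1, 15.1.6",
    "SC-17": "12.3.2",
    "SC-26": "None",  # Honeypots: no ISO counterpart in the appendix
    "AT-5": "6.1.7",
}


def parse_cell(cell):
    """Split a mapping cell into identifiers, expanding 'XX Family' and 'None'."""
    out = []
    for token in re.split(r"[;,]", cell):
        token = token.strip()
        if not token or token.lower() == "none":
            continue
        fam = re.fullmatch(r"([A-Z]{2}) Family", token)
        out.extend(FAMILY_CONTROLS[fam.group(1)] if fam else [token])
    return out


def parse_table(rows):
    """Parse every cell of a table: {key: [identifiers]}."""
    return {key: parse_cell(cell) for key, cell in rows.items()}


def invert(table):
    """Turn {key: [values]} into {value: sorted keys} (e.g. control -> sections)."""
    inv = defaultdict(set)
    for key, values in table.items():
        for v in values:
            inv[v].add(key)
    return {v: sorted(ks) for v, ks in inv.items()}


def unmapped(table):
    """Keys whose cell was 'None': identifiers with no counterpart."""
    return sorted(k for k, vs in table.items() if not vs)


def inconsistencies(iso_to_nist, nist_to_iso):
    """Pairs asserted by one table that the other omits, counted only when the
    other table has a row for that identifier (an absent row proves nothing)."""
    fwd = {(s, c) for s, cs in iso_to_nist.items() for c in cs}
    rev = {(s, c) for c, ss in nist_to_iso.items() for s in ss}
    only_fwd = sorted((s, c) for s, c in fwd if c in nist_to_iso and (s, c) not in rev)
    only_rev = sorted((s, c) for s, c in rev if s in iso_to_nist and (s, c) not in fwd)
    return only_fwd, only_rev


def report():
    """Run every check over the sample tables and return the findings."""
    iso_to_nist = parse_table(ISO_ROWS)
    nist_to_iso = parse_table(NIST_ROWS)
    return {
        "nist_without_iso": unmapped(nist_to_iso),
        "iso_without_nist": unmapped(iso_to_nist),
        "iso_sections_for_PE-11": invert(iso_to_nist).get("PE-11", []),
        "inconsistencies": inconsistencies(iso_to_nist, nist_to_iso),
    }


if __name__ == "__main__":
    for name, finding in report().items():
        print(f"{name}: {finding}")
```

Run as a script it prints the findings; on the sample rows the only inconsistency is the constructed 12.3.1 row, which the forward table maps to nothing while SC-13 cites it in reverse. To check the full appendix, replace the two row dictionaries with the complete tables in the same cell notation.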