Nist Coc Nov 2017

Title
Access Agreements
Access Control for Mobile Devices
Access Control for Output Devices
Access Control for Transmission Medium
Access Control Policy and Procedures
Access Enforcement
Access Records
Access Restrictions for Change
Account Management
Acquisitions
Allocation of Resources
Alternate Processing Site
Alternate Storage Site
Alternate Work Site
Application Partitioning
Architecture and Provisioning for Name / Address Resolution Service
Audit and Accountability Policy and Procedures
Audit Generation
Audit Record Retention
Audit Reduction and Report Generation
Audit Review, Analysis, and Reporting
Audit Storage Capacity
Auditable Events
Authenticator Feedback
Authenticator Management
Automated Marking
Baseline Configuration
Boundary Protection
Collaborative Computing Devices
Concurrent Session Control
Configuration Change Control
Configuration Management Plan
Configuration Management Policy and Procedures
Configuration Settings
Contacts With Security Groups and Associations
Content of Audit Records
Contingency Plan
Contingency Plan Testing and Exercises
Contingency Plan Update
Contingency Planning Policy and Procedures
Contingency Training
Continuous Monitoring
Controlled Maintenance
Covert Channel Analysis
Critical Information System Components
Critical Infrastructure Plan
Cryptographic Key Establishment and Management
Cryptographic Module Authentication
Delivery and Removal
Denial of Service Protection
Developer Configuration Management
Developer Security Testing
Device Identification and Authentication
Emergency Lighting
Emergency Power
Emergency Shutof
Enterprise Architecture
Error Handling
External Information System Services
Fail In Known State
Fire Protection
Flaw Remediation
Heterogeneity
Honeypots
Identification and Authentication (Non-organizational Users)
Identification and Authentication (Organizational Users)
Identification and Authentication Policy and Procedures
Identifier Management
Incident Handling
Incident Monitoring
Incident Reporting
Incident Response Assistance
Incident Response Plan
Incident Response Policy and Procedures
Incident Response Testing and Exercises
Incident Response Training
Information Flow Enforcement
Information In Shared Resources
Information Input Restrictions
Information Input Validation
Information Leakage
Information Output Handling and Retention
Information Security Measures of Performance
Information Security Program Plan
Information Security Resources
Information System Backup
Information System Component Inventory
Information System Connections
Information System Documentation
Information System Inventory
Information System Monitoring
Information System Partitioning
Information System Recovery and Reconstitution
Least Functionality
Least Privilege
Life Cycle Support
Location of Information System Components
Maintenance Personnel
Maintenance Tools
Malicious Code Protection
Media Access
Media Marking
Media Protection Policy and Procedures
Media Sanitization
Media Storage
Media Transport
Mission/business Process Definition
Mobile Code
Monitoring for Information Disclosure
Monitoring Physical Access
Network Disconnect
Non-local Maintenance
Non-modifiable Executable Programs
Non-repudiation
Operating System-independent Applications
Permitted Actions Without Identification Or Authentication
Personnel Sanctions
Personnel Screening
Personnel Security Policy and Procedures
Personnel Termination
Personnel Transfer
Physical Access Authorizations
Physical Access Control
Physical and Environmental Protection Policy and Procedures
Plan of Action and Milestones
Plan of Action and Milestones Process
Position Categorization
Power Equipment and Power Cabling
Predictable Failure Prevention
Previous Logon (Access) Notification
Privacy Impact Assessment
Protection of Audit Information
Protection of Information At Rest
Public Access Protections
Public Key Infrastructure Certificates
Publicly Accessible Content
Remote Access
Resource Priority
Response To Audit Processing Failures
Risk Assessment
Risk Assessment Policy and Procedures
Risk Assessment Update
Risk Management Strategy
Rules of Behavior
Secure Name / Address Resolution Service (Authoritative Source)
Secure Name / Address Resolution Service (Recursive Or Caching Resolver)
Security Alerts, Advisories, and Directives
Security Assessment and Authorization Policies and Procedures
Security Assessments
Security Attributes
Security Authorization
Security Authorization Process
Security Awareness
Security Awareness and Training Policy and Procedures
Security Categorization
Security Certification
Security Engineering Principles
Security Function Isolation
Security Functionality Verification
Security Impact Analysis
Security Planning Policy and Procedures
Security Training
Security Training Records
Security-related Activity Planning
Senior Information Security Officer
Separation of Duties
Session Audit
Session Authenticity
Session Lock
Session Termination
Software and Information Integrity
Software Usage Restrictions
Spam Protection
Supervision and Review Access Control
Supply Chain Protection
System and Communications Protection Policy and Procedures
System and Information Integrity Policy and Procedures
System and Services Acquisition Policy and Procedures
System Maintenance Policy and Procedures
System Security Plan
System Security Plan Update
System Use Notification
Telecommunications Services
Temperature and Humidity Controls
Thin Nodes
Third-party Personnel Security
Time Stamps
Timely Maintenance
Transmission Confidentiality
Transmission Integrity
Transmission of Security Attributes
Transmission Preparation Integrity
Trusted Path
Trustworthiness
Unsuccessful Login Attempts
Use of Cryptography
Use of External Information Systems
User-based Collaboration and Information Sharing
User-installed Software
Virtualization Techniques
Visitor Control
Voice Over Internet Protocol
Vulnerability Scanning
Water Damage Protection

Wireless Access
(empty)
Total Result
Description Count - Number
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
The organization: S 1
1
1
205
Class - all -
Family - all -
Title Count - Description

Access Agreements 1
Access Control for Mobile Devices 1
Access Control for Output Devices 1
Access Control for Transmission Medium 1
Access Control Policy and Procedures 1
Access Enforcement 1
Access Records 1
Access Restrictions for Change 1
Account Management 1
Acquisitions 1
Allocation of Resources 1
Alternate Processing Site 1
Alternate Storage Site 1
Alternate Work Site 1
Application Partitioning 1
Architecture and Provisioning for Name / Address Resolution Service 1
Audit and Accountability Policy and Procedures 1
Audit Generation 1
Audit Record Retention 1
Audit Reduction and Report Generation 1
Audit Review, Analysis, and Reporting 1
Audit Storage Capacity 1
Auditable Events 1
Authenticator Feedback 1
Authenticator Management 1
Automated Marking 1
Baseline Configuration 1
Boundary Protection 1
Collaborative Computing Devices 1
Concurrent Session Control 1
Configuration Change Control 1
Configuration Management Plan 1
Configuration Management Policy and Procedures 1
Configuration Settings 1
Contacts With Security Groups and Associations 1
Content of Audit Records 1
Contingency Plan 1
Contingency Plan Testing and Exercises 1
Contingency Plan Update 1
Contingency Planning Policy and Procedures 1
Contingency Training 1
Continuous Monitoring 1
Controlled Maintenance 1
Covert Channel Analysis 1
Critical Information System Components 1
Critical Infrastructure Plan 1
Cryptographic Key Establishment and Management 1
Cryptographic Module Authentication 1
Delivery and Removal 1
Denial of Service Protection 1
Developer Configuration Management 1
Developer Security Testing 1
Device Identification and Authentication 1
Emergency Lighting 1
Emergency Power 1
Emergency Shutof 1
Enterprise Architecture 1
Error Handling 1
External Information System Services 1
Fail In Known State 1
Fire Protection 1
Flaw Remediation 1
Heterogeneity 1
Honeypots 1
Identification and Authentication (Non-organizational Users) 1
Identification and Authentication (Organizational Users) 1
Identification and Authentication Policy and Procedures 1
Identifier Management 1
Incident Handling 1
Incident Monitoring 1
Incident Reporting 1
Incident Response Assistance 1
Incident Response Plan 1
Incident Response Policy and Procedures 1
Incident Response Testing and Exercises 1
Incident Response Training 1
Information Flow Enforcement 1
Information In Shared Resources 1
Information Input Restrictions 1
Information Input Validation 1
Information Leakage 1
Information Output Handling and Retention 1
Information Security Measures of Performance 1
Information Security Program Plan 1
Information Security Resources 1
Information System Backup 1
Information System Component Inventory 1
Information System Connections 1
Information System Documentation 1
Information System Inventory 1
Information System Monitoring 1
Information System Partitioning 1
Information System Recovery and Reconstitution 1
Least Functionality 1
Least Privilege 1
Life Cycle Support 1
Location of Information System Components 1
Maintenance Personnel 1
Maintenance Tools 1
Malicious Code Protection 1
Media Access 1
Media Marking 1
Media Protection Policy and Procedures 1
Media Sanitization 1
Media Storage 1
Media Transport 1
Mission/business Process Definition 1
Mobile Code 1
Monitoring for Information Disclosure 1
Monitoring Physical Access 1
Network Disconnect 1
Non-local Maintenance 1
Non-modifiable Executable Programs 1
Non-repudiation 1
Operating System-independent Applications 1
Permitted Actions Without Identification Or Authentication 1
Personnel Sanctions 1
Personnel Screening 1
Personnel Security Policy and Procedures 1
Personnel Termination 1
Personnel Transfer 1
Physical Access Authorizations 1
Physical Access Control 1
Physical and Environmental Protection Policy and Procedures 1
Plan of Action and Milestones 1
Plan of Action and Milestones Process 1
Position Categorization 1
Power Equipment and Power Cabling 1
Predictable Failure Prevention 1
Previous Logon (Access) Notification 1
Privacy Impact Assessment 1
Protection of Audit Information 1
Protection of Information At Rest 1
Public Access Protections 1
Public Key Infrastructure Certificates 1
Publicly Accessible Content 1
Remote Access 1
Resource Priority 1
Response To Audit Processing Failures 1
Risk Assessment 1
Risk Assessment Policy and Procedures 1
Risk Assessment Update 1
Risk Management Strategy 1
Rules of Behavior 1
Secure Name / Address Resolution Service (Authoritative Source) 1
Secure Name / Address Resolution Service (Recursive Or Caching Resolver) 1
Security Alerts, Advisories, and Directives 1
Security Assessment and Authorization Policies and Procedures 1
Security Assessments 1
Security Attributes 1
Security Authorization 1
Security Authorization Process 1
Security Awareness 1
Security Awareness and Training Policy and Procedures 1
Security Categorization 1
Security Certification 1
Security Engineering Principles 1
Security Function Isolation 1
Security Functionality Verification 1
Security Impact Analysis 1
Security Planning Policy and Procedures 1
Security Training 1
Security Training Records 1
Security-related Activity Planning 1
Senior Information Security Officer 1
Separation of Duties 1
Session Audit 1
Session Authenticity 1
Session Lock 1
Session Termination 1
Software and Information Integrity 1
Software Usage Restrictions 1
Spam Protection 1
Supervision and Review Access Control 1
Supply Chain Protection 1
System and Communications Protection Policy and Procedures 1
System and Information Integrity Policy and Procedures 1
System and Services Acquisition Policy and Procedures 1
System Maintenance Policy and Procedures 1
System Security Plan 1
System Security Plan Update 1
System Use Notification 1
Telecommunications Services 1
Temperature and Humidity Controls 1
Thin Nodes 1
Third-party Personnel Security 1
Time Stamps 1
Timely Maintenance 1
Transmission Confidentiality 1
Transmission Integrity 1
Transmission of Security Attributes 1
Transmission Preparation Integrity 1
Trusted Path 1
Trustworthiness 1
Unsuccessful Login Attempts 1
Use of Cryptography 1
Use of External Information Systems 1
User-based Collaboration and Information Sharing 1
User-installed Software 1
Virtualization Techniques 1
Visitor Control 1
Voice Over Internet Protocol 1
Vulnerability Scanning 1
Water Damage Protection 1
Wireless Access 1
(empty)
Total Result 205
Class Family Number
Technical Access Control AC-1
OperationaAwareness and TraininAT-1
Technical Audit and AccountabiliAU-1
ManagemeSecurity Assessment anCA-1
OperationaConfiguration Manage CM-1
OperationaContingency Planning CP-1
Technical Identification and AuthIA-1
OperationaIncident Response IR-1
OperationaMaintenance MA-1
OperationaMedia Protection MP-1
OperationaPhysical and EnvironmePE-1
ManagemePlanning PL-1
ManagemeProgram ManagementPM-1
OperationaPersonnel Security PS-1
ManagemeRisk Assessment RA-1
ManagemeSystem and Services AcSA-1
Technical System and Communicat
SC-1
SC-2
SC-3
SC-4
SC-5
SC-6
SC-7
SC-8
SC-9
SC-10
SC-11
SC-12
SC-13
SC-14
SC-15
SC-16
SC-17
SC-18
SC-19
SC-20
SC-21
SC-22
SC-23
SC-24
SC-25
SC-26
SC-27
SC-28
SC-29
Technical System and Communicat SC-30
OperationaSystem and InformationSI-1
Title Impact
Access Control Policy and Procedures LOW_MODERATE_HIGH
Account Management LOW_MODERATE_HIGH
Access Enforcement LOW_MODERATE_HIGH
Information Flow Enforcement MODERATE_HIGH
Separation of Duties MODERATE_HIGH
Least Privilege MODERATE_HIGH
Unsuccessful Login Attempts LOW_MODERATE_HIGH
System Use Notification LOW_MODERATE_HIGH
Previous Logon (Access) Notification NONE
Concurrent Session Control HIGH
Session Lock MODERATE_HIGH
Session Termination NONE
Supervision and Review Access Control NONE
Permitted Actions Without Identification Or Authentication LOW_MODERATE_HIGH
Automated Marking NONE
Security Attributes NONE
Remote Access LOW_MODERATE_HIGH
Wireless Access LOW_MODERATE_HIGH
Access Control for Mobile Devices LOW_MODERATE_HIGH
Use of External Information Systems LOW_MODERATE_HIGH
User-based Collaboration and Information Sharing NONE
Publicly Accessible Content LOW_MODERATE_HIGH
Security Awareness and Training Policy and Procedures LOW_MODERATE_HIGH
Security Awareness LOW_MODERATE_HIGH
Security Training LOW_MODERATE_HIGH
Security Training Records LOW_MODERATE_HIGH
Contacts With Security Groups and Associations NONE
Audit and Accountability Policy and Procedures LOW_MODERATE_HIGH
Auditable Events LOW_MODERATE_HIGH
Content of Audit Records LOW_MODERATE_HIGH
Audit Storage Capacity LOW_MODERATE_HIGH
Response To Audit Processing Failures LOW_MODERATE_HIGH
Audit Review, Analysis, and Reporting LOW_MODERATE_HIGH
Audit Reduction and Report Generation MODERATE_HIGH
Time Stamps LOW_MODERATE_HIGH
Protection of Audit Information LOW_MODERATE_HIGH
Non-repudiation HIGH
Audit Record Retention LOW_MODERATE_HIGH
Audit Generation LOW_MODERATE_HIGH
Monitoring for Information Disclosure NONE
Session Audit NONE
Security Assessment and Authorization Policies and Procedures LOW_MODERATE_HIGH
Security Assessments LOW_MODERATE_HIGH
Information System Connections LOW_MODERATE_HIGH
Security Certification NONE
Plan of Action and Milestones LOW_MODERATE_HIGH
Security Authorization LOW_MODERATE_HIGH
Continuous Monitoring LOW_MODERATE_HIGH
Configuration Management Policy and Procedures LOW_MODERATE_HIGH
Baseline Configuration LOW_MODERATE_HIGH
Configuration Change Control MODERATE_HIGH
Security Impact Analysis LOW_MODERATE_HIGH
Access Restrictions for Change MODERATE_HIGH
Configuration Settings LOW_MODERATE_HIGH
Least Functionality LOW_MODERATE_HIGH
Information System Component Inventory LOW_MODERATE_HIGH
Configuration Management Plan MODERATE_HIGH
Contingency Planning Policy and Procedures LOW_MODERATE_HIGH
Contingency Plan LOW_MODERATE_HIGH
Contingency Training LOW_MODERATE_HIGH
Contingency Plan Testing and Exercises LOW_MODERATE_HIGH
Contingency Plan Update NONE
Alternate Storage Site MODERATE_HIGH
Alternate Processing Site MODERATE_HIGH
Telecommunications Services MODERATE_HIGH
Information System Backup LOW_MODERATE_HIGH
Information System Recovery and Reconstitution LOW_MODERATE_HIGH
Identification and Authentication Policy and Procedures LOW_MODERATE_HIGH
Identification and Authentication (Organizational Users) LOW_MODERATE_HIGH
Device Identification and Authentication MODERATE_HIGH
Identifier Management LOW_MODERATE_HIGH
Authenticator Management LOW_MODERATE_HIGH
Authenticator Feedback LOW_MODERATE_HIGH
Cryptographic Module Authentication LOW_MODERATE_HIGH
Identification and Authentication (Non-organizational Users) LOW_MODERATE_HIGH
Incident Response Policy and Procedures LOW_MODERATE_HIGH
Incident Response Training LOW_MODERATE_HIGH
Incident Response Testing and Exercises MODERATE_HIGH
Incident Handling LOW_MODERATE_HIGH
Incident Monitoring LOW_MODERATE_HIGH
Incident Reporting LOW_MODERATE_HIGH
Incident Response Assistance LOW_MODERATE_HIGH
Incident Response Plan LOW_MODERATE_HIGH
System Maintenance Policy and Procedures LOW_MODERATE_HIGH
Controlled Maintenance LOW_MODERATE_HIGH
Maintenance Tools MODERATE_HIGH
Non-local Maintenance LOW_MODERATE_HIGH
Maintenance Personnel LOW_MODERATE_HIGH
Timely Maintenance MODERATE_HIGH
Media Protection Policy and Procedures LOW_MODERATE_HIGH
Media Access LOW_MODERATE_HIGH
Media Marking MODERATE_HIGH
Media Storage MODERATE_HIGH
Media Transport MODERATE_HIGH
Media Sanitization LOW_MODERATE_HIGH
Physical and Environmental Protection Policy and Procedures LOW_MODERATE_HIGH
Physical Access Authorizations LOW_MODERATE_HIGH
Physical Access Control LOW_MODERATE_HIGH
Access Control for Transmission Medium MODERATE_HIGH
Access Control for Output Devices MODERATE_HIGH
Monitoring Physical Access LOW_MODERATE_HIGH
Visitor Control LOW_MODERATE_HIGH
Access Records LOW_MODERATE_HIGH
Power Equipment and Power Cabling MODERATE_HIGH
Emergency Shutof MODERATE_HIGH
Emergency Power MODERATE_HIGH
Emergency Lighting LOW_MODERATE_HIGH
Fire Protection LOW_MODERATE_HIGH
Temperature and Humidity Controls LOW_MODERATE_HIGH
Water Damage Protection LOW_MODERATE_HIGH
Delivery and Removal LOW_MODERATE_HIGH
Alternate Work Site MODERATE_HIGH
Location of Information System Components MODERATE_HIGH
Information Leakage NONE
Security Planning Policy and Procedures LOW_MODERATE_HIGH
System Security Plan LOW_MODERATE_HIGH
System Security Plan Update NONE
Rules of Behavior LOW_MODERATE_HIGH
Privacy Impact Assessment LOW_MODERATE_HIGH
Security-related Activity Planning MODERATE_HIGH
Information Security Program Plan LOW_MODERATE_HIGH
Senior Information Security Officer LOW_MODERATE_HIGH
Information Security Resources LOW_MODERATE_HIGH
Plan of Action and Milestones Process LOW_MODERATE_HIGH
Information System Inventory LOW_MODERATE_HIGH
Information Security Measures of Performance LOW_MODERATE_HIGH
Enterprise Architecture LOW_MODERATE_HIGH
Critical Infrastructure Plan LOW_MODERATE_HIGH
Risk Management Strategy LOW_MODERATE_HIGH
Security Authorization Process LOW_MODERATE_HIGH
Mission/business Process Definition LOW_MODERATE_HIGH
Personnel Security Policy and Procedures LOW_MODERATE_HIGH
Position Categorization LOW_MODERATE_HIGH
Personnel Screening LOW_MODERATE_HIGH
Personnel Termination LOW_MODERATE_HIGH
Personnel Transfer LOW_MODERATE_HIGH
Access Agreements LOW_MODERATE_HIGH
Third-party Personnel Security LOW_MODERATE_HIGH
Personnel Sanctions LOW_MODERATE_HIGH
Risk Assessment Policy and Procedures LOW_MODERATE_HIGH
Security Categorization LOW_MODERATE_HIGH
Risk Assessment LOW_MODERATE_HIGH
Risk Assessment Update NONE
Vulnerability Scanning LOW_MODERATE_HIGH
System and Services Acquisition Policy and Procedures LOW_MODERATE_HIGH
Allocation of Resources LOW_MODERATE_HIGH
Life Cycle Support LOW_MODERATE_HIGH
Acquisitions LOW_MODERATE_HIGH
Information System Documentation LOW_MODERATE_HIGH
Software Usage Restrictions LOW_MODERATE_HIGH
User-installed Software LOW_MODERATE_HIGH
Security Engineering Principles MODERATE_HIGH
External Information System Services LOW_MODERATE_HIGH
Developer Configuration Management MODERATE_HIGH
Developer Security Testing MODERATE_HIGH
Supply Chain Protection HIGH
Trustworthiness HIGH
Critical Information System Components NONE
System and Communications Protection Policy and Procedures LOW_MODERATE_HIGH
Application Partitioning MODERATE_HIGH
Security Function Isolation HIGH
Information In Shared Resources MODERATE_HIGH
Denial of Service Protection LOW_MODERATE_HIGH
Resource Priority NONE
Boundary Protection LOW_MODERATE_HIGH
Transmission Integrity MODERATE_HIGH
Transmission Confidentiality MODERATE_HIGH
Network Disconnect MODERATE_HIGH
Trusted Path NONE
Cryptographic Key Establishment and Management LOW_MODERATE_HIGH
Use of Cryptography LOW_MODERATE_HIGH
Public Access Protections LOW_MODERATE_HIGH
Collaborative Computing Devices LOW_MODERATE_HIGH
Transmission of Security Attributes NONE
Public Key Infrastructure Certificates MODERATE_HIGH
Mobile Code MODERATE_HIGH
Voice Over Internet Protocol MODERATE_HIGH
Secure Name / Address Resolution Service (Authoritative Source) LOW_MODERATE_HIGH
Secure Name / Address Resolution Service (Recursive Or Caching Resolver) HIGH
Architecture and Provisioning for Name / Address Resolution Service MODERATE_HIGH
Session Authenticity MODERATE_HIGH
Fail In Known State HIGH
Thin Nodes NONE
Honeypots NONE
Operating System-independent Applications NONE
Protection of Information At Rest MODERATE_HIGH
Heterogeneity NONE
Virtualization Techniques NONE
Covert Channel Analysis NONE
Information System Partitioning MODERATE_HIGH
Transmission Preparation Integrity NONE
Non-modifiable Executable Programs NONE
System and Information Integrity Policy and Procedures LOW_MODERATE_HIGH
Flaw Remediation LOW_MODERATE_HIGH
Malicious Code Protection LOW_MODERATE_HIGH
Information System Monitoring MODERATE_HIGH
Security Alerts, Advisories, and Directives LOW_MODERATE_HIGH
Security Functionality Verification HIGH
Software and Information Integrity MODERATE_HIGH
Spam Protection MODERATE_HIGH
Information Input Restrictions MODERATE_HIGH
Information Input Validation MODERATE_HIGH
Error Handling MODERATE_HIGH
Information Output Handling and Retention LOW_MODERATE_HIGH
Predictable Failure Prevention NONE
Priority Description Supplemental-GuidanceEnhancemeEnhancemen
P1 The organization develops, disseminates, and reviews/upd This control is intended to produce the policy and procedur
P1 The organization manages information system accounts, in The identification of aut MODERATEThe organization emp
P1 The information system enforces approved authorizationsAccess
f control policies NONE [ Withdrawn: Incorpor
P1 The information system enforces approved authorizationsInformation flow controlNONE The informa
P1 The organization: Separates duties of individuals as nec Examples of separation of duties include: (i) mission functio
P1 The organization employs the concept of least privilege, The access authorizations MODERATEThe organiz
P2 The information system: Enforces a limit of [ Assignment:Due to the potential for NONE The information syst
P1 The information system: Displays an approved system useSystem
no use notification messages can be implemented in th
P0 The information system notifies the user, upon successfulThis control is intended NONE The information syste
P2 The information system limits the number of concurrent sThe organization may define the maximum number of conc
P3 The information system: Prevents further access to the sysA session lock is a temp NONE The information system
[ Withdrawn: Incorporated into SC-10 ].
[ Withdrawn: Incorporated into AC-2 and AU-6 ].
P1 The organization: Identifies specific user actions that c This control is intended MODERATEThe organization permit
[ Withdrawn: Incorporated into MP-3 ].
P0 The information system supports and maintains the binding Security attributes are a NONE The information syste
P1 The organization: Documents allowed methods of remoteThis a control requires ex MODERATEThe organi
P1 The organization: Establishes usage restrictions and imp Wireless technologies incMODERATEThe informa
P1 The organization: Establishes usage restrictions and impl Mobile devices include pMODERATEThe organization rest
P1 The organization establishes terms and conditions, consisExternal information sysMODERATEThe organization perm
P0 The organization: Facilitates information sharing by ena The control applies to i NONE The information system
P2 The organization: Designates individuals authorized to poNonpublic information is any information for which the gen
P1 The organization provides basic security awareness trainiThe organization determiNONE The organiz
P1 The organization provides role-based security-related traiThe organization determiNONE The organiz
P3 The organization: Documents and monitors individual informWhile an organization may deem that organizationally man
P0 The organization establishes and institutionalizes contactOngoing contact with security groups and associations is of
P1 The organization: Determines, based on a risk assessmentThe purpose of this contrNONE [ Withdrawn: Incorpor
P1 The information system produces audit records that contai Audit record content thatMODERATEThe informa
P1 The organization allocates audit record storage capacity The organization considers the types of auditing to be perfo
P1 The information system: Alerts designated organizationalAudit
o processing failure HIGH The information syste
P1 The organization: Reviews and analyzes information system Related control: AU-7. HIGH The information system
P2 The information system provides an audit reduction and rAn audit reduction and re MODERATEThe information system
P1 The information system uses internal system clocks to genTime stamps generated bMODERATEThe information system
P1 The information system protects audit information and auAudit information include NONE The information syst
P1 The information system protects against an individual fal Examples of particular aNONE The informa
P3 The organization retains audit records for [ Assignment: oThe organization retains audit records until it is determined
P1 The information system: Provides audit record generationAudits records can be gen HIGH The informa
P0 The organization monitors open source information for evi None.
P0 The information system provides the capability to: CaptureSession auditing activiti NONE The information system
P2 The organization: Develops a security assessment plan thThe organization assesseMODERATEThe organi
P1 The organization: Authorizes connections from the infor This control applies to NONE The organiz
[ Withdrawn: Incorporated into CA-2 ].
P3 The organization: Develops a plan of action and milestonThe plan of action and mNONE The organization employ
P3 The organization: Assigns a senior-level executive or manSecurity authorization is the official management decision,
P3 The organization establishes a continuous monitoring str A continuous monitoringNONE The organi
P1 The organization develops, disseminates, and reviews/upThis control is intended to produce the policy and procedur
P1 The organization develops, documents, and maintains unde This control establishes MODERATEThe organization revi
P1 The organization: Determines the types of changes to theThe organization determiHIGH The organization empl
P2 The organization analyzes changes to the information sysSecurity impact analysesHIGH The organization anal
P1 The organization defines, documents, approves, and enforc Any changes to the hardw HIGH The organization empl
P1 The organization: Establishes and documents mandatory Configuration
co settings a HIGH The organization empl
P1 The organization configures the information system to provi
Information systems are MODERATEThe organization revi
P1 The organization develops, documents, and maintains anInformation
in deemed to be MODERATEThe organization upda
P1 The organization develops, documents, and implements aConfiguration items are NONE The organiz
P1 The organization: Develops a contingency plan for the infContingency planning forMODERATEThe organi
P2 The organization trains personnel in their contingency ro None. HIGH The organization incor
P2 The organization: Tests and/or exercises the contingency There are several methods MODERATEThe organiz
[ Withdrawn: Incorporated into CP-2 ].
P1 The organization establishes an alternate storage site i Related controls: CP-2, CMODERATEThe organiz
P1 The organization: Establishes an alternate processing sit Related control: CP-2. MODERATEThe organiz
P1 The organization establishes alternate telecommunicationRelated control: CP-2. MODERATEThe organization: Dev
P1 The organization: Conducts backups of user-level informaSystem-level informationMODERATEThe organization tests
P1 The organization provides for the recovery and reconstituRecovery is executing in NONE [ Withdrawn: Incorpor
P1 The information system uniquely identifies and authenticatOrganizational users inc LOW_MODE The information syste
P1 The information system uniquely identifies and authenticatThe devices requiring unNONE The informa
P1 The organization manages information system identifiers Common
for device identifierNONE The organiz
P1 The organization manages information system authenticator User authenticators incl LOW_MODE The inform
P1 The information system obscures feedback of authenticatiThe feedback from the information system does not provid
P1 The information system uses mechanisms for authentication None.
P1 The information system uniquely identifies and authentica Non-organizational users include all information system use
P2 The organization: Trains personnel in their incident respoIncident response traininHIGH The organization incor
P2 The organization tests and/or exercises the incident resp None. HIGH The organi
P1 The organization: Implements an incident handling capabil Incident-related informatMODERATEThe organi
P1 The organization tracks and documents information system Documenting information HIGH The organiz
P1 The organization: Requires personnel to report suspectedThe intent of this controMODERATEThe organization empl
P3 The organization provides an incident response support resPossible implementations MODERATEThe organi
P1 The organization: Develops an incident response plan thatIt is important that organizations have a formal, focused, an
P2 The organization: Schedules, performs, documents, and rev The control is intended MODERATEThe organization main
P2 The organization approves, controls, monitors the use of The intent of this contr MODERATEThe organiz
P1 The organization: Authorizes, monitors, and controls nonNon-local maintenance an MODERATEThe organization audi
P1 The organization: Establishes a process for maintenance Individuals not previouslNONE The organiz
P1 The organization obtains maintenance support and/or spar The organization specifies those information system compo
P1 The organization restricts access to [ Assignment: organizInformation system media MODERATEThe organi
P1 The organization: Marks, in accordance with organizationThe term marking is used when referring to the application
P1 The organization: Physically controls and securely stores Information system media NONE The organi
P1 The organization: Protects and controls [ Assignment: orgInformation system media NONE [ Withdrawn: Incorpor
P1 The organization: Sanitizes information system media, both This control applies to HIGH The organization trac
P1 The organization: Develops and keeps current a list of perAuthorization credentialsNONE The organization autho
P1 The organization: Enforces physical access authorizationsThe organization determiHIGH The organiz
P1 The organization controls physical access to information sy Physical protections applied to information system distributi
P1 The organization controls physical access to information Monitors, printers, and audio devices are examples of infor
P1 The organization: Monitors physical access to the informaInvestigation of and respMODERATEThe organization moni
P1 The organization controls physical access to the informatiIndividuals (to include o MODERATEThe organization escor
P3 The organization: Maintains visitor access records to the Visitor access records in HIGH The organization emp
P1 The organization protects power equipment and power ca This control, to include NONE The organization empl
P1 The organization: Provides the capability of shutting of This control applies to NONE [ Withdrawn: Incorporat
P1 The organization provides a short-term uninterruptible poThis control, to include HIGH The organization prov
P1 The organization employs and maintains automatic emergen This control, to include NONE The organization provide
P1 The organization employs and maintains fire suppressionFire suppression and detMODERATEThe organization empl
P1 The organization: Maintains temperature and humidity lev This control, to include NONE The organization empl
P1 The organization protects the information system from daThis control, to include HIGH The organization employ
P1 The organization authorizes, monitors, and controls [ AssEfectively enforcing authorizations for entry and exit of inf
P1 The organization: Employs [ Assignment: organization-defiAlternate work sites may include, for example, government
P2 The organization positions information system component Physical and environmenta HIGH The organization plans t
P0 The organization protects the information system from i The security categorizat NONE The organization ensure
P1 The organization: Develops a security plan for the informThe security plan contai NONE The organiz
[ Withdrawn: Incorporated into PL-2 ].
P1 The organization: Establishes and makes readily availableThe organization consider NONE The organization include
P1 The organization conducts a privacy impact assessment oNone.
P3 The organization plans and coordinates security-related ac Security-related activities include, for example, security ass
P1 The organization: Develops and disseminates an organizatThe information security program plan can be represented
P1 The organization appoints a senior information security The security officer described in this control is an organizati
P1 The organization: Ensures that all capital planning and Organizations may designate and empower an Investment
P1 The organization implements a process for ensuring that Tphe plan of action and milestones is a key document in the
P1 The organization develops and maintains an inventory of Ti his control addresses the inventory requirements in FISMA
P1 The organization develops, monitors, and reports on the Measures of performance are outcome-based metrics used
P1 The organization develops an enterprise architecture withThe enterprise architecture developed by the organization
P1 The organization addresses information security issues inThe requirement and guidance for defining critical infrastru
P1 The organization: Develops a comprehensive strategy to ma An organization-wide risk management strategy includes, fo
P1 The organization: Manages (i.e., documents, tracks, and rThe security authorization process for information systems
P1 The organization: Defines mission/business processes with Information protection needs are technology-independent,
P1 The organization: Assigns a risk designation to all positio Position risk designations are consistent with Office of Pers
P1 The organization: Screens individuals prior to authorizingScreening and rescreening NONE The organization ensur
P2 The organization, upon termination of individual employme Information system-related property includes, for example,
P2 The organization reviews logical and physical access autho This control applies when the reassignment or transfer of a
P3 The organization: Ensures that individuals requiring acc Access agreements includ NONE The organiz
P1 The organization: Establishes personnel security requiremThird-party providers include, for example, service bureaus
P3 The organization employs a formal sanctions process for pThe sanctions process is consistent with applicable federal
P1 The organization: Categorizes information and the informat A clearly defined authorization boundary is a prerequisite f
P1 The organization: Conducts an assessment of risk, includiA clearly defined authorization boundary is a prerequisite f
[ Withdrawn: Incorporated into RA-3 ].
P1 The organization: Scans for vulnerabilities in the infor The security categorizat MODERATEThe organization emplo
P1 The organization: Includes a determination of informatio Related controls: PM-3, PM-11.
P1 The organization: Manages the information system using Related
a control: PM-7.
P1 The organization includes the following requirements and/ The acquisition document MODERATEThe organization requ
P2 The organization: Obtains, protects as required, and makThe inability of the org MODERATEThe organization obta
P1 The organization: Uses software and associated documenta Tracking systems can incNONE The organiz
P1 The organization enforces explicit rules governing the instIf provided the necessary privileges, users have the ability t
P1 The organization applies information system security engiThe application of security engineering principles is primar
P1 The organization: Requires that providers of external inf An external information N s ONE The organiz
P1 The organization requires that information system devel Related controls: CM-3, NONE The organization requi
P2 The organization requires that information system develop Developmental security te NONE The organization requ
P1 The organization protects against supply chain threats byA defense-in-breadth app NONE The organiz
P1 The organization requires that the information system mee The intent of this control is to ensure that organizations rec
P0 The organization: Determines [ Assignment: organization The underlying assumptio NONE The organiz
P1 The information system separates user functionality (inc Information system manag NONE The informa
P1 The information system isolates security functions from nThe information system iNONE The information syste
P1 The information system prevents unauthorized and uninte The purpose of this contrNONE The informa
P1 The information system protects against or limits the efectA variety of technologiesNONE The information system
P0 The information system limits the use of resources by prioPriority protection helps prevent a lower-priority process fr
P1 The information system: Monitors and controls communicat Restricting external webMODERATEThe organiz
P1 The information system protects the integrity of transmitThis control applies to c MODERATEThe organi
P1 The information system protects the confidentiality of tr This control applies to c MODERATEThe organi
P2 The information system terminates the network connection This control applies to both internal and external networks.
P0 The information system establishes a trusted communicati A trusted path is employed for high-confidence connection
P1 The organization establishes and manages cryptographic Cryptographic key manage HIGH The organization maint
P1 The information system implements required cryptographic None. NONE The organization empl
P1 The information system protects the integrity and availabiThe purpose of this control is to ensure that organizations e
P1 The information system: Prohibits remote activation of coCollaborative computingNONE The information syste
P0 The information system associates security attributes w Security attributes may bNONE The information system
P1 The organization issues public key certificates under an [ For user certificates, each organization attains certificates f
P1 The organization: Defines acceptable and unacceptable mDecisions regarding the NONE The inform
P1 The organization: Establishes usage restrictions and impl None.
P1 The information system provides additional data origin anThis control enables remLOW_MODE The informa
P1 The information system performs data origin authenticatiA recursive resolving or NONE The informa
P1 The information systems that collectively provide name/ad A domain name system (DNS) server is an example of an in
P1 The information system provides mechanisms to protect Tt his control focuses on cNONE The information syste
P1 The information system fails to a [ Assignment: organizatiFailure in a known state can address safety or security in ac
P0 The information system employs processing componentsThe th deployment of information system components with m
P0 The information system includes components specificallyNone.d NONE The inform
P0 The information system includes: [ Assignment: organizatOperating system-independent applications are application
P1 The information system protects the confidentiality and inThis control is intended NONE The organization employ
P0 The organization employs diverse information technologieIncreasing the diversity of information technologies within
P0 The organization employs virtualization techniques to p Virtualization techniquesNONE The organiz
P0 The organization requires that information system develoInformation system develNONE The organization tests a
P1 The organization partitions the information system into Information system partitioning is a part of a defense-in-de
P0 The information system protects the integrity of informatInformation can be subjected to unauthorized changes (e.g
P0 The information system at [ Assignment: organization-de In this control, the ter NONE The organi
P1 The organization: Identifies, reports, and corrects infor The organization identif HIGH The organiz
P1 The organization: Employs malicious code protection mech Information system entryMODERATEThe organization cen
P1 The organization: Monitors events on the information syste Information system monit NONE The organization inte
P1 The organization: Receives information system security ale Security alerts and advi HIGH The organization employ
P1 The information system verifies the correct operation of The need to verify securiNONE The information system
P1 The information system detects unauthorized changes toThe organization employs MODERATEThe organization reas
P1 The organization: Employs spam protection mechanisms Information
at system entryHIGH The organization cen
P2 The organization restricts the capability to input informa Restrictions on organizational personnel authorized to inpu
P1 The information system checks the validity of informationRules for checking the valid syntax and semantics of inform
P2 The information system: Identifies potentially security-r The structure and content of error messages are carefully c
P2 The organization handles and retains both information wit The output handling and retention requirements cover the
P0 The organization: Protects the information system from While mean time to failur NONE The organization take
EnhancemeEnhancemeEnhancemen EnhancemeEnhancemeEnhancemen EnhancemeEnhancemeEnhancemen Enhanceme
e the policy and procedures that are required for the efective implementation of selected security controls and control enhancements in t
The organization empMODERATEThe information systeMODERATEThe information systeMODERATEThe information system
[ Withdrawn: IncorporNONE The informa Dual authoNONE The informaNondiscretiNONE The information system
InformationNONE The information systeNONE The information systeNONE The information syst
nclude: (i) mission functions and distinct information system support functions are divided among diferent individuals/roles; (ii) diferent i
EstablishinMODERATEThe organizThis controNONE The organization authNONE The informa
Employing v
The information syst NONE The informa This enhancement applies only to mobile devices for which a login occurs (e.g., personal digita
can be implemented in the form of warning banners displayed when individuals log in to the information system. System use notification is
The information systeNONE The information systeNONE The information system notifies the user of [ Assignment: organization-de
maximum number of concurrent sessions for an information system account globally, by account type, by account, or a combination. This c
The information system session lock mechanism, when activated on a device with a display screen, places a publicly viewable pattern ont
The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish m
The information systeNONE The information systeNONE The informaExamples of NONE The informaThe support
AutomatedMODERATEThe organizThe encrypt MODERATEThe informRelated conMODERATEThe organizRelated con
AuthenticatHIGH The organizOrganizatioNONE The organization disaHIGH The organization does
The organization rest MODERATEThe organization prohMODERATEThe organiAn identifi NONE The organization: Prohibits the use of unc
The organization perm MODERATEThe organizLimits on the use of organization-controlled portable storage media in external information sys
The information system employs automated mechanisms to enable authorized users to make information-sharing decisions based on acc
rmation for which the general public is not authorized access in accordance with federal laws, Executive Orders, directives, policies, regulati
Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized ac
EnvironmentNONE The organizPhysical security controls include, for example, physical access control devices, physical intrusio
that organizationally mandated individual training programs and the development of individual training plans are necessary, this control do
ups and associations is of paramount importance in an environment of rapid technology changes and dynamic threats. Security groups and
[ Withdrawn: IncorporNONE [ Withdrawn: IncorporMODERATEThe organizThe list of MODERATEThe organization includes execution of pr
An exampleHIGH The organization centrally manages the content of audit records generated by [ Assignment: organization-
pes of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Related controls: AU-2, AU-5
The information systeHIGH The information systemNONE The information system NONE The information system invokes a system
The information system NONE [ Withdrawn: IncorporaNONE The organization analy NONE The informAn example
The information system provides the capability to automatically process audit records for events of interest based on selectable event crit
The information system synchronizes internal information system clocks [ Assignment: organization-defined frequency ] with [ Assignmen
The information syst NONE The information systeNONE The informaAn exampleNONE The organizAuditing may not be reliable w
This controNONE The informaThis controNONE The informaIf the revi NONE The informaThis contro
ords until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for e
The audit tNONE The informaAudit information normalized to a common standard promotes interoperability and exchange o
The information system initiates session audits at system start-up.

An independ
HIGH The organizPenetration testing exercises both physical and technical security controls. A standard method
An externaNONE The organizAn external network is a network that is not controlled by the organization (e.g., the Internet).
The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is acc
al management decision, conveyed through the authorization decision document, given by a senior organizational official or executive (i.e.
The organizNONE The organizExamples of vulnerability mitigation procedures are contained in Information Assurance Vulner
The organization revi HIGH The organiSoftware inMODERATEThe organization retaMODERATEThe organization: Dev
The organization emplMODERATEThe organiThe organizNONE The organiRelated coNONE The organizInformation security represent
The organization analNONE The organizChanges include information system upgrades and modifications.
The organization emplHIGH The organization condHIGH The informaCritical so NONE The organization enfo
The organization emplHIGH The organiResponsesMODERATE
t The organizRelated conNONE The information system (including modific
The organization revi HIGH The organiRelated conNONE The organizOrganizations use the registration process to manage, track, an
The organization updaHIGH The organiOrganizatioHIGH The organiThis contr HIGH The organization incl
In the absence of a dedicated configuration management team, the system integrator may be tasked with developing the confi
Examples ofHIGH The organization condHIGH The organization planNONE The organization plan
The organization incorNONE The organization employs automated mechanisms to provide a more thorough and realistic training envir
Examples ofHIGH The organization testsNONE The organization emplHIGH The organizRelated controls: CP-10, SC-24.
Hazards ofHIGH The organization confiMODERATEThe organizExplicit mitigation actions include, for example, duplicating bac
Hazards thaMODERATEThe organization identMODERATEThe organization deveHIGH The organization confi
The organization: DevMODERATEThe organization obtaHIGH The organization obtaHIGH The organization requires primary and alt
The organization testsHIGH The organization usesHIGH The organization storNONE [ Withdrawn: Incorpor
[ Withdrawn: IncorporMODERATEThe informDatabase m MODERATEThe organization provHIGH The organization prov
The information systeMODERATEThe information systeMODERATEThe information systeHIGH The information syste
Remote netNONE The information systeNONE The organizWith regard to dynamic address allocation for devices, DHCP-e
The organiNONE The organization requiNONE The organization requNONE The organizCharacteris
This contr MODERATEThe informa Status infoMODERATEThe organization requiNONE The organization empl
n system does not provide information that would allow an unauthorized user to compromise the authentication mechanism. Displaying a
all information system users other than organizational users explicitly covered by IA-2. Users are uniquely identified and authenticated for a
The organization incorHIGH The organization employs automated mechanisms to provide a more thorough and realistic training envir
Automated mechanisms can provide the ability to more thoroughly and efectively test or exercise the incident response capab
An online NONE The organizDynamic recNONE The organizClasses of NONE The organization corr
Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the
The organization emplNONE The organization reports information system weaknesses, deficiencies, and/or vulnerabilities associated w
AutomatedNONE
m The organizExternal providers of information system protection capability include, for example, the Compu
have a formal, focused, and coordinated approach to responding to incidents. The organizations mission, strategies, and goals for incident r
The organization mainHIGH The organization employs automated mechanisms to schedule, conduct, and document maintenance and
Maintenanc MODERATEThe organization checHIGH The organization preveNONE The organization employs automated mec
The organization audiMODERATEThe organization docuHIGH The organization: ReqNONE The organiRelated con
The intent NONE The organization ensurNONE The organization ensuNONE The organization ensures that: Cleared for
nformation system components that, when not operational, result in increased risk to organizations, individuals, or the Nation because the
This controNONE The information system uses cryptographic mechanisms to protect and restrict access to information on p
eferring to the application or use of human-readable security attributes. The term labeling is used when referring to the application or use o
Related control: SC-13.
[ Withdrawn: IncorporMODERATEThe organizOrganizatioHIGH The organiCustodial rMODERATEThe organizThis control enhancement also
The organization tracHIGH The organization test HIGH The organizPortable, rNONE The organization sani
The organization authoNONE The organizExamples of NONE The organization restricts physical access to the facility containing an infor
This controNONE The organizThe extent/NONE The organization guarNONE The organization uses
ormation system distribution and transmission lines help prevent accidental damage, disruption, and physical tampering. Additionally, phys
ices are examples of information system output devices.
The organization moniHIGH The organization employs automated mechanisms to recognize potential intrusions and initiate designate
The organization escorNONE The organization requires two forms of identification for visitor access to the facility.
The organization empHIGH The organization maintains a record of all physical access, both visitor and authorized individuals.
The organization emplNONE The organization employs automatic voltage controls for [ Assignment: organization-defined list of critical
[ Withdrawn: Incorporated into PE-10 ].
The organization provNONE The organizLong-term alternate power supplies for the information system are either manually or automati
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
The organization emplMODERATEThe organization emplMODERATEThe organization emplo NONE The organization ensures that the facility
The organization emplNONE The organization employs temperature and humidity monitoring that provides an alarm or notification of
The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damag
ns for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from
for example, government facilities or private residences of employees. The organization may define diferent sets of security controls for sp
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental
The organization ensures that information system components, associated data communications, and networks are protected in accordan
The securi NONE The organizUnique security requirements for the information system include, for example, encryption of ke
The organization includes in the rules of behavior, explicit restrictions on the use of social networking sites, posting information on comm
for example, security assessments, audits, system hardware and software maintenance, and contingency plan testing/exercises. Organizati
plan can be represented in a single document or compilation of documents at the discretion of the organization. The plan documents the
his control is an organizational official. For a federal agency (as defined in applicable federal laws, Executive Orders, directives, policies, or r
empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of t
is a key document in the information security program and is subject to federal reporting requirements established by OMB. The plan of a
ory requirements in FISMA. OMB provides guidance on developing information systems inventories and associated reporting requirements.
come-based metrics used by an organization to measure the efectiveness or efficiency of the information security program and the securi
oped by the organization is aligned with the Federal Enterprise Architecture. The integration of information security requirements and asso
r defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applic
ment strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment me
s for information systems requires the implementation of the Risk Management Framework and the employment of associated security sta
technology-independent, required capabilities to counter threats to organizations, individuals, or the Nation through the compromise of in
sistent with Office of Personnel Management policy and guidance. The screening criteria include explicit information security role appointm
The organization ensur NONE The organizTypes of information requiring formal indoctrination include, for example, Special Access Progr
rty includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building
ssignment or transfer of an employee is permanent or of such an extended duration as to make the actions warranted. In addition the orga
Information NONE The organizExamples of special protection measures include, for example, collateral, Special Access Progra
example, service bureaus, contractors, and other organizations providing information system development, information technology service
nt with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The process is described in acce
undary is a prerequisite for an efective security categorization. Security categorization describes the potential adverse impacts to organiza
undary is a prerequisite for an efective risk assessment. Risk assessments take into account vulnerabilities, threat sources, and security co
The organization emplo

HIGH The organization updaHIGH The organization emplHIGH The organization atte
The organization requHIGH The organization requNONE The organization requMODERATEThe organization ensu
The organization obtaHIGH The organization obtaMODERATEThe organizAn informaNONE The organizEach subsy
Software products without accompanying source code from sources with limited or no warranty are assessed for potential secu
es, users have the ability to install software. The organization identifies what types of software installations are permitted (e.g., updates and
ering principles is primarily targeted at new development information systems or systems undergoing major upgrades and is integrated int
Dedicated information security services include, for example, incident monitoring, analysis and response, operation of informa
The organization requiNONE The organiThe configuration management process includes key organizational personnel that are respons
The organization requNONE The organization requiNONE The organization requires that information system developers/integrators
StockpilingNONE The organizThe organiNONE The organiTrusted shiNONE The organiDiversifica
ure that organizations recognize the importance of trustworthiness and making explicit trustworthiness decisions when designing, develop
Measures that the organization considers implementing include, for example, enhanced auditing, restrictions on source code a
The intent of this control enhancement is to ensure that administration options are not available to general users (including pro
The information systeNONE The information systeNONE The organiNonsecurity NONE The organization impl
Shared resources include, for example, memory, input/output queues, and network interface cards.
The information system NONE The information system manages excess capacity, bandwidth, or other redundancy to limit the efects of i
a lower-priority process from delaying or interfering with the information system servicing any higher-priority process. This control does no
Publicly acMODERATEThe information systeMODERATEThe organiThe TrustedMODERATEThe organization: Imp
AlternativeNONE The informaInformation can be intentionally and/or maliciously modified at data aggregation or protocol tr
AlternativeNONE The informaInformation can be intentionally and/or maliciously disclosed at data aggregation or protocol tr
al and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating a
h-confidence connections between the security functions of the information system and the user (e.g., for login).
The organization maint NONE The organization prodNONE The organization pro NONE The organization prod
The organization emplNONE The organization emplNONE The organization emplNONE The organization employs [ Selection: FIPS
nsure that organizations explicitly address the protection needs for public information and applications with such protection likely being im
The information systeNONE The informBlocking reNONE The organization disables or removes collaborative computing devices fro
The information system validates the integrity of security attributes exchanged between systems.
ation attains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy pub
Corrective NONE The organization ensuNONE The information syst NONE The informa Actions required before executi
An example means to indicate the security status of child subspaces is through the use of delegation signer (DS) resource recor
Local clients include, for example, DNS stub resolvers.
ver is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enha
The information systeNONE The information systeNONE The information systeNONE The informEmploying the concept of rand
ess safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a los
ystem components with minimal functionality (e.g., diskless nodes and thin client technologies) reduces the need to secure every user endp
Devices that actively seek out web-based malicious code by posing as clients are referred to as client honeypots or honey clien
pplications are applications that can run on multiple operating systems. Such applications promote portability and reconstitution on diferen
The organization employs cryptographic mechanisms to prevent unauthorized disclosure and modification of information at rest unless ot
ation technologies within the information system reduces the impact of the exploitation of a specific technology. Organizations that select t
While frequNONE The organization employs randomness in the implementation of the virtualization techniques.
The organization tests a subset of the vendor-identified covert channel avenues to determine if they are exploitable.
a part of a defense-in-depth protection strategy. An organizational assessment of risk guides the partitioning of information system compo
nauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points.
This controNONE The organizThis control enhancement covers protecting the integrity of information to be placed onto read
Due to infoMODERATEThe organization empNONE The organization measNONE The organization employs automated patc
The organization cen MODERATEThe information systeMODERATEThe information systeNONE The information syste
The organization inteMODERATEThe organization emplNONE The organization emplMODERATEThe informUnusual/una
The organization employs automated mechanisms to make security alert and advisory information available throughout the organization
The information systemNONE The information systeNONE The organizOrganizational officials with information security responsibilitie
The organization reasHIGH The organization emplNONE The organization emplo
NONE The organization requires use of tamper-e
The organization cen NONE The information system automatically updates spam protection mechanisms (including signature definitio
sonnel authorized to input information to the information system may extend beyond the typical access controls employed by the system a
x and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify that inpu
r messages are carefully considered by the organization. The extent to which the information system is able to identify and handle error co
n requirements cover the full life cycle of the information, in some cases extending beyond the disposal of the information system. The Nati
The organization takeNONE The organization doesNONE The organization manuNONE The organizAutomatic or manual transfer o
EnhancemeEnhancemen EnhancemeEnhancemeEnhancemen EnhancemeEnhancemeEnhancemen EnhancemeEnhanceme
s and control enhancements in the access control family. The policy and procedures are consistent with applicable federal laws, Executive O
NONE The organization: ReqNONE The informIn contrastNONE The organizPrivileged roles include, for example, key
NONE The informaSecurity-reNONE The organizThe use of encryption by the organization reduces the probability of unau
NONE The information systeNONE The information systeNONE The information syst NONE
t individuals/roles; (ii) diferent individuals perform information system support functions (e.g., system management, systems programmin
NONE The organizSuper userNONE The organizA qualified organizational user may be advised by a non-organizational us
ogin occurs (e.g., personal digital assistants) and not to mobile devices accessed without a login such as removable media. In certain situati
system. System use notification is intended only for information system access that includes an interactive login interface with a human use
of [ Assignment: organization-defined set of security-related changes to the users account ] during [ Assignment: organization-defined time
ccount, or a combination. This control addresses concurrent sessions for a given information system account and does not address concurr
s a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
xtent necessary to accomplish mission/business objectives.
NONE The informaObjects output from the information system include, for example, pages, screens, or equivalent. Output d
MODERATEThe organization moniNONE The organization ens MODERATEThe organizAdditional MODERATE
HIGH The organiActions that may be taken by the organization to confine wireless communications to organization-contro
nization: Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting clas
media in external information systems can include, for example, complete prohibition of the use of such devices or restrictions on how the d
n-sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
ders, directives, policies, regulations, standards, or guidance. Information protected under the Privacy Act and vendor proprietary informati
s and control enhancements in the security awareness and training family. The policy and procedures are consistent with applicable federa
nformation, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking malicious web lin
control devices, physical intrusion alarms, monitoring and surveillance equipment, and security guards (deployment and operating proced
ans are necessary, this control does not mandate either. Documentation for specialized training may be maintained by individual supervisor
amic threats. Security groups and associations can include, for example, special interest groups, specialized forums, professional association
s and control enhancements in the audit and accountability family. The policy and procedures are consistent with applicable federal laws, E
nization includes execution of privileged functions in the list of events to be audited by the information system.
d by [ Assignment: organization-defined information system components ].
city. Related controls: AU-2, AU-5, AU-6, AU-7, SI-4.
mation system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
NONE The organizA Security NONE The organizRelated conNONE The organizPermitted aNONE
st based on selectable event criteria.
ed frequency ] with [ Assignment: organization-defined authoritative time source ].
Auditing may not be reliable when performed by the information system to which the user being audited has privileged access. The privil
NONE The organizRelated control: SC-13.
nal purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests,
s interoperability and exchange of such information between dissimilar devices and information systems. This facilitates an audit system tha
s and control enhancements in the security assessment and authorization family. The policies and procedures are consistent with applicabl
ity controls. A standard method for penetration testing consists of: (i) pretest analysis based on full knowledge of the target system; (ii) pre
organization (e.g., the Internet). No direct connection means that an information system cannot connect to an external network without th
or the information system is accurate, up to date, and readily available.

zational official or executive (i.e., authorizing official) to authorize operation of an information system and to explicitly accept the risk to org
in Information Assurance Vulnerability Alerts. Testing is intended to ensure that the information system continues to provide adequate sec
s and control enhancements in the configuration management family. The policy and procedures are consistent with applicable federal law
HIGH The organization: DevHIGH The organization maintains a baseline configuration for development and test enviro
Information security representatives can include, for example, information system security officers or information system security manage
NONE The organization: LimNONE The organization limitNONE The informThe information system reacts automatica
mation system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., s
tion process to manage, track, and provide oversight for information systems and implemented functionality.
MODERATEThe organization veri NONE The organi: This control enhancement focuses on the configuration settings establish
tasked with developing the configuration management process.
s and control enhancements in the contingency planning family. The policy and procedures are consistent with applicable federal laws, Exe
NONE The organization plans
NONE The organization provides for the transfer of all essential missions and business func
rough and realistic training environment.
Related controls: CP-10, SC-24.
ude, for example, duplicating backup information at another alternate storage site if access to the first alternate site is hindered; or, if electr
MODERATEThe organization ensures that the alternate processing site provides information security measures equivalent to tha
nization requires primary and alternate telecommunications service providers to have contingency plans.
NONE The organization tranNONE The organization accomplishes information system backup by maintaining a redunda
NONE The organizExamples of NONE The organiProtection of backup and restoration hardware, firmware, and software in
s and control enhancements in the identification and authentication family. The policy and procedures are consistent with applicable feder
NONE The organization: All NONE The information systeNONE The information systeMODERATE
ss allocation for devices, DHCP-enabled clients typically obtain leases for IP addresses from DHCP servers.
NONE The informa: In contrast to conventional approaches to identification and authentication which employ static informa
NONE The organiThis contr NONE The organization protNONE The organizOrganizatioNONE
tication mechanism. Displaying asterisks when a user types in a password, is an example of obscuring feedback of authentication informatio
dentified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization in accordan
s and control enhancements in the incident response family. The policy and procedures are consistent with applicable federal laws, Executi
rough and realistic training environment.
cise the incident response capability by providing more complete coverage of incident response issues, selecting more realistic test/exercis
NONE The organization implements a configurable capability to automatically disable the information system if any of the f
mation include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or
nd/or vulnerabilities associated with reported security incidents to appropriate organizational officials.
include, for example, the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect,
rategies, and goals for incident response help determine the structure of its incident response capability.
s and control enhancements in the system maintenance family. The policy and procedures are consistent with applicable federal laws, Exec
and document maintenance and repairs as required, producing up-to date, accurate, complete, and available records of all maintenance an
nization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
NONE The organization requNONE The organization emplNONE The organization employs remote disconnect verifica
nization ensures that: Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenan
duals, or the Nation because the security functionality intended by that component is not being provided. Security-critical components incl
s and control enhancements in the media protection family. The policy and procedures are consistent with applicable federal laws, Executiv
estrict access to information on portable digital media.
erring to the application or use of security attributes with regard to internal data structures within the information system (see AC-16, Secu
This control enhancement also applies to mobile devices. Mobile devices include portable storage media (e.g., USB memory sticks, extern
NONE The organization saniNONE The organization destroys information system media that cannot be sanitized.
s and control enhancements in the physical and environmental protection family. The policy and procedures are consistent with applicable
to the facility containing an information system that processes classified information to authorized personnel with appropriate clearances a
NONE The information systeNONE The organizRelated control: CA-2.
cal tampering. Additionally, physical protections are necessary to help prevent eavesdropping or in transit modification of unencrypted tra
intrusions and initiate designated response actions.

the facility.
d authorized individuals.
ganization-defined list of critical information system components ].
m are either manually or automatically activated.

s and business functions.
nization ensures that the facility undergoes [ Assignment: organization-defined frequency ] fire marshal inspections and promptly resolves i
vides an alarm or notification of changes potentially harmful to personnel or equipment.
mation system from water damage in the event of a water leak.
possibly isolating the areas from the information system and media libraries.
nt sets of security controls for specific alternate work sites or types of sites.
d to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation str
works are protected in accordance with: national emissions and TEMPEST policies and procedures; and (ii) the sensitivity of the informatio
s and control enhancements in the security planning family. The policy and procedures are consistent with applicable federal laws, Executiv
de, for example, encryption of key data elements at rest. Specific protection needs for the information system include, for example, the Pri
s, posting information on commercial websites, and sharing information system account information.
plan testing/exercises. Organizational advance planning and coordination includes both emergency and nonemergency (i.e., planned or no
zation. The plan documents the organization-wide program management controls and organization-defined common controls. The security
e Orders, directives, policies, or regulations) this official is the Senior Agency Information Security Officer. Organizations may also refer to th
tion security-related aspects of the capital planning and investment control process. Related controls: PM-4, SA-2.
tablished by OMB. The plan of action and milestones updates are based on the findings from security control assessments, security impact
ociated reporting requirements.
security program and the security controls employed in support of the program.
n security requirements and associated security controls into the organizations enterprise architecture helps to ensure that security conside
otection plan are found in applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related contr
, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization wit
yment of associated security standards and guidelines. Specific roles within the risk management process include a designated authorizing
on through the compromise of information (i.e., loss of confidentiality, integrity, or availability). Information protection needs are derived fr
s and control enhancements in the personnel security family. The policy and procedures are consistent with applicable federal laws, Executi
formation security role appointment requirements (e.g., training, security clearance).
or example, Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartment Information (SCI).
identification cards, and building passes. Exit interviews ensure that individuals understand any security constraints imposed by being form
s warranted. In addition the organization defines the actions appropriate for the type of reassignment or transfer; whether permanent or te
collateral, Special Access Program (SAP) and Sensitive Compartmented Information (SCI). Personnel security criteria are consistent with ap
, information technology services, outsourced applications, and network and security management. The organization explicitly includes pe
The process is described in access agreements and can be included as part of the general personnel policies and procedures for the organi
s and control enhancements in the risk assessment family. The policy and procedures are consistent with applicable federal laws, Executive
ntial adverse impacts to organizational operations, organizational assets, and individuals should the information and information system be
, threat sources, and security controls planned or in place to determine the level of residual risk posed to organizational operations and ass
HIGH The organization incluNONE The organization emplHIGH The organization emplNONE
s and control enhancements in the system and services acquisition family. The policy and procedures are consistent with applicable federa
NONE The organization requNONE The organiCOTS IA orNONE The organization: Limits the use of commercially pro
NONE The organization obtains, protects as required, and makes available to authorized personnel, the source code for the
ty are assessed for potential security impacts. The assessment addresses the fact that these types of software products are difficult or impo
are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose
or upgrades and is integrated into the system development life cycle. For legacy information systems, the organization applies security engi
d response, operation of information security-related devices such as firewalls, or key management services.
onal personnel that are responsible for reviewing and approving proposed changes to the information system, and security personnel that
n system developers/integrators create a security test and evaluation plan and implement the plan under the witness of an independent ve
NONE The organiBy avoidingNONE The organiBy minimizNONE The organization employs independent analysis and
cisions when designing, developing, and implementing organizational information systems. Trustworthiness is a characteristic or property o
ng, restrictions on source code and system utility access, and protection from deletion of system and application files.
s and control enhancements in the system and communications protection family. The policy and procedures are consistent with applicable
le to general users (including prohibiting the use of the grey-out option commonly used to eliminate accessibility to such information). For
NONE The organization implements security functions as a layered structure minimizing interactions between layers of the
dundancy to limit the efects of information flooding types of denial of service attacks.
ity process. This control does not apply to components in the information system for which there is only a single user/role.
MODERATEThe information system HIGH The organization pre MODERATEThe informThis contr HIGH
t data aggregation or protocol transformation points, compromising the integrity of the information.
at data aggregation or protocol transformation points, compromising the confidentiality of the information.
ude, for example, de-allocating associated TCP/IP address/port pairs at the operating-system level, or de-allocating networking assignments
NONE The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 or Cl
nization employs [ Selection: FIPS-validated; NSA-approved ] cryptography to implement digital signatures.
h such protection likely being implemented as part of other security controls.
aborative computing devices from information systems in [ Assignment: organization-defined secure work areas ].
agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance o
Actions required before executing mobile code, include, for example, prompting users prior to opening electronic mail attachments.
gation signer (DS) resource records in the DNS.
gle points of failure and to enhance redundancy, there are typically at least two authoritative domain name system (DNS) servers, one con
Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to deter
n secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a compon
e need to secure every user endpoint, and may reduce the exposure of information, information systems, and services to a successful attac
client honeypots or honey clients.
ity and reconstitution on diferent platform architectures, increasing the availability for critical functionality within an organization while in
n of information at rest unless otherwise protected by alternative physical measures.
ology. Organizations that select this control should consider that an increase in diversity may add complexity and management overhead, b
alization techniques.
exploitable.
ng of information system components into separate physical domains (or environments). The security categorization also guides the selecti
tocol transformation points.
ormation to be placed onto read-only media and controlling the media after information has been recorded onto the media. Protection me
s and control enhancements in the system and information integrity family. The policy and procedures are consistent with applicable feder
nization employs automated patch management tools to facilitate flaw remediation to [ Assignment: organization-defined information syste
NONE The organization doesNONE The organization tests malicious code protection mechanisms [ Assignment: organiza
MODERATEThe informa Alerts mayMODERATEThe information systeNONE The informaThe least-dNONE
ble throughout the organization as needed.
ormation security responsibilities include, for example, senior information security officers, information system security managers, and info
nization requires use of tamper-evident packaging for [ Assignment: organization-defined information system components ] during [ Selecti
sms (including signature definitions).
ntrols employed by the system and include limitations based on specific operational/project responsibilities. Related controls: AC-5, AC-6.
es) are in place to verify that inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to pre
e to identify and handle error conditions is guided by organizational policy and operational requirements. Sensitive information includes, fo
the information system. The National Archives and Records Administration provides guidance on records retention. Related controls: MP-2
Automatic or manual transfer of roles to a standby unit may occur upon detection of a component failure.
Enhancemen EnhancemeEnhancemeEnhancemen EnhancemeEnhancemeEnhancemen EnhancemeEnhancemeEnhancemen
plicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and proced
d roles include, for example, key management, network and system administration, database administration, web administration.
n reduces the probability of unauthorized disclosure of information and can also detect unauthorized changes to information. Removing inf
The informa OrganizatioNONE The information systeNONE The information system
NONE The informa
nagement, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who
vised by a non-organizational user, if necessary.
movable media. In certain situations, this enhancement may not apply to mobile devices if the information on the device is encrypted with
ogin interface with a human user and is not intended to require notification when an interactive interface does not exist.
ment: organization-defined time period ].
nt and does not address concurrent sessions by a single user via multiple system accounts.
screens, or equivalent. Output devices include, for example, printers and video displays on computer terminals, monitors, screens on note
The organizThe organization can either make a determination of the relative security of the networking protocol or base the sec
nications to organization-controlled boundaries include: (i) reducing the power of the wireless transmission such that it cannot transit the
sing, storing, or transmitting classified information unless specifically permitted by the appropriate authorizing official(s); and Enforces the
vices or restrictions on how the devices may be used and under what conditions the devices may be used.
on to be shared.
and vendor proprietary information are examples of nonpublic information. This control addresses posting information on an organizationa
onsistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational p
ents or invoking malicious web links.
ployment and operating procedures).
ntained by individual supervisors at the option of the organization.
forums, professional associations, news groups, and/or peer groups of security professionals in similar organizations. The groups and asso
nt with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies a
bility exists.
[ Withdrawn: Incorpora
NONE The organization performs, in a physically dedicated information system, full-text analysis of pr
has privileged access. The privileged user may inhibit auditing or modify audit records. This control enhancement helps mitigate this risk b
nformation Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types o
his facilitates an audit system that produces event information that can be more readily analyzed and correlated. System log records and au
res are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organiz
dge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determ
o an external network without the use of an approved boundary protection device (e.g., firewall) that mediates the communication betwee
to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implemen
ntinues to provide adequate security against constantly evolving threats and vulnerabilities. Conformance testing also provides independen
stent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational polici
for development and test environments that is managed separately from the operational baseline configuration.
ormation system security managers. The configuration change control element in this control enhancement is consistent with the change co
mation system reacts automatically when inappropriate and/or unauthorized modifications have occurred to security functions or mechan
ty configuration guidance (i.e., security checklists), prior to being introduced into a production environment.
e configuration settings established by the organization for its information system components, the specific information system componen
with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and
ntial missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustain
nate site is hindered; or, if electronic accessibility to the alternate site is disrupted, planning for physical access to retrieve backup informati
urity measures equivalent to that of the primary site
backup by maintaining a redundant secondary system, not collocated, that can be activated without loss of information or disruption to the
dware, firmware, and software includes both physical and technical measures. Router tables, compilers, and other security-relevant system
consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational
The informa
An authentiHIGH The informAn authentication process resists replay attacks if it is impractical to achieve a succes
tion which employ static information system accounts for preregistered users, many service-oriented architecture implementations rely on e
The organiWhen an individual has accounts on multiple information systems, there is the risk that if one account is compromis
back of authentication information.
d by the organization in accordance with AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-or
h applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and pro
ecting more realistic test/exercise scenarios and environments, and more efectively stressing the response capability. Related control: AT-2
nformation system if any of the following security violations are detected: [ Assignment: organization-defined list of security violations ].
ent Response Centers (CIRCs) or other electronic databases of incidents. Related controls: AU-6, AU-7, SI-4.
ernal providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems a
with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and
ble records of all maintenance and repair actions, needed, in process, and completed.
mploys remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.
), are used to conduct maintenance and diagnostic activities on an information system only when the system is jointly owned and operated
Security-critical components include, for example, firewalls, guards, gateways, intrusion detection systems, audit repositories, authenticatio
applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and pro
rmation system (see AC-16, Security Attributes). Removable information system media includes both digital media (e.g., diskettes, magneti
(e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with storage capability (e.g., not
a that cannot be sanitized.
es are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizati
nel with appropriate clearances and access authorizations.
modification of unencrypted transmissions. Protective measures to control physical access to information system distribution and transmis
pections and promptly resolves identified deficiencies.
l hazards in its risk mitigation strategy.

the sensitivity of the information being transmitted.
applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and pro
em include, for example, the Privacy Act and Health Insurance Portability and Accountability Act.
nemergency (i.e., planned or nonurgent unplanned) situations.

d common controls. The security plans for individual information systems and the organization-wide information security program plan tog
rganizations may also refer to this organizational official as the Senior Information Security Officer or Chief Information Security Officer.
rol assessments, security impact analyses, and continuous monitoring activities. OMB FISMA reporting guidance contains instructions rega
s to ensure that security considerations are addressed by organizations early in the system development life cycle and are directly and expl
rds, and guidance. Related controls: PM-1, PM-9, PM-11, RA-3.
risk across the organization with respect to the organizations risk tolerance, and approaches for monitoring risk over time. The use of a ris
include a designated authorizing official for each organizational information system. Related control: CA-6.
n protection needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to m
h applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and pr
onstraints imposed by being former employees and that proper accountability is achieved for all information system-related property. Exit in
ansfer; whether permanent or temporary. Actions that may be required when personnel are transferred or reassigned to other positions w
ty criteria are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
rganization explicitly includes personnel security requirements in acquisition-related documents.
es and procedures for the organization. Related controls: PL-4, PS-6.
pplicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and proc
ation and information system be comprised through a loss of confidentiality, integrity, or availability. The organization conducts the security
organizational operations and assets, individuals, other organizations, and the Nation based on the operation of the information system. Ris
The organization revieNONE The organizA standard method for penetration testing includes: (i) pre-test analysis based on fu
onsistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational p
mits the use of commercially provided information technology products to those products that have been successfully evaluated against a v
ersonnel, the source code for the information system to permit analysis and testing.
are products are difficult or impossible to review, repair, or extend, given that the organization does not have access to the original source
prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect). Related control: CM-2.
rganization applies security engineering principles to system upgrades and modifications to the extent feasible, given the current state of th
em, and security personnel that conduct impact analyses prior to the implementation of any changes to the system.
he witness of an independent verification and validation agent.
mploys independent analysis and penetration testing against delivered information systems, information system components, and informati
s is a characteristic or property of an information system that expresses the degree to which the system can be expected to preserve the co
cation files.
res are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organiza
sibility to such information). For example, administration options are not presented until the user has appropriately established a session w
teractions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
single user/role.
The informa
External neNONE The informa
Detecting iNONE The organizMeasures to
NONE The information syst
locating networking assignments at the application level if multiple application sessions are using a single, operating system-level network
using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
uthority at medium assurance or higher, this Certification Authority will suffice. This control focuses on certificates with a visibility external
ectronic mail attachments.
e system (DNS) servers, one configured as primary and the other as secondary. Additionally, the two servers are commonly located in two d
ainst brute-force attacks to determine future session identifiers.
nformation system or a component of the system. Failure in a known safe state helps prevent systems from failing to a state that may cause
and services to a successful attack. Related control: SC-30.
y within an organization while information systems with a given operating system are under attack.
ty and management overhead, both of which have the potential to lead to mistakes and misconfigurations which could increase overall risk
gorization also guides the selection of appropriate candidates for domain partitioning. Managed interfaces restrict or prohibit network acc
d onto the media. Protection measures may include, as deemed necessary by the organization, a combination of prevention and detection
consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational
zation-defined information system components ].
echanisms [ Assignment: organization-defined frequency ] by introducing a known benign, non-spreading test case into the information syst
The organization protNONE The organizThe frequeNONE The organizThe enhance NONE The organiz
stem security managers, and information systems security officers.

m components ] during [ Selection: transportation from vendor to operational site; during operation; both ].
es. Related controls: AC-5, AC-6.

terpreters are prescreened to prevent the content from being unintentionally interpreted as commands.
ensitive information includes, for example, account numbers, social security numbers, and credit card numbers.
etention. Related controls: MP-2, MP-4.
EnhancemeEnhancemeEnhancemen EnhancemeEnhancemeEnhancemen EnhancemeEnhancemeEnhancemen Enhanceme
rganizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The access control p
n, web administration.
ges to information. Removing information from online storage to offline storage eliminates the possibility of individuals gaining unauthorize
For exampleNONE The informa
Data type sNONE The informPolicy enfoNONE The informaConstrainin
rity); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) diferent administrator acc
on the device is encrypted with sufficiently strong encryption mechanisms, making purging unnecessary. The login is to the mobile device
does not exist.
inals, monitors, screens on notebook/laptop computers and personal digital assistants.

working protocol or base the security decision on the assessment of other entities. Bluetooth and peer-to-peer networking are examples o
n such that it cannot transit the physical perimeter of the organization; (ii) employing measures such as TEMPEST to control wireless eman
zing official(s); and Enforces the following restrictions on individuals permitted to use mobile devices in facilities containing information sys
information on an organizational information system that is accessible to the general public, typically without identification or authenticati
idance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. Th
anizations. The groups and associations selected are consistent with the organizations mission/business requirements. Information-sharing
Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The audit
on system, full-text analysis of privileged functions executed.
cement helps mitigate this risk by requiring that privileged access be further defined between audit-related privileges and other privileges,
t records relative to such types of actions and standard response processes for each type of action are developed and disseminated. The N
elated. System log records and audit records compliant with the Common Event Expression (CEE) are examples of standard formats for audi
s, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unneces
d (iii) testing designed to determine exploitability of identified vulnerabilities. Detailed rules of engagement are agreed upon by all parties b
ates the communication between the system and the network. In addition, the approved boundary protection device (typically a managed
e Nation based on the implementation of an agreed-upon set of security controls. Authorizing officials typically have budgetary oversight fo
testing also provides independent validation. See supplemental guidance for CA-2, enhancement (2) for further information on malicious u
ce. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The con
t is consistent with the change control element defined by the organization in CM-3.
to security functions or mechanisms. Automatic implementation of safeguards and countermeasures includes, for example, reversing the c
c information system components that have been assessed to determine compliance with the required configuration settings, and any app
isting organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The continge
perational continuity and sustains that continuity through restoration to primary processing and/or storage sites.
cess to retrieve backup information.
information or disruption to the operation.

d other security-relevant system software are examples of backup and restoration software.
uidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. Th
is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to add
ecture implementations rely on establishing identities at run time for entities that were previously unknown. Dynamic establishment of ide
hat if one account is compromised and the individual is using the same user identifier and authenticator, other accounts will be compromi
tiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or
ng organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The incident resp
e capability. Related control: AT-2.

ed list of security violations ].
nizational information systems and networks.
sting organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The informatio
m is jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied gover
audit repositories, authentication servers, and intrusion prevention systems. Related control: CP-2.
g organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The media protec
al media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-di
with storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones). Related control: MP-4. Related co
and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecess
system distribution and transmission lines include: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of
g organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The security plan
mation security program plan together, provide complete coverage for all security controls employed within the organization. Common cont
Information Security Officer.
dance contains instructions regarding organizational plans of action and milestones. Related control: CA-5.
e cycle and are directly and explicitly related to the organizations mission/business processes. This also embeds into the enterprise archite
ng risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strateg
business processes selected to meet the stated needs, and the organizational risk management strategy. Information protection needs dete
ng organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The personnel s
n system-related property. Exit interviews may not be possible for some employees (e.g., in the case of job abandonment, some illnesses, a
reassigned to other positions within the organization include, for example: (i) returning old and issuing new keys, identification cards, and
ndards, and guidance.
organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The risk assessmen
rganization conducts the security categorization process as an organization-wide activity with the involvement of the chief information offic
on of the information system. Risk assessments also take into account risk posed to organizational operations, organizational assets, or indiv
(i) pre-test analysis based on full knowledge of the target information system; (ii) pre-test identification of potential vulnerabilities based o
idance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The
successfully evaluated against a validated U.S. Government Protection Profile for a specific technology type, if such a profile exists; and Req
ve access to the original source code and there is no owner who could make such repairs on behalf of the organization.
t). Related control: CM-2.
ible, given the current state of the hardware, software, and firmware within the system. Examples of security engineering principles includ
tem components, and information technology products.

n be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the sy
, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unneces
opriately established a session with administrator privileges.
or correctness of higher layers.
The information syst NONE The informA host-basNONE The organization isol NONE The organizInformation
operating system-level network connection. The time period of inactivity may, as the organization deems necessary, be a set of time period
tificates with a visibility external to the information system and does not include certificates related to internal system operations, for exam
rs are commonly located in two diferent network subnets and geographically separated (i.e., not located in the same physical facility). With
m failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitate
which could increase overall risk.

s restrict or prohibit network access and information flow among partitioned information system components. Related controls: AC-4, SC-7
tion of prevention and detection/response. This enhancement may be satisfied by requirements imposed by other controls such as AC-3, A
uidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. Th
est case into the information system and subsequently verifying that both detection of the test case and associated incident reporting occu
Anomalies NONE
w The organization emplo
NONE The organization: AnaNONE The organization empl
EnhancemeEnhancemen EnhancemeEnhancemeEnhancemen EnhancemeEnhancemeEnhancemen EnhancemeEnhanceme
nnecessary. The access control policy can be included as part of the general information security policy for the organization. Access control
f individuals gaining unauthorized access via a network. Related control: MP-4.

NONE The informa
Actions to NONE The informaTransferrinNONE The informa Attribution is a critical component of a se
d (iv) diferent administrator accounts for diferent roles. Access authorizations defined in this control are implemented by control AC-3. Re
The login is to the mobile device, not to any one account on the device. Therefore, a successful login to any account on the mobile device r
peer networking are examples of less than secure networking protocols.

MPEST to control wireless emanations; and (iii) configuring the wireless access such that it is point to point in nature.
ilities containing information systems processing, storing, or transmitting classified information: \ - Connection of unclassified mobile devic
out identification or authentication. The posting of information on non-organization information systems is covered by appropriate organiz
and procedures unnecessary. The security awareness and training policy can be included as part of the general information security policy
quirements. Information-sharing activities regarding threats, vulnerabilities, and incidents related to information systems are consistent wi
cedures unnecessary. The audit and accountability policy can be included as part of the general information security policy for the organiza
d privileges and other privileges, thus, limiting the users with audit-related privileges. Reducing the risk of audit compromises by privileged
eloped and disseminated. The National Archives and Records Administration (NARA) General Records Schedules (GRS) provide federal polic
ples of standard formats for audit records. If individual logging mechanisms within the information system do not conform to a standardize
policies and procedures unnecessary. The security assessment/authorization policies can be included as part of the general information sec
t are agreed upon by all parties before the commencement of any penetration testing scenario. These rules of engagement are correlated w
tion device (typically a managed interface/cross-domain system), provides information flow enforcement from the information system to th
cally have budgetary oversight for information systems or are responsible for the mission or business operations supported by the systems
rther information on malicious user testing, penetration testing, red-team exercises, and other forms of security testing. Related control: CA
procedures unnecessary. The configuration management policy can be included as part of the general information security policy for the or
des, for example, reversing the change, halting the information system or triggering an audit alert when an unauthorized modification to a
nfiguration settings, and any approved deviations from established configuration settings in the deployed information system components.
dures unnecessary. The contingency planning policy can be included as part of the general information security policy for the organization.
and procedures unnecessary. The identification and authentication policy can be included as part of the general information security polic
message. Techniques used to address this include protocols that use nonces or challenges (e.g., TLS), and time synchronous or challenge-re
n. Dynamic establishment of identities and association of attributes and privileges with these identities is anticipated and provisioned. Pre-
ther accounts will be compromised as well. Possible alternatives include, but are not limited to: (i) having the same user identifier but dife
o protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Accordingly, a risk asses
es unnecessary. The incident response policy can be included as part of the general information security policy for the organization. Inciden
ures unnecessary. The information system maintenance policy can be included as part of the general information security policy for the org
ted solely by foreign allied governments; and Approvals, consents, and detailed operational conditions regarding the use of foreign nationa
s unnecessary. The media protection policy can be included as part of the general information security policy for the organization. Media p
s, digital video disks) and non-digital media (e.g., paper, microfilm). An organizational assessment of risk guides the selection of media requ
Related control: MP-4. Related controls: MP-2; SC-13.
olicies and procedures unnecessary. The physical and environmental protection policy can be included as part of the general information se
e jacks; and/or (iii) protection of cabling by conduit or cable trays. Related control: PE-2.
s unnecessary. The security planning policy addresses the overall policy requirements for confidentiality, integrity, and availability and can b
the organization. Common controls are documented in an appendix to the organizations information security program plan unless the con
mbeds into the enterprise architecture, an integral security architecture consistent with organizational risk management and information se
n of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sour
ormation protection needs determine the required security controls for the organization and the associated information systems supportin
es unnecessary. The personnel security policy can be included as part of the general information security policy for the organization. Perso
abandonment, some illnesses, and nonavailability of supervisors). Exit interviews are important for individuals with security clearances. Ti
w keys, identification cards, and building passes; (ii) closing previous information system accounts and establishing new accounts; (iii) chan
unnecessary. The risk assessment policy can be included as part of the general information security policy for the organization. Risk assessm
ent of the chief information officer, senior information security officer, information system owner, mission owners, and information owners
ns, organizational assets, or individuals from external parties (e.g., service providers, contractors operating information systems on behalf o
potential vulnerabilities based on pre-test analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. Detaile
and procedures unnecessary. The system and services acquisition policy can be included as part of the general information security policy f
, if such a profile exists; and Requires, if no U.S. Government Protection Profile exists for a specific technology type but a commercially pro
organization.
ity engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and c
, stored, or transmitted by the system. Trustworthy information systems are systems that are capable of being trusted to operate within de
policies and procedures unnecessary. The system and communications protection policy can be included as part of the general information
NONE The informa

Related conNONE The informThis contr NONE The organiAutomatedNONE
m
ecessary, be a set of time periods by type of network access or for specific accesses.
rnal system operations, for example, application-specific time services.
n the same physical facility). With regard to role separation, DNS servers with an internal role, only process name/address resolution reques
stem state information facilitates system restart and return to the operational mode of the organization with less disruption of mission/bus
nts. Related controls: AC-4, SC-7.
by other controls such as AC-3, AC-5, CM-3, CM-5, CM-9, MP-2, MP-4, MP-5, SA-12, SC-28, SI-3, and SI-7.
and procedures unnecessary. The system and information integrity policy can be included as part of the general information security polic
sociated incident reporting occur, as required.

NONE The organization emplNONE The organization corrNONE The organizIntegrated situational awareness enhance
EnhancemenEnhancement 18 Supplemental Guidance
the organization. Access control procedures can be developed for the security program in general and for a particular information system,
n is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in
mplemented by control AC-3. Related controls: AC-3.
account on the mobile device resets the unsuccessful login count to zero.
in nature.
tion of unclassified mobile devices to classified information systems is prohibited; - Connection of unclassified mobile devices to unclassifie
s covered by appropriate organizational policy. Related controls: AC-3, AU-13.

eral information security policy for the organization. Security awareness and training procedures can be developed for the security program
mation systems are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
n security policy for the organization. Audit and accountability procedures can be developed for the security program in general and for a p
audit compromises by privileged users can also be achieved, for example, by performing audit activity on a separate information system or
dules (GRS) provide federal policy on record retention.

do not conform to a standardized format, the system may convert individual audit records into a standardized format when compiling the s
art of the general information security policy for the organization. Security assessment/authorization procedures can be developed for the s
s of engagement are correlated with the tools, techniques, and procedures that are anticipated to be employed by threat-sources in carryin
rom the information system to the external network consistent with AC-4.
ations supported by the systems. Security authorization is an inherently federal responsibility and therefore, authorizing officials must be fe
curity testing. Related control: CA-2.
mation security policy for the organization. Configuration management procedures can be developed for the security program in general a
n unauthorized modification to a critical security file occurs.
formation system components. Related controls: CM-2, CM-6.
urity policy for the organization. Contingency planning procedures can be developed for the security program in general and for a particula
eneral information security policy for the organization. Identification and authentication procedures can be developed for the security prog
me synchronous or challenge-response one-time authenticators.
anticipated and provisioned. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and rela
the same user identifier but diferent authenticators on all systems; (ii) having diferent user identifiers and authenticators on each system;
ystems). Accordingly, a risk assessment is used in determining the authentication needs of the organization. Scalability, practicality, and sec
licy for the organization. Incident response procedures can be developed for the security program in general and for a particular informatio
mation security policy for the organization. System maintenance procedures can be developed for the security program in general and for a
arding the use of foreign nationals to conduct maintenance and diagnostic activities on an information system are fully documented within
cy for the organization. Media protection procedures can be developed for the security program in general and for a particular information
uides the selection of media requiring marking. Marking is generally not required for media containing information determined by the orga
art of the general information security policy for the organization. Physical and environmental protection procedures can be developed for
tegrity, and availability and can be included as part of the general information security policy for the organization. Security planning proced
rity program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed a
management and information security strategies. Security requirements and control integration are most efectively accomplished through
k-related inputs from other sources both internal and external to the organization to ensure the strategy is both broad-based and compreh
ed information systems supporting the mission/business processes. Inherent in defining an organizations information protection needs is an
olicy for the organization. Personnel security procedures can be developed for the security program in general and for a particular informa
duals with security clearances. Timely execution of this control is particularly essential for employees or contractors terminated for cause.
blishing new accounts; (iii) changing information system access authorizations; and (iv) providing for access to official records to which the
for the organization. Risk assessment procedures can be developed for the security program in general and for a particular information syst
owners, and information owners/stewards. The organization also considers potential adverse impacts to other organizations and, in accord
information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accor
identified vulnerabilities. Detailed rules of engagement are agreed upon by all parties before the commencement of any penetration testin
eral information security policy for the organization. System and services acquisition procedures can be developed for the security program
ogy type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, th
ecurity policy, architecture, and controls as the foundation for design; (iii) incorporating security into the system development life cycle; (iv)
ing trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks that are ex
part of the general information security policy for the organization. System and communications protection procedures can be developed
The informa
Fail secure is a condition achieved by the application of a set of information system mechanisms to ensure that in th
name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name
th less disruption of mission/business processes.

eneral information security policy for the organization. System and information integrity procedures can be developed for the security prog
d situational awareness enhances the capability of the organization to more quickly detect sophisticated attacks and investigate the metho
a particular information system, when required. The organizational risk management strategy is a key factor in the development of the acce
points for information flowing in an information system, allows forensic reconstruction of events when required, and increases policy comp
fied mobile devices to unclassified information systems requires approval from the appropriate authorizing official(s); - Use of internal or ex
eveloped for the security program in general and for a particular information system, when required. The organizational risk management s
s, standards, and guidance.

ty program in general and for a particular information system, when required. The organizational risk management strategy is a key factor i
separate information system or by using storage media that cannot be modified (e.g., write-once recording devices).
zed format when compiling the system-wide audit trail.
dures can be developed for the security program in general and for a particular information system, when required. The organizational risk
oyed by threat-sources in carrying out attacks. An organizational assessment of risk guides the decision on the level of independence requi
e, authorizing officials must be federal employees. Through the security authorization process, authorizing officials are accountable for the
he security program in general and for a particular information system, when required. The organizational risk management strategy is a ke
am in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the de
e developed for the security program in general and for a particular information system, when required. The organizational risk managemen
ties to validate identities and related credentials are essential.

authenticators on each system; (iii) employing some form of single sign-on mechanism; or (iv) including some form of one-time passwords
n. Scalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal inform
al and for a particular information system, when required. The organizational risk management strategy is a key factor in the development
rity program in general and for a particular information system, when required. The organizational risk management strategy is a key factor
em are fully documented within a Memorandum of Agreement.
l and for a particular information system, when required. The organizational risk management strategy is a key factor in the development o
rmation determined by the organization to be in the public domain or to be publicly releasable. Some organizations, however, may require
rocedures can be developed for the security program in general and for a particular information system, when required. The organizationa
ization. Security planning procedures can be developed for the security program in general and for a particular information system, when r
g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one o
fectively accomplished through the application of the Risk Management Framework and supporting security standards and guidelines. The
both broad-based and comprehensive. Related control: RA-3.
formation protection needs is an understanding of the level of adverse impact that could result if a compromise of information occurs. The
eral and for a particular information system, when required. The organizational risk management strategy is a key factor in the developmen
ntractors terminated for cause.

s to official records to which the employee had access at the previous work location and in the previous information system accounts.
d for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the
her organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-l
s, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing fe
cement of any penetration testing scenario.

veloped for the security program in general and for a particular information system, when required. The organizational risk management st
y to enforce its security policy, then the cryptographic module is FIPS-validated.
stem development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring system developers and integrators are tra
nd purposeful attacks that are expected to occur in the specified environments of operation. Two factors afecting the trustworthiness of an
n procedures can be developed for the security program in general and for a particular information system, when required. The organizatio
mechanisms to ensure that in the event of an operational failure of a boundary protection device at a managed interface (e.g., router, firew
external role only process name/address resolution information requests from clients external to the organization (i.e., on the external net
developed for the security program in general and for a particular information system, when required. The organizational risk managemen
ttacks and investigate the methods and techniques employed to carry out the attacks.
r in the development of the access control policy. Related control: PM-9.
uired, and increases policy compliance by attributing policy violations to specific organizations/individuals. Means to enforce this enhance
official(s); - Use of internal or external modems or wireless interfaces within the mobile devices is prohibited; and - Mobile devices and th
rganizational risk management strategy is a key factor in the development of the security awareness and training policy. Related control: PM
agement strategy is a key factor in the development of the audit and accountability policy. Related control: PM-9.
g devices).
required. The organizational risk management strategy is a key factor in the development of the security assessment and authorization pol
the level of independence required for penetration agents or penetration teams conducting penetration testing. Red team exercises are co
officials are accountable for the security risks associated with information system operations. Accordingly, authorizing officials are in mana
risk management strategy is a key factor in the development of the configuration management policy. Related control: PM-9.
strategy is a key factor in the development of the contingency planning policy. Related control: PM-9.
e organizational risk management strategy is a key factor in the development of the identification and authentication policy. Related contro
me form of one-time passwords on all systems.
of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational op
a key factor in the development of the incident response policy. Related control: PM-9.
nagement strategy is a key factor in the development of the system maintenance policy. Related control: PM-9.
key factor in the development of the media protection policy. Related control: PM-9.
nizations, however, may require markings for public information indicating that the information is publicly releasable. Organizations may ex
hen required. The organizational risk management strategy is a key factor in the development of the physical and environmental protectio
ular information system, when required. The organizational risk management strategy is a key factor in the development of the security pla
ary protection inherited by one or more organizational information systems). The organization-wide information security program plan will
ty standards and guidelines. The Federal Segment Architecture Methodology provides guidance on integrating information security require
omise of information occurs. The security categorization process is used to make such potential impact determinations. Mission/business p
is a key factor in the development of the personnel security policy. Related control: PM-9.
ormation system accounts.
factor in the development of the risk assessment policy. Related control: PM-9.
al Directives, potential national-level adverse impacts in categorizing the information system. The security categorization process facilitates
ation of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As suc
ganizational risk management strategy is a key factor in the development of the system and services acquisition policy. Related control: PM
evelopers and integrators are trained on how to develop secure software; (vi) tailoring security controls to meet organizational and operati
fecting the trustworthiness of an information system include: (i) security functionality (i.e., the security features or functions employed wit
m, when required. The organizational risk management strategy is a key factor in the development of the system and communications prote
aged interface (e.g., router, firewall, guard, application gateway residing on a protected subnetwork commonly referred to as a demilitarize
nization (i.e., on the external networks including the Internet). The set of clients that can access an authoritative DNS server in a particular
e organizational risk management strategy is a key factor in the development of the system and information integrity policy. Related contro
Means to enforce this enhancement include ensuring that the information system resolution labels distinguish between information syste
ted; and - Mobile devices and the information stored on those devices are subject to random reviews/inspections by [ Assignment: organiza
aining policy. Related control: PM-9.
ssessment and authorization policy. Related control: PM-9.

esting. Red team exercises are conducted as a simulated adversarial attempt to compromise organizational missions and/or business proce
authorizing officials are in management positions with a level of authority commensurate with understanding and accepting such informati
ted control: PM-9.
entication policy. Related control: PM-9.
mitigate risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. Identification and authenti
releasable. Organizations may extend the scope of this control to include information system output devices containing organizational info
cal and environmental protection policy. Related control: PM-9.
development of the security planning policy. Related control: PM-9.
ation security program plan will indicate which separate security plans contain descriptions of common controls. Organizations have the fle
ting information security requirements and security controls into enterprise architectures. Related controls: PL-2, PM-11, RA-2.
erminations. Mission/business process definitions and associated information protection requirements are documented by the organizatio
categorization process facilitates the creation of an inventory of information assets, and in conjunction with CM-8, a mapping to the inform
vacy-related information. As such, organizational assessments of risk also address public access to federal information systems. The Genera
ition policy. Related control: PM-9.
meet organizational and operational needs; and (vii) reducing risk to acceptable levels, thus enabling informed risk management decisions
atures or functions employed within the system); and (ii) security assurance (i.e., the grounds for confidence that the security functionality
stem and communications protection policy. Related control: PM-9.
only referred to as a demilitarized zone), the system does not enter into an unsecure state where intended security properties no longer ho
tative DNS server in a particular role is specified by the organization (e.g., by address ranges, explicit lists).
n integrity policy. Related control: PM-9.
guish between information systems and organizations, and between specific system components or individuals involved in preparing, sendi
ections by [ Assignment: organization-defined security officials ], and if classified information is found, the incident handling policy is follow
missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organ
ing and accepting such information system-related security risks. Through the employment of a comprehensive continuous monitoring pro
ation. Identification and authentication requirements for information system access by organizational users are described in IA-2. Related c
es containing organizational information, including, for example, monitors and printers. Marking of removable media and information syste
ntrols. Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multipl
s: PL-2, PM-11, RA-2.
documented by the organization in accordance with organizational policy and procedure. Related controls: PM-7, PM-8, RA-2.
h CM-8, a mapping to the information system components where the information is processed, stored, and transmitted. Related controls: C
information systems. The General Services Administration provides tools supporting that portion of the risk assessment dealing with public
med risk management decisions.
e that the security functionality is efective in its application). Appropriate security functionality for the information system can be obtaine
security properties no longer hold. A failure of a boundary protection device cannot lead to, or cause information external to the boundar
uals involved in preparing, sending, receiving, or disseminating information.
ncident handling policy is followed.
he information system and organization. While penetration testing may be laboratory-based testing, red team exercises are intended to be
nsive continuous monitoring process, the critical information contained in the authorization package (i.e., the security plan (including risk a
are described in IA-2. Related controls: AC-14, AC-17, AC-18, MA-4.
ble media and information system output is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, stan
ocuments. In the case of multiple documents, the documents describing common controls are included as attachments to the information
: PM-7, PM-8, RA-2.

transmitted. Related controls: CM-8, MP-4, SC-7.
k assessment dealing with public access to federal information systems. Risk assessments (either formal or informal) can be conducted by o
ormation system can be obtained by using the Risk Management Framework (Steps 1, 2, and 3) to select and implement the necessary man
mation external to the boundary protection device to enter the device, nor can a failure permit unauthorized information release.
am exercises are intended to be more comprehensive in nature and reflect real-world conditions. Information system monitoring, maliciou
he security plan (including risk assessment), the security assessment report, and the plan of action and milestones) is updated on an ongo
ctives, policies, regulations, standards, and guidance.

attachments to the information security program plan. If the information security program plan contains multiple documents, the organiza
informal) can be conducted by organizations at various steps in the Risk Management Framework including: information system categoriza
nd implement the necessary management, operational, and technical security controls necessary to mitigate risk to organizational operatio
zed information release.

tion system monitoring, malicious user testing, penetration testing, red-team exercises, and other forms of security testing (e.g., independe
lestones) is updated on an ongoing basis, providing the authorizing official and the information system owner with an up-to-date status of
multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, im
g: information system categorization; security control selection; security control implementation; security control assessment; information
te risk to organizational operations and assets, individuals, other organizations, and the Nation. Appropriate security assurance can be obta
security testing (e.g., independent verification and validation) are conducted to improve the readiness of the organization by exercising org
ner with an up-to-date status of the security state of the information system. To reduce the administrative cost of security reauthorization,
onsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example
control assessment; information system authorization; and security control monitoring. RA-3 is a noteworthy security control in that the con
e security assurance can be obtained by: (i) the actions taken by developers and implementers of security controls with regard to the desig
he organization by exercising organizational capabilities and indicating current performance levels as a means of focusing organizational acti
cost of security reauthorization, the authorizing official uses the results of the continuous monitoring process to the maximum extent poss
e common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize
hy security control in that the control must be partially implemented prior to the implementation of other controls in order to complete the
controls with regard to the design, development, implementation, and operation of those controls; and (ii) the actions taken by assessors to
ans of focusing organizational actions to improve the security state of the system and organization. Testing is conducted in accordance with
ess to the maximum extent possible as the basis for rendering a reauthorization decision. OMB policy requires that federal information syst
op, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family w
controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in the se
the actions taken by assessors to determine the extent to which the controls are implemented correctly, operating as intended, and produ
s conducted in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Testing methods
ires that federal information systems are reauthorized at least every three years or when there is a significant change to the system. The or
on controls from the PE family when such controls are not associated with a particular information system but instead, support multiple inf
play an important role in the security control selection process during the application of tailoring guidance for security control baselines a
perating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. D
and standards. Testing methods are approved by authorizing officials in coordination with the organizations Risk Executive Function. Vulner
ant change to the system. The organization defines what constitutes a significant change to the information system. Related controls: CA-2,
but instead, support multiple information systems. Related control: PM-8.
e for security control baselines and when considering supplementing the tailored baselines with additional security controls or control enh
nts for the information system. Developers and implementers can increase the assurance in security controls by employing well-defined sec
s Risk Executive Function. Vulnerabilities uncovered during red team exercises are incorporated into the vulnerability remediation process.
n system. Related controls: CA-2, CA-7, PM-9, PM-10.
security controls or control enhancements.
ls by employing well-defined security policy models, structured, disciplined, and rigorous hardware and software development techniques,
lnerability remediation process. Related controls: RA-5, SI-2.
ftware development techniques, and sound system/security engineering principles. Assurance is also based on the assessment of evidence

Nist Coc Nov 2017

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Nist Coc Nov 2017

Загружено:

Авторское право:

Доступные форматы

Title

Water Damage Protection

Title Count - Description

The information system initiates session audits at system start-up.

The organization emplo

xtent necessary to accomplish mission/business objectives.

or the information system is accurate, up to date, and readily available.

intrusions and initiate designated response actions.

m are either manually or automatically activated.

gation signer (DS) resource records in the DNS.

pections and promptly resolves identified deficiencies.

l hazards in its risk mitigation strategy.

nemergency (i.e., planned or nonurgent unplanned) situations.

stem security managers, and information systems security officers.

es. Related controls: AC-5, AC-6.

inals, monitors, screens on notebook/laptop computers and personal digital assistants.

on system, full-text analysis of privileged functions executed.

cess to retrieve backup information.

information or disruption to the operation.

e capability. Related control: AT-2.

nizational information systems and networks.

tem components, and information technology products.

which could increase overall risk.

f individuals gaining unauthorized access via a network. Related control: MP-4.

peer networking are examples of less than secure networking protocols.

NONE The informa

rnal system operations, for example, application-specific time services.

sociated incident reporting occur, as required.

s covered by appropriate organizational policy. Related controls: AC-3, AU-13.

dules (GRS) provide federal policy on record retention.

n unauthorized modification to a critical security file occurs.

formation system components. Related controls: CM-2, CM-6.

th less disruption of mission/business processes.

s, standards, and guidance.

zed format when compiling the system-wide audit trail.

ties to validate identities and related credentials are essential.

em are fully documented within a Memorandum of Agreement.

both broad-based and comprehensive. Related control: RA-3.

ntractors terminated for cause.

cement of any penetration testing scenario.

y to enforce its security policy, then the cryptographic module is FIPS-validated.

me form of one-time passwords on all systems.

ormation system accounts.

aining policy. Related control: PM-9.

ssessment and authorization policy. Related control: PM-9.

ted control: PM-9.

entication policy. Related control: PM-9.

development of the security planning policy. Related control: PM-9.

ition policy. Related control: PM-9.

stem and communications protection policy. Related control: PM-9.

s: PL-2, PM-11, RA-2.

med risk management decisions.

ncident handling policy is followed.

are described in IA-2. Related controls: AC-14, AC-17, AC-18, MA-4.

: PM-7, PM-8, RA-2.

ctives, policies, regulations, standards, and guidance.

zed information release.

Вам также может понравиться