security control baselines – summary

LOW-IMPACT, MODERATE-IMPACT, AND HIGH-IMPACT INFORMATION SYSTEMS

This appendix contains the security control baselines that represent the starting point in determining the security controls for low-impact, moderate-impact, and high-impact information systems.[90] The three security control baselines are hierarchical in nature with regard to the security controls employed in those baselines.[91] If a security control is selected for one of the baselines, the family identifier and control number are listed in the appropriate column. If a security control is not used in a particular baseline, the entry is marked not selected. Security control enhancements, when used to supplement security controls, are indicated by the number of the enhancement. For example, the IR-2 (1) (2) entry in the high baseline for IR-2 indicates that the second control from the Incident Response family has been selected along with control enhancements (1) and (2). Some security controls and enhancements are not used in any of the baselines in this appendix but are available for use by organizations if needed. This situation occurs, for example, when the results of a risk assessment indicate the need for additional security controls or control enhancements in order to adequately mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.

Organizations can use the recommended priority code designation associated with each security control in the baselines to assist in making sequencing decisions for control implementation (i.e., a Priority Code 1 [P1] control has a higher priority for implementation than a Priority Code 2 [P2] control; a Priority Code 2 [P2] control has a higher priority for implementation than a Priority Code 3 [P3] control, and a Priority Code 0 [P0] indicates the security control is not selected in any baseline). This recommended sequencing prioritization helps ensure that security controls upon which other controls depend are implemented first, thus enabling organizations to deploy controls in a more structured and timely manner in accordance with available resources. The implementation of security controls by sequence priority code does not imply any defined level of risk mitigation until all controls in the security plan have been implemented. The priority codes are used only for implementation sequencing, not for making security control selection decisions. Table D-1 summarizes sequence priority codes for the baseline security controls in Table D-2.

TABLE D-1: SECURITY CONTROL PRIORITIZATION CODES

| Priority Code | Sequencing | Action |
|---|---|---|
| Priority Code 1 (P1) | FIRST | Implement P1 security controls first. |
| Priority Code 2 (P2) | NEXT | Implement P2 security controls after implementation of P1 controls. |
| Priority Code 3 (P3) | LAST | Implement P3 security controls after implementation of P1 and P2 controls. |
| Unspecified Priority Code (P0) | NONE | Security control not selected in any baseline. |

Table D-2 provides a summary of the security controls and control enhancements from Appendix F that have been allocated to the initial security control baselines (i.e., low, moderate, and high). The sequence priority codes for security control implementation and those security controls that have been withdrawn from Appendix F are also indicated in Table D-2. In addition to Table D-2, the sequence priority codes and security control baselines are annotated in a priority and baseline allocation summary section below each security control in Appendix F.

TABLE D-2: SECURITY CONTROL BASELINES[92]

The LOW, MOD and HIGH columns give the initial control baselines.

| CNTL | Control Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| Access Control | | | | | |
| AC-1 | Access Control Policy and Procedures | P1 | AC-1 | AC-1 | AC-1 |
| AC-2 | Account Management | P1 | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4) (5) (11) (12) (13) |
| AC-3 | Access Enforcement | P1 | AC-3 | AC-3 | AC-3 |
| AC-4 | Information Flow Enforcement | P1 | Not Selected | AC-4 | AC-4 |
| AC-5 | Separation of Duties | P1 | Not Selected | AC-5 | AC-5 |
| AC-6 | Least Privilege | P1 | Not Selected | AC-6 (1) (2) (5) (9) (10) | AC-6 (1) (2) (3) (5) (9) (10) |
| AC-7 | Unsuccessful Logon Attempts | P2 | AC-7 | AC-7 | AC-7 |
| AC-8 | System Use Notification | P1 | AC-8 | AC-8 | AC-8 |
| AC-9 | Previous Logon (Access) Notification | P0 | Not Selected | Not Selected | Not Selected |
| AC-10 | Concurrent Session Control | P3 | Not Selected | Not Selected | AC-10 |
| AC-11 | Session Lock | P3 | Not Selected | AC-11 (1) | AC-11 (1) |
| AC-12 | Session Termination | P2 | Not Selected | AC-12 | AC-12 |
| AC-13 | Withdrawn | --- | --- | --- | --- |
| AC-14 | Permitted Actions without Identification or Authentication | P3 | AC-14 | AC-14 | AC-14 |
| AC-15 | Withdrawn | --- | --- | --- | --- |
| AC-16 | Security Attributes | P0 | Not Selected | Not Selected | Not Selected |
| AC-17 | Remote Access | P1 | AC-17 | AC-17 (1) (2) (3) (4) | AC-17 (1) (2) (3) (4) |
| AC-18 | Wireless Access | P1 | AC-18 | AC-18 (1) | AC-18 (1) (4) (5) |
| AC-19 | Access Control for Mobile Devices | P1 | AC-19 | AC-19 (5) | AC-19 (5) |
| AC-20 | Use of External Information Systems | P1 | AC-20 | AC-20 (1) (2) | AC-20 (1) (2) |
| AC-21 | Information Sharing | P2 | Not Selected | AC-21 | AC-21 |
| AC-22 | Publicly Accessible Content | P3 | AC-22 | AC-22 | AC-22 |
| AC-23 | Data Mining Protection | P0 | Not Selected | Not Selected | Not Selected |
| AC-24 | Access Control Decisions | P0 | Not Selected | Not Selected | Not Selected |
| AC-25 | Reference Monitor | P0 | Not Selected | Not Selected | Not Selected |
| Awareness and Training | | | | | |
| AT-1 | Security Awareness and Training Policy and Procedures | P1 | AT-1 | AT-1 | AT-1 |
| AT-2 | Security Awareness Training | P1 | AT-2 | AT-2 (2) | AT-2 (2) |
| AT-3 | Role-Based Security Training | P1 | AT-3 | AT-3 | AT-3 |
| AT-4 | Security Training Records | P3 | AT-4 | AT-4 | AT-4 |
| AT-5 | Withdrawn | --- | --- | --- | --- |
| Audit and Accountability | | | | | |
| AU-1 | Audit and Accountability Policy and Procedures | P1 | AU-1 | AU-1 | AU-1 |
| AU-2 | Audit Events | P1 | AU-2 | AU-2 (3) | AU-2 (3) |
| AU-3 | Content of Audit Records | P1 | AU-3 | AU-3 (1) | AU-3 (1) (2) |
| AU-4 | Audit Storage Capacity | P1 | AU-4 | AU-4 | AU-4 |
| AU-5 | Response to Audit Processing Failures | P1 | AU-5 | AU-5 | AU-5 (1) (2) |
| AU-6 | Audit Review, Analysis, and Reporting | P1 | AU-6 | AU-6 (1) (3) | AU-6 (1) (3) (5) (6) |
| AU-7 | Audit Reduction and Report Generation | P2 | Not Selected | AU-7 (1) | AU-7 (1) |
| AU-8 | Time Stamps | P1 | AU-8 | AU-8 (1) | AU-8 (1) |
| AU-9 | Protection of Audit Information | P1 | AU-9 | AU-9 (4) | AU-9 (2) (3) (4) |
| AU-10 | Non-repudiation | P2 | Not Selected | Not Selected | AU-10 |
| AU-11 | Audit Record Retention | P3 | AU-11 | AU-11 | AU-11 |
| AU-12 | Audit Generation | P1 | AU-12 | AU-12 | AU-12 (1) (3) |
| AU-13 | Monitoring for Information Disclosure | P0 | Not Selected | Not Selected | Not Selected |
| AU-14 | Session Audit | P0 | Not Selected | Not Selected | Not Selected |
| AU-15 | Alternate Audit Capability | P0 | Not Selected | Not Selected | Not Selected |
| AU-16 | Cross-Organizational Auditing | P0 | Not Selected | Not Selected | Not Selected |
| Security Assessment and Authorization | | | | | |
| CA-1 | Security Assessment and Authorization Policies and Procedures | P1 | CA-1 | CA-1 | CA-1 |
| CA-2 | Security Assessments | P2 | CA-2 | CA-2 (1) | CA-2 (1) (2) |
| CA-3 | System Interconnections | P1 | CA-3 | CA-3 (5) | CA-3 (5) |
| CA-4 | Withdrawn | --- | --- | --- | --- |
| CA-5 | Plan of Action and Milestones | P3 | CA-5 | CA-5 | CA-5 |
| CA-6 | Security Authorization | P2 | CA-6 | CA-6 | CA-6 |
| CA-7 | Continuous Monitoring | P2 | CA-7 | CA-7 (1) | CA-7 (1) |
| CA-8 | Penetration Testing | P2 | Not Selected | Not Selected | CA-8 |
| CA-9 | Internal System Connections | P2 | CA-9 | CA-9 | CA-9 |
| Configuration Management | | | | | |
| CM-1 | Configuration Management Policy and Procedures | P1 | CM-1 | CM-1 | CM-1 |
| CM-2 | Baseline Configuration | P1 | CM-2 | CM-2 (1) (3) (7) | CM-2 (1) (2) (3) (7) |
| CM-3 | Configuration Change Control | P1 | Not Selected | CM-3 (2) | CM-3 (1) (2) |
| CM-4 | Security Impact Analysis | P2 | CM-4 | CM-4 | CM-4 (1) |
| CM-5 | Access Restrictions for Change | P1 | Not Selected | CM-5 | CM-5 (1) (2) (3) |
| CM-6 | Configuration Settings | P1 | CM-6 | CM-6 | CM-6 (1) (2) |
| CM-7 | Least Functionality | P1 | CM-7 | CM-7 (1) (2) (4) | CM-7 (1) (2) (5) |
| CM-8 | Information System Component Inventory | P1 | CM-8 | CM-8 (1) (3) (5) | CM-8 (1) (2) (3) (4) (5) |
| CM-9 | Configuration Management Plan | P1 | Not Selected | CM-9 | CM-9 |
| CM-10 | Software Usage Restrictions | P2 | CM-10 | CM-10 | CM-10 |
| CM-11 | User-Installed Software | P1 | CM-11 | CM-11 | CM-11 |
| Contingency Planning | | | | | |
| CP-1 | Contingency Planning Policy and Procedures | P1 | CP-1 | CP-1 | CP-1 |
| CP-2 | Contingency Plan | P1 | CP-2 | CP-2 (1) (3) (8) | CP-2 (1) (2) (3) (4) (5) (8) |
| CP-3 | Contingency Training | P2 | CP-3 | CP-3 | CP-3 (1) |
| CP-4 | Contingency Plan Testing | P2 | CP-4 | CP-4 (1) | CP-4 (1) (2) |
| CP-5 | Withdrawn | --- | --- | --- | --- |
| CP-6 | Alternate Storage Site | P1 | Not Selected | CP-6 (1) (3) | CP-6 (1) (2) (3) |
| CP-7 | Alternate Processing Site | P1 | Not Selected | CP-7 (1) (2) (3) | CP-7 (1) (2) (3) (4) |
| CP-8 | Telecommunications Services | P1 | Not Selected | CP-8 (1) (2) | CP-8 (1) (2) (3) (4) |
| CP-9 | Information System Backup | P1 | CP-9 | CP-9 (1) | CP-9 (1) (2) (3) (5) |
| CP-10 | Information System Recovery and Reconstitution | P1 | CP-10 | CP-10 (2) | CP-10 (2) (4) |
| CP-11 | Alternate Communications Protocols | P0 | Not Selected | Not Selected | Not Selected |
| CP-12 | Safe Mode | P0 | Not Selected | Not Selected | Not Selected |
| CP-13 | Alternative Security Mechanisms | P0 | Not Selected | Not Selected | Not Selected |
| Identification and Authentication | | | | | |
| IA-1 | Identification and Authentication Policy and Procedures | P1 | IA-1 | IA-1 | IA-1 |
| IA-2 | Identification and Authentication (Organizational Users) | P1 | IA-2 (1) (12) | IA-2 (1) (2) (3) (8) (11) (12) | IA-2 (1) (2) (3) (4) (8) (9) (11) (12) |
| IA-3 | Device Identification and Authentication | P1 | Not Selected | IA-3 | IA-3 |
| IA-4 | Identifier Management | P1 | IA-4 | IA-4 | IA-4 |
| IA-5 | Authenticator Management | P1 | IA-5 (1) (11) | IA-5 (1) (2) (3) (11) | IA-5 (1) (2) (3) (11) |
| IA-6 | Authenticator Feedback | P2 | IA-6 | IA-6 | IA-6 |
| IA-7 | Cryptographic Module Authentication | P1 | IA-7 | IA-7 | IA-7 |
| IA-8 | Identification and Authentication (Non-Organizational Users) | P1 | IA-8 (1) (2) (3) (4) | IA-8 (1) (2) (3) (4) | IA-8 (1) (2) (3) (4) |
| IA-9 | Service Identification and Authentication | P0 | Not Selected | Not Selected | Not Selected |
| IA-10 | Adaptive Identification and Authentication | P0 | Not Selected | Not Selected | Not Selected |
| IA-11 | Re-authentication | P0 | Not Selected | Not Selected | Not Selected |
| Incident Response | | | | | |
| IR-1 | Incident Response Policy and Procedures | P1 | IR-1 | IR-1 | IR-1 |
| IR-2 | Incident Response Training | P2 | IR-2 | IR-2 | IR-2 (1) (2) |
| IR-3 | Incident Response Testing | P2 | Not Selected | IR-3 (2) | IR-3 (2) |
| IR-4 | Incident Handling | P1 | IR-4 | IR-4 (1) | IR-4 (1) (4) |
| IR-5 | Incident Monitoring | P1 | IR-5 | IR-5 | IR-5 (1) |
| IR-6 | Incident Reporting | P1 | IR-6 | IR-6 (1) | IR-6 (1) |
| IR-7 | Incident Response Assistance | P2 | IR-7 | IR-7 (1) | IR-7 (1) |
| IR-8 | Incident Response Plan | P1 | IR-8 | IR-8 | IR-8 |
| IR-9 | Information Spillage Response | P0 | Not Selected | Not Selected | Not Selected |
| IR-10 | Integrated Information Security Analysis Team | P0 | Not Selected | Not Selected | Not Selected |
| Maintenance | | | | | |
| MA-1 | System Maintenance Policy and Procedures | P1 | MA-1 | MA-1 | MA-1 |
| MA-2 | Controlled Maintenance | P2 | MA-2 | MA-2 | MA-2 (2) |
| MA-3 | Maintenance Tools | P3 | Not Selected | MA-3 (1) (2) | MA-3 (1) (2) (3) |
| MA-4 | Nonlocal Maintenance | P2 | MA-4 | MA-4 (2) | MA-4 (2) (3) |
| MA-5 | Maintenance Personnel | P2 | MA-5 | MA-5 | MA-5 (1) |
| MA-6 | Timely Maintenance | P2 | Not Selected | MA-6 | MA-6 |
| Media Protection | | | | | |
| MP-1 | Media Protection Policy and Procedures | P1 | MP-1 | MP-1 | MP-1 |
| MP-2 | Media Access | P1 | MP-2 | MP-2 | MP-2 |
| MP-3 | Media Marking | P2 | Not Selected | MP-3 | MP-3 |
| MP-4 | Media Storage | P1 | Not Selected | MP-4 | MP-4 |
| MP-5 | Media Transport | P1 | Not Selected | MP-5 (4) | MP-5 (4) |
| MP-6 | Media Sanitization | P1 | MP-6 | MP-6 | MP-6 (1) (2) (3) |
| MP-7 | Media Use | P1 | MP-7 | MP-7 (1) | MP-7 (1) |
| MP-8 | Media Downgrading | P0 | Not Selected | Not Selected | Not Selected |
| Physical and Environmental Protection | | | | | |
| PE-1 | Physical and Environmental Protection Policy and Procedures | P1 | PE-1 | PE-1 | PE-1 |
| PE-2 | Physical Access Authorizations | P1 | PE-2 | PE-2 | PE-2 |
| PE-3 | Physical Access Control | P1 | PE-3 | PE-3 | PE-3 (1) |
| PE-4 | Access Control for Transmission Medium | P1 | Not Selected | PE-4 | PE-4 |
| PE-5 | Access Control for Output Devices | P2 | Not Selected | PE-5 | PE-5 |
| PE-6 | Monitoring Physical Access | P1 | PE-6 | PE-6 (1) | PE-6 (1) (4) |
| PE-7 | Withdrawn | --- | --- | --- | --- |
| PE-8 | Visitor Access Records | P3 | PE-8 | PE-8 | PE-8 (1) |
| PE-9 | Power Equipment and Cabling | P1 | Not Selected | PE-9 | PE-9 |
| PE-10 | Emergency Shutoff | P1 | Not Selected | PE-10 | PE-10 |
| PE-11 | Emergency Power | P1 | Not Selected | PE-11 | PE-11 (1) |
| PE-12 | Emergency Lighting | P1 | PE-12 | PE-12 | PE-12 |
| PE-13 | Fire Protection | P1 | PE-13 | PE-13 (3) | PE-13 (1) (2) (3) |
| PE-14 | Temperature and Humidity Controls | P1 | PE-14 | PE-14 | PE-14 |
| PE-15 | Water Damage Protection | P1 | PE-15 | PE-15 | PE-15 (1) |
| PE-16 | Delivery and Removal | P2 | PE-16 | PE-16 | PE-16 |
| PE-17 | Alternate Work Site | P2 | Not Selected | PE-17 | PE-17 |
| PE-18 | Location of Information System Components | P3 | Not Selected | Not Selected | PE-18 |
| PE-19 | Information Leakage | P0 | Not Selected | Not Selected | Not Selected |
| PE-20 | Asset Monitoring and Tracking | P0 | Not Selected | Not Selected | Not Selected |
| Planning | | | | | |
| PL-1 | Security Planning Policy and Procedures | P1 | PL-1 | PL-1 | PL-1 |
| PL-2 | System Security Plan | P1 | PL-2 | PL-2 (3) | PL-2 (3) |
| PL-3 | Withdrawn | --- | --- | --- | --- |
| PL-4 | Rules of Behavior | P2 | PL-4 | PL-4 (1) | PL-4 (1) |
| PL-5 | Withdrawn | --- | --- | --- | --- |
| PL-6 | Withdrawn | --- | --- | --- | --- |
| PL-7 | Security Concept of Operations | P0 | Not Selected | Not Selected | Not Selected |
| PL-8 | Information Security Architecture | P1 | Not Selected | PL-8 | PL-8 |
| PL-9 | Central Management | P0 | Not Selected | Not Selected | Not Selected |
| Personnel Security | | | | | |
| PS-1 | Personnel Security Policy and Procedures | P1 | PS-1 | PS-1 | PS-1 |
| PS-2 | Position Risk Designation | P1 | PS-2 | PS-2 | PS-2 |
| PS-3 | Personnel Screening | P1 | PS-3 | PS-3 | PS-3 |
| PS-4 | Personnel Termination | P1 | PS-4 | PS-4 | PS-4 (2) |
| PS-5 | Personnel Transfer | P2 | PS-5 | PS-5 | PS-5 |
| PS-6 | Access Agreements | P3 | PS-6 | PS-6 | PS-6 |
| PS-7 | Third-Party Personnel Security | P1 | PS-7 | PS-7 | PS-7 |
| PS-8 | Personnel Sanctions | P3 | PS-8 | PS-8 | PS-8 |
| Risk Assessment | | | | | |
| RA-1 | Risk Assessment Policy and Procedures | P1 | RA-1 | RA-1 | RA-1 |
| RA-2 | Security Categorization | P1 | RA-2 | RA-2 | RA-2 |
| RA-3 | Risk Assessment | P1 | RA-3 | RA-3 | RA-3 |
| RA-4 | Withdrawn | --- | --- | --- | --- |
| RA-5 | Vulnerability Scanning | P1 | RA-5 | RA-5 (1) (2) (5) | RA-5 (1) (2) (4) (5) |
| RA-6 | Technical Surveillance Countermeasures Survey | P0 | Not Selected | Not Selected | Not Selected |
| System and Services Acquisition | | | | | |
| SA-1 | System and Services Acquisition Policy and Procedures | P1 | SA-1 | SA-1 | SA-1 |
| SA-2 | Allocation of Resources | P1 | SA-2 | SA-2 | SA-2 |
| SA-3 | System Development Life Cycle | P1 | SA-3 | SA-3 | SA-3 |
| SA-4 | Acquisition Process | P1 | SA-4 (10) | SA-4 (1) (2) (9) (10) | SA-4 (1) (2) (9) (10) |
| SA-5 | Information System Documentation | P2 | SA-5 | SA-5 | SA-5 |
| SA-6 | Withdrawn | --- | --- | --- | --- |
| SA-7 | Withdrawn | --- | --- | --- | --- |
| SA-8 | Security Engineering Principles | P1 | Not Selected | SA-8 | SA-8 |
| SA-9 | External Information System Services | P1 | SA-9 | SA-9 (2) | SA-9 (2) |
| SA-10 | Developer Configuration Management | P1 | Not Selected | SA-10 | SA-10 |
| SA-11 | Developer Security Testing and Evaluation | P1 | Not Selected | SA-11 | SA-11 |
| SA-12 | Supply Chain Protection | P1 | Not Selected | Not Selected | SA-12 |
| SA-13 | Trustworthiness | P0 | Not Selected | Not Selected | Not Selected |
| SA-14 | Criticality Analysis | P0 | Not Selected | Not Selected | Not Selected |
| SA-15 | Development Process, Standards, and Tools | P2 | Not Selected | Not Selected | SA-15 |
| SA-16 | Developer-Provided Training | P2 | Not Selected | Not Selected | SA-16 |
| SA-17 | Developer Security Architecture and Design | P1 | Not Selected | Not Selected | SA-17 |
| SA-18 | Tamper Resistance and Detection | P0 | Not Selected | Not Selected | Not Selected |
| SA-19 | Component Authenticity | P0 | Not Selected | Not Selected | Not Selected |
| SA-20 | Customized Development of Critical Components | P0 | Not Selected | Not Selected | Not Selected |
| SA-21 | Developer Screening | P0 | Not Selected | Not Selected | Not Selected |
| SA-22 | Unsupported System Components | P0 | Not Selected | Not Selected | Not Selected |
| System and Communications Protection | | | | | |
| SC-1 | System and Communications Protection Policy and Procedures | P1 | SC-1 | SC-1 | SC-1 |
| SC-2 | Application Partitioning | P1 | Not Selected | SC-2 | SC-2 |
| SC-3 | Security Function Isolation | P1 | Not Selected | Not Selected | SC-3 |
| SC-4 | Information in Shared Resources | P1 | Not Selected | SC-4 | SC-4 |
| SC-5 | Denial of Service Protection | P1 | SC-5 | SC-5 | SC-5 |
| SC-6 | Resource Availability | P0 | Not Selected | Not Selected | Not Selected |
| SC-7 | Boundary Protection | P1 | SC-7 | SC-7 (3) (4) (5) (7) | SC-7 (3) (4) (5) (7) (8) (18) (21) |
| SC-8 | Transmission Confidentiality and Integrity | P1 | Not Selected | SC-8 (1) | SC-8 (1) |
| SC-9 | Withdrawn | --- | --- | --- | --- |
| SC-10 | Network Disconnect | P2 | Not Selected | SC-10 | SC-10 |
| SC-11 | Trusted Path | P0 | Not Selected | Not Selected | Not Selected |
| SC-12 | Cryptographic Key Establishment and Management | P1 | SC-12 | SC-12 | SC-12 (1) |
| SC-13 | Cryptographic Protection | P1 | SC-13 | SC-13 | SC-13 |
| SC-14 | Withdrawn | --- | --- | --- | --- |
| SC-15 | Collaborative Computing Devices | P1 | SC-15 | SC-15 | SC-15 |
| SC-16 | Transmission of Security Attributes | P0 | Not Selected | Not Selected | Not Selected |
| SC-17 | Public Key Infrastructure Certificates | P1 | Not Selected | SC-17 | SC-17 |
| SC-18 | Mobile Code | P2 | Not Selected | SC-18 | SC-18 |
| SC-19 | Voice Over Internet Protocol | P1 | Not Selected | SC-19 | SC-19 |
| SC-20 | Secure Name / Address Resolution Service | P1 | SC-20 | SC-20 | SC-20 |
| SC-21 | Secure Name / Address Resolution Service | P1 | SC-21 | SC-21 | SC-21 |
| SC-22 | Architecture and Provisioning for | P1 | SC-22 | SC-22 | SC-22 |
| SC-23 | Session Authenticity | P1 | Not Selected | SC-23 | SC-23 |
| SC-24 | Fail in Known State | P1 | Not Selected | Not Selected | SC-24 |
| SC-25 | Thin Nodes | P0 | Not Selected | Not Selected | Not Selected |
| SC-26 | Honeypots | P0 | Not Selected | Not Selected | Not Selected |
| SC-27 | Platform-Independent Applications | P0 | Not Selected | Not Selected | Not Selected |
| SC-28 | Protection of Information at Rest | P1 | Not Selected | SC-28 | SC-28 |
| SC-29 | Heterogeneity | P0 | Not Selected | Not Selected | Not Selected |
| SC-30 | Concealment and Misdirection | P0 | Not Selected | Not Selected | Not Selected |
| SC-31 | Covert Channel Analysis | P0 | Not Selected | Not Selected | Not Selected |
| SC-32 | Information System Partitioning | P0 | Not Selected | Not Selected | Not Selected |
| SC-33 | Withdrawn | --- | --- | --- | --- |
| SC-34 | Non-Modifiable Executable Programs | P0 | Not Selected | Not Selected | Not Selected |
| SC-35 | Honeyclients | P0 | Not Selected | Not Selected | Not Selected |
| SC-36 | Distributed Processing and Storage | P0 | Not Selected | Not Selected | Not Selected |
| SC-37 | Out-of-Band Channels | P0 | Not Selected | Not Selected | Not Selected |
| SC-38 | Operations Security | P0 | Not Selected | Not Selected | Not Selected |
| SC-39 | Process Isolation | P1 | SC-39 | SC-39 | SC-39 |
| SC-40 | Wireless Link Protection | P0 | Not Selected | Not Selected | Not Selected |
| SC-41 | Port and I/O Device Access | P0 | Not Selected | Not Selected | Not Selected |
| SC-42 | Sensor Capability and Data | P0 | Not Selected | Not Selected | Not Selected |
| SC-43 | Usage Restrictions | P0 | Not Selected | Not Selected | Not Selected |
| SC-44 | Detonation Chambers | P0 | Not Selected | Not Selected | Not Selected |
| System and Information Integrity | | | | | |
| SI-1 | System and Information Integrity Policy and Procedures | P1 | SI-1 | SI-1 | SI-1 |
| SI-2 | Flaw Remediation | P1 | SI-2 | SI-2 (2) | SI-2 (1) (2) |
| SI-3 | Malicious Code Protection | P1 | SI-3 | SI-3 (1) (2) | SI-3 (1) (2) |
| SI-4 | Information System Monitoring | P1 | SI-4 | SI-4 (2) (4) (5) | SI-4 (2) (4) (5) |
| SI-5 | Security Alerts, Advisories, and Directives | P1 | SI-5 | SI-5 | SI-5 (1) |
| SI-6 | Security Function Verification | P1 | Not Selected | Not Selected | SI-6 |
| SI-7 | Software, Firmware, and Information Integrity | P1 | Not Selected | SI-7 (1) (7) | SI-7 (1) (2) (5) (7) (14) |
| SI-8 | Spam Protection | P2 | Not Selected | SI-8 (1) (2) | SI-8 (1) (2) |
| SI-9 | Withdrawn | --- | --- | --- | --- |
| SI-10 | Information Input Validation | P1 | Not Selected | SI-10 | SI-10 |
| SI-11 | Error Handling | P2 | Not Selected | SI-11 | SI-11 |
| SI-12 | Information Handling and Retention | P2 | SI-12 | SI-12 | SI-12 |
| SI-13 | Predictable Failure Prevention | P0 | Not Selected | Not Selected | Not Selected |
| SI-14 | Non-Persistence | P0 | Not Selected | Not Selected | Not Selected |
| SI-15 | Information Output Filtering | P0 | Not Selected | Not Selected | Not Selected |
| SI-16 | Memory Protection | P1 | Not Selected | SI-16 | SI-16 |
| SI-17 | Fail-Safe Procedures | P0 | Not Selected | Not Selected | Not Selected |
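The row notation of Table D-2 (family identifier and control number, enhancement numbers in parentheses, "Not Selected" for an unused baseline) and the P1/P2/P3 sequencing described above, worked as an added example that is not part of this appendix: a small Python parser run over a constructed subset of the table's rows, which also checks the low-within-moderate-within-high hierarchy the appendix states. Function names such as `parse_row`, `is_hierarchical` and `implementation_sequence` are this example's own, not anything defined by SP 800-53.

```python
"""Parser for the Table D-2 row notation and a priority-code sequencer.

Each row reads: <family-id> <control name> <P0..P3> <LOW cell> <MOD cell> <HIGH cell>,
where a baseline cell is either "Not Selected" or the control id followed by the
numbers of its selected enhancements, e.g. "AC-2 (1) (2) (3) (4)".
Function and class names here are the example's own, not anything from SP 800-53."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

BASELINES = ("low", "mod", "high")

# Constructed sample: a subset of the page's Table D-2 rows, in their exact layout.
SAMPLE_ROWS = """\
AC-1 Access Control Policy and Procedures P1 AC-1 AC-1 AC-1
AC-2 Account Management P1 AC-2 AC-2 (1) (2) (3) (4) AC-2 (1) (2) (3) (4) (5) (11) (12) (13)
AC-7 Unsuccessful Logon Attempts P2 AC-7 AC-7 AC-7
AC-9 Previous Logon (Access) Notification P0 Not Selected Not Selected Not Selected
AC-10 Concurrent Session Control P3 Not Selected Not Selected AC-10
AC-13 Withdrawn --- --- --- ---
IR-2 Incident Response Training P2 IR-2 IR-2 IR-2 (1) (2)
"""

ROW_RE = re.compile(r"^(?P<ident>[A-Z]{2}-\d+)\s+(?P<name>.+?)\s+(?P<prio>P[0-3])\s+(?P<cells>.+)$")
WITHDRAWN_RE = re.compile(r"^(?P<ident>[A-Z]{2}-\d+)\s+Withdrawn(?:\s+---){4}$")


@dataclass
class Control:
    ident: str
    name: str
    priority: Optional[int]                   # None for withdrawn controls
    withdrawn: bool = False
    # baseline -> tuple of selected enhancement numbers, or None when "Not Selected"
    baselines: dict = field(default_factory=dict)

    def selected(self, baseline: str) -> bool:
        return self.baselines.get(baseline) is not None

    def cell(self, baseline: str) -> str:
        """Render one baseline cell back in the table's own notation."""
        enh = self.baselines.get(baseline)
        if enh is None:
            return "Not Selected"
        return " ".join([self.ident] + [f"({n})" for n in enh])


def parse_row(line: str) -> Control:
    line = line.strip()
    m = WITHDRAWN_RE.match(line)
    if m:
        return Control(m["ident"], "Withdrawn", None, withdrawn=True,
                       baselines={b: None for b in BASELINES})
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    ident = m["ident"]
    # Each of the three cells is "Not Selected" or "<ident> (n) (n) ...";
    # the \b keeps "AC-1" from matching the start of "AC-10".
    cell_re = re.compile(rf"Not Selected|{re.escape(ident)}\b(?:\s+\(\d+\))*")
    cells = cell_re.findall(m["cells"])
    if len(cells) != len(BASELINES):
        raise ValueError(f"expected {len(BASELINES)} baseline cells in {line!r}, got {cells}")
    baselines = {}
    for b, text in zip(BASELINES, cells):
        if text == "Not Selected":
            baselines[b] = None
        else:
            baselines[b] = tuple(int(n) for n in re.findall(r"\((\d+)\)", text))
    return Control(ident, m["name"], int(m["prio"][1]), baselines=baselines)


def parse_table(text: str) -> list[Control]:
    return [parse_row(l) for l in text.splitlines() if l.strip()]


def is_hierarchical(c: Control) -> bool:
    """Check the property the appendix states: whatever is selected for the low
    baseline is also in moderate, and whatever is in moderate is also in high,
    enhancements included."""
    inherited: Optional[tuple] = None          # last selected set seen so far
    for b in BASELINES:
        cur = c.baselines.get(b)
        if inherited is not None and (cur is None or not set(inherited) <= set(cur)):
            return False
        if cur is not None:
            inherited = cur
    return True


def implementation_sequence(controls: list[Control], baseline: str) -> list[str]:
    """Selected (non-withdrawn) controls of one baseline in P1 -> P2 -> P3 order;
    sorted() is stable, so table order is kept within a priority code."""
    chosen = [c for c in controls if not c.withdrawn and c.selected(baseline)]
    return [c.cell(baseline) for c in sorted(chosen, key=lambda c: c.priority)]


if __name__ == "__main__":
    table = parse_table(SAMPLE_ROWS)
    for c in table:
        assert is_hierarchical(c), f"{c.ident} breaks the low <= mod <= high hierarchy"
    for b in BASELINES:
        print(b.upper(), "->", implementation_sequence(table, b))
```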

Tables D-3 through D-19 provide a more detailed summary of the security controls and control enhancements in Appendix F. Each table focuses on a different security control family. Whereas Table D-2 includes only those security controls and control enhancements allocated to the three security control baselines, Tables D-3 through D-19 include all controls and enhancements for the respective security control families. The tables include the following information: (i) the security controls and control enhancements that have been selected for the security control baselines as indicated by an “x” in the column for the selected baseline;[93] (ii) the security controls and control enhancements that have not been selected for any security control baseline (i.e., the controls and control enhancements available for selection to achieve greater protection) as indicated by blank cells in the baseline columns; (iii) the security controls and control enhancements that have been withdrawn from Appendix F as indicated by an “x” in the respective withdrawn column; and (iv) the security controls and control enhancements that have assurance-related characteristics or properties (i.e., assurance-related controls) as indicated by an “x” in the respective assurance column. Assurance-related controls are discussed in greater detail in Appendix E to include the allocation of such controls to security control baselines (see Tables E-1 through E-3).

TABLE D-3: SUMMARY — ACCESS CONTROLS

| CNTL | Control Name | Withdrawn | Assurance | LOW | MOD | HIGH |
|---|---|---|---|---|---|---|
| AC-1 | Access Control Policy and Procedures | | x | x | x | x |
| AC-2 | Account Management | | | x | x | x |
| AC-2(1) | _account management automated system account management_ | | | | x | x |
| AC-2(2) | _account management removal of temporary / emergency accounts_ | | | | x | x |
| AC-2(3) | _account management disable inactive accounts_ | | | | x | x |
| AC-2(4) | _account management automated audit actions_ | | | | x | x |
| AC-2(5) | _account management inactivity logout_ | | | | | x |
| AC-2(6) | _account management dynamic privilege management_ | | | | | |
| AC-2(7) | _account management role-based schemes_ | | | | | |
| AC-2(8) | _account management dynamic account creation_ | | | | | |
| AC-2(9) | _account management restrictions on use of shared / group accounts_ | | | | | |
| AC-2(10) | _account management shared / group account credential termination_ | | | | | |
| AC-2(11) | _account management usage conditions_ | | | | | x |
| AC-2(12) | _account management account monitoring / atypical usage_ | | | | | x |
| AC-2(13) | _account management disable accounts for high-risk individuals_ | | | | | x |
| AC-3 | Access Enforcement | | | x | x | x |
| AC-3(1) | _access enforcement restricted access to privileged functions_ (Incorporated into AC-6.) | x | | | | |
| AC-3(2) | _access enforcement dual authorization_ | | | | | |
| AC-3(3) | _access enforcement mandatory access control_ | | | | | |
| AC-3(4) | _access enforcement discretionary access control_ | | | | | |
| AC-3(5) | _access enforcement security-relevant information_ | | | | | |
| AC-3(6) | _access enforcement protection of user and system information_ (Incorporated into MP-4 and SC-28.) | x | | | | |
| AC-3(7) | _access enforcement role-based access control_ | | | | | |
| AC-3(8) | _access enforcement revocation of access authorizations_ | | | | | |
| AC-3(9) | _access enforcement controlled release_ | | | | | |
| AC-3(10) | _access enforcement audited override of access control mechanisms_ | | | | | |
| AC-4 | Information Flow Enforcement | | | | x | x |
| AC-4(1) | _information flow enforcement object security attributes_ | | | | | |
| AC-4(2) | _information flow enforcement processing domains_ | | | | | |
| AC-4(3) | _information flow enforcement dynamic information flow control_ | | | | | |
| AC-4(4) | _information flow enforcement content check encrypted information_ | | | | | |
| AC-4(5) | _information flow enforcement embedded data types_ | | | | | |
| AC-4(6) | _information flow enforcement metadata_ | | | | | |
| AC-4(7) | _information flow enforcement one-way flow mechanisms_ | | | | | |
| AC-4(8) | _information flow enforcement security policy filters_ | | | | | |
| AC-4(9) | _information flow enforcement human reviews_ | | | | | |
| AC-4(10) | _information flow enforcement enable / disable security policy filters_ | | | | | |
| AC-4(11) | _information flow enforcement configuration of security policy filters_ | | | | | |
| AC-4(12) | _information flow enforcement data type identifiers_ | | | | | |
| AC-4(13) | _information flow enforcement decomposition into policy-relevant subcomponents_ | | | | | |
| AC-4(14) | _information flow enforcement security policy filter constraints_ | | | | | |
| AC-4(15) | _information flow enforcement detection of unsanctioned information_ | | | | | |
| AC-4(16) | _information flow enforcement information transfers on interconnected systems_ (Incorporated into AC-4.) | x | | | | |
| AC-4(17) | _information flow enforcement domain authentication_ | | | | | |
| AC-4(18) | _information flow enforcement security attribute binding_ | | | | | |
| AC-4(19) | _information flow enforcement validation of metadata_ | | | | | |
| AC-4(20) | _information flow enforcement approved solutions_ | | | | | |
| AC-4(21) | _information flow enforcement physical / logical separation of information flows_ | | | | | |
| AC-4(22) | _information flow enforcement access only_ | | | | | |
| AC-5 | Separation of Duties | | | | x | x |
| AC-6 | Least Privilege | | | | x | x |
| AC-6(1) | _least privilege authorize access to security functions_ | | | | x | x |
| AC-6(2) | _least privilege non-privileged access for nonsecurity functions_ | | | | x | x |
| AC-6(3) | _least privilege network access to privileged commands_ | | | | | x |
| AC-6(4) | _least privilege separate processing domains_ | | | | | |
| AC-6(5) | _least privilege privileged accounts_ | | | | x | x |
| AC-6(6) | _least privilege privileged access by non-organizational users_ | | | | | |
| AC-6(7) | _least privilege review of user privileges_ | | | | | |
| AC-6(8) | _least privilege privilege levels for code execution_ | | | | | |
| AC-6(9) | _least privilege auditing use of privileged functions_ | | | | x | x |
| AC-6(10) | _least privilege prohibit non-privileged users from executing privileged functions_ | | | | x | x |
| AC-7 | Unsuccessful Logon Attempts | | | x | x | x |
| AC-7(1) | _unsuccessful logon attempts automatic account lock_ (Incorporated into AC-7.) | x | | | | |
| AC-7(2) | _unsuccessful logon attempts purge / wipe mobile device_ | | | | | |
| AC-8 | System Use Notification | | | x | x | x |
| AC-9 | Previous Logon (Access) Notification | | | | | |
| AC-9(1) | _previous logon notification unsuccessful logons_ | | | | | |
| AC-9(2) | _previous logon notification successful / unsuccessful logons_ | | | | | |
| AC-9(3) | _previous logon notification notification of account changes_ | | | | | |
| AC-9(4) | _previous logon notification additional logon information_ | | | | | |
| AC-10 | Concurrent Session Control | | | | | x |
| AC-11 | Session Lock | | | | x | x |
| AC-11(1) | _session lock pattern-hiding displays_ | | | | x | x |
| AC-12 | Session Termination | | | | x | x |
| AC-12(1) | _session termination user-initiated logouts / message displays_ | | | | | |
| AC-13 | Supervision and Review — Access Control (Incorporated into AC-2 and AU-6.) | x | | | | |
| AC-14 | Permitted Actions without Identification or Authentication | | | x | x | x |
| AC-14(1) | _permitted actions without identification or authentication necessary uses_ (Incorporated into AC-14.) | x | | | | |
| AC-15 | Automated Marking (Incorporated into MP-3.) | x | | | | |
| AC-16 | Security Attributes | | | | | |
| AC-16(1) | _security attributes dynamic attribute association_ | | | | | |
| AC-16(2) | _security attributes attribute value changes by authorized individuals_ | | | | | |
| AC-16(3) | _security attributes maintenance of attribute associations by information system_ | | | | | |
| AC-16(4) | _security attributes association of attributes by authorized individuals_ | | | | | |
| AC-16(5) | _security attributes attribute displays for output devices_ | | | | | |
| AC-16(6) | _security attributes maintenance of attribute association by organization_ | | | | | |
| AC-16(7) | _security attributes consistent attribute interpretation_ | | | | | |
| AC-16(8) | _security attributes association techniques / technologies_ | | | | | |
| AC-16(9) | _security attributes attribute reassignment_ | | | | | |
| AC-16(10) | _security attributes attribute configuration by authorized individuals_ | | | | | |
| AC-17 | Remote Access | | | x | x | x |
| AC-17(1) | _remote access automated monitoring / control_ | | | | x | x |
| AC-17(2) | _remote access protection of confidentiality / integrity using encryption_ | | | | x | x |
| AC-17(3) | _remote access managed access control points_ | | | | x | x |
| AC-17(4) | _remote access privileged commands / access_ | | | | x | x |
| AC-17(5) | _remote access monitoring for unauthorized connections_ (Incorporated into SI-4.) | x | | | | |
| AC-17(6) | _remote access protection of information_ | | | | | |
| AC-17(7) | _remote access additional protection for security function access_ (Incorporated into AC-3(10).) | x | | | | |
| AC-17(8) | _remote access disable nonsecure network protocols_ (Incorporated into CM-7.) | x | | | | |
| AC-17(9) | _remote access disconnect / disable access_ | | | | | |
| AC-18 | Wireless Access | | | x | x | x |
| AC-18(1) | _wireless access authentication and encryption_ | | | | x | x |
| AC-18(2) | _wireless access monitoring unauthorized connections_ (Incorporated into SI-4.) | x | | | | |
| AC-18(3) | _wireless access disable wireless networking_ | | | | | |
| AC-18(4) | _wireless access restrict configurations by users_ | | | | | x |
| AC-18(5) | _wireless access antennas / transmission power levels_ | | | | | x |
| AC-19 | Access Control for Mobile Devices | | | x | x | x |
| AC-19(1) | _access control for mobile devices use of writable / portable storage devices_ (Incorporated into MP-7.) | x | | | | |
| AC-19(2) | _access control for mobile devices use of personally owned portable storage devices_ (Incorporated into MP-7.) | x | | | | |
| AC-19(3) | _access control for mobile devices use of portable storage devices with no identifiable owner_ (Incorporated into MP-7.) | x | | | | |
| AC-19(4) | _access control for mobile devices restrictions for classified information_ | | | | | |
| AC-19(5) | _access control for mobile devices full device / container-based encryption_ | | | | x | x |
| AC-20 | Use of External Information Systems | | | x | x | x |
| AC-20(1) | _use of external information systems limits on authorized use_ | | | | x | x |
| AC-20(2) | _use of external information systems portable storage devices_ | | | | x | x |
| AC-20(3) | _use of external information systems non-organizationally owned systems / components / devices_ | | | | | |
| AC-20(4) | _use of external information systems network accessible storage devices_ | | | | | |
| AC-21 | Information Sharing | | | | x | x |
| AC-21(1) | _information sharing automated decision support_ | | | | | |
| AC-21(2) | _information sharing information search and retrieval_ | | | | | |
| AC-22 | Publicly Accessible Content | | | x | x | x |
| AC-23 | Data Mining Protection | | | | | |
| AC-24 | Access Control Decisions | | | | | |
| AC-24(1) | _access control decisions transmit access authorization information_ | | | | | |
| AC-24(2) | _access control decisions no user or process identity_ | | | | | |
| AC-25 | Reference Monitor | | x | | | |

TABLE D-4: SUMMARY — AWARENESS AND TRAINING CONTROLS

| CNTL | Control Name | Withdrawn | Assurance | LOW | MOD | HIGH |
|---|---|---|---|---|---|---|
| AT-1 | Security Awareness and Training Policy and Procedures | | x | x | x | x |
| AT-2 | Security Awareness Training | | x | x | x | x |
| AT-2(1) | _security awareness practical exercises_ | | x | | | |
| AT-2(2) | _security awareness insider threat_ | | x | | x | x |
| AT-3 | Role-Based Security Training | | x | x | x | x |
| AT-3(1) | _role-based security training environmental controls_ | | x | | | |
| AT-3(2) | _role-based security training physical security controls_ | | x | | | |
| AT-3(3) | _role-based security training practical exercises_ | | x | | | |
| AT-3(4) | _role-based security training suspicious communications and anomalous system behavior_ | | x | | | |
| AT-4 | Security Training Records | | x | x | x | x |
| AT-5 | Contacts with Security Groups and Associations (Incorporated into PM-15.) | x | | | | |

TABLE D-5: SUMMARY — AUDIT AND ACCOUNTABILITY CONTROLS

CNTL control name withdrawn assurance control baselines
low mod high
AU-1 Audit and Accountability Policy and Procedures x x x x
AU-2 Audit Events x x x
AU-2(1) _audit events compilation of audit records from multiple sources_ x Incorporated into AU-12.
AU-2(2) _audit events selection of audit events by component_ x Incorporated into AU-12.
AU-2(3) _audit events reviews and updates_ x x
AU-2(4) _audit events privileged functions_ x Incorporated into AC-6(9).
AU-3 Content of Audit Records x x x
AU-3(1) _content of audit records additional audit information_ x x
AU-3(2) _content of audit records centralized management of planned audit record content_ x
AU-4 Audit Storage Capacity x x x
AU-4(1) _audit storage capacity transfer to alternate storage_
AU-5 Response to Audit Processing Failures x x x
AU-5(1) _response to audit processing failures audit storage capacity_ x
AU-5(2) _response to audit processing failures real-time alerts_ x
AU-5(3) _response to audit processing failures configurable traffic volume thresholds_
AU-5(4) _response to audit processing failures shutdown on failure_
AU-6 Audit Review, Analysis, and Reporting x x x x
AU-6(1) _audit review, analysis, and reporting process integration_ x x x
AU-6(2) _audit review, analysis, and reporting automated security alerts_ x Incorporated into SI-4.
AU-6(3) _audit review, analysis, and reporting correlate audit repositories_ x x x
AU-6(4) _audit review, analysis, and reporting central review and analysis_ x
AU-6(5) _audit review, analysis, and reporting integration / scanning and monitoring capabilities_ x x
AU-6(6) _audit review, analysis, and reporting correlation with physical monitoring_ x x
AU-6(7) _audit review, analysis, and reporting permitted actions_ x
AU-6(8) _audit review, analysis, and reporting full text analysis of privileged commands_ x
AU-6(9) _audit review, analysis, and reporting correlation with information from nontechnical sources_ x
AU-6(10) _audit review, analysis, and reporting audit level adjustment_ x
AU-7 Audit Reduction and Report Generation x x x
AU-7(1) _audit reduction and report generation automatic processing_ x x x
AU-7(2) _audit reduction and report generation automatic sort and search_
AU-8 Time Stamps x x x
AU-8(1) _time stamps synchronization with authoritative time source_ x x
AU-8(2) _time stamps secondary authoritative time source_
AU-9 Protection of Audit Information x x x
AU-9(1) _protection of audit information hardware write-once media_
AU-9(2) _protection of audit information audit backup on separate physical systems / components_ x
AU-9(3) _protection of audit information cryptographic protection_ x
AU-9(4) _protection of audit information access by subset of privileged users_ x x
AU-9(5) _protection of audit information dual authorization_
AU-9(6) _protection of audit information read-only access_
AU-10 Non-repudiation x x
AU-10(1) _non-repudiation association of identities_ x
AU-10(2) _non-repudiation validate binding of information producer identity_ x
AU-10(3) _non-repudiation chain of custody_ x
AU-10(4) _non-repudiation validate binding of information reviewer identity_ x
AU-10(5) _non-repudiation digital signatures_ x Incorporated into SI-7.
AU-11 Audit Record Retention x x x
AU-11(1) _audit record retention long-term retrieval capability_ x
AU-12 Audit Generation x x x
AU-12(1) _audit generation system-wide / time-correlated audit trail_ x
AU-12(2) _audit generation standardized formats_
AU-12(3) _audit generation changes by authorized individuals_ x
AU-13 Monitoring for Information Disclosure x
AU-13(1) _monitoring for information disclosure use of automated tools_ x
AU-13(2) _monitoring for information disclosure review of monitored sites_ x
AU-14 Session Audit x
AU-14(1) _session audit system start-up_ x
AU-14(2) _session audit capture/record and log content_ x
AU-14(3) _session audit remote viewing / listening_ x
AU-15 Alternate Audit Capability
AU-16 Cross-Organizational Auditing
AU-16(1) _cross-organizational auditing identity preservation_
AU-16(2) _cross-organizational auditing sharing of audit information_

TABLE D-6: SUMMARY — SECURITY ASSESSMENT AND AUTHORIZATION CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
CA-1 Security Assessment and Authorization Policies and Procedures x x x x
CA-2 Security Assessments x x x x
CA-2(1) _security assessments independent assessors_ x x x
CA-2(2) _security assessments specialized assessments_ x x
CA-2(3) _security assessments external organizations_ x
CA-3 System Interconnections x x x x
CA-3(1) _system interconnections unclassified national security system connections_
CA-3(2) _system interconnections classified national security system connections_
CA-3(3) _system interconnections unclassified non-national security system connections_
CA-3(4) _system interconnections connections to public networks_
CA-3(5) _system interconnections restrictions on external system connections_ x x
CA-4 Security Certification x Incorporated into CA-2.
CA-5 Plan of Action and Milestones x x x x
CA-5(1) _plan of action and milestones automation support for accuracy / currency_ x
CA-6 Security Authorization x x x x
CA-7 Continuous Monitoring x x x x
CA-7(1) _continuous monitoring independent assessment_ x x x
CA-7(2) _continuous monitoring types of assessments_ x Incorporated into CA-2.
CA-7(3) _continuous monitoring trend analyses_ x
CA-8 Penetration Testing x x
CA-8(1) _penetration testing independent penetration agent or team_ x
CA-8(2) _penetration testing red team exercises_ x
CA-9 Internal System Connections x x x x
CA-9(1) _internal system connections security compliance checks_ x

TABLE D-7: SUMMARY — CONFIGURATION MANAGEMENT CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
CM-1 Configuration Management Policy and Procedures x x x x
CM-2 Baseline Configuration x x x x
CM-2(1) _baseline configuration reviews and updates_ x x x
CM-2(2) _baseline configuration automation support for accuracy / currency_ x x
CM-2(3) _baseline configuration retention of previous configurations_ x x x
CM-2(4) _baseline configuration unauthorized software_ x Incorporated into CM-7.
CM-2(5) _baseline configuration authorized software_ x Incorporated into CM-7.
CM-2(6) _baseline configuration development and test environments_ x
CM-2(7) _baseline configuration configure systems, components, or devices for high-risk areas_ x x x
CM-3 Configuration Change Control x x x
CM-3(1) _configuration change control automated document / notification / prohibition of changes_ x x
CM-3(2) _configuration change control test / validate / document changes_ x x x
CM-3(3) _configuration change control automated change implementation_
CM-3(4) _configuration change control security representative_
CM-3(5) _configuration change control automated security response_
CM-3(6) _configuration change control cryptography management_
CM-4 Security Impact Analysis x x x x
CM-4(1) _security impact analysis separate test environments_ x x
CM-4(2) _security impact analysis verification of security functions_ x
CM-5 Access Restrictions for Change x x
CM-5(1) _access restrictions for change automated access enforcement / auditing_ x
CM-5(2) _access restrictions for change review system changes_ x
CM-5(3) _access restrictions for change signed components_ x
CM-5(4) _access restrictions for change dual authorization_
CM-5(5) _access restrictions for change limit production / operational privileges_
CM-5(6) _access restrictions for change limit library privileges_
CM-5(7) _access restrictions for change automatic implementation of security safeguards_ x Incorporated into SI-7.
CM-6 Configuration Settings x x x
CM-6(1) _configuration settings automated central management / application / verification_ x
CM-6(2) _configuration settings respond to unauthorized changes_ x
CM-6(3) _configuration settings unauthorized change detection_ x Incorporated into SI-7.
CM-6(4) _configuration settings conformance demonstration_ x Incorporated into CM-4.
CM-7 Least Functionality x x x
CM-7(1) _least functionality periodic review_ x x
CM-7(2) _least functionality prevent program execution_ x x
CM-7(3) _least functionality registration compliance_
CM-7(4) _least functionality unauthorized software / blacklisting_ x
CM-7(5) _least functionality authorized software / whitelisting_ x
CM-8 Information System Component Inventory x x x x
CM-8(1) _information system component inventory updates during installations / removals_ x x x
CM-8(2) _information system component inventory automated maintenance_ x x
CM-8(3) _information system component inventory automated unauthorized component detection_ x x x
CM-8(4) _information system component inventory accountability information_ x x
CM-8(5) _information system component inventory no duplicate accounting of components_ x x x
CM-8(6) _information system component inventory assessed configurations / approved deviations_ x
CM-8(7) _information system component inventory centralized repository_ x
CM-8(8) _information system component inventory automated location tracking_ x
CM-8(9) _information system component inventory assignment of components to systems_ x
CM-9 Configuration Management Plan x x
CM-9(1) _configuration management plan assignment of responsibility_
CM-10 Software Usage Restrictions x x x
CM-10(1) _software usage restrictions open source software_
CM-11 User-Installed Software x x x
CM-11(1) _user-installed software alerts for unauthorized installations_
CM-11(2) _user-installed software prohibit installation without privileged status_

TABLE D-8: SUMMARY — CONTINGENCY PLANNING CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
CP-1 Contingency Planning Policy and Procedures x x x x
CP-2 Contingency Plan x x x
CP-2(1) _contingency plan coordinate with related plans_ x x
CP-2(2) _contingency plan capacity planning_ x
CP-2(3) _contingency plan resume essential missions / business functions_ x x
CP-2(4) _contingency plan resume all missions / business functions_ x
CP-2(5) _contingency plan continue essential missions / business functions_ x
CP-2(6) _contingency plan alternate processing / storage site_
CP-2(7) _contingency plan coordinate with external service providers_
CP-2(8) _contingency plan identify critical assets_ x x
CP-3 Contingency Training x x x x
CP-3(1) _contingency training simulated events_ x x
CP-3(2) _contingency training automated training environments_ x
CP-4 Contingency Plan Testing x x x x
CP-4(1) _contingency plan testing coordinate with related plans_ x x x
CP-4(2) _contingency plan testing alternate processing site_ x x
CP-4(3) _contingency plan testing automated testing_ x
CP-4(4) _contingency plan testing full recovery / reconstitution_ x
CP-5 Contingency Plan Update x Incorporated into CP-2.
CP-6 Alternate Storage Site x x
CP-6(1) _alternate storage site separation from primary site_ x x
CP-6(2) _alternate storage site recovery time / point objectives_ x
CP-6(3) _alternate storage site accessibility_ x x
CP-7 Alternate Processing Site x x
CP-7(1) _alternate processing site separation from primary site_ x x
CP-7(2) _alternate processing site accessibility_ x x
CP-7(3) _alternate processing site priority of service_ x x
CP-7(4) _alternate processing site preparation for use_ x
CP-7(5) _alternate processing site equivalent information security safeguards_ x Incorporated into CP-7.
CP-7(6) _alternate processing site inability to return to primary site_
CP-8 Telecommunications Services x x
CP-8(1) _telecommunications services priority of service provisions_ x x
CP-8(2) _telecommunications services single points of failure_ x x
CP-8(3) _telecommunications services separation of primary / alternate providers_ x
CP-8(4) _telecommunications services provider contingency plan_ x
CP-8(5) _telecommunications services alternate telecommunication service testing_
CP-9 Information System Backup x x x
CP-9(1) _information system backup testing for reliability / integrity_ x x
CP-9(2) _information system backup test restoration using sampling_ x
CP-9(3) _information system backup separate storage for critical information_ x
CP-9(4) _information system backup protection from unauthorized modification_ x Incorporated into CP-9.
CP-9(5) _information system backup transfer to alternate storage site_ x
CP-9(6) _information system backup redundant secondary system_
CP-9(7) _information system backup dual authorization_
CP-10 Information System Recovery and Reconstitution x x x
CP-10(1) _information system recovery and reconstitution contingency plan testing_ x Incorporated into CP-4.
CP-10(2) _information system recovery and reconstitution transaction recovery_ x x
CP-10(3) _information system recovery and reconstitution compensating security controls_ x Addressed by tailoring procedures.
CP-10(4) _information system recovery and reconstitution restore within time period_ x
CP-10(5) _information system recovery and reconstitution failover capability_ x Incorporated into SI-13.
CP-10(6) _information system recovery and reconstitution component protection_
CP-11 Alternate Communications Protocols
CP-12 Safe Mode x
CP-13 Alternative Security Mechanisms

TABLE D-9: SUMMARY — IDENTIFICATION AND AUTHENTICATION CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
IA-1 Identification and Authentication Policy and Procedures x x x x
IA-2 Identification and Authentication (Organizational Users) x x x
IA-2(1) _identification and authentication (organizational users) network access to privileged accounts_ x x x
IA-2(2) _identification and authentication (organizational users) network access to non-privileged accounts_ x x
IA-2(3) _identification and authentication (organizational users) local access to privileged accounts_ x x
IA-2(4) _identification and authentication (organizational users) local access to non-privileged accounts_ x
IA-2(5) _identification and authentication (organizational users) group authentication_
IA-2(6) _identification and authentication (organizational users) network access to privileged accounts - separate device_
IA-2(7) _identification and authentication (organizational users) network access to non-privileged accounts - separate device_
IA-2(8) _identification and authentication (organizational users) network access to privileged accounts - replay resistant_ x x
IA-2(9) _identification and authentication (organizational users) network access to non-privileged accounts - replay resistant_ x
IA-2(10) _identification and authentication (organizational users) single sign-on_
IA-2(11) _identification and authentication (organizational users) remote access - separate device_ x x
IA-2(12) _identification and authentication (organizational users) acceptance of piv credentials_ x x x
IA-2(13) _identification and authentication out-of-band authentication_
IA-3 Device Identification and Authentication x x
IA-3(1) _device identification and authentication cryptographic bidirectional authentication_
IA-3(2) _device identification and authentication cryptographic bidirectional network authentication_ x Incorporated into IA-3(1).
IA-3(3) _device identification and authentication dynamic address allocation_
IA-3(4) _device identification and authentication device attestation_
IA-4 Identifier Management x x x
IA-4(1) _identifier management prohibit account identifiers as public identifiers_
IA-4(2) _identifier management supervisor authorization_
IA-4(3) _identifier management multiple forms of certification_
IA-4(4) _identifier management identify user status_
IA-4(5) _identifier management dynamic management_
IA-4(6) _identifier management cross-organization management_
IA-4(7) _identifier management in-person registration_
IA-5 Authenticator Management x x x
IA-5(1) _authenticator management password-based authentication_ x x x
IA-5(2) _authenticator management pki-based authentication_ x x
IA-5(3) _authenticator management in-person or trusted third-party registration_ x x
IA-5(4) _authenticator management automated support for password strength determination_
IA-5(5) _authenticator management change authenticators prior to delivery_
IA-5(6) _authenticator management protection of authenticators_
IA-5(7) _authenticator management no embedded unencrypted static authenticators_
IA-5(8) _authenticator management multiple information system accounts_
IA-5(9) _authenticator management cross-organization credential management_
IA-5(10) _authenticator management dynamic credential association_
IA-5(11) _authenticator management hardware token-based authentication_ x x x
IA-5(12) _authenticator management biometric-based authentication_
IA-5(13) _authenticator management expiration of cached authenticators_
IA-5(14) _authenticator management managing content of pki trust stores_
IA-5(15) _authenticator management ficam-approved products and services_
IA-6 Authenticator Feedback x x x
IA-7 Cryptographic Module Authentication x x x
IA-8 Identification and Authentication (Non-Organizational Users) x x x
IA-8(1) _identification and authentication (non-organizational users) acceptance of piv credentials from other agencies_ x x x
IA-8(2) _identification and authentication (non-organizational users) acceptance of third-party credentials_ x x x
IA-8(3) _identification and authentication (non-organizational users) use of ficam-approved products_ x x x
IA-8(4) _identification and authentication (non-organizational users) use of ficam-issued profiles_ x x x
IA-8(5) _identification and authentication (non-organizational users) acceptance of piv-i credentials_
IA-9 Service Identification and Authentication
IA-9(1) _service identification and authentication information exchange_
IA-9(2) _service identification and authentication transmission of decisions_
IA-10 Adaptive Identification and Authentication
IA-11 Re-authentication

TABLE D-10: SUMMARY — INCIDENT RESPONSE CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
IR-1 Incident Response Policy and Procedures x x x x
IR-2 Incident Response Training x x x x
IR-2(1) _incident response training simulated events_ x x
IR-2(2) _incident response training automated training environments_ x x
IR-3 Incident Response Testing x x x
IR-3(1) _incident response testing automated testing_ x
IR-3(2) _incident response testing coordination with related plans_ x x x
IR-4 Incident Handling x x x
IR-4(1) _incident handling automated incident handling processes_ x x
IR-4(2) _incident handling dynamic reconfiguration_
IR-4(3) _incident handling continuity of operations_
IR-4(4) _incident handling information correlation_ x
IR-4(5) _incident handling automatic disabling of information system_
IR-4(6) _incident handling insider threats - specific capabilities_
IR-4(7) _incident handling insider threats - intra-organization coordination_
IR-4(8) _incident handling correlation with external organizations_
IR-4(9) _incident handling dynamic response capability_
IR-4(10) _incident handling supply chain coordination_
IR-5 Incident Monitoring x x x x
IR-5(1) _incident monitoring automated tracking / data collection / analysis_ x x
IR-6 Incident Reporting x x x
IR-6(1) _incident reporting automated reporting_ x x
IR-6(2) _incident reporting vulnerabilities related to incidents_
IR-6(3) _incident reporting coordination with supply chain_
IR-7 Incident Response Assistance x x x
IR-7(1) _incident response assistance automation support for availability of information / support_ x x
IR-7(2) _incident response assistance coordination with external providers_
IR-8 Incident Response Plan x x x
IR-9 Information Spillage Response
IR-9(1) _information spillage response responsible personnel_
IR-9(2) _information spillage response training_
IR-9(3) _information spillage response post-spill operations_
IR-9(4) _information spillage response exposure to unauthorized personnel_
IR-10 Integrated Information Security Analysis Team

TABLE D-11: SUMMARY — MAINTENANCE CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
MA-1 System Maintenance Policy and Procedures x x x x
MA-2 Controlled Maintenance x x x
MA-2(1) _controlled maintenance record content_ x Incorporated into MA-2.
MA-2(2) _controlled maintenance automated maintenance activities_ x
MA-3 Maintenance Tools x x
MA-3(1) _maintenance tools inspect tools_ x x
MA-3(2) _maintenance tools inspect media_ x x
MA-3(3) _maintenance tools prevent unauthorized removal_ x
MA-3(4) _maintenance tools restricted tool use_
MA-4 Nonlocal Maintenance x x x
MA-4(1) _nonlocal maintenance auditing and review_
MA-4(2) _nonlocal maintenance document nonlocal maintenance_ x x
MA-4(3) _nonlocal maintenance comparable security / sanitization_ x
MA-4(4) _nonlocal maintenance authentication / separation of maintenance sessions_
MA-4(5) _nonlocal maintenance approvals and notifications_
MA-4(6) _nonlocal maintenance cryptographic protection_
MA-4(7) _nonlocal maintenance remote disconnect verification_
MA-5 Maintenance Personnel x x x
MA-5(1) _maintenance personnel individuals without appropriate access_ x
MA-5(2) _maintenance personnel security clearances for classified systems_
MA-5(3) _maintenance personnel citizenship requirements for classified systems_
MA-5(4) _maintenance personnel foreign nationals_
MA-5(5) _maintenance personnel non-system-related maintenance_
MA-6 Timely Maintenance x x
MA-6(1) _timely maintenance preventive maintenance_
MA-6(2) _timely maintenance predictive maintenance_
MA-6(3) _timely maintenance automated support for predictive maintenance_

TABLE D-12: SUMMARY — MEDIA PROTECTION CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
MP-1 Media Protection Policy and Procedures x x x x
MP-2 Media Access x x x
MP-2(1) _media access automated restricted access_ x Incorporated into MP-4(2).
MP-2(2) _media access cryptographic protection_ x Incorporated into SC-28(1).
MP-3 Media Marking x x
MP-4 Media Storage x x
MP-4(1) _media storage cryptographic protection_ x Incorporated into SC-28(1).
MP-4(2) _media storage automated restricted access_
MP-5 Media Transport x x
MP-5(1) _media transport protection outside of controlled areas_ x Incorporated into MP-5.
MP-5(2) _media transport documentation of activities_ x Incorporated into MP-5.
MP-5(3) _media transport custodians_
MP-5(4) _media transport cryptographic protection_ x x
MP-6 Media Sanitization x x x
MP-6(1) _media sanitization review / approve / track / document / verify_ x
MP-6(2) _media sanitization equipment testing_ x
MP-6(3) _media sanitization nondestructive techniques_ x
MP-6(4) _media sanitization controlled unclassified information_ x Incorporated into MP-6.
MP-6(5) _media sanitization classified information_ x Incorporated into MP-6.
MP-6(6) _media sanitization media destruction_ x Incorporated into MP-6.
MP-6(7) _media sanitization dual authorization_
MP-6(8) _media sanitization remote purging / wiping of information_
MP-7 Media Use x x x
MP-7(1) _media use prohibit use without owner_ x x
MP-7(2) _media use prohibit use of sanitization-resistant media_
MP-8 Media Downgrading
MP-8(1) _media downgrading documentation of process_
MP-8(2) _media downgrading equipment testing_
MP-8(3) _media downgrading controlled unclassified information_
MP-8(4) _media downgrading classified information_

TABLE D-13: SUMMARY — PHYSICAL AND ENVIRONMENTAL PROTECTION CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
PE-1 Physical and Environmental Protection Policy and Procedures x x x x
PE-2 Physical Access Authorizations x x x
PE-2(1) _physical access authorizations access by position / role_
PE-2(2) _physical access authorizations two forms of identification_
PE-2(3) _physical access authorizations restrict unescorted access_
PE-3 Physical Access Control x x x
PE-3(1) _physical access control information system access_ x
PE-3(2) _physical access control facility / information system boundaries_
PE-3(3) _physical access control continuous guards / alarms / monitoring_
PE-3(4) _physical access control lockable casings_
PE-3(5) _physical access control tamper protection_
PE-3(6) _physical access control facility penetration testing_
PE-4 Access Control for Transmission Medium x x
PE-5 Access Control for Output Devices x x
PE-5(1) _access control for output devices access to output by authorized individuals_
PE-5(2) _access control for output devices access to output by individual identity_
PE-5(3) _access control for output devices marking output devices_
PE-6 Monitoring Physical Access x x x x
PE-6(1) _monitoring physical access intrusion alarms / surveillance equipment_ x x x
PE-6(2) _monitoring physical access automated intrusion recognition / responses_ x
PE-6(3) _monitoring physical access video surveillance_ x
PE-6(4) _monitoring physical access monitoring physical access to information systems_ x x
PE-7 Visitor Control x Incorporated into PE-2 and PE-3.
PE-8 Visitor Access Records x x x x
PE-8(1) _visitor access records automated records maintenance / review_ x
PE-8(2) _visitor access records physical access records_ x Incorporated into PE-2.
PE-9 Power Equipment and Cabling x x
PE-9(1) _power equipment and cabling redundant cabling_
PE-9(2) _power equipment and cabling automatic voltage controls_
PE-10 Emergency Shutoff x x
PE-10(1) _emergency shutoff accidental / unauthorized activation_ x Incorporated into PE-10.
PE-11 Emergency Power x x
PE-11(1) _emergency power long-term alternate power supply - minimal operational capability_ x
PE-11(2) _emergency power long-term alternate power supply - self-contained_
PE-12 Emergency Lighting x x x
PE-12(1) _emergency lighting essential missions / business functions_
PE-13 Fire Protection x x x
PE-13(1) _fire protection detection devices / systems_ x
PE-13(2) _fire protection suppression devices / systems_ x
PE-13(3) _fire protection automatic fire suppression_ x x
PE-13(4) _fire protection inspections_
PE-14 Temperature and Humidity Controls x x x
PE-14(1) _temperature and humidity controls automatic controls_
PE-14(2) _temperature and humidity controls monitoring with alarms / notifications_
PE-15 Water Damage Protection x x x
PE-15(1) _water damage protection automation support_ x
PE-16 Delivery and Removal x x x
PE-17 Alternate Work Site x x
PE-18 Location of Information System Components x
PE-18(1) _location of information system components facility site_
PE-19 Information Leakage
PE-19(1) _information leakage national emissions / tempest policies and procedures_
PE-20 Asset Monitoring and Tracking

TABLE D-14: SUMMARY — PLANNING CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
PL-1 Security Planning Policy and Procedures x x x x
PL-2 System Security Plan x x x x
PL-2(1) _system security plan concept of operations_ x Incorporated into PL-7.
PL-2(2) _system security plan functional architecture_ x Incorporated into PL-8.
PL-2(3) _system security plan plan / coordinate with other organizational entities_ x x x
PL-3 System Security Plan Update x Incorporated into PL-2.
PL-4 Rules of Behavior x x x x
PL-4(1) _rules of behavior social media and networking restrictions_ x x x
PL-5 Privacy Impact Assessment x Incorporated into Appendix J, AR-2.
PL-6 Security-Related Activity Planning x Incorporated into PL-2.
PL-7 Security Concept of Operations
PL-8 Information Security Architecture x x x
PL-8(1) _information security architecture defense-in-depth_ x
PL-8(2) _information security architecture supplier diversity_ x
PL-9 Central Management x

TABLE D-15: SUMMARY — PERSONNEL SECURITY CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
PS-1 Personnel Security Policy and Procedures x x x x
PS-2 Position Risk Designation x x x
PS-3 Personnel Screening x x x
PS-3(1) _personnel screening classified information_
PS-3(2) _personnel screening formal indoctrination_
PS-3(3) _personnel screening information with special protection measures_
PS-4 Personnel Termination x x x
PS-4(1) _personnel termination post-employment requirements_
PS-4(2) _personnel termination automated notification_ x
PS-5 Personnel Transfer x x x
PS-6 Access Agreements x x x x
PS-6(1) _access agreements information requiring special protection_ x Incorporated into PS-3.
PS-6(2) _access agreements classified information requiring special protection_ x
PS-6(3) _access agreements post-employment requirements_ x
PS-7 Third-Party Personnel Security x x x x
PS-8 Personnel Sanctions x x x

TABLE D-16: SUMMARY — RISK ASSESSMENT CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
RA-1 Risk Assessment Policy and Procedures x x x x
RA-2 Security Categorization x x x
RA-3 Risk Assessment x x x x
RA-4 Risk Assessment Update x Incorporated into RA-3.
RA-5 Vulnerability Scanning x x x x
RA-5(1) _vulnerability scanning update tool capability_ x x x
RA-5(2) _vulnerability scanning update by frequency / prior to new scan / when identified_ x x x
RA-5(3) _vulnerability scanning breadth / depth of coverage_ x
RA-5(4) _vulnerability scanning discoverable information_ x x
RA-5(5) _vulnerability scanning privileged access_ x x x
RA-5(6) _vulnerability scanning automated trend analyses_ x
RA-5(7) _vulnerability scanning automated detection and notification of unauthorized components_ x Incorporated into CM-8.
RA-5(8) _vulnerability scanning review historic audit logs_ x
RA-5(9) _vulnerability scanning penetration testing and analyses_ x Incorporated into CA-8.
RA-5(10) _vulnerability scanning correlate scanning information_ x
RA-6 Technical Surveillance Countermeasures Survey x

TABLE D-17: SUMMARY — SYSTEM AND SERVICES ACQUISITION CONTROLS

CNTL control name withdrawn assurance control baselines (low mod high)
SA-1 System and Services Acquisition Policy and Procedures x x x x
SA-2 Allocation of Resources x x x x
SA-3 System Development Life Cycle x x x x
SA-4 Acquisition Process x x x x
SA-4(1) _acquisition process functional properties of security controls_ x x x
SA-4(2) _acquisition process design / implementation information for security controls_ x x x
SA-4(3) _acquisition process development methods / techniques / practices_ x
SA-4(4) _acquisition process assignment of components to systems_ x Incorporated into CM-8(9).
SA-4(5) _acquisition process system / component / service configurations_ x
SA-4(6) _acquisition process use of information assurance products_ x
SA-4(7) _acquisition process niap-approved protection profiles_ x
SA-4(8) _acquisition process continuous monitoring plan_ x
SA-4(9) _acquisition process functions / ports / protocols / services in use_ x x x
SA-4(10) _acquisition process use of approved piv products_ x x x x
SA-5 Information System Documentation x x x x
SA-5(1) _information system documentation functional properties of security controls_ x Incorporated into SA-4(1).
SA-5(2) _information system documentation security-relevant external system interfaces_ x Incorporated into SA-4(2).
SA-5(3) _information system documentation high-level design_ x Incorporated into SA-4(2).
SA-5(4) _information system documentation low-level design_ x Incorporated into SA-4(2).
SA-5(5) _information system documentation source code_ x Incorporated into SA-4(2).
SA-6 Software Usage Restrictions x Incorporated into CM-10 and SI-7.
SA-7 User-Installed Software x Incorporated into CM-11 and SI-7.
SA-8 Security Engineering Principles x x x
SA-9 External Information System Services x x x x
SA-9(1) _external information systems risk assessments / organizational approvals_ x
SA-9(2) _external information systems identification of functions / ports / protocols / services_ x x x
SA-9(3) _external information systems establish / maintain trust relationship with providers_ x
SA-9(4) _external information systems consistent interests of consumers and providers_ x
SA-9(5) _external information systems processing, storage, and service location_ x
SA-10 Developer Configuration Management x x x
SA-10(1) _developer configuration management software / firmware integrity verification_ x
SA-10(2) _developer configuration management alternative configuration management processes_ x
SA-10(3) _developer configuration management hardware integrity verification_ x
SA-10(4) _developer configuration management trusted generation_ x
SA-10(5) _developer configuration management mapping integrity for version control_ x
SA-10(6) _developer configuration management trusted distribution_ x
SA-11 Developer Security Testing and Evaluation x x x
SA-11(1) _developer security testing and evaluation static code analysis_ x
SA-11(2) _developer security testing and evaluation threat and vulnerability analyses_ x
SA-11(3) _developer security testing and evaluation independent verification of assessment plans / evidence_ x
SA-11(4) _developer security testing and evaluation manual code reviews_ x
SA-11(5) _developer security testing and evaluation penetration testing_ x
SA-11(6) _developer security testing and evaluation attack surface reviews_ x
SA-11(7) _developer security testing and evaluation verify scope of testing / evaluation_ x
SA-11(8) _developer security testing and evaluation dynamic code analysis_ x
SA-12 Supply Chain Protection x x
SA-12(1) _supply chain protection acquisition strategies / tools / methods_ x
SA-12(2) _supply chain protection supplier reviews_ x
SA-12(3) _supply chain protection trusted shipping and warehousing_ x Incorporated into SA-12(1).
SA-12(4) _supply chain protection diversity of suppliers_ x Incorporated into SA-12(13).
SA-12(5) _supply chain protection limitation of harm_ x
SA-12(6) _supply chain protection minimizing procurement time_ x Incorporated into SA-12(1).
SA-12(7) _supply chain protection assessments prior to selection / acceptance / update_ x
SA-12(8) _supply chain protection use of all-source intelligence_ x
SA-12(9) _supply chain protection operations security_ x
SA-12(10) _supply chain protection validate as genuine and not altered_ x
SA-12(11) _supply chain protection penetration testing / analysis of elements, processes, and actors_ x
SA-12(12) _supply chain protection inter-organizational agreements_ x
SA-12(13) _supply chain protection critical information system components_ x
SA-12(14) _supply chain protection identity and traceability_ x
SA-12(15) _supply chain protection processes to address weaknesses or deficiencies_ x
SA-13 Trustworthiness x
SA-14 Criticality Analysis x
SA-14(1) _criticality analysis critical components with no viable alternative sourcing_ x Incorporated into SA-20.
SA-15 Development Process, Standards, and Tools x x
SA-15(1) _development process, standards, and tools quality metrics_ x
SA-15(2) _development process, standards, and tools security tracking tools_ x
SA-15(3) _development process, standards, and tools criticality analysis_ x
SA-15(4) _development process, standards, and tools threat modeling / vulnerability analysis_ x
SA-15(5) _development process, standards, and tools attack surface reduction_ x
SA-15(6) _development process, standards, and tools continuous improvement_ x
SA-15(7) _development process, standards, and tools automated vulnerability analysis_ x
SA-15(8) _development process, standards, and tools reuse of threat / vulnerability information_ x
SA-15(9) _development process, standards, and tools use of live data_ x
SA-15(10) _development process, standards, and tools incident response plan_ x
SA-15(11) _development process, standards, and tools archive information system / component_ x
SA-16 Developer-Provided Training x x
SA-17 Developer Security Architecture and Design x x
SA-17(1) _developer security architecture and design formal policy model_ x
SA-17(2) _developer security architecture and design security-relevant components_ x
SA-17(3) _developer security architecture and design formal correspondence_ x
SA-17(4) _developer security architecture and design informal correspondence_ x
SA-17(5) _developer security architecture and design conceptually simple design_ x
SA-17(6) _developer security architecture and design structure for testing_ x
SA-17(7) _developer security architecture and design structure for least privilege_ x
SA-18 Tamper Resistance and Detection x
SA-18(1) _tamper resistance and detection multiple phases of sdlc_ x
SA-18(2) _tamper resistance and detection inspection of information systems, components, or devices_ x
SA-19 Component Authenticity x
SA-19(1) _component authenticity anti-counterfeit training_ x
SA-19(2) _component authenticity configuration control for component service / repair_ x
SA-19(3) _component authenticity component disposal_ x
SA-19(4) _component authenticity anti-counterfeit scanning_ x
SA-20 Customized Development of Critical Components x
SA-21 Developer Screening x
SA-21(1) _developer screening validation of screening_ x
SA-22 Unsupported System Components x
SA-22(1) _unsupported system components alternative sources for continued support_ x

TABLE D-18: SUMMARY — SYSTEM AND COMMUNICATIONS PROTECTION CONTROLS

CNTL NO. | control name | withdrawn | assurance | control baselines (low / mod / high)
SC-1 System and Communications Protection Policy and Procedures x x x x
SC-2 Application Partitioning x x x
SC-2(1) _application partitioning interfaces for non-privileged users_ x
SC-3 Security Function Isolation x x
SC-3(1) _security function isolation hardware separation_ x
SC-3(2) _security function isolation access / flow control functions_ x
SC-3(3) _security function isolation minimize nonsecurity functionality_ x
SC-3(4) _security function isolation module coupling and cohesiveness_ x
SC-3(5) _security function isolation layered structures_ x
SC-4 Information in Shared Resources x x
SC-4(1) _information in shared resources security levels_ x Incorporated into SC-4.
SC-4(2) _information in shared resources periods processing_
SC-5 Denial of Service Protection x x x
SC-5(1) _denial of service protection restrict internal users_
SC-5(2) _denial of service protection excess capacity / bandwidth / redundancy_
SC-5(3) _denial of service protection detection / monitoring_
SC-6 Resource Availability x
SC-7 Boundary Protection x x x
SC-7(1) _boundary protection physically separated subnetworks_ x Incorporated into SC-7.
SC-7(2) _boundary protection public access_ x Incorporated into SC-7.
SC-7(3) _boundary protection access points_ x x
SC-7(4) _boundary protection external telecommunications services_ x x
SC-7(5) _boundary protection deny by default / allow by exception_ x x
SC-7(6) _boundary protection response to recognized failures_ x Incorporated into SC-7(18).
SC-7(7) _boundary protection prevent split tunneling for remote devices_ x x
SC-7(8) _boundary protection route traffic to authenticated proxy servers_ x
SC-7(9) _boundary protection restrict threatening outgoing communications traffic_
SC-7(10) _boundary protection prevent unauthorized exfiltration_
SC-7(11) _boundary protection restrict incoming communications traffic_
SC-7(12) _boundary protection host-based protection_
SC-7(13) _boundary protection isolation of security tools / mechanisms / support components_
SC-7(14) _boundary protection protects against unauthorized physical connections_
SC-7(15) _boundary protection route privileged network accesses_
SC-7(16) _boundary protection prevent discovery of components / devices_
SC-7(17) _boundary protection automated enforcement of protocol formats_
SC-7(18) _boundary protection fail secure_ x x
SC-7(19) _boundary protection blocks communication from non-organizationally configured hosts_
SC-7(20) _boundary protection dynamic isolation / segregation_
SC-7(21) _boundary protection isolation of information system components_ x x
SC-7(22) _boundary protection separate subnets for connecting to different security domains_ x
SC-7(23) _boundary protection disable sender feedback on protocol validation failure_
SC-8 Transmission Confidentiality and Integrity x x
SC-8(1) _transmission confidentiality and integrity cryptographic or alternate physical protection_ x x
SC-8(2) _transmission confidentiality and integrity pre / post transmission handling_
SC-8(3) _transmission confidentiality and integrity cryptographic protection for message externals_
SC-8(4) _transmission confidentiality and integrity conceal / randomize communications_
SC-9 Transmission Confidentiality x Incorporated into SC-8.
SC-10 Network Disconnect x x
SC-11 Trusted Path x
SC-11(1) _trusted path logical isolation_ x
SC-12 Cryptographic Key Establishment and Management x x x
SC-12(1) _cryptographic key establishment and management availability_ x
SC-12(2) _cryptographic key establishment and management symmetric keys_
SC-12(3) _cryptographic key establishment and management asymmetric keys_
SC-12(4) _cryptographic key establishment and management pki certificates_ x Incorporated into SC-12.
SC-12(5) _cryptographic key establishment and management pki certificates / hardware tokens_ x Incorporated into SC-12.
SC-13 Cryptographic Protection x x x
SC-13(1) _cryptographic protection fips-validated cryptography_ x Incorporated into SC-13.
SC-13(2) _cryptographic protection nsa-approved cryptography_ x Incorporated into SC-13.
SC-13(3) _cryptographic protection individuals without formal access approvals_ x Incorporated into SC-13.
SC-13(4) _cryptographic protection digital signatures_ x Incorporated into SC-13.
SC-14 Public Access Protections x Capability provided by AC-2, AC-3, AC-5, SI-3, SI-4, SI-5, SI-7, SI-10.
SC-15 Collaborative Computing Devices x x x
SC-15(1) _collaborative computing devices physical disconnect_
SC-15(2) _collaborative computing devices blocking inbound / outbound communications traffic_ x Incorporated into SC-7.
SC-15(3) _collaborative computing devices disabling / removal in secure work areas_
SC-15(4) _collaborative computing devices explicitly indicate current participants_
SC-16 Transmission of Security Attributes
SC-16(1) _transmission of security attributes integrity validation_
SC-17 Public Key Infrastructure Certificates x x
SC-18 Mobile Code x x
SC-18(1) _mobile code identify unacceptable code / take corrective actions_
SC-18(2) _mobile code acquisition / development / use_
SC-18(3) _mobile code prevent downloading / execution_
SC-18(4) _mobile code prevent automatic execution_
SC-18(5) _mobile code allow execution only in confined environments_
SC-19 Voice Over Internet Protocol x x
SC-20 Secure Name / Address Resolution Service (Authoritative Source) x x x
SC-20(1) _secure name / address resolution service (authoritative source) child subspaces_ x Incorporated into SC-20.
SC-20(2) _secure name / address resolution service (authoritative source) data origin / integrity_
SC-21 Secure Name / Address Resolution Service (Recursive or Caching Resolver) x x x
SC-21(1) _secure name / address resolution service (recursive or caching resolver) data origin / integrity_ x Incorporated into SC-21.
SC-22 Architecture and Provisioning for x x x
SC-23 Session Authenticity x x
SC-23(1) _session authenticity invalidate session identifiers at logout_
SC-23(2) _session authenticity user-initiated logouts / message displays_ x Incorporated into AC-12(1).
SC-23(3) _session authenticity unique session identifiers with randomization_
SC-23(4) _session authenticity unique session identifiers with randomization_ x Incorporated into SC-23(3).
SC-23(5) _session authenticity allowed certificate authorities_
SC-24 Fail in Known State x x
SC-25 Thin Nodes
SC-26 Honeypots
SC-26(1) _honeypots detection of malicious code_ x Incorporated into SC-35.
SC-27 Platform-Independent Applications
SC-28 Protection of Information at Rest x x
SC-28(1) _protection of information at rest cryptographic protection_
SC-28(2) _protection of information at rest off-line storage_
SC-29 Heterogeneity x
SC-29(1) _heterogeneity virtualization techniques_ x
SC-30 Concealment and Misdirection x
SC-30(1) _concealment and misdirection virtualization techniques_ x Incorporated into SC-29(1).
SC-30(2) _concealment and misdirection randomness_ x
SC-30(3) _concealment and misdirection change processing / storage locations_ x
SC-30(4) _concealment and misdirection misleading information_ x
SC-30(5) _concealment and misdirection concealment of system components_ x
SC-31 Covert Channel Analysis x
SC-31(1) _covert channel analysis test covert channels for exploitability_ x
SC-31(2) _covert channel analysis maximum bandwidth_ x
SC-31(3) _covert channel analysis measure bandwidth in operational environments_ x
SC-32 Information System Partitioning x
SC-33 Transmission Preparation Integrity x Incorporated into SC-8.
SC-34 Non-Modifiable Executable Programs x
SC-34(1) _non-modifiable executable programs no writable storage_ x
SC-34(2) _non-modifiable executable programs integrity protection / read-only media_ x
SC-34(3) _non-modifiable executable programs hardware-based protection_ x
SC-35 Honeyclients
SC-36 Distributed Processing and Storage x
SC-36(1) _distributed processing and storage polling techniques_ x
SC-37 Out-of-Band Channels x
SC-37(1) _out-of-band channels ensure delivery / transmission_ x
SC-38 Operations Security x
SC-39 Process Isolation x x x x
SC-39(1) _process isolation hardware separation_ x
SC-39(2) _process isolation thread isolation_ x
SC-40 Wireless Link Protection
SC-40(1) _wireless link protection electromagnetic interference_
SC-40(2) _wireless link protection reduce detection potential_
SC-40(3) _wireless link protection imitative or manipulative communications deception_
SC-40(4) _wireless link protection signal parameter identification_
SC-41 Port and I/O Device Access
SC-42 Sensor Capability and Data
SC-42(1) _sensor capability and data reporting to authorized individuals or roles_
SC-42(2) _sensor capability and data authorized use_
SC-42(3) _sensor capability and data prohibit use of devices_
SC-43 Usage Restrictions
SC-44 Detonation Chambers

TABLE D-19: SUMMARY — SYSTEM AND INFORMATION INTEGRITY CONTROLS

CNTL NO. | control name | withdrawn | assurance | control baselines (low / mod / high)
SI-1 System and Information Integrity Policy and Procedures x x x x
SI-2 Flaw Remediation x x x
SI-2(1) _flaw remediation central management_ x
SI-2(2) _flaw remediation automated flaw remediation status_ x x
SI-2(3) _flaw remediation time to remediate flaws / benchmarks for corrective actions_
SI-2(4) _flaw remediation automated patch management tools_ x Incorporated into SI-2.
SI-2(5) _flaw remediation automatic software / firmware updates_
SI-2(6) _flaw remediation removal of previous versions of software / firmware_
SI-3 Malicious Code Protection x x x
SI-3(1) _malicious code protection central management_ x x
SI-3(2) _malicious code protection automatic updates_ x x
SI-3(3) _malicious code protection non-privileged users_ x Incorporated into AC-6(10).
SI-3(4) _malicious code protection updates only by privileged users_
SI-3(5) _malicious code protection portable storage devices_ x Incorporated into MP-7.
SI-3(6) _malicious code protection testing / verification_
SI-3(7) _malicious code protection nonsignature-based detection_
SI-3(8) _malicious code protection detect unauthorized commands_
SI-3(9) _malicious code protection authenticate remote commands_
SI-3(10) _malicious code protection malicious code analysis_
SI-4 Information System Monitoring x x x x
SI-4(1) _information system monitoring system-wide intrusion detection system_ x
SI-4(2) _information system monitoring automated tools for real-time analysis_ x x x
SI-4(3) _information system monitoring automated tool integration_ x
SI-4(4) _information system monitoring inbound and outbound communications traffic_ x x x
SI-4(5) _information system monitoring system-generated alerts_ x x x
SI-4(6) _information system monitoring restrict non-privileged users_ x Incorporated into AC-6(10).
SI-4(7) _information system monitoring automated response to suspicious events_ x
SI-4(8) _information system monitoring protection of monitoring information_ x Incorporated into SI-4.
SI-4(9) _information system monitoring testing of monitoring tools_ x
SI-4(10) _information system monitoring visibility of encrypted communications_ x
SI-4(11) _information system monitoring analyze communications traffic anomalies_ x
SI-4(12) _information system monitoring automated alerts_ x
SI-4(13) _information system monitoring analyze traffic / event patterns_ x
SI-4(14) _information system monitoring wireless intrusion detection_ x
SI-4(15) _information system monitoring wireless to wireline communications_ x
SI-4(16) _information system monitoring correlate monitoring information_ x
SI-4(17) _information system monitoring integrated situational awareness_ x
SI-4(18) _information system monitoring analyze traffic / covert exfiltration_ x
SI-4(19) _information system monitoring individuals posing greater risk_ x
SI-4(20) _information system monitoring privileged user_ x
SI-4(21) _information system monitoring probationary periods_ x
SI-4(22) _information system monitoring unauthorized network services_ x
SI-4(23) _information system monitoring host-based devices_ x
SI-4(24) _information system monitoring indicators of compromise_ x
SI-5 Security Alerts, Advisories, and Directives x x x x
SI-5(1) _security alerts, advisories, and directives automated alerts and advisories_ x x
SI-6 Security Function Verification x x
SI-6(1) _security function verification notification of failed security tests_ x Incorporated into SI-6.
SI-6(2) _security function verification automation support for distributed testing_
SI-6(3) _security function verification report verification results_
SI-7 Software, Firmware, and Information Integrity x x x
SI-7(1) _software, firmware, and information integrity integrity checks_ x x x
SI-7(2) _software, firmware, and information integrity automated notifications of integrity violations_ x x
SI-7(3) _software, firmware, and information integrity centrally managed integrity tools_ x
SI-7(4) _software, firmware, and information integrity tamper-evident packaging_ x Incorporated into SA-12.
SI-7(5) _software, firmware, and information integrity automated response to integrity violations_ x x
SI-7(6) _software, firmware, and information integrity cryptographic protection_ x
SI-7(7) _software, firmware, and information integrity integration of detection and response_ x x x
SI-7(8) _software, firmware, and information integrity auditing capability for significant events_ x
SI-7(9) _software, firmware, and information integrity verify boot process_ x
SI-7(10) _software, firmware, and information integrity protection of boot firmware_ x
SI-7(11) _software, firmware, and information integrity confined environments with limited privileges_ x
SI-7(12) _software, firmware, and information integrity integrity verification_ x
SI-7(13) _software, firmware, and information integrity code execution in protected environments_ x
SI-7(14) _software, firmware, and information integrity binary or machine executable code_ x x
SI-7(15) _software, firmware, and information integrity code authentication_ x
SI-7(16) _software, firmware, and information integrity time limit on process execution without supervision_ x
SI-8 Spam Protection x x
SI-8(1) _spam protection central management_ x x
SI-8(2) _spam protection automatic updates_ x x
SI-8(3) _spam protection continuous learning capability_
SI-9 Information Input Restrictions x Incorporated into AC-2, AC-3, AC-5, AC-6.
SI-10 Information Input Validation x x x
SI-10(1) _information input validation manual override capability_ x
SI-10(2) _information input validation review / resolution of errors_ x
SI-10(3) _information input validation predictable behavior_ x
SI-10(4) _information input validation review / timing interactions_ x
SI-10(5) _information input validation review / restrict inputs to trusted sources and approved formats_ x
SI-11 Error Handling x x
SI-12 Information Handling and Retention x x x
SI-13 Predictable Failure Prevention x
SI-13(1) _predictable failure prevention transferring component responsibilities_ x
SI-13(2) _predictable failure prevention time limit on process execution without supervision_ x Incorporated into SI-7(16).
SI-13(3) _predictable failure prevention manual transfer between components_ x
SI-13(4) _predictable failure prevention standby component installation / notification_ x
SI-13(5) _predictable failure prevention failover capability_ x
SI-14 Non-Persistence x
SI-14(1) _non-persistence refresh from trusted sources_ x
SI-15 Information Output Filtering x
SI-16 Memory Protection x x x
SI-17 Fail-Safe Procedures x

adjustments to security control baselines

allocation of security controls and assignment of priority sequencing codes

With each revision to SP 800-53, minor adjustments may occur with the security control baselines including, for example, allocating additional controls and/or control enhancements, eliminating selected controls/enhancements, and changing sequencing priority codes (P-codes). These changes reflect: (i) the ongoing receipt and analysis of threat information; (ii) the periodic reexamination of the initial assumptions that generated the security control baselines; (iii) the desire for common security control baseline starting points for national security and non-national security systems to achieve community-wide convergence (relying subsequently on specific overlays to describe any adjustments from the common starting points); and (iv) the periodic reassessment of priority codes to appropriately balance the workload of security control implementation. Over time, as the security control catalog expands to address the continuing challenges from a dynamic and growing threat space that is increasingly sophisticated, organizations will come to rely to a much greater degree on overlays to provide the needed specialization for their security plans.


90. A complete description of all security controls is provided in Appendices F and G. In addition, separate documents for individual security control baselines (listed as Annexes 1, 2, and 3) are available at
91. The hierarchical nature applies to the security requirements of each control (i.e., the base control plus all of its enhancements) at the low-impact, moderate-impact, and high-impact levels, in that the control requirements at a particular impact level (e.g., CP-4 Contingency Plan Testing—Moderate: CP-4(1)) meet a stronger set of security requirements for that control than the next lower impact level of the same control (e.g., CP-4 Contingency Plan Testing—Low: CP-4).
92. The security control baselines in Table D-2 are the initial baselines selected by organizations prior to conducting the tailoring activities described in Section 3.2. The control baselines and priority codes are only applicable to non-national security systems. Security control baselines for national security systems are included in CNSS Instruction 1253.
93. The security control baselines in Tables D-3 through D-19 are only applicable to non-national security systems. Security control baselines for national security systems are included in CNSS Instruction 1253.
