ATTACHMENT
With reference to paragraph 15 of the Agreement, adequate security shall include, at minimum, implementation security and privacy controls in accordance with:
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5* (“Rev 5”), Security and Privacy Controls for Information Systems and Organizations.
In September 2020, the National Institute of Standards and Technology (NIST), published an update, Revision 5, to NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organization. SP 800-53 Revision 5 is part of the NIST Special Publication 800-series that reports on the NIST Information Technology Laboratory’s (ITL) computer security-related research, guidelines, and outreach. The publication provides a comprehensive set of security controls, three security control baselines (low, moderate, and high impact), and guidance for tailoring the appropriate baseline to specific needs according to the organization's missions, environments of operation, and technologies used.
A separate guideline, SP 800-53B, Control Baselines for Information Systems and Organizations, provides specific guidelines that facilitate periodic assessment of security controls to ensure that controls have been implemented correctly, are operating as intended, and are meeting the organization's security requirements.
NIST SP 800-53 Rev 5 - Families
AC - Access Control (23)
AT - Awareness and Training (5)
AU - Audit and Accountability (15)
CA – Assessment, Authorization, and Monitoring (8)
CM - Configuration Management (14)
CP - Contingency Planning (12)
IA - Identification and Authentication (12)
IR - Incident Response (9)
MA – Maintenance (7)
MP - Media Protection (8)
PE - Physical and Environmental Protection (22)
PL – Planning (8)
PM – Program Management (32)
PS - Personnel Security (9)
PT – PII Processing and Transparency (8)
RA - Risk Assessment (9)
SA - System and Services Acquisition (16)
SC - System and Communications Protection (47)
SI - System and Information Integrity (22)
SR – Supply Chain Risk Management (12)
The 20 Families are broken into 322 Controls
(Note: There will be overlap in numbers between the baselines)
188 are High Impact
177 are Moderate Impact, and
131 are Low Impact
The following pages provide a breakdown of each control and the assigned impact level. Detailed requirements for each control can be found at: NIST Risk Management Framework | CSRC
Further understanding can be acquired from the NIST Special Publication 800-53, Rev 5, found at: http://csrc.nist.gov/publications/PubsSPs.html
No. |
Control Name |
Low-Impact |
Moderate-Impact |
High-Impact |
Privacy Control Baseline |
ACCESS CONTROL |
|||||
POLICY AND PROCEDURES |
AC-1 |
AC-1 |
AC-1 |
AC-1 |
|
ACCOUNT MANAGEMENT |
AC-2 |
AC-2 (1) (2) (3) (4) (5) (13) |
AC-2 (1) (2) (3) (4) (5) (11) (12) (13) |
|
|
ACCESS ENFORCEMENT |
AC-3 |
AC-3 |
AC-3 |
AC-3 (14) |
|
INFORMATION FLOW ENFORCEMENT |
|
AC-4 |
AC-4 (4) |
|
|
SEPARATION OF DUTIES |
|
AC-5 |
AC-5 |
|
|
LEAST PRIVILEGE |
|
AC-6 (1) (2) (5) (7) (9) (10) |
AC-6 (1) (2) (3) (5) (7) (9) (10) |
|
|
UNSUCCESSFUL LOGON ATTEMPTS |
AC-7 |
AC-7 |
AC-7 |
|
|
SYSTEM USE NOTIFICATION |
AC-8 |
AC-8 |
AC-8 |
|
|
PREVIOUS LOGON NOTIFICATION |
|
|
|
|
|
CONCURRENT SESSION CONTROL |
|
|
AC-10 |
|
|
DEVICE LOCK |
|
AC-11 (1) |
AC-11 (1) |
|
|
SESSION TERMINATION |
|
AC-12 |
AC-12 |
|
|
SUPERVISION AND REVIEW — ACCESS CONTROL |
|
|
|
|
|
PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION |
AC-14 |
AC-14 |
AC-14 |
|
|
AUTOMATED MARKING |
|
|
|
|
|
SECURITY AND PRIVACY ATTRIBUTES |
|
|
|
|
|
REMOTE ACCESS |
AC-17 |
AC-17 (1) (2) (3) (4) |
AC-17 (1) (2) (3) (4) |
|
|
WIRELESS ACCESS |
AC-18 |
AC-18 (1) (3) |
AC-18 (1) (3) (4) (5) |
|
|
ACCESS CONTROL FOR MOBILE DEVICES |
AC-19 |
AC-19 (5) |
AC-19 (5) |
|
|
USE OF EXTERNAL SYSTEMS |
AC-20 |
AC-20 (1) (2) |
AC-20 (1) (2) |
|
|
INFORMATION SHARING |
|
AC-21 |
AC-21 |
|
|
PUBLICLY ACCESSIBLE CONTENT |
AC-22 |
AC-22 |
AC-22 |
|
|
DATA MINING PROTECTION |
|
|
|
|
|
ACCESS CONTROL DECISIONS |
|
|
|
|
|
REFERENCE MONITOR |
|
|
|
|
|
AWARENESS AND TRAINING |
|||||
POLICY AND PROCEDURES |
AT-1 |
AT-1 |
AT-1 |
AT-1 |
|
LITERACY TRAINING AND AWARENESS |
AT-2 (2) |
AT-2 (2) (3) |
AT-2 (2) (3) |
AT-2 |
|
ROLE-BASED TRAINING |
AT-3 |
AT-3 |
AT-3 |
AT-3 (5) |
|
TRAINING RECORDS |
AT-4 |
AT-4 |
AT-4 |
AT-4 |
|
CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS |
|
|
|
|
|
TRAINING FEEDBACK |
|
|
|
|
|
AUDIT AND ACCOUNTABILITY |
|||||
POLICY AND PROCEDURES |
AU-1 |
AU-1 |
AU-1 |
AU-1 |
|
EVENT LOGGING |
AU-2 |
AU-2 |
AU-2 |
AU-2 |
|
CONTENT OF AUDIT RECORDS |
AU-3 |
AU-3 (1) |
AU-3 (1) |
AU-3 (3) |
|
AUDIT LOG STORAGE CAPACITY |
AU-4 |
AU-4 |
AU-4 |
|
|
RESPONSE TO AUDIT LOGGING PROCESS FAILURES |
AU-5 |
AU-5 |
AU-5 (1) (2) |
|
|
AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING |
AU-6 |
AU-6 (1) (3) |
AU-6 (1) (3) (5) (6) |
|
|
AUDIT RECORD REDUCTION AND REPORT GENERATION |
|
AU-7 (1) |
AU-7 (1) |
|
|
TIME STAMPS |
AU-8 |
AU-8 |
AU-8 |
|
|
PROTECTION OF AUDIT INFORMATION |
AU-9 |
AU-9 (4) |
AU-9 (2) (3) (4) |
|
|
NON-REPUDIATION |
|
|
AU-10 |
|
|
AUDIT RECORD RETENTION |
AU-11 |
AU-11 |
AU-11 |
AU-11 |
|
AUDIT RECORD GENERATION |
AU-12 |
AU-12 |
AU-12 (1) (3) |
|
|
MONITORING FOR INFORMATION DISCLOSURE |
|
|
|
|
|
SESSION AUDIT |
|
|
|
|
|
ALTERNATE AUDIT LOGGING CAPABILITY |
|
|
|
|
|
CROSS-ORGANIZATIONAL AUDIT LOGGING |
|
|
|
|
|
ASSESSMENT, AUTHORIZATION AND MONITORING |
|||||
POLICY AND PROCEDURES |
CA-1 |
CA-1 |
CA-1 |
CA-1 |
|
CONTROL ASSESSMENTS |
CA-2 |
CA-2 (1) |
CA-2 (1) (2) |
CA-2 |
|
INFORMATION EXCHANGE |
CA-3 |
CA-3 |
CA-3 (6) |
|
|
SECURITY CERTIFICATION |
|
|
|
|
|
PLAN OF ACTION AND MILESTONES |
CA-5 |
CA-5 |
CA-5 |
CA-5 |
|
AUTHORIZATION |
CA-6 |
CA-6 |
CA-6 |
CA-6 |
|
CONTINUOUS MONITORING |
CA-7 (4) |
CA-7 (1) (4) |
CA-7 (1) (4) |
CA-7 (4) |
|
PENETRATION TESTING |
|
|
CA-8 (1) |
|
|
INTERNAL SYSTEM CONNECTIONS |
CA-9 |
CA-9 |
CA-9 |
|
|
CONFIGURATION MANAGEMENT |
|||||
POLICY AND PROCEDURES |
CM-1 |
CM-1 |
CM-1 |
CM-1 |
|
BASELINE CONFIGURATION |
CM-2 |
CM-2 (2) (3) (7) |
CM-2 (2) (3) (7) |
|
|
CONFIGURATION CHANGE CONTROL |
|
CM-3 (2) (4) |
CM-3 (1) (2) (4) (6) |
|
|
IMPACT ANALYSES |
CM-4 |
CM-4 (2) |
CM-4 (1) (2) |
CM-4 |
|
ACCESS RESTRICTIONS FOR CHANGE |
CM-5 |
CM-5 |
CM-5 (1) |
|
|
CONFIGURATION SETTINGS |
CM-6 |
CM-6 |
CM-6 (1) (2) |
|
|
LEAST FUNCTIONALITY |
CM-7 |
CM-7 (1) (2) (5) |
CM-7 (1) (2) (5) |
|
|
SYSTEM COMPONENT INVENTORY |
CM-8 |
CM-8 (1) (3) |
CM-8 (1) (2) (3) (4) |
|
|
CONFIGURATION MANAGEMENT PLAN |
|
CM-9 |
CM-9 |
|
|
SOFTWARE USAGE RESTRICTIONS |
CM-10 |
CM-10 |
CM-10 |
|
|
USER-INSTALLED SOFTWARE |
CM-11 |
CM-11 |
CM-11 |
|
|
INFORMATION LOCATION |
|
CM-12 (1) |
CM-12 (1) |
|
|
DATA ACTION MAPPING |
|
|
|
|
|
SIGNED COMPONENTS |
|
|
|
|
|
CONTINGENCY PLANNING |
|||||
POLICY AND PROCEDURES |
CP-1 |
CP-1 |
CP-1 |
|
|
CONTINGENCY PLAN |
CP-2 |
CP-2 (1) (3) (8) |
CP-2 (1) (2) (3) (5) (8) |
|
|
CONTINGENCY TRAINING |
CP-3 |
CP-3 |
CP-3 (1) |
|
|
CONTINGENCY PLAN TESTING |
CP-4 |
CP-4 (1) |
CP-4 (1) (2) |
|
|
CONTINGENCY PLAN UPDATE |
|
|
|
|
|
ALTERNATE STORAGE SITE |
|
CP-6 (1) (3) |
CP-6 (1) (2) (3) |
|
|
ALTERNATE PROCESSING SITE |
|
CP-7 (1) (2) (3) |
CP-7 (1) (2) (3) (4) |
|
|
TELECOMMUNICATIONS SERVICES |
|
CP-8 (1) (2) |
CP-8 (1) (2) (3) (4) |
|
|
SYSTEM BACKUP |
CP-9 |
CP-9 (1) (8) |
CP-9 (1) (2) (3) (5) (8) |
|
|
SYSTEM RECOVERY AND RECONSTITUTION |
CP-10 |
CP-10 (2) |
CP-10 (2) (4) |
|
|
ALTERNATE COMMUNICATIONS PROTOCOLS |
|
|
|
|
|
SAFE MODE |
|
|
|
|
|
ALTERNATIVE SECURITY MECHANISMS |
|
|
|
|
|
IDENTIFICATION AND AUTHENTICATION |
|||||
POLICY AND PROCEDURES |
IA-1 |
IA-1 |
IA-1 |
|
|
IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) |
IA-2 (1) (2) (8) (12) |
IA-2 (1) (2) (8) (12) |
IA-2 (1) (2) (5) (8) (12) |
|
|
DEVICE IDENTIFICATION AND AUTHENTICATION |
|
IA-3 |
IA-3 |
|
|
IDENTIFIER MANAGEMENT |
IA-4 |
IA-4 (4) |
IA-4 (4) |
|
|
AUTHENTICATOR MANAGEMENT |
IA-5 (1) |
IA-5 (1) (2) (6) |
IA-5 (1) (2) (6) |
|
|
AUTHENTICATION FEEDBACK |
IA-6 |
IA-6 |
IA-6 |
|
|
CRYPTOGRAPHIC MODULE AUTHENTICATION |
IA-7 |
IA-7 |
IA-7 |
|
|
IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) |
IA-8 (1) (2) (4) |
IA-8 (1) (2) (4) |
IA-8 (1) (2) (4) |
|
|
SERVICE IDENTIFICATION AND AUTHENTICATION |
|
|
|
|
|
ADAPTIVE AUTHENTICATION |
|
|
|
|
|
RE-AUTHENTICATION |
IA-11 |
IA-11 |
IA-11 |
|
|
IDENTITY PROOFING |
|
IA-12 (2) (3) (5) |
IA-12 (2) (3) (4) (5) |
|
|
INCIDENT RESPONSE |
|||||
POLICY AND PROCEDURES |
IR-1 |
IR-1 |
IR-1 |
IR-1 |
|
INCIDENT RESPONSE TRAINING |
IR-2 |
IR-2 |
IR-2 (1) (2) |
IR-2 (3) |
|
INCIDENT RESPONSE TESTING |
|
IR-3 (2) |
IR-3 (2) |
IR-3 |
|
INCIDENT HANDLING |
IR-4 |
IR-4 (1) |
IR-4 (1) (4) (11) |
IR-4 |
|
INCIDENT MONITORING |
IR-5 |
IR-5 |
IR-5 (1) |
IR-5 |
|
INCIDENT REPORTING |
IR-6 |
IR-6 (1) (3) |
IR-6 (1) (3) |
IR-6 |
|
INCIDENT RESPONSE ASSISTANCE |
IR-7 |
IR-7 (1) |
IR-7 (1) |
IR-7 |
|
INCIDENT RESPONSE PLAN |
IR-8 |
IR-8 |
IR-8 |
IR-8 (1) |
|
INFORMATION SPILLAGE RESPONSE |
|
|
|
|
|
INTEGRATED INFORMATION SECURITY ANALYSIS TEAM |
|
|
|
|
|
MAINTENANCE |
|||||
POLICY AND PROCEDURES |
MA-1 |
MA-1 |
MA-1 |
|
|
CONTROLLED MAINTENANCE |
MA-2 |
MA-2 |
MA-2 (2) |
|
|
MAINTENANCE TOOLS |
|
MA-3 (1) (2) (3) |
MA-3 (1) (2) (3) |
|
|
NONLOCAL MAINTENANCE |
MA-4 |
MA-4 |
MA-4 (3) |
|
|
MAINTENANCE PERSONNEL |
MA-5 |
MA-5 |
MA-5 (1) |
|
|
TIMELY MAINTENANCE |
|
MA-6 |
MA-6 |
|
|
FIELD MAINTENANCE |
|
|
|
|
|
MEDIA PROTECTION |
|||||
POLICY AND PROCEDURES |
MP-1 |
MP-1 |
MP-1 |
MP-1 |
|
MEDIA ACCESS |
MP-2 |
MP-2 |
MP-2 |
|
|
MEDIA MARKING |
|
MP-3 |
MP-3 |
|
|
MEDIA STORAGE |
|
MP-4 |
MP-4 |
|
|
MEDIA TRANSPORT |
|
MP-5 |
MP-5 |
|
|
MEDIA SANITIZATION |
MP-6 |
MP-6 |
MP-6 (1) (2) (3) |
MP-6 |
|
MEDIA USE |
MP-7 |
MP-7 |
MP-7 |
|
|
MEDIA DOWNGRADING |
|
|
|
|
|
PHYSICAL AND ENVIRONMENTAL PROTECTION |
|||||
POLICY AND PROCEDURES |
PE-1 |
PE-1 |
PE-1 |
|
|
PHYSICAL ACCESS AUTHORIZATIONS |
PE-2 |
PE-2 |
PE-2 |
|
|
PHYSICAL ACCESS CONTROL |
PE-3 |
PE-3 |
PE-3 (1) |
|
|
ACCESS CONTROL FOR TRANSMISSION |
|
PE-4 |
PE-4 |
|
|
ACCESS CONTROL FOR OUTPUT DEVICES |
|
PE-5 |
PE-5 |
|
|
MONITORING PHYSICAL ACCESS |
PE-6 |
PE-6 (1) |
PE-6 (1) (4) |
|
|
VISITOR CONTROL |
|
|
|
|
|
VISITOR ACCESS RECORDS |
PE-8 |
PE-8 |
PE-8 (1) |
PE-8 (3) |
|
POWER EQUIPMENT AND CABLING |
|
PE-9 |
PE-9 |
|
|
EMERGENCY SHUTOFF |
|
PE-10 |
PE-10 |
|
|
EMERGENCY POWER |
|
PE-11 |
PE-11 (1) |
|
|
EMERGENCY LIGHTING |
PE-12 |
PE-12 |
PE-12 |
|
|
FIRE PROTECTION |
PE-13 |
PE-13 (1) |
PE-13 (1) (2) |
|
|
ENVIRONMENTAL CONTROLS |
PE-14 |
PE-14 |
PE-14 |
|
|
WATER DAMAGE PROTECTION |
PE-15 |
PE-15 |
PE-15 (1) |
|
|
DELIVERY AND REMOVAL |
PE-16 |
PE-16 |
PE-16 |
|
|
ALTERNATE WORK SITE |
|
PE-17 |
PE-17 |
|
|
LOCATION OF SYSTEM COMPONENTS |
|
|
PE-18 |
|
|
INFORMATION LEAKAGE |
|
|
|
|
|
ASSET MONITORING AND TRACKING |
|
|
|
|
|
ELECTROMAGNETIC PULSE PROTECTION |
|
|
|
|
|
COMPONENT MARKING |
|
|
|
|
|
FACILITY LOCATION |
|
|
|
|
|
PLANNING |
|||||
POLICY AND PROCEDURES |
PL-1 |
PL-1 |
PL-1 |
PL-1 |
|
SYSTEM SECURITY AND PRIVACY PLANS |
PL-2 |
PL-2 |
PL-2 |
PL-2 |
|
SYSTEM SECURITY PLAN UPDATE |
|
|
|
|
|
RULES OF BEHAVIOR |
PL-4 (1) |
PL-4 (1) |
PL-4 (1) |
PL-4 (1) |
|
PRIVACY IMPACT ASSESSMENT |
|
|
|
|
|
SECURITY-RELATED ACTIVITY PLANNING |
|
|
|
|
|
CONCEPT OF OPERATIONS |
|
|
|
|
|
SECURITY AND PRIVACY ARCHITECTURES |
|
PL-8 |
PL-8 |
PL-8 |
|
CENTRAL MANAGEMENT |
|
|
|
PL-9 |
|
BASELINE SELECTION |
PL-10 |
PL-10 |
PL-10 |
|
|
BASELINE TAILORING |
PL-11 |
PL-11 |
PL-11 |
|
|
PROGRAM MANAGEMENT |
|||||
INFORMATION SECURITY PROGRAM PLAN |
|
|
|
|
|
INFORMATION SECURITY PROGRAM LEADERSHIP ROLE |
|
|
|
|
|
INFORMATION SECURITY AND PRIVACY RESOURCES |
|
|
|
PM-3 |
|
PLAN OF ACTION AND MILESTONES PROCESS |
|
|
|
PM-4 |
|
SYSTEM INVENTORY |
|
|
|
PM-5 (1) |
|
MEASURES OF PERFORMANCE |
|
|
|
PM-6 |
|
ENTERPRISE ARCHITECTURE |
|
|
|
PM-7 |
|
CRITICAL INFRASTRUCTURE PLAN |
|
|
|
PM-8 |
|
RISK MANAGEMENT STRATEGY |
|
|
|
PM-9 |
|
AUTHORIZATION PROCESS |
|
|
|
PM-10 |
|
MISSION AND BUSINESS PROCESS DEFINITION |
|
|
|
PM-11 |
|
INSIDER THREAT PROGRAM |
|
|
|
|
|
SECURITY AND PRIVACY WORKFORCE |
|
|
|
PM-13 |
|
TESTING, TRAINING, AND MONITORING |
|
|
|
PM-14 |
|
SECURITY AND PRIVACY GROUPS AND ASSOCIATIONS |
|
|
|
|
|
THREAT AWARENESS PROGRAM |
|
|
|
|
|
PROTECTING CONTROLLED UNCLASSIFIED INFORMATION ON EXTERNAL SYSTEMS |
|
|
|
PM-17 |
|
PRIVACY PROGRAM PLAN |
|
|
|
PM-18 |
|
PRIVACY PROGRAM LEADERSHIP ROLE |
|
|
|
PM-19 |
|
DISSEMINATION OF PRIVACY PROGRAM INFORMATION |
|
|
|
PM-20 (1) |
|
ACCOUNTING OF DISCLOSURES |
|
|
|
PM-21 |
|
PERSONALLY IDENTIFIABLE INFORMATION QUALITY MANAGEMENT |
|
|
|
PM-22 |
|
DATA GOVERNANCE BODY |
|
|
|
|
|
DATA INTEGRITY BOARD |
|
|
|
PM-24 |
|
MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION USED IN TESTING, TRAINING, AND RESEARCH |
|
|
|
PM-25 |
|
COMPLAINT MANAGEMENT |
|
|
|
PM-26 |
|
PRIVACY REPORTING |
|
|
|
PM-27 |
|
RISK FRAMING |
|
|
|
PM-28 |
|
RISK MANAGEMENT PROGRAM LEADERSHIP ROLES |
|
|
|
|
|
SUPPLY CHAIN RISK MANAGEMENT STRATEGY |
|
|
|
|
|
CONTINUOUS MONITORING STRATEGY |
|
|
|
PM-31 |
|
PURPOSING |
|
|
|
|
|
PERSONNEL SECURITY |
|||||
POLICY AND PROCEDURES |
PS-1 |
PS-1 |
PS-1 |
|
|
POSITION RISK DESIGNATION |
PS-2 |
PS-2 |
PS-2 |
|
|
PERSONNEL SCREENING |
PS-3 |
PS-3 |
PS-3 |
|
|
PERSONNEL TERMINATION |
PS-4 |
PS-4 |
PS-4 (2) |
|
|
PERSONNEL TRANSFER |
PS-5 |
PS-5 |
PS-5 |
|
|
ACCESS AGREEMENTS |
PS-6 |
PS-6 |
PS-6 |
PS-6 |
|
EXTERNAL PERSONNEL SECURITY |
PS-7 |
PS-7 |
PS-7 |
|
|
PERSONNEL SANCTIONS |
PS-8 |
PS-8 |
PS-8 |
|
|
POSITION DESCRIPTIONS |
PS-9 |
PS-9 |
PS-9 |
|
|
PII PROCESSING AND TRANSPARENCY |
|||||
POLICY AND PROCEDURES |
|
|
|
PT-1 |
|
AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION |
|
|
|
PT-2 |
|
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES |
|
|
|
PT-3 |
|
CONSENT |
|
|
|
PT-4 |
|
PRIVACY NOTICE |
|
|
|
PT-5 (2) |
|
SYSTEM OF RECORDS NOTICE |
|
|
|
PT-6 (1) (2) |
|
SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION |
|
|
|
PT-7 (1) (2) |
|
COMPUTER MATCHING REQUIREMENTS |
|
|
|
PT-8 |
|
RISK ASSESSMENT |
|||||
POLICY AND PROCEDURES |
RA-1 |
RA-1 |
RA-1 |
RA-1 |
|
SECURITY CATEGORIZATION |
RA-2 |
RA-2 |
RA-2 |
|
|
RISK ASSESSMENT |
RA-3 (1) |
RA-3 (1) |
RA-3 (1) |
RA-3 |
|
RISK ASSESSMENT UPDATE |
|
|
|
|
|
VULNERABILITY MONITORING AND SCANNING |
RA-5 (2) (11) |
RA-5 (2) (5) (11) |
RA-5 (2) (4) (5) (11) |
|
|
TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY |
|
|
|
|
|
RISK RESPONSE |
RA-7 |
RA-7 |
RA-7 |
RA-7 |
|
PRIVACY IMPACT ASSESSMENTS |
|
|
|
RA-8 |
|
CRITICALITY ANALYSIS |
|
RA-9 |
RA-9 |
|
|
THREAT HUNTING |
|
|
|
|
|
SYSTEM AND SERVICES AQUISITION |
|||||
POLICY AND PROCEDURES |
SA-1 |
SA-1 |
SA-1 |
SA-1 |
|
ALLOCATION OF RESOURCES |
SA-2 |
SA-2 |
SA-2 |
SA-2 |
|
SYSTEM DEVELOPMENT LIFE CYCLE |
SA-3 |
SA-3 |
SA-3 |
SA-3 |
|
ACQUISITION PROCESS |
SA-4 (10) |
SA-4 (1) (2) (9) (10) |
SA-4 (1) (2) (5) (9) (10) |
SA-4 |
|
SYSTEM DOCUMENTATION |
SA-5 |
SA-5 |
SA-5 |
|
|
SOFTWARE USAGE RESTRICTIONS |
|
|
|
|
|
USER-INSTALLED SOFTWARE |
|
|
|
|
|
SECURITY AND PRIVACY ENGINEERING PRINCIPLES |
SA-8 |
SA-8 |
SA-8 |
SA-8 (33) |
|
EXTERNAL SYSTEM SERVICES |
SA-9 |
SA-9 (2) |
SA-9 (2) |
SA-9 |
|
DEVELOPER CONFIGURATION MANAGEMENT |
|
SA-10 |
SA-10 |
|
|
DEVELOPER TESTING AND EVALUATION |
|
SA-11 |
SA-11 |
SA-11 |
|
SUPPLY CHAIN PROTECTION |
|
|
|
|
|
TRUSTWORTHINESS |
|
|
|
|
|
CRITICALITY ANALYSIS |
|
|
|
|
|
DEVELOPMENT PROCESS, STANDARDS, AND TOOLS |
|
SA-15 (3) |
SA-15 (3) |
|
|
DEVELOPER-PROVIDED TRAINING |
|
|
SA-16 |
|
|
DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN |
|
|
SA-17 |
|
|
TAMPER RESISTANCE AND DETECTION |
|
|
|
|
|
COMPONENT AUTHENTICITY |
|
|
|
|
|
CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS |
|
|
|
|
|
DEVELOPER SCREENING |
|
|
SA-21 |
|
|
UNSUPPORTED SYSTEM COMPONENTS |
SA-22 |
SA-22 |
SA-22 |
|
|
SPECIALIZATION |
|
|
|
|
|
SYSTEM AND COMMUNICATIONS PROTECTION |
|||||
POLICY AND PROCEDURES |
SC-1 |
SC-1 |
SC-1 |
|
|
SEPARATION OF SYSTEM AND USER FUNCTIONALITY |
|
SC-2 |
SC-2 |
|
|
SECURITY FUNCTION ISOLATION |
|
|
SC-3 |
|
|
INFORMATION IN SHARED SYSTEM RESOURCES |
|
SC-4 |
SC-4 |
|
|
DENIAL-OF-SERVICE PROTECTION |
SC-5 |
SC-5 |
SC-5 |
|
|
RESOURCE AVAILABILITY |
|
|
|
|
|
BOUNDARY PROTECTION |
SC-7 |
SC-7 (3) (4) (5) (7) (8) |
SC-7 (3) (4) (5) (7) (8) (18) (21) |
SC-7 (24) |
|
TRANSMISSION CONFIDENTIALITY AND INTEGRITY |
|
SC-8 (1) |
SC-8 (1) |
|
|
TRANSMISSION CONFIDENTIALITY |
|
|
|
|
|
NETWORK DISCONNECT |
|
SC-10 |
SC-10 |
|
|
TRUSTED PATH |
|
|
|
|
|
CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT |
SC-12 |
SC-12 |
SC-12 (1) |
|
|
CRYPTOGRAPHIC PROTECTION |
SC-13 |
SC-13 |
SC-13 |
|
|
PUBLIC ACCESS PROTECTIONS |
|
|
|
|
|
COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS |
SC-15 |
SC-15 |
SC-15 |
|
|
TRANSMISSION OF SECURITY AND PRIVACY ATTRIBUTES |
|
|
|
|
|
PUBLIC KEY INFRASTRUCTURE CERTIFICATES |
|
SC-17 |
SC-17 |
|
|
MOBILE CODE |
|
SC-18 |
SC-18 |
|
|
VOICE OVER INTERNET PROTOCOL |
|
|
|
|
|
SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) |
SC-20 |
SC-20 |
SC-20 |
|
|
SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) |
SC-21 |
SC-21 |
SC-21 |
|
|
ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE |
SC-22 |
SC-22 |
SC-22 |
|
|
SESSION AUTHENTICITY |
|
SC-23 |
SC-23 |
|
|
FAIL IN KNOWN STATE |
|
|
SC-24 |
|
|
THIN NODES |
|
|
|
|
|
DECOYS |
|
|
|
|
|
PLATFORM-INDEPENDENT APPLICATIONS |
|
|
|
|
|
PROTECTION OF INFORMATION AT REST |
|
SC-28 (1) |
SC-28 (1) |
|
|
HETEROGENEITY |
|
|
|
|
|
CONCEALMENT AND MISDIRECTION |
|
|
|
|
|
COVERT CHANNEL ANALYSIS |
|
|
|
|
|
SYSTEM PARTITIONING |
|
|
|
|
|
TRANSMISSION PREPARATION INTEGRITY |
|
|
|
|
|
NON-MODIFIABLE EXECUTABLE PROGRAMS |
|
|
|
|
|
EXTERNAL MALICIOUS CODE IDENTIFICATION |
|
|
|
|
|
DISTRIBUTED PROCESSING AND STORAGE |
|
|
|
|
|
OUT-OF-BAND CHANNELS |
|
|
|
|
|
OPERATIONS SECURITY |
|
|
|
|
|
PROCESS ISOLATION |
SC-39 |
SC-39 |
SC-39 |
|
|
WIRELESS LINK PROTECTION |
|
|
|
|
|
PORT AND I/O DEVICE ACCESS |
|
|
|
|
|
SENSOR CAPABILITY AND DATA |
|
|
|
|
|
USAGE RESTRICTIONS |
|
|
|
|
|
DETONATION CHAMBERS |
|
|
|
|
|
SYSTEM TIME SYNCHRONIZATION |
|
|
|
|
|
CROSS DOMAIN POLICY ENFORCEMENT |
|
|
|
|
|
ALTERNATE COMMUNICATIONS PATHS |
|
|
|
|
|
SENSOR RELOCATION |
|
|
|
|
|
HARDWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT |
|
|
|
|
|
SOFTWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT |
|
|
|
|
|
HARDWARE-BASED PROTECTION |
|
|
|
|
|
SYSTEM AND INFORMATION INTEGRITY |
|||||
POLICY AND PROCEDURES |
SI-1 |
SI-1 |
SI-1 |
SI-1 |
|
FLAW REMEDIATION |
SI-2 |
SI-2 (2) |
SI-2 (2) |
|
|
MALICIOUS CODE PROTECTION |
SI-3 |
SI-3 |
SI-3 |
|
|
SYSTEM MONITORING |
SI-4 |
SI-4 (2) (4) (5) |
SI-4 (2) (4) (5) (10) (12) (14) (20) (22) |
|
|
SECURITY ALERTS, ADVISORIES, AND DIRECTIVES |
SI-5 |
SI-5 |
SI-5 (1) |
|
|
SECURITY AND PRIVACY FUNCTION VERIFICATION |
|
|
SI-6 |
|
|
SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY |
|
SI-7 (1) (7) |
SI-7 (1) (2) (5) (7) (15) |
|
|
SPAM PROTECTION |
|
SI-8 (2) |
SI-8 (2) |
|
|
INFORMATION INPUT RESTRICTIONS |
|
|
|
|
|
INFORMATION INPUT VALIDATION |
|
SI-10 |
SI-10 |
|
|
ERROR HANDLING |
|
SI-11 |
SI-11 |
|
|
INFORMATION MANAGEMENT AND RETENTION |
SI-12 |
SI-12 |
SI-12 |
SI-12 (1) (2) (3) |
|
PREDICTABLE FAILURE PREVENTION |
|
|
|
|
|
NON-PERSISTENCE |
|
|
|
|
|
INFORMATION OUTPUT FILTERING |
|
|
|
|
|
MEMORY PROTECTION |
|
SI-16 |
SI-16 |
|
|
FAIL-SAFE PROCEDURES |
|
|
|
|
|
PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS |
|
|
|
SI-18 (4) |
|
DE-IDENTIFICATION |
|
|
|
SI-19 |
|
TAINTING |
|
|
|
|
|
INFORMATION REFRESH |
|
|
|
|
|
INFORMATION DIVERSITY |
|
|
|
|
|
INFORMATION FRAGMENTATION |
|
|
|
|
|
SUPPLY CHAIN RISK MANAGEMENT |
|||||
POLICY AND PROCEDURES |
SR-1 |
SR-1 |
SR-1 |
|
|
SUPPLY CHAIN RISK MANAGEMENT PLAN |
SR-2 (1) |
SR-2 (1) |
SR-2 (1) |
|
|
SUPPLY CHAIN CONTROLS AND PROCESSES |
SR-3 |
SR-3 |
SR-3 |
|
|
PROVENANCE |
|
|
|
|
|
ACQUISITION STRATEGIES, TOOLS, AND METHODS |
SR-5 |
SR-5 |
SR-5 |
|
|
SUPPLIER ASSESSMENTS AND REVIEWS |
|
SR-6 |
SR-6 |
|
|
SUPPLY CHAIN OPERATIONS SECURITY |
|
|
|
|
|
NOTIFICATION AGREEMENTS |
SR-8 |
SR-8 |
SR-8 |
|
|
TAMPER RESISTANCE AND DETECTION |
|
|
SR-9 (1) |
|
|
INSPECTION OF SYSTEMS OR COMPONENTS |
SR-10 |
SR-10 |
SR-10 |
|
|
COMPONENT AUTHENTICITY |
SR-11 (1) (2) |
SR-11 (1) (2) |
SR-11 (1) (2) |
|
|
COMPONENT DISPOSAL |
SR-12 |
SR-12 |
SR-12 |
|
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | U.S. Department of Education |
File Modified | 0000-00-00 |
File Created | 2022-09-27 |