| GOV-01 | Cybersecurity & Data Protection Governance Program | Cybersecurity & Data Protection Governance | N/A | 10 | |
| GOV-01.1 | Steering Committee & Program Oversight | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-01.2 | Status Reporting To Governing Body | Cybersecurity & Data Protection Governance | N/A | 5 | |
| GOV-01.3 | Commitment To Continual Improvements | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-02 | Publishing Cybersecurity & Data Protection Documentation | Cybersecurity & Data Protection Governance | N/A | 10 | |
| GOV-02.1 | Exception Management | Cybersecurity & Data Protection Governance | N/A | 8 | |
| GOV-03 | Periodic Review & Update of Cybersecurity & Data Protection Program | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-04 | Assigned Cybersecurity & Data Protection Responsibilities | Cybersecurity & Data Protection Governance | N/A | 10 | |
| GOV-04.1 | Stakeholder Accountability Structure | Cybersecurity & Data Protection Governance | N/A | 8 | |
| GOV-04.2 | Authoritative Chain of Command | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-05 | Measures of Performance | Cybersecurity & Data Protection Governance | N/A | 6 | |
| GOV-05.1 | Key Performance Indicators (KPIs) | Cybersecurity & Data Protection Governance | N/A | 6 | |
| GOV-05.2 | Key Risk Indicators (KRIs) | Cybersecurity & Data Protection Governance | N/A | 6 | |
| GOV-06 | Contacts With Authorities | Cybersecurity & Data Protection Governance | N/A | 5 | |
| GOV-07 | Contacts With Groups & Associations | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-08 | Defining Business Context & Mission | Cybersecurity & Data Protection Governance | N/A | 5 | |
| GOV-09 | Define Control Objectives | Cybersecurity & Data Protection Governance | N/A | 5 | |
| GOV-10 | Data Governance | Cybersecurity & Data Protection Governance | N/A | 9 | |
| GOV-11 | Purpose Validation | Cybersecurity & Data Protection Governance | N/A | 5 | |
| GOV-12 | Forced Technology Transfer (FTT) | Cybersecurity & Data Protection Governance | N/A | 10 | |
| GOV-13 | State-Sponsored Espionage | Cybersecurity & Data Protection Governance | N/A | 10 | |
| GOV-14 | Business As Usual (BAU) Secure Practices | Cybersecurity & Data Protection Governance | N/A | 6 | |
| GOV-15 | Operationalizing Cybersecurity & Data Protection Practices | Cybersecurity & Data Protection Governance | N/A | 9 | |
| GOV-15.1 | Select Controls | Cybersecurity & Data Protection Governance | N/A | 8 | |
| GOV-15.2 | Implement Controls | Cybersecurity & Data Protection Governance | N/A | 9 | |
| GOV-15.3 | Assess Controls | Cybersecurity & Data Protection Governance | N/A | 8 | |
| GOV-15.4 | Authorize Technology Assets, Applications and/or Services (TAAS) | Cybersecurity & Data Protection Governance | N/A | 8 | |
| GOV-15.5 | Monitor Controls | Cybersecurity & Data Protection Governance | N/A | 8 | |
| GOV-16 | Materiality Determination | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-16.1 | Material Risks | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-16.2 | Material Threats | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-17 | Cybersecurity & Data Protection Status Reporting | Cybersecurity & Data Protection Governance | N/A | 8 | |
| GOV-18 | Quality Management System (QMS) | Cybersecurity & Data Protection Governance | N/A | 4 | |
| GOV-19 | Assurance | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-19.1 | Assurance Levels (AL) | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-19.2 | Assessment Objectives (AO) | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-20 | Mergers, Acquisitions & Divestitures (MA&D) | Cybersecurity & Data Protection Governance | N/A | 6 | |
| GOV-20.1 | Virtual Data Room (VDR) | Cybersecurity & Data Protection Governance | N/A | 6 | |
| AAT-29.6 | Privileged Role & Delegation Boundaries | Artificial & Autonomous Technologies | N/A | 5 | |
| AST-01 | Asset Governance | Asset Management | N/A | 10 | |
| AST-01.1 | Asset-Service Dependencies | Asset Management | N/A | 5 | |
| AST-01.2 | Stakeholder Identification & Involvement | Asset Management | N/A | 5 | |
| AST-01.3 | Standardized Naming Convention | Asset Management | N/A | 5 | |
| AST-01.4 | Approved Technologies | Asset Management | N/A | 7 | |
| AST-02 | Asset Inventories | Asset Management | N/A | 10 | |
| AST-02.1 | Updates During Installations / Removals | Asset Management | N/A | 7 | |
| AST-02.2 | Automated Unauthorized Component Detection | Asset Management | N/A | 3 | |
| AST-02.3 | Component Duplication Avoidance | Asset Management | N/A | 2 | |
| AST-02.4 | Approved Baseline Deviations | Asset Management | N/A | 8 | |
| AST-02.5 | Network Access Control (NAC) | Asset Management | N/A | 4 | |
| AST-02.6 | Dynamic Host Configuration Protocol (DHCP) Server Logging | Asset Management | N/A | 3 | |
| AST-02.7 | Software Licensing Restrictions | Asset Management | N/A | 8 | |
| AST-02.8 | Data Action Mapping | Asset Management | N/A | 9 | |
| AST-02.9 | Configuration Management Database (CMDB) | Asset Management | N/A | 5 | |
| AST-02.10 | Automated Location Tracking | Asset Management | N/A | 5 | |
| AST-02.11 | Component Assignment | Asset Management | N/A | 3 | |
| AST-03 | Asset Ownership Assignment | Asset Management | N/A | 8 | |
| AST-03.1 | Accountability Information | Asset Management | N/A | 5 | |
| AST-03.2 | Provenance | Asset Management | N/A | 8 | |
| AST-04 | Network Diagrams & Data Flow Diagrams (DFDs) | Asset Management | N/A | 10 | |
| AST-04.1 | Asset Scope Classification | Asset Management | N/A | 8 | |
| AST-04.2 | Control Applicability Boundary Graphical Representation | Asset Management | N/A | 6 | |
| AST-04.3 | Compliance-Specific Asset Identification | Asset Management | N/A | 6 | |
| AST-05 | Security of Assets & Media | Asset Management | N/A | 8 | |
| AST-05.1 | Management Approval For External Media Transfer | Asset Management | N/A | 8 | |
| AST-06 | Unattended End-User Equipment | Asset Management | N/A | 9 | |
| AST-06.1 | Asset Storage In Automobiles | Asset Management | N/A | 7 | |
| AST-07 | Kiosks & Point of Interaction (PoI) Devices | Asset Management | N/A | 8 | |
| AST-08 | Physical Tampering Detection | Asset Management | N/A | 9 | |
| AST-09 | Secure Disposal, Destruction or Re-Use of Equipment | Asset Management | N/A | 10 | |
| AST-10 | Return of Assets | Asset Management | N/A | 8 | |
| AST-11 | Removal of Assets | Asset Management | N/A | 8 | |
| AST-12 | Use of Personal Devices | Asset Management | N/A | 10 | |
| AST-13 | Use of Third-Party Devices | Asset Management | N/A | 9 | |
| AST-14 | Usage Parameters | Asset Management | N/A | 7 | |
| AST-14.1 | Bluetooth & Wireless Devices | Asset Management | N/A | 7 | |
| AST-14.2 | Infrared Communications | Asset Management | N/A | 5 | |
| AST-15 | Logical Tampering Protection | Asset Management | N/A | 6 | |
| AST-15.1 | Technology Asset Inspections | Asset Management | N/A | 6 | |
| AST-16 | Bring Your Own Device (BYOD) Usage | Asset Management | N/A | 10 | |
| AST-17 | Prohibited Equipment & Services | Asset Management | N/A | 9 | |
| AST-18 | Roots of Trust Protection | Asset Management | N/A | 4 | |
| AST-19 | Telecommunications Equipment | Asset Management | N/A | 9 | |
| AST-20 | Video Teleconference (VTC) Security | Asset Management | N/A | 8 | |
| AST-21 | Voice Over Internet Protocol (VoIP) Security | Asset Management | N/A | 8 | |
| AST-22 | Microphones & Web Cameras | Asset Management | N/A | 8 | |
| AST-23 | Multi-Function Devices (MFD) | Asset Management | N/A | 8 | |
| AST-24 | Travel-Only Devices | Asset Management | N/A | 8 | |
| AST-25 | Re-Imaging Devices After Travel | Asset Management | N/A | 8 | |
| AST-26 | System Administrative Processes | Asset Management | N/A | 9 | |
| AST-27 | Jump Server | Asset Management | N/A | 7 | |
| AST-28 | Database Administrative Processes | Asset Management | N/A | 9 | |
| AST-28.1 | Database Management System (DBMS) | Asset Management | N/A | 6 | |
| AST-29 | Radio Frequency Identification (RFID) Security | Asset Management | N/A | 3 | |
| AST-29.1 | Contactless Access Control Systems | Asset Management | N/A | 3 | |
| AST-30 | Decommissioning | Asset Management | N/A | 4 | |
| AST-31 | Asset Categorization | Asset Management | N/A | 9 | |
| AST-31.1 | Categorize Artificial Intelligence (AI)-Related Technologies | Asset Management | N/A | 9 | |
| AST-31.2 | High-Risk Asset Categorization | Asset Management | N/A | 9 | |
| AST-31.3 | Asset Attributes | Asset Management | N/A | 5 | |
| AST-32 | Automated Network Asset Discovery | Asset Management | N/A | 3 | |
| BCD-01 | Business Continuity Management System (BCMS) | Business Continuity & Disaster Recovery | N/A | 10 | |
| BCD-01.1 | Coordinate with Related Plans | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-01.2 | Coordinate With External Service Providers | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-01.3 | Transfer to Alternate Processing / Storage Site | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-01.4 | Recovery Time / Point Objectives (RTO / RPO) | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-01.5 | Recovery Operations Criteria | Business Continuity & Disaster Recovery | N/A | 6 | |
| BCD-01.6 | Recovery Operations Communications | Business Continuity & Disaster Recovery | N/A | 3 | |
| BCD-02 | Identify Critical Assets | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-02.1 | Resume All Missions & Business Functions | Business Continuity & Disaster Recovery | N/A | 8 | |
| BCD-02.2 | Continue Essential Mission & Business Functions | Business Continuity & Disaster Recovery | N/A | 8 | |
| BCD-02.3 | Resume Essential Missions & Business Functions | Business Continuity & Disaster Recovery | N/A | 8 | |
| BCD-02.4 | Data Storage Location Reviews | Business Continuity & Disaster Recovery | N/A | 8 | |
| BCD-03 | Contingency Training | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-03.1 | Simulated Events | Business Continuity & Disaster Recovery | N/A | 3 | |
| BCD-03.2 | Automated Training Environments | Business Continuity & Disaster Recovery | N/A | 1 | |
| BCD-04 | Contingency Plan Testing & Exercises | Business Continuity & Disaster Recovery | N/A | 6 | |
| BCD-04.1 | Coordinated Testing with Related Plans | Business Continuity & Disaster Recovery | N/A | 3 | |
| BCD-04.2 | Alternate Storage & Processing Sites | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-05 | Contingency Plan Root Cause Analysis (RCA) & Lessons Learned | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-06 | Ongoing Contingency Planning | Business Continuity & Disaster Recovery | N/A | 8 | |
| BCD-06.1 | Contingency Planning Components | Business Continuity & Disaster Recovery | N/A | 8 | |
| BCD-06.2 | Contingency Plan Update Notifications | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-07 | Alternative Security Measures | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-08 | Alternate Storage Site | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-08.1 | Separation from Primary Site | Business Continuity & Disaster Recovery | N/A | 7 | |
| BCD-08.2 | Accessibility | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-09 | Alternate Processing Site | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-09.1 | Separation from Primary Site | Business Continuity & Disaster Recovery | N/A | 7 | |
| BCD-09.2 | Accessibility | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-09.3 | Alternate Site Priority of Service | Business Continuity & Disaster Recovery | N/A | 6 | |
| BCD-09.4 | Preparation for Use | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-09.5 | Inability to Return to Primary Site | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-10 | Telecommunications Services Availability | Business Continuity & Disaster Recovery | N/A | 6 | |
| BCD-10.1 | Telecommunications Priority of Service Provisions | Business Continuity & Disaster Recovery | N/A | 6 | |
| BCD-10.2 | Separation of Primary / Alternate Providers | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-10.3 | Provider Contingency Plan | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-10.4 | Alternate Communications Channels | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-11 | Data Backups | Business Continuity & Disaster Recovery | N/A | 10 | |
| BCD-11.1 | Testing for Reliability & Integrity | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-11.2 | Separate Storage for Critical Information | Business Continuity & Disaster Recovery | N/A | 8 | |
| BCD-11.3 | Recovery Images | Business Continuity & Disaster Recovery | N/A | 8 | |
| BCD-11.4 | Cryptographic Protection | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-11.5 | Test Restoration Using Sampling | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-11.6 | Transfer to Alternate Storage Site | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-11.7 | Redundant Secondary System | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-11.8 | Dual Authorization For Backup Media Destruction | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-11.9 | Backup Access | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-11.10 | Backup Modification and/or Destruction | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-12 | Technology Assets, Applications and/or Services (TAAS) Recovery & Reconstitution | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-12.1 | Transaction Recovery | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-12.2 | Failover Capability | Business Continuity & Disaster Recovery | N/A | 8 | |
| BCD-12.3 | Electronic Discovery (eDiscovery) | Business Continuity & Disaster Recovery | N/A | 8 | |
| BCD-12.4 | Restore Within Time Period | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-13 | Backup & Restoration Hardware Protection | Business Continuity & Disaster Recovery | N/A | 8 | |
| BCD-13.1 | Restoration Integrity Verification | Business Continuity & Disaster Recovery | N/A | 7 | |
| BCD-14 | Isolated Recovery Environment | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-15 | Reserve Hardware | Business Continuity & Disaster Recovery | N/A | 7 | |
| BCD-16 | AI & Autonomous Technologies Incidents | Business Continuity & Disaster Recovery | N/A | 10 | |
| CHG-02.5 | Cryptographic Management | Change Management | N/A | 5 | |
| CPL-01 | Statutory, Regulatory & Contractual Compliance | Compliance | N/A | 10 | |
| CPL-01.1 | Non-Compliance Oversight | Compliance | N/A | 9 | |
| CPL-01.2 | Compliance Scope | Compliance | N/A | 10 | |
| CPL-01.3 | Ability To Demonstrate Conformity | Compliance | N/A | 8 | |
| CPL-01.4 | Conformity Assessment | Compliance | N/A | 9 | |
| CPL-01.5 | Declaration of Conformity | Compliance | N/A | 1 | |
| CPL-02 | Cybersecurity & Data Protection Controls Oversight | Compliance | N/A | 10 | |
| CPL-02.1 | Internal Audit Function | Compliance | N/A | 5 | |
| CPL-02.2 | Periodic Audits | Compliance | N/A | 8 | |
| CPL-02.3 | Corrective Action | Compliance | N/A | 7 | |
| CPL-03 | Cybersecurity & Data Protection Assessments | Compliance | N/A | 10 | |
| CPL-03.1 | Independent Assessors | Compliance | N/A | 6 | |
| CPL-03.2 | Functional Review Of Cybersecurity & Data Protection Controls | Compliance | N/A | 8 | |
| CPL-03.3 | Assessor Access | Compliance | N/A | 7 | |
| CPL-03.4 | Assessment Methods | Compliance | N/A | 7 | |
| CPL-03.5 | Assessment Rigor | Compliance | N/A | 7 | |
| CPL-03.6 | Evidence Request List (ERL) | Compliance | N/A | 7 | |
| CPL-03.7 | Evidence Sampling | Compliance | N/A | 7 | |
| CPL-04 | Audit Activities | Compliance | N/A | 5 | |
| CPL-05 | Legal Assessment of Investigative Inquiries | Compliance | N/A | 2 | |
| CPL-05.1 | Investigation Request Notifications | Compliance | N/A | 2 | |
| CPL-05.2 | Investigation Access Restrictions | Compliance | N/A | 2 | |
| CPL-06 | Government Surveillance | Compliance | N/A | 10 | |
| CPL-07 | Grievances | Compliance | N/A | 5 | |
| CPL-07.1 | Grievance Response | Compliance | N/A | 5 | |
| CPL-08 | Localized Representation | Compliance | N/A | 2 | |
| CPL-08.1 | Representative Powers | Compliance | N/A | 2 | |
| CPL-09 | Control Reciprocity | Compliance | N/A | 5 | |
| CPL-10 | Control Inheritance | Compliance | N/A | 5 | |
| CPL-11 | Dual Use Technology | Compliance | N/A | 8 | |
| CPL-11.1 | USML or CCL Identification | Compliance | N/A | 8 | |
| CPL-11.2 | Export-Controlled Access Restrictions | Compliance | N/A | 8 | |
| CPL-11.3 | Export Activities Documentation | Compliance | N/A | 8 | |
| CFG-02.6 | Network Device Configuration File Synchronization | Configuration Management | N/A | 7 | |
| MON-01 | Continuous Monitoring | Continuous Monitoring | N/A | 10 | |
| MON-01.1 | Intrusion Detection & Prevention Systems (IDS & IPS) | Continuous Monitoring | N/A | 9 | |
| MON-01.2 | Automated Tools for Real-Time Analysis | Continuous Monitoring | N/A | 9 | |
| MON-01.3 | Inbound & Outbound Communications Traffic | Continuous Monitoring | N/A | 9 | |
| MON-01.4 | System Generated Alerts | Continuous Monitoring | N/A | 7 | |
| MON-01.5 | Wireless Intrusion Detection System (WIDS) | Continuous Monitoring | N/A | 5 | |
| MON-01.6 | Host-Based Devices | Continuous Monitoring | N/A | 8 | |
| MON-01.7 | File Integrity Monitoring (FIM) | Continuous Monitoring | N/A | 9 | |
| MON-01.8 | Security Event Monitoring | Continuous Monitoring | N/A | 10 | |
| MON-01.9 | Proxy Logging | Continuous Monitoring | N/A | 8 | |
| MON-01.10 | Deactivated Account Activity | Continuous Monitoring | N/A | 9 | |
| MON-01.11 | Automated Response to Suspicious Events | Continuous Monitoring | N/A | 5 | |
| MON-01.12 | Automated Alerts | Continuous Monitoring | N/A | 5 | |
| MON-01.13 | Alert Threshold Tuning | Continuous Monitoring | N/A | 5 | |
| MON-01.14 | Individuals Posing Greater Risk | Continuous Monitoring | N/A | 5 | |
| MON-01.15 | Privileged User Oversight | Continuous Monitoring | N/A | 5 | |
| MON-01.16 | Analyze and Prioritize Monitoring Requirements | Continuous Monitoring | N/A | 5 | |
| MON-01.17 | Real-Time Session Monitoring | Continuous Monitoring | N/A | 4 | |
| MON-02 | Centralized Collection of Security Event Logs | Continuous Monitoring | N/A | 10 | |
| MON-02.1 | Correlate Monitoring Information | Continuous Monitoring | N/A | 9 | |
| MON-02.2 | Central Review & Analysis | Continuous Monitoring | N/A | 5 | |
| MON-02.3 | Integration of Scanning & Other Monitoring Information | Continuous Monitoring | N/A | 5 | |
| MON-02.4 | Correlation with Physical Monitoring | Continuous Monitoring | N/A | 5 | |
| MON-02.5 | Permitted Actions | Continuous Monitoring | N/A | 5 | |
| MON-02.6 | Audit Level Adjustments | Continuous Monitoring | N/A | 5 | |
| MON-02.7 | System-Wide / Time-Correlated Audit Trail | Continuous Monitoring | N/A | 5 | |
| MON-02.8 | Changes by Authorized Individuals | Continuous Monitoring | N/A | 5 | |
| MON-02.9 | Inventory of Technology Asset Event Logging | Continuous Monitoring | N/A | 7 | |
| MON-03 | Content of Event Logs | Continuous Monitoring | N/A | 10 | |
| MON-03.1 | Sensitive Audit Information | Continuous Monitoring | N/A | 8 | |
| MON-03.2 | Audit Trails | Continuous Monitoring | N/A | 10 | |
| MON-03.3 | Privileged Functions Logging | Continuous Monitoring | N/A | 8 | |
| MON-03.4 | Verbosity Logging for Boundary Devices | Continuous Monitoring | N/A | 5 | |
| MON-03.5 | Limit Personal Data (PD) In Audit Records | Continuous Monitoring | N/A | 8 | |
| MON-03.6 | Centralized Management of Planned Audit Record Content | Continuous Monitoring | N/A | 5 | |
| MON-03.7 | Database Logging | Continuous Monitoring | N/A | 8 | |
| MON-04 | Event Log Storage Capacity | Continuous Monitoring | N/A | 8 | |
| MON-05 | Response To Event Log Processing Failures | Continuous Monitoring | N/A | 8 | |
| MON-05.1 | Real-Time Alerts of Event Logging Failure | Continuous Monitoring | N/A | 6 | |
| MON-05.2 | Event Log Storage Capacity Alerting | Continuous Monitoring | N/A | 5 | |
| MON-06 | Monitoring Reporting | Continuous Monitoring | N/A | 7 | |
| MON-06.1 | Query Parameter Audits of Personal Data (PD) | Continuous Monitoring | N/A | 3 | |
| MON-06.2 | Trend Analysis Reporting | Continuous Monitoring | N/A | 5 | |
| MON-07 | Time Stamps | Continuous Monitoring | N/A | 10 | |
| MON-07.1 | Synchronization With Authoritative Time Source | Continuous Monitoring | N/A | 8 | |
| MON-08 | Protection of Event Logs | Continuous Monitoring | N/A | 10 | |
| MON-08.1 | Event Log Backup on Separate Physical Systems / Components | Continuous Monitoring | N/A | 5 | |
| MON-08.2 | Access by Subset of Privileged Users | Continuous Monitoring | N/A | 8 | |
| MON-08.3 | Cryptographic Protection of Event Log Information | Continuous Monitoring | N/A | 5 | |
| MON-08.4 | Dual Authorization for Event Log Movement | Continuous Monitoring | N/A | 5 | |
| MON-09 | Non-Repudiation | Continuous Monitoring | N/A | 8 | |
| MON-09.1 | Identity Binding | Continuous Monitoring | N/A | 4 | |
| MON-10 | Event Log Retention | Continuous Monitoring | N/A | 10 | |
| MON-11 | Monitoring For Information Disclosure | Continuous Monitoring | N/A | 8 | |
| MON-11.1 | Analyze Traffic for Covert Exfiltration | Continuous Monitoring | N/A | 5 | |
| MON-11.2 | Unauthorized Network Services | Continuous Monitoring | N/A | 5 | |
| MON-11.3 | Monitoring for Indicators of Compromise (IOC) | Continuous Monitoring | N/A | 5 | |
| MON-12 | Session Audit | Continuous Monitoring | N/A | 7 | |
| MON-13 | Alternate Event Logging Capability | Continuous Monitoring | N/A | 3 | |
| MON-14 | Cross-Organizational Monitoring | Continuous Monitoring | N/A | 3 | |
| MON-14.1 | Sharing of Event Logs | Continuous Monitoring | N/A | 5 | |
| MON-15 | Covert Channel Analysis | Continuous Monitoring | N/A | 3 | |
| MON-16 | Anomalous Behavior | Continuous Monitoring | N/A | 10 | |
| MON-16.1 | Insider Threats | Continuous Monitoring | N/A | 8 | |
| MON-16.2 | Third-Party Threats | Continuous Monitoring | N/A | 8 | |
| MON-16.3 | Unauthorized Activities | Continuous Monitoring | N/A | 8 | |
| MON-16.4 | Account Creation and Modification Logging | Continuous Monitoring | N/A | 7 | |
| MON-17 | Event Log Analysis & Triage | Continuous Monitoring | N/A | 7 | |
| MON-17.1 | Event Log Review Escalation Matrix | Continuous Monitoring | N/A | 7 | |
| MON-18 | File Activity Monitoring (FAM) | Continuous Monitoring | N/A | 5 | |
| CRY-01 | Use of Cryptographic Controls | Cryptographic Protections | N/A | 10 | |
| CRY-01.1 | Alternate Physical Protection | Cryptographic Protections | N/A | 5 | |
| CRY-01.2 | Export-Controlled Cryptography | Cryptographic Protections | N/A | 5 | |
| CRY-01.3 | Pre/Post Transmission Handling | Cryptographic Protections | N/A | 5 | |
| CRY-01.4 | Conceal / Randomize Communications | Cryptographic Protections | N/A | 5 | |
| CRY-01.5 | Cryptographic Cipher Suites and Protocols Inventory | Cryptographic Protections | N/A | 9 | |
| CRY-02 | Cryptographic Module Authentication | Cryptographic Protections | N/A | 8 | |
| CRY-03 | Transmission Confidentiality | Cryptographic Protections | N/A | 10 | |
| CRY-04 | Transmission Integrity | Cryptographic Protections | N/A | 10 | |
| CRY-05 | Encrypting Data At Rest | Cryptographic Protections | N/A | 10 | |
| CRY-05.1 | Storage Media | Cryptographic Protections | N/A | 8 | |
| CRY-05.2 | Offline Storage | Cryptographic Protections | N/A | 5 | |
| CRY-05.3 | Database Encryption | Cryptographic Protections | N/A | 8 | |
| CRY-06 | Non-Console Administrative Access | Cryptographic Protections | N/A | 9 | |
| CRY-07 | Wireless Access Authentication & Encryption | Cryptographic Protections | N/A | 9 | |
| CRY-08 | Public Key Infrastructure (PKI) | Cryptographic Protections | N/A | 9 | |
| CRY-08.1 | Availability | Cryptographic Protections | N/A | 9 | |
| CRY-09 | Cryptographic Key Management | Cryptographic Protections | N/A | 10 | |
| CRY-09.1 | Symmetric Keys | Cryptographic Protections | N/A | 9 | |
| CRY-09.2 | Asymmetric Keys | Cryptographic Protections | N/A | 9 | |
| CRY-09.3 | Cryptographic Key Loss or Change | Cryptographic Protections | N/A | 8 | |
| CRY-09.4 | Control & Distribution of Cryptographic Keys | Cryptographic Protections | N/A | 9 | |
| CRY-09.5 | Assigned Owners | Cryptographic Protections | N/A | 8 | |
| CRY-09.6 | Third-Party Cryptographic Keys | Cryptographic Protections | N/A | 7 | |
| CRY-09.7 | External System Cryptographic Key Control | Cryptographic Protections | N/A | 5 | |
| CRY-10 | Transmission of Cybersecurity & Data Protection Attributes | Cryptographic Protections | N/A | 5 | |
| CRY-11 | Certificate Authorities | Cryptographic Protections | N/A | 8 | |
| CRY-12 | Certificate Monitoring | Cryptographic Protections | N/A | 5 | |
| CRY-13 | Cryptographic Hash | Cryptographic Protections | N/A | 5 | |
DCH-01
| Data Protection | Data Classification & Handling | N/A | 10 | |
DCH-01.1
| Data Stewardship | Data Classification & Handling | N/A | 10 | |
DCH-01.2
| Sensitive / Regulated Data Protection | Data Classification & Handling | N/A | 9 | |
DCH-01.3
| Sensitive / Regulated Media Records | Data Classification & Handling | N/A | 6 | |
DCH-01.4
| Defining Access Authorizations for Sensitive / Regulated Data | Data Classification & Handling | N/A | 9 | |
DCH-02
| Data & Asset Classification | Data Classification & Handling | N/A | 10 | |
DCH-02.1
| Highest Classification Level | Data Classification & Handling | N/A | 8 | |
DCH-03
| Media Access | Data Classification & Handling | N/A | 8 | |
DCH-03.1
| Disclosure of Information | Data Classification & Handling | N/A | 10 | |
DCH-03.2
| Masking Displayed Data | Data Classification & Handling | N/A | 7 | |
DCH-03.3
| Controlled Release | Data Classification & Handling | N/A | 4 | |
DCH-04
| Media Marking | Data Classification & Handling | N/A | 7 | |
DCH-04.1
| Automated Marking | Data Classification & Handling | N/A | 2 | |
DCH-05
| Cybersecurity & Data Protection Attributes | Data Classification & Handling | N/A | 2 | |
DCH-05.1
| Dynamic Attribute Association | Data Classification & Handling | N/A | 2 | |
DCH-05.2
| Attribute Value Changes By Authorized Individuals | Data Classification & Handling | N/A | 8 | |
DCH-05.3
| Maintenance of Attribute Associations By System | Data Classification & Handling | N/A | 2 | |
DCH-05.4
| Association of Attributes By Authorized Individuals | Data Classification & Handling | N/A | 2 | |
DCH-05.5
| Attribute Displays for Output Devices | Data Classification & Handling | N/A | 8 | |
DCH-05.6
| Data Subject Attribute Associations | Data Classification & Handling | N/A | 2 | |
DCH-05.7
| Consistent Attribute Interpretation | Data Classification & Handling | N/A | 2 | |
DCH-05.8
| Identity Association Techniques & Technologies | Data Classification & Handling | N/A | 2 | |
DCH-05.9
| Attribute Reassignment | Data Classification & Handling | N/A | 7 | |
DCH-05.10
| Attribute Configuration By Authorized Individuals | Data Classification & Handling | N/A | 8 | |
DCH-05.11
| Audit Changes | Data Classification & Handling | N/A | 7 | |
DCH-06
| Media Storage | Data Classification & Handling | N/A | 8 | |
DCH-06.1
| Physically Secure All Media | Data Classification & Handling | N/A | 9 | |
DCH-06.2
| Sensitive Data Inventories | Data Classification & Handling | N/A | 9 | |
DCH-06.3
| Periodic Scans for Sensitive / Regulated Data | Data Classification & Handling | N/A | 7 | |
DCH-06.4
| Making Sensitive Data Unreadable In Storage | Data Classification & Handling | N/A | 9 | |
DCH-06.5
| Storing Authentication Data | Data Classification & Handling | N/A | 5 | |
DCH-07
| Media Transportation | Data Classification & Handling | N/A | 9 | |
DCH-07.1
| Custodians | Data Classification & Handling | N/A | 9 | |
DCH-07.2
| Encrypting Data In Storage Media | Data Classification & Handling | N/A | 5 | |
DCH-08
| Physical Media Disposal | Data Classification & Handling | N/A | 10 | |
DCH-09
| System Media Sanitization | Data Classification & Handling | N/A | 10 | |
DCH-09.1
| System Media Sanitization Documentation | Data Classification & Handling | N/A | 7 | |
DCH-09.2
| Equipment Testing | Data Classification & Handling | N/A | 5 | |
DCH-09.3
| Sanitization of Personal Data (PD) | Data Classification & Handling | N/A | 9 | |
DCH-09.4
| First Time Use Sanitization | Data Classification & Handling | N/A | 5 | |
DCH-09.5
| Dual Authorization for Sensitive Data Destruction | Data Classification & Handling | N/A | 5 | |
DCH-10
| Media Use | Data Classification & Handling | N/A | 8 | |
DCH-10.1
| Limitations on Use | Data Classification & Handling | N/A | 10 | |
DCH-10.2
| Prohibit Use Without Owner | Data Classification & Handling | N/A | 5 | |
DCH-11
| Data Reclassification | Data Classification & Handling | N/A | 8 | |
DCH-12
| Removable Media Security | Data Classification & Handling | N/A | 10 | |
DCH-13
| Use of External Technology Assets, Applications and/or Services (TAAS) | Data Classification & Handling | N/A | 9 | |
DCH-13.1
| Limits of Authorized Use | Data Classification & Handling | N/A | 8 | |
DCH-13.2
| Portable Storage Devices | Data Classification & Handling | N/A | 9 | |
DCH-13.3
| Protecting Sensitive / Regulated Data on External Technology Assets, Applications and/or Services (TAAS) | Data Classification & Handling | N/A | 10 | |
DCH-13.4
| Non-Organizationally Owned Technology Assets, Applications and/or Services (TAAS) | Data Classification & Handling | N/A | 5 | |
DCH-14
| Information Sharing | Data Classification & Handling | N/A | 9 | |
DCH-14.1
| Information Search & Retrieval | Data Classification & Handling | N/A | 5 | |
DCH-14.2
| Transfer Authorizations | Data Classification & Handling | N/A | 8 | |
DCH-14.3
| Data Access Mapping | Data Classification & Handling | N/A | 9 | |
DCH-15
| Publicly Accessible Content | Data Classification & Handling | N/A | 10 | |
DCH-16
| Data Mining Protection | Data Classification & Handling | N/A | 7 | |
DCH-17
| Ad-Hoc Transfers | Data Classification & Handling | N/A | 8 | |
DCH-18
| Media & Data Retention | Data Classification & Handling | N/A | 8 | |
DCH-18.1
| Minimize Sensitive / Regulated Data | Data Classification & Handling | N/A | 8 | |
DCH-18.2
| Limit Sensitive / Regulated Data In Testing, Training & Research | Data Classification & Handling | N/A | 8 | |
| DCH-18.3 | Temporary Files Containing Personal Data (PD) | Data Classification & Handling | N/A | 5 | |
| DCH-19 | Geographic Location of Data | Data Classification & Handling | N/A | 9 | |
| DCH-20 | Archived Data Sets | Data Classification & Handling | N/A | 8 | |
| DCH-21 | Information Disposal | Data Classification & Handling | N/A | 10 | |
| DCH-22 | Data Quality Operations | Data Classification & Handling | N/A | 5 | |
| DCH-22.1 | Updating & Correcting Personal Data (PD) | Data Classification & Handling | N/A | 6 | |
| DCH-22.2 | Data Tags | Data Classification & Handling | N/A | 3 | |
| DCH-22.3 | Primary Source Personal Data (PD) Collection | Data Classification & Handling | N/A | 8 | |
| DCH-23 | De-Identification (Anonymization) | Data Classification & Handling | N/A | 8 | |
| DCH-23.1 | De-Identify Dataset Upon Collection | Data Classification & Handling | N/A | 8 | |
| DCH-23.2 | Archiving | Data Classification & Handling | N/A | 8 | |
| DCH-23.3 | Release | Data Classification & Handling | N/A | 8 | |
| DCH-23.4 | Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers | Data Classification & Handling | N/A | 8 | |
| DCH-23.5 | Statistical Disclosure Control | Data Classification & Handling | N/A | 1 | |
| DCH-23.6 | Differential Data Privacy | Data Classification & Handling | N/A | 1 | |
| DCH-23.7 | Automated De-Identification of Sensitive Data | Data Classification & Handling | N/A | 1 | |
| DCH-23.8 | Motivated Intruder | Data Classification & Handling | N/A | 3 | |
| DCH-23.9 | Code Names | Data Classification & Handling | N/A | 1 | |
| DCH-24 | Information Location | Data Classification & Handling | N/A | 10 | |
| DCH-24.1 | Automated Tools to Support Information Location | Data Classification & Handling | N/A | 6 | |
| DCH-25 | Transfer of Sensitive and/or Regulated Data | Data Classification & Handling | N/A | 10 | |
| DCH-25.1 | Transfer Activity Limits | Data Classification & Handling | N/A | 7 | |
| DCH-26 | Data Localization | Data Classification & Handling | N/A | 10 | |
| DCH-27 | Data Rights Management (DRM) | Data Classification & Handling | N/A | 6 | |
| END-03.2 | Governing Access Restriction for Change | Endpoint Security | N/A | 8 | |
| HRS-01 | Human Resources Security Management | Human Resources Security | N/A | 10 | |
| HRS-01.1 | Onboarding, Transferring & Offboarding Personnel | Human Resources Security | N/A | 9 | |
| HRS-02 | Position Categorization | Human Resources Security | N/A | 8 | |
| HRS-02.1 | Users With Elevated Privileges | Human Resources Security | N/A | 10 | |
| HRS-02.2 | Probationary Periods | Human Resources Security | N/A | 1 | |
| HRS-03 | Defined Roles & Responsibilities | Human Resources Security | N/A | 10 | |
| HRS-03.1 | User Awareness | Human Resources Security | N/A | 9 | |
| HRS-03.2 | Competency Requirements for Security-Related Positions | Human Resources Security | N/A | 9 | |
| HRS-04 | Personnel Screening | Human Resources Security | N/A | 10 | |
| HRS-04.1 | Roles With Special Protection Measures | Human Resources Security | N/A | 9 | |
| HRS-04.2 | Formal Indoctrination | Human Resources Security | N/A | 7 | |
| HRS-04.3 | Citizenship Requirements | Human Resources Security | N/A | 5 | |
| HRS-04.4 | Citizenship Identification | Human Resources Security | N/A | 3 | |
| HRS-05 | Terms of Employment | Human Resources Security | N/A | 10 | |
| HRS-05.1 | Rules of Behavior | Human Resources Security | N/A | 10 | |
| HRS-05.2 | Social Media & Social Networking Restrictions | Human Resources Security | N/A | 9 | |
| HRS-05.3 | Technology Use Restrictions | Human Resources Security | N/A | 10 | |
| HRS-05.4 | Use of Critical Technologies | Human Resources Security | N/A | 9 | |
| HRS-05.5 | Use of Mobile Devices | Human Resources Security | N/A | 9 | |
| HRS-05.6 | Security-Minded Dress Code | Human Resources Security | N/A | 1 | |
| HRS-05.7 | Policy Familiarization & Acknowledgement | Human Resources Security | N/A | 8 | |
| HRS-06 | Access Agreements | Human Resources Security | N/A | 10 | |
| HRS-06.1 | Confidentiality Agreements | Human Resources Security | N/A | 10 | |
| HRS-06.2 | Post-Employment Requirements Awareness | Human Resources Security | N/A | 5 | |
| HRS-07 | Personnel Sanctions | Human Resources Security | N/A | 9 | |
| HRS-07.1 | Workplace Investigations | Human Resources Security | N/A | 8 | |
| HRS-07.2 | Updating Disciplinary Processes | Human Resources Security | N/A | 3 | |
| HRS-07.3 | Preventative Access Restriction | Human Resources Security | N/A | 5 | |
| HRS-08 | Personnel Transfer | Human Resources Security | N/A | 9 | |
| HRS-09 | Personnel Termination | Human Resources Security | N/A | 9 | |
| HRS-09.1 | Asset Collection | Human Resources Security | N/A | 9 | |
| HRS-09.2 | High-Risk Terminations | Human Resources Security | N/A | 9 | |
| HRS-09.3 | Post-Employment Requirements Notification | Human Resources Security | N/A | 8 | |
| HRS-09.4 | Automated Employment Status Notifications | Human Resources Security | N/A | 5 | |
| HRS-10 | Third-Party Personnel Security | Human Resources Security | N/A | 10 | |
| HRS-11 | Separation of Duties (SoD) | Human Resources Security | N/A | 7 | |
| HRS-12 | Incompatible Roles | Human Resources Security | N/A | 8 | |
| HRS-12.1 | Two-Person Rule | Human Resources Security | N/A | 7 | |
| HRS-13 | Identify Critical Skills & Gaps | Human Resources Security | N/A | 5 | |
| HRS-13.1 | Remediate Identified Skills Deficiencies | Human Resources Security | N/A | 5 | |
| HRS-13.2 | Identify Vital Cybersecurity & Data Privacy Staff | Human Resources Security | N/A | 5 | |
| HRS-13.3 | Establish Redundancy for Vital Cybersecurity & Data Privacy Staff | Human Resources Security | N/A | 5 | |
| HRS-13.4 | Perform Succession Planning | Human Resources Security | N/A | 5 | |
| HRS-14 | Identifying Authorized Work Locations | Human Resources Security | N/A | 8 | |
| HRS-14.1 | Communicating Authorized Work Locations | Human Resources Security | N/A | 8 | |
| HRS-15 | Reporting Suspicious Activities | Human Resources Security | N/A | 7 | |
| IAC-01 | Identity & Access Management (IAM) | Identification & Authentication | N/A | 10 | |
| IAC-01.1 | Retain Access Records | Identification & Authentication | N/A | 3 | |
| IAC-01.2 | Authenticate, Authorize and Audit (AAA) | Identification & Authentication | N/A | 9 | |
| IAC-01.3 | User & Service Account Inventories | Identification & Authentication | N/A | 10 | |
| IAC-02 | Identification & Authentication for Organizational Users | Identification & Authentication | N/A | 9 | |
| IAC-02.1 | Group Authentication | Identification & Authentication | N/A | 7 | |
| IAC-02.2 | Replay-Resistant Authentication | Identification & Authentication | N/A | 9 | |
| IAC-02.3 | Acceptance of PIV Credentials | Identification & Authentication | N/A | 2 | |
| IAC-02.4 | Out-of-Band Authentication (OOBA) | Identification & Authentication | N/A | 5 | |
| IAC-03 | Identification & Authentication for Non-Organizational Users | Identification & Authentication | N/A | 9 | |
| IAC-03.1 | Acceptance of PIV Credentials from Other Organizations | Identification & Authentication | N/A | 2 | |
| IAC-03.2 | Acceptance of Third-Party Credentials | Identification & Authentication | N/A | 2 | |
| IAC-03.3 | Use of FICAM-Issued Profiles | Identification & Authentication | N/A | 2 | |
| IAC-03.4 | Disassociability | Identification & Authentication | N/A | 2 | |
| IAC-03.5 | Acceptance of External Authenticators | Identification & Authentication | N/A | 4 | |
| IAC-04 | Identification & Authentication for Devices | Identification & Authentication | N/A | 9 | |
| IAC-04.1 | Device Attestation | Identification & Authentication | N/A | 5 | |
| IAC-04.2 | Device Authorization Enforcement | Identification & Authentication | N/A | 5 | |
| IAC-05 | Identification & Authentication for Third-Party Technology Assets, Applications and/or Services (TAAS) | Identification & Authentication | N/A | 9 | |
| IAC-05.1 | Sharing Identification & Authentication Information | Identification & Authentication | N/A | 5 | |
| IAC-05.2 | Privileged Access by Non-Organizational Users | Identification & Authentication | N/A | 9 | |
| IAC-06 | Multi-Factor Authentication (MFA) | Identification & Authentication | N/A | 9 | |
| IAC-06.1 | Network Access to Privileged Accounts | Identification & Authentication | N/A | 9 | |
| IAC-06.2 | Network Access to Non-Privileged Accounts | Identification & Authentication | N/A | 7 | |
| IAC-06.3 | Local Access to Privileged Accounts | Identification & Authentication | N/A | 5 | |
| IAC-06.4 | Out-of-Band Multi-Factor Authentication | Identification & Authentication | N/A | 5 | |
| IAC-06.5 | Alternative Multi-Factor Authentication | Identification & Authentication | N/A | 5 | |
| IAC-07 | User Provisioning & De-Provisioning | Identification & Authentication | N/A | 10 | |
| IAC-07.1 | Change of Roles & Duties | Identification & Authentication | N/A | 10 | |
| IAC-07.2 | Termination of Employment | Identification & Authentication | N/A | 10 | |
| IAC-08 | Role-Based Access Control (RBAC) | Identification & Authentication | N/A | 9 | |
| IAC-09 | Identifier Management (User Names) | Identification & Authentication | N/A | 9 | |
| IAC-09.1 | User Identity (ID) Management | Identification & Authentication | N/A | 9 | |
| IAC-09.2 | Identity User Status | Identification & Authentication | N/A | 7 | |
| IAC-09.3 | Dynamic Management | Identification & Authentication | N/A | 5 | |
| IAC-09.4 | Cross-Organization Management | Identification & Authentication | N/A | 5 | |
| IAC-09.5 | Privileged Account Identifiers | Identification & Authentication | N/A | 9 | |
| IAC-09.6 | Pairwise Pseudonymous Identifiers (PPID) | Identification & Authentication | N/A | 1 | |
| IAC-10 | Authenticator Management | Identification & Authentication | N/A | 10 | |
| IAC-10.1 | Password-Based Authentication | Identification & Authentication | N/A | 9 | |
| IAC-10.2 | PKI-Based Authentication | Identification & Authentication | N/A | 9 | |
| IAC-10.3 | In-Person or Trusted Third-Party Registration | Identification & Authentication | N/A | 9 | |
| IAC-10.4 | Automated Support For Password Strength | Identification & Authentication | N/A | 5 | |
| IAC-10.5 | Protection of Authenticators | Identification & Authentication | N/A | 10 | |
| IAC-10.6 | No Embedded Unencrypted Static Authenticators | Identification & Authentication | N/A | 10 | |
| IAC-10.7 | Hardware Token-Based Authentication | Identification & Authentication | N/A | 9 | |
| IAC-10.8 | Default Authenticators | Identification & Authentication | N/A | 10 | |
| IAC-10.9 | Multiple System Accounts | Identification & Authentication | N/A | 5 | |
| IAC-10.10 | Expiration of Cached Authenticators | Identification & Authentication | N/A | 5 | |
| IAC-10.11 | Password Managers | Identification & Authentication | N/A | 8 | |
| IAC-10.12 | Biometric Authentication | Identification & Authentication | N/A | 5 | |
| IAC-10.13 | Events Requiring Authenticator Change | Identification & Authentication | N/A | 9 | |
| IAC-10.14 | Passkeys | Identification & Authentication | N/A | 8 | |
| IAC-11 | Authenticator Feedback | Identification & Authentication | N/A | 6 | |
| IAC-12 | Cryptographic Module Authentication | Identification & Authentication | N/A | 8 | |
| IAC-12.1 | Hardware Security Modules (HSM) | Identification & Authentication | N/A | 3 | |
| IAC-13 | Adaptive Identification & Authentication | Identification & Authentication | N/A | 5 | |
| IAC-13.1 | Single Sign-On (SSO) Transparent Authentication | Identification & Authentication | N/A | 5 | |
| IAC-13.2 | Federated Credential Management | Identification & Authentication | N/A | 4 | |
| IAC-13.3 | Continuous Authentication | Identification & Authentication | N/A | 2 | |
| IAC-14 | Re-Authentication | Identification & Authentication | N/A | 8 | |
| IAC-15 | Account Management | Identification & Authentication | N/A | 10 | |
| IAC-15.1 | Automated System Account Management (Directory Services) | Identification & Authentication | N/A | 5 | |
| IAC-15.2 | Removal of Temporary / Emergency Accounts | Identification & Authentication | N/A | 9 | |
| IAC-15.3 | Disable Inactive Accounts | Identification & Authentication | N/A | 10 | |
| IAC-15.4 | Automated Audit Actions | Identification & Authentication | N/A | 5 | |
| IAC-15.5 | Restrictions on Shared Groups / Accounts | Identification & Authentication | N/A | 10 | |
| IAC-15.6 | Account Disabling for High Risk Individuals | Identification & Authentication | N/A | 10 | |
| IAC-15.7 | System Account Reviews | Identification & Authentication | N/A | 10 | |
| IAC-15.8 | Usage Conditions | Identification & Authentication | N/A | 5 | |
| IAC-15.9 | Emergency Accounts | Identification & Authentication | N/A | 5 | |
| IAC-16 | Privileged Account Management (PAM) | Identification & Authentication | N/A | 10 | |
| IAC-16.1 | Privileged Account Inventories | Identification & Authentication | N/A | 10 | |
| IAC-16.2 | Privileged Account Separation | Identification & Authentication | N/A | 4 | |
| IAC-16.3 | Privileged Command Execution | Identification & Authentication | N/A | 5 | |
| IAC-16.4 | Dedicated Privileged Account | Identification & Authentication | N/A | 7 | |
| IAC-17 | Periodic Review of Account Privileges | Identification & Authentication | N/A | 10 | |
| IAC-18 | User Responsibilities for Account Management | Identification & Authentication | N/A | 10 | |
| IAC-19 | Credential Sharing | Identification & Authentication | N/A | 10 | |
| IAC-20 | Access Enforcement | Identification & Authentication | N/A | 10 | |
| IAC-20.1 | Access To Sensitive / Regulated Data | Identification & Authentication | N/A | 10 | |
| IAC-20.2 | Database Access | Identification & Authentication | N/A | 10 | |
| IAC-20.3 | Use of Privileged Utility Programs | Identification & Authentication | N/A | 9 | |
| IAC-20.4 | Dedicated Administrative Machines | Identification & Authentication | N/A | 8 | |
| IAC-20.5 | Dual Authorization for Privileged Commands | Identification & Authentication | N/A | 5 | |
| IAC-20.6 | Revocation of Access Authorizations | Identification & Authentication | N/A | 9 | |
| IAC-20.7 | Authorized System Accounts | Identification & Authentication | N/A | 9 | |
| IAC-21 | Least Privilege | Identification & Authentication | N/A | 10 | |
| IAC-21.1 | Authorize Access to Security Functions | Identification & Authentication | N/A | 9 | |
| IAC-21.2 | Non-Privileged Access for Non-Security Functions | Identification & Authentication | N/A | 9 | |
| IAC-21.3 | Management Approval For Privileged Accounts | Identification & Authentication | N/A | 10 | |
| IAC-21.4 | Auditing Use of Privileged Functions | Identification & Authentication | N/A | 9 | |
| IAC-21.5 | Prohibit Non-Privileged Users from Executing Privileged Functions | Identification & Authentication | N/A | 9 | |
| IAC-21.6 | Network Access to Privileged Commands | Identification & Authentication | N/A | 5 | |
| IAC-21.7 | Privilege Levels for Code Execution | Identification & Authentication | N/A | 5 | |
| IAC-22 | Account Lockout | Identification & Authentication | N/A | 9 | |
| IAC-23 | Concurrent Session Control | Identification & Authentication | N/A | 6 | |
| IAC-24 | Session Lock | Identification & Authentication | N/A | 9 | |
| IAC-24.1 | Pattern-Hiding Displays | Identification & Authentication | N/A | 9 | |
| IAC-25 | Session Termination | Identification & Authentication | N/A | 9 | |
| IAC-25.1 | User-Initiated Logouts / Message Displays | Identification & Authentication | N/A | 5 | |
| IAC-26 | Permitted Actions Without Identification or Authorization | Identification & Authentication | N/A | 8 | |
| IAC-27 | Reference Monitor | Identification & Authentication | N/A | 1 | |
| IAC-28 | Identity Proofing (Identity Verification) | Identification & Authentication | N/A | 10 | |
| IAC-28.1 | Management Approval For New or Changed Accounts | Identification & Authentication | N/A | 10 | |
| IAC-28.2 | Identity Evidence | Identification & Authentication | N/A | 5 | |
| IAC-28.3 | Identity Evidence Validation & Verification | Identification & Authentication | N/A | 5 | |
| IAC-28.4 | In-Person Validation & Verification | Identification & Authentication | N/A | 5 | |
| IAC-28.5 | Address Confirmation | Identification & Authentication | N/A | 1 | |
| IAC-29 | Attribute-Based Access Control (ABAC) | Identification & Authentication | N/A | 5 | |
| IAC-29.1 | Real-Time Access Decisions | Identification & Authentication | N/A | 3 | |
| IAC-29.2 | Access Profile Rules | Identification & Authentication | N/A | 5 | |
| IRO-01 | Incident Response Operations | Incident Response | N/A | 9 | |
| IRO-02 | Incident Handling | Incident Response | N/A | 10 | |
| IRO-02.1 | Automated Incident Handling Processes | Incident Response | N/A | 1 | |
| IRO-02.2 | Insider Threat Response Capability | Incident Response | N/A | 5 | |
| IRO-02.3 | Dynamic Reconfiguration | Incident Response | N/A | 5 | |
| IRO-02.4 | Incident Classification & Prioritization | Incident Response | N/A | 5 | |
| IRO-02.5 | Correlation with External Organizations | Incident Response | N/A | 5 | |
| IRO-02.6 | Automatic Disabling of Technology Assets, Applications and/or Services (TAAS) | Incident Response | N/A | 6 | |
| IRO-03 | Indicators of Compromise (IOC) | Incident Response | N/A | 8 | |
| IRO-04 | Incident Response Plan (IRP) | Incident Response | N/A | 9 | |
| IRO-04.1 | Data Breach | Incident Response | N/A | 8 | |
| IRO-04.2 | IRP Update | Incident Response | N/A | 8 | |
| IRO-04.3 | Continuous Incident Response Improvements | Incident Response | N/A | 3 | |
| IRO-05 | Incident Response Training | Incident Response | N/A | 9 | |
| IRO-05.1 | Simulated Incidents | Incident Response | N/A | 5 | |
| IRO-05.2 | Automated Incident Response Training Environments | Incident Response | N/A | 5 | |
| IRO-06 | Incident Response Testing | Incident Response | N/A | 9 | |
| IRO-06.1 | Coordination with Related Plans | Incident Response | N/A | 7 | |
| IRO-07 | Integrated Security Incident Response Team (ISIRT) | Incident Response | N/A | 9 | |
| IRO-08 | Chain of Custody & Forensics | Incident Response | N/A | 9 | |
| IRO-09 | Situational Awareness For Incidents | Incident Response | N/A | 8 | |
| IRO-09.1 | Automated Tracking, Data Collection & Analysis | Incident Response | N/A | 1 | |
| IRO-09.2 | Recurring Incident Analysis | Incident Response | N/A | 5 | |
| IRO-10 | Incident Stakeholder Reporting | Incident Response | N/A | 9 | |
| IRO-10.1 | Automated Reporting | Incident Response | N/A | 9 | |
| IRO-10.2 | Cyber Incident Reporting for Sensitive / Regulated Data | Incident Response | N/A | 9 | |
| IRO-10.3 | Vulnerabilities Related To Incidents | Incident Response | N/A | 8 | |
| IRO-10.4 | Supply Chain Coordination | Incident Response | N/A | 7 | |
| IRO-10.5 | Serious Incident Reporting | Incident Response | N/A | 5 | |
| IRO-11 | Incident Reporting Assistance | Incident Response | N/A | 5 | |
| IRO-11.1 | Automation Support of Availability of Information / Support | Incident Response | N/A | 1 | |
| IRO-11.2 | Coordination With External Providers | Incident Response | N/A | 5 | |
| IRO-12 | Sensitive / Regulated Data Spill Response | Incident Response | N/A | 8 | |
| IRO-12.1 | Sensitive / Regulated Data Spill Responsible Personnel | Incident Response | N/A | 8 | |
| IRO-12.2 | Sensitive / Regulated Data Spill Training | Incident Response | N/A | 8 | |
| IRO-12.3 | Post-Sensitive / Regulated Data Spill Operations | Incident Response | N/A | 8 | |
| IRO-12.4 | Sensitive / Regulated Data Exposure to Unauthorized Personnel | Incident Response | N/A | 8 | |
| IRO-13 | Root Cause Analysis (RCA) & Lessons Learned | Incident Response | N/A | 8 | |
| IRO-14 | Regulatory & Law Enforcement Contacts | Incident Response | N/A | 9 | |
| IRO-15 | Detonation Chambers (Sandboxes) | Incident Response | N/A | 5 | |
| IRO-16 | Public Relations & Reputation Repair | Incident Response | N/A | 6 | |
| IAO-01 | Information Assurance (IA) Operations | Information Assurance | N/A | 10 | |
| IAO-01.1 | Assessment Boundaries | Information Assurance | N/A | 9 | |
| IAO-02 | Assessments | Information Assurance | N/A | 10 | |
| IAO-02.1 | Assessor Independence | Information Assurance | N/A | 9 | |
| IAO-02.2 | Specialized Assessments | Information Assurance | N/A | 9 | |
| IAO-02.3 | Third-Party Assessments | Information Assurance | N/A | 9 | |
| IAO-02.4 | Security Assessment Report (SAR) | Information Assurance | N/A | 7 | |
| IAO-03 | System Security & Privacy Plan (SSPP) | Information Assurance | N/A | 7 | |
| IAO-03.1 | Plan / Coordinate with Other Organizational Entities | Information Assurance | N/A | 5 | |
| IAO-03.2 | Adequate Security for Sensitive / Regulated Data In Support of Contracts | Information Assurance | N/A | 7 | |
| IAO-04 | Threat Analysis & Flaw Remediation During Development | Information Assurance | N/A | 10 | |
| IAO-05 | Plan of Action & Milestones (POA&M) | Information Assurance | N/A | 9 | |
| IAO-05.1 | Plan of Action & Milestones (POA&M) Automation | Information Assurance | N/A | 2 | |
| IAO-06 | Technical Verification | Information Assurance | N/A | 8 | |
| IAO-07 | Security Authorization | Information Assurance | N/A | 10 | |
| NET-01 | Network Security Controls (NSC) | Network Security | N/A | 10 | |
| NET-01.1 | Zero Trust Architecture (ZTA) | Network Security | N/A | 8 | |
| NET-02 | Layered Network Defenses | Network Security | N/A | 9 | |
| NET-02.1 | Denial of Service (DoS) Protection | Network Security | N/A | 9 | |
| NET-02.2 | Guest Networks | Network Security | N/A | 6 | |
| NET-02.3 | Cross Domain Solution (CDS) | Network Security | N/A | 6 | |
| NET-03 | Boundary Protection | Network Security | N/A | 10 | |
| NET-03.1 | Limit Network Connections | Network Security | N/A | 9 | |
| NET-03.2 | External Telecommunications Services | Network Security | N/A | 7 | |
| NET-03.3 | Prevent Discovery of Internal Information | Network Security | N/A | 7 | |
| NET-03.4 | Personal Data (PD) | Network Security | N/A | 7 | |
| NET-03.5 | Prevent Unauthorized Exfiltration | Network Security | N/A | 5 | |
| NET-03.6 | Dynamic Isolation & Segregation (Sandboxing) | Network Security | N/A | 5 | |
| NET-03.7 | Isolation of System Components | Network Security | N/A | 5 | |
| NET-03.8 | Separate Subnet for Connecting to Different Security Domains | Network Security | N/A | 5 | |
| NET-04 | Data Flow Enforcement – Access Control Lists (ACLs) | Network Security | N/A | 10 | |
| NET-04.1 | Deny Traffic by Default & Allow Traffic by Exception | Network Security | N/A | 10 | |
| NET-04.2 | Object Security Attributes | Network Security | N/A | 5 | |
| NET-04.3 | Content Check for Encrypted Data | Network Security | N/A | 4 | |
| NET-04.4 | Embedded Data Types | Network Security | N/A | 2 | |
| NET-04.5 | Metadata | Network Security | N/A | 2 | |
| NET-04.6 | Human Reviews | Network Security | N/A | 9 | |
| NET-04.7 | Policy Decision Point (PDP) | Network Security | N/A | 5 | |
| NET-04.8 | Data Type Identifiers | Network Security | N/A | 5 | |
| NET-04.9 | Decomposition Into Policy-Related Subcomponents | Network Security | N/A | 5 | |
| NET-04.10 | Detection of Unsanctioned Information | Network Security | N/A | 5 | |
| NET-04.11 | Approved Solutions | Network Security | N/A | 5 | |
| NET-04.12 | Cross Domain Authentication | Network Security | N/A | 5 | |
| NET-04.13 | Metadata Validation | Network Security | N/A | 2 | |
| NET-04.14 | Application Proxy | Network Security | N/A | 7 | |
| NET-05 | Interconnection Security Agreements (ISAs) | Network Security | N/A | 9 | |
| NET-05.1 | External System Connections | Network Security | N/A | 8 | |
| NET-05.2 | Internal System Connections | Network Security | N/A | 7 | |
| NET-06 | Network Segmentation (macrosegmentation) | Network Security | N/A | 10 | |
| NET-06.1 | Security Management Subnets | Network Security | N/A | 9 | |
| NET-06.2 | Virtual Local Area Network (VLAN) Separation | Network Security | N/A | 9 | |
| NET-06.3 | Sensitive / Regulated Data Enclave (Secure Zone) | Network Security | N/A | 10 | |
| NET-06.4 | Segregation From Enterprise Services | Network Security | N/A | 4 | |
| NET-06.5 | Direct Internet Access Restrictions | Network Security | N/A | 6 | |
| NET-06.6 | Microsegmentation | Network Security | N/A | 2 | |
| NET-06.7 | Software Defined Networking (SDN) | Network Security | N/A | 5 | |
| NET-07 | Network Connection Termination | Network Security | N/A | 8 | |
| NET-08 | Network Intrusion Detection / Prevention Systems (NIDS / NIPS) | Network Security | N/A | 9 | |
| NET-08.1 | DMZ Networks | Network Security | N/A | 8 | |
| NET-08.2 | Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS) | Network Security | N/A | 8 | |
| NET-08.3 | Host Containment | Network Security | N/A | 3 | |
| NET-08.4 | Resource Containment | Network Security | N/A | 3 | |
| NET-09 | Session Integrity | Network Security | N/A | 8 | |
| NET-09.1 | Invalidate Session Identifiers at Logout | Network Security | N/A | 5 | |
| NET-09.2 | Unique System-Generated Session Identifiers | Network Security | N/A | 3 | |
| NET-10 | Domain Name Service (DNS) Resolution | Network Security | N/A | 10 | |
| NET-10.1 | Architecture & Provisioning for Name / Address Resolution Service | Network Security | N/A | 9 | |
| NET-10.2 | Secure Name / Address Resolution Service (Recursive or Caching Resolver) | Network Security | N/A | 9 | |
| NET-10.3 | Sender Policy Framework (SPF) | Network Security | N/A | 8 | |
| NET-10.4 | Domain Registrar Security | Network Security | N/A | 9 | |
| NET-11 | Out-of-Band Channels | Network Security | N/A | 9 | |
| NET-12 | Safeguarding Data Over Open Networks | Network Security | N/A | 8 | |
| NET-12.1 | Wireless Link Protection | Network Security | N/A | 8 | |
| NET-12.2 | End-User Messaging Technologies | Network Security | N/A | 9 | |
| NET-13 | Electronic Messaging | Network Security | N/A | 10 | |
| NET-14 | Remote Access | Network Security | N/A | 10 | |
| NET-14.1 | Automated Monitoring & Control | Network Security | N/A | 1 | |
| NET-14.2 | Protection of Confidentiality / Integrity Using Encryption | Network Security | N/A | 9 | |
| NET-14.3 | Managed Access Control Points | Network Security | N/A | 9 | |
| NET-14.4 | Remote Privileged Commands & Sensitive Data Access | Network Security | N/A | 8 | |
| NET-14.5 | Work From Anywhere (WFA) - Telecommuting Security | Network Security | N/A | 10 | |
| NET-14.6 | Third-Party Remote Access Governance | Network Security | N/A | 8 | |
| NET-14.7 | Endpoint Security Validation | Network Security | N/A | 6 | |
| NET-14.8 | Expeditious Disconnect / Disable Capability | Network Security | N/A | 8 | |
| NET-15 | Wireless Networking | Network Security | N/A | 9 | |
| NET-15.1 | Authentication & Encryption | Network Security | N/A | 9 | |
| NET-15.2 | Disable Wireless Networking | Network Security | N/A | 5 | |
| NET-15.3 | Restrict Configuration By Users | Network Security | N/A | 8 | |
| NET-15.4 | Wireless Boundaries | Network Security | N/A | 5 | |
| NET-15.5 | Rogue Wireless Detection | Network Security | N/A | 8 | |
| NET-16 | Intranets | Network Security | N/A | 8 | |
| NET-17 | Data Loss Prevention (DLP) | Network Security | N/A | 8 | |
| NET-18 | DNS & Content Filtering | Network Security | N/A | 9 | |
| NET-18.1 | Route Internal Traffic to Proxy Servers | Network Security | N/A | 9 | |
| NET-18.2 | Visibility of Encrypted Communications | Network Security | N/A | 5 | |
| NET-18.3 | Route Privileged Network Access | Network Security | N/A | 1 | |
| NET-18.4 | Protocol Compliance Enforcement | Network Security | N/A | 5 | |
| NET-18.5 | Domain Name Verification | Network Security | N/A | 8 | |
| NET-18.6 | Internet Address Denylisting | Network Security | N/A | 8 | |
| NET-18.7 | Bandwidth Control | Network Security | N/A | 2 | |
| NET-18.8 | Authenticated Proxy | Network Security | N/A | 3 | |
| NET-18.9 | Certificate Denylisting | Network Security | N/A | 7 | |
| NET-19 | Content Disarm and Reconstruction (CDR) | Network Security | N/A | 6 | |
| NET-20 | Email Content Protections | Network Security | N/A | 10 | |
| NET-20.1 | Email Domain Reputation Protections | Network Security | N/A | 1 | |
| NET-20.2 | Sender Denylisting | Network Security | N/A | 7 | |
| NET-20.3 | Authenticated Received Chain (ARC) | Network Security | N/A | 2 | |
| NET-20.4 | Domain-Based Message Authentication Reporting and Conformance (DMARC) | Network Security | N/A | 3 | |
| NET-20.5 | User Digital Signatures for Outgoing Email | Network Security | N/A | 6 | |
| NET-20.6 | Encryption for Outgoing Email | Network Security | N/A | 6 | |
| NET-20.7 | Adaptive Email Protections | Network Security | N/A | 1 | |
| NET-20.8 | Email Labeling | Network Security | N/A | 5 | |
| NET-20.9 | User Threat Reporting | Network Security | N/A | 1 | |
| PES-04.2 | Searches | Physical & Environmental Security | N/A | 1 | |
| PES-05 | Monitoring Physical Access | Physical & Environmental Security | N/A | 7 | |
| PES-05.2 | Monitoring Physical Access To Critical Systems | Physical & Environmental Security | N/A | 5 | |
| PES-09.1 | Monitoring with Alarms / Notifications | Physical & Environmental Security | N/A | 8 | |
| PRI-01 | Data Privacy Program | Data Privacy | N/A | 10 | |
| PRI-01.1 | Chief Privacy Officer (CPO) | Data Privacy | N/A | 3 | |
| PRI-01.2 | Privacy Act Statements | Data Privacy | N/A | 2 | |
| PRI-01.3 | Dissemination of Data Privacy Program Information | Data Privacy | N/A | 5 | |
| PRI-01.4 | Data Protection Officer (DPO) | Data Privacy | N/A | 7 | |
| PRI-01.5 | Binding Corporate Rules (BCR) | Data Privacy | N/A | 5 | |
| PRI-01.6 | Security of Personal Data (PD) | Data Privacy | N/A | 7 | |
| PRI-01.7 | Limiting Personal Data (PD) Disclosures | Data Privacy | N/A | 7 | |
| PRI-01.8 | Data Fiduciary | Data Privacy | N/A | 7 | |
| PRI-01.9 | Personal Data (PD) Process Manager | Data Privacy | N/A | 5 | |
| PRI-01.10 | Financial Incentives For Personal Data (PD) | Data Privacy | N/A | 3 | |
| PRI-02 | Data Privacy Notice | Data Privacy | N/A | 7 | |
| PRI-02.1 | Purpose Specification | Data Privacy | N/A | 7 | |
| PRI-02.2 | Automated Data Management Processes | Data Privacy | N/A | 1 | |
| PRI-02.3 | Computer Matching Agreements (CMA) | Data Privacy | N/A | 1 | |
| PRI-02.4 | System of Records Notice (SORN) | Data Privacy | N/A | 1 | |
| PRI-02.5 | System of Records Notice (SORN) Review Process | Data Privacy | N/A | 1 | |
| PRI-02.6 | Privacy Act Exemptions | Data Privacy | N/A | 1 | |
| PRI-02.7 | Real-Time or Layered Notice | Data Privacy | N/A | 2 | |
| PRI-03 | Choice & Consent | Data Privacy | N/A | 7 | |
| PRI-03.1 | Tailored Consent | Data Privacy | N/A | 1 | |
| PRI-03.2 | Just-In-Time Notice & Updated Consent | Data Privacy | N/A | 1 | |
| PRI-03.3 | Prohibition of Selling, Processing and/or Sharing Personal Data (PD) | Data Privacy | N/A | 5 | |
| PRI-03.4 | Revoke Consent | Data Privacy | N/A | 3 | |
| PRI-03.5 | Product or Service Delivery Restrictions | Data Privacy | N/A | 7 | |
| PRI-03.6 | Authorized Agent | Data Privacy | N/A | 6 | |
| PRI-03.7 | Active Participation By Data Subjects | Data Privacy | N/A | 3 | |
| PRI-03.8 | Global Privacy Control (GPC) | Data Privacy | N/A | 5 | |
| PRI-03.9 | Continued Use of Personal Data (PD) | Data Privacy | N/A | 5 | |
| PRI-03.10 | Cease Processing, Storing and/or Sharing Personal Data (PD) | Data Privacy | N/A | 6 | |
| PRI-03.11 | Communicating Processing Changes | Data Privacy | N/A | 5 | |
| PRI-04 | Restrict Collection To Identified Purpose | Data Privacy | N/A | 7 | |
| PRI-04.1 | Authority To Collect, Process, Store & Share Personal Data (PD) | Data Privacy | N/A | 7 | |
| PRI-04.2 | Primary Sources | Data Privacy | N/A | 7 | |
| PRI-04.3 | Identifiable Image Collection | Data Privacy | N/A | 7 | |
| PRI-04.4 | Acquired Personal Data (PD) | Data Privacy | N/A | 6 | |
| PRI-04.5 | Validate Collected Personal Data (PD) | Data Privacy | N/A | 1 | |
| PRI-04.6 | Re-Validate Collected Personal Data (PD) | Data Privacy | N/A | 1 | |
| PRI-04.7 | Personal Data (PD) Collection Methods | Data Privacy | N/A | 3 | |
| PRI-05 | Personal Data (PD) Retention & Disposal | Data Privacy | N/A | 8 | |
| PRI-05.1 | Internal Use of Personal Data (PD) For Testing, Training and Research | Data Privacy | N/A | 8 | |
| PRI-05.2 | Personal Data (PD) Accuracy & Integrity | Data Privacy | N/A | 5 | |
| PRI-05.3 | Data Masking | Data Privacy | N/A | 8 | |
| PRI-05.4 | Usage Restrictions of Personal Data (PD) | Data Privacy | N/A | 8 | |
| PRI-05.5 | Inventory of Personal Data (PD) | Data Privacy | N/A | 8 | |
| PRI-05.6 | Personal Data (PD) Inventory Automation Support | Data Privacy | N/A | 1 | |
| PRI-05.7 | Personal Data (PD) Categories | Data Privacy | N/A | 5 | |
| PRI-05.8 | Personal Data (PD) Formats | Data Privacy | N/A | 4 | |
| PRI-06 | Data Subject Empowerment | Data Privacy | N/A | 6 | |
| PRI-06.1 | Correcting Inaccurate Personal Data (PD) | Data Privacy | N/A | 5 | |
| PRI-06.2 | Notice of Correction or Processing Change | Data Privacy | N/A | 4 | |
| PRI-06.3 | Appeal Adverse Decision | Data Privacy | N/A | 4 | |
| PRI-06.4 | User Feedback Management | Data Privacy | N/A | 5 | |
| PRI-06.5 | Right to Erasure | Data Privacy | N/A | 5 | |
| PRI-06.6 | Data Portability | Data Privacy | N/A | 3 | |
| PRI-06.7 | Personal Data (PD) Exports | Data Privacy | N/A | 5 | |
| PRI-07 | Information Sharing With Third Parties | Data Privacy | N/A | 9 | |
| PRI-07.1 | Data Privacy Requirements for Contractors & Service Providers | Data Privacy | N/A | 10 | |
| PRI-07.2 | Joint Processing of Personal Data (PD) | Data Privacy | N/A | 5 | |
| PRI-07.3 | Obligation To Inform Third-Parties | Data Privacy | N/A | 5 | |
| PRI-07.4 | Reject Unauthenticated or Untrustworthy Disclosure Requests | Data Privacy | N/A | 5 | |
| PRI-07.5 | Justification To Reject Disclosure Requests | Data Privacy | N/A | 5 | |
| PRI-08 | Testing, Training & Monitoring | Data Privacy | N/A | 8 | |
| PRI-09 | Personal Data (PD) Lineage | Data Privacy | N/A | 5 | |
| PRI-10 | Data Quality Management | Data Privacy | N/A | 5 | |
| PRI-10.1 | Automation | Data Privacy | N/A | 1 | |
| PRI-10.2 | Data Analytics Bias | Data Privacy | N/A | 5 | |
| PRI-11 | Data Tagging | Data Privacy | N/A | 3 | |
| PRI-12 | Updating Personal Data (PD) | Data Privacy | N/A | 9 | |
| PRI-12.1 | Enabling Data Subjects To Update Personal Data (PD) | Data Privacy | N/A | 4 | |
| PRI-13 | Data Management Board | Data Privacy | N/A | 3 | |
| PRI-14 | Documenting Data Processing Activities | Data Privacy | N/A | 8 | |
| PRI-14.1 | Accounting of Disclosures | Data Privacy | N/A | 8 | |
| PRI-14.2 | Notification of Disclosure Request To Data Subject | Data Privacy | N/A | 5 | |
| PRI-15 | Register As A Data Controller and/or Data Processor | Data Privacy | N/A | 3 | |
| PRI-16 | Potential Human Rights Abuses | Data Privacy | N/A | 10 | |
| PRI-17 | Data Subject Communications | Data Privacy | N/A | 6 | |
| PRI-17.1 | Conspicuous Link To Data Privacy Notice | Data Privacy | N/A | 4 | |
| PRI-17.2 | Notice of Financial Incentive | Data Privacy | N/A | 2 | |
| PRI-18 | Data Controller Communications | Data Privacy | N/A | 7 | |
| PRM-02.1 | Prioritization To Address Evolving Risks & Threats | Project & Resource Management | N/A | 5 | |
| RSK-01 | Risk Management Program | Risk Management | N/A | 10 | |
| RSK-01.1 | Risk Framing | Risk Management | N/A | 9 | |
| RSK-01.2 | Risk Management Resourcing | Risk Management | N/A | 8 | |
| RSK-01.3 | Risk Tolerance | Risk Management | N/A | 9 | |
| RSK-01.4 | Risk Threshold | Risk Management | N/A | 9 | |
| RSK-01.5 | Risk Appetite | Risk Management | N/A | 9 | |
| RSK-02 | Risk-Based Security Categorization | Risk Management | N/A | 9 | |
| RSK-02.1 | Impact-Level Prioritization | Risk Management | N/A | 9 | |
| RSK-03 | Risk Identification | Risk Management | N/A | 9 | |
| RSK-03.1 | Risk Catalog | Risk Management | N/A | 5 | |
| RSK-04 | Risk Assessment | Risk Management | N/A | 10 | |
| RSK-04.1 | Risk Register | Risk Management | N/A | 10 | |
| RSK-04.2 | Risk Assessment Methodology | Risk Management | N/A | 8 | |
| RSK-05 | Risk Ranking | Risk Management | N/A | 9 | |
| RSK-06 | Risk Remediation | Risk Management | N/A | 10 | |
| RSK-06.1 | Risk Response | Risk Management | N/A | 9 | |
| RSK-06.2 | Compensating Countermeasures | Risk Management | N/A | 9 | |
| RSK-07 | Risk Assessment Update | Risk Management | N/A | 9 | |
| RSK-08 | Business Impact Analysis (BIA) | Risk Management | N/A | 8 | |
| RSK-09 | Supply Chain Risk Management (SCRM) Plan | Risk Management | N/A | 10 | |
| RSK-09.1 | Supply Chain Risk Assessment | Risk Management | N/A | 9 | |
RSK-09.2
| AI & Autonomous Technologies Supply Chain Impacts | Risk Management | N/A | 8 | |
RSK-10
| Data Protection Impact Assessment (DPIA) | Risk Management | N/A | 9 | |
RSK-11
| Risk Monitoring | Risk Management | N/A | 9 | |
RSK-12
| Risk Culture | Risk Management | N/A | 4 | |
SEA-01
| Secure Engineering Principles | Secure Engineering & Architecture | N/A | 10 | |
SEA-01.1
| Centralized Management of Cybersecurity & Data Protection Controls | Secure Engineering & Architecture | N/A | 9 | |
SEA-01.2
| Achieving Resilience Requirements | Secure Engineering & Architecture | N/A | 4 | |
SEA-01.3
| Resilience Capabilities | Secure Engineering & Architecture | N/A | 5 | |
SEA-02
| Alignment With Enterprise Architecture | Secure Engineering & Architecture | N/A | 9 | |
SEA-02.1
| Standardized Terminology | Secure Engineering & Architecture | N/A | 3 | |
SEA-02.2
| Outsourcing Non-Essential Functions or Services | Secure Engineering & Architecture | N/A | 3 | |
SEA-02.3
| Technical Debt Reviews | Secure Engineering & Architecture | N/A | 9 | |
SEA-03
| Defense-In-Depth (DiD) Architecture | Secure Engineering & Architecture | N/A | 10 | |
SEA-03.1
| System Partitioning | Secure Engineering & Architecture | N/A | 8 | |
SEA-03.2
| Application Partitioning | Secure Engineering & Architecture | N/A | 8 | |
SEA-04
| Process Isolation | Secure Engineering & Architecture | N/A | 7 | |
SEA-04.1
| Security Function Isolation | Secure Engineering & Architecture | N/A | 7 | |
SEA-04.2
| Hardware Separation | Secure Engineering & Architecture | N/A | 7 | |
SEA-04.3
| Thread Separation | Secure Engineering & Architecture | N/A | 7 | |
SEA-04.4
| System Privileges Isolation | Secure Engineering & Architecture | N/A | 5 | |
SEA-05
| Information In Shared Resources | Secure Engineering & Architecture | N/A | 8 | |
SEA-06
| Prevent Program Execution | Secure Engineering & Architecture | N/A | 8 | |
SEA-07
| Predictable Failure Analysis | Secure Engineering & Architecture | N/A | 5 | |
SEA-07.1
| Technology Lifecycle Management | Secure Engineering & Architecture | N/A | 7 | |
SEA-07.2
| Fail Secure | Secure Engineering & Architecture | N/A | 8 | |
SEA-07.3
| Fail Safe | Secure Engineering & Architecture | N/A | 8 | |
SEA-08
| Non-Persistence | Secure Engineering & Architecture | N/A | 9 | |
SEA-08.1
| Refresh from Trusted Sources | Secure Engineering & Architecture | N/A | 5 | |
SEA-09
| Information Output Filtering | Secure Engineering & Architecture | N/A | 8 | |
SEA-09.1
| Limit Personal Data (PD) Dissemination | Secure Engineering & Architecture | N/A | 8 | |
SEA-10
| Memory Protection | Secure Engineering & Architecture | N/A | 8 | |
SEA-11
| Honeypots | Secure Engineering & Architecture | N/A | 3 | |
SEA-12
| Honeyclients | Secure Engineering & Architecture | N/A | 3 | |
SEA-13
| Heterogeneity | Secure Engineering & Architecture | N/A | 3 | |
SEA-13.1
| Virtualization Techniques | Secure Engineering & Architecture | N/A | 6 | |
SEA-14
| Concealment & Misdirection | Secure Engineering & Architecture | N/A | 2 | |
SEA-14.1
| Randomness | Secure Engineering & Architecture | N/A | 5 | |
SEA-14.2
| Change Processing & Storage Locations | Secure Engineering & Architecture | N/A | 5 | |
SEA-15
| Distributed Processing & Storage | Secure Engineering & Architecture | N/A | 4 | |
SEA-16
| Non-Modifiable Executable Programs | Secure Engineering & Architecture | N/A | 1 | |
SEA-17
| Secure Log-On Procedures | Secure Engineering & Architecture | N/A | 8 | |
SEA-18
| System Use Notification (Logon Banner) | Secure Engineering & Architecture | N/A | 9 | |
SEA-18.1
| Standardized Microsoft Windows Banner | Secure Engineering & Architecture | N/A | 9 | |
SEA-18.2
| Truncated Banner | Secure Engineering & Architecture | N/A | 9 | |
SEA-19
| Previous Logon Notification | Secure Engineering & Architecture | N/A | 3 | |
SEA-20
| Clock Synchronization | Secure Engineering & Architecture | N/A | 9 | |
SEA-21
| Application Container | Secure Engineering & Architecture | N/A | 5 | |
SEA-22
| Privileged Environments | Secure Engineering & Architecture | N/A | 5 | |
SAT-03.5
| Privileged Users | Security Awareness & Training | N/A | 9 | |
TDA-01
| Technology Development & Acquisition | Technology Development & Acquisition | N/A | 10 | |
TDA-01.1
| Product Management | Technology Development & Acquisition | N/A | 10 | |
TDA-01.2
| Integrity Mechanisms for Software / Firmware Updates | Technology Development & Acquisition | N/A | 5 | |
TDA-01.3
| Malware Testing Prior to Release | Technology Development & Acquisition | N/A | 9 | |
TDA-01.4
| DevSecOps | Technology Development & Acquisition | N/A | 6 | |
TDA-02
| Minimum Viable Product (MVP) Security Requirements | Technology Development & Acquisition | N/A | 9 | |
TDA-02.1
| Ports, Protocols & Services In Use | Technology Development & Acquisition | N/A | 8 | |
TDA-02.2
| Information Assurance Enabled Products | Technology Development & Acquisition | N/A | 2 | |
TDA-02.3
| Development Methods, Techniques & Processes | Technology Development & Acquisition | N/A | 5 | |
TDA-02.4
| Pre-Established Secure Configurations | Technology Development & Acquisition | N/A | 8 | |
TDA-02.5
| Identification & Justification of Ports, Protocols & Services | Technology Development & Acquisition | N/A | 8 | |
TDA-02.6
| Insecure Ports, Protocols & Services | Technology Development & Acquisition | N/A | 9 | |
TDA-02.7
| Cybersecurity & Data Privacy Representatives For Product Changes | Technology Development & Acquisition | N/A | 10 | |
TDA-02.8
| Minimizing Attack Surfaces | Technology Development & Acquisition | N/A | 9 | |
TDA-02.9
| Ongoing Product Security Support | Technology Development & Acquisition | N/A | 9 | |
TDA-02.10
| Product Testing & Reviews | Technology Development & Acquisition | N/A | 9 | |
TDA-02.11
| Disclosure of Vulnerabilities | Technology Development & Acquisition | N/A | 5 | |
TDA-02.12
| Products With Digital Elements | Technology Development & Acquisition | N/A | 6 | |
TDA-02.13
| Reporting Exploitable Vulnerabilities | Technology Development & Acquisition | N/A | 8 | |
TDA-02.14
| Logging Syntax | Technology Development & Acquisition | N/A | 8 | |
TDA-03
| Commercial Off-The-Shelf (COTS) Security Solutions | Technology Development & Acquisition | N/A | 5 | |
TDA-03.1
| Supplier Diversity | Technology Development & Acquisition | N/A | 3 | |
TDA-04
| Documentation Requirements | Technology Development & Acquisition | N/A | 8 | |
TDA-04.1
| Functional Properties | Technology Development & Acquisition | N/A | 8 | |
TDA-04.2
| Software Bill of Materials (SBOM) | Technology Development & Acquisition | N/A | 9 | |
TDA-05
| Developer Architecture & Design | Technology Development & Acquisition | N/A | 8 | |
TDA-05.1
| Physical Diagnostic & Test Interfaces | Technology Development & Acquisition | N/A | 5 | |
TDA-05.2
| Diagnostic & Test Interface Monitoring | Technology Development & Acquisition | N/A | 3 | |
TDA-06
| Secure Software Development Practices (SSDP) | Technology Development & Acquisition | N/A | 10 | |
TDA-06.1
| Criticality Analysis | Technology Development & Acquisition | N/A | 9 | |
TDA-06.2
| Threat Modeling | Technology Development & Acquisition | N/A | 7 | |
TDA-06.3
| Software Assurance Maturity Model (SAMM) | Technology Development & Acquisition | N/A | 9 | |
TDA-06.4
| Supporting Toolchain | Technology Development & Acquisition | N/A | 6 | |
TDA-06.5
| Software Design Review | Technology Development & Acquisition | N/A | 10 | |
TDA-06.6
| Software Design Root Cause Analysis | Technology Development & Acquisition | N/A | 5 | |
TDA-07
| Secure Development Environments | Technology Development & Acquisition | N/A | 9 | |
TDA-08
| Separation of Development, Testing and Operational Environments | Technology Development & Acquisition | N/A | 10 | |
TDA-08.1
| Secure Migration Practices | Technology Development & Acquisition | N/A | 8 | |
TDA-09
| Cybersecurity & Data Protection Testing Throughout Development | Technology Development & Acquisition | N/A | 9 | |
TDA-09.1
| Continuous Monitoring Plan | Technology Development & Acquisition | N/A | 9 | |
TDA-09.2
| Static Code Analysis | Technology Development & Acquisition | N/A | 9 | |
TDA-09.3
| Dynamic Code Analysis | Technology Development & Acquisition | N/A | 9 | |
TDA-09.4
| Malformed Input Testing | Technology Development & Acquisition | N/A | 7 | |
TDA-09.5
| Application Penetration Testing | Technology Development & Acquisition | N/A | 9 | |
TDA-09.6
| Secure Settings By Default | Technology Development & Acquisition | N/A | 9 | |
TDA-09.7
| Manual Code Review | Technology Development & Acquisition | N/A | 5 | |
TDA-10
| Use of Live Data | Technology Development & Acquisition | N/A | 9 | |
TDA-10.1
| Test Data Integrity | Technology Development & Acquisition | N/A | 8 | |
TDA-11
| Product Tampering and Counterfeiting (PTC) | Technology Development & Acquisition | N/A | 9 | |
TDA-11.1
| Anti-Counterfeit Training | Technology Development & Acquisition | N/A | 6 | |
TDA-11.2
| Component Disposal | Technology Development & Acquisition | N/A | 0 | |
TDA-12
| Customized Development of Critical Components | Technology Development & Acquisition | N/A | 8 | |
TDA-13
| Developer Screening | Technology Development & Acquisition | N/A | 9 | |
TDA-14
| Developer Configuration Management | Technology Development & Acquisition | N/A | 9 | |
TDA-14.1
| Software / Firmware Integrity Verification | Technology Development & Acquisition | N/A | 8 | |
TDA-14.2
| Hardware Integrity Verification | Technology Development & Acquisition | N/A | 5 | |
TDA-15
| Developer Threat Analysis & Flaw Remediation | Technology Development & Acquisition | N/A | 9 | |
TDA-16
| Developer-Provided Training | Technology Development & Acquisition | N/A | 9 | |
TDA-17
| Unsupported Technology Assets, Applications and/or Services (TAAS) | Technology Development & Acquisition | N/A | 10 | |
TDA-17.1
| Alternate Sources for Continued Support | Technology Development & Acquisition | N/A | 8 | |
TDA-18
| Input Data Validation | Technology Development & Acquisition | N/A | 9 | |
TDA-19
| Error Handling | Technology Development & Acquisition | N/A | 9 | |
TDA-20
| Access to Program Source Code | Technology Development & Acquisition | N/A | 9 | |
TDA-20.1
| Software Release Integrity Verification | Technology Development & Acquisition | N/A | 6 | |
TDA-20.2
| Archiving Software Releases | Technology Development & Acquisition | N/A | 8 | |
TDA-20.3
| Software Escrow | Technology Development & Acquisition | N/A | 7 | |
TDA-20.4
| Approved Code | Technology Development & Acquisition | N/A | 8 | |
TDA-21
| Product Conformity Governance | Technology Development & Acquisition | N/A | 9 | |
TDA-22
| Technical Documentation Artifacts | Technology Development & Acquisition | N/A | 7 | |
TDA-22.1
| Product-Specific Risk Assessment Artifacts | Technology Development & Acquisition | N/A | 4 | |
TPM-01
| Third-Party Management | Third-Party Management | N/A | 10 | |
TPM-01.1
| Third-Party Inventories | Third-Party Management | N/A | 8 | |
TPM-02
| Third-Party Criticality Assessments | Third-Party Management | N/A | 9 | |
TPM-03
| Supply Chain Risk Management (SCRM) | Third-Party Management | N/A | 9 | |
TPM-03.1
| Acquisition Strategies, Tools & Methods | Third-Party Management | N/A | 9 | |
TPM-03.2
| Limit Potential Harm | Third-Party Management | N/A | 9 | |
TPM-03.3
| Processes To Address Weaknesses or Deficiencies | Third-Party Management | N/A | 9 | |
TPM-03.4
| Adequate Supply | Third-Party Management | N/A | 9 | |
TPM-04
| Third-Party Services | Third-Party Management | N/A | 10 | |
TPM-04.1
| Third-Party Risk Assessments & Approvals | Third-Party Management | N/A | 9 | |
TPM-04.2
| External Connectivity Requirements - Identification of Ports, Protocols & Services | Third-Party Management | N/A | 7 | |
TPM-04.3
| Conflict of Interests | Third-Party Management | N/A | 8 | |
TPM-04.4
| Third-Party Processing, Storage and Service Locations | Third-Party Management | N/A | 10 | |
TPM-05
| Third-Party Contract Requirements | Third-Party Management | N/A | 10 | |
TPM-05.1
| Security Compromise Notification Agreements | Third-Party Management | N/A | 9 | |
TPM-05.2
| Contract Flow-Down Requirements | Third-Party Management | N/A | 9 | |
TPM-05.3
| Third-Party Authentication Practices | Third-Party Management | N/A | 8 | |
TPM-05.4
| Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix | Third-Party Management | N/A | 8 | |
TPM-05.5
| Third-Party Scope Review | Third-Party Management | N/A | 10 | |
TPM-05.6
| First-Party Declaration (1PD) | Third-Party Management | N/A | 7 | |
TPM-05.7
| Break Clauses | Third-Party Management | N/A | 9 | |
TPM-05.8
| Third-Party Attestation (3PA) | Third-Party Management | N/A | 5 | |
TPM-06
| Third-Party Personnel Security | Third-Party Management | N/A | 9 | |
TPM-07
| Monitoring for Third-Party Information Disclosure | Third-Party Management | N/A | 8 | |
TPM-08
| Review of Third-Party Services | Third-Party Management | N/A | 9 | |
TPM-09
| Third-Party Deficiency Remediation | Third-Party Management | N/A | 9 | |
TPM-10
| Managing Changes To Third-Party Services | Third-Party Management | N/A | 8 | |
TPM-11
| Third-Party Incident Response & Recovery Capabilities | Third-Party Management | N/A | 8 | |
VPM-06.3
| Privileged Access | Vulnerability & Patch Management | N/A | 9 | |