| GOV-01 | Cybersecurity & Data Protection Governance Program | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 10 | |
| GOV-01.1 | Steering Committee & Program Oversight | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-01.2 | Status Reporting To Governing Body | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 5 | |
| GOV-01.3 | Commitment To Continual Improvements | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 7 | |
| GOV-02 | Publishing Cybersecurity & Data Protection Documentation | Cybersecurity & Data Protection Governance | N/A | 10 | |
| GOV-02.1 | Exception Management | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 8 | |
| GOV-03 | Periodic Review & Update of Cybersecurity & Data Protection Program | Cybersecurity & Data Protection Governance | N/A | 7 | |
| GOV-04 | Assigned Cybersecurity & Data Protection Responsibilities | Cybersecurity & Data Protection Governance | N/A | 10 | |
| GOV-04.1 | Stakeholder Accountability Structure | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 8 | |
| GOV-04.2 | Authoritative Chain of Command | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 7 | |
| GOV-05 | Measures of Performance | Cybersecurity & Data Protection Governance | N/A | 6 | |
| GOV-05.1 | Key Performance Indicators (KPIs) | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 6 | |
| GOV-05.2 | Key Risk Indicators (KRIs) | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 6 | |
| GOV-06 | Contacts With Authorities | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 5 | |
| GOV-07 | Contacts With Groups & Associations | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 7 | |
| GOV-08 | Defining Business Context & Mission | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 5 | |
| GOV-09 | Define Control Objectives | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 5 | |
| GOV-10 | Data Governance | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 9 | |
| GOV-11 | Purpose Validation | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 5 | |
| GOV-12 | Forced Technology Transfer (FTT) | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 10 | |
| GOV-13 | State-Sponsored Espionage | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 10 | |
| GOV-14 | Business As Usual (BAU) Secure Practices | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 6 | |
| GOV-15 | Operationalizing Cybersecurity & Data Protection Practices | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 9 | |
| GOV-15.1 | Select Controls | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 8 | |
| GOV-15.2 | Implement Controls | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 9 | |
| GOV-15.3 | Assess Controls | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 8 | |
| GOV-15.4 | Authorize Technology Assets, Applications and/or Services (TAAS) | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 8 | |
| GOV-15.5 | Monitor Controls | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 8 | |
| GOV-16 | Materiality Determination | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 7 | |
| GOV-16.1 | Material Risks | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 7 | |
| GOV-16.2 | Material Threats | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 7 | |
| GOV-17 | Cybersecurity & Data Protection Status Reporting | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 8 | |
| GOV-18 | Quality Management System (QMS) | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 4 | |
| GOV-19 | Assurance | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 7 | |
| GOV-19.1 | Assurance Levels (AL) | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 7 | |
| GOV-19.2 | Assessment Objectives (AO) | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 7 | |
| GOV-20 | Mergers, Acquisitions & Divestitures (MA&D) | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 6 | |
| GOV-20.1 | Virtual Data Room (VDR) | Cybersecurity & Data Protection Governance | Section 3.1: Role of the Board of Directors and Senior Management - The Board and senior management ... | 6 | |
| AST-01 | Asset Governance | Asset Management | N/A | 10 | |
| AST-01.1 | Asset-Service Dependencies | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| AST-01.2 | Stakeholder Identification & Involvement | Asset Management | N/A | 5 | |
| AST-01.3 | Standardized Naming Convention | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| AST-01.4 | Approved Technologies | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| AST-02 | Asset Inventories | Asset Management | N/A | 10 | |
| AST-02.1 | Updates During Installations / Removals | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| AST-02.2 | Automated Unauthorized Component Detection | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 3 | |
| AST-02.3 | Component Duplication Avoidance | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 2 | |
| AST-02.4 | Approved Baseline Deviations | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-02.5 | Network Access Control (NAC) | Asset Management | N/A | 4 | |
| AST-02.6 | Dynamic Host Configuration Protocol (DHCP) Server Logging | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 3 | |
| AST-02.7 | Software Licensing Restrictions | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-02.8 | Data Action Mapping | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| AST-02.9 | Configuration Management Database (CMDB) | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| AST-02.10 | Automated Location Tracking | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| AST-02.11 | Component Assignment | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 3 | |
| AST-03 | Asset Ownership Assignment | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-03.1 | Accountability Information | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| AST-03.2 | Provenance | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-04 | Network Diagrams & Data Flow Diagrams (DFDs) | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 10 | |
| AST-04.1 | Asset Scope Classification | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-04.2 | Control Applicability Boundary Graphical Representation | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 6 | |
| AST-04.3 | Compliance-Specific Asset Identification | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 6 | |
| AST-05 | Security of Assets & Media | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-05.1 | Management Approval For External Media Transfer | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-06 | Unattended End-User Equipment | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| AST-06.1 | Asset Storage In Automobiles | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| AST-07 | Kiosks & Point of Interaction (PoI) Devices | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-08 | Physical Tampering Detection | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| AST-09 | Secure Disposal, Destruction or Re-Use of Equipment | Asset Management | N/A | 10 | |
| AST-10 | Return of Assets | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-11 | Removal of Assets | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-12 | Use of Personal Devices | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 10 | |
| AST-13 | Use of Third-Party Devices | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| AST-14 | Usage Parameters | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| AST-14.1 | Bluetooth & Wireless Devices | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| AST-14.2 | Infrared Communications | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| AST-15 | Logical Tampering Protection | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 6 | |
| AST-15.1 | Technology Asset Inspections | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 6 | |
| AST-16 | Bring Your Own Device (BYOD) Usage | Asset Management | N/A | 10 | |
| AST-17 | Prohibited Equipment & Services | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| AST-18 | Roots of Trust Protection | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 4 | |
| AST-19 | Telecommunications Equipment | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| AST-20 | Video Teleconference (VTC) Security | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-21 | Voice Over Internet Protocol (VoIP) Security | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-22 | Microphones & Web Cameras | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-23 | Multi-Function Devices (MFD) | Asset Management | N/A | 8 | |
| AST-24 | Travel-Only Devices | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-25 | Re-Imaging Devices After Travel | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| AST-26 | System Administrative Processes | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| AST-27 | Jump Server | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| AST-28 | Database Administrative Processes | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| AST-28.1 | Database Management System (DBMS) | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 6 | |
| AST-29 | Radio Frequency Identification (RFID) Security | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 3 | |
| AST-29.1 | Contactless Access Control Systems | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 3 | |
| AST-30 | Decommissioning | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 4 | |
| AST-31 | Asset Categorization | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| AST-31.1 | Categorize Artificial Intelligence (AI)-Related Technologies | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| AST-31.2 | High-Risk Asset Categorization | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| AST-31.3 | Asset Attributes | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| AST-32 | Automated Network Asset Discovery | Asset Management | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 3 | |
| BCD-01 | Business Continuity Management System (BCMS) | Business Continuity & Disaster Recovery | N/A | 10 | |
| BCD-01.1 | Coordinate with Related Plans | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-01.2 | Coordinate With External Service Providers | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-01.3 | Transfer to Alternate Processing / Storage Site | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-01.4 | Recovery Time / Point Objectives (RTO / RPO) | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-01.5 | Recovery Operations Criteria | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 6 | |
| BCD-01.6 | Recovery Operations Communications | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 3 | |
| BCD-02 | Identify Critical Assets | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-02.1 | Resume All Missions & Business Functions | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 8 | |
| BCD-02.2 | Continue Essential Mission & Business Functions | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 8 | |
| BCD-02.3 | Resume Essential Missions & Business Functions | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 8 | |
| BCD-02.4 | Data Storage Location Reviews | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 8 | |
| BCD-03 | Contingency Training | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-03.1 | Simulated Events | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 3 | |
| BCD-03.2 | Automated Training Environments | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 1 | |
| BCD-04 | Contingency Plan Testing & Exercises | Business Continuity & Disaster Recovery | N/A | 6 | |
| BCD-04.1 | Coordinated Testing with Related Plans | Business Continuity & Disaster Recovery | N/A | 3 | |
| BCD-04.2 | Alternate Storage & Processing Sites | Business Continuity & Disaster Recovery | N/A | 5 | |
| BCD-05 | Contingency Plan Root Cause Analysis (RCA) & Lessons Learned | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-06 | Ongoing Contingency Planning | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 8 | |
| BCD-06.1 | Contingency Planning Components | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 8 | |
| BCD-06.2 | Contingency Plan Update Notifications | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-07 | Alternative Security Measures | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 9 | |
| BCD-08 | Alternate Storage Site | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 9 | |
| BCD-08.1 | Separation from Primary Site | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 7 | |
| BCD-08.2 | Accessibility | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-09 | Alternate Processing Site | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 9 | |
| BCD-09.1 | Separation from Primary Site | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 7 | |
| BCD-09.2 | Accessibility | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-09.3 | Alternate Site Priority of Service | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 6 | |
| BCD-09.4 | Preparation for Use | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-09.5 | Inability to Return to Primary Site | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-10 | Telecommunications Services Availability | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 6 | |
| BCD-10.1 | Telecommunications Priority of Service Provisions | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 6 | |
| BCD-10.2 | Separation of Primary / Alternate Providers | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-10.3 | Provider Contingency Plan | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-10.4 | Alternate Communications Channels | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-11 | Data Backups | Business Continuity & Disaster Recovery | N/A | 10 | |
| BCD-11.1 | Testing for Reliability & Integrity | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-11.2 | Separate Storage for Critical Information | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 8 | |
| BCD-11.3 | Recovery Images | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 8 | |
| BCD-11.4 | Cryptographic Protection | Business Continuity & Disaster Recovery | N/A | 9 | |
| BCD-11.5 | Test Restoration Using Sampling | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-11.6 | Transfer to Alternate Storage Site | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-11.7 | Redundant Secondary System | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-11.8 | Dual Authorization For Backup Media Destruction | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-11.9 | Backup Access | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 9 | |
| BCD-11.10 | Backup Modification and/or Destruction | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 9 | |
| BCD-12 | Technology Assets, Applications and/or Services (TAAS) Recovery & Reconstitution | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 9 | |
| BCD-12.1 | Transaction Recovery | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 9 | |
| BCD-12.2 | Failover Capability | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 8 | |
| BCD-12.3 | Electronic Discovery (eDiscovery) | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 8 | |
| BCD-12.4 | Restore Within Time Period | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-13 | Backup & Restoration Hardware Protection | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 8 | |
| BCD-13.1 | Restoration Integrity Verification | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 7 | |
| BCD-14 | Isolated Recovery Environment | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 5 | |
| BCD-15 | Reserve Hardware | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 7 | |
| BCD-16 | AI & Autonomous Technologies Incidents | Business Continuity & Disaster Recovery | Section 8.2: System Recoverability - Systems should be recoverable within defined recovery time obje... | 10 | |
| CAP-01 | Capacity & Performance Management | Capacity & Performance Planning | N/A | 8 | |
| CAP-02 | Resource Priority | Capacity & Performance Planning | Section 7.3: Technology Refresh Management - Technology assets should be regularly reviewed and refr... | 8 | |
| CAP-03 | Capacity Planning | Capacity & Performance Planning | N/A | 8 | |
| CAP-04 | Performance Monitoring | Capacity & Performance Planning | Section 7.3: Technology Refresh Management - Technology assets should be regularly reviewed and refr... | 7 | |
| CAP-05 | Elastic Expansion | Capacity & Performance Planning | Section 7.3: Technology Refresh Management - Technology assets should be regularly reviewed and refr... | 5 | |
| CAP-06 | Regional Delivery | Capacity & Performance Planning | Section 7.3: Technology Refresh Management - Technology assets should be regularly reviewed and refr... | 1 | |
| CHG-01 | Change Management Program | Change Management | N/A | 10 | |
| CHG-02 | Configuration Change Control | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 8 | |
| CHG-02.1 | Prohibition Of Changes | Change Management | N/A | 10 | |
| CHG-02.2 | Test, Validate & Document Changes | Change Management | N/A | 9 | |
| CHG-02.3 | Cybersecurity & Data Protection Representative for Asset Lifecycle Changes | Change Management | N/A | 7 | |
| CHG-02.4 | Automated Security Response | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 5 | |
| CHG-02.5 | Cryptographic Management | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 5 | |
| CHG-03 | Security Impact Analysis for Changes | Change Management | N/A | 9 | |
| CHG-04 | Access Restriction For Change | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 8 | |
| CHG-04.1 | Automated Access Enforcement / Auditing | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 3 | |
| CHG-04.2 | Signed Components | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 3 | |
| CHG-04.3 | Dual Authorization for Change | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 6 | |
| CHG-04.4 | Permissions To Implement Changes | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 6 | |
| CHG-04.5 | Library Privileges | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 8 | |
| CHG-05 | Stakeholder Notification of Changes | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 9 | |
| CHG-06 | Control Functionality Verification | Change Management | N/A | 9 | |
| CHG-06.1 | Report Verification Results | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 5 | |
| CHG-07 | Emergency Changes | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 9 | |
| CHG-07.1 | Documenting Emergency Changes | Change Management | Section 7.5: Change Management - Changes to technology systems should be managed through formal chan... | 7 | |
| CLD-01 | Cloud Services | Cloud Security | Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 10 | |
| CLD-01.1 | Cloud Infrastructure Onboarding | Cloud Security | Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 9 | |
| CLD-01.2 | Cloud Infrastructure Offboarding | Cloud Security | Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 9 | |
| CLD-02 | Cloud Security Architecture | Cloud Security | Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 8 | |
| CLD-03 | Cloud Infrastructure Security Subnet | Cloud Security | Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 6 | |
CLD-04
| Application Programming Interface (API) Security | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 9 | |
CLD-04.1
| API Gateway | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 7 | |
CLD-05
| Virtual Machine Images | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 8 | |
CLD-06
| Multi-Tenant Environments | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 9 | |
CLD-06.1
| Customer Responsibility Matrix (CRM) | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 8 | |
CLD-06.2
| Multi-Tenant Event Logging Capabilities | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 8 | |
CLD-06.3
| Multi-Tenant Forensics Capabilities | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 8 | |
CLD-06.4
| Multi-Tenant Incident Response Capabilities | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 8 | |
CLD-07
| Data Handling & Portability | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 4 | |
CLD-08
| Standardized Virtualization Formats | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 4 | |
CLD-09
| Geolocation Requirements for Processing, Storage and Service Locations | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 10 | |
CLD-10
| Sensitive Data In Public Cloud Providers | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 6 | |
CLD-11
| Cloud Access Security Broker (CASB) | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 7 | |
CLD-12
| Side Channel Attack Prevention | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 3 | |
CLD-13
| Hosted Assets, Applications & Services | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 9 | |
CLD-13.1
| Authorized Individuals For Hosted Assets, Applications & Services | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 9 | |
CLD-13.2
| Sensitive / Regulated Data On Hosted Assets, Applications & Services | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 9 | |
CLD-14
| Prohibition On Unverified Hosted Assets, Applications & Services | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 8 | |
CLD-15
| Software Defined Storage (SDS) | Cloud Security | Section 11.4 Section 11.4: Virtualisation Security - Virtualization environments should be secured with appropria... | 3 | |
CPL-01
| Statutory, Regulatory & Contractual Compliance | Compliance | N/A | 10 | |
CPL-01.1
| Non-Compliance Oversight | Compliance | N/A | 9 | |
CPL-01.2
| Compliance Scope | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 10 | |
CPL-01.3
| Ability To Demonstrate Conformity | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 8 | |
CPL-01.4
| Conformity Assessment | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 9 | |
CPL-01.5
| Declaration of Conformity | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 1 | |
CPL-02
| Cybersecurity & Data Protection Controls Oversight | Compliance | N/A | 10 | |
CPL-02.1
| Internal Audit Function | Compliance | N/A | 5 | |
CPL-02.2
| Periodic Audits | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 8 | |
CPL-02.3
| Corrective Action | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 7 | |
CPL-03
| Cybersecurity & Data Protection Assessments | Compliance | N/A | 10 | |
CPL-03.1
| Independent Assessors | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 6 | |
CPL-03.2
| Functional Review Of Cybersecurity & Data Protection Controls | Compliance | N/A | 8 | |
CPL-03.3
| Assessor Access | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 7 | |
CPL-03.4
| Assessment Methods | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 7 | |
CPL-03.5
| Assessment Rigor | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 7 | |
CPL-03.6
| Evidence Request List (ERL) | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 7 | |
CPL-03.7
| Evidence Sampling | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 7 | |
CPL-04
| Audit Activities | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 5 | |
CPL-05
| Legal Assessment of Investigative Inquires | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 2 | |
CPL-05.1
| Investigation Request Notifications | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 2 | |
CPL-05.2
| Investigation Access Restrictions | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 2 | |
CPL-06
| Government Surveillance | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 10 | |
CPL-07
| Grievances | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 5 | |
CPL-07.1
| Grievance Response | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 5 | |
CPL-08
| Localized Representation | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 2 | |
CPL-09
| Control Reciprocity | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 5 | |
CPL-10
| Control Inheritance | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 5 | |
CPL-11
| Dual Use Technology | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 8 | |
CPL-11.1
| USML or CCL Identification | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 8 | |
CPL-11.2
| Export-Controlled Access Restrictions | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 8 | |
CPL-11.3
| Export Activities Documentation | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 8 | |
CPL-08.1
| Representative Powers | Compliance | Section 3.2 Section 3.2: Policies, Standards and Procedures - Financial institutions should establish comprehens... | 2 | |
CFG-01
| Configuration Management Program | Configuration Management | N/A | 9 | |
CFG-01.1
| Assignment of Responsibility | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 5 | |
CFG-02
| Secure Baseline Configurations | Configuration Management | N/A | 10 | |
CFG-02.1
| Reviews & Updates | Configuration Management | N/A | 8 | |
CFG-02.2
| Automated Central Management & Verification | Configuration Management | N/A | 7 | |
CFG-02.3
| Retention Of Previous Configurations | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 3 | |
CFG-02.4
| Development & Test Environment Configurations | Configuration Management | N/A | 5 | |
CFG-02.5
| Configure Technology Assets, Applications and/or Services (TAAS) for High-Risk Areas | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 8 | |
CFG-02.6
| Network Device Configuration File Synchronization | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 7 | |
CFG-02.7
| Approved Configuration Deviations | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 9 | |
CFG-02.8
| Respond To Unauthorized Changes | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 9 | |
CFG-02.9
| Baseline Tailoring | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 9 | |
CFG-03
| Least Functionality | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 10 | |
CFG-03.1
| Periodic Review | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 8 | |
CFG-03.2
| Prevent Unauthorized Software Execution | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 7 | |
CFG-03.3
| Explicitly Allow / Deny Applications | Configuration Management | N/A | 5 | |
CFG-03.4
| Split Tunneling | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 8 | |
CFG-04
| Software Usage Restrictions | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 9 | |
CFG-04.1
| Open Source Software | Configuration Management | N/A | 9 | |
CFG-04.2
| Unsupported Internet Browsers & Email Clients | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 7 | |
CFG-05
| User-Installed Software | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 10 | |
CFG-05.1
| Unauthorized Installation Alerts | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 8 | |
CFG-05.2
| Restrict Roles Permitted To Install Software | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 9 | |
CFG-06
| Configuration Enforcement | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 7 | |
CFG-06.1
| Integrity Assurance & Enforcement (IAE) | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 3 | |
CFG-07
| Zero-Touch Provisioning (ZTP) | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 8 | |
CFG-08
| Sensitive / Regulated Data Access Enforcement | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 7 | |
CFG-08.1
| Sensitive / Regulated Data Actions | Configuration Management | Section 7.2 Section 7.2: Configuration Management - Configuration items should be identified, controlled, and ma... | 7 | |
MON-01
| Continuous Monitoring | Continuous Monitoring | N/A | 10 | |
MON-01.1
| Intrusion Detection & Prevention Systems (IDS & IPS) | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 9 | |
MON-01.2
| Automated Tools for Real-Time Analysis | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 9 | |
MON-01.3
| Inbound & Outbound Communications Traffic | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 9 | |
MON-01.4
| System Generated Alerts | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 7 | |
MON-01.5
| Wireless Intrusion Detection System (WIDS) | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-01.6
| Host-Based Devices | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-01.7
| File Integrity Monitoring (FIM) | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 9 | |
MON-01.8
| Security Event Monitoring | Continuous Monitoring | N/A | 10 | |
MON-01.9
| Proxy Logging | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-01.10
| Deactivated Account Activity | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 9 | |
MON-01.11
| Automated Response to Suspicious Events | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-01.12
| Automated Alerts | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-01.13
| Alert Threshold Tuning | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-01.14
| Individuals Posing Greater Risk | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-01.15
| Privileged User Oversight | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-01.16
| Analyze and Prioritize Monitoring Requirements | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-01.17
| Real-Time Session Monitoring | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 4 | |
MON-02
| Centralized Collection of Security Event Logs | Continuous Monitoring | N/A | 10 | |
MON-02.1
| Correlate Monitoring Information | Continuous Monitoring | N/A | 9 | |
MON-02.2
| Central Review & Analysis | Continuous Monitoring | N/A | 5 | |
MON-02.3
| Integration of Scanning & Other Monitoring Information | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-02.4
| Correlation with Physical Monitoring | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-02.5
| Permitted Actions | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-02.6
| Audit Level Adjustments | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-02.7
| System-Wide / Time-Correlated Audit Trail | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-02.8
| Changes by Authorized Individuals | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-02.9
| Inventory of Technology Asset Event Logging | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 7 | |
MON-03
| Content of Event Logs | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 10 | |
MON-03.1
| Sensitive Audit Information | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-03.2
| Audit Trails | Continuous Monitoring | N/A | 10 | |
MON-03.3
| Privileged Functions Logging | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-03.4
| Verbosity Logging for Boundary Devices | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-03.5
| Limit Personal Data (PD) In Audit Records | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-03.6
| Centralized Management of Planned Audit Record Content | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-03.7
| Database Logging | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-04
| Event Log Storage Capacity | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-05
| Response To Event Log Processing Failures | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-05.1
| Real-Time Alerts of Event Logging Failure | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 6 | |
MON-05.2
| Event Log Storage Capacity Alerting | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-06
| Monitoring Reporting | Continuous Monitoring | N/A | 7 | |
MON-06.1
| Query Parameter Audits of Personal Data (PD) | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 3 | |
MON-06.2
| Trend Analysis Reporting | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-07
| Time Stamps | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 10 | |
MON-07.1
| Synchronization With Authoritative Time Source | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-08
| Protection of Event Logs | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 10 | |
MON-08.1
| Event Log Backup on Separate Physical Systems / Components | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-08.2
| Access by Subset of Privileged Users | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-08.3
| Cryptographic Protection of Event Log Information | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-08.4
| Dual Authorization for Event Log Movement | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-09
| Non-Repudiation | Continuous Monitoring | N/A | 8 | |
MON-09.1
| Identity Binding | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 4 | |
MON-10
| Event Log Retention | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 10 | |
MON-11
| Monitoring For Information Disclosure | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-11.1
| Analyze Traffic for Covert Exfiltration | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-11.2
| Unauthorized Network Services | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-11.3
| Monitoring for Indicators of Compromise (IOC) | Continuous Monitoring | N/A | 5 | |
MON-12
| Session Audit | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 7 | |
MON-13
| Alternate Event Logging Capability | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 3 | |
MON-14
| Cross-Organizational Monitoring | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 3 | |
MON-14.1
| Sharing of Event Logs | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
MON-15
| Covert Channel Analysis | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 3 | |
MON-16
| Anomalous Behavior | Continuous Monitoring | N/A | 10 | |
MON-16.1
| Insider Threats | Continuous Monitoring | N/A | 8 | |
MON-16.2
| Third-Party Threats | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-16.3
| Unauthorized Activities | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 8 | |
MON-16.4
| Account Creation and Modification Logging | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 7 | |
MON-17
| Event Log Analysis & Triage | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 7 | |
MON-17.1
| Event Log Review Escalation Matrix | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 7 | |
MON-18
| File Activity Monitoring (FAM) | Continuous Monitoring | Section 4.5 Section 4.5: Risk Monitoring, Review and Reporting - Technology risks should be continuously monitor... | 5 | |
CRY-01
| Use of Cryptographic Controls | Cryptographic Protections | N/A | 10 | |
CRY-01.1
| Alternate Physical Protection | Cryptographic Protections | Section 10.1 Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 5 | |
CRY-01.2
| Export-Controlled Cryptography | Cryptographic Protections | Section 10.1 Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 5 | |
CRY-01.3
| Pre/Post Transmission Handling | Cryptographic Protections | Section 10.1 Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 5 | |
CRY-01.4
| Conceal / Randomize Communications | Cryptographic Protections | Section 10.1 Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 5 | |
CRY-01.5
| Cryptographic Cipher Suites and Protocols Inventory | Cryptographic Protections | Section 10.1 Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 9 | |
CRY-02
| Cryptographic Module Authentication | Cryptographic Protections | Section 10.1 Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 8 | |
CRY-03
| Transmission Confidentiality | Cryptographic Protections | Section 10.1 Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 10 | |
CRY-04
| Transmission Integrity | Cryptographic Protections | Section 10.1 Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 10 | |
CRY-05
| Encrypting Data At Rest | Cryptographic Protections | Section 10.1 Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 10 | |
CRY-05.1
| Storage Media | Cryptographic Protections | Section 10.1 Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 8 | |
CRY-05.2
| Offline Storage | Cryptographic Protections | Section 10.1 Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 5 | |
| CRY-05.3 | Database Encryption | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 8 | |
| CRY-06 | Non-Console Administrative Access | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 9 | |
| CRY-07 | Wireless Access Authentication & Encryption | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 9 | |
| CRY-08 | Public Key Infrastructure (PKI) | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 9 | |
| CRY-08.1 | Availability | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 9 | |
| CRY-09 | Cryptographic Key Management | Cryptographic Protections | N/A | 10 | |
| CRY-09.1 | Symmetric Keys | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 9 | |
| CRY-09.2 | Asymmetric Keys | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 9 | |
| CRY-09.3 | Cryptographic Key Loss or Change | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 8 | |
| CRY-09.4 | Control & Distribution of Cryptographic Keys | Cryptographic Protections | N/A | 9 | |
| CRY-09.5 | Assigned Owners | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 8 | |
| CRY-09.6 | Third-Party Cryptographic Keys | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 7 | |
| CRY-09.7 | External System Cryptographic Key Control | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 5 | |
| CRY-10 | Transmission of Cybersecurity & Data Protection Attributes | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 5 | |
| CRY-11 | Certificate Authorities | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 8 | |
| CRY-12 | Certificate Monitoring | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 5 | |
| CRY-13 | Cryptographic Hash | Cryptographic Protections | Section 10.1: Cryptographic Algorithm and Protocol - Cryptographic algorithms and protocols should b... | 5 | |
| DCH-01 | Data Protection | Data Classification & Handling | N/A | 10 | |
| DCH-01.1 | Data Stewardship | Data Classification & Handling | N/A | 10 | |
| DCH-01.2 | Sensitive / Regulated Data Protection | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-01.3 | Sensitive / Regulated Media Records | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 6 | |
| DCH-01.4 | Defining Access Authorizations for Sensitive / Regulated Data | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-02 | Data & Asset Classification | Data Classification & Handling | N/A | 10 | |
| DCH-02.1 | Highest Classification Level | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-03 | Media Access | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-03.1 | Disclosure of Information | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 10 | |
| DCH-03.2 | Masking Displayed Data | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| DCH-03.3 | Controlled Release | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 4 | |
| DCH-04 | Media Marking | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| DCH-04.1 | Automated Marking | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 2 | |
| DCH-05 | Cybersecurity & Data Protection Attributes | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 2 | |
| DCH-05.1 | Dynamic Attribute Association | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 2 | |
| DCH-05.2 | Attribute Value Changes By Authorized Individuals | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-05.3 | Maintenance of Attribute Associations By System | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 2 | |
| DCH-05.4 | Association of Attributes By Authorized Individuals | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 2 | |
| DCH-05.5 | Attribute Displays for Output Devices | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-05.6 | Data Subject Attribute Associations | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 2 | |
| DCH-05.7 | Consistent Attribute Interpretation | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 2 | |
| DCH-05.8 | Identity Association Techniques & Technologies | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 2 | |
| DCH-05.9 | Attribute Reassignment | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| DCH-05.10 | Attribute Configuration By Authorized Individuals | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-05.11 | Audit Changes | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| DCH-06 | Media Storage | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-06.1 | Physically Secure All Media | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-06.2 | Sensitive Data Inventories | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-06.3 | Periodic Scans for Sensitive / Regulated Data | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| DCH-06.4 | Making Sensitive Data Unreadable In Storage | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-06.5 | Storing Authentication Data | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| DCH-07 | Media Transportation | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-07.1 | Custodians | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-07.2 | Encrypting Data In Storage Media | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| DCH-08 | Physical Media Disposal | Data Classification & Handling | N/A | 10 | |
| DCH-09 | System Media Sanitization | Data Classification & Handling | N/A | 10 | |
| DCH-09.1 | System Media Sanitization Documentation | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| DCH-09.2 | Equipment Testing | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| DCH-09.3 | Sanitization of Personal Data (PD) | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-09.4 | First Time Use Sanitization | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| DCH-09.5 | Dual Authorization for Sensitive Data Destruction | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| DCH-10 | Media Use | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-10.1 | Limitations on Use | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 10 | |
| DCH-10.2 | Prohibit Use Without Owner | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| DCH-11 | Data Reclassification | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-12 | Removable Media Security | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 10 | |
| DCH-13 | Use of External Technology Assets, Applications and/or Services (TAAS) | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-13.1 | Limits of Authorized Use | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-13.2 | Portable Storage Devices | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-13.3 | Protecting Sensitive / Regulated Data on External Technology Assets, Applications and/or Services (TAAS) | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 10 | |
| DCH-13.4 | Non-Organizationally Owned Technology Assets, Applications and/or Services (TAAS) | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| DCH-14 | Information Sharing | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-14.1 | Information Search & Retrieval | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| DCH-14.2 | Transfer Authorizations | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-14.3 | Data Access Mapping | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-15 | Publicly Accessible Content | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 10 | |
| DCH-16 | Data Mining Protection | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| DCH-17 | Ad-Hoc Transfers | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-18 | Media & Data Retention | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-18.1 | Minimize Sensitive / Regulated Data | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-18.2 | Limit Sensitive / Regulated Data In Testing, Training & Research | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-18.3 | Temporary Files Containing Personal Data (PD) | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 5 | |
| DCH-19 | Geographic Location of Data | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 9 | |
| DCH-20 | Archived Data Sets | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-21 | Information Disposal | Data Classification & Handling | N/A | 10 | |
| DCH-22 | Data Quality Operations | Data Classification & Handling | N/A | 5 | |
| DCH-22.1 | Updating & Correcting Personal Data (PD) | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 6 | |
| DCH-22.2 | Data Tags | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 3 | |
| DCH-22.3 | Primary Source Personal Data (PD) Collection | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-23 | De-Identification (Anonymization) | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-23.1 | De-Identify Dataset Upon Collection | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-23.2 | Archiving | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-23.3 | Release | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-23.4 | Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 8 | |
| DCH-23.5 | Statistical Disclosure Control | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 1 | |
| DCH-23.6 | Differential Data Privacy | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 1 | |
| DCH-23.7 | Automated De-Identification of Sensitive Data | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 1 | |
| DCH-23.8 | Motivated Intruder | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 3 | |
| DCH-23.9 | Code Names | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 1 | |
| DCH-24 | Information Location | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 10 | |
| DCH-24.1 | Automated Tools to Support Information Location | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 6 | |
| DCH-25 | Transfer of Sensitive and/or Regulated Data | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 10 | |
| DCH-25.1 | Transfer Activity Limits | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 7 | |
| DCH-26 | Data Localization | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 10 | |
| DCH-27 | Data Rights Management (DRM) | Data Classification & Handling | Section 3.3: Management of Information Assets - Information assets should be properly identified, cl... | 6 | |
| EMB-01 | Embedded Technology Security Program | Embedded Technology | N/A | 10 | |
| EMB-02 | Internet of Things (IOT) | Embedded Technology | N/A | 9 | |
| EMB-03 | Operational Technology (OT) | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 9 | |
| EMB-04 | Interface Security | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 4 | |
| EMB-05 | Embedded Technology Configuration Monitoring | Embedded Technology | N/A | 6 | |
| EMB-06 | Prevent Alterations | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 6 | |
| EMB-07 | Embedded Technology Maintenance | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 6 | |
| EMB-08 | Resilience To Outages | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 2 | |
| EMB-09 | Power Level Monitoring | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 4 | |
| EMB-10 | Embedded Technology Reviews | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 8 | |
| EMB-11 | Message Queuing Telemetry Transport (MQTT) Security | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 7 | |
| EMB-12 | Restrict Communications | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 8 | |
| EMB-13 | Authorized Communications | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 8 | |
| EMB-14 | Operating Environment Certification | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 9 | |
| EMB-15 | Safety Assessment | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 9 | |
| EMB-16 | Certificate-Based Authentication | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 5 | |
| EMB-17 | Chip-To-Cloud Security | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 6 | |
| EMB-18 | Real-Time Operating System (RTOS) Security | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 5 | |
| EMB-19 | Safe Operations | Embedded Technology | Section 11.5: Internet of Things - IoT devices should be subject to security controls including secu... | 9 | |
| END-01 | Endpoint Device Management (EDM) | Endpoint Security | N/A | 10 | |
| END-01.1 | Unified Endpoint Device Management (UEDM) | Endpoint Security | N/A | 6 | |
| END-02 | Endpoint Protection Measures | Endpoint Security | N/A | 9 | |
| END-03 | Prohibit Installation Without Privileged Status | Endpoint Security | N/A | 9 | |
| END-03.1 | Software Installation Alerts | Endpoint Security | N/A | 8 | |
| END-03.2 | Governing Access Restriction for Change | Endpoint Security | Section 6.5: Management of End User Computing and Applications - End user computing and applications... | 8 | |
| END-04 | Malicious Code Protection (Anti-Malware) | Endpoint Security | N/A | 10 | |
| END-04.1 | Automatic Antimalware Signature Updates | Endpoint Security | N/A | 9 | |
| END-04.2 | Documented Protection Measures | Endpoint Security | N/A | 3 | |
| END-04.3 | Centralized Management of Antimalware Technologies | Endpoint Security | N/A | 8 | |
| END-04.4 | Heuristic / Nonsignature-Based Detection | Endpoint Security | N/A | 8 | |
| END-04.5 | Malware Protection Mechanism Testing | Endpoint Security | N/A | 5 | |
| END-04.6 | Evolving Malware Threats | Endpoint Security | N/A | 3 | |
| END-04.7 | Always On Protection | Endpoint Security | N/A | 9 | |
| END-05 | Software Firewall | Endpoint Security | N/A | 9 | |
| END-06 | Endpoint File Integrity Monitoring (FIM) | Endpoint Security | N/A | 8 | |
| END-06.1 | Integrity Checks | Endpoint Security | N/A | 6 | |
| END-06.2 | Endpoint Detection & Response (EDR) | Endpoint Security | N/A | 9 | |
| END-06.3 | Automated Notifications of Integrity Violations | Endpoint Security | N/A | 5 | |
| END-06.4 | Automated Response to Integrity Violations | Endpoint Security | N/A | 5 | |
| END-06.5 | Boot Process Integrity | Endpoint Security | N/A | 5 | |
| END-06.6 | Protection of Boot Firmware | Endpoint Security | N/A | 5 | |
| END-06.7 | Binary or Machine-Executable Code | Endpoint Security | N/A | 5 | |
| END-06.8 | Extended Detection & Response (XDR) | Endpoint Security | N/A | 5 | |
| END-07 | Host Intrusion Detection and Prevention Systems (HIDS / HIPS) | Endpoint Security | N/A | 9 | |
| END-08 | Phishing & Spam Protection | Endpoint Security | N/A | 10 | |
| END-08.1 | Central Management | Endpoint Security | N/A | 5 | |
| END-08.2 | Automatic Spam and Phishing Protection Updates | Endpoint Security | N/A | 8 | |
| END-09 | Trusted Path | Endpoint Security | N/A | 9 | |
| END-10 | Mobile Code | Endpoint Security | N/A | 4 | |
| END-11 | Thin Nodes | Endpoint Security | N/A | 4 | |
| END-12 | Port & Input / Output (I/O) Device Access | Endpoint Security | N/A | 6 | |
| END-13 | Sensor Capability | Endpoint Security | N/A | 7 | |
| END-13.1 | Authorized Use | Endpoint Security | N/A | 8 | |
| END-13.2 | Notice of Collection | Endpoint Security | N/A | 6 | |
| END-13.3 | Collection Minimization | Endpoint Security | N/A | 8 | |
| END-13.4 | Sensor Delivery Verification | Endpoint Security | N/A | 4 | |
| END-14 | Collaborative Computing Devices | Endpoint Security | N/A | 9 | |
| END-14.1 | Disabling / Removal In Secure Work Areas | Endpoint Security | N/A | 5 | |
| END-14.2 | Explicitly Indicate Current Participants | Endpoint Security | N/A | 5 | |
| END-14.3 | Participant Identity Verification | Endpoint Security | N/A | 7 | |
| END-14.4 | Participant Connection Management | Endpoint Security | N/A | 5 | |
| END-14.5 | Malicious Link & File Protections | Endpoint Security | N/A | 7 | |
| END-14.6 | Explicit Indication Of Use | Endpoint Security | N/A | 6 | |
| END-15 | Hypervisor Access | Endpoint Security | N/A | 9 | |
| END-16 | Restrict Access To Security Functions | Endpoint Security | N/A | 7 | |
| END-16.1 | Host-Based Security Function Isolation | Endpoint Security | N/A | 7 | |
| HRS-01 | Human Resources Security Management | Human Resources Security | N/A | 10 | |
| HRS-01.1 | Onboarding, Transferring & Offboarding Personnel | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 9 | |
| HRS-02 | Position Categorization | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 8 | |
| HRS-02.1 | Users With Elevated Privileges | Human Resources Security | N/A | 10 | |
| HRS-02.2 | Probationary Periods | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 1 | |
| HRS-03 | Defined Roles & Responsibilities | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 10 | |
| HRS-03.1 | User Awareness | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 9 | |
| HRS-03.2 | Competency Requirements for Security-Related Positions | Human Resources Security | N/A | 9 | |
| HRS-04 | Personnel Screening | Human Resources Security | N/A | 10 | |
| HRS-04.1 | Roles With Special Protection Measures | Human Resources Security | N/A | 9 | |
| HRS-04.2 | Formal Indoctrination | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 7 | |
| HRS-04.3 | Citizenship Requirements | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 5 | |
| HRS-04.4 | Citizenship Identification | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 3 | |
| HRS-05 | Terms of Employment | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 10 | |
| HRS-05.1 | Rules of Behavior | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 10 | |
| HRS-05.2 | Social Media & Social Networking Restrictions | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 9 | |
| HRS-05.3 | Technology Use Restrictions | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 10 | |
| HRS-05.4 | Use of Critical Technologies | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 9 | |
| HRS-05.5 | Use of Mobile Devices | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 9 | |
| HRS-05.6 | Security-Minded Dress Code | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 1 | |
| HRS-05.7 | Policy Familiarization & Acknowledgement | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 8 | |
| HRS-06 | Access Agreements | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 10 | |
| HRS-06.1 | Confidentiality Agreements | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 10 | |
| HRS-06.2 | Post-Employment Requirements Awareness | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 5 | |
| HRS-07 | Personnel Sanctions | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 9 | |
| HRS-07.1 | Workplace Investigations | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 8 | |
| HRS-07.2 | Updating Disciplinary Processes | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 3 | |
| HRS-07.3 | Preventative Access Restriction | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 5 | |
| HRS-08 | Personnel Transfer | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 9 | |
| HRS-09 | Personnel Termination | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 9 | |
| HRS-09.1 | Asset Collection | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 9 | |
| HRS-09.2 | High-Risk Terminations | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 9 | |
| HRS-09.3 | Post-Employment Requirements Notification | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 8 | |
| HRS-09.4 | Automated Employment Status Notifications | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 5 | |
| HRS-10 | Third-Party Personnel Security | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 10 | |
| HRS-11 | Separation of Duties (SoD) | Human Resources Security | N/A | 7 | |
| HRS-12 | Incompatible Roles | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 8 | |
| HRS-12.1 | Two-Person Rule | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 7 | |
| HRS-13 | Identify Critical Skills & Gaps | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 5 | |
| HRS-13.1 | Remediate Identified Skills Deficiencies | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 5 | |
| HRS-13.2 | Identify Vital Cybersecurity & Data Privacy Staff | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 5 | |
| HRS-13.3 | Establish Redundancy for Vital Cybersecurity & Data Privacy Staff | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 5 | |
| HRS-13.4 | Perform Succession Planning | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 5 | |
| HRS-14 | Identifying Authorized Work Locations | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 8 | |
| HRS-14.1 | Communicating Authorized Work Locations | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 8 | |
| HRS-15 | Reporting Suspicious Activities | Human Resources Security | Section 3.5: Competency and Background Review - Personnel involved in technology operations should p... | 7 | |
IAC-01
| Identity & Access Management (IAM) | Identification & Authentication | N/A | 10 | |
IAC-01.1
| Retain Access Records | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 3 | |
IAC-01.2
| Authenticate, Authorize and Audit (AAA) | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-01.3
| User & Service Account Inventories | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-02
| Identification & Authentication for Organizational Users | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-02.1
| Group Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 7 | |
IAC-02.2
| Replay-Resistant Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-02.3
| Acceptance of PIV Credentials | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 2 | |
IAC-02.4
| Out-of-Band Authentication (OOBA) | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-03
| Identification & Authentication for Non-Organizational Users | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-03.1
| Acceptance of PIV Credentials from Other Organizations | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 2 | |
IAC-03.2
| Acceptance of Third-Party Credentials | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 2 | |
IAC-03.3
| Use of FICAM-Issued Profiles | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 2 | |
IAC-03.4
| Disassociability | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 2 | |
IAC-03.5
| Acceptance of External Authenticators | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 4 | |
IAC-04
| Identification & Authentication for Devices | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-04.1
| Device Attestation | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-04.2
| Device Authorization Enforcement | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-05
| Identification & Authentication for Third-Party Technology Assets, Applications and/or Services (TAAS) | Identification & Authentication | N/A | 9 | |
IAC-05.1
| Sharing Identification & Authentication Information | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-05.2
| Privileged Access by Non-Organizational Users | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-06
| Multi-Factor Authentication (MFA) | Identification & Authentication | N/A | 9 | |
IAC-06.1
| Network Access to Privileged Accounts | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-06.2
| Network Access to Non-Privileged Accounts | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 7 | |
IAC-06.3
| Local Access to Privileged Accounts | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-06.4
| Out-of-Band Multi-Factor Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-06.5
| Alternative Multi-Factor Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-07
| User Provisioning & De-Provisioning | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-07.1
| Change of Roles & Duties | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-07.2
| Termination of Employment | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-08
| Role-Based Access Control (RBAC) | Identification & Authentication | N/A | 9 | |
IAC-09
| Identifier Management (User Names) | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-09.1
| User Identity (ID) Management | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-09.2
| Identity User Status | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 7 | |
IAC-09.3
| Dynamic Management | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-09.4
| Cross-Organization Management | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-09.5
| Privileged Account Identifiers | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-09.6
| Pairwise Pseudonymous Identifiers (PPID) | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 1 | |
IAC-10
| Authenticator Management | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-10.1
| Password-Based Authentication | Identification & Authentication | N/A | 9 | |
IAC-10.2
| PKI-Based Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-10.3
| In-Person or Trusted Third-Party Registration | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-10.4
| Automated Support For Password Strength | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-10.5
| Protection of Authenticators | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-10.6
| No Embedded Unencrypted Static Authenticators | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-10.7
| Hardware Token-Based Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-10.8
| Default Authenticators | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-10.9
| Multiple System Accounts | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-10.10
| Expiration of Cached Authenticators | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-10.11
| Password Managers | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 8 | |
IAC-10.12
| Biometric Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-10.13
| Events Requiring Authenticator Change | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-10.14
| Passkeys | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 8 | |
IAC-11
| Authenticator Feedback | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 6 | |
IAC-12
| Cryptographic Module Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 8 | |
IAC-12.1
| Hardware Security Modules (HSM) | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 3 | |
IAC-13
| Adaptive Identification & Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-13.1
| Single Sign-On (SSO) Transparent Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-13.2
| Federated Credential Management | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 4 | |
IAC-13.3
| Continuous Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 2 | |
IAC-14
| Re-Authentication | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 8 | |
IAC-15
| Account Management | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-15.1
| Automated System Account Management (Directory Services) | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-15.2
| Removal of Temporary / Emergency Accounts | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-15.3
| Disable Inactive Accounts | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-15.4
| Automated Audit Actions | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-15.5
| Restrictions on Shared Groups / Accounts | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-15.6
| Account Disabling for High Risk Individuals | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-15.7
| System Account Reviews | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-15.8
| Usage Conditions | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-15.9
| Emergency Accounts | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-16
| Privileged Account Management (PAM) | Identification & Authentication | N/A | 10 | |
IAC-16.1
| Privileged Account Inventories | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-16.2
| Privileged Account Separation | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 4 | |
IAC-16.3
| Privileged Command Execution | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-16.4
| Dedicated Privileged Account | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 7 | |
IAC-17
| Periodic Review of Account Privileges | Identification & Authentication | N/A | 10 | |
IAC-18
| User Responsibilities for Account Management | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-19
| Credential Sharing | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-20
| Access Enforcement | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-20.1
| Access To Sensitive / Regulated Data | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-20.2
| Database Access | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-20.3
| Use of Privileged Utility Programs | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-20.4
| Dedicated Administrative Machines | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 8 | |
IAC-20.5
| Dual Authorization for Privileged Commands | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-20.6
| Revocation of Access Authorizations | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-20.7
| Authorized System Accounts | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-21
| Least Privilege | Identification & Authentication | N/A | 10 | |
IAC-21.1
| Authorize Access to Security Functions | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-21.2
| Non-Privileged Access for Non-Security Functions | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-21.3
| Management Approval For Privileged Accounts | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-21.4
| Auditing Use of Privileged Functions | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-21.5
| Prohibit Non-Privileged Users from Executing Privileged Functions | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-21.6
| Network Access to Privileged Commands | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-21.7
| Privilege Levels for Code Execution | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-22
| Account Lockout | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-23
| Concurrent Session Control | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 6 | |
IAC-24
| Session Lock | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-24.1
| Pattern-Hiding Displays | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-25
| Session Termination | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 9 | |
IAC-25.1
| User-Initiated Logouts / Message Displays | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-26
| Permitted Actions Without Identification or Authorization | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 8 | |
IAC-27
| Reference Monitor | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 1 | |
IAC-28
| Identity Proofing (Identity Verification) | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-28.1
| Management Approval For New or Changed Accounts | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 10 | |
IAC-28.2
| Identity Evidence | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-28.3
| Identity Evidence Validation & Verification | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-28.4
| In-Person Validation & Verification | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-28.5
| Address Confirmation | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 1 | |
IAC-29
| Attribute-Based Access Control (ABAC) | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IAC-29.1
| Real-Time Access Decisions | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 3 | |
IAC-29.2
| Access Profile Rules | Identification & Authentication | Section 9.1 Section 9.1: User Access Management - User access should be managed through formal processes includi... | 5 | |
IRO-01
| Incident Response Operations | Incident Response | N/A | 9 | |
IRO-02
| Incident Handling | Incident Response | N/A | 10 | |
IRO-02.1
| Automated Incident Handling Processes | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 1 | |
IRO-02.2
| Insider Threat Response Capability | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 5 | |
IRO-02.3
| Dynamic Reconfiguration | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 5 | |
IRO-02.4
| Incident Classification & Prioritization | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 5 | |
IRO-02.5
| Correlation with External Organizations | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 5 | |
IRO-02.6
| Automatic Disabling of Technology Assets, Applications and/or Services (TAAS) | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 6 | |
IRO-03
| Indicators of Compromise (IOC) | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 8 | |
IRO-04
| Incident Response Plan (IRP) | Incident Response | N/A | 9 | |
IRO-04.1
| Data Breach | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 8 | |
IRO-04.2
| IRP Update | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 8 | |
IRO-04.3
| Continuous Incident Response Improvements | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 3 | |
IRO-05
| Incident Response Training | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 9 | |
IRO-05.1
| Simulated Incidents | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 5 | |
IRO-05.2
| Automated Incident Response Training Environments | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 5 | |
IRO-06
| Incident Response Testing | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 9 | |
IRO-06.1
| Coordination with Related Plans | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 7 | |
IRO-07
| Integrated Security Incident Response Team (ISIRT) | Incident Response | N/A | 9 | |
IRO-08
| Chain of Custody & Forensics | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 9 | |
IRO-09
| Situational Awareness For Incidents | Incident Response | N/A | 8 | |
IRO-09.1
| Automated Tracking, Data Collection & Analysis | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 1 | |
IRO-09.2
| Recurring Incident Analysis | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 5 | |
IRO-10
| Incident Stakeholder Reporting | Incident Response | N/A | 9 | |
IRO-10.1
| Automated Reporting | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 9 | |
IRO-10.2
| Cyber Incident Reporting for Sensitive / Regulated Data | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 9 | |
IRO-10.3
| Vulnerabilities Related To Incidents | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 8 | |
IRO-10.4
| Supply Chain Coordination | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 7 | |
IRO-10.5
| Serious Incident Reporting | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 5 | |
IRO-11
| Incident Reporting Assistance | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 5 | |
IRO-11.1
| Automation Support of Availability of Information / Support | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 1 | |
IRO-11.2
| Coordination With External Providers | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 5 | |
IRO-12
| Sensitive / Regulated Data Spill Response | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 8 | |
IRO-12.1
| Sensitive / Regulated Data Spill Responsible Personnel | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 8 | |
IRO-12.2
| Sensitive / Regulated Data Spill Training | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 8 | |
IRO-12.3
| Post-Sensitive / Regulated Data Spill Operations | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 8 | |
IRO-12.4
| Sensitive / Regulated Data Exposure to Unauthorized Personnel | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 8 | |
IRO-13
| Root Cause Analysis (RCA) & Lessons Learned | Incident Response | N/A | 8 | |
IRO-14
| Regulatory & Law Enforcement Contacts | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 9 | |
IRO-15
| Detonation Chambers (Sandboxes) | Incident Response | Section 7.7 Section 7.7: Incident Management - Technology incidents should be promptly detected, responded to, a... | 5 | |
IRO-16
| Public Relations & Reputation Repair | Incident Response | N/A | 6 | |
IAO-01
| Information Assurance (IA) Operations | Information Assurance | N/A | 10 | |
IAO-01.1
| Assessment Boundaries | Information Assurance | N/A | 9 | |
IAO-02
| Assessments | Information Assurance | N/A | 10 | |
IAO-02.1
| Assessor Independence | Information Assurance | Section 8.1 Section 8.1: System Availability - Critical systems should be designed and operated to meet availabi... | 9 | |
IAO-02.2
| Specialized Assessments | Information Assurance | N/A | 9 | |
IAO-02.3
| Third-Party Assessments | Information Assurance | Section 8.1: System Availability - Critical systems should be designed and operated to meet availabi... | 9 | |
| IAO-02.4 | Security Assessment Report (SAR) | Information Assurance | N/A | 7 | |
| IAO-03 | System Security & Privacy Plan (SSPP) | Information Assurance | Section 8.1: System Availability - Critical systems should be designed and operated to meet availabi... | 7 | |
| IAO-03.1 | Plan / Coordinate with Other Organizational Entities | Information Assurance | Section 8.1: System Availability - Critical systems should be designed and operated to meet availabi... | 5 | |
| IAO-03.2 | Adequate Security for Sensitive / Regulated Data In Support of Contracts | Information Assurance | N/A | 7 | |
| IAO-04 | Threat Analysis & Flaw Remediation During Development | Information Assurance | N/A | 10 | |
| IAO-05 | Plan of Action & Milestones (POA&M) | Information Assurance | N/A | 9 | |
| IAO-05.1 | Plan of Action & Milestones (POA&M) Automation | Information Assurance | Section 8.1: System Availability - Critical systems should be designed and operated to meet availabi... | 2 | |
| IAO-06 | Technical Verification | Information Assurance | Section 8.1: System Availability - Critical systems should be designed and operated to meet availabi... | 8 | |
| IAO-07 | Security Authorization | Information Assurance | Section 8.1: System Availability - Critical systems should be designed and operated to meet availabi... | 10 | |
| MDM-04 | Mobile Device Tampering | Mobile Device Management | N/A | 9 | |
| MDM-06 | Personally-Owned Mobile Devices | Mobile Device Management | N/A | 8 | |
| MDM-07 | Organization-Owned Mobile Devices | Mobile Device Management | N/A | 8 | |
| NET-01 | Network Security Controls (NSC) | Network Security | N/A | 10 | |
| NET-01.1 | Zero Trust Architecture (ZTA) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-02 | Layered Network Defenses | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-02.1 | Denial of Service (DoS) Protection | Network Security | N/A | 9 | |
| NET-02.2 | Guest Networks | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 6 | |
| NET-02.3 | Cross Domain Solution (CDS) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 6 | |
| NET-03 | Boundary Protection | Network Security | N/A | 10 | |
| NET-03.1 | Limit Network Connections | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-03.2 | External Telecommunications Services | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 7 | |
| NET-03.3 | Prevent Discovery of Internal Information | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 7 | |
| NET-03.4 | Personal Data (PD) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 7 | |
| NET-03.5 | Prevent Unauthorized Exfiltration | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-03.6 | Dynamic Isolation & Segregation (Sandboxing) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-03.7 | Isolation of System Components | Network Security | N/A | 5 | |
| NET-03.8 | Separate Subnet for Connecting to Different Security Domains | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-04 | Data Flow Enforcement – Access Control Lists (ACLs) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 10 | |
| NET-04.1 | Deny Traffic by Default & Allow Traffic by Exception | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 10 | |
| NET-04.2 | Object Security Attributes | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-04.3 | Content Check for Encrypted Data | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 4 | |
| NET-04.4 | Embedded Data Types | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 2 | |
| NET-04.5 | Metadata | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 2 | |
| NET-04.6 | Human Reviews | Network Security | N/A | 9 | |
| NET-04.7 | Policy Decision Point (PDP) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-04.8 | Data Type Identifiers | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-04.9 | Decomposition Into Policy-Related Subcomponents | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-04.10 | Detection of Unsanctioned Information | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-04.11 | Approved Solutions | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-04.12 | Cross Domain Authentication | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-04.13 | Metadata Validation | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 2 | |
| NET-04.14 | Application Proxy | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 7 | |
| NET-05 | Interconnection Security Agreements (ISAs) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-05.1 | External System Connections | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-05.2 | Internal System Connections | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 7 | |
| NET-06 | Network Segmentation (macrosegmentation) | Network Security | N/A | 10 | |
| NET-06.1 | Security Management Subnets | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-06.2 | Virtual Local Area Network (VLAN) Separation | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-06.3 | Sensitive / Regulated Data Enclave (Secure Zone) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 10 | |
| NET-06.4 | Segregation From Enterprise Services | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 4 | |
| NET-06.5 | Direct Internet Access Restrictions | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 6 | |
| NET-06.6 | Microsegmentation | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 2 | |
| NET-06.7 | Software Defined Networking (SDN) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-07 | Network Connection Termination | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-08 | Network Intrusion Detection / Prevention Systems (NIDS / NIPS) | Network Security | N/A | 9 | |
| NET-08.1 | DMZ Networks | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-08.2 | Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-08.3 | Host Containment | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 3 | |
| NET-08.4 | Resource Containment | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 3 | |
| NET-09 | Session Integrity | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-09.1 | Invalidate Session Identifiers at Logout | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-09.2 | Unique System-Generated Session Identifiers | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 3 | |
| NET-10 | Domain Name Service (DNS) Resolution | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 10 | |
| NET-10.1 | Architecture & Provisioning for Name / Address Resolution Service | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-10.2 | Secure Name / Address Resolution Service (Recursive or Caching Resolver) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-10.3 | Sender Policy Framework (SPF) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-10.4 | Domain Registrar Security | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-11 | Out-of-Band Channels | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-12 | Safeguarding Data Over Open Networks | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-12.1 | Wireless Link Protection | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-12.2 | End-User Messaging Technologies | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-13 | Electronic Messaging | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 10 | |
| NET-14 | Remote Access | Network Security | N/A | 10 | |
| NET-14.1 | Automated Monitoring & Control | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 1 | |
| NET-14.2 | Protection of Confidentiality / Integrity Using Encryption | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-14.3 | Managed Access Control Points | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-14.4 | Remote Privileged Commands & Sensitive Data Access | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-14.5 | Work From Anywhere (WFA) - Telecommuting Security | Network Security | N/A | 10 | |
| NET-14.6 | Third-Party Remote Access Governance | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-14.7 | Endpoint Security Validation | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 6 | |
| NET-14.8 | Expeditious Disconnect / Disable Capability | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-15 | Wireless Networking | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-15.1 | Authentication & Encryption | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-15.2 | Disable Wireless Networking | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-15.3 | Restrict Configuration By Users | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-15.4 | Wireless Boundaries | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-15.5 | Rogue Wireless Detection | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-16 | Intranets | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-17 | Data Loss Prevention (DLP) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-18 | DNS & Content Filtering | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-18.1 | Route Internal Traffic to Proxy Servers | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 9 | |
| NET-18.2 | Visibility of Encrypted Communications | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-18.3 | Route Privileged Network Access | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 1 | |
| NET-18.4 | Protocol Compliance Enforcement | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-18.5 | Domain Name Verification | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-18.6 | Internet Address Denylisting | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 8 | |
| NET-18.7 | Bandwidth Control | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 2 | |
| NET-18.8 | Authenticated Proxy | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 3 | |
| NET-18.9 | Certificate Denylisting | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 7 | |
| NET-19 | Content Disarm and Reconstruction (CDR) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 6 | |
| NET-20 | Email Content Protections | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 10 | |
| NET-20.1 | Email Domain Reputation Protections | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 1 | |
| NET-20.2 | Sender Denylisting | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 7 | |
| NET-20.3 | Authenticated Received Chain (ARC) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 2 | |
| NET-20.4 | Domain-Based Message Authentication Reporting and Conformance (DMARC) | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 3 | |
| NET-20.5 | User Digital Signatures for Outgoing Email | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 6 | |
| NET-20.6 | Encryption for Outgoing Email | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 6 | |
| NET-20.7 | Adaptive Email Protections | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 1 | |
| NET-20.8 | Email Labeling | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 5 | |
| NET-20.9 | User Threat Reporting | Network Security | Section 9.3: Remote Access Management - Remote access should be secured through strong authenticatio... | 1 | |
| PES-01 | Physical & Environmental Protections | Physical & Environmental Security | N/A | 9 | |
| PES-02 | Physical Access Authorizations | Physical & Environmental Security | N/A | 7 | |
| PES-03 | Physical Access Control | Physical & Environmental Security | N/A | 10 | |
| PES-03.1 | Controlled Ingress & Egress Points | Physical & Environmental Security | N/A | 9 | |
| PES-03.2 | Lockable Physical Casings | Physical & Environmental Security | N/A | 5 | |
| PES-03.4 | Access To Critical Systems | Physical & Environmental Security | N/A | 5 | |
| PES-04 | Physical Security of Offices, Rooms & Facilities | Physical & Environmental Security | N/A | 10 | |
| PES-04.1 | Working in Secure Areas | Physical & Environmental Security | N/A | 10 | |
| PES-05 | Monitoring Physical Access | Physical & Environmental Security | N/A | 7 | |
| PES-05.2 | Monitoring Physical Access To Critical Systems | Physical & Environmental Security | N/A | 5 | |
| PES-06 | Visitor Control | Physical & Environmental Security | N/A | 9 | |
| PES-07 | Supporting Utilities | Physical & Environmental Security | N/A | 9 | |
| PES-08 | Fire Protection | Physical & Environmental Security | N/A | 7 | |
| PES-08.1 | Fire Detection Devices | Physical & Environmental Security | N/A | 9 | |
| PES-10 | Delivery & Removal | Physical & Environmental Security | N/A | 8 | |
| PRI-01 | Data Privacy Program | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 10 | |
| PRI-01.1 | Chief Privacy Officer (CPO) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 3 | |
| PRI-01.2 | Privacy Act Statements | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 2 | |
| PRI-01.3 | Dissemination of Data Privacy Program Information | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-01.4 | Data Protection Officer (DPO) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRI-01.5 | Binding Corporate Rules (BCR) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-01.6 | Security of Personal Data (PD) | Data Privacy | N/A | 7 | |
| PRI-01.7 | Limiting Personal Data (PD) Disclosures | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRI-01.8 | Data Fiduciary | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRI-01.9 | Personal Data (PD) Process Manager | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-01.10 | Financial Incentives For Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 3 | |
| PRI-02 | Data Privacy Notice | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRI-02.1 | Purpose Specification | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRI-02.2 | Automated Data Management Processes | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 1 | |
| PRI-02.3 | Computer Matching Agreements (CMA) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 1 | |
| PRI-02.4 | System of Records Notice (SORN) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 1 | |
| PRI-02.5 | System of Records Notice (SORN) Review Process | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 1 | |
| PRI-02.6 | Privacy Act Exemptions | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 1 | |
| PRI-02.7 | Real-Time or Layered Notice | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 2 | |
| PRI-03 | Choice & Consent | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRI-03.1 | Tailored Consent | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 1 | |
| PRI-03.2 | Just-In-Time Notice & Updated Consent | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 1 | |
| PRI-03.3 | Prohibition of Selling, Processing and/or Sharing Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-03.4 | Revoke Consent | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 3 | |
| PRI-03.5 | Product or Service Delivery Restrictions | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRI-03.6 | Authorized Agent | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 6 | |
| PRI-03.7 | Active Participation By Data Subjects | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 3 | |
| PRI-03.8 | Global Privacy Control (GPC) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-03.9 | Continued Use of Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-03.10 | Cease Processing, Storing and/or Sharing Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 6 | |
| PRI-03.11 | Communicating Processing Changes | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-04 | Restrict Collection To Identified Purpose | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRI-04.1 | Authority To Collect, Process, Store & Share Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRI-04.2 | Primary Sources | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRI-04.3 | Identifiable Image Collection | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRI-04.4 | Acquired Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 6 | |
| PRI-04.5 | Validate Collected Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 1 | |
| PRI-04.6 | Re-Validate Collected Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 1 | |
| PRI-04.7 | Personal Data (PD) Collection Methods | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 3 | |
| PRI-05 | Personal Data (PD) Retention & Disposal | Data Privacy | N/A | 8 | |
| PRI-05.1 | Internal Use of Personal Data (PD) For Testing, Training and Research | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 8 | |
| PRI-05.2 | Personal Data (PD) Accuracy & Integrity | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-05.3 | Data Masking | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 8 | |
| PRI-05.4 | Usage Restrictions of Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 8 | |
| PRI-05.5 | Inventory of Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 8 | |
| PRI-05.6 | Personal Data (PD) Inventory Automation Support | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 1 | |
| PRI-05.7 | Personal Data (PD) Categories | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-05.8 | Personal Data (PD) Formats | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 4 | |
| PRI-06 | Data Subject Empowerment | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 6 | |
| PRI-06.1 | Correcting Inaccurate Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-06.2 | Notice of Correction or Processing Change | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 4 | |
| PRI-06.3 | Appeal Adverse Decision | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 4 | |
| PRI-06.4 | User Feedback Management | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-06.5 | Right to Erasure | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-06.6 | Data Portability | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 3 | |
| PRI-06.7 | Personal Data (PD) Exports | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-07 | Information Sharing With Third Parties | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 9 | |
| PRI-07.1 | Data Privacy Requirements for Contractors & Service Providers | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 10 | |
| PRI-07.2 | Joint Processing of Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-07.3 | Obligation To Inform Third-Parties | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-07.4 | Reject Unauthenticated or Untrustworthy Disclosure Requests | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-07.5 | Justification To Reject Disclosure Requests | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-08 | Testing, Training & Monitoring | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 8 | |
| PRI-09 | Personal Data (PD) Lineage | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-10 | Data Quality Management | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-10.1 | Automation | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 1 | |
| PRI-10.2 | Data Analytics Bias | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-11 | Data Tagging | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 3 | |
| PRI-12 | Updating Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 9 | |
| PRI-12.1 | Enabling Data Subjects To Update Personal Data (PD) | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 4 | |
| PRI-13 | Data Management Board | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 3 | |
| PRI-14 | Documenting Data Processing Activities | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 8 | |
| PRI-14.1 | Accounting of Disclosures | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 8 | |
| PRI-14.2 | Notification of Disclosure Request To Data Subject | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 5 | |
| PRI-15 | Register As A Data Controller and/or Data Processor | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 3 | |
| PRI-16 | Potential Human Rights Abuses | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 10 | |
| PRI-17 | Data Subject Communications | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 6 | |
| PRI-17.1 | Conspicuous Link To Data Privacy Notice | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 4 | |
| PRI-17.2 | Notice of Financial Incentive | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 2 | |
| PRI-18 | Data Controller Communications | Data Privacy | Section 9.2: Privileged Access Management - Privileged access should be subject to enhanced controls... | 7 | |
| PRM-01 | Cybersecurity & Data Protection Portfolio Management | Project & Resource Management | N/A | 8 | |
| PRM-01.1 | Strategic Plan & Objectives | Project & Resource Management | N/A | 5 | |
| PRM-01.2 | Targeted Capability Maturity Levels | Project & Resource Management | Section 5.1: Project Management Framework - A structured project management framework should govern ... | 5 | |
| PRM-02 | Cybersecurity & Data Protection Resource Management | Project & Resource Management | N/A | 8 | |
| PRM-02.1 | Prioritization To Address Evolving Risks & Threats | Project & Resource Management | Section 5.1: Project Management Framework - A structured project management framework should govern ... | 5 | |
| PRM-03 | Allocation of Resources | Project & Resource Management | N/A | 8 | |
| PRM-04 | Cybersecurity & Data Protection In Project Management | Project & Resource Management | N/A | 10 | |
| PRM-05 | Cybersecurity & Data Protection Requirements Definition | Project & Resource Management | N/A | 9 | |
| PRM-06 | Business Process Definition | Project & Resource Management | N/A | 7 | |
PRM-07
| Secure Development Life Cycle (SDLC) Management | Project & Resource Management | N/A | 10 | |
PRM-08
| Manage Organizational Knowledge | Project & Resource Management | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 5 | |
RSK-01
| Risk Management Program | Risk Management | N/A | 10 | |
RSK-01.1
| Risk Framing | Risk Management | N/A | 9 | |
RSK-01.2
| Risk Management Resourcing | Risk Management | Section 4.1 Section 4.1: Risk Management Framework - A comprehensive technology risk management framework should... | 8 | |
RSK-01.3
| Risk Tolerance | Risk Management | Section 4.1 Section 4.1: Risk Management Framework - A comprehensive technology risk management framework should... | 9 | |
RSK-01.4
| Risk Threshold | Risk Management | Section 4.1 Section 4.1: Risk Management Framework - A comprehensive technology risk management framework should... | 9 | |
RSK-01.5
| Risk Appetite | Risk Management | Section 4.1 Section 4.1: Risk Management Framework - A comprehensive technology risk management framework should... | 9 | |
RSK-02
| Risk-Based Security Categorization | Risk Management | N/A | 9 | |
RSK-02.1
| Impact-Level Prioritization | Risk Management | N/A | 9 | |
RSK-03
| Risk Identification | Risk Management | N/A | 9 | |
RSK-03.1
| Risk Catalog | Risk Management | Section 4.1 Section 4.1: Risk Management Framework - A comprehensive technology risk management framework should... | 5 | |
RSK-04
| Risk Assessment | Risk Management | N/A | 10 | |
RSK-04.1
| Risk Register | Risk Management | N/A | 10 | |
RSK-04.2
| Risk Assessment Methodology | Risk Management | Section 4.1 Section 4.1: Risk Management Framework - A comprehensive technology risk management framework should... | 8 | |
RSK-05
| Risk Ranking | Risk Management | N/A | 9 | |
RSK-06
| Risk Remediation | Risk Management | N/A | 10 | |
RSK-06.1
| Risk Response | Risk Management | N/A | 9 | |
RSK-06.2
| Compensating Countermeasures | Risk Management | N/A | 9 | |
RSK-07
| Risk Assessment Update | Risk Management | N/A | 9 | |
RSK-08
| Business Impact Analysis (BIA) | Risk Management | N/A | 8 | |
RSK-09
| Supply Chain Risk Management (SCRM) Plan | Risk Management | N/A | 10 | |
RSK-09.1
| Supply Chain Risk Assessment | Risk Management | Section 4.1 Section 4.1: Risk Management Framework - A comprehensive technology risk management framework should... | 9 | |
RSK-09.2
| AI & Autonomous Technologies Supply Chain Impacts | Risk Management | Section 4.1 Section 4.1: Risk Management Framework - A comprehensive technology risk management framework should... | 8 | |
RSK-10
| Data Protection Impact Assessment (DPIA) | Risk Management | N/A | 9 | |
RSK-11
| Risk Monitoring | Risk Management | Section 4.1 Section 4.1: Risk Management Framework - A comprehensive technology risk management framework should... | 9 | |
RSK-12
| Risk Culture | Risk Management | Section 4.1 Section 4.1: Risk Management Framework - A comprehensive technology risk management framework should... | 4 | |
SEA-01
| Secure Engineering Principles | Secure Engineering & Architecture | N/A | 10 | |
SEA-01.1
| Centralized Management of Cybersecurity & Data Protection Controls | Secure Engineering & Architecture | N/A | 9 | |
SEA-01.2
| Achieving Resilience Requirements | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 4 | |
SEA-01.3
| Resilience Capabilities | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 5 | |
SEA-02
| Alignment With Enterprise Architecture | Secure Engineering & Architecture | N/A | 9 | |
SEA-02.1
| Standardized Terminology | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 3 | |
SEA-02.2
| Outsourcing Non-Essential Functions or Services | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 3 | |
SEA-02.3
| Technical Debt Reviews | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 9 | |
SEA-03
| Defense-In-Depth (DiD) Architecture | Secure Engineering & Architecture | N/A | 10 | |
SEA-03.1
| System Partitioning | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 8 | |
SEA-03.2
| Application Partitioning | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 8 | |
SEA-04
| Process Isolation | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 7 | |
SEA-04.1
| Security Function Isolation | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 7 | |
SEA-04.2
| Hardware Separation | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 7 | |
SEA-04.3
| Thread Separation | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 7 | |
SEA-04.4
| System Privileges Isolation | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 5 | |
SEA-05
| Information In Shared Resources | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 8 | |
SEA-06
| Prevent Program Execution | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 8 | |
SEA-07
| Predictable Failure Analysis | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 5 | |
SEA-07.1
| Technology Lifecycle Management | Secure Engineering & Architecture | N/A | 7 | |
SEA-07.2
| Fail Secure | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 8 | |
SEA-07.3
| Fail Safe | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 8 | |
SEA-08
| Non-Persistence | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 9 | |
SEA-08.1
| Refresh from Trusted Sources | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 5 | |
SEA-09
| Information Output Filtering | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 8 | |
SEA-09.1
| Limit Personal Data (PD) Dissemination | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 8 | |
SEA-10
| Memory Protection | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 8 | |
SEA-11
| Honeypots | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 3 | |
SEA-12
| Honeyclients | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 3 | |
SEA-13
| Heterogeneity | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 3 | |
SEA-13.1
| Virtualization Techniques | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 6 | |
SEA-14
| Concealment & Misdirection | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 2 | |
SEA-14.1
| Randomness | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 5 | |
SEA-14.2
| Change Processing & Storage Locations | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 5 | |
SEA-15
| Distributed Processing & Storage | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 4 | |
SEA-16
| Non-Modifiable Executable Programs | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 1 | |
SEA-17
| Secure Log-On Procedures | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 8 | |
SEA-18
| System Use Notification (Logon Banner) | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 9 | |
SEA-18.1
| Standardized Microsoft Windows Banner | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 9 | |
SEA-18.2
| Truncated Banner | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 9 | |
SEA-19
| Previous Logon Notification | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 3 | |
SEA-20
| Clock Synchronization | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 9 | |
SEA-21
| Application Container | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 5 | |
SEA-22
| Privileged Environments | Secure Engineering & Architecture | Section 5.4 Section 5.4: System Development Life Cycle and Security-By-Design - Security should be integrated th... | 5 | |
OPS-01
| Operations Security | Security Operations | N/A | 8 | |
OPS-01.1
| Standardized Operating Procedures (SOP) | Security Operations | Section 12 Section 12: Cyber Security Operations - Cyber security operations should include continuous monitori... | 9 | |
OPS-02
| Security Concept Of Operations (CONOPS) | Security Operations | Section 12 Section 12: Cyber Security Operations - Cyber security operations should include continuous monitori... | 9 | |
OPS-03
| Service Delivery
(Business Process Support) | Security Operations | N/A | 7 | |
OPS-04
| Security Operations Center (SOC) | Security Operations | N/A | 8 | |
OPS-05
| Secure Practices Guidelines | Security Operations | Section 12 Section 12: Cyber Security Operations - Cyber security operations should include continuous monitori... | 7 | |
OPS-06
| Security Orchestration, Automation, and Response (SOAR) | Security Operations | Section 12 Section 12: Cyber Security Operations - Cyber security operations should include continuous monitori... | 5 | |
OPS-07
| Shadow Information Technology Detection | Security Operations | Section 12 Section 12: Cyber Security Operations - Cyber security operations should include continuous monitori... | 8 | |
SAT-01
| Cybersecurity & Data Protection-Minded Workforce | Security Awareness & Training | N/A | 8 | |
SAT-01.1
| Maintaining Workforce Development Relevancy | Security Awareness & Training | Section 3.6 Section 3.6: Security Awareness and Training - Regular security awareness programs and training shou... | 6 | |
SAT-02
| Cybersecurity & Data Protection Awareness Training | Security Awareness & Training | N/A | 8 | |
SAT-02.1
| Simulated Cyber Attack Scenario Training | Security Awareness & Training | Section 3.6 Section 3.6: Security Awareness and Training - Regular security awareness programs and training shou... | 3 | |
SAT-02.2
| Social Engineering & Mining | Security Awareness & Training | Section 3.6 Section 3.6: Security Awareness and Training - Regular security awareness programs and training shou... | 5 | |
SAT-03
| Role-Based Cybersecurity & Data Protection Training | Security Awareness & Training | N/A | 8 | |
SAT-03.1
| Practical Exercises | Security Awareness & Training | Section 3.6 Section 3.6: Security Awareness and Training - Regular security awareness programs and training shou... | 3 | |
SAT-03.2
| Suspicious Communications & Anomalous System Behavior | Security Awareness & Training | N/A | 9 | |
SAT-03.3
| Sensitive / Regulated Data Storage, Handling & Processing | Security Awareness & Training | N/A | 9 | |
SAT-03.4
| Vendor Cybersecurity & Data Protection Training | Security Awareness & Training | Section 3.6 Section 3.6: Security Awareness and Training - Regular security awareness programs and training shou... | 7 | |
SAT-03.5
| Privileged Users | Security Awareness & Training | N/A | 9 | |
SAT-03.6
| Cyber Threat Environment | Security Awareness & Training | Section 3.6 Section 3.6: Security Awareness and Training - Regular security awareness programs and training shou... | 8 | |
SAT-03.7
| Continuing Professional Education (CPE) - Cybersecurity & Data Protection Personnel | Security Awareness & Training | Section 3.6 Section 3.6: Security Awareness and Training - Regular security awareness programs and training shou... | 8 | |
SAT-03.8
| Continuing Professional Education (CPE) - DevOps Personnel | Security Awareness & Training | Section 3.6 Section 3.6: Security Awareness and Training - Regular security awareness programs and training shou... | 8 | |
SAT-03.9
| Counterintelligence Training | Security Awareness & Training | Section 3.6 Section 3.6: Security Awareness and Training - Regular security awareness programs and training shou... | 1 | |
SAT-04
| Cybersecurity & Data Protection Training Records | Security Awareness & Training | Section 3.6 Section 3.6: Security Awareness and Training - Regular security awareness programs and training shou... | 9 | |
SAT-05
| Cybersecurity Knowledge Sharing | Security Awareness & Training | Section 3.6 Section 3.6: Security Awareness and Training - Regular security awareness programs and training shou... | 3 | |
TDA-01
| Technology Development & Acquisition | Technology Development & Acquisition | N/A | 10 | |
TDA-01.1
| Product Management | Technology Development & Acquisition | N/A | 10 | |
TDA-01.2
| Integrity Mechanisms for Software / Firmware Updates | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 5 | |
TDA-01.3
| Malware Testing Prior to Release | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-01.4
| DevSecOps | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 6 | |
TDA-02
| Minimum Viable Product (MVP) Security Requirements | Technology Development & Acquisition | N/A | 9 | |
TDA-02.1
| Ports, Protocols & Services In Use | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-02.2
| Information Assurance Enabled Products | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 2 | |
TDA-02.3
| Development Methods, Techniques & Processes | Technology Development & Acquisition | N/A | 5 | |
TDA-02.4
| Pre-Established Secure Configurations | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-02.5
| Identification & Justification of Ports, Protocols & Services | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-02.6
| Insecure Ports, Protocols & Services | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-02.7
| Cybersecurity & Data Privacy Representatives For Product Changes | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 10 | |
TDA-02.8
| Minimizing Attack Surfaces | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-02.9
| Ongoing Product Security Support | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-02.10
| Product Testing & Reviews | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-02.11
| Disclosure of Vulnerabilities | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 5 | |
TDA-02.12
| Products With Digital Elements | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 6 | |
TDA-02.13
| Reporting Exploitable Vulnerabilities | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-02.14
| Logging Syntax | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-03
| Commercial Off-The-Shelf (COTS) Security Solutions | Technology Development & Acquisition | N/A | 5 | |
TDA-03.1
| Supplier Diversity | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 3 | |
TDA-04
| Documentation Requirements | Technology Development & Acquisition | N/A | 8 | |
TDA-04.1
| Functional Properties | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-04.2
| Software Bill of Materials (SBOM) | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-05
| Developer Architecture & Design | Technology Development & Acquisition | N/A | 8 | |
TDA-05.1
| Physical Diagnostic & Test Interfaces | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 5 | |
TDA-05.2
| Diagnostic & Test Interface Monitoring | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 3 | |
TDA-06
| Secure Software Development Practices (SSDP) | Technology Development & Acquisition | N/A | 10 | |
TDA-06.1
| Criticality Analysis | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-06.2
| Threat Modeling | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 7 | |
TDA-06.3
| Software Assurance Maturity Model (SAMM) | Technology Development & Acquisition | N/A | 9 | |
TDA-06.4
| Supporting Toolchain | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 6 | |
TDA-06.5
| Software Design Review | Technology Development & Acquisition | N/A | 10 | |
TDA-06.6
| Software Design Root Cause Analysis | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 5 | |
TDA-07
| Secure Development Environments | Technology Development & Acquisition | N/A | 9 | |
TDA-08
| Separation of Development, Testing and Operational Environments | Technology Development & Acquisition | N/A | 10 | |
TDA-08.1
| Secure Migration Practices | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-09
| Cybersecurity & Data Protection Testing Throughout Development | Technology Development & Acquisition | N/A | 9 | |
TDA-09.1
| Continuous Monitoring Plan | Technology Development & Acquisition | N/A | 9 | |
TDA-09.2
| Static Code Analysis | Technology Development & Acquisition | N/A | 9 | |
TDA-09.3
| Dynamic Code Analysis | Technology Development & Acquisition | N/A | 9 | |
TDA-09.4
| Malformed Input Testing | Technology Development & Acquisition | N/A | 7 | |
TDA-09.5
| Application Penetration Testing | Technology Development & Acquisition | N/A | 9 | |
TDA-09.6
| Secure Settings By Default | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-09.7
| Manual Code Review | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 5 | |
TDA-10
| Use of Live Data | Technology Development & Acquisition | N/A | 9 | |
TDA-10.1
| Test Data Integrity | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-11
| Product Tampering and Counterfeiting (PTC) | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-11.1
| Anti-Counterfeit Training | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 6 | |
TDA-11.2
| Component Disposal | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 0 | |
TDA-12
| Customized Development of Critical Components | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-13
| Developer Screening | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-14
| Developer Configuration Management | Technology Development & Acquisition | N/A | 9 | |
TDA-14.1
| Software / Firmware Integrity Verification | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-14.2
| Hardware Integrity Verification | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 5 | |
TDA-15
| Developer Threat Analysis & Flaw Remediation | Technology Development & Acquisition | N/A | 9 | |
TDA-16
| Developer-Provided Training | Technology Development & Acquisition | N/A | 9 | |
TDA-17
| Unsupported Technology Assets, Applications and/or Services (TAAS) | Technology Development & Acquisition | N/A | 10 | |
TDA-17.1
| Alternate Sources for Continued Support | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-18
| Input Data Validation | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-19
| Error Handling | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-20
| Access to Program Source Code | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-20.1
| Software Release Integrity Verification | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 6 | |
TDA-20.2
| Archiving Software Releases | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-20.3
| Software Escrow | Technology Development & Acquisition | N/A | 7 | |
TDA-20.4
| Approved Code | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 8 | |
TDA-21
| Product Conformity Governance | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 9 | |
TDA-22
| Technical Documentation Artifacts | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 7 | |
TDA-22.1
| Product-Specific Risk Assessment Artifacts | Technology Development & Acquisition | Section 5.1 Section 5.1: Project Management Framework - A structured project management framework should govern ... | 4 | |
TPM-01
| Third-Party Management | Third-Party Management | N/A | 10 | |
TPM-01.1
| Third-Party Inventories | Third-Party Management | Section 3.4 Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 8 | |
TPM-02
| Third-Party Criticality Assessments | Third-Party Management | Section 3.4 Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 9 | |
TPM-03
| Supply Chain Risk Management (SCRM) | Third-Party Management | N/A | 9 | |
TPM-03.1
| | Acquisition Strategies, Tools & Methods | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 9 | |
| TPM-03.2 | Limit Potential Harm | Third-Party Management | N/A | 9 | |
| TPM-03.3 | Processes To Address Weaknesses or Deficiencies | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 9 | |
| TPM-03.4 | Adequate Supply | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 9 | |
| TPM-04 | Third-Party Services | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 10 | |
| TPM-04.1 | Third-Party Risk Assessments & Approvals | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 9 | |
| TPM-04.2 | External Connectivity Requirements - Identification of Ports, Protocols & Services | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 7 | |
| TPM-04.3 | Conflict of Interests | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 8 | |
| TPM-04.4 | Third-Party Processing, Storage and Service Locations | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 10 | |
| TPM-05 | Third-Party Contract Requirements | Third-Party Management | N/A | 10 | |
| TPM-05.1 | Security Compromise Notification Agreements | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 9 | |
| TPM-05.2 | Contract Flow-Down Requirements | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 9 | |
| TPM-05.3 | Third-Party Authentication Practices | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 8 | |
| TPM-05.4 | Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 8 | |
| TPM-05.5 | Third-Party Scope Review | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 10 | |
| TPM-05.6 | First-Party Declaration (1PD) | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 7 | |
| TPM-05.7 | Break Clauses | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 9 | |
| TPM-05.8 | Third-Party Attestation (3PA) | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 5 | |
| TPM-06 | Third-Party Personnel Security | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 9 | |
| TPM-07 | Monitoring for Third-Party Information Disclosure | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 8 | |
| TPM-08 | Review of Third-Party Services | Third-Party Management | N/A | 9 | |
| TPM-09 | Third-Party Deficiency Remediation | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 9 | |
| TPM-10 | Managing Changes To Third-Party Services | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 8 | |
| TPM-11 | Third-Party Incident Response & Recovery Capabilities | Third-Party Management | Section 3.4: Management of Third Party Services - Third-party service providers should be subject to... | 8 | |
| THR-01 | Threat Intelligence Program | Threat Management | N/A | 8 | |
| THR-02 | Indicators of Exposure (IOE) | Threat Management | N/A | 8 | |
| THR-03 | Threat Intelligence Feeds | Threat Management | N/A | 8 | |
| THR-03.1 | Threat Intelligence Reporting | Threat Management | N/A | 8 | |
| THR-04 | Insider Threat Program | Threat Management | N/A | 8 | |
| THR-05 | Insider Threat Awareness | Threat Management | N/A | 8 | |
| THR-06 | Vulnerability Disclosure Program (VDP) | Threat Management | N/A | 8 | |
| THR-06.1 | Security Disclosure Contact Information | Threat Management | N/A | 1 | |
| THR-07 | Threat Hunting | Threat Management | N/A | 4 | |
| THR-08 | Tainting | Threat Management | N/A | 1 | |
| THR-09 | Threat Catalog | Threat Management | N/A | 5 | |
| THR-10 | Threat Analysis | Threat Management | N/A | 7 | |
| THR-11 | Behavioral Baselining | Threat Management | N/A | 5 | |
| VPM-01 | Vulnerability & Patch Management Program (VPMP) | Vulnerability & Patch Management | N/A | 9 | |
| VPM-01.1 | Attack Surface Scope | Vulnerability & Patch Management | N/A | 5 | |
| VPM-02 | Vulnerability Remediation Process | Vulnerability & Patch Management | N/A | 10 | |
| VPM-03 | Vulnerability Ranking | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 8 | |
| VPM-03.1 | Vulnerability Exploitation Analysis | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 5 | |
| VPM-04 | Continuous Vulnerability Remediation Activities | Vulnerability & Patch Management | N/A | 8 | |
| VPM-04.1 | Stable Versions | Vulnerability & Patch Management | N/A | 8 | |
| VPM-04.2 | Flaw Remediation with Personal Data (PD) | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 8 | |
| VPM-04.3 | Deferred Patching Decisions | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 2 | |
| VPM-05 | Software & Firmware Patching | Vulnerability & Patch Management | N/A | 10 | |
| VPM-05.1 | Centralized Management of Flaw Remediation Processes | Vulnerability & Patch Management | N/A | 9 | |
| VPM-05.2 | Automated Remediation Status | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 9 | |
| VPM-05.3 | Time To Remediate / Benchmarks For Corrective Action | Vulnerability & Patch Management | N/A | 6 | |
| VPM-05.4 | Automated Software & Firmware Updates | Vulnerability & Patch Management | N/A | 5 | |
| VPM-05.5 | Removal of Previous Versions | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 5 | |
| VPM-05.6 | Pre-Deployment Patch Testing | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 7 | |
| VPM-05.7 | Out-of-Cycle Patching | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 7 | |
| VPM-05.8 | Software Patch Integrity | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 9 | |
| VPM-06 | Vulnerability Scanning | Vulnerability & Patch Management | N/A | 9 | |
| VPM-06.1 | Update Tool Capability | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 8 | |
| VPM-06.2 | Breadth / Depth of Coverage | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 8 | |
| VPM-06.3 | Privileged Access | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 9 | |
| VPM-06.4 | Trend Analysis | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 9 | |
| VPM-06.5 | Review Historical Event Logs | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 9 | |
| VPM-06.6 | External Vulnerability Assessment Scans | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 9 | |
| VPM-06.7 | Internal Vulnerability Assessment Scans | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 9 | |
| VPM-06.8 | Acceptable Discoverable Information | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 5 | |
| VPM-06.9 | Correlate Scanning Information | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 5 | |
| VPM-07 | Penetration Testing | Vulnerability & Patch Management | N/A | 9 | |
| VPM-07.1 | Independent Penetration Agent or Team | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 6 | |
| VPM-08 | Technical Surveillance Countermeasures Security | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 1 | |
| VPM-09 | Reviewing Vulnerability Scanner Usage | Vulnerability & Patch Management | Section 7.4: Patch Management - Security patches and updates should be promptly evaluated, tested, a... | 3 | |
| VPM-10 | Red Team Exercises | Vulnerability & Patch Management | N/A | 3 | |
| WEB-01 | Web Security | Web Security | N/A | 8 | |
| WEB-01.1 | Unauthorized Code | Web Security | N/A | 9 | |
| WEB-02 | Use of Demilitarized Zones (DMZ) | Web Security | N/A | 9 | |
| WEB-03 | Web Application Firewall (WAF) | Web Security | N/A | 8 | |
| WEB-04 | Client-Facing Web Services | Web Security | N/A | 10 | |
| WEB-05 | Cookie Management | Web Security | N/A | 5 | |
| WEB-06 | Strong Customer Authentication (SCA) | Web Security | N/A | 8 | |
| WEB-07 | Web Security Standard | Web Security | N/A | 9 | |
| WEB-08 | Web Application Framework | Web Security | N/A | 9 | |
| WEB-09 | Validation & Sanitization | Web Security | N/A | 9 | |
| WEB-10 | Secure Web Traffic | Web Security | N/A | 9 | |
| WEB-11 | Output Encoding | Web Security | N/A | 9 | |
| WEB-12 | Web Browser Security | Web Security | N/A | 9 | |
| WEB-13 | Website Change Detection | Web Security | N/A | 8 | |
| WEB-14 | Publicly Accessible Content Reviews | Web Security | N/A | 7 | |