AZRamp (Level 3)

The Arizona Risk and Authorization Management Program (AZRAMP) is a security framework used by the State of Arizona to vet and authorize cloud service products. It is modeled after the Federal Risk and Authorization Management Program (FedRAMP) to ensure third-party vendors meet strict NIST-based data protection standards.

Controls:

The organization limits information system access to authorized users.

  • Policy and Procedures - AC-1

    a. Develop, document, and disseminate to defined personnel or roles an access control policy that addresses purpose, scope, roles, responsibilities, and compliance, together with procedures to facilitate its implementation;
    b. Designate an official to manage the policy;
    c. Review and update the policy and procedures at a defined frequency.

  • Account Management - AC-2

    a. Define and document the types of accounts allowed and prohibited;
    b. Assign account managers;
    c. Require prerequisites for group/role membership;
    d. Specify authorized users;
    e. Require approvals for account creation;
    f. Create, enable, modify, disable, and remove accounts;
    g. Monitor account use.

  • Automated System Account Management - AC-2(1)

    Support the management of system accounts using organization-defined automated mechanisms.

  • Automated Temporary and Emergency Account Management - AC-2(2)

    Automatically remove or disable temporary and emergency accounts after an organization-defined time period.

  • Disable Accounts - AC-2(3)

    Disable accounts within a defined time period when the accounts have expired, are no longer associated with a user, are in violation of policy, or have been inactive.

  • Automated Audit Actions - AC-2(4)

    Automatically audit account creation, modification, enabling, disabling, and removal actions.

  • Inactivity Logout - AC-2(5)

    Require that users log out after an organization-defined period of expected inactivity, or under organization-defined circumstances that call for logging out.

  • Disable Accounts for High-Risk Individuals - AC-2(13)

    Disable the accounts of individuals within a defined time period of the discovery of significant risks.

  • Access Enforcement - AC-3

    Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

  • Information Flow Enforcement - AC-4

    Enforce approved authorizations for controlling the flow of information within the system and between connected systems.

  • Separation of Duties - AC-5

    Identify and document the duties of individuals requiring separation, and define system access authorizations to support separation of duties.

  • Least Privilege - AC-6

    Employ the principle of least privilege, allowing only authorized accesses for users (or processes) that are necessary to accomplish assigned organizational tasks.

  • Authorize Access to Security Functions - AC-6(1)

    Authorize access for defined individuals or roles to security functions (hardware, software, firmware) and security-relevant information.

  • Non-Privileged Access to Nonsecurity Functions - AC-6(2)

    Require that users of system accounts with access to security functions use non-privileged accounts or roles when accessing nonsecurity functions.

  • Privileged Accounts - AC-6(5)

    Restrict privileged accounts on the system to organization-defined personnel or roles.

  • Review of User Privileges - AC-6(7)

    Review the privileges assigned to defined roles or classes of users at defined frequency to validate the need for such privileges.

  • Log Use of Privileged Functions - AC-6(9)

    Log the execution of privileged functions.

  • Prohibit Non-Privileged Users from Executing Privileged Functions - AC-6(10)

    Prevent non-privileged users from executing privileged functions.

  • Unsuccessful Logon Attempts - AC-7

    Enforce a limit on consecutive invalid logon attempts by a user during a defined time period, and automatically lock the account or node when the limit is exceeded.

  • Purge or Wipe Mobile Device - AC-7(2)

    Purge or wipe information from mobile devices after an organization-defined number of consecutive unsuccessful device logon attempts.

  • System Use Notification - AC-8

    Display a system use notification message or banner before granting access that states that the system is monitored, that unauthorized use is prohibited, and that use indicates consent.

  • Concurrent Session Control - AC-10

    Limit the number of concurrent sessions for each account and/or account type to a defined number.

  • Device Lock - AC-11

    Prevent further access to the system by initiating a device lock after a defined period of inactivity, or by requiring the user to initiate the lock.

  • Pattern-Hiding Displays - AC-11(1)

    Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

  • Session Termination - AC-12

    Automatically terminate a user session after organization-defined conditions or trigger events that require session disconnect.

  • Permitted Actions Without Identification or Authentication - AC-14

    Identify user actions that can be performed on the system without identification or authentication, and document the supporting rationale.

  • Remote Access - AC-17

    Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for remote access, and authorize each type of remote access.

  • Monitoring and Control - AC-17(1)

    Employ automated mechanisms to monitor and control remote access methods.

  • Protection of Confidentiality and Integrity Using Encryption - AC-17(2)

    Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

  • Managed Access Control Points - AC-17(3)

    Route remote accesses through authorized and managed network access control points.

  • Privileged Commands and Access - AC-17(4)

    Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence.

  • Disconnect or Disable Access - AC-17(9)

    Provide the capability to disconnect or disable remote access to the system within an organization-defined time period.

  • Wireless Access - AC-18

    Establish configuration requirements, connection requirements, and implementation guidance for wireless access, and authorize each type of wireless access.

  • Authentication and Encryption - AC-18(1)

    Protect wireless access to the system using authentication of users/devices and encryption.

  • Disable Wireless Networking - AC-18(3)

    Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

  • Access Control For Mobile Devices - AC-19

    Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices.

  • Full Device or Container-Based Encryption - AC-19(5)

    Employ full-device encryption or container-based encryption to protect the confidentiality and integrity of information on mobile devices.

  • Use of External Systems - AC-20

    Establish terms and conditions or identify controls consistent with trust relationships for accessing the system from external systems.

  • Limits on Authorized Use - AC-20(1)

    Permit authorized individuals to use an external system to access the system only after verification of controls or retention of approved agreements.

  • Portable Storage Devices - Restricted Use - AC-20(2)

    Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems.

  • Information Sharing - AC-21

    Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions.

  • Publicly Accessible Content - AC-22

    Designate individuals authorized to make information publicly accessible, train them, and review content prior to posting.

The organization ensures that managers and users of information systems are made aware of the security risks.

  • Policy and Procedures - AT-1

    Develop, document, and disseminate an awareness and training policy and procedures.

  • Literacy Training and Awareness - AT-2

    Provide security and privacy literacy training to system users as part of initial training and at a defined frequency thereafter.

  • Insider Threat - AT-2(2)

    Provide literacy training on recognizing and reporting potential indicators of insider threat.

  • Social Engineering and Mining - AT-2(3)

    Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.

  • Role-Based Training - AT-3

    Provide role-based security and privacy training to personnel with assigned security roles and responsibilities.

  • Processing Personally Identifiable Information - AT-3(5)

    Provide personnel with initial and periodic training in the employment and operation of personally identifiable information processing and transparency controls.

  • Training Records - AT-4

    Document and monitor information security and privacy training activities, and retain individual training records.

The organization creates, protects, and retains information system audit records.

  • Policy and Procedures - AU-1

    Develop, document, and disseminate an audit and accountability policy and procedures.

  • Event Logging - AU-2

    Identify the types of events that the system is capable of logging and specify event types for logging within the system.

  • Content of Audit Records - AU-3

    Ensure that audit records contain information that establishes what type of event occurred, when and where it occurred, the source of the event, its outcome, and the identity of any user or subject associated with it.

  • Additional Audit Information - AU-3(1)

    Generate audit records containing organization-defined additional information.

  • Limit Personally Identifiable Information Elements - AU-3(3)

    Limit personally identifiable information contained in audit records to elements identified in the privacy risk assessment.

  • Audit Log Storage Capacity - AU-4

    Allocate audit log storage capacity to accommodate organization-defined audit log retention requirements.

  • Response to Audit Logging Process Failures - AU-5

    Alert defined personnel in the event of an audit logging process failure and take additional defined actions.

  • Storage Capacity Warning - AU-5(1)

    Provide a warning to defined personnel within a defined time period when the allocated audit log storage volume reaches a defined percentage of its capacity.

  • Audit Record Review, Analysis, and Reporting - AU-6

    Review and analyze system audit records at a defined frequency for indications of inappropriate or unusual activity.

  • Automated Process Integration - AU-6(1)

    Integrate audit record review, analysis, and reporting processes using automated mechanisms.

  • Correlate Audit Report Repositories - AU-6(3)

    Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

  • Audit Record Reduction and Report Generation - AU-7

    Provide an audit record reduction and report generation capability that supports on-demand review and does not alter original content.

  • Automatic Processing - AU-7(1)

    Provide and implement the capability to process, sort, and search audit records for events of interest.

  • Time Stamps - AU-8

    Use internal system clocks to generate time stamps for audit records that meet defined granularity and use Coordinated Universal Time (UTC).

  • Protection of Audit Information - AU-9

    Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

  • Access by Subset of Privileged Users - AU-9(4)

    Authorize access to management of audit logging functionality to only a subset of privileged users.

  • Audit Record Retention - AU-11

    Retain audit records for a defined time period to provide support for after-the-fact investigations and to meet regulatory requirements.

  • Audit Record Generation - AU-12

    Provide audit record generation capability for the event types the system is capable of auditing.

  • Cross-organizational Audit Logging - AU-16

    Employ methods for coordinating audit information among external organizations when audit information is transmitted across boundaries.

The organization assesses the security controls in the information system.

  • Policy and Procedures - CA-1

    Develop, document, and disseminate an assessment, authorization, and monitoring policy and procedures.

  • Control Assessments - CA-2

    Select an appropriate assessor, develop an assessment plan, assess the controls, and produce an assessment report.

  • Independent Assessors - CA-2(1)

    Employ independent assessors or assessment teams to conduct control assessments.

  • Specialized Assessments - CA-2(2)

    Include specialized assessments (e.g., penetration testing, vulnerability scanning) as part of control assessments.

  • Information Exchange - CA-3

    Approve and manage the exchange of information between the system and other systems using agreements.

  • Plan of Action and Milestones - CA-5

    Develop a plan of action and milestones (POA&M) to document planned remediation actions for weaknesses.

  • Authorization - CA-6

    Assign a senior official as the authorizing official, and ensure that they accept the risk and authorize the system to operate.

  • Continuous Monitoring - CA-7

    Develop a system-level continuous monitoring strategy and implement continuous monitoring.

  • Independent Assessment - CA-7(1)

    Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

  • Penetration Testing - CA-8

    Conduct penetration testing at a defined frequency on defined systems.

  • Independent Penetration Testing Agent or Team - CA-8(1)

    Employ an independent penetration testing agent or team to perform penetration testing.

  • Internal System Connections - CA-9

    Authorize internal connections of system components to the system and document interface characteristics.

The organization establishes and maintains the integrity of information system products and systems.

  • Policy and Procedures - CM-1

    Develop, document, and disseminate a configuration management policy and procedures.

  • Baseline Configuration - CM-2

    Develop, document, and maintain a current baseline configuration of the system.

  • Automation Support for Accuracy and Currency - CM-2(2)

    Maintain the currency, completeness, accuracy, and availability of the baseline configuration using automated mechanisms.

  • Retention of Previous Configurations - CM-2(3)

    Retain a defined number of previous versions of baseline configurations to support rollback.

  • Configure Systems and Components for High-Risk Areas - CM-2(7)

    Issue systems with specific configurations to individuals traveling to high-risk locations.

  • Configuration Change Control - CM-3

    Determine the types of changes subject to control, review and approve changes, document decisions, and implement approved changes.

  • Testing, Validation, and Documentation of Changes - CM-3(2)

    Test, validate, and document changes to the system before finalizing the implementation.

  • Security and Privacy Representatives - CM-3(4)

    Require security and privacy representatives to be members of the configuration change control element.

  • Impact Analyses - CM-4

    Analyze changes to the system to determine potential security and privacy impacts prior to implementation.

  • Verification of Controls - CM-4(2)

    Verify that impacted controls are implemented correctly and operating as intended after system changes.

  • Access Restrictions for Change - CM-5

    Define, document, approve, and enforce physical and logical access restrictions associated with changes.

  • Configuration Settings - CM-6

    Establish and document configuration settings that reflect the most restrictive mode consistent with operational requirements.

  • Least Functionality - CM-7

    Configure the system to provide only mission-essential capabilities and prohibit unauthorized functions and ports.

  • Periodic Review - CM-7(1)

    Review the system periodically to identify and disable unnecessary functions, ports, protocols, and services.

  • Prevent Program Execution - CM-7(2)

    Prevent program execution in accordance with policies regarding software usage.

  • Authorized Software - CM-7(5)

    Identify authorized software and employ a deny-all, permit-by-exception policy.

  • System Component Inventory - CM-8

    Develop and document an inventory of system components that accurately reflects the system.

  • Updates During Installation and Removal - CM-8(1)

    Update the inventory of system components as part of component installations, removals, and system updates.

  • Automated Unauthorized Component Detection - CM-8(3)

    Detect the presence of unauthorized components using automated mechanisms and take action.

  • Configuration Management Plan - CM-9

    Develop, document, and implement a configuration management plan.

  • Software Usage Restrictions - CM-10

    Use software in accordance with contract agreements and copyright laws, and track its use.

  • Open-Source Software - CM-10(1)

    Establish restrictions on the use of open-source software.

  • User-Installed Software - CM-11

    Establish policies governing installation of software by users and enforce them.

  • Information Location - CM-12

    Identify and document the location of information and system components.

  • Automated Tools to Support Information Location - CM-12(1)

    Use automated tools to identify information by type on system components.

The organization establishes, maintains, and effectively implements plans for emergency response, backup operations, and post-disaster recovery.

  • Policy and Procedures - CP-1

    Develop, document, and disseminate a contingency planning policy and procedures.

  • Contingency Plan - CP-2

    Develop a contingency plan that identifies essential functions, recovery objectives, and roles.

  • Coordinate with Related Plans - CP-2(1)

    Coordinate contingency plan development with organizational elements responsible for related plans.

  • Resume Mission and Business Functions - CP-2(3)

    Plan for the resumption of mission and business functions within a defined time period.

  • Identify Critical Assets - CP-2(8)

    Identify critical system assets supporting mission and business functions.

  • Contingency Training - CP-3

    Provide contingency training to system users consistent with assigned roles.

  • Contingency Plan Testing - CP-4

    Test the contingency plan to determine effectiveness and readiness.

  • Coordinate with Related Plans - CP-4(1)

    Coordinate contingency plan testing with organizational elements responsible for related plans.

  • Alternate Storage Site - CP-6

    Establish an alternate storage site including necessary agreements.

  • Separation from Primary Site - CP-6(1)

    Identify an alternate storage site that is sufficiently separated from the primary site.

  • Accessibility - CP-6(3)

    Identify potential accessibility problems to the alternate storage site.

  • Alternate Processing Site - CP-7

    Establish an alternate processing site.

  • Separation from Primary Site - CP-7(1)

    Identify an alternate processing site that is sufficiently separated from the primary site.

  • Accessibility - CP-7(2)

    Identify potential accessibility problems to alternate processing sites.

  • Priority of Service - CP-7(3)

    Develop alternate processing site agreements that contain priority-of-service provisions.

  • Telecommunications Services - CP-8

    Establish alternate telecommunications services.

  • Priority of Service Provisions - CP-8(1)

    Develop telecommunications service agreements that contain priority-of-service provisions.

  • Single Points of Failure - CP-8(2)

    Obtain alternate telecommunications services to reduce likelihood of sharing a single point of failure.

  • System Backup - CP-9

    Conduct backups of user-level and system-level information.

  • Testing for Reliability and Integrity - CP-9(1)

    Test backup information to verify media reliability and information integrity.

  • Cryptographic Protection - CP-9(8)

    Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of backup information.

  • System Recovery and Reconstitution - CP-10

    Provide for the recovery and reconstitution of the system to a known state.

  • Transaction Recovery - CP-10(2)

    Implement transaction recovery for systems that are transaction-based.

The organization identifies information system users, processes acting on behalf of users, or devices, and authenticates (or verifies) the identities of those users, processes, or devices.

  • Policy and Procedures - IA-1

    Develop, document, and disseminate an identification and authentication policy and procedures.

  • Identification and Authentication (Organizational Users) - IA-2

    Uniquely identify and authenticate organizational users.

  • Multi-Factor Authentication to Privileged Accounts - IA-2(1)

    Implement multi-factor authentication for access to privileged accounts.

  • Multi-Factor Authentication to Non-Privileged Accounts - IA-2(2)

    Implement multi-factor authentication for access to non-privileged accounts.

  • Access to Accounts - Separate Device - IA-2(6)

    Implement multi-factor authentication where one factor is provided by a separate device.

  • Access to Accounts - Replay Resistant - IA-2(8)

    Implement replay-resistant authentication mechanisms.

  • Device Identification and Authentication - IA-3

    Uniquely identify and authenticate devices before establishing a connection.

  • Identifier Management - IA-4

    Manage system identifiers by receiving authorization, selecting identifiers, assigning them, and preventing reuse.

  • Identify User Status - IA-4(4)

    Manage individual identifiers by uniquely identifying each individual as having a specific status (e.g., contractor).

  • Authenticator Management - IA-5

    Manage system authenticators, including verification, initial content, strength, and protection.

  • Password-Based Authentication - IA-5(1)

    Enforce password complexity, lifetime, and protection rules, and block compromised passwords.

  • Public Key-Based Authentication - IA-5(2)

    Enforce authorized access to private keys and map identity for public key-based authentication.

  • Protection of Authenticators - IA-5(6)

    Protect authenticators commensurate with the security category of the information.

  • Authentication Feedback - IA-6

    Obscure feedback of authentication information during the authentication process.

  • Cryptographic Module Authentication - IA-7

    Implement mechanisms for authentication to a cryptographic module.

  • Identification and Authentication (Non-Organizational Users) - IA-8

    Uniquely identify and authenticate non-organizational users.

  • Acceptance of External Authenticators - IA-8(2)

    Accept only external authenticators that are NIST-compliant.

  • Use of Defined Profiles - IA-8(4)

    Conform to profiles for identity management.

  • Re-Authentication - IA-11

    Require users to re-authenticate when defined circumstances occur.

  • Identity Proofing - IA-12

    Identity-proof users who require accounts.

  • Identity Evidence - IA-12(2)

    Require evidence of individual identification.

  • Identity Evidence Validation and Verification - IA-12(3)

    Require that presented identity evidence be validated and verified.

  • Address Confirmation - IA-12(5)

    Require that a code be delivered out-of-band to verify the user's address.

The organization establishes an operational incident handling capability.

  • Policy and Procedures - IR-1

    Develop, document, and disseminate an incident response policy and procedures.

  • Incident Response Training - IR-2

    Provide incident response training to system users consistent with roles.

  • Breach - IR-2(3)

    Provide incident response training on how to identify and respond to a breach.

  • Incident Response Testing - IR-3

    Test the effectiveness of the incident response capability.

  • Coordination with Related Plans - IR-3(2)

    Coordinate incident response testing with organizational elements responsible for related plans.

  • Incident Handling - IR-4

    Implement an incident handling capability that includes preparation, detection, analysis, containment, eradication, and recovery.

  • Automated Incident Handling Processes - IR-4(1)

    Support the incident handling process using automated mechanisms.

  • Incident Monitoring - IR-5

    Track and document incidents.

  • Incident Reporting - IR-6

    Require personnel to report suspected incidents and report information to authorities.

  • Automated Reporting - IR-6(1)

    Report incidents using automated mechanisms.

  • Supply Chain Coordination - IR-6(3)

    Provide incident information to supply chain partners related to the incident.

  • Incident Response Assistance - IR-7

    Provide an incident response support resource.

  • Automation Support for Availability of Information and Support - IR-7(1)

    Increase the availability of incident response information using automated mechanisms.

  • Incident Response Plan - IR-8

    Develop an incident response plan.

  • Breaches - IR-8(1)

    Include a process for breaches involving PII in the incident response plan.

  • Information Spillage Response - IR-9

    Respond to information spills.

The organization performs periodic and timely maintenance on information systems.

  • Policy and Procedures - MA-1

    Develop, document, and disseminate a maintenance policy and procedures.

  • Controlled Maintenance - MA-2

    Schedule, document, and review records of maintenance, and approve and monitor maintenance activities.

  • Maintenance Tools - MA-3

    Approve, control, and monitor the use of system maintenance tools.

  • Inspect Tools - MA-3(1)

    Inspect maintenance tools for improper modifications.

  • Inspect Media - MA-3(2)

    Check media containing diagnostic programs for malicious code.

  • Prevent Unauthorized Removal - MA-3(3)

    Prevent removal of maintenance equipment containing organizational information.

  • Nonlocal Maintenance - MA-4

    Approve and monitor nonlocal maintenance, allow it only when consistent with policy, and use strong authentication.

  • Maintenance Personnel - MA-5

    Establish a process for authorizing maintenance personnel and maintain a list of authorized personnel.

  • Timely Maintenance - MA-6

    Obtain maintenance support within a defined time period of failure.

The organization protects information system media.

  • Policy and Procedures - MP-1

    Develop, document, and disseminate a media protection policy and procedures.

  • Media Access - MP-2

    Restrict access to media to authorized personnel.

  • Media Marking - MP-3

    Mark system media indicating distribution limitations.

  • Media Storage - MP-4

    Physically control and securely store media.

  • Media Transport - MP-5

    Protect and control media during transport outside controlled areas.

  • Media Sanitization - MP-6

    Sanitize media prior to disposal or reuse.

  • Review, Approve, Track, Document, and Verify - MP-6(1)

    Review, approve, track, document, and verify media sanitization actions.

  • Media Use - MP-7

    Restrict or prohibit use of specific media types.

The organization protects information systems from physical and environmental threats.

  • Policy and Procedures - PE-1

    Develop, document, and disseminate a physical and environmental protection policy.

  • Physical Access Authorizations - PE-2

    Maintain a list of authorized individuals and issue credentials.

  • Physical Access Control - PE-3

    Enforce physical access authorizations at entry/exit points.

  • Access Control for Transmission - PE-4

    Control physical access to transmission lines.

  • Access Control for Output Devices - PE-5

    Control physical access to output devices.

  • Monitoring Physical Access - PE-6

    Monitor physical access to the facility.

  • Intrusion Alarms and Surveillance Equipment - PE-6(1)

    Monitor physical access using alarms and surveillance.

  • Visitor Access Records - PE-8

    Maintain visitor access records.

  • Power Equipment and Cabling - PE-9

    Protect power equipment and cabling.

  • Emergency Shutoff - PE-10

    Provide the capability to shut off power in an emergency.

  • Emergency Power - PE-11

    Provide an uninterruptible power supply (UPS) to facilitate orderly shutdown.

  • Emergency Lighting - PE-12

    Employ automatic emergency lighting.

  • Fire Protection - PE-13

    Employ fire detection and suppression systems.

  • Detection Systems - Automatic Activation and Notification - PE-13(1)

    Employ fire detection systems that activate automatically and notify.

  • Suppression Systems - Automatic Activation and Notification - PE-13(2)

    Employ fire suppression systems that activate automatically.

  • Inspections - PE-13(4)

    Ensure the facility undergoes fire protection inspections.

  • Environmental Controls - PE-14

    Maintain temperature and humidity levels.

  • Monitoring with Alarms and Notifications - PE-14(2)

    Employ environmental monitoring with alarms.

  • Water Damage Protection - PE-15

    Protect from water damage with shutoff valves.

  • Delivery and Removal - PE-16

    Authorize and control system components entering or exiting the facility.

  • Alternate Work Site - PE-17

    Determine alternate work sites and employ controls.

  • Location of System Components - PE-18

    Position components to minimize potential damage and unauthorized access.

The organization develops, documents, periodically updates, and implements security plans for organizational information systems.

  • Policy and Procedures - PL-1

    Develop, document, and disseminate a planning policy and procedures.

  • System Security and Privacy Plans - PL-2

    Develop security and privacy plans for the system.

  • Rules of Behavior - PL-4

    Establish rules of behavior for individuals accessing the system.

  • Social Media and External Site/Application Usage Restrictions - PL-4(1)

    Include restrictions on social media use in rules of behavior.

  • Security and Privacy Architectures - PL-8

    Develop security and privacy architectures for the system.

  • Central Management - PL-9

    Centrally manage organization-defined controls.

  • Baseline Selection - PL-10

    Select a control baseline for the system.

  • Baseline Tailoring - PL-11

    Tailor the selected control baseline.

The organization manages its information security program.

  • Information Security Program Plan - PM-1

    Develop and disseminate an organization-wide information security program plan.

  • Information Security Program Leadership Role - PM-2

    Appoint a senior agency information security officer.

  • Plan of Action and Milestones Process - PM-4

    Implement a process for plans of action and milestones (POA&Ms).

  • System Inventory - PM-5

    Develop and update an inventory of organizational systems.

  • Critical Infrastructure Plan - PM-8

    Address security in the critical infrastructure protection plan.

  • Risk Management Strategy - PM-9

    Develop a comprehensive risk management strategy.

  • Authorization Process - PM-10

    Manage security state through authorization processes.

  • Testing, Training, and Monitoring - PM-14

    Implement a process for testing, training, and monitoring.

  • Privacy Program Plan - PM-18

    Develop and disseminate a privacy program plan.

  • Privacy Program Leadership Role - PM-19

    Appoint a senior agency official for privacy.

  • Accounting of Disclosures - PM-21

    Develop and maintain an accounting of PII disclosures.

  • Personally Identifiable Information Quality Management - PM-22

    Develop policies for PII accuracy.

  • Minimization of PII in Testing - PM-25

    Develop policies to minimize PII use in testing.

  • Privacy Reporting - PM-27

    Develop privacy reports.

  • Continuous Monitoring Strategy - PM-31

    Develop organization-wide continuous monitoring strategy.

The organization ensures that individuals occupying positions of responsibility are trustworthy and meet established security criteria.

  • Policy and Procedures - PS-1

    Develop, document, and disseminate a personnel security policy and procedures.

  • Position Risk Designation - PS-2

    Assign risk designation to all positions.

  • Personnel Screening - PS-3

    Screen individuals prior to authorizing access.

  • Personnel Termination - PS-4

    Disable access and retrieve property upon termination.

  • Personnel Transfer - PS-5

    Review access when individuals transfer positions.

  • Access Agreements - PS-6

    Develop and document access agreements.

  • External Personnel Security - PS-7

    Establish personnel security requirements for external providers.

  • Personnel Sanctions - PS-8

    Employ formal sanctions process.

  • Position Descriptions - PS-9

    Incorporate security roles into position descriptions.

The organization protects personally identifiable information (PII).

  • Policy and Procedures - PT-1

    Develop, document, and disseminate PII policy and procedures.

  • Authority to Process PII - PT-2

    Determine and document authority to process PII.

  • PII Processing Purposes - PT-3

    Identify and document purposes for processing PII.

  • Privacy Notice - PT-5

    Provide notice to individuals about PII processing.

  • Specific Categories of PII - PT-7

    Apply processing conditions for specific categories of PII.

  • Social Security Numbers - PT-7(1)

    Eliminate unnecessary collection of SSNs.

The organization assesses risk to organizational operations.

  • Policy and Procedures - RA-1

    Develop, document, and disseminate a risk assessment policy and procedures.

  • Security Categorization - RA-2

    Categorize the system and information.

  • Risk Assessment - RA-3

    Conduct a risk assessment.

  • Supply Chain Risk Assessment - RA-3(1)

    Assess supply chain risks.

  • Vulnerability Monitoring and Scanning - RA-5

    Monitor and scan for vulnerabilities.

  • Update Vulnerabilities to Be Scanned - RA-5(2)

    Update system vulnerabilities to be scanned.

  • Breadth and Depth of Coverage - RA-5(3)

    Define breadth and depth of scanning.

  • Privileged Access - RA-5(5)

    Implement privileged access for scanning.

  • Review Historic Audit Logs - RA-5(8)

    Review historic logs for past exploitation.

  • Risk Response - RA-7

    Respond to findings from assessments.

  • Privacy Impact Assessments - RA-8

    Conduct PIAs.

The organization allocates resources and manages the system development life cycle.

  • Policy and Procedures - SA-1

    Develop, document, and disseminate a system and services acquisition policy.

  • Allocation of Resources - SA-2

    Determine and allocate resources for security.

  • System Development Life Cycle - SA-3

    Manage the system using an SDLC that incorporates security.

  • Acquisition Process - SA-4

    Include security requirements in acquisition contracts.

  • Functional Properties of Controls - SA-4(1)

    Require developer to describe functional properties of controls.

  • Design and Implementation Information - SA-4(2)

    Require developer to provide design info.

  • Functions, Ports, Protocols, Services - SA-4(9)

    Require developer to identify functions, ports, protocols, and services.

  • Use of Approved PIV Products - SA-4(10)

    Employ FIPS 201-approved PIV products.

  • System Documentation - SA-5

    Obtain or develop administrator and user documentation.

  • Security and Privacy Engineering Principles - SA-8

    Apply engineering principles in design.

  • External System Services - SA-9

    Require providers to comply with security requirements.

  • Identification of Functions/Ports - SA-9(2)

    Require providers to identify functions, ports, and protocols.

  • Processing Location - SA-9(5)

    Restrict location of processing/storage.

  • Developer Configuration Management - SA-10

    Require developer to perform CM.

  • Developer Testing and Evaluation - SA-11

    Require developer to perform testing.

  • Threat Modeling - SA-11(2)

    Require developer to perform threat modeling.

  • Development Process; Standards; Tools - SA-15

    Require developer to follow documented process.

The organization monitors, controls, and protects organizational communications.

  • Policy and Procedures - SC-1

    Develop, document, and disseminate an SC policy and procedures.

  • Separation of System and User Functionality - SC-2

    Separate user functionality from system management.

  • Information in Shared System Resources - SC-4

    Prevent unauthorized information transfer via shared resources.

  • Denial-of-Service Protection - SC-5

    Protect against denial-of-service events.

  • Boundary Protection - SC-7

    Monitor and control communications at boundaries.

  • Access Points - SC-7(3)

    Limit external connections.

  • External Telecommunications Services - SC-7(4)

    Implement managed interface for external services.

  • Deny by Default - SC-7(5)

    Deny traffic by default; allow by exception.

  • Split Tunneling - SC-7(7)

    Prevent split tunneling.

  • Route Traffic to Authenticated Proxy - SC-7(8)

    Route traffic through authenticated proxy.

  • Boundary Protection (PII) - SC-7(24)

    Apply processing rules to PII at boundaries.

  • Transmission Confidentiality and Integrity - SC-8

    Protect confidentiality/integrity of transmitted info.

  • Cryptographic Protection - SC-8(1)

    Implement crypto to prevent disclosure/modification.

  • Network Disconnect - SC-10

    Terminate connection at end of session or inactivity.

  • Cryptographic Key Establishment and Management - SC-12

    Establish and manage cryptographic keys.

  • Cryptographic Protection - SC-13

    Implement cryptography.

  • Collaborative Computing Devices - SC-15

    Prohibit remote activation of collaborative devices.

  • PKI Certificates - SC-17

    Issue certificates from approved PKI.

  • Mobile Code - SC-18

    Define and control mobile code.

  • Secure Name/Address Resolution (Authoritative) - SC-20

    Provide additional artifacts for name resolution.

  • Secure Name/Address Resolution (Recursive) - SC-21

    Perform data origin authentication on responses.

  • Architecture for Name Resolution - SC-22

    Ensure fault-tolerant name resolution.

  • Session Authenticity - SC-23

    Protect authenticity of sessions.

  • Protection of Information at Rest - SC-28

    Protect information at rest.

  • Cryptographic Protection (Rest) - SC-28(1)

    Implement crypto for data at rest.

  • Process Isolation - SC-39

    Maintain separate execution domains.

  • Synchronization with Authoritative Time - SC-45(1)

    Synchronize clocks.

The organization identifies, reports, and corrects information and system flaws.

  • Policy and Procedures - SI-1

    Develop, document, and disseminate SI policy and procedures.

  • Flaw Remediation - SI-2

    Identify, report, and correct system flaws.

  • Automated Flaw Remediation Status - SI-2(2)

    Determine update status using automation.

  • Malicious Code Protection - SI-3

    Implement malicious code protection.

  • System Monitoring - SI-4

    Monitor system to detect attacks.

  • Automated Analysis - SI-4(2)

    Employ automated tools for analysis.

  • Inbound/Outbound Traffic - SI-4(4)

    Monitor traffic for unusual activity.

  • System-Generated Alerts - SI-4(5)

    Alert personnel on compromise indicators.

  • Host-Based Devices - SI-4(23)

    Implement host-based monitoring.

  • Security Alerts, Advisories, and Directives - SI-5

    Receive and respond to alerts.

  • Software and Information Integrity - SI-7

    Employ integrity verification tools.

  • Integrity Checks - SI-7(1)

    Perform integrity checks.

  • Automated Notifications - SI-7(2)

    Notify on integrity violations.

  • Integration of Detection and Response - SI-7(7)

    Incorporate detection into IR.

  • Spam Protection - SI-8

    Employ spam protection.

  • Automatic Updates - SI-8(2)

    Automatically update spam protection.

  • Information Input Validation - SI-10

    Check validity of inputs.

  • Error Handling - SI-11

    Generate error messages without revealing info.

  • Information Management and Retention - SI-12

    Manage and retain information.

  • Minimize PII - SI-12(2)

    Minimize PII in testing.

  • Information Disposal - SI-12(3)

    Dispose of information securely.

  • Memory Protection - SI-16

    Protect system memory.

  • De-Identification - SI-19

    Remove PII from datasets.

The organization manages supply chain risks.

  • Policy and Procedures - SR-1

    Develop, document, and disseminate SCRM policy.

  • Supply Chain Risk Management Plan - SR-2

    Develop an SCRM plan.

  • Establish SCRM Team - SR-2(1)

    Establish an SCRM team.

  • Supply Chain Controls and Processes - SR-3

    Establish process to address supply chain weaknesses.

  • Acquisition Strategies - SR-5

    Employ acquisition strategies to mitigate risk.

  • Supplier Assessments - SR-6

    Assess and review supplier risks.

  • Notification Agreements - SR-8

    Establish agreements for notification of compromises.

  • Inspection of Systems - SR-10

    Inspect systems for tampering.

  • Component Authenticity - SR-11

    Develop anti-counterfeit policy.

  • Anti-Counterfeit Training - SR-11(1)

    Train personnel to detect counterfeits.

  • Configuration Control for Service - SR-11(2)

    Maintain configuration control during service.

  • Component Disposal - SR-12

    Dispose of components securely.