AWS NIST 800 53 Security Controls Mapping
This document describes the NIST SP 800-53 Security Controls* that are directly addressed by
package, including those for which there is an inheritance of security features from the AWS-m
services. This matrix also includes mappings to FedRAMP selection of the NIST Controls, which
systems, the NIST SP 800-171 CUI data protection requirements, the NIST SP 800-122 PII data pro
the OMB Trusted Internet Connection (TIC) capability requirements as described in the FedRA
program, CNSSI 1253 control selections, and the DoD Cloud Security Requirements Guide contro
1, Rel. 2 (18 March 2016)
In addition, there are columns of data that indicate which of the AWS Quick Start Cloudformation
Resource types within the template(s) are associated with the control. Given this information
statements within the AWS CloudFormation templates that address the control, in case there
modifications.
It is important to note that the details in the Quick Start for this Standardized Architecture for N
Frameworks in the AWS Cloud are not exhaustive. Customers should review, assess, and appro
supplement with other security features, to address the overall security posture of the workload(s)
| Control Family | Control (Major) | Control (Sub-parts) | Title | Description | Priority |
|---|---|---|---|---|---|
| ACCESS CONTROL | AC-1 | AC-1a.2 | ACCESS CONTROL POLICY AND PROCEDURES | Procedures to facilitate the implementation of the access control policy and associated access controls; and | P1 |
| ACCESS CONTROL | AC-1 | AC-1b | ACCESS CONTROL POLICY AND PROCEDURES | Reviews and updates the current: | P1 |
| ACCESS CONTROL | AC-1 | AC-1b.1 | ACCESS CONTROL POLICY AND PROCEDURES | Access control policy [Assignment: organization-defined frequency]; and | P1 |
| ACCESS CONTROL | AC-1 | AC-1b.2 | ACCESS CONTROL POLICY AND PROCEDURES | Access control procedures [Assignment: organization-defined frequency]. | P1 |
| ACCESS CONTROL | AC-2 | AC-2 | ACCOUNT MANAGEMENT | The organization: | P1 |
| ACCESS CONTROL | AC-2 | AC-2a | ACCOUNT MANAGEMENT | Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; | P1 |
| ACCESS CONTROL | AC-2 | AC-2b | ACCOUNT MANAGEMENT | Assigns account managers for information system accounts; | P1 |
| ACCESS CONTROL | AC-2 | AC-2c | ACCOUNT MANAGEMENT | Establishes conditions for group and role membership; | P1 |
| ACCESS CONTROL | AC-2 | AC-2d | ACCOUNT MANAGEMENT | Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; | P1 |
| ACCESS CONTROL | AC-2 | AC-2f | ACCOUNT MANAGEMENT | Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; | P1 |
| ACCESS CONTROL | AC-2 | AC-2g | ACCOUNT MANAGEMENT | Monitors the use of information system accounts; | P1 |
| ACCESS CONTROL | AC-2 | AC-2h | ACCOUNT MANAGEMENT | Notifies account managers: | P1 |
| ACCESS CONTROL | AC-2 | AC-2h.1 | ACCOUNT MANAGEMENT | When accounts are no longer required; | P1 |
| ACCESS CONTROL | AC-2 | AC-2h.2 | ACCOUNT MANAGEMENT | When users are terminated or transferred; and | P1 |
| ACCESS CONTROL | AC-2 | AC-2h.3 | ACCOUNT MANAGEMENT | When individual information system usage or need-to-know changes; | P1 |
| ACCESS CONTROL | AC-2 | AC-2i | ACCOUNT MANAGEMENT | Authorizes access to the information system based on: | P1 |
| ACCESS CONTROL | AC-2 | AC-2i.3 | ACCOUNT MANAGEMENT | Other attributes as required by the organization or associated missions/business functions; | P1 |
| ACCESS CONTROL | AC-2 | AC-2j | ACCOUNT MANAGEMENT | Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and | P1 |
| ACCESS CONTROL | AC-2 | AC-2k | ACCOUNT MANAGEMENT | Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. | P1 |
| ACCESS CONTROL | AC-2 (1) | AC-2 (1) | AUTOMATED SYSTEM ACCOUNT MANAGEMENT | The organization employs automated mechanisms to support the management of information system accounts. | |
| ACCESS CONTROL | AC-2 (2) | AC-2 (2) | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS | The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. | |
| ACCESS CONTROL | AC-2 (3) | AC-2 (3) | DISABLE INACTIVE ACCOUNTS | The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. | |
| ACCESS CONTROL | AC-2 (4) | AC-2 (4) | AUTOMATED AUDIT ACTIONS | The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. | |
| ACCESS CONTROL | AC-2 (5) | AC-2 (5) | INACTIVITY LOGOUT | The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out]. | |
| ACCESS CONTROL | AC-2 (6) | AC-2 (6) | DYNAMIC PRIVILEGE MANAGEMENT | The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities]. | |
| ACCESS CONTROL | AC-2 (7) | AC-2 (7)(b) | ROLE-BASED SCHEMES | Monitors privileged role assignments; and | |
| ACCESS CONTROL | AC-2 (7) | AC-2 (7)(c) | ROLE-BASED SCHEMES | Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate. | |
| ACCESS CONTROL | AC-2 (8) | AC-2 (8) | DYNAMIC ACCOUNT CREATION | The information system creates [Assignment: organization-defined information system accounts] dynamically. | |
| ACCESS CONTROL | AC-2 (9) | AC-2 (9) | RESTRICTIONS ON USE OF SHARED / GROUP ACCOUNTS | The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts]. | |
| ACCESS CONTROL | AC-2 (10) | AC-2 (10) | SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION | The information system terminates shared/group account credentials when members leave the group. | |
| ACCESS CONTROL | AC-2 (11) | AC-2 (11) | USAGE CONDITIONS | The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]. | |
| ACCESS CONTROL | AC-3 | AC-3 | ACCESS ENFORCEMENT | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | P1 |
| ACCESS CONTROL | AC-3 (1) | AC-3 (1) | RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS | [Withdrawn: Incorporated into AC-6]. | |
| ACCESS CONTROL | AC-3 (2) | AC-3 (2) | DUAL AUTHORIZATION | The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. | |
| ACCESS CONTROL | AC-3 (3) | AC-3 (3) | MANDATORY ACCESS CONTROL | The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy: | |
| ACCESS CONTROL | AC-3 (3) | AC-3 (3)(a) | MANDATORY ACCESS CONTROL | Is uniformly enforced across all subjects and objects within the boundary of the information system; | |
| ACCESS CONTROL | AC-3 (3) | AC-3 (3)(b) | MANDATORY ACCESS CONTROL | Specifies that a subject that has been granted access to information is constrained from doing any of the following; | |
| ACCESS CONTROL | AC-3 (3) | AC-3 (3)(b)(1) | MANDATORY ACCESS CONTROL | Passing the information to unauthorized subjects or objects; | |
| ACCESS CONTROL | AC-3 (3) | AC-3 (3)(b)(2) | MANDATORY ACCESS CONTROL | Granting its privileges to other subjects; | |
| ACCESS CONTROL | AC-3 (3) | AC-3 (3)(b)(3) | MANDATORY ACCESS CONTROL | Changing one or more security attributes on subjects, objects, the information system, or information system components; | |
| ACCESS CONTROL | AC-3 (3) | AC-3 (3)(b)(4) | MANDATORY ACCESS CONTROL | Choosing the security attributes and attribute values to be associated with newly created or modified objects; or | |
| ACCESS CONTROL | AC-3 (3) | AC-3 (3)(b)(5) | MANDATORY ACCESS CONTROL | Changing the rules governing access control; and | |
| ACCESS CONTROL | AC-3 (3) | AC-3 (3)(c) | MANDATORY ACCESS CONTROL | Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints. | |
| ACCESS CONTROL | AC-3 (4) | AC-3 (4) | DISCRETIONARY ACCESS CONTROL | The information system enforces [Assignment: organization-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following: | |
| ACCESS CONTROL | AC-3 (4) | AC-3 (4)(a) | DISCRETIONARY ACCESS CONTROL | Pass the information to any other subjects or objects; | |
| ACCESS CONTROL | AC-3 (4) | AC-3 (4)(b) | DISCRETIONARY ACCESS CONTROL | Grant its privileges to other subjects; | |
| ACCESS CONTROL | AC-3 (4) | AC-3 (4)(c) | DISCRETIONARY ACCESS CONTROL | Change security attributes on subjects, objects, the information system, or the information system's components; | |
| ACCESS CONTROL | AC-3 (4) | AC-3 (4)(d) | DISCRETIONARY ACCESS CONTROL | Choose the security attributes to be associated with newly created or revised objects; or | |
| ACCESS CONTROL | AC-3 (4) | AC-3 (4)(e) | DISCRETIONARY ACCESS CONTROL | Change the rules governing access control. | |
| ACCESS CONTROL | AC-3 (5) | AC-3 (5) | SECURITY-RELEVANT INFORMATION | The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. | |
| ACCESS CONTROL | AC-3 (6) | AC-3 (6) | PROTECTION OF USER AND SYSTEM INFORMATION | [Withdrawn: Incorporated into MP-4 and SC-28]. | |
| ACCESS CONTROL | AC-3 (7) | AC-3 (7) | ROLE-BASED ACCESS CONTROL | The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. | |
| ACCESS CONTROL | AC-3 (8) | AC-3 (8) | REVOCATION OF ACCESS AUTHORIZATIONS | The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. | |
| ACCESS CONTROL | AC-3 (9) | AC-3 (9) | CONTROLLED RELEASE | The information system does not release information outside of the established system boundary unless: | |
| ACCESS CONTROL | AC-3 (9) | AC-3 (9)(a) | CONTROLLED RELEASE | The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and | |
| ACCESS CONTROL | AC-3 (9) | AC-3 (9)(b) | CONTROLLED RELEASE | [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release. | |
| ACCESS CONTROL | AC-3 (10) | AC-3 (10) | AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS | The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions]. | |
| ACCESS CONTROL | AC-4 | AC-4 | INFORMATION FLOW ENFORCEMENT | The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. | P1 |
| ACCESS CONTROL | AC-4 (1) | AC-4 (1) | OBJECT SECURITY ATTRIBUTES | The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. | |
| ACCESS CONTROL | AC-4 (2) | AC-4 (2) | PROCESSING DOMAINS | The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. | |
| ACCESS CONTROL | AC-4 (3) | AC-4 (3) | DYNAMIC INFORMATION FLOW CONTROL | The information system enforces dynamic information flow control based on [Assignment: organization-defined policies]. | |
| ACCESS CONTROL | AC-4 (4) | AC-4 (4) | CONTENT CHECK ENCRYPTED INFORMATION | The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. | |
| ACCESS CONTROL | AC-4 (5) | AC-4 (5) | EMBEDDED DATA TYPES | The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types. | |
| ACCESS CONTROL | AC-4 (6) | AC-4 (6) | METADATA | The information system enforces information flow control based on [Assignment: organization-defined metadata]. | |
| ACCESS CONTROL | AC-4 (7) | AC-4 (7) | ONE-WAY FLOW MECHANISMS | The information system enforces [Assignment: organization-defined one-way information flows] using hardware mechanisms. | |
| ACCESS CONTROL | AC-4 (8) | AC-4 (8) | SECURITY POLICY FILTERS | The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. | |
| ACCESS CONTROL | AC-4 (9) | AC-4 (9) | HUMAN REVIEWS | The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. | |
| ACCESS CONTROL | AC-4 (10) | AC-4 (10) | ENABLE / DISABLE SECURITY POLICY FILTERS | The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions]. | |
| ACCESS CONTROL | AC-4 (11) | AC-4 (11) | CONFIGURATION OF SECURITY POLICY FILTERS | The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies. | |
| ACCESS CONTROL | AC-4 (12) | AC-4 (12) | DATA TYPE IDENTIFIERS | The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions. | |
| ACCESS CONTROL | AC-4 (13) | AC-4 (13) | DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS | The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. | |
| ACCESS CONTROL | AC-4 (14) | AC-4 (14) | SECURITY POLICY FILTER CONSTRAINTS | The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content. | |
| ACCESS CONTROL | AC-4 (15) | AC-4 (15) | DETECTION OF UNSANCTIONED INFORMATION | The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organized-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy]. | |
| ACCESS CONTROL | AC-4 (16) | AC-4 (16) | INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS | [Withdrawn: Incorporated into AC-4]. | |
| ACCESS CONTROL | AC-4 (17) | AC-4 (17) | DOMAIN AUTHENTICATION | The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer. | |
| ACCESS CONTROL | AC-4 (18) | AC-4 (18) | SECURITY ATTRIBUTE BINDING | The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement. | |
| ACCESS CONTROL | AC-4 (19) | AC-4 (19) | VALIDATION OF METADATA | The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads. | |
| ACCESS CONTROL | AC-4 (20) | AC-4 (20) | APPROVED SOLUTIONS | The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. | |
| ACCESS CONTROL | AC-4 (21) | AC-4 (21) | PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS | The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. | |
| ACCESS CONTROL | AC-4 (22) | AC-4 (22) | ACCESS ONLY | The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains. | |
| ACCESS CONTROL | AC-6 (1) | AC-6 (1) | AUTHORIZE ACCESS TO SECURITY FUNCTIONS | The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]. | |
| ACCESS CONTROL | AC-6 (2) | AC-6 (2) | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS | The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions. | |
| ACCESS CONTROL | AC-6 (3) | AC-6 (3) | NETWORK ACCESS TO PRIVILEGED COMMANDS | The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system. | |
| ACCESS CONTROL | AC-6 (4) | AC-6 (4) | SEPARATE PROCESSING DOMAINS | The information system provides separate processing domains to enable finer-grained allocation of user privileges. | |
| ACCESS CONTROL | AC-6 (5) | AC-6 (5) | PRIVILEGED ACCOUNTS | The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles]. | |
| ACCESS CONTROL | AC-6 (6) | AC-6 (6) | PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS | The organization prohibits privileged access to the information system by non-organizational users. | |
| ACCESS CONTROL | AC-6 (7) | AC-6 (7) | REVIEW OF USER PRIVILEGES | The organization: | |
| ACCESS CONTROL | AC-6 (7) | AC-6 (7)(a) | REVIEW OF USER PRIVILEGES | Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and | |
| ACCESS CONTROL | AC-6 (7) | AC-6 (7)(b) | REVIEW OF USER PRIVILEGES | Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. | |
| ACCESS CONTROL | AC-6 (8) | AC-6 (8) | PRIVILEGE LEVELS FOR CODE EXECUTION | The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software. | |
| ACCESS CONTROL | AC-6 (9) | AC-6 (9) | AUDITING USE OF PRIVILEGED FUNCTIONS | The information system audits the execution of privileged functions. | |
| ACCESS CONTROL | AC-6 (10) | AC-6 (10) | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS | The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | |
| ACCESS CONTROL | AC-7 | AC-7b | UNSUCCESSFUL LOGON ATTEMPTS | Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. | P2 |
| ACCESS CONTROL | AC-7 (1) | AC-7 (1) | AUTOMATIC ACCOUNT LOCK | [Withdrawn: Incorporated into AC-7]. | |
| ACCESS CONTROL | AC-7 (2) | AC-7 (2) | PURGE / WIPE MOBILE DEVICE | The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. | |
| ACCESS CONTROL | AC-8 | AC-8a.1 | SYSTEM USE NOTIFICATION | Users are accessing a U.S. Government information system; | P1 |
| ACCESS CONTROL | AC-8 | AC-8a.2 | SYSTEM USE NOTIFICATION | Information system usage may be monitored, recorded, and subject to audit; | P1 |
| ACCESS CONTROL | AC-8 | AC-8a.3 | SYSTEM USE NOTIFICATION | Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and | P1 |
| ACCESS CONTROL | AC-8 | AC-8a.4 | SYSTEM USE NOTIFICATION | Use of the information system indicates consent to monitoring and recording; | P1 |
| ACCESS CONTROL | AC-8 | AC-8b | SYSTEM USE NOTIFICATION | Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and | P1 |
| ACCESS CONTROL | AC-8 | AC-8c | SYSTEM USE NOTIFICATION | For publicly accessible systems: | P1 |
| ACCESS CONTROL | AC-8 | AC-8c.1 | SYSTEM USE NOTIFICATION | Displays system use information [Assignment: organization-defined conditions], before granting further access; | P1 |
| ACCESS CONTROL | AC-8 | AC-8c.2 | SYSTEM USE NOTIFICATION | Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and | P1 |
| ACCESS CONTROL | AC-8 | AC-8c.3 | SYSTEM USE NOTIFICATION | Includes a description of the authorized uses of the system. | P1 |
| ACCESS CONTROL | AC-9 | AC-9 | PREVIOUS LOGON (ACCESS) NOTIFICATION | The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access). | P0 |
| ACCESS CONTROL | AC-9 (1) | AC-9 (1) | UNSUCCESSFUL LOGONS | The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access. | |
| ACCESS CONTROL | AC-9 (2) | AC-9 (2) | SUCCESSFUL / UNSUCCESSFUL LOGONS | The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period]. | |
| ACCESS CONTROL | AC-9 (3) | AC-9 (3) | NOTIFICATION OF ACCOUNT CHANGES | The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period]. | |
| ACCESS CONTROL | AC-9 (4) | AC-9 (4) | ADDITIONAL LOGON INFORMATION | The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)]. | |
| ACCESS CONTROL | AC-10 | AC-10 | CONCURRENT SESSION CONTROL | The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | P3 |
| ACCESS CONTROL | AC-11 | AC-11b | SESSION LOCK | Retains the session lock until the user reestablishes access using established identification and authentication procedures. | P3 |
| ACCESS CONTROL | AC-11 (1) | AC-11 (1) | PATTERN-HIDING DISPLAYS | The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. | |
| ACCESS CONTROL | AC-12 | AC-12 | SESSION TERMINATION | The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. | P2 |
| ACCESS CONTROL | AC-12 (1) | AC-12 (1) | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS | The information system: | |
| ACCESS CONTROL | AC-12 (1) | AC-12 (1)(a) | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS | Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and | |
| ACCESS CONTROL | AC-12 (1) | AC-12 (1)(b) | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS | Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions. | |
| ACCESS CONTROL | AC-13 | AC-13 | SUPERVISION AND REVIEW - ACCESS CONTROL | [Withdrawn: Incorporated into AC-2 and AU-6]. | |
| ACCESS CONTROL | AC-14 | AC-14 | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | The organization: | P3 |
| ACCESS CONTROL | AC-14 | AC-14a | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and | P3 |
| ACCESS CONTROL | AC-14 | AC-14b | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. | P3 |
| ACCESS CONTROL | AC-14 (1) | AC-14 (1) | NECESSARY USES | [Withdrawn: Incorporated into AC-14]. | |
| ACCESS CONTROL | AC-15 | AC-15 | AUTOMATED MARKING | [Withdrawn: Incorporated into MP-3]. | |
| ACCESS CONTROL | AC-16 | AC-16 | SECURITY ATTRIBUTES | The organization: | P0 |
| ACCESS CONTROL | AC-16 | AC-16a | SECURITY ATTRIBUTES | Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; | P0 |
| ACCESS CONTROL | AC-16 | AC-16b | SECURITY ATTRIBUTES | Ensures that the security attribute associations are made and retained with the information; | P0 |
| ACCESS CONTROL | AC-16 | AC-16c | SECURITY ATTRIBUTES | Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and | P0 |
| ACCESS CONTROL | AC-16 (2) | AC-16 (2) | ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS | The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes. | |
| ACCESS CONTROL | AC-16 (3) | AC-16 (3) | MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM | The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects]. | |
| ACCESS CONTROL | AC-16 (4) | AC-16 (4) | ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS | The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). | |
| ACCESS CONTROL | AC-16 (5) | AC-16 (5) | ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES | The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions]. | |
| ACCESS CONTROL | AC-16 (6) | AC-16 (6) | MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION | The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies]. | |
| ACCESS CONTROL | AC-16 (7) | AC-16 (7) | CONSISTENT ATTRIBUTE INTERPRETATION | The organization provides a consistent interpretation of security attributes transmitted between distributed information system components. | |
| ACCESS CONTROL | AC-16 (8) | AC-16 (8) | ASSOCIATION TECHNIQUES / TECHNOLOGIES | The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information. | |
| ACCESS CONTROL | AC-16 (9) | AC-16 (9) | ATTRIBUTE REASSIGNMENT | The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures]. | |
| ACCESS CONTROL | AC-16 (10) | AC-16 (10) | ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS | The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects. | |
| ACCESS CONTROL | AC-17 | AC-17 | REMOTE ACCESS | The organization: | P1 |
| ACCESS CONTROL | AC-17 | AC-17a | REMOTE ACCESS | Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and | P1 |
| ACCESS CONTROL | AC-17 | AC-17b | REMOTE ACCESS | Authorizes remote access to the information system prior to allowing such connections. | P1 |
| ACCESS CONTROL | AC-17 (1) | AC-17 (1) | AUTOMATED MONITORING / CONTROL | The information system monitors and controls remote access methods. | |
| ACCESS CONTROL | AC-17 (2) | AC-17 (2) | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION | The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. | |
| ACCESS CONTROL | AC-17 (3) | AC-17 (3) | MANAGED ACCESS CONTROL POINTS | The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. | |
| ACCESS CONTROL | AC-17 (4) | AC-17 (4)(b) | PRIVILEGED COMMANDS / ACCESS | Documents the rationale for such access in the security plan for the information system. | |
| ACCESS CONTROL | AC-17 (5) | AC-17 (5) | MONITORING FOR UNAUTHORIZED CONNECTIONS | [Withdrawn: Incorporated into SI-4]. | |
| ACCESS CONTROL | AC-17 (6) | AC-17 (6) | PROTECTION OF INFORMATION | The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. | |
| ACCESS CONTROL | AC-17 (7) | AC-17 (7) | ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS | [Withdrawn: Incorporated into AC-3 (10)]. | |
| ACCESS CONTROL | AC-17 (8) | AC-17 (8) | DISABLE NONSECURE NETWORK PROTOCOLS | [Withdrawn: Incorporated into CM-7]. | |
| ACCESS CONTROL | AC-17 (9) | AC-17 (9) | DISCONNECT / DISABLE ACCESS | The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period]. | |
| ACCESS CONTROL | AC-18 | AC-18b | WIRELESS ACCESS | Authorizes wireless access to the information system prior to allowing such connections. | P1 |
| ACCESS CONTROL | AC-18 (1) | AC-18 (1) | AUTHENTICATION AND ENCRYPTION | The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. | |
| ACCESS CONTROL | AC-18 (2) | AC-18 (2) | MONITORING UNAUTHORIZED CONNECTIONS | [Withdrawn: Incorporated into SI-4]. | |
| ACCESS CONTROL | AC-18 (3) | AC-18 (3) | DISABLE WIRELESS NETWORKING | The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. | |
| ACCESS CONTROL | AC-18 (4) | AC-18 (4) | RESTRICT CONFIGURATIONS BY USERS | The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities. | |
| ACCESS CONTROL | AC-18 (5) | AC-18 (5) | ANTENNAS / TRANSMISSION POWER LEVELS | The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries. | |
| ACCESS CONTROL | AC-19 | AC-19a | ACCESS CONTROL FOR MOBILE DEVICES | Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and | P1 |
| ACCESS CONTROL | AC-19 | AC-19b | ACCESS CONTROL FOR MOBILE DEVICES | Authorizes the connection of mobile devices to organizational information systems. | P1 |
| ACCESS CONTROL | AC-19 (1) | AC-19 (1) | USE OF WRITABLE / PORTABLE STORAGE DEVICES | [Withdrawn: Incorporated into MP-7]. | |
| ACCESS CONTROL | AC-19 (2) | AC-19 (2) | USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES | [Withdrawn: Incorporated into MP-7]. | |
| ACCESS CONTROL | AC-19 (3) | AC-19 (3) | USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER | [Withdrawn: Incorporated into MP-7]. | |
| ACCESS CONTROL | AC-19 (4) | AC-19 (4) | RESTRICTIONS FOR CLASSIFIED INFORMATION | The organization: | |
| ACCESS CONTROL | AC-19 (4) | AC-19 (4)(a) | RESTRICTIONS FOR CLASSIFIED INFORMATION | Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and | |
| ACCESS CONTROL | AC-19 (4) | AC-19 (4)(b) | RESTRICTIONS FOR CLASSIFIED INFORMATION | Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information: | |
ACCESS CONTROL AC-19 (4) AC-19 (4)(b)(1) RESTRICTIONS FOR Connection of unclassified mobile devices to
### CLASSIFIED classified information systems is prohibited;
INFORMATION
ACCESS CONTROL AC-19 (4) AC-19 (4)(b)(2) RESTRICTIONS FOR Connection of unclassified mobile devices to
### CLASSIFIED unclassified information systems requires
INFORMATION approval from the authorizing official;
ACCESS CONTROL AC-19 (4) AC-19 (4)(b)(3) RESTRICTIONS FOR Use of internal or external modems or wireless
### CLASSIFIED interfaces within the unclassified mobile devices
INFORMATION is prohibited; and
ACCESS CONTROL AC-19 (4) AC-19 (4)(b)(4) RESTRICTIONS FOR Unclassified mobile devices and the information
CLASSIFIED stored on those devices are subject to random
INFORMATION reviews and inspections by [Assignment:
### organization-defined security officials], and if
classified information is found, the incident
handling policy is followed.
ACCESS CONTROL AC-19 (4) AC-19 (4)(c) RESTRICTIONS FOR Restricts the connection of classified mobile
CLASSIFIED devices to classified information systems in
### INFORMATION accordance with [Assignment: organization-
defined security policies].
ACCESS CONTROL AC-19 (5) AC-19 (5) FULL DEVICE / The organization employs [Selection: full-device
CONTAINER-BASED encryption; container encryption] to protect the
ENCRYPTION confidentiality and integrity of information on
### [Assignment: organization-defined mobile
devices].
ACCESS CONTROL AC-20 AC-20 USE OF EXTERNAL The organization establishes terms and P1
INFORMATION conditions, consistent with any trust
SYSTEMS relationships established with other
organizations owning, operating, and/or
maintaining external information systems,
allowing authorized individuals to:
###
ACCESS CONTROL AC-20 AC-20a USE OF EXTERNAL Access the information system from external P1
INFORMATION information systems; and
SYSTEMS
###
ACCESS CONTROL AC-20 AC-20b USE OF EXTERNAL Process, store, or transmit organization- P1
INFORMATION controlled information using external
SYSTEMS information systems.
###
ACCESS CONTROL AC-20 (1) AC-20 (1) LIMITS ON The organization permits authorized individuals
AUTHORIZED USE to use an external information system to access
the information system or to process, store, or
### transmit organization-controlled information
only when the organization:
ACCESS CONTROL AC-20 (1) AC-20 (1)(a) LIMITS ON Verifies the implementation of required security
AUTHORIZED USE controls on the external system as specified in
### the organization's information security policy
and security plan; or
ACCESS CONTROL AC-20 (1) AC-20 (1)(b) LIMITS ON Retains approved information system connection
AUTHORIZED USE or processing agreements with the
### organizational entity hosting the external
information system.
ACCESS CONTROL AC-20 (2) AC-20 (2) PORTABLE STORAGE The organization [Selection: restricts; prohibits]
DEVICES the use of organization-controlled portable
### storage devices by authorized individuals on
external information systems.
ACCESS CONTROL AC-20 (3) AC-20 (3) NON- The organization [Selection: restricts; prohibits]
ORGANIZATIONALLY the use of non-organizationally owned
OWNED SYSTEMS / information systems, system components, or
### COMPONENTS / devices to process, store, or transmit
DEVICES organizational information.
ACCESS CONTROL AC-20 (4) AC-20 (4) NETWORK The organization prohibits the use of
ACCESSIBLE STORAGE [Assignment: organization-defined network
### DEVICES accessible storage devices] in external
information systems.
ACCESS CONTROL AC-21 (2) AC-21 (2) INFORMATION The information system implements information
SEARCH AND search and retrieval services that enforce
### RETRIEVAL [Assignment: organization-defined information
sharing restrictions].
ACCESS CONTROL AC-22 AC-22a PUBLICLY ACCESSIBLE Designates individuals authorized to post P3
### CONTENT information onto a publicly accessible
information system;
ACCESS CONTROL AC-22 AC-22b PUBLICLY ACCESSIBLE Trains authorized individuals to ensure that P3
### CONTENT publicly accessible information does not contain
nonpublic information;
ACCESS CONTROL AC-22 AC-22c PUBLICLY ACCESSIBLE Reviews the proposed content of information P3
CONTENT prior to posting onto the publicly accessible
### information system to ensure that nonpublic
information is not included; and
ACCESS CONTROL AC-22 AC-22d PUBLICLY ACCESSIBLE Reviews the content on the publicly accessible P3
CONTENT information system for nonpublic information
### [Assignment: organization-defined frequency]
and removes such information, if discovered.
ACCESS CONTROL AC-23 AC-23 DATA MINING The organization employs [Assignment: P0
PROTECTION organization-defined data mining prevention and
detection techniques] for [Assignment:
### organization-defined data storage objects] to
adequately detect and protect against data
mining.
ACCESS CONTROL AC-24 AC-24 ACCESS CONTROL The organization establishes procedures to P0
DECISIONS ensure [Assignment: organization-defined access
### control decisions] are applied to each access
request prior to access enforcement.
ACCESS CONTROL AC-24 (1) AC-24 (1) TRANSMIT ACCESS The information system transmits [Assignment:
AUTHORIZATION organization-defined access authorization
INFORMATION information] using [Assignment: organization-
### defined security safeguards] to [Assignment:
organization-defined information systems] that
enforce access control decisions.
ACCESS CONTROL AC-24 (2) AC-24 (2) NO USER OR PROCESS The information system enforces access control
IDENTITY decisions based on [Assignment: organization-
defined security attributes] that do not include
### the identity of the user or process acting on
behalf of the user.
ACCESS CONTROL AC-25 AC-25 REFERENCE The information system implements a reference P0
MONITOR monitor for [Assignment: organization-defined
access control policies] that is tamperproof,
### always invoked, and small enough to be subject
to analysis and testing, the completeness of
which can be assured.
AUTHORITY AND PURPOSE | AP-1 | AP-1 | Authority to Collect | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J |
AUTHORITY AND PURPOSE | AP-2 | AP-2 | Purpose Specification | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J |
ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT | AR-1 | AR-1 | Governance and Privacy Program | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J |
ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT | AR-2 | AR-2 | Privacy Impact and Risk Assessment | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J |
ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT | AR-3 | AR-3 | Privacy Requirements for Contractors and Service Providers | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J |
ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT | AR-4 | AR-4 | Privacy Monitoring and Auditing | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J |
ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT | AR-5 | AR-5 | Privacy Awareness and Training | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J |
ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT | AR-6 | AR-6 | Privacy Reporting | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J |
ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT | AR-7 | AR-7 | Privacy-Enhanced System Design and Development | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J |
ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT | AR-8 | AR-8 | Accounting of Disclosures | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J |
AWARENESS AND TRAINING | AT-1 | AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | The organization: | P1
AWARENESS AND TRAINING | AT-1 | AT-1a.1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | P1
AWARENESS AND TRAINING | AT-1 | AT-1a.2 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and | P1
AWARENESS AND TRAINING | AT-1 | AT-1b | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | Reviews and updates the current: | P1
AWARENESS AND TRAINING | AT-1 | AT-1b.1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | Security awareness and training policy [Assignment: organization-defined frequency]; and | P1
AWARENESS AND TRAINING | AT-1 | AT-1b.2 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | Security awareness and training procedures [Assignment: organization-defined frequency]. | P1
AWARENESS AND TRAINING | AT-2 | AT-2 | SECURITY AWARENESS TRAINING | The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): | P1
AWARENESS AND TRAINING | AT-2 | AT-2a | SECURITY AWARENESS TRAINING | As part of initial training for new users; | P1
AWARENESS AND TRAINING | AT-2 | AT-2b | SECURITY AWARENESS TRAINING | When required by information system changes; and | P1
AWARENESS AND TRAINING | AT-2 (1) | AT-2 (1) | PRACTICAL EXERCISES | The organization includes practical exercises in security awareness training that simulate actual cyber attacks. |
AWARENESS AND TRAINING | AT-2 (2) | AT-2 (2) | INSIDER THREAT | The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. |
AWARENESS AND TRAINING | AT-3 | AT-3 | ROLE-BASED SECURITY TRAINING | The organization provides role-based security training to personnel with assigned security roles and responsibilities: | P1
AWARENESS AND TRAINING | AT-3 | AT-3a | ROLE-BASED SECURITY TRAINING | Before authorizing access to the information system or performing assigned duties; | P1
AWARENESS AND TRAINING | AT-3 | AT-3b | ROLE-BASED SECURITY TRAINING | When required by information system changes; and | P1
AWARENESS AND TRAINING | AT-3 | AT-3c | ROLE-BASED SECURITY TRAINING | [Assignment: organization-defined frequency] thereafter. | P1
AWARENESS AND TRAINING | AT-3 (1) | AT-3 (1) | ENVIRONMENTAL CONTROLS | The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. |
AWARENESS AND TRAINING | AT-3 (2) | AT-3 (2) | PHYSICAL SECURITY CONTROLS | The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. |
AWARENESS AND TRAINING | AT-3 (3) | AT-3 (3) | PRACTICAL EXERCISES | The organization includes practical exercises in security training that reinforce training objectives. |
AWARENESS AND TRAINING | AT-3 (4) | AT-3 (4) | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR | The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems. |
AWARENESS AND TRAINING | AT-4 | AT-4b | SECURITY TRAINING RECORDS | Retains individual training records for [Assignment: organization-defined time period]. | P3
AWARENESS AND TRAINING | AT-5 | AT-5 | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS | [Withdrawn: Incorporated into PM-15]. |
AUDIT AND ACCOUNTABILITY | AU-1 | AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | The organization: | P1
AUDIT AND ACCOUNTABILITY | AU-1 | AU-1a | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: | P1
AUDIT AND ACCOUNTABILITY | AU-1 | AU-1a.1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | P1
AUDIT AND ACCOUNTABILITY | AU-1 | AU-1a.2 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and | P1
AUDIT AND ACCOUNTABILITY | AU-1 | AU-1b | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | Reviews and updates the current: | P1
AUDIT AND ACCOUNTABILITY | AU-1 | AU-1b.1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | Audit and accountability policy [Assignment: organization-defined frequency]; and | P1
AUDIT AND ACCOUNTABILITY | AU-1 | AU-1b.2 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | Audit and accountability procedures [Assignment: organization-defined frequency]. | P1
AUDIT AND ACCOUNTABILITY | AU-2 | AU-2a | AUDIT EVENTS | Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; | P1
AUDIT AND ACCOUNTABILITY | AU-2 | AU-2b | AUDIT EVENTS | Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; | P1
AUDIT AND ACCOUNTABILITY | AU-2 | AU-2c | AUDIT EVENTS | Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and | P1
AUDIT AND ACCOUNTABILITY | AU-2 | AU-2d | AUDIT EVENTS | Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]. | P1
AUDIT AND ACCOUNTABILITY | AU-2 (1) | AU-2 (1) | COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES | [Withdrawn: Incorporated into AU-12]. |
AUDIT AND ACCOUNTABILITY | AU-2 (2) | AU-2 (2) | SELECTION OF AUDIT EVENTS BY COMPONENT | [Withdrawn: Incorporated into AU-12]. |
AUDIT AND ACCOUNTABILITY | AU-2 (3) | AU-2 (3) | REVIEWS AND UPDATES | The organization reviews and updates the audited events [Assignment: organization-defined frequency]. |
AUDIT AND ACCOUNTABILITY | AU-2 (4) | AU-2 (4) | PRIVILEGED FUNCTIONS | [Withdrawn: Incorporated into AC-6 (9)]. |
AUDIT AND ACCOUNTABILITY | AU-3 | AU-3 | CONTENT OF AUDIT RECORDS | The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. | P1
AUDIT AND ACCOUNTABILITY | AU-3 (1) | AU-3 (1) | ADDITIONAL AUDIT INFORMATION | The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. |
AUDIT AND ACCOUNTABILITY | AU-3 (2) | AU-3 (2) | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT | The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. |
AUDIT AND ACCOUNTABILITY | AU-4 | AU-4 | AUDIT STORAGE CAPACITY | The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements]. | P1
AUDIT AND ACCOUNTABILITY | AU-4 (1) | AU-4 (1) | TRANSFER TO ALTERNATE STORAGE | The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited. |
AUDIT AND ACCOUNTABILITY | AU-5 | AU-5b | RESPONSE TO AUDIT PROCESSING FAILURES | Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]. | P1
AUDIT AND ACCOUNTABILITY | AU-5 (1) | AU-5 (1) | AUDIT STORAGE CAPACITY | The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity. |
AUDIT AND ACCOUNTABILITY | AU-5 (2) | AU-5 (2) | REAL-TIME ALERTS | The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]. |
AUDIT AND ACCOUNTABILITY | AU-5 (3) | AU-5 (3) | CONFIGURABLE TRAFFIC VOLUME THRESHOLDS | The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds. |
AUDIT AND ACCOUNTABILITY | AU-5 (4) | AU-5 (4) | SHUTDOWN ON FAILURE | The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists. |
AUDIT AND ACCOUNTABILITY | AU-6 | AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING | The organization: | P1
AUDIT AND ACCOUNTABILITY | AU-6 | AU-6a | AUDIT REVIEW, ANALYSIS, AND REPORTING | Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and | P1
AUDIT AND ACCOUNTABILITY | AU-6 | AU-6b | AUDIT REVIEW, ANALYSIS, AND REPORTING | Reports findings to [Assignment: organization-defined personnel or roles]. | P1
AUDIT AND ACCOUNTABILITY | AU-6 (1) | AU-6 (1) | PROCESS INTEGRATION | The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. |
AUDIT AND ACCOUNTABILITY | AU-6 (2) | AU-6 (2) | AUTOMATED SECURITY ALERTS | [Withdrawn: Incorporated into SI-4]. |
AUDIT AND ACCOUNTABILITY | AU-6 (3) | AU-6 (3) | CORRELATE AUDIT REPOSITORIES | The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. |
AUDIT AND ACCOUNTABILITY | AU-6 (4) | AU-6 (4) | CENTRAL REVIEW AND ANALYSIS | The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
AUDIT AND ACCOUNTABILITY | AU-6 (5) | AU-6 (5) | INTEGRATION / SCANNING AND MONITORING CAPABILITIES | The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. |
AUDIT AND ACCOUNTABILITY | AU-6 (6) | AU-6 (6) | CORRELATION WITH PHYSICAL MONITORING | The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. |
AUDIT AND ACCOUNTABILITY | AU-6 (7) | AU-6 (7) | PERMITTED ACTIONS | The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information. |
AUDIT AND ACCOUNTABILITY | AU-6 (8) | AU-6 (8) | FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS | The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis. |
AUDIT AND ACCOUNTABILITY | AU-6 (9) | AU-6 (9) | CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES | The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness. |
AUDIT AND ACCOUNTABILITY | AU-6 (10) | AU-6 (10) | AUDIT LEVEL ADJUSTMENT | The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. |
AUDIT AND ACCOUNTABILITY | AU-7 | AU-7 | AUDIT REDUCTION AND REPORT GENERATION | The information system provides an audit reduction and report generation capability that: | P2
AUDIT AND ACCOUNTABILITY | AU-7 | AU-7a | AUDIT REDUCTION AND REPORT GENERATION | Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and | P2
AUDIT AND ACCOUNTABILITY | AU-7 | AU-7b | AUDIT REDUCTION AND REPORT GENERATION | Does not alter the original content or time ordering of audit records. | P2
AUDIT AND ACCOUNTABILITY | AU-7 (1) | AU-7 (1) | AUTOMATIC PROCESSING | The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]. |
AUDIT AND ACCOUNTABILITY | AU-7 (2) | AU-7 (2) | AUTOMATIC SORT AND SEARCH | The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records]. |
AUDIT AND ACCOUNTABILITY | AU-8 | AU-8a | TIME STAMPS | Uses internal system clocks to generate time stamps for audit records; and |
AUDIT AND ACCOUNTABILITY | AU-8 | AU-8b | TIME STAMPS | Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]. |
AUDIT AND ACCOUNTABILITY | AU-8 (1) | AU-8 (1) | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE | The information system: |
AUDIT AND ACCOUNTABILITY | AU-8 (1) | AU-8 (1)(a) | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE | Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and |
AUDIT AND ACCOUNTABILITY | AU-8 (1) | AU-8 (1)(b) | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE | Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. |
AUDIT AND ACCOUNTABILITY | AU-8 (2) | AU-8 (2) | SECONDARY AUTHORITATIVE TIME SOURCE | The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source. |
AUDIT AND ACCOUNTABILITY | AU-9 | AU-9 | PROTECTION OF AUDIT INFORMATION | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. | P1
AUDIT AND ACCOUNTABILITY | AU-9 (1) | AU-9 (1) | HARDWARE WRITE-ONCE MEDIA | The information system writes audit trails to hardware-enforced, write-once media. |
AUDIT AND ACCOUNTABILITY | AU-9 (2) | AU-9 (2) | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS | The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited. |
AUDIT AND ACCOUNTABILITY | AU-9 (3) | AU-9 (3) | CRYPTOGRAPHIC PROTECTION | The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools. |
AUDIT AND ACCOUNTABILITY | AU-9 (4) | AU-9 (4) | ACCESS BY SUBSET OF PRIVILEGED USERS | The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. |
AUDIT AND ACCOUNTABILITY | AU-9 (5) | AU-9 (5) | DUAL AUTHORIZATION | The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. |
AUDIT AND ACCOUNTABILITY | AU-9 (6) | AU-9 (6) | READ ONLY ACCESS | The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users]. |
AUDIT AND ACCOUNTABILITY | AU-10 | AU-10 | NON-REPUDIATION | The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. | P2
AUDIT AND ACCOUNTABILITY | AU-10 (1) | AU-10 (1) | ASSOCIATION OF IDENTITIES | The information system: |
AUDIT AND ACCOUNTABILITY | AU-10 (1) | AU-10 (1)(a) | ASSOCIATION OF IDENTITIES | Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and |
AUDIT AND ACCOUNTABILITY | AU-10 (1) | AU-10 (1)(b) | ASSOCIATION OF IDENTITIES | Provides the means for authorized individuals to determine the identity of the producer of the information. |
AUDIT AND ACCOUNTABILITY | AU-10 (2) | AU-10 (2) | VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY | The information system: |
AUDIT AND ACCOUNTABILITY | AU-10 (2) | AU-10 (2)(a) | VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY | Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and |
AUDIT AND ACCOUNTABILITY | AU-10 (2) | AU-10 (2)(b) | VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY | Performs [Assignment: organization-defined actions] in the event of a validation error. |
AUDIT AND ACCOUNTABILITY | AU-10 (3) | AU-10 (3) | CHAIN OF CUSTODY | The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. |
AUDIT AND ACCOUNTABILITY | AU-10 (4) | AU-10 (4) | VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY | The information system: |
AUDIT AND ACCOUNTABILITY | AU-10 (4) | AU-10 (4)(a) | VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY | Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and |
AUDIT AND ACCOUNTABILITY | AU-10 (4) | AU-10 (4)(b) | VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY | Performs [Assignment: organization-defined actions] in the event of a validation error. |
AUDIT AND ACCOUNTABILITY | AU-10 (5) | AU-10 (5) | DIGITAL SIGNATURES | [Withdrawn: Incorporated into SI-7]. |
AUDIT AND ACCOUNTABILITY | AU-11 | AU-11 | AUDIT RECORD RETENTION | The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. | P3
AUDIT AND ACCOUNTABILITY | AU-11 (1) | AU-11 (1) | LONG-TERM RETRIEVAL CAPABILITY | The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved. |
AUDIT AND ACCOUNTABILITY | AU-12 | AU-12 | AUDIT GENERATION | The information system: | P1
AUDIT AND ACCOUNTABILITY | AU-12 | AU-12a | AUDIT GENERATION | Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; |
AUDIT AND ACCOUNTABILITY | AU-12 | AU-12c | AUDIT GENERATION | Generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
AUDIT AND ACCOUNTABILITY | AU-12 (1) | AU-12 (1) | SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL | The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. |
AUDIT AND ACCOUNTABILITY | AU-12 (2) | AU-12 (2) | STANDARDIZED FORMATS | The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format. |
AUDIT AND ACCOUNTABILITY | AU-12 (3) | AU-12 (3) | CHANGES BY AUTHORIZED INDIVIDUALS | The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. |
AUDIT AND ACCOUNTABILITY | AU-13 | AU-13 | MONITORING FOR INFORMATION DISCLOSURE | The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information. | P0
AUDIT AND ACCOUNTABILITY | AU-13 (1) | AU-13 (1) | USE OF AUTOMATED TOOLS | The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner. |
AUDIT AND ACCOUNTABILITY | AU-13 (2) | AU-13 (2) | REVIEW OF MONITORED SITES | The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency]. |
AUDIT AND ACCOUNTABILITY | AU-14 | AU-14 | SESSION AUDIT | The information system provides the capability for authorized users to select a user session to capture/record or view/hear. | P0
AUDIT AND ACCOUNTABILITY | AU-14 (1) | AU-14 (1) | SYSTEM START-UP | The information system initiates session audits at system start-up. |
AUDIT AND ACCOUNTABILITY | AU-14 (2) | AU-14 (2) | CAPTURE/RECORD AND LOG CONTENT | The information system provides the capability for authorized users to capture/record and log content related to a user session. |
AUDIT AND ACCOUNTABILITY | AU-14 (3) | AU-14 (3) | REMOTE VIEWING / LISTENING | The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time. |
AUDIT AND ACCOUNTABILITY | AU-15 | AU-15 | ALTERNATE AUDIT CAPABILITY | The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality]. | P0
AUDIT AND ACCOUNTABILITY | AU-16 | AU-16 | CROSS-ORGANIZATIONAL AUDITING | The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. | P0
AUDIT AND ACCOUNTABILITY | AU-16 (1) | AU-16 (1) | IDENTITY PRESERVATION | The organization requires that the identity of individuals be preserved in cross-organizational audit trails. |
AUDIT AND ACCOUNTABILITY | AU-16 (2) | AU-16 (2) | SHARING OF AUDIT INFORMATION | The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]. |
SECURITY ASSESSMENT AND AUTHORIZATION | CA-2 | CA-2a | SECURITY ASSESSMENTS | Develops a security assessment plan that describes the scope of the assessment including: | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-2 | CA-2a.3 | SECURITY ASSESSMENTS | Assessment environment, assessment team, and assessment roles and responsibilities; | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-2 | CA-2b | SECURITY ASSESSMENTS | Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-2 | CA-2d | SECURITY ASSESSMENTS | Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-2 (1) | CA-2 (1) | INDEPENDENT ASSESSORS | The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.
SECURITY ASSESSMENT AND AUTHORIZATION | CA-2 (2) | CA-2 (2) | SPECIALIZED ASSESSMENTS | The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
SECURITY ASSESSMENT AND AUTHORIZATION | CA-2 (3) | CA-2 (3) | EXTERNAL ORGANIZATIONS | The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3 | CA-3 | SYSTEM INTERCONNECTIONS | The organization: | P1
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3 | CA-3a | SYSTEM INTERCONNECTIONS | Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; | P1
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3 | CA-3b | SYSTEM INTERCONNECTIONS | Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and | P1
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3 | CA-3c | SYSTEM INTERCONNECTIONS | Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. | P1
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3 (1) | CA-3 (1) | UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS | The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3 (2) | CA-3 (2) | CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS | The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3 (3) | CA-3 (3) | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS | The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3 (4) | CA-3 (4) | CONNECTIONS TO PUBLIC NETWORKS | The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network.
SECURITY ASSESSMENT AND AUTHORIZATION | CA-3 (5) | CA-3 (5) | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS | The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
SECURITY ASSESSMENT AND AUTHORIZATION | CA-5 | CA-5a | PLAN OF ACTION AND MILESTONES | Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and | P3
SECURITY ASSESSMENT AND AUTHORIZATION | CA-5 | CA-5b | PLAN OF ACTION AND MILESTONES | Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. | P3
SECURITY ASSESSMENT AND AUTHORIZATION | CA-5 (1) | CA-5 (1) | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY | The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.
SECURITY ASSESSMENT AND AUTHORIZATION | CA-7 | CA-7a | CONTINUOUS MONITORING | Establishment of [Assignment: organization-defined metrics] to be monitored; | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-7 | CA-7b | CONTINUOUS MONITORING | Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-7 | CA-7c | CONTINUOUS MONITORING | Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-7 | CA-7d | CONTINUOUS MONITORING | Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-7 | CA-7e | CONTINUOUS MONITORING | Correlation and analysis of security-related information generated by assessments and monitoring; | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-7 | CA-7f | CONTINUOUS MONITORING | Response actions to address results of the analysis of security-related information; and | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-7 | CA-7g | CONTINUOUS MONITORING | Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-7 (1) | CA-7 (1) | INDEPENDENT ASSESSMENT | The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
SECURITY ASSESSMENT AND AUTHORIZATION | CA-7 (2) | CA-7 (2) | TYPES OF ASSESSMENTS | [Withdrawn: Incorporated into CA-2].
SECURITY ASSESSMENT AND AUTHORIZATION | CA-7 (3) | CA-7 (3) | TREND ANALYSES | The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
SECURITY ASSESSMENT AND AUTHORIZATION | CA-8 (1) | CA-8 (1) | INDEPENDENT PENETRATION AGENT OR TEAM | The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
SECURITY ASSESSMENT AND AUTHORIZATION | CA-8 (2) | CA-8 (2) | RED TEAM EXERCISES | The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement].
SECURITY ASSESSMENT AND AUTHORIZATION | CA-9 | CA-9b | INTERNAL SYSTEM CONNECTIONS | Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. | P2
SECURITY ASSESSMENT AND AUTHORIZATION | CA-9 (1) | CA-9 (1) | SECURITY COMPLIANCE CHECKS | The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.
CONFIGURATION MANAGEMENT | CM-2 (1) | CM-2 (1) | REVIEWS AND UPDATES | The organization reviews and updates the baseline configuration of the information system:
CONFIGURATION MANAGEMENT | CM-2 (1) | CM-2 (1)(a) | REVIEWS AND UPDATES | [Assignment: organization-defined frequency];
CONFIGURATION MANAGEMENT | CM-2 (1) | CM-2 (1)(b) | REVIEWS AND UPDATES | When required due to [Assignment: organization-defined circumstances]; and
CONFIGURATION MANAGEMENT | CM-2 (1) | CM-2 (1)(c) | REVIEWS AND UPDATES | As an integral part of information system component installations and upgrades.
CONFIGURATION MANAGEMENT | CM-2 (2) | CM-2 (2) | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY | The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CONFIGURATION MANAGEMENT | CM-2 (3) | CM-2 (3) | RETENTION OF PREVIOUS CONFIGURATIONS | The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
CONFIGURATION MANAGEMENT | CM-2 (4) | CM-2 (4) | UNAUTHORIZED SOFTWARE | [Withdrawn: Incorporated into CM-7].
CONFIGURATION MANAGEMENT | CM-2 (5) | CM-2 (5) | AUTHORIZED SOFTWARE | [Withdrawn: Incorporated into CM-7].
CONFIGURATION MANAGEMENT | CM-2 (6) | CM-2 (6) | DEVELOPMENT AND TEST ENVIRONMENTS | The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
CONFIGURATION MANAGEMENT | CM-3 | CM-3c | CONFIGURATION CHANGE CONTROL | Documents configuration change decisions associated with the information system; | P1
CONFIGURATION MANAGEMENT | CM-3 | CM-3f | CONFIGURATION CHANGE CONTROL | Audits and reviews activities associated with configuration-controlled changes to the information system; and | P1
CONFIGURATION MANAGEMENT | CM-3 (1) | CM-3 (1) | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES | The organization employs automated mechanisms to:
CONFIGURATION MANAGEMENT | CM-3 (1) | CM-3 (1)(a) | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES | Document proposed changes to the information system;
CONFIGURATION MANAGEMENT | CM-3 (1) | CM-3 (1)(b) | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES | Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval;
CONFIGURATION MANAGEMENT | CM-3 (1) | CM-3 (1)(c) | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES | Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
CONFIGURATION MANAGEMENT | CM-3 (1) | CM-3 (1)(d) | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES | Prohibit changes to the information system until designated approvals are received;
CONFIGURATION MANAGEMENT | CM-3 (1) | CM-3 (1)(e) | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES | Document all changes to the information system; and
CONFIGURATION MANAGEMENT | CM-3 (2) | CM-3 (2) | TEST / VALIDATE / DOCUMENT CHANGES | The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CONFIGURATION MANAGEMENT | CM-3 (3) | CM-3 (3) | AUTOMATED CHANGE IMPLEMENTATION | The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
CONFIGURATION MANAGEMENT | CM-3 (4) | CM-3 (4) | SECURITY REPRESENTATIVE | The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].
CONFIGURATION MANAGEMENT | CM-3 (5) | CM-3 (5) | AUTOMATED SECURITY RESPONSE | The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.
CONFIGURATION MANAGEMENT | CM-3 (6) | CM-3 (6) | CRYPTOGRAPHY MANAGEMENT | The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.
CONFIGURATION MANAGEMENT | CM-4 | CM-4 | SECURITY IMPACT ANALYSIS | The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. | P2
CONFIGURATION MANAGEMENT | CM-4 (1) | CM-4 (1) | SEPARATE TEST ENVIRONMENTS | The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CONFIGURATION MANAGEMENT | CM-4 (2) | CM-4 (2) | VERIFICATION OF SECURITY FUNCTIONS | The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CONFIGURATION MANAGEMENT | CM-5 | CM-5 | ACCESS RESTRICTIONS FOR CHANGE | The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. | P1
CONFIGURATION MANAGEMENT | CM-5 (1) | CM-5 (1) | AUTOMATED ACCESS ENFORCEMENT / AUDITING | The information system enforces access restrictions and supports auditing of the enforcement actions.
CONFIGURATION MANAGEMENT | CM-5 (2) | CM-5 (2) | REVIEW SYSTEM CHANGES | The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
CONFIGURATION MANAGEMENT | CM-5 (3) | CM-5 (3) | SIGNED COMPONENTS | The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
CONFIGURATION MANAGEMENT | CM-5 (4) | CM-5 (4) | DUAL AUTHORIZATION | The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].
CONFIGURATION MANAGEMENT | CM-5 (5) | CM-5 (5)(b) | LIMIT PRODUCTION / OPERATIONAL PRIVILEGES | Reviews and reevaluates privileges [Assignment: organization-defined frequency].
CONFIGURATION MANAGEMENT | CM-5 (6) | CM-5 (6) | LIMIT LIBRARY PRIVILEGES | The organization limits privileges to change software resident within software libraries.
CONFIGURATION MANAGEMENT | CM-5 (7) | CM-5 (7) | AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS | [Withdrawn: Incorporated into SI-7].
CONFIGURATION MANAGEMENT | CM-6 | CM-6a | CONFIGURATION SETTINGS | Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; | P1
CONFIGURATION MANAGEMENT | CM-6 (1) | CM-6 (1) | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION | The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
CONFIGURATION MANAGEMENT | CM-6 (2) | CM-6 (2) | RESPOND TO UNAUTHORIZED CHANGES | The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
CONFIGURATION MANAGEMENT | CM-6 (3) | CM-6 (3) | UNAUTHORIZED CHANGE DETECTION | [Withdrawn: Incorporated into SI-7].
CONFIGURATION MANAGEMENT | CM-6 (4) | CM-6 (4) | CONFORMANCE DEMONSTRATION | [Withdrawn: Incorporated into CM-4].
CONFIGURATION MANAGEMENT | CM-7 | CM-7 | LEAST FUNCTIONALITY | The organization: | P1
CONFIGURATION MANAGEMENT | CM-7 | CM-7a | LEAST FUNCTIONALITY | Configures the information system to provide only essential capabilities; and | P1
CONFIGURATION MANAGEMENT | CM-7 | CM-7b | LEAST FUNCTIONALITY | Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. | P1
CONFIGURATION MANAGEMENT | CM-7 (1) | CM-7 (1)(a) | PERIODIC REVIEW | Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
CONFIGURATION MANAGEMENT | CM-7 (1) | CM-7 (1)(b) | PERIODIC REVIEW | Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
CONFIGURATION MANAGEMENT | CM-7 (2) | CM-7 (2) | PREVENT PROGRAM EXECUTION | The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
CONFIGURATION MANAGEMENT | CM-7 (3) | CM-7 (3) | REGISTRATION COMPLIANCE | The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
CONFIGURATION MANAGEMENT | CM-7 (4) | CM-7 (4)(b) | UNAUTHORIZED SOFTWARE / BLACKLISTING | Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
CONFIGURATION MANAGEMENT | CM-7 (4) | CM-7 (4)(c) | UNAUTHORIZED SOFTWARE / BLACKLISTING | Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
CONFIGURATION MANAGEMENT | CM-7 (5) | CM-7 (5) | AUTHORIZED SOFTWARE / WHITELISTING | The organization:
CONFIGURATION MANAGEMENT | CM-7 (5) | CM-7 (5)(b) | AUTHORIZED SOFTWARE / WHITELISTING | Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
CONFIGURATION MANAGEMENT | CM-7 (5) | CM-7 (5)(c) | AUTHORIZED SOFTWARE / WHITELISTING | Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
CONFIGURATION MANAGEMENT | CM-8 | CM-8a | INFORMATION SYSTEM COMPONENT INVENTORY | Develops and documents an inventory of information system components that: | P1
CONFIGURATION MANAGEMENT | CM-8 | CM-8a.2 | INFORMATION SYSTEM COMPONENT INVENTORY | Includes all components within the authorization boundary of the information system; | P1
CONFIGURATION MANAGEMENT | CM-8 | CM-8a.4 | INFORMATION SYSTEM COMPONENT INVENTORY | Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and | P1
CONFIGURATION MANAGEMENT | CM-8 | CM-8b | INFORMATION SYSTEM COMPONENT INVENTORY | Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. | P1
CONFIGURATION MANAGEMENT | CM-8 (1) | CM-8 (1) | UPDATES DURING INSTALLATIONS / REMOVALS | The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
CONFIGURATION MANAGEMENT | CM-8 (2) | CM-8 (2) | AUTOMATED MAINTENANCE | The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
CONFIGURATION MANAGEMENT | CM-8 (3) | CM-8 (3)(a) | AUTOMATED UNAUTHORIZED COMPONENT DETECTION | Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
CONFIGURATION MANAGEMENT | CM-8 (3) | CM-8 (3)(b) | AUTOMATED UNAUTHORIZED COMPONENT DETECTION | Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
CONFIGURATION MANAGEMENT | CM-8 (4) | CM-8 (4) | ACCOUNTABILITY INFORMATION | The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.
CONFIGURATION MANAGEMENT | CM-8 (5) | CM-8 (5) | NO DUPLICATE ACCOUNTING OF COMPONENTS | The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
CONFIGURATION MANAGEMENT | CM-8 (6) | CM-8 (6) | ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS | The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
CONFIGURATION MANAGEMENT | CM-8 (7) | CM-8 (7) | CENTRALIZED REPOSITORY | The organization provides a centralized repository for the inventory of information system components.
CONFIGURATION MANAGEMENT | CM-8 (8) | CM-8 (8) | AUTOMATED LOCATION TRACKING | The organization employs automated mechanisms to support tracking of information system components by geographic location.
CONFIGURATION MANAGEMENT | CM-8 (9) | CM-8 (9) | ASSIGNMENT OF COMPONENTS TO SYSTEMS | The organization:
CONFIGURATION MANAGEMENT | CM-8 (9) | CM-8 (9)(a) | ASSIGNMENT OF COMPONENTS TO SYSTEMS | Assigns [Assignment: organization-defined acquired information system components] to an information system; and
CONFIGURATION MANAGEMENT | CM-8 (9) | CM-8 (9)(b) | ASSIGNMENT OF COMPONENTS TO SYSTEMS | Receives an acknowledgement from the information system owner of this assignment.
CONFIGURATION MANAGEMENT | CM-9 | CM-9 | CONFIGURATION MANAGEMENT PLAN | The organization develops, documents, and implements a configuration management plan for the information system that: | P1
CONFIGURATION MANAGEMENT | CM-9 | CM-9a | CONFIGURATION MANAGEMENT PLAN | Addresses roles, responsibilities, and configuration management processes and procedures; | P1
CONFIGURATION MANAGEMENT | CM-9 | CM-9b | CONFIGURATION MANAGEMENT PLAN | Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; | P1
CONFIGURATION MANAGEMENT | CM-9 | CM-9c | CONFIGURATION MANAGEMENT PLAN | Defines the configuration items for the information system and places the configuration items under configuration management; and | P1
CONFIGURATION MANAGEMENT | CM-9 | CM-9d | CONFIGURATION MANAGEMENT PLAN | Protects the configuration management plan from unauthorized disclosure and modification. | P1
CONFIGURATION MANAGEMENT | CM-9 (1) | CM-9 (1) | ASSIGNMENT OF RESPONSIBILITY | The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
CONFIGURATION MANAGEMENT | CM-10 (1) | CM-10 (1) | OPEN SOURCE SOFTWARE | The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].
CONFIGURATION MANAGEMENT | CM-11 (2) | CM-11 (2) | PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS | The information system prohibits user installation of software without explicit privileged status.
CONTINGENCY PLANNING | CP-2 | CP-2a | CONTINGENCY PLAN | Develops a contingency plan for the information system that: | P1
CONTINGENCY PLANNING | CP-2 | CP-2a.1 | CONTINGENCY PLAN | Identifies essential missions and business functions and associated contingency requirements; | P1
CONTINGENCY PLANNING | CP-2 | CP-2a.2 | CONTINGENCY PLAN | Provides recovery objectives, restoration priorities, and metrics; | P1
CONTINGENCY PLANNING | CP-2 | CP-2a.3 | CONTINGENCY PLAN | Addresses contingency roles, responsibilities, assigned individuals with contact information; | P1
CONTINGENCY PLANNING | CP-2 | CP-2a.4 | CONTINGENCY PLAN | Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; | P1
CONTINGENCY PLANNING | CP-2 | CP-2a.5 | CONTINGENCY PLAN | Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and | P1
CONTINGENCY PLANNING | CP-2 | CP-2a.6 | CONTINGENCY PLAN | Is reviewed and approved by [Assignment: organization-defined personnel or roles]; | P1
CONTINGENCY PLANNING | CP-2 | CP-2b | CONTINGENCY PLAN | Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; | P1
CONTINGENCY PLANNING | CP-2 | CP-2c | CONTINGENCY PLAN | Coordinates contingency planning activities with incident handling activities; | P1
CONTINGENCY PLANNING | CP-2 | CP-2d | CONTINGENCY PLAN | Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; | P1
CONTINGENCY PLANNING | CP-2 | CP-2e | CONTINGENCY PLAN | Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; | P1
CONTINGENCY PLANNING | CP-2 | CP-2f | CONTINGENCY PLAN | Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and | P1
CONTINGENCY PLANNING | CP-2 | CP-2g | CONTINGENCY PLAN | Protects the contingency plan from unauthorized disclosure and modification. | P1
CONTINGENCY PLANNING | CP-2 (1) | CP-2 (1) | COORDINATE WITH RELATED PLANS | The organization coordinates contingency plan development with organizational elements responsible for related plans.
CONTINGENCY PLANNING | CP-2 (2) | CP-2 (2) | CAPACITY PLANNING | The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CONTINGENCY PLANNING | CP-2 (3) | CP-2 (3) | RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS | The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CONTINGENCY PLANNING | CP-2 (4) | CP-2 (4) | RESUME ALL MISSIONS / BUSINESS FUNCTIONS | The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CONTINGENCY PLANNING | CP-2 (5) | CP-2 (5) | CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS | The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CONTINGENCY PLANNING | CP-2 (6) | CP-2 (6) | ALTERNATE PROCESSING / STORAGE SITE | The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CONTINGENCY PLANNING | CP-2 (7) | CP-2 (7) | COORDINATE WITH EXTERNAL SERVICE PROVIDERS | The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
CONTINGENCY PLANNING | CP-2 (8) | CP-2 (8) | IDENTIFY CRITICAL ASSETS | The organization identifies critical information system assets supporting essential missions and business functions.
CONTINGENCY PLANNING | CP-3 | CP-3 | CONTINGENCY TRAINING | The organization provides contingency training to information system users consistent with assigned roles and responsibilities: | P2
CONTINGENCY PLANNING | CP-3 | CP-3a | CONTINGENCY TRAINING | Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; | P2
CONTINGENCY PLANNING | CP-3 | CP-3b | CONTINGENCY TRAINING | When required by information system changes; and | P2
CONTINGENCY PLANNING | CP-3 | CP-3c | CONTINGENCY TRAINING | [Assignment: organization-defined frequency] thereafter. | P2
CONTINGENCY PLANNING | CP-3 (1) | CP-3 (1) | SIMULATED EVENTS | The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
CONTINGENCY PLANNING | CP-3 (2) | CP-3 (2) | AUTOMATED TRAINING ENVIRONMENTS | The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.
CONTINGENCY PLANNING | CP-4 | CP-4 | CONTINGENCY PLAN TESTING | The organization: | P2
CONTINGENCY PLANNING | CP-4 | CP-4a | CONTINGENCY PLAN TESTING | Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; | P2
CONTINGENCY PLANNING | CP-4 | CP-4b | CONTINGENCY PLAN TESTING | Reviews the contingency plan test results; and | P2
CONTINGENCY PLANNING | CP-4 | CP-4c | CONTINGENCY PLAN TESTING | Initiates corrective actions, if needed. | P2
CONTINGENCY PLANNING | CP-4 (1) | CP-4 (1) | COORDINATE WITH RELATED PLANS | The organization coordinates contingency plan testing with organizational elements responsible for related plans.
CONTINGENCY PLANNING | CP-4 (2) | CP-4 (2) | ALTERNATE PROCESSING SITE | The organization tests the contingency plan at the alternate processing site:
CONTINGENCY PLANNING | CP-4 (2) | CP-4 (2)(a) | ALTERNATE PROCESSING SITE | To familiarize contingency personnel with the facility and available resources; and
CONTINGENCY PLANNING | CP-4 (2) | CP-4 (2)(b) | ALTERNATE PROCESSING SITE | To evaluate the capabilities of the alternate processing site to support contingency operations.
CONTINGENCY PLANNING | CP-4 (3) | CP-4 (3) | AUTOMATED TESTING | The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
CONTINGENCY PLANNING | CP-4 (4) | CP-4 (4) | FULL RECOVERY / RECONSTITUTION | The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
CONTINGENCY PLANNING | CP-6 | CP-6b | ALTERNATE STORAGE SITE | Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. | P1
CONTINGENCY PLANNING | CP-6 (1) | CP-6 (1) | SEPARATION FROM PRIMARY SITE | The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
CONTINGENCY PLANNING | CP-6 (2) | CP-6 (2) | RECOVERY TIME / POINT OBJECTIVES | The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CONTINGENCY PLANNING | CP-6 (3) | CP-6 (3) | ACCESSIBILITY | The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CONTINGENCY PLANNING | CP-7 | CP-7c | ALTERNATE PROCESSING SITE | Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site. | P1
CONTINGENCY PLANNING | CP-7 (1) | CP-7 (1) | SEPARATION FROM PRIMARY SITE | The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
CONTINGENCY PLANNING | CP-7 (2) | CP-7 (2) | ACCESSIBILITY | The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CONTINGENCY PLANNING | CP-7 (3) | CP-7 (3) | PRIORITY OF SERVICE | The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).
CONTINGENCY PLANNING | CP-7 (4) | CP-7 (4) | PREPARATION FOR USE | The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
CONTINGENCY CP-7 (5) CP-7 (5) EQUIVALENT [Withdrawn: Incorporated into CP-7].
PLANNING INFORMATION
### SECURITY
SAFEGUARDS
CONTINGENCY CP-7 (6) CP-7 (6) INABILITY TO RETURN The organization plans and prepares for
### PLANNING TO PRIMARY SITE circumstances that preclude returning to the
primary processing site.
CONTINGENCY CP-8 CP-8 TELECOMMUNICATIO The organization establishes alternate P1
PLANNING NS SERVICES telecommunications services including necessary
agreements to permit the resumption of
[Assignment: organization-defined information
system operations] for essential missions and
business functions within [Assignment:
organization-defined time period] when the
### primary telecommunications capabilities are
unavailable at either the primary or alternate
processing or storage sites.
CONTINGENCY CP-8 (1) CP-8 (1) PRIORITY OF SERVICE The organization:
PLANNING PROVISIONS
###
CONTINGENCY CP-8 (1) CP-8 (1)(a) PRIORITY OF SERVICE Develops primary and alternate
PLANNING PROVISIONS telecommunications service agreements that
contain priority-of-service provisions in
accordance with organizational availability
requirements (including recovery time
objectives); and
###
CONTINGENCY CP-8 (1) CP-8 (1)(b) PRIORITY OF SERVICE Requests Telecommunications Service Priority
PLANNING PROVISIONS for all telecommunications services used for
national security emergency preparedness in the
event that the primary and/or alternate
telecommunications services are provided by a
common carrier.
###
CONTINGENCY CP-8 (2) CP-8 (2) SINGLE POINTS OF The organization obtains alternate
PLANNING FAILURE telecommunications services to reduce the
likelihood of sharing a single point of failure with
primary telecommunications services.
###
CONTINGENCY CP-8 (3) CP-8 (3) SEPARATION OF The organization obtains alternate
PLANNING PRIMARY / telecommunications services from providers that
ALTERNATE are separated from primary service providers to
### PROVIDERS reduce susceptibility to the same threats.
###
###
CONTINGENCY CP-9 CP-9b INFORMATION Conducts backups of system-level information P1
PLANNING SYSTEM BACKUP contained in the information system
[Assignment: organization-defined frequency
consistent with recovery time and recovery point
objectives];
###
###
CONTINGENCY CP-9 CP-9d INFORMATION Protects the confidentiality, integrity, and P1
PLANNING SYSTEM BACKUP availability of backup information at storage
locations.
###
CONTINGENCY CP-9 (1) CP-9 (1) TESTING FOR The organization tests backup information
PLANNING RELIABILITY / [Assignment: organization-defined frequency] to
### INTEGRITY verify media reliability and information integrity.
CONTINGENCY CP-9 (2) CP-9 (2) TEST RESTORATION The organization uses a sample of backup
PLANNING USING SAMPLING information in the restoration of selected
### information system functions as part of
contingency plan testing.
CONTINGENCY CP-9 (3) CP-9 (3) SEPARATE STORAGE The organization stores backup copies of
PLANNING FOR CRITICAL [Assignment: organization-defined critical
INFORMATION information system software and other security-
related information] in a separate facility or in a
### fire-rated container that is not collocated with
the operational system.
CONTINGENCY CP-9 (4) CP-9 (4) PROTECTION FROM [Withdrawn: Incorporated into CP-9].
### PLANNING UNAUTHORIZED
MODIFICATION
CONTINGENCY CP-9 (5) CP-9 (5) TRANSFER TO The organization transfers information system
PLANNING ALTERNATE STORAGE backup information to the alternate storage site
SITE [Assignment: organization-defined time period
and transfer rate consistent with the recovery
time and recovery point objectives].
###
CONTINGENCY CP-9 (6) CP-9 (6) REDUNDANT The organization accomplishes information
PLANNING SECONDARY SYSTEM system backup by maintaining a redundant
secondary system that is not collocated with the
primary system and that can be activated
without loss of information or disruption to
### operations.
CONTINGENCY CP-9 (7) CP-9 (7) DUAL The organization enforces dual authorization for
### PLANNING AUTHORIZATION the deletion or destruction of [Assignment:
organization-defined backup information].
CONTINGENCY CP-10 CP-10 INFORMATION The organization provides for the recovery and P1
PLANNING SYSTEM RECOVERY reconstitution of the information system to a
AND known state after a disruption, compromise, or
### RECONSTITUTION failure.
CONTINGENCY CP-10 (1) CP-10 (1) CONTINGENCY PLAN [Withdrawn: Incorporated into CP-4].
### PLANNING TESTING
CONTINGENCY CP-10 (2) CP-10 (2) TRANSACTION The information system implements transaction
### PLANNING RECOVERY recovery for systems that are transaction-based.
CONTINGENCY CP-10 (3) CP-10 (3) COMPENSATING [Withdrawn: Addressed through tailoring
### PLANNING SECURITY CONTROLS procedures].
CONTINGENCY CP-10 (4) CP-10 (4) RESTORE WITHIN The organization provides the capability to
PLANNING TIME PERIOD restore information system components within
[Assignment: organization-defined restoration
time-periods] from configuration-controlled and
### integrity-protected information representing a
known, operational state for the components.
CONTINGENCY CP-10 (5) CP-10 (5) FAILOVER CAPABILITY [Withdrawn: Incorporated into SI-13].
### PLANNING
CONTINGENCY CP-10 (6) CP-10 (6) COMPONENT The organization protects backup and restoration
### PLANNING PROTECTION hardware, firmware, and software.
CONTINGENCY CP-11 CP-11 ALTERNATE The information system provides the capability P0
PLANNING COMMUNICATIONS to employ [Assignment: organization-defined
PROTOCOLS alternative communications protocols] in
support of maintaining continuity of operations.
###
CONTINGENCY CP-12 CP-12 SAFE MODE The information system, when [Assignment: P0
PLANNING organization-defined conditions] are detected,
enters a safe mode of operation with
### [Assignment: organization-defined restrictions of
safe mode of operation].
DATA QUALITY AND DM-2 DM-2 Data Retention and Privacy Control. Refer to NIST SP 800-53 (Rev. 4)
### INTEGRITY Disposal Appendix J
DATA QUALITY AND DM-3 DM-3 Minimization of PII Privacy Control. Refer to NIST SP 800-53 (Rev. 4)
INTEGRITY Used in Testing, Appendix J
### Training and
Research
IDENTIFICATION IA-1 IA-1a.1 IDENTIFICATION AND An identification and authentication policy that P1
AND AUTHENTICATION addresses purpose, scope, roles, responsibilities,
AUTHENTICATION POLICY AND management commitment, coordination among
### PROCEDURES organizational entities, and compliance; and
IDENTIFICATION IA-1 IA-1a.2 IDENTIFICATION AND Procedures to facilitate the implementation of P1
AND AUTHENTICATION the identification and authentication policy and
AUTHENTICATION POLICY AND associated identification and authentication
### PROCEDURES controls; and
IDENTIFICATION IA-1 IA-1b IDENTIFICATION AND Reviews and updates the current: P1
AND AUTHENTICATION
AUTHENTICATION POLICY AND
### PROCEDURES
IDENTIFICATION IA-2 IA-2 IDENTIFICATION AND The information system uniquely identifies and P1
AND AUTHENTICATION authenticates organizational users (or processes
AUTHENTICATION (ORGANIZATIONAL acting on behalf of organizational users).
USERS)
###
IDENTIFICATION IA-2 (1) IA-2 (1) NETWORK ACCESS TO The information system implements multifactor
AND PRIVILEGED authentication for network access to privileged
AUTHENTICATION ACCOUNTS accounts.
###
IDENTIFICATION IA-2 (2) IA-2 (2) NETWORK ACCESS TO The information system implements multifactor
AND NON-PRIVILEGED authentication for network access to non-
AUTHENTICATION ACCOUNTS privileged accounts.
###
IDENTIFICATION IA-2 (3) IA-2 (3) LOCAL ACCESS TO The information system implements multifactor
AND PRIVILEGED authentication for local access to privileged
AUTHENTICATION ACCOUNTS accounts.
###
IDENTIFICATION IA-2 (4) IA-2 (4) LOCAL ACCESS TO The information system implements multifactor
### AND NON-PRIVILEGED authentication for local access to non-privileged
AUTHENTICATION ACCOUNTS accounts.
IDENTIFICATION IA-2 (5) IA-2 (5) GROUP The organization requires individuals to be
AND AUTHENTICATION authenticated with an individual authenticator
### AUTHENTICATION when a group authenticator is employed.
IDENTIFICATION IA-2 (6) IA-2 (6) NETWORK ACCESS TO The information system implements multifactor
AND PRIVILEGED authentication for network access to privileged
AUTHENTICATION ACCOUNTS - accounts such that one of the factors is provided
SEPARATE DEVICE by a device separate from the system gaining
### access and the device meets [Assignment:
organization-defined strength of mechanism
requirements].
IDENTIFICATION IA-2 (7) IA-2 (7) NETWORK ACCESS TO The information system implements multifactor
AND NON-PRIVILEGED authentication for network access to non-
AUTHENTICATION ACCOUNTS - privileged accounts such that one of the factors
SEPARATE DEVICE is provided by a device separate from the system
### gaining access and the device meets
[Assignment: organization-defined strength of
mechanism requirements].
IDENTIFICATION IA-2 (8) IA-2 (8) NETWORK ACCESS TO The information system implements replay-
AND PRIVILEGED resistant authentication mechanisms for network
AUTHENTICATION ACCOUNTS - REPLAY access to privileged accounts.
### RESISTANT
IDENTIFICATION IA-2 (9) IA-2 (9) NETWORK ACCESS TO The information system implements replay-
AND NON-PRIVILEGED resistant authentication mechanisms for network
### AUTHENTICATION ACCOUNTS - REPLAY access to non-privileged accounts.
RESISTANT
IDENTIFICATION IA-2 (10) IA-2 (10) SINGLE SIGN-ON The information system provides a single sign-on
AND capability for [Assignment: organization-defined
### AUTHENTICATION information system accounts and services].
IDENTIFICATION IA-2 (11) IA-2 (11) REMOTE ACCESS - The information system implements multifactor
AND SEPARATE DEVICE authentication for remote access to privileged
AUTHENTICATION and non-privileged accounts such that one of the
factors is provided by a device separate from the
system gaining access and the device meets
[Assignment: organization-defined strength of
### mechanism requirements].
IDENTIFICATION IA-2 (12) IA-2 (12) ACCEPTANCE OF PIV The information system accepts and
AND CREDENTIALS electronically verifies Personal Identity
AUTHENTICATION Verification (PIV) credentials.
###
IDENTIFICATION IA-2 (13) IA-2 (13) OUT-OF-BAND The information system implements
AND AUTHENTICATION [Assignment: organization-defined out-of-band
### AUTHENTICATION authentication] under [Assignment: organization-
defined conditions].
IDENTIFICATION IA-3 IA-3 DEVICE The information system uniquely identifies and P1
AND IDENTIFICATION AND authenticates [Assignment: organization-defined
AUTHENTICATION AUTHENTICATION specific and/or types of devices] before
### establishing a [Selection (one or more): local;
remote; network] connection.
IDENTIFICATION IA-3 (1) IA-3 (1) CRYPTOGRAPHIC The information system authenticates
AND BIDIRECTIONAL [Assignment: organization-defined specific
AUTHENTICATION AUTHENTICATION devices and/or types of devices] before
establishing [Selection (one or more): local;
### remote; network] connection using bidirectional
authentication that is cryptographically based.
IDENTIFICATION IA-3 (2) IA-3 (2) CRYPTOGRAPHIC [Withdrawn: Incorporated into IA-3 (1)].
AND BIDIRECTIONAL
### AUTHENTICATION NETWORK
AUTHENTICATION
IDENTIFICATION IA-3 (3) IA-3 (3)(b) DYNAMIC ADDRESS Audits lease information when assigned to a
### AND ALLOCATION device.
AUTHENTICATION
IDENTIFICATION IA-3 (4) IA-3 (4) DEVICE ATTESTATION The organization ensures that device
AND identification and authentication based on
AUTHENTICATION attestation is handled by [Assignment:
### organization-defined configuration management
process].
IDENTIFICATION IA-4 (1) IA-4 (1) PROHIBIT ACCOUNT The organization prohibits the use of information
AND IDENTIFIERS AS system account identifiers that are the same as
### AUTHENTICATION PUBLIC IDENTIFIERS public identifiers for individual electronic mail
accounts.
IDENTIFICATION IA-4 (2) IA-4 (2) SUPERVISOR The organization requires that the registration
### AND AUTHORIZATION process to receive an individual identifier
AUTHENTICATION includes supervisor authorization.
IDENTIFICATION IA-4 (3) IA-4 (3) MULTIPLE FORMS OF The organization requires multiple forms of
### AND CERTIFICATION certification of individual identification be
AUTHENTICATION presented to the registration authority.
IDENTIFICATION IA-4 (4) IA-4 (4) IDENTIFY USER The organization manages individual identifiers
AND STATUS by uniquely identifying each individual as
AUTHENTICATION [Assignment: organization-defined characteristic
### identifying individual status].
IDENTIFICATION IA-4 (5) IA-4 (5) DYNAMIC The information system dynamically manages
### AND MANAGEMENT identifiers.
AUTHENTICATION
IDENTIFICATION IA-4 (6) IA-4 (6) CROSS- The organization coordinates with [Assignment:
AND ORGANIZATION organization-defined external organizations] for
### AUTHENTICATION MANAGEMENT cross-organization management of identifiers.
IDENTIFICATION IA-4 (7) IA-4 (7) IN-PERSON The organization requires that the registration
AND REGISTRATION process to receive an individual identifier be
### AUTHENTICATION conducted in person before a designated
registration authority.
###
IDENTIFICATION IA-5 IA-5a AUTHENTICATOR Verifying, as part of the initial authenticator P1
AND MANAGEMENT distribution, the identity of the individual, group,
AUTHENTICATION role, or device receiving the authenticator;
###
###
###
IDENTIFICATION IA-5 IA-5d AUTHENTICATOR Establishing and implementing administrative P1
AND MANAGEMENT procedures for initial authenticator distribution,
AUTHENTICATION for lost/compromised or damaged
authenticators, and for revoking authenticators;
###
###
###
IDENTIFICATION IA-5 IA-5g AUTHENTICATOR Changing/refreshing authenticators [Assignment: P1
AND MANAGEMENT organization-defined time period by
AUTHENTICATION authenticator type];
###
###
IDENTIFICATION IA-5 IA-5i AUTHENTICATOR Requiring individuals to take, and having devices P1
AND MANAGEMENT implement, specific security safeguards to
AUTHENTICATION protect authenticators; and
###
IDENTIFICATION IA-5 IA-5j AUTHENTICATOR Changing authenticators for group/role accounts P1
AND MANAGEMENT when membership to those accounts changes.
AUTHENTICATION
###
IDENTIFICATION IA-5 (1) IA-5 (1) PASSWORD-BASED The information system, for password-based
AND AUTHENTICATION authentication:
AUTHENTICATION
###
IDENTIFICATION IA-5 (1) IA-5 (1)(a) PASSWORD-BASED Enforces minimum password complexity of
AND AUTHENTICATION [Assignment: organization-defined requirements
AUTHENTICATION for case sensitivity, number of characters, mix of
upper-case letters, lower-case letters, numbers,
and special characters, including minimum
requirements for each type];
###
IDENTIFICATION IA-5 (1) IA-5 (1)(b) PASSWORD-BASED Enforces at least the following number of
AND AUTHENTICATION changed characters when new passwords are
AUTHENTICATION created: [Assignment: organization-defined
number];
###
IDENTIFICATION IA-5 (1) IA-5 (1)(c) PASSWORD-BASED Stores and transmits only cryptographically-
AND AUTHENTICATION protected passwords;
AUTHENTICATION
###
IDENTIFICATION IA-5 (1) IA-5 (1)(d) PASSWORD-BASED Enforces password minimum and maximum
AND AUTHENTICATION lifetime restrictions of [Assignment:
AUTHENTICATION organization-defined numbers for lifetime
minimum, lifetime maximum];
###
IDENTIFICATION IA-5 (1) IA-5 (1)(e) PASSWORD-BASED Prohibits password reuse for [Assignment:
AND AUTHENTICATION organization-defined number] generations; and
AUTHENTICATION
###
IDENTIFICATION IA-5 (1) IA-5 (1)(f) PASSWORD-BASED Allows the use of a temporary password for
AND AUTHENTICATION system logons with an immediate change to a
AUTHENTICATION permanent password.
###
IDENTIFICATION IA-5 (2) IA-5 (2) PKI-BASED The information system, for PKI-based
AND AUTHENTICATION authentication:
AUTHENTICATION
###
IDENTIFICATION IA-5 (2) IA-5 (2)(a) PKI-BASED Validates certifications by constructing and
AND AUTHENTICATION verifying a certification path to an accepted trust
AUTHENTICATION anchor including checking certificate status
### information;
IDENTIFICATION IA-5 (2) IA-5 (2)(b) PKI-BASED Enforces authorized access to the corresponding
AND AUTHENTICATION private key;
AUTHENTICATION
###
IDENTIFICATION IA-5 (2) IA-5 (2)(c) PKI-BASED Maps the authenticated identity to the account
AND AUTHENTICATION of the individual or group; and
AUTHENTICATION
###
IDENTIFICATION IA-5 (2) IA-5 (2)(d) PKI-BASED Implements a local cache of revocation data to
AND AUTHENTICATION support path discovery and validation in case of
AUTHENTICATION inability to access revocation information via the
### network.
IDENTIFICATION IA-5 (3) IA-5 (3) IN-PERSON OR The organization requires that the registration
AND TRUSTED THIRD- process to receive [Assignment: organization-
AUTHENTICATION PARTY REGISTRATION defined types of and/or specific authenticators]
be conducted [Selection: in person; by a trusted
third party] before [Assignment: organization-
### defined registration authority] with authorization
by [Assignment: organization-defined personnel
or roles].
IDENTIFICATION IA-5 (4) IA-5 (4) AUTOMATED The organization employs automated tools to
AND SUPPORT FOR determine if password authenticators are
AUTHENTICATION PASSWORD sufficiently strong to satisfy [Assignment:
### STRENGTH organization-defined requirements].
DETERMINATION
IDENTIFICATION IA-5 (5) IA-5 (5) CHANGE The organization requires developers/installers
AND AUTHENTICATORS of information system components to provide
AUTHENTICATION PRIOR TO DELIVERY unique authenticators or change default
### authenticators prior to delivery/installation.
IDENTIFICATION IA-5 (6) IA-5 (6) PROTECTION OF The organization protects authenticators
AND AUTHENTICATORS commensurate with the security category of the
AUTHENTICATION information to which use of the authenticator
### permits access.
IDENTIFICATION IA-5 (7) IA-5 (7) NO EMBEDDED The organization ensures that unencrypted static
AND UNENCRYPTED authenticators are not embedded in applications
AUTHENTICATION STATIC or access scripts or stored on function keys.
### AUTHENTICATORS
IDENTIFICATION IA-5 (8) IA-5 (8) MULTIPLE The organization implements [Assignment:
AND INFORMATION organization-defined security safeguards] to
AUTHENTICATION SYSTEM ACCOUNTS manage the risk of compromise due to
### individuals having accounts on multiple
information systems.
IDENTIFICATION IA-5 (9) IA-5 (9) CROSS- The organization coordinates with [Assignment:
AND ORGANIZATION organization-defined external organizations] for
### AUTHENTICATION CREDENTIAL cross-organization management of credentials.
MANAGEMENT
IDENTIFICATION IA-5 (10) IA-5 (10) DYNAMIC The information system dynamically provisions
### AND CREDENTIAL identities.
AUTHENTICATION ASSOCIATION
IDENTIFICATION IA-5 (11) IA-5 (11) HARDWARE TOKEN- The information system, for hardware token-
AND BASED based authentication, employs mechanisms that
AUTHENTICATION AUTHENTICATION satisfy [Assignment: organization-defined token
quality requirements].
###
IDENTIFICATION IA-5 (12) IA-5 (12) BIOMETRIC-BASED The information system, for biometric-based
AND AUTHENTICATION authentication, employs mechanisms that satisfy
### AUTHENTICATION [Assignment: organization-defined biometric
quality requirements].
IDENTIFICATION IA-5 (13) IA-5 (13) EXPIRATION OF The information system prohibits the use of
### AND CACHED cached authenticators after [Assignment:
AUTHENTICATION AUTHENTICATORS organization-defined time period].
IDENTIFICATION IA-5 (14) IA-5 (14) MANAGING CONTENT The organization, for PKI-based authentication,
AND OF PKI TRUST STORES employs a deliberate organization-wide
AUTHENTICATION methodology for managing the content of PKI
### trust stores installed across all platforms
including networks, operating systems,
browsers, and applications.
IDENTIFICATION IA-5 (15) IA-5 (15) FICAM-APPROVED The organization uses only FICAM-approved path
### AND PRODUCTS AND discovery and validation products and services.
AUTHENTICATION SERVICES
IDENTIFICATION IA-6 IA-6 AUTHENTICATOR The information system obscures feedback of P2
AND FEEDBACK authentication information during the
AUTHENTICATION authentication process to protect the
information from possible exploitation/use by
unauthorized individuals.
###
IDENTIFICATION IA-8 (1) IA-8 (1) ACCEPTANCE OF PIV The information system accepts and
AND CREDENTIALS FROM electronically verifies Personal Identity
### AUTHENTICATION OTHER AGENCIES Verification (PIV) credentials from other federal
agencies.
IDENTIFICATION IA-8 (2) IA-8 (2) ACCEPTANCE OF The information system accepts only FICAM-
### AND THIRD-PARTY approved third-party credentials.
AUTHENTICATION CREDENTIALS
IDENTIFICATION IA-8 (3) IA-8 (3) USE OF FICAM- The organization employs only FICAM-approved
AND APPROVED information system components in [Assignment:
### AUTHENTICATION PRODUCTS organization-defined information systems] to
accept third-party credentials.
IDENTIFICATION IA-8 (4) IA-8 (4) USE OF FICAM- The information system conforms to FICAM-
### AND ISSUED PROFILES issued profiles.
AUTHENTICATION
IDENTIFICATION IA-8 (5) IA-8 (5) ACCEPTANCE OF PIV-I The information system accepts and
### AND CREDENTIALS electronically verifies Personal Identity
AUTHENTICATION Verification-I (PIV-I) credentials.
IDENTIFICATION IA-9 IA-9 SERVICE The organization identifies and authenticates P0
AND IDENTIFICATION AND [Assignment: organization-defined information
AUTHENTICATION AUTHENTICATION system services] using [Assignment:
organization-defined security safeguards].
###
IDENTIFICATION IA-9 (1) IA-9 (1) INFORMATION The organization ensures that service providers
### AND EXCHANGE receive, validate, and transmit identification and
AUTHENTICATION authentication information.
IDENTIFICATION IA-9 (2) IA-9 (2) TRANSMISSION OF The organization ensures that identification and
AND DECISIONS authentication decisions are transmitted
AUTHENTICATION between [Assignment: organization-defined
### services] consistent with organizational policies.
IDENTIFICATION IA-11 IA-11 RE-AUTHENTICATION The organization requires users and devices to P0
AND re-authenticate when [Assignment: organization-
### AUTHENTICATION defined circumstances or situations requiring re-
authentication].
INDIVIDUAL IP-1 IP-1 Consent Privacy Control. Refer to NIST SP 800-53 (Rev. 4)
### PARTICIPATION Appendix J
AND REDRESS
INDIVIDUAL IP-2 IP-2 Individual Access Privacy Control. Refer to NIST SP 800-53 (Rev. 4)
### PARTICIPATION Appendix J
AND REDRESS
INDIVIDUAL IP-3 IP-3 Redress Privacy Control. Refer to NIST SP 800-53 (Rev. 4)
### PARTICIPATION Appendix J
AND REDRESS
INDIVIDUAL IP-4 IP-4 Complaint Privacy Control. Refer to NIST SP 800-53 (Rev. 4)
### PARTICIPATION Management Appendix J
AND REDRESS
INCIDENT IR-1 IR-1 INCIDENT RESPONSE The organization: P1
RESPONSE POLICY AND
PROCEDURES
###
###
###
INCIDENT IR-2 IR-2b INCIDENT RESPONSE When required by information system changes; P2
RESPONSE TRAINING and
###
INCIDENT IR-2 IR-2c INCIDENT RESPONSE [Assignment: organization-defined frequency] P2
RESPONSE TRAINING thereafter.
###
INCIDENT IR-2 (1) IR-2 (1) SIMULATED EVENTS The organization incorporates simulated events
RESPONSE into incident response training to facilitate
### effective response by personnel in crisis
situations.
INCIDENT IR-2 (2) IR-2 (2) AUTOMATED The organization employs automated
RESPONSE TRAINING mechanisms to provide a more thorough and
### ENVIRONMENTS realistic incident response training environment.
INCIDENT IR-3 IR-3 INCIDENT RESPONSE The organization tests the incident response P2
RESPONSE TESTING capability for the information system
[Assignment: organization-defined frequency]
using [Assignment: organization-defined tests] to
determine the incident response effectiveness
and documents the results.
###
INCIDENT IR-3 (1) IR-3 (1) AUTOMATED The organization employs automated
RESPONSE TESTING mechanisms to more thoroughly and effectively
### test the incident response capability.
INCIDENT IR-3 (2) IR-3 (2) COORDINATION The organization coordinates incident response
### RESPONSE WITH RELATED PLANS testing with organizational elements responsible
for related plans.
INCIDENT IR-4 IR-4 INCIDENT HANDLING The organization: P1
RESPONSE
###
INCIDENT IR-4 IR-4a INCIDENT HANDLING Implements an incident handling capability for P1
RESPONSE security incidents that includes preparation,
detection and analysis, containment, eradication,
and recovery;
###
INCIDENT IR-4 IR-4b INCIDENT HANDLING Coordinates incident handling activities with P1
RESPONSE contingency planning activities; and
###
INCIDENT IR-4 IR-4c INCIDENT HANDLING Incorporates lessons learned from ongoing P1
RESPONSE incident handling activities into incident
response procedures, training, and testing, and
implements the resulting changes accordingly.
###
INCIDENT IR-4 (1) IR-4 (1) AUTOMATED The organization employs automated
RESPONSE INCIDENT HANDLING mechanisms to support the incident handling
### PROCESSES process.
INCIDENT IR-4 (2) IR-4 (2) DYNAMIC The organization includes dynamic
RESPONSE RECONFIGURATION reconfiguration of [Assignment: organization-
### defined information system components] as part
of the incident response capability.
INCIDENT IR-4 (3) IR-4 (3) CONTINUITY OF The organization identifies [Assignment:
RESPONSE OPERATIONS organization-defined classes of incidents] and
[Assignment: organization-defined actions to
### take in response to classes of incidents] to
ensure continuation of organizational missions
and business functions.
INCIDENT IR-4 (4) IR-4 (4) INFORMATION The organization correlates incident information
RESPONSE CORRELATION and individual incident responses to achieve an
### organization-wide perspective on incident
awareness and response.
INCIDENT IR-4 (5) IR-4 (5) AUTOMATIC The organization implements a configurable
RESPONSE DISABLING OF capability to automatically disable the
INFORMATION information system if [Assignment: organization-
### SYSTEM defined security violations] are detected.
INCIDENT IR-4 (6) IR-4 (6) INSIDER THREATS - The organization implements incident handling
### RESPONSE SPECIFIC capability for insider threats.
CAPABILITIES
INCIDENT IR-4 (7) IR-4 (7) INSIDER THREATS - The organization coordinates incident handling
RESPONSE INTRA- capability for insider threats across [Assignment:
### ORGANIZATION organization-defined components or elements of
COORDINATION the organization].
INCIDENT IR-4 (8) IR-4 (8) CORRELATION WITH The organization coordinates with [Assignment:
RESPONSE EXTERNAL organization-defined external organizations] to
ORGANIZATIONS correlate and share [Assignment: organization-
defined incident information] to achieve a cross-
### organization perspective on incident awareness
and more effective incident responses.
INCIDENT IR-4 (9) IR-4 (9) DYNAMIC RESPONSE The organization employs [Assignment:
RESPONSE CAPABILITY organization-defined dynamic response
### capabilities] to effectively respond to security
incidents.
INCIDENT IR-4 (10) IR-4 (10) SUPPLY CHAIN The organization coordinates incident handling
RESPONSE COORDINATION activities involving supply chain events with
### other organizations involved in the supply chain.
###
INCIDENT IR-5 (1) IR-5 (1) AUTOMATED The organization employs automated
RESPONSE TRACKING / DATA mechanisms to assist in the tracking of security
### COLLECTION / incidents and in the collection and analysis of
ANALYSIS incident information.
INCIDENT IR-6 IR-6 INCIDENT REPORTING The organization: P1
RESPONSE
###
INCIDENT IR-6 IR-6a INCIDENT REPORTING Requires personnel to report suspected security P1
RESPONSE incidents to the organizational incident response
capability within [Assignment: organization-
defined time period]; and
###
###
INCIDENT IR-6 (1) IR-6 (1) AUTOMATED The organization employs automated
### RESPONSE REPORTING mechanisms to assist in the reporting of security
incidents.
INCIDENT IR-6 (2) IR-6 (2) VULNERABILITIES The organization reports information system
RESPONSE RELATED TO vulnerabilities associated with reported security
### INCIDENTS incidents to [Assignment: organization-defined
personnel or roles].
| Family | Control (Major) | Control (Sub-parts) | Title | Description | Priority |
|---|---|---|---|---|---|
| INCIDENT RESPONSE | IR-6 (3) | IR-6 (3) | COORDINATION WITH SUPPLY CHAIN | The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident. | |
| INCIDENT RESPONSE | IR-7 | IR-7 | INCIDENT RESPONSE ASSISTANCE | The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. | P2 |
| INCIDENT RESPONSE | IR-7 (1) | IR-7 (1) | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT | The organization employs automated mechanisms to increase the availability of incident response-related information and support. | |
| INCIDENT RESPONSE | IR-7 (2) | IR-7 (2)(b) | COORDINATION WITH EXTERNAL PROVIDERS | Identifies organizational incident response team members to the external providers. | |
| INCIDENT RESPONSE | IR-8 | IR-8 | INCIDENT RESPONSE PLAN | The organization: | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8a | INCIDENT RESPONSE PLAN | Develops an incident response plan that: | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8a.1 | INCIDENT RESPONSE PLAN | Provides the organization with a roadmap for implementing its incident response capability; | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8a.2 | INCIDENT RESPONSE PLAN | Describes the structure and organization of the incident response capability; | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8a.3 | INCIDENT RESPONSE PLAN | Provides a high-level approach for how the incident response capability fits into the overall organization; | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8a.4 | INCIDENT RESPONSE PLAN | Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8a.6 | INCIDENT RESPONSE PLAN | Provides metrics for measuring the incident response capability within the organization; | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8a.7 | INCIDENT RESPONSE PLAN | Defines the resources and management support needed to effectively maintain and mature an incident response capability; and | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8b | INCIDENT RESPONSE PLAN | Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8c | INCIDENT RESPONSE PLAN | Reviews the incident response plan [Assignment: organization-defined frequency]; | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8d | INCIDENT RESPONSE PLAN | Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8e | INCIDENT RESPONSE PLAN | Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and | P1 |
| INCIDENT RESPONSE | IR-8 | IR-8f | INCIDENT RESPONSE PLAN | Protects the incident response plan from unauthorized disclosure and modification. | P1 |
| INCIDENT RESPONSE | IR-9 (2) | IR-9 (2) | TRAINING | The organization provides information spillage response training [Assignment: organization-defined frequency]. | |
| INCIDENT RESPONSE | IR-9 (3) | IR-9 (3) | POST-SPILL OPERATIONS | The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. | |
| INCIDENT RESPONSE | IR-9 (4) | IR-9 (4) | EXPOSURE TO UNAUTHORIZED PERSONNEL | The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations. | |
| INCIDENT RESPONSE | IR-10 | IR-10 | INTEGRATED INFORMATION SECURITY ANALYSIS TEAM | The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel. | P0 |
| MAINTENANCE | MA-1 | MA-1a | SYSTEM MAINTENANCE POLICY AND PROCEDURES | Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: | P1 |
| MAINTENANCE | MA-1 | MA-1a.1 | SYSTEM MAINTENANCE POLICY AND PROCEDURES | A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | P1 |
| MAINTENANCE | MA-1 | MA-1a.2 | SYSTEM MAINTENANCE POLICY AND PROCEDURES | Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and | P1 |
| MAINTENANCE | MA-1 | MA-1b | SYSTEM MAINTENANCE POLICY AND PROCEDURES | Reviews and updates the current: | P1 |
| MAINTENANCE | MA-1 | MA-1b.1 | SYSTEM MAINTENANCE POLICY AND PROCEDURES | System maintenance policy [Assignment: organization-defined frequency]; and | P1 |
| MAINTENANCE | MA-1 | MA-1b.2 | SYSTEM MAINTENANCE POLICY AND PROCEDURES | System maintenance procedures [Assignment: organization-defined frequency]. | P1 |
| MAINTENANCE | MA-2 | MA-2 | CONTROLLED MAINTENANCE | The organization: | P2 |
| MAINTENANCE | MA-2 | MA-2a | CONTROLLED MAINTENANCE | Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; | P2 |
| MAINTENANCE | MA-2 | MA-2b | CONTROLLED MAINTENANCE | Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; | P2 |
| MAINTENANCE | MA-2 | MA-2c | CONTROLLED MAINTENANCE | Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; | P2 |
| MAINTENANCE | MA-2 | MA-2d | CONTROLLED MAINTENANCE | Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; | P2 |
| MAINTENANCE | MA-2 | MA-2e | CONTROLLED MAINTENANCE | Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and | P2 |
| MAINTENANCE | MA-2 | MA-2f | CONTROLLED MAINTENANCE | Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. | P2 |
| MAINTENANCE | MA-2 (1) | MA-2 (1) | RECORD CONTENT | [Withdrawn: Incorporated into MA-2]. | |
| MAINTENANCE | MA-2 (2) | MA-2 (2) | AUTOMATED MAINTENANCE ACTIVITIES | The organization: | |
| MAINTENANCE | MA-2 (2) | MA-2 (2)(a) | AUTOMATED MAINTENANCE ACTIVITIES | Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and | |
| MAINTENANCE | MA-2 (2) | MA-2 (2)(b) | AUTOMATED MAINTENANCE ACTIVITIES | Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed. | |
| MAINTENANCE | MA-3 | MA-3 | MAINTENANCE TOOLS | The organization approves, controls, and monitors information system maintenance tools. | P3 |
| MAINTENANCE | MA-3 (1) | MA-3 (1) | INSPECT TOOLS | The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. | |
| MAINTENANCE | MA-3 (2) | MA-3 (2) | INSPECT MEDIA | The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. | |
| MAINTENANCE | MA-3 (3) | MA-3 (3) | PREVENT UNAUTHORIZED REMOVAL | The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: | |
| MAINTENANCE | MA-3 (3) | MA-3 (3)(a) | PREVENT UNAUTHORIZED REMOVAL | Verifying that there is no organizational information contained on the equipment; | |
| MAINTENANCE | MA-3 (3) | MA-3 (3)(b) | PREVENT UNAUTHORIZED REMOVAL | Sanitizing or destroying the equipment; | |
| MAINTENANCE | MA-3 (3) | MA-3 (3)(c) | PREVENT UNAUTHORIZED REMOVAL | Retaining the equipment within the facility; or | |
| MAINTENANCE | MA-3 (3) | MA-3 (3)(d) | PREVENT UNAUTHORIZED REMOVAL | Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. | |
| MAINTENANCE | MA-3 (4) | MA-3 (4) | RESTRICTED TOOL USE | The information system restricts the use of maintenance tools to authorized personnel only. | |
| MAINTENANCE | MA-4 | MA-4 | NONLOCAL MAINTENANCE | The organization: | P2 |
| MAINTENANCE | MA-4 | MA-4a | NONLOCAL MAINTENANCE | Approves and monitors nonlocal maintenance and diagnostic activities; | P2 |
| MAINTENANCE | MA-4 | MA-4b | NONLOCAL MAINTENANCE | Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; | P2 |
| MAINTENANCE | MA-4 | MA-4c | NONLOCAL MAINTENANCE | Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; | P2 |
| MAINTENANCE | MA-4 | MA-4d | NONLOCAL MAINTENANCE | Maintains records for nonlocal maintenance and diagnostic activities; and | P2 |
| MAINTENANCE | MA-4 | MA-4e | NONLOCAL MAINTENANCE | Terminates session and network connections when nonlocal maintenance is completed. | P2 |
| MAINTENANCE | MA-4 (3) | MA-4 (3) | COMPARABLE SECURITY / SANITIZATION | The organization: | |
| MAINTENANCE | MA-4 (3) | MA-4 (3)(a) | COMPARABLE SECURITY / SANITIZATION | Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or | |
| MAINTENANCE | MA-4 (3) | MA-4 (3)(b) | COMPARABLE SECURITY / SANITIZATION | Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system. | |
| MAINTENANCE | MA-4 (4) | MA-4 (4) | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS | The organization protects nonlocal maintenance sessions by: | |
| MAINTENANCE | MA-4 (4) | MA-4 (4)(b) | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS | Separating the maintenance sessions from other network sessions with the information system by either: | |
| MAINTENANCE | MA-4 (4) | MA-4 (4)(b)(1) | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS | Physically separated communications paths; or | |
| MAINTENANCE | MA-4 (4) | MA-4 (4)(b)(2) | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS | Logically separated communications paths based upon encryption. | |
| MAINTENANCE | MA-4 (7) | MA-4 (7) | REMOTE DISCONNECT VERIFICATION | The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions. | |
| MAINTENANCE | MA-5 | MA-5 | MAINTENANCE PERSONNEL | The organization: | P2 |
| MAINTENANCE | MA-5 | MA-5a | MAINTENANCE PERSONNEL | Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; | P2 |
| MAINTENANCE | MA-5 | MA-5b | MAINTENANCE PERSONNEL | Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and | P2 |
| MAINTENANCE | MA-5 | MA-5c | MAINTENANCE PERSONNEL | Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. | P2 |
| MAINTENANCE | MA-5 (1) | MA-5 (1) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS | The organization: | |
| MAINTENANCE | MA-5 (1) | MA-5 (1)(a) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS | Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: | |
| MAINTENANCE | MA-5 (1) | MA-5 (1)(a)(1) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS | Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; | |
| MAINTENANCE | MA-5 (1) | MA-5 (1)(a)(2) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS | Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and | |
| MAINTENANCE | MA-5 (1) | MA-5 (1)(b) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS | Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. | |
| MAINTENANCE | MA-5 (2) | MA-5 (2) | SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS | The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system. | |
| MAINTENANCE | MA-5 (3) | MA-5 (3) | CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS | The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens. | |
| MAINTENANCE | MA-5 (4) | MA-5 (4) | FOREIGN NATIONALS | The organization ensures that: | |
| MAINTENANCE | MA-5 (4) | MA-5 (4)(a) | FOREIGN NATIONALS | Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and | |
| MAINTENANCE | MA-5 (4) | MA-5 (4)(b) | FOREIGN NATIONALS | Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements. | |
| MAINTENANCE | MA-5 (5) | MA-5 (5) | NONSYSTEM-RELATED MAINTENANCE | The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations. | |
| MAINTENANCE | MA-6 | MA-6 | TIMELY MAINTENANCE | The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure. | P2 |
| MAINTENANCE | MA-6 (1) | MA-6 (1) | PREVENTIVE MAINTENANCE | The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. | |
| MAINTENANCE | MA-6 (2) | MA-6 (2) | PREDICTIVE MAINTENANCE | The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals]. | |
| MAINTENANCE | MA-6 (3) | MA-6 (3) | AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE | The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system. | |
| MEDIA PROTECTION | MP-1 | MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES | The organization: | P1 |
| MEDIA PROTECTION | MP-1 | MP-1a.1 | MEDIA PROTECTION POLICY AND PROCEDURES | A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | P1 |
| MEDIA PROTECTION | MP-1 | MP-1b | MEDIA PROTECTION POLICY AND PROCEDURES | Reviews and updates the current: | P1 |
| MEDIA PROTECTION | MP-1 | MP-1b.2 | MEDIA PROTECTION POLICY AND PROCEDURES | Media protection procedures [Assignment: organization-defined frequency]. | P1 |
| MEDIA PROTECTION | MP-2 | MP-2 | MEDIA ACCESS | The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. | P1 |
| MEDIA PROTECTION | MP-2 (1) | MP-2 (1) | AUTOMATED RESTRICTED ACCESS | [Withdrawn: Incorporated into MP-4 (2)]. | |
| MEDIA PROTECTION | MP-2 (2) | MP-2 (2) | CRYPTOGRAPHIC PROTECTION | [Withdrawn: Incorporated into SC-28 (1)]. | |
| MEDIA PROTECTION | MP-3 | MP-3 | MEDIA MARKING | The organization: | P2 |
| MEDIA PROTECTION | MP-3 | MP-3a | MEDIA MARKING | Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and | P2 |
| MEDIA PROTECTION | MP-4 | MP-4 | MEDIA STORAGE | The organization: | P1 |
| MEDIA PROTECTION | MP-4 | MP-4a | MEDIA STORAGE | Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and | P1 |
| MEDIA PROTECTION | MP-4 | MP-4b | MEDIA STORAGE | Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. | P1 |
| MEDIA PROTECTION | MP-4 (1) | MP-4 (1) | CRYPTOGRAPHIC PROTECTION | [Withdrawn: Incorporated into SC-28 (1)]. | |
| MEDIA PROTECTION | MP-4 (2) | MP-4 (2) | AUTOMATED RESTRICTED ACCESS | The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted. | |
| MEDIA PROTECTION | MP-5 | MP-5 | MEDIA TRANSPORT | The organization: | P1 |
| MEDIA PROTECTION | MP-5 | MP-5a | MEDIA TRANSPORT | Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; | P1 |
| MEDIA PROTECTION | MP-5 | MP-5b | MEDIA TRANSPORT | Maintains accountability for information system media during transport outside of controlled areas; | P1 |
| MEDIA PROTECTION | MP-5 | MP-5c | MEDIA TRANSPORT | Documents activities associated with the transport of information system media; and | P1 |
| MEDIA PROTECTION | MP-5 | MP-5d | MEDIA TRANSPORT | Restricts the activities associated with the transport of information system media to authorized personnel. | P1 |
| MEDIA PROTECTION | MP-5 (1) | MP-5 (1) | PROTECTION OUTSIDE OF CONTROLLED AREAS | [Withdrawn: Incorporated into MP-5]. | |
| MEDIA PROTECTION | MP-5 (2) | MP-5 (2) | DOCUMENTATION OF ACTIVITIES | [Withdrawn: Incorporated into MP-5]. | |
| MEDIA PROTECTION | MP-5 (3) | MP-5 (3) | CUSTODIANS | The organization employs an identified custodian during transport of information system media outside of controlled areas. | |
| MEDIA PROTECTION | MP-5 (4) | MP-5 (4) | CRYPTOGRAPHIC PROTECTION | The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. | |
| MEDIA PROTECTION | MP-6 | MP-6a | MEDIA SANITIZATION | Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and | P1 |
| MEDIA PROTECTION | MP-6 | MP-6b | MEDIA SANITIZATION | Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. | P1 |
| MEDIA PROTECTION | MP-6 (1) | MP-6 (1) | REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY | The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions. | |
| MEDIA PROTECTION | MP-6 (2) | MP-6 (2) | EQUIPMENT TESTING | The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved. | |
| MEDIA PROTECTION | MP-6 (3) | MP-6 (3) | NONDESTRUCTIVE TECHNIQUES | The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]. | |
| MEDIA PROTECTION | MP-6 (4) | MP-6 (4) | CONTROLLED UNCLASSIFIED INFORMATION | [Withdrawn: Incorporated into MP-6]. | |
| MEDIA PROTECTION | MP-6 (5) | MP-6 (5) | CLASSIFIED INFORMATION | [Withdrawn: Incorporated into MP-6]. | |
| MEDIA PROTECTION | MP-6 (6) | MP-6 (6) | MEDIA DESTRUCTION | [Withdrawn: Incorporated into MP-6]. | |
| MEDIA PROTECTION | MP-6 (7) | MP-6 (7) | DUAL AUTHORIZATION | The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media]. | |
| MEDIA PROTECTION | MP-6 (8) | MP-6 (8) | REMOTE PURGING / WIPING OF INFORMATION | The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions]. | |
| MEDIA PROTECTION | MP-7 | MP-7 | MEDIA USE | The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. | P1 |
| MEDIA PROTECTION | MP-7 (1) | MP-7 (1) | PROHIBIT USE WITHOUT OWNER | The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. | |
| MEDIA PROTECTION | MP-7 (2) | MP-7 (2) | PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA | The organization prohibits the use of sanitization-resistant media in organizational information systems. | |
| MEDIA PROTECTION | MP-8 | MP-8 | MEDIA DOWNGRADING | The organization: | P0 |
| MEDIA PROTECTION | MP-8 | MP-8a | MEDIA DOWNGRADING | Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity]; | P0 |
| MEDIA PROTECTION | MP-8 | MP-8b | MEDIA DOWNGRADING | Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information; | P0 |
| MEDIA PROTECTION | MP-8 (3) | MP-8 (3) | CONTROLLED UNCLASSIFIED INFORMATION | The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies. | |
| MEDIA PROTECTION | MP-8 (4) | MP-8 (4) | CLASSIFIED INFORMATION | The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1 | PE-1a | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES | Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1 | PE-1a.1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES | A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1 | PE-1a.2 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES | Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1 | PE-1b | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES | Reviews and updates the current: | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1 | PE-1b.1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES | Physical and environmental protection policy [Assignment: organization-defined frequency]; and | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1 | PE-1b.2 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES | Physical and environmental protection procedures [Assignment: organization-defined frequency]. | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 | PE-2 | PHYSICAL ACCESS AUTHORIZATIONS | The organization: | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 | PE-2a | PHYSICAL ACCESS AUTHORIZATIONS | Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 | PE-2b | PHYSICAL ACCESS AUTHORIZATIONS | Issues authorization credentials for facility access; | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 | PE-2c | PHYSICAL ACCESS AUTHORIZATIONS | Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 | PE-2d | PHYSICAL ACCESS AUTHORIZATIONS | Removes individuals from the facility access list when access is no longer required. | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 (1) | PE-2 (1) | ACCESS BY POSITION / ROLE | The organization authorizes physical access to the facility where the information system resides based on position or role. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 (2) | PE-2 (2) | TWO FORMS OF IDENTIFICATION | The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 (3) | PE-2 (3) | RESTRICT UNESCORTED ACCESS | The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]]. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 | PE-3a | PHYSICAL ACCESS CONTROL | Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 | PE-3a.1 | PHYSICAL ACCESS CONTROL | Verifying individual access authorizations before granting access to the facility; and | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 | PE-3a.2 | PHYSICAL ACCESS CONTROL | Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 | PE-3b | PHYSICAL ACCESS CONTROL | Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 | PE-3c | PHYSICAL ACCESS CONTROL | Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 | PE-3d | PHYSICAL ACCESS CONTROL | Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 | PE-3e | PHYSICAL ACCESS CONTROL | Secures keys, combinations, and other physical access devices; | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 | PE-3g | PHYSICAL ACCESS CONTROL | Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (1) | PE-3 (1) | INFORMATION SYSTEM ACCESS | The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (2) | PE-3 (2) | FACILITY / INFORMATION SYSTEM BOUNDARIES | The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (3) | PE-3 (3) | CONTINUOUS GUARDS / ALARMS / MONITORING | The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (4) | PE-3 (4) | LOCKABLE CASINGS | The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (5) | PE-3 (5) | TAMPER PROTECTION | The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (6) | PE-3 (6) | FACILITY PENETRATION TESTING | The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-4 | PE-4 | ACCESS CONTROL FOR TRANSMISSION MEDIUM | The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards]. | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 | PE-5 | ACCESS CONTROL FOR OUTPUT DEVICES | The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. | P2 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (1) | PE-5 (1) | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS | The organization: | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (1) | PE-5 (1)(a) | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS | Controls physical access to output from [Assignment: organization-defined output devices]; and | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (1) | PE-5 (1)(b) | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS | Ensures that only authorized individuals receive output from the device. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (2) | PE-5 (2) | ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY | The information system: | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (2) | PE-5 (2)(a) | ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY | Controls physical access to output from [Assignment: organization-defined output devices]; and | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (2) | PE-5 (2)(b) | ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY | Links individual identity to receipt of the output from the device. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (3) | PE-5 (3) | MARKING OUTPUT DEVICES | The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 | PE-6 | MONITORING PHYSICAL ACCESS | The organization: | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 | PE-6a | MONITORING PHYSICAL ACCESS | Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 | PE-6b | MONITORING PHYSICAL ACCESS | Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 | PE-6c | MONITORING PHYSICAL ACCESS | Coordinates results of reviews and investigations with the organizational incident response capability. | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 (1) | PE-6 (1) | INTRUSION ALARMS / SURVEILLANCE EQUIPMENT | The organization monitors physical intrusion alarms and surveillance equipment. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 (2) | PE-6 (2) | AUTOMATED INTRUSION RECOGNITION / RESPONSES | The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions]. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 (3) | PE-6 (3) | VIDEO SURVEILLANCE | The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period]. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 (4) | PE-6 (4) | MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS | The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system]. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-7 | PE-7 | VISITOR CONTROL | [Withdrawn: Incorporated into PE-2 and PE-3]. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-8 | PE-8 | VISITOR ACCESS RECORDS | The organization: | P3 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-8 | PE-8a | VISITOR ACCESS RECORDS | Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and | P3 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-8 | PE-8b | VISITOR ACCESS RECORDS | Reviews visitor access records [Assignment: organization-defined frequency]. | P3 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-8 (1) | PE-8 (1) | AUTOMATED RECORDS MAINTENANCE / REVIEW | The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-8 (2) | PE-8 (2) | PHYSICAL ACCESS RECORDS | [Withdrawn: Incorporated into PE-2]. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-9 | PE-9 | POWER EQUIPMENT AND CABLING | The organization protects power equipment and power cabling for the information system from damage and destruction. | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-9 (1) | PE-9 (1) | REDUNDANT CABLING | The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-9 (2) | PE-9 (2) | AUTOMATIC VOLTAGE CONTROLS | The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components]. | |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-10 | PE-10 | EMERGENCY SHUTOFF | The organization: | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-10 | PE-10a | EMERGENCY SHUTOFF | Provides the capability of shutting off power to the information system or individual system components in emergency situations; | P1 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-10 | PE-10b | EMERGENCY SHUTOFF | Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and | P1 |
PHYSICAL AND PE-10 PE-10c EMERGENCY Protects emergency power shutoff capability P1
ENVIRONMENTAL SHUTOFF from unauthorized activation.
PROTECTION
###
PHYSICAL AND PE-10 (1) PE-10 (1) ACCIDENTAL / [Withdrawn: Incorporated into PE-10].
### ENVIRONMENTAL UNAUTHORIZED
PROTECTION ACTIVATION
PHYSICAL AND PE-11 PE-11 EMERGENCY POWER The organization provides a short-term P1
ENVIRONMENTAL uninterruptible power supply to facilitate
PROTECTION [Selection (one or more): an orderly shutdown of
the information system; transition of the
information system to long-term alternate
power] in the event of a primary power source
loss.
###
PHYSICAL AND PE-11 (1) PE-11 (1) LONG-TERM The organization provides a long-term alternate
ENVIRONMENTAL ALTERNATE POWER power supply for the information system that is
PROTECTION SUPPLY - MINIMAL capable of maintaining minimally required
OPERATIONAL operational capability in the event of an
CAPABILITY extended loss of the primary power source.
###
PHYSICAL AND PE-11 (2) PE-11 (2) LONG-TERM The organization provides a long-term alternate
ENVIRONMENTAL ALTERNATE POWER power supply for the information system that is:
### PROTECTION SUPPLY - SELF-
CONTAINED
PHYSICAL AND PE-11 (2) PE-11 (2)(b) LONG-TERM Not reliant on external power generation; and
ENVIRONMENTAL ALTERNATE POWER
### PROTECTION SUPPLY - SELF-
CONTAINED
PHYSICAL AND PE-11 (2) PE-11 (2)(c) LONG-TERM Capable of maintaining [Selection: minimally
ENVIRONMENTAL ALTERNATE POWER required operational capability; full operational
### PROTECTION SUPPLY - SELF- capability] in the event of an extended loss of
CONTAINED the primary power source.
PHYSICAL AND PE-12 PE-12 EMERGENCY The organization employs and maintains P1
ENVIRONMENTAL LIGHTING automatic emergency lighting for the
PROTECTION information system that activates in the event of
a power outage or disruption and that covers
emergency exits and evacuation routes within
the facility.
###
PHYSICAL AND PE-12 (1) PE-12 (1) ESSENTIAL The organization provides emergency lighting for
ENVIRONMENTAL MISSIONS / BUSINESS all areas within the facility supporting essential
### PROTECTION FUNCTIONS missions and business functions.
PHYSICAL AND PE-13 PE-13 FIRE PROTECTION The organization employs and maintains fire P1
ENVIRONMENTAL suppression and detection devices/systems for
PROTECTION the information system that are supported by an
independent energy source.
###
PHYSICAL AND PE-13 (1) PE-13 (1) DETECTION DEVICES / The organization employs fire detection
ENVIRONMENTAL SYSTEMS devices/systems for the information system that
PROTECTION activate automatically and notify [Assignment:
organization-defined personnel or roles] and
[Assignment: organization-defined emergency
responders] in the event of a fire.
###
PHYSICAL AND PE-13 (2) PE-13 (2) SUPPRESSION The organization employs fire suppression
ENVIRONMENTAL DEVICES / SYSTEMS devices/systems for the information system that
PROTECTION provide automatic notification of any activation
to Assignment: organization-defined personnel
or roles] and [Assignment: organization-defined
emergency responders].
###
PHYSICAL AND PE-13 (3) PE-13 (3) AUTOMATIC FIRE The organization employs an automatic fire
ENVIRONMENTAL SUPPRESSION suppression capability for the information
PROTECTION system when the facility is not staffed on a
continuous basis.
###
PHYSICAL AND PE-13 (4) PE-13 (4) INSPECTIONS The organization ensures that the facility
ENVIRONMENTAL undergoes [Assignment: organization-defined
PROTECTION frequency] inspections by authorized and
### qualified inspectors and resolves identified
deficiencies within [Assignment: organization-
defined time period].
###
PHYSICAL AND PE-14 PE-14a TEMPERATURE AND Maintains temperature and humidity levels P1
ENVIRONMENTAL HUMIDITY CONTROLS within the facility where the information system
PROTECTION resides at [Assignment: organization-defined
acceptable levels]; and
###
PHYSICAL AND PE-14 PE-14b TEMPERATURE AND Monitors temperature and humidity levels P1
ENVIRONMENTAL HUMIDITY CONTROLS [Assignment: organization-defined frequency].
PROTECTION
###
PHYSICAL AND PE-14 (1) PE-14 (1) AUTOMATIC The organization employs automatic
ENVIRONMENTAL CONTROLS temperature and humidity controls in the facility
### PROTECTION to prevent fluctuations potentially harmful to the
information system.
PHYSICAL AND PE-14 (2) PE-14 (2) MONITORING WITH The organization employs temperature and
ENVIRONMENTAL ALARMS / humidity monitoring that provides an alarm or
PROTECTION NOTIFICATIONS notification of changes potentially harmful to
personnel or equipment.
###
PHYSICAL AND PE-15 PE-15 WATER DAMAGE The organization protects the information P1
ENVIRONMENTAL PROTECTION system from damage resulting from water
PROTECTION leakage by providing master shutoff or isolation
valves that are accessible, working properly, and
known to key personnel.
###
PHYSICAL AND PE-15 (1) PE-15 (1) AUTOMATION The organization employs automated
ENVIRONMENTAL SUPPORT mechanisms to detect the presence of water in
PROTECTION the vicinity of the information system and alerts
[Assignment: organization-defined personnel or
roles].
###
PHYSICAL AND PE-16 PE-16 DELIVERY AND The organization authorizes, monitors, and P2
ENVIRONMENTAL REMOVAL controls [Assignment: organization-defined types
PROTECTION of information system components] entering and
exiting the facility and maintains records of those
items.
###
###
PHYSICAL AND PE-17 PE-17a ALTERNATE WORK Employs [Assignment: organization-defined P2
ENVIRONMENTAL SITE security controls] at alternate work sites;
PROTECTION
###
PHYSICAL AND PE-17 PE-17b ALTERNATE WORK Assesses as feasible, the effectiveness of security P2
ENVIRONMENTAL SITE controls at alternate work sites; and
PROTECTION
###
PHYSICAL AND PE-17 PE-17c ALTERNATE WORK Provides a means for employees to communicate P2
ENVIRONMENTAL SITE with information security personnel in case of
PROTECTION security incidents or problems.
###
PHYSICAL AND PE-18 PE-18 LOCATION OF The organization positions information system P3
ENVIRONMENTAL INFORMATION components within the facility to minimize
PROTECTION SYSTEM potential damage from [Assignment:
COMPONENTS organization-defined physical and environmental
hazards] and to minimize the opportunity for
unauthorized access.
###
PHYSICAL AND PE-18 (1) PE-18 (1) FACILITY SITE The organization plans the location or site of the
ENVIRONMENTAL facility where the information system resides
PROTECTION with regard to physical and environmental
hazards and for existing facilities, considers the
### physical and environmental hazards in its risk
mitigation strategy.
PHYSICAL AND PE-19 PE-19 INFORMATION The organization protects the information P0
### ENVIRONMENTAL LEAKAGE system from information leakage due to
PROTECTION electromagnetic signals emanations.
PHYSICAL AND PE-19 (1) PE-19 (1) NATIONAL The organization ensures that information
ENVIRONMENTAL EMISSIONS / system components, associated data
PROTECTION TEMPEST POLICIES communications, and networks are protected in
AND PROCEDURES accordance with national emissions and
### TEMPEST policies and procedures based on the
security category or classification of the
information.
PHYSICAL AND PE-20 PE-20b ASSET MONITORING Ensures that asset location technologies are P0
ENVIRONMENTAL AND TRACKING employed in accordance with applicable federal
### PROTECTION laws, Executive Orders, directives, regulations,
policies, standards, and guidance.
PLANNING | PL-2 | PL-2a.9 | SYSTEM SECURITY PLAN | Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; | P1
PLANNING | PL-2 | PL-2b | SYSTEM SECURITY PLAN | Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; | P1
PLANNING | PL-2 | PL-2c | SYSTEM SECURITY PLAN | Reviews the security plan for the information system [Assignment: organization-defined frequency]; | P1
PLANNING | PL-2 | PL-2d | SYSTEM SECURITY PLAN | Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and | P1
PLANNING | PL-2 | PL-2e | SYSTEM SECURITY PLAN | Protects the security plan from unauthorized disclosure and modification. | P1
PLANNING | PL-2 (1) | PL-2 (1) | CONCEPT OF OPERATIONS | [Withdrawn: Incorporated into PL-7]. |
PLANNING | PL-2 (2) | PL-2 (2) | FUNCTIONAL ARCHITECTURE | [Withdrawn: Incorporated into PL-8]. |
PLANNING | PL-2 (3) | PL-2 (3) | PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES | The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. |
PLANNING | PL-4 | PL-4a | RULES OF BEHAVIOR | Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; | P2
PLANNING | PL-4 | PL-4b | RULES OF BEHAVIOR | Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; | P2
PLANNING | PL-4 | PL-4c | RULES OF BEHAVIOR | Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and | P2
PLANNING | PL-4 | PL-4d | RULES OF BEHAVIOR | Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated. | P2
PLANNING | PL-4 (1) | PL-4 (1) | SOCIAL MEDIA AND NETWORKING RESTRICTIONS | The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites. |
PLANNING | PL-5 | PL-5 | PRIVACY IMPACT ASSESSMENT | [Withdrawn: Incorporated into Appendix J, AR-2]. |
PLANNING | PL-6 | PL-6 | SECURITY-RELATED ACTIVITY PLANNING | [Withdrawn: Incorporated into PL-2]. |
PLANNING | PL-7 | PL-7 | SECURITY CONCEPT OF OPERATIONS | The organization: | P0
PLANNING | PL-7 | PL-7a | SECURITY CONCEPT OF OPERATIONS | Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and | P0
PLANNING | PL-7 | PL-7b | SECURITY CONCEPT OF OPERATIONS | Reviews and updates the CONOPS [Assignment: organization-defined frequency]. | P0
PLANNING | PL-8 | PL-8 | INFORMATION SECURITY ARCHITECTURE | The organization: | P1
PLANNING | PL-8 | PL-8a | INFORMATION SECURITY ARCHITECTURE | Develops an information security architecture for the information system that: | P1
PLANNING | PL-8 | PL-8a.1 | INFORMATION SECURITY ARCHITECTURE | Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; | P1
PLANNING | PL-8 (1) | PL-8 (1) | DEFENSE-IN-DEPTH | The organization designs its security architecture using a defense-in-depth approach that: |
PLANNING | PL-8 (1) | PL-8 (1)(b) | DEFENSE-IN-DEPTH | Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner. |
PLANNING | PL-8 (2) | PL-8 (2) | SUPPLIER DIVERSITY | The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. |
PROGRAM MANAGEMENT | PM-1 | PM-1d | INFORMATION SECURITY PROGRAM PLAN | Protects the information security program plan from unauthorized disclosure and modification. |
PROGRAM MANAGEMENT | PM-2 | PM-2 | SENIOR INFORMATION SECURITY OFFICER | The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. |
PROGRAM MANAGEMENT | PM-3 | PM-3a | INFORMATION SECURITY RESOURCES | Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; |
PROGRAM MANAGEMENT | PM-3 | PM-3c | INFORMATION SECURITY RESOURCES | Ensures that information security resources are available for expenditure as planned. |
PROGRAM MANAGEMENT | PM-4 | PM-4a.1 | PLAN OF ACTION AND MILESTONES PROCESS | Are developed and maintained; |
PROGRAM MANAGEMENT | PM-4 | PM-4a.2 | PLAN OF ACTION AND MILESTONES PROCESS | Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and |
PROGRAM MANAGEMENT | PM-4 | PM-4a.3 | PLAN OF ACTION AND MILESTONES PROCESS | Are reported in accordance with OMB FISMA reporting requirements. |
PROGRAM MANAGEMENT | PM-4 | PM-4b | PLAN OF ACTION AND MILESTONES PROCESS | Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
PROGRAM MANAGEMENT | PM-6 | PM-6 | INFORMATION SECURITY MEASURES OF PERFORMANCE | The organization develops, monitors, and reports on the results of information security measures of performance. |
PROGRAM MANAGEMENT | PM-9 | PM-9b | RISK MANAGEMENT STRATEGY | Implements the risk management strategy consistently across the organization; and |
PROGRAM MANAGEMENT | PM-9 | PM-9c | RISK MANAGEMENT STRATEGY | Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. |
PROGRAM MANAGEMENT | PM-10 | PM-10b | SECURITY AUTHORIZATION PROCESS | Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and |
PROGRAM MANAGEMENT | PM-10 | PM-10c | SECURITY AUTHORIZATION PROCESS | Fully integrates the security authorization processes into an organization-wide risk management program. |
PROGRAM MANAGEMENT | PM-11 | PM-11 | MISSION/BUSINESS PROCESS DEFINITION | The organization: |
PROGRAM MANAGEMENT | PM-12 | PM-12 | INSIDER THREAT PROGRAM | The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team. |
PROGRAM MANAGEMENT | PM-13 | PM-13 | INFORMATION SECURITY WORKFORCE | The organization establishes an information security workforce development and improvement program. |
PROGRAM MANAGEMENT | PM-14 | PM-14 | TESTING, TRAINING, AND MONITORING | The organization: |
PROGRAM MANAGEMENT | PM-14 | PM-14a | TESTING, TRAINING, AND MONITORING | Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: |
PROGRAM MANAGEMENT | PM-14 | PM-14a.1 | TESTING, TRAINING, AND MONITORING | Are developed and maintained; and |
PROGRAM MANAGEMENT | PM-14 | PM-14a.2 | TESTING, TRAINING, AND MONITORING | Continue to be executed in a timely manner; |
PROGRAM MANAGEMENT | PM-14 | PM-14b | TESTING, TRAINING, AND MONITORING | Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. |
PROGRAM MANAGEMENT | PM-15 | PM-15 | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS | The organization establishes and institutionalizes contact with selected groups and associations within the security community: |
PROGRAM MANAGEMENT | PM-15 | PM-15a | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS | To facilitate ongoing security education and training for organizational personnel; |
PROGRAM MANAGEMENT | PM-15 | PM-15b | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS | To maintain currency with recommended security practices, techniques, and technologies; and |
PROGRAM MANAGEMENT | PM-15 | PM-15c | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS | To share current security-related information including threats, vulnerabilities, and incidents. |
PROGRAM MANAGEMENT | PM-16 | PM-16 | THREAT AWARENESS PROGRAM | The organization implements a threat awareness program that includes a cross-organization information-sharing capability. |
PERSONNEL SECURITY | PS-1 | PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURES | The organization: | P1
PERSONNEL SECURITY | PS-1 | PS-1a | PERSONNEL SECURITY POLICY AND PROCEDURES | Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: | P1
PERSONNEL SECURITY | PS-1 | PS-1a.1 | PERSONNEL SECURITY POLICY AND PROCEDURES | A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | P1
PERSONNEL SECURITY | PS-3 (1) | PS-3 (1) | CLASSIFIED INFORMATION | The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. |
PERSONNEL SECURITY | PS-3 (2) | PS-3 (2) | FORMAL INDOCTRINATION | The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system. |
PERSONNEL SECURITY | PS-3 (3) | PS-3 (3) | INFORMATION WITH SPECIAL PROTECTION MEASURES | The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: |
PERSONNEL SECURITY | PS-3 (3) | PS-3 (3)(a) | INFORMATION WITH SPECIAL PROTECTION MEASURES | Have valid access authorizations that are demonstrated by assigned official government duties; and |
PERSONNEL SECURITY | PS-3 (3) | PS-3 (3)(b) | INFORMATION WITH SPECIAL PROTECTION MEASURES | Satisfy [Assignment: organization-defined additional personnel screening criteria]. |
PERSONNEL SECURITY | PS-4 | PS-4a | PERSONNEL TERMINATION | Disables information system access within [Assignment: organization-defined time period]; | P1
PERSONNEL SECURITY | PS-4 (1) | PS-4 (1)(b) | POST-EMPLOYMENT REQUIREMENTS | Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. |
PERSONNEL SECURITY | PS-4 (2) | PS-4 (2) | AUTOMATED NOTIFICATION | The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual. |
PERSONNEL SECURITY | PS-5 | PS-5a | PERSONNEL TRANSFER | Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; | P2
PERSONNEL SECURITY | PS-5 | PS-5b | PERSONNEL TRANSFER | Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; | P2
PERSONNEL SECURITY | PS-6 (2) | PS-6 (2)(a) | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION | Have a valid access authorization that is demonstrated by assigned official government duties; |
PERSONNEL SECURITY | PS-6 (2) | PS-6 (2)(b) | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION | Satisfy associated personnel security criteria; and |
PERSONNEL SECURITY | PS-6 (2) | PS-6 (2)(c) | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION | Have read, understood, and signed a nondisclosure agreement. |
RISK ASSESSMENT | RA-1 | RA-1a.2 | RISK ASSESSMENT POLICY AND PROCEDURES | Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and | P1
RISK ASSESSMENT | RA-1 | RA-1b | RISK ASSESSMENT POLICY AND PROCEDURES | Reviews and updates the current: | P1
RISK ASSESSMENT | RA-1 | RA-1b.1 | RISK ASSESSMENT POLICY AND PROCEDURES | Risk assessment policy [Assignment: organization-defined frequency]; and | P1
RISK ASSESSMENT | RA-1 | RA-1b.2 | RISK ASSESSMENT POLICY AND PROCEDURES | Risk assessment procedures [Assignment: organization-defined frequency]. | P1
RISK ASSESSMENT | RA-2 | RA-2 | SECURITY CATEGORIZATION | The organization: | P1
RISK ASSESSMENT | RA-2 | RA-2a | SECURITY CATEGORIZATION | Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; | P1
RISK ASSESSMENT | RA-2 | RA-2b | SECURITY CATEGORIZATION | Documents the security categorization results (including supporting rationale) in the security plan for the information system; and | P1
RISK ASSESSMENT | RA-2 | RA-2c | SECURITY CATEGORIZATION | Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. | P1
RISK ASSESSMENT | RA-3 | RA-3 | RISK ASSESSMENT | The organization: | P1
RISK ASSESSMENT | RA-3 | RA-3a | RISK ASSESSMENT | Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; | P1
RISK ASSESSMENT | RA-3 | RA-3b | RISK ASSESSMENT | Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; | P1
RISK ASSESSMENT | RA-3 | RA-3c | RISK ASSESSMENT | Reviews risk assessment results [Assignment: organization-defined frequency]; | P1
RISK ASSESSMENT | RA-3 | RA-3d | RISK ASSESSMENT | Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and | P1
RISK ASSESSMENT | RA-3 | RA-3e | RISK ASSESSMENT | Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. | P1
RISK ASSESSMENT | RA-4 | RA-4 | RISK ASSESSMENT UPDATE | [Withdrawn: Incorporated into RA-3]. |
RISK ASSESSMENT | RA-5 | RA-5 | VULNERABILITY SCANNING | The organization: | P1
RISK ASSESSMENT | RA-5 | RA-5a | VULNERABILITY SCANNING | Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; | P1
RISK ASSESSMENT | RA-5 | RA-5b | VULNERABILITY SCANNING | Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: | P1
RISK ASSESSMENT | RA-5 | RA-5b.1 | VULNERABILITY SCANNING | Enumerating platforms, software flaws, and improper configurations; | P1
RISK ASSESSMENT | RA-5 | RA-5b.2 | VULNERABILITY SCANNING | Formatting checklists and test procedures; and | P1
RISK ASSESSMENT | RA-5 | RA-5c | VULNERABILITY SCANNING | Analyzes vulnerability scan reports and results from security control assessments; | P1
RISK ASSESSMENT | RA-5 | RA-5e | VULNERABILITY SCANNING | Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). | P1
RISK ASSESSMENT | RA-5 (1) | RA-5 (1) | UPDATE TOOL CAPABILITY | The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. |
RISK ASSESSMENT | RA-5 (2) | RA-5 (2) | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED | The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. |
RISK ASSESSMENT | RA-5 (3) | RA-5 (3) | BREADTH / DEPTH OF COVERAGE | The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked). |
RISK ASSESSMENT | RA-5 (4) | RA-5 (4) | DISCOVERABLE INFORMATION | The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]. |
RISK ASSESSMENT | RA-5 (5) | RA-5 (5) | PRIVILEGED ACCESS | The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities]. |
RISK ASSESSMENT | RA-5 (6) | RA-5 (6) | AUTOMATED TREND ANALYSES | The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. |
RISK ASSESSMENT | RA-5 (7) | RA-5 (7) | AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS | [Withdrawn: Incorporated into CM-8]. |
RISK ASSESSMENT | RA-5 (8) | RA-5 (8) | REVIEW HISTORIC AUDIT LOGS | The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. |
RISK ASSESSMENT | RA-5 (9) | RA-5 (9) | PENETRATION TESTING AND ANALYSES | [Withdrawn: Incorporated into CA-8]. |
RISK ASSESSMENT | RA-5 (10) | RA-5 (10) | CORRELATE SCANNING INFORMATION | The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors. |
SYSTEM AND SERVICES ACQUISITION | SA-1 | SA-1a | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: | P1
SYSTEM AND SERVICES ACQUISITION | SA-1 | SA-1a.1 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | P1
SYSTEM AND SERVICES ACQUISITION | SA-1 | SA-1a.2 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and | P1
SYSTEM AND SERVICES ACQUISITION | SA-1 | SA-1b | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | Reviews and updates the current: | P1
SYSTEM AND SERVICES ACQUISITION | SA-1 | SA-1b.1 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | System and services acquisition policy [Assignment: organization-defined frequency]; and | P1
SYSTEM AND SERVICES ACQUISITION | SA-1 | SA-1b.2 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | System and services acquisition procedures [Assignment: organization-defined frequency]. | P1
SYSTEM AND SERVICES ACQUISITION | SA-2 | SA-2b | ALLOCATION OF RESOURCES | Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and | P1
SYSTEM AND SERVICES ACQUISITION | SA-2 | SA-2c | ALLOCATION OF RESOURCES | Establishes a discrete line item for information security in organizational programming and budgeting documentation. | P1
SYSTEM AND SERVICES ACQUISITION | SA-3 | SA-3 | SYSTEM DEVELOPMENT LIFE CYCLE | The organization: | P1
SYSTEM AND SERVICES ACQUISITION | SA-3 | SA-3a | SYSTEM DEVELOPMENT LIFE CYCLE | Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; | P1
SYSTEM AND SERVICES ACQUISITION | SA-3 | SA-3b | SYSTEM DEVELOPMENT LIFE CYCLE | Defines and documents information security roles and responsibilities throughout the system development life cycle; | P1
SYSTEM AND SERVICES ACQUISITION | SA-3 | SA-3c | SYSTEM DEVELOPMENT LIFE CYCLE | Identifies individuals having information security roles and responsibilities; and | P1
SYSTEM AND SERVICES ACQUISITION | SA-3 | SA-3d | SYSTEM DEVELOPMENT LIFE CYCLE | Integrates the organizational information security risk management process into system development life cycle activities. | P1
SYSTEM AND SERVICES ACQUISITION | SA-4 | SA-4 | ACQUISITION PROCESS | The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: | P1
SYSTEM AND SERVICES ACQUISITION | SA-4 (2) | SA-4 (2) | DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS | The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]. |
SYSTEM AND SERVICES ACQUISITION | SA-4 (3) | SA-4 (3) | DEVELOPMENT METHODS / TECHNIQUES / PRACTICES | The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes]. |
SYSTEM AND SERVICES ACQUISITION | SA-4 (4) | SA-4 (4) | ASSIGNMENT OF COMPONENTS TO SYSTEMS | [Withdrawn: Incorporated into CM-8 (9)]. |
SYSTEM AND SERVICES ACQUISITION | SA-4 (5) | SA-4 (5) | SYSTEM / COMPONENT / SERVICE CONFIGURATIONS | The organization requires the developer of the information system, system component, or information system service to: |
SYSTEM AND SERVICES ACQUISITION | SA-4 (5) | SA-4 (5)(a) | SYSTEM / COMPONENT / SERVICE CONFIGURATIONS | Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and |
SYSTEM AND SERVICES ACQUISITION | SA-4 (5) | SA-4 (5)(b) | SYSTEM / COMPONENT / SERVICE CONFIGURATIONS | Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade. |
SYSTEM AND SERVICES ACQUISITION | SA-4 (6) | SA-4 (6)(a) | USE OF INFORMATION ASSURANCE PRODUCTS | Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and |
SYSTEM AND SERVICES ACQUISITION | SA-4 (6) | SA-4 (6)(b) | USE OF INFORMATION ASSURANCE PRODUCTS | Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. |
SYSTEM AND SERVICES ACQUISITION | SA-4 (7) | SA-4 (7)(b) | NIAP-APPROVED PROTECTION PROFILES | Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated. |
SYSTEM AND SERVICES ACQUISITION | SA-4 (8) | SA-4 (8) | CONTINUOUS MONITORING PLAN | The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]. |
SYSTEM AND SA-4 (9) SA-4 (9) FUNCTIONS / PORTS / The organization requires the developer of the
SERVICES PROTOCOLS / information system, system component, or
ACQUISITION SERVICES IN USE information system service to identify early in
### the system development life cycle, the functions,
ports, protocols, and services intended for
organizational use.
SYSTEM AND SA-4 (10) SA-4 (10) USE OF APPROVED The organization employs only information
SERVICES PIV PRODUCTS technology products on the FIPS 201-approved
ACQUISITION products list for Personal Identity Verification
### (PIV) capability implemented within
organizational information systems.
SYSTEM AND SA-5 SA-5 INFORMATION The organization: P2
### SERVICES SYSTEM
ACQUISITION DOCUMENTATION
SYSTEM AND SA-5 SA-5a INFORMATION Obtains administrator documentation for the P2
SERVICES SYSTEM information system, system component, or
ACQUISITION DOCUMENTATION information system service that describes:
###
SYSTEM AND SA-5 SA-5a.1 INFORMATION Secure configuration, installation, and operation P2
SERVICES SYSTEM of the system, component, or service;
ACQUISITION DOCUMENTATION
###
SYSTEM AND SA-5 SA-5a.2 INFORMATION Effective use and maintenance of security P2
### SERVICES SYSTEM functions/mechanisms; and
ACQUISITION DOCUMENTATION
SYSTEM AND SA-5 SA-5a.3 INFORMATION Known vulnerabilities regarding configuration P2
### SERVICES SYSTEM and use of administrative (i.e., privileged)
ACQUISITION DOCUMENTATION functions;
SYSTEM AND SA-5 SA-5b INFORMATION Obtains user documentation for the information P2
### SERVICES SYSTEM system, system component, or information
ACQUISITION DOCUMENTATION system service that describes:
SYSTEM AND SA-5 SA-5b.1 INFORMATION User-accessible security functions/mechanisms P2
SERVICES SYSTEM and how to effectively use those security
### ACQUISITION DOCUMENTATION functions/mechanisms;
SYSTEM AND SA-5 SA-5b.2 INFORMATION Methods for user interaction, which enables P2
SERVICES SYSTEM individuals to use the system, component, or
ACQUISITION DOCUMENTATION service in a more secure manner; and
###
SYSTEM AND SA-5 SA-5b.3 INFORMATION User responsibilities in maintaining the security P2
SERVICES SYSTEM of the system, component, or service;
### ACQUISITION DOCUMENTATION
SYSTEM AND SA-5 (2) SA-5 (2) SECURITY-RELEVANT [Withdrawn: Incorporated into SA-4 (2)].
### SERVICES EXTERNAL SYSTEM
ACQUISITION INTERFACES
SYSTEM AND SA-5 (3) SA-5 (3) HIGH-LEVEL DESIGN [Withdrawn: Incorporated into SA-4 (2)].
### SERVICES
ACQUISITION
SYSTEM AND SA-5 (4) SA-5 (4) LOW-LEVEL DESIGN [Withdrawn: Incorporated into SA-4 (2)].
### SERVICES
ACQUISITION
SYSTEM AND SA-5 (5) SA-5 (5) SOURCE CODE [Withdrawn: Incorporated into SA-4 (2)].
### SERVICES
ACQUISITION
SYSTEM AND SA-6 SA-6 SOFTWARE USAGE [Withdrawn: Incorporated into CM-10 and SI-7].
### SERVICES RESTRICTIONS
ACQUISITION
SYSTEM AND SA-7 SA-7 USER-INSTALLED [Withdrawn: Incorporated into CM-11 and SI-7].
### SERVICES SOFTWARE
ACQUISITION
SYSTEM AND SA-8 SA-8 SECURITY The organization applies information system P1
SERVICES ENGINEERING security engineering principles in the
ACQUISITION PRINCIPLES specification, design, development,
implementation, and modification of the
information system.
###
SYSTEM AND SA-9 SA-9b EXTERNAL Defines and documents government oversight P1
### SERVICES INFORMATION and user roles and responsibilities with regard
ACQUISITION SYSTEM SERVICES to external information system services; and
SYSTEM AND SA-9 SA-9c EXTERNAL Employs [Assignment: organization-defined P1
SERVICES INFORMATION processes, methods, and techniques] to monitor
ACQUISITION SYSTEM SERVICES security control compliance by external service
### providers on an ongoing basis.
SYSTEM AND SA-9 (1) SA-9 (1) RISK ASSESSMENTS / The organization:
SERVICES ORGANIZATIONAL
ACQUISITION APPROVALS
###
SYSTEM AND SA-9 (1) SA-9 (1)(a) RISK ASSESSMENTS / Conducts an organizational assessment of risk
SERVICES ORGANIZATIONAL prior to the acquisition or outsourcing of
ACQUISITION APPROVALS dedicated information security services; and
###
SYSTEM AND SA-9 (1) SA-9 (1)(b) RISK ASSESSMENTS / Ensures that the acquisition or outsourcing of
SERVICES ORGANIZATIONAL dedicated information security services is
ACQUISITION APPROVALS approved by [Assignment: organization-defined
### personnel or roles].
SYSTEM AND SA-9 (2) SA-9 (2) IDENTIFICATION OF The organization requires providers of
SERVICES FUNCTIONS / PORTS / [Assignment: organization-defined external
ACQUISITION PROTOCOLS / information system services] to identify the
### SERVICES functions, ports, protocols, and other services
required for the use of such services.
SYSTEM AND SA-9 (3) SA-9 (3) ESTABLISH / The organization establishes, documents, and
SERVICES MAINTAIN TRUST maintains trust relationships with external
ACQUISITION RELATIONSHIP WITH service providers based on [Assignment:
### PROVIDERS organization-defined security requirements,
properties, factors, or conditions defining
acceptable trust relationships].
SYSTEM AND SA-9 (4) SA-9 (4) CONSISTENT The organization employs [Assignment:
SERVICES INTERESTS OF organization-defined security safeguards] to
ACQUISITION CONSUMERS AND ensure that the interests of [Assignment:
### PROVIDERS organization-defined external service providers]
are consistent with and reflect organizational
interests.
SYSTEM AND SA-9 (5) SA-9 (5) PROCESSING, The organization restricts the location of
SERVICES STORAGE, AND [Selection (one or more): information processing;
ACQUISITION SERVICE LOCATION information/data; information system services]
to [Assignment: organization-defined locations]
### based on [Assignment: organization-defined
requirements or conditions].
SYSTEM AND SA-10 SA-10 DEVELOPER The organization requires the developer of the P1
### SERVICES CONFIGURATION information system, system component, or
ACQUISITION MANAGEMENT information system service to:
SYSTEM AND SA-10 SA-10a DEVELOPER Perform configuration management during P1
SERVICES CONFIGURATION system, component, or service [Selection (one or
### ACQUISITION MANAGEMENT more): design; development; implementation;
operation];
SYSTEM AND SA-10 SA-10b DEVELOPER Document, manage, and control the integrity of P1
SERVICES CONFIGURATION changes to [Assignment: organization-defined
### ACQUISITION MANAGEMENT configuration items under configuration
management];
SYSTEM AND SA-10 (1) SA-10 (1) SOFTWARE / The organization requires the developer of the
SERVICES FIRMWARE information system, system component, or
ACQUISITION INTEGRITY information system service to enable integrity
### VERIFICATION verification of software and firmware
components.
SYSTEM AND SA-10 (2) SA-10 (2) ALTERNATIVE The organization provides an alternate
SERVICES CONFIGURATION configuration management process using
ACQUISITION MANAGEMENT organizational personnel in the absence of a
### PROCESSES dedicated developer configuration management
team.
SYSTEM AND SA-10 (3) SA-10 (3) HARDWARE The organization requires the developer of the
SERVICES INTEGRITY information system, system component, or
### ACQUISITION VERIFICATION information system service to enable integrity
verification of hardware components.
SYSTEM AND SA-10 (4) SA-10 (4) TRUSTED The organization requires the developer of the
SERVICES GENERATION information system, system component, or
ACQUISITION information system service to employ tools for
comparing newly generated versions of security-
### relevant hardware descriptions and
software/firmware source and object code with
previous versions.
SYSTEM AND SA-10 (5) SA-10 (5) MAPPING INTEGRITY The organization requires the developer of the
SERVICES FOR VERSION information system, system component, or
ACQUISITION CONTROL information system service to maintain the
integrity of the mapping between the master
build data (hardware drawings and
### software/firmware code) describing the current
version of security-relevant hardware, software,
and firmware and the on-site master copy of the
data for the current version.
SYSTEM AND SA-10 (6) SA-10 (6) TRUSTED The organization requires the developer of the
SERVICES DISTRIBUTION information system, system component, or
ACQUISITION information system service to execute
procedures for ensuring that security-relevant
### hardware, software, and firmware updates
distributed to the organization are exactly as
specified by the master copies.
SYSTEM AND SA-11 SA-11 DEVELOPER SECURITY The organization requires the developer of the P1
### SERVICES TESTING AND information system, system component, or
ACQUISITION EVALUATION information system service to:
SYSTEM AND SA-11 SA-11a DEVELOPER SECURITY Create and implement a security assessment P1
### SERVICES TESTING AND plan;
ACQUISITION EVALUATION
SYSTEM AND SA-11 SA-11b DEVELOPER SECURITY Perform [Selection (one or more): unit; P1
SERVICES TESTING AND integration; system; regression]
### ACQUISITION EVALUATION testing/evaluation at [Assignment: organization-
defined depth and coverage];
SYSTEM AND SA-11 SA-11c DEVELOPER SECURITY Produce evidence of the execution of the P1
### SERVICES TESTING AND security assessment plan and the results of the
ACQUISITION EVALUATION security testing/evaluation;
SYSTEM AND SA-11 SA-11d DEVELOPER SECURITY Implement a verifiable flaw remediation process; P1
### SERVICES TESTING AND and
ACQUISITION EVALUATION
SYSTEM AND SA-11 SA-11e DEVELOPER SECURITY Correct flaws identified during security P1
### SERVICES TESTING AND testing/evaluation.
ACQUISITION EVALUATION
SYSTEM AND SA-11 (1) SA-11 (1) STATIC CODE The organization requires the developer of the
SERVICES ANALYSIS information system, system component, or
ACQUISITION information system service to employ static code
### analysis tools to identify common flaws and
document the results of the analysis.
SYSTEM AND SA-11 (2) SA-11 (2) THREAT AND The organization requires the developer of the
SERVICES VULNERABILITY information system, system component, or
ACQUISITION ANALYSES information system service to perform threat
### and vulnerability analyses and subsequent
testing/evaluation of the as-built system,
component, or service.
SYSTEM AND SA-11 (3) SA-11 (3)(a) INDEPENDENT Requires an independent agent satisfying
SERVICES VERIFICATION OF [Assignment: organization-defined independence
ACQUISITION ASSESSMENT PLANS / criteria] to verify the correct implementation of
### EVIDENCE the developer security assessment plan and the
evidence produced during security
testing/evaluation; and
SYSTEM AND SA-11 (3) SA-11 (3)(b) INDEPENDENT Ensures that the independent agent is either
SERVICES VERIFICATION OF provided with sufficient information to complete
### ACQUISITION ASSESSMENT PLANS / the verification process or granted the authority
EVIDENCE to obtain such information.
SYSTEM AND SA-11 (4) SA-11 (4) MANUAL CODE The organization requires the developer of the
SERVICES REVIEWS information system, system component, or
ACQUISITION information system service to perform a manual
code review of [Assignment: organization-
### defined specific code] using [Assignment:
organization-defined processes, procedures,
and/or techniques].
SYSTEM AND SA-11 (5) SA-11 (5) PENETRATION The organization requires the developer of the
SERVICES TESTING information system, system component, or
ACQUISITION information system service to perform
penetration testing at [Assignment: organization-
### defined breadth/depth] and with [Assignment:
organization-defined constraints].
SYSTEM AND SA-11 (6) SA-11 (6) ATTACK SURFACE The organization requires the developer of the
SERVICES REVIEWS information system, system component, or
### ACQUISITION information system service to perform attack
surface reviews.
SYSTEM AND SA-11 (7) SA-11 (7) VERIFY SCOPE OF The organization requires the developer of the
SERVICES TESTING / information system, system component, or
ACQUISITION EVALUATION information system service to verify that the
scope of security testing/evaluation provides
### complete coverage of required security controls
at [Assignment: organization-defined depth of
testing/evaluation].
SYSTEM AND SA-11 (8) SA-11 (8) DYNAMIC CODE The organization requires the developer of the
SERVICES ANALYSIS information system, system component, or
ACQUISITION information system service to employ dynamic
### code analysis tools to identify common flaws and
document the results of the analysis.
SYSTEM AND SA-12 SA-12 SUPPLY CHAIN The organization protects against supply chain P1
SERVICES PROTECTION threats to the information system, system
ACQUISITION component, or information system service by
employing [Assignment: organization-defined
### security safeguards] as part of a comprehensive,
defense-in-breadth information security
strategy.
SYSTEM AND SA-12 (1) SA-12 (1) ACQUISITION The organization employs [Assignment:
SERVICES STRATEGIES / organization-defined tailored acquisition
ACQUISITION TOOLS / METHODS strategies, contract tools, and procurement
### methods] for the purchase of the information
system, system component, or information
system service from suppliers.
SYSTEM AND SA-12 (2) SA-12 (2) SUPPLIER REVIEWS The organization conducts a supplier review
SERVICES prior to entering into a contractual agreement to
### ACQUISITION acquire the information system, system
component, or information system service.
SYSTEM AND SA-12 (3) SA-12 (3) TRUSTED SHIPPING [Withdrawn: Incorporated into SA-12 (1)].
### SERVICES AND WAREHOUSING
ACQUISITION
SYSTEM AND SA-12 (4) SA-12 (4) DIVERSITY OF [Withdrawn: Incorporated into SA-12 (13)].
### SERVICES SUPPLIERS
ACQUISITION
SYSTEM AND SA-12 (5) SA-12 (5) LIMITATION OF The organization employs [Assignment:
SERVICES HARM organization-defined security safeguards] to limit
ACQUISITION harm from potential adversaries identifying and
### targeting the organizational supply chain.
SYSTEM AND SA-12 (6) SA-12 (6) MINIMIZING [Withdrawn: Incorporated into SA-12 (1)].
### SERVICES PROCUREMENT TIME
ACQUISITION
SYSTEM AND SA-12 (7) SA-12 (7) ASSESSMENTS PRIOR The organization conducts an assessment of the
SERVICES TO SELECTION / information system, system component, or
ACQUISITION ACCEPTANCE / information system service prior to selection,
### UPDATE acceptance, or update.
SYSTEM AND SA-12 (8) SA-12 (8) USE OF ALL-SOURCE The organization uses all-source intelligence
SERVICES INTELLIGENCE analysis of suppliers and potential suppliers of
### ACQUISITION the information system, system component, or
information system service.
SYSTEM AND SA-12 (9) SA-12 (9) OPERATIONS The organization employs [Assignment:
SERVICES SECURITY organization-defined Operations Security
ACQUISITION (OPSEC) safeguards] in accordance with
classification guides to protect supply chain-
### related information for the information system,
system component, or information system
service.
SYSTEM AND SA-12 (10) SA-12 (10) VALIDATE AS The organization employs [Assignment:
SERVICES GENUINE AND NOT organization-defined security safeguards] to
ACQUISITION ALTERED validate that the information system or system
### component received is genuine and has not been
altered.
SYSTEM AND SA-12 (11) SA-12 (11) PENETRATION The organization employs [Selection (one or
SERVICES TESTING / ANALYSIS more): organizational analysis, independent
ACQUISITION OF ELEMENTS, third-party analysis, organizational penetration
PROCESSES, AND testing, independent third-party penetration
ACTORS testing] of [Assignment: organization-defined
### supply chain elements, processes, and actors]
associated with the information system, system
component, or information system service.
SYSTEM AND SA-12 (12) SA-12 (12) INTER- The organization establishes inter-organizational
SERVICES ORGANIZATIONAL agreements and procedures with entities
ACQUISITION AGREEMENTS involved in the supply chain for the information
### system, system component, or information
system service.
SYSTEM AND SA-12 (13) SA-12 (13) CRITICAL The organization employs [Assignment:
SERVICES INFORMATION organization-defined security safeguards] to
ACQUISITION SYSTEM ensure an adequate supply of [Assignment:
### COMPONENTS organization-defined critical information system
components].
SYSTEM AND SA-12 (14) SA-12 (14) IDENTITY AND The organization establishes and retains unique
SERVICES TRACEABILITY identification of [Assignment: organization-
ACQUISITION defined supply chain elements, processes, and
### actors] for the information system, system
component, or information system service.
SYSTEM AND SA-12 (15) SA-12 (15) PROCESSES TO The organization establishes a process to address
SERVICES ADDRESS weaknesses or deficiencies in supply chain
ACQUISITION WEAKNESSES OR elements identified during independent or
### DEFICIENCIES organizational assessments of such elements.
SYSTEM AND SA-14 (1) SA-14 (1) CRITICAL [Withdrawn: Incorporated into SA-20].
SERVICES COMPONENTS WITH
ACQUISITION NO VIABLE
### ALTERNATIVE
SOURCING
SYSTEM AND SA-15 SA-15a DEVELOPMENT Requires the developer of the information P2
SERVICES PROCESS, system, system component, or information
### ACQUISITION STANDARDS, AND system service to follow a documented
TOOLS development process that:
SYSTEM AND SA-15 SA-15a.2 DEVELOPMENT Identifies the standards and tools used in the P2
SERVICES PROCESS, development process;
### ACQUISITION STANDARDS, AND
TOOLS
SYSTEM AND SA-15 SA-15a.3 DEVELOPMENT Documents the specific tool options and tool P2
SERVICES PROCESS, configurations used in the development process;
### ACQUISITION STANDARDS, AND and
TOOLS
SYSTEM AND SA-15 SA-15a.4 DEVELOPMENT Documents, manages, and ensures the integrity P2
SERVICES PROCESS, of changes to the process and/or tools used in
### ACQUISITION STANDARDS, AND development; and
TOOLS
SYSTEM AND SA-15 SA-15b DEVELOPMENT Reviews the development process, standards, P2
SERVICES PROCESS, tools, and tool options/configurations
ACQUISITION STANDARDS, AND [Assignment: organization-defined frequency] to
TOOLS determine if the process, standards, tools, and
### tool options/configurations selected and
employed can satisfy [Assignment: organization-
defined security requirements].
SYSTEM AND SA-15 (1) SA-15 (1) QUALITY METRICS The organization requires the developer of the
### SERVICES information system, system component, or
ACQUISITION information system service to:
SYSTEM AND SA-15 (1) SA-15 (1)(a) QUALITY METRICS Define quality metrics at the beginning of the
### SERVICES development process; and
ACQUISITION
SYSTEM AND SA-15 (1) SA-15 (1)(b) QUALITY METRICS Provide evidence of meeting the quality metrics
SERVICES [Selection (one or more): [Assignment:
ACQUISITION organization-defined frequency]; [Assignment:
### organization-defined program review
milestones]; upon delivery].
SYSTEM AND SA-15 (2) SA-15 (2) SECURITY TRACKING The organization requires the developer of the
SERVICES TOOLS information system, system component, or
ACQUISITION information system service to select and employ
### a security tracking tool for use during the
development process.
SYSTEM AND SA-15 (3) SA-15 (3) CRITICALITY ANALYSIS The organization requires the developer of the
SERVICES information system, system component, or
ACQUISITION information system service to perform a
criticality analysis at [Assignment: organization-
### defined breadth/depth] and at [Assignment:
organization-defined decision points in the
system development life cycle].
SYSTEM AND SA-15 (4) SA-15 (4) THREAT MODELING / The organization requires that developers
SERVICES VULNERABILITY perform threat modeling and a vulnerability
ACQUISITION ANALYSIS analysis for the information system at
### [Assignment: organization-defined
breadth/depth] that:
SYSTEM AND SA-15 (4) SA-15 (4)(a) THREAT MODELING / Uses [Assignment: organization-defined
SERVICES VULNERABILITY information concerning impact, environment of
### ACQUISITION ANALYSIS operations, known or assumed threats, and
acceptable risk levels];
SYSTEM AND SA-15 (4) SA-15 (4)(b) THREAT MODELING / Employs [Assignment: organization-defined tools
### SERVICES VULNERABILITY and methods]; and
ACQUISITION ANALYSIS
SYSTEM AND SA-15 (4) SA-15 (4)(c) THREAT MODELING / Produces evidence that meets [Assignment:
### SERVICES VULNERABILITY organization-defined acceptance criteria].
ACQUISITION ANALYSIS
SYSTEM AND SA-15 (5) SA-15 (5) ATTACK SURFACE The organization requires the developer of the
SERVICES REDUCTION information system, system component, or
ACQUISITION information system service to reduce attack
### surfaces to [Assignment: organization-defined
thresholds].
SYSTEM AND SA-15 (6) SA-15 (6) CONTINUOUS The organization requires the developer of the
SERVICES IMPROVEMENT information system, system component, or
ACQUISITION information system service to implement an
### explicit process to continuously improve the
development process.
SYSTEM AND SA-15 (7) SA-15 (7) AUTOMATED The organization requires the developer of the
### SERVICES VULNERABILITY information system, system component, or
ACQUISITION ANALYSIS information system service to:
SYSTEM AND SA-15 (7) SA-15 (7)(a) AUTOMATED Perform an automated vulnerability analysis
### SERVICES VULNERABILITY using [Assignment: organization-defined tools];
ACQUISITION ANALYSIS
SYSTEM AND SA-15 (7) SA-15 (7)(b) AUTOMATED Determine the exploitation potential for
### SERVICES VULNERABILITY discovered vulnerabilities;
ACQUISITION ANALYSIS
SYSTEM AND SA-15 (7) SA-15 (7)(c) AUTOMATED Determine potential risk mitigations for
### SERVICES VULNERABILITY delivered vulnerabilities; and
ACQUISITION ANALYSIS
SYSTEM AND SA-15 (7) SA-15 (7)(d) AUTOMATED Deliver the outputs of the tools and results of
### SERVICES VULNERABILITY the analysis to [Assignment: organization-
ACQUISITION ANALYSIS defined personnel or roles].
SYSTEM AND SA-15 (8) SA-15 (8) REUSE OF THREAT / The organization requires the developer of the
SERVICES VULNERABILITY information system, system component, or
ACQUISITION INFORMATION information system service to use threat
### modeling and vulnerability analyses from similar
systems, components, or services to inform the
current development process.
SYSTEM AND SA-15 (9) SA-15 (9) USE OF LIVE DATA The organization approves, documents, and
SERVICES controls the use of live data in development and
ACQUISITION test environments for the information system,
### system component, or information system
service.
SYSTEM AND SA-15 (10) SA-15 (10) INCIDENT RESPONSE The organization requires the developer of the
SERVICES PLAN information system, system component, or
### ACQUISITION information system service to provide an
incident response plan.
SYSTEM AND SA-15 (11) SA-15 (11) ARCHIVE The organization requires the developer of the
SERVICES INFORMATION information system or system component to
ACQUISITION SYSTEM / archive the system or component to be released
### COMPONENT or delivered together with the corresponding
evidence supporting the final security review.
SYSTEM AND SA-16 SA-16 DEVELOPER- The organization requires the developer of the P2
SERVICES PROVIDED TRAINING information system, system component, or
ACQUISITION information system service to provide
[Assignment: organization-defined training] on
### the correct use and operation of the
implemented security functions, controls, and/or
mechanisms.
SYSTEM AND SA-17 SA-17 DEVELOPER SECURITY The organization requires the developer of the P1
SERVICES ARCHITECTURE AND information system, system component, or
ACQUISITION DESIGN information system service to produce a design
### specification and security architecture that:
SYSTEM AND SA-17 SA-17a DEVELOPER SECURITY Is consistent with and supportive of the P1
SERVICES ARCHITECTURE AND organization�s security architecture which is
### ACQUISITION DESIGN established within and is an integrated part of
the organization's enterprise architecture;
SYSTEM AND SA-17 SA-17b DEVELOPER SECURITY Accurately and completely describes the P1
SERVICES ARCHITECTURE AND required security functionality, and the
### ACQUISITION DESIGN allocation of security controls among physical
and logical components; and
SYSTEM AND SA-17 SA-17c DEVELOPER SECURITY Expresses how individual security functions, P1
SERVICES ARCHITECTURE AND mechanisms, and services work together to
### ACQUISITION DESIGN provide required security capabilities and a
unified approach to protection.
SYSTEM AND SA-17 (1) SA-17 (1) FORMAL POLICY The organization requires the developer of the
### SERVICES MODEL information system, system component, or
ACQUISITION information system service to:
SYSTEM AND SA-17 (1) SA-17 (1)(a) FORMAL POLICY Produce, as an integral part of the development
SERVICES MODEL process, a formal policy model describing the
ACQUISITION [Assignment: organization-defined elements of
### organizational security policy] to be enforced;
and
SYSTEM AND SA-17 (1) SA-17 (1)(b) FORMAL POLICY Prove that the formal policy model is internally
SERVICES MODEL consistent and sufficient to enforce the defined
### ACQUISITION elements of the organizational security policy
when implemented.
SYSTEM AND SA-17 (2) SA-17 (2) SECURITY-RELEVANT The organization requires the developer of the
### SERVICES COMPONENTS information system, system component, or
ACQUISITION information system service to:
SYSTEM AND SA-17 (2) SA-17 (2)(a) SECURITY-RELEVANT Define security-relevant hardware, software, and
### SERVICES COMPONENTS firmware; and
ACQUISITION
SYSTEM AND SA-17 (2) SA-17 (2)(b) SECURITY-RELEVANT Provide a rationale that the definition for
### SERVICES COMPONENTS security-relevant hardware, software, and
ACQUISITION firmware is complete.
SYSTEM AND SA-17 (3) SA-17 (3) FORMAL The organization requires the developer of the
### SERVICES CORRESPONDENCE information system, system component, or
ACQUISITION information system service to:
SYSTEM AND SA-17 (3) SA-17 (3)(a) FORMAL Produce, as an integral part of the development
SERVICES CORRESPONDENCE process, a formal top-level specification that
ACQUISITION specifies the interfaces to security-relevant
### hardware, software, and firmware in terms of
exceptions, error messages, and effects;
SYSTEM AND SA-17 (3) SA-17 (3)(b) FORMAL Show via proof to the extent feasible with
SERVICES CORRESPONDENCE additional informal demonstration as necessary,
ACQUISITION that the formal top-level specification is
### consistent with the formal policy model;
SYSTEM AND SA-17 (3) SA-17 (3)(c) FORMAL Show via informal demonstration, that the
SERVICES CORRESPONDENCE formal top-level specification completely covers
### ACQUISITION the interfaces to security-relevant hardware,
software, and firmware;
SYSTEM AND SA-17 (3) SA-17 (3)(d) FORMAL Show that the formal top-level specification is an
SERVICES CORRESPONDENCE accurate description of the implemented
### ACQUISITION security-relevant hardware, software, and
firmware; and
SYSTEM AND SA-17 (3) SA-17 (3)(e) FORMAL Describe the security-relevant hardware,
SERVICES CORRESPONDENCE software, and firmware mechanisms not
ACQUISITION addressed in the formal top-level specification
### but strictly internal to the security-relevant
hardware, software, and firmware.
SYSTEM AND SA-17 (4) SA-17 (4) INFORMAL The organization requires the developer of the
### SERVICES CORRESPONDENCE information system, system component, or
ACQUISITION information system service to:
SYSTEM AND SA-17 (4) SA-17 (4)(a) INFORMAL Produce, as an integral part of the development
SERVICES CORRESPONDENCE process, an informal descriptive top-level
ACQUISITION specification that specifies the interfaces to
### security-relevant hardware, software, and
firmware in terms of exceptions, error messages,
and effects;
SYSTEM AND SA-17 (4) SA-17 (4)(b) INFORMAL Show via [Selection: informal demonstration,
SERVICES CORRESPONDENCE convincing argument with formal methods as
ACQUISITION feasible] that the descriptive top-level
### specification is consistent with the formal policy
model;
SYSTEM AND SA-17 (4) SA-17 (4)(c) INFORMAL Show via informal demonstration, that the
descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;

Family | Control | Sub-part | Title | Description | Priority
SYSTEM AND SERVICES ACQUISITION | SA-17 (4) | SA-17 (4)(d) | INFORMAL CORRESPONDENCE | Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and |
SYSTEM AND SERVICES ACQUISITION | SA-17 (4) | SA-17 (4)(e) | INFORMAL CORRESPONDENCE | Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. |
SYSTEM AND SERVICES ACQUISITION | SA-17 (5) | SA-17 (5) | CONCEPTUALLY SIMPLE DESIGN | The organization requires the developer of the information system, system component, or information system service to: |
SYSTEM AND SERVICES ACQUISITION | SA-17 (5) | SA-17 (5)(a) | CONCEPTUALLY SIMPLE DESIGN | Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and |
SYSTEM AND SERVICES ACQUISITION | SA-17 (5) | SA-17 (5)(b) | CONCEPTUALLY SIMPLE DESIGN | Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism. |
SYSTEM AND SERVICES ACQUISITION | SA-17 (6) | SA-17 (6) | STRUCTURE FOR TESTING | The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing. |
SYSTEM AND SERVICES ACQUISITION | SA-17 (7) | SA-17 (7) | STRUCTURE FOR LEAST PRIVILEGE | The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege. |
SYSTEM AND SERVICES ACQUISITION | SA-18 | SA-18 | TAMPER RESISTANCE AND DETECTION | The organization implements a tamper protection program for the information system, system component, or information system service. | P0
SYSTEM AND SERVICES ACQUISITION | SA-18 (1) | SA-18 (1) | MULTIPLE PHASES OF SDLC | The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance. |
SYSTEM AND SERVICES ACQUISITION | SA-18 (2) | SA-18 (2) | INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES | The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering. |
SYSTEM AND SERVICES ACQUISITION | SA-19 (1) | SA-19 (1) | ANTI-COUNTERFEIT TRAINING | The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware). |
SYSTEM AND SERVICES ACQUISITION | SA-19 (2) | SA-19 (2) | CONFIGURATION CONTROL FOR COMPONENT SERVICE / REPAIR | The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service. |
SYSTEM AND SERVICES ACQUISITION | SA-19 (3) | SA-19 (3) | COMPONENT DISPOSAL | The organization disposes of information system components using [Assignment: organization-defined techniques and methods]. |
SYSTEM AND SERVICES ACQUISITION | SA-19 (4) | SA-19 (4) | ANTI-COUNTERFEIT SCANNING | The organization scans for counterfeit information system components [Assignment: organization-defined frequency]. |
SYSTEM AND SERVICES ACQUISITION | SA-20 | SA-20 | CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS | The organization re-implements or custom develops [Assignment: organization-defined critical information system components]. | P0
SYSTEM AND SERVICES ACQUISITION | SA-21 | SA-21 | DEVELOPER SCREENING | The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: | P0
SYSTEM AND SERVICES ACQUISITION | SA-22 (1) | SA-22 (1) | ALTERNATIVE SOURCES FOR CONTINUED SUPPORT | The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-1 | SC-1a | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-1 | SC-1a.1 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-1 | SC-1a.2 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-1 | SC-1b | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | Reviews and updates the current: | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-1 | SC-1b.1 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | System and communications protection policy [Assignment: organization-defined frequency]; and | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-1 | SC-1b.2 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | System and communications protection procedures [Assignment: organization-defined frequency]. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-2 | SC-2 | APPLICATION PARTITIONING | The information system separates user functionality (including user interface services) from information system management functionality. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-2 (1) | SC-2 (1) | INTERFACES FOR NON-PRIVILEGED USERS | The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-3 | SC-3 | SECURITY FUNCTION ISOLATION | The information system isolates security functions from nonsecurity functions. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-3 (1) | SC-3 (1) | HARDWARE SEPARATION | The information system utilizes underlying hardware separation mechanisms to implement security function isolation. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-3 (2) | SC-3 (2) | ACCESS / FLOW CONTROL FUNCTIONS | The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-3 (3) | SC-3 (3) | MINIMIZE NONSECURITY FUNCTIONALITY | The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-3 (4) | SC-3 (4) | MODULE COUPLING AND COHESIVENESS | The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-3 (5) | SC-3 (5) | LAYERED STRUCTURES | The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-4 | SC-4 | INFORMATION IN SHARED RESOURCES | The information system prevents unauthorized and unintended information transfer via shared system resources. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-4 (1) | SC-4 (1) | SECURITY LEVELS | [Withdrawn: Incorporated into SC-4]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-4 (2) | SC-4 (2) | PERIODS PROCESSING | The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-5 | SC-5 | DENIAL OF SERVICE PROTECTION | The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards]. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-5 (1) | SC-5 (1) | RESTRICT INTERNAL USERS | The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-5 (2) | SC-5 (2) | EXCESS CAPACITY / BANDWIDTH / REDUNDANCY | The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-6 | SC-6 | RESOURCE AVAILABILITY | The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]]. | P0
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 | SC-7 | BOUNDARY PROTECTION | The information system: | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 | SC-7a | BOUNDARY PROTECTION | Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 | SC-7b | BOUNDARY PROTECTION | Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 | SC-7c | BOUNDARY PROTECTION | Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (1) | SC-7 (1) | PHYSICALLY SEPARATED SUBNETWORKS | [Withdrawn: Incorporated into SC-7]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (2) | SC-7 (2) | PUBLIC ACCESS | [Withdrawn: Incorporated into SC-7]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (3) | SC-7 (3) | ACCESS POINTS | The organization limits the number of external network connections to the information system. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (4) | SC-7 (4) | EXTERNAL TELECOMMUNICATIONS SERVICES | The organization: |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (4) | SC-7 (4)(a) | EXTERNAL TELECOMMUNICATIONS SERVICES | Implements a managed interface for each external telecommunication service; |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (4) | SC-7 (4)(b) | EXTERNAL TELECOMMUNICATIONS SERVICES | Establishes a traffic flow policy for each managed interface; |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (4) | SC-7 (4)(c) | EXTERNAL TELECOMMUNICATIONS SERVICES | Protects the confidentiality and integrity of the information being transmitted across each interface; |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (4) | SC-7 (4)(d) | EXTERNAL TELECOMMUNICATIONS SERVICES | Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (4) | SC-7 (4)(e) | EXTERNAL TELECOMMUNICATIONS SERVICES | Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (5) | SC-7 (5) | DENY BY DEFAULT / ALLOW BY EXCEPTION | The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (6) | SC-7 (6) | RESPONSE TO RECOGNIZED FAILURES | [Withdrawn: Incorporated into SC-7 (18)]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (7) | SC-7 (7) | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES | The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (8) | SC-7 (8) | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS | The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (9) | SC-7 (9) | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC | The information system: |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (9) | SC-7 (9)(a) | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC | Detects and denies outgoing communications traffic posing a threat to external information systems; and |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (9) | SC-7 (9)(b) | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC | Audits the identity of internal users associated with denied communications. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (10) | SC-7 (10) | PREVENT UNAUTHORIZED EXFILTRATION | The organization prevents the unauthorized exfiltration of information across managed interfaces. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (11) | SC-7 (11) | RESTRICT INCOMING COMMUNICATIONS TRAFFIC | The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (12) | SC-7 (12) | HOST-BASED PROTECTION | The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (13) | SC-7 (13) | ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS | The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (14) | SC-7 (14) | PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS | The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (15) | SC-7 (15) | ROUTE PRIVILEGED NETWORK ACCESSES | The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (16) | SC-7 (16) | PREVENT DISCOVERY OF COMPONENTS / DEVICES | The information system prevents discovery of specific system components composing a managed interface. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (17) | SC-7 (17) | AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS | The information system enforces adherence to protocol formats. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (18) | SC-7 (18) | FAIL SECURE | The information system fails securely in the event of an operational failure of a boundary protection device. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (19) | SC-7 (19) | BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS | The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (20) | SC-7 (20) | DYNAMIC ISOLATION / SEGREGATION | The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (21) | SC-7 (21) | ISOLATION OF INFORMATION SYSTEM COMPONENTS | The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (22) | SC-7 (22) | SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS | The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-7 (23) | SC-7 (23) | DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE | The information system disables feedback to senders on protocol format validation failure. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-8 | SC-8 | TRANSMISSION CONFIDENTIALITY AND INTEGRITY | The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-8 (1) | SC-8 (1) | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION | The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-8 (2) | SC-8 (2) | PRE / POST TRANSMISSION HANDLING | The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-8 (3) | SC-8 (3) | CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS | The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-8 (4) | SC-8 (4) | CONCEAL / RANDOMIZE COMMUNICATIONS | The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-11 | SC-11 | TRUSTED PATH | The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication]. | P0
SYSTEM AND COMMUNICATIONS PROTECTION | SC-11 (1) | SC-11 (1) | LOGICAL ISOLATION | The information system provides a trusted communications path that is logically isolated and distinguishable from other paths. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-12 | SC-12 | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-12 (1) | SC-12 (1) | AVAILABILITY | The organization maintains availability of information in the event of the loss of cryptographic keys by users. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-12 (2) | SC-12 (2) | SYMMETRIC KEYS | The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-12 (3) | SC-12 (3) | ASYMMETRIC KEYS | The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-12 (4) | SC-12 (4) | PKI CERTIFICATES | [Withdrawn: Incorporated into SC-12]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-12 (5) | SC-12 (5) | PKI CERTIFICATES / HARDWARE TOKENS | [Withdrawn: Incorporated into SC-12]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-13 | SC-13 | CRYPTOGRAPHIC PROTECTION | The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-13 (1) | SC-13 (1) | FIPS-VALIDATED CRYPTOGRAPHY | [Withdrawn: Incorporated into SC-13]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-13 (2) | SC-13 (2) | NSA-APPROVED CRYPTOGRAPHY | [Withdrawn: Incorporated into SC-13]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-13 (3) | SC-13 (3) | INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS | [Withdrawn: Incorporated into SC-13]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-13 (4) | SC-13 (4) | DIGITAL SIGNATURES | [Withdrawn: Incorporated into SC-13]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-14 | SC-14 | PUBLIC ACCESS PROTECTIONS | [Withdrawn: Capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 | SC-15 | COLLABORATIVE COMPUTING DEVICES | The information system: | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 | SC-15a | COLLABORATIVE COMPUTING DEVICES | Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 | SC-15b | COLLABORATIVE COMPUTING DEVICES | Provides an explicit indication of use to users physically present at the devices. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 (1) | SC-15 (1) | PHYSICAL DISCONNECT | The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 (2) | SC-15 (2) | BLOCKING INBOUND / OUTBOUND COMMUNICATIONS TRAFFIC | [Withdrawn: Incorporated into SC-7]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 (3) | SC-15 (3) | DISABLING / REMOVAL IN SECURE WORK AREAS | The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 (4) | SC-15 (4) | EXPLICITLY INDICATE CURRENT PARTICIPANTS | The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-16 | SC-16 | TRANSMISSION OF SECURITY ATTRIBUTES | The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components. | P0
SYSTEM AND COMMUNICATIONS PROTECTION | SC-16 (1) | SC-16 (1) | INTEGRITY VALIDATION | The information system validates the integrity of transmitted security attributes. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-17 | SC-17 | PUBLIC KEY INFRASTRUCTURE CERTIFICATES | The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 | SC-18c | MOBILE CODE | Authorizes, monitors, and controls the use of mobile code within the information system. | P2
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 (1) | SC-18 (1) | IDENTIFY UNACCEPTABLE CODE / TAKE CORRECTIVE ACTIONS | The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 (2) | SC-18 (2) | ACQUISITION / DEVELOPMENT / USE | The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 (3) | SC-18 (3) | PREVENT DOWNLOADING / EXECUTION | The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 (4) | SC-18 (4) | PREVENT AUTOMATIC EXECUTION | The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 (5) | SC-18 (5) | ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS | The organization allows execution of permitted mobile code only in confined virtual machine environments. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-19 | SC-19 | VOICE OVER INTERNET PROTOCOL | The organization: | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-19 | SC-19a | VOICE OVER INTERNET PROTOCOL | Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-19 | SC-19b | VOICE OVER INTERNET PROTOCOL | Authorizes, monitors, and controls the use of VoIP within the information system. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-20 | SC-20 | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | The information system: | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-20 | SC-20a | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-20 | SC-20b | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-20 (1) | SC-20 (1) | CHILD SUBSPACES | [Withdrawn: Incorporated into SC-20]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-20 (2) | SC-20 (2) | DATA ORIGIN / INTEGRITY | The information system provides data origin and integrity protection artifacts for internal name/address resolution queries. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-21 | SC-21 | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) | The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-21 (1) | SC-21 (1) | DATA ORIGIN / INTEGRITY | [Withdrawn: Incorporated into SC-21]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-22 | SC-22 | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE | The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 | SC-23 | SESSION AUTHENTICITY | The information system protects the authenticity of communications sessions. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 (1) | SC-23 (1) | INVALIDATE SESSION IDENTIFIERS AT LOGOUT | The information system invalidates session identifiers upon user logout or other session termination. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 (2) | SC-23 (2) | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS | [Withdrawn: Incorporated into AC-12 (1)]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 (3) | SC-23 (3) | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION | The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 (4) | SC-23 (4) | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION | [Withdrawn: Incorporated into SC-23 (3)]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 (5) | SC-23 (5) | ALLOWED CERTIFICATE AUTHORITIES | The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions. |
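SC-23 (1) and SC-23 (3) together describe a concrete session-identifier lifecycle: identifiers are generated by the system with defined randomness, only system-generated identifiers are ever recognized, and an identifier stops being recognized at logout or any other termination. The following is an added example of that lifecycle in Python; it is not code from the NIST catalog or from the AWS Quick Start templates. The SessionStore class, the 256-bit token size, the 900-second idle timeout and the rotate-on-privilege-change step are assumptions standing in for the organization-defined randomness requirements and termination events.

```python
"""Session identifier lifecycle illustrating SC-23 (1) and SC-23 (3).

Added example; not code from the NIST catalog or the AWS Quick Start. The
SessionStore class, TOKEN_BYTES and IDLE_TIMEOUT_SECONDS are assumptions
standing in for the organization-defined randomness requirements.
"""
from __future__ import annotations

import secrets
import time
from typing import Callable, Optional

TOKEN_BYTES = 32            # 256 bits from the OS CSPRNG (assumed randomness requirement)
IDLE_TIMEOUT_SECONDS = 900  # assumed idle timeout; expiry is an "other session termination"


class SessionStore:
    """Server-side store; the identifier is an opaque lookup key, never client-chosen."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock so expiry can be tested
        self._sessions: dict[str, dict] = {}  # session id -> {"user": ..., "last_seen": ...}

    def create(self, user: str) -> str:
        """Issue a fresh, system-generated identifier (SC-23 (3))."""
        sid = secrets.token_urlsafe(TOKEN_BYTES)
        while sid in self._sessions:  # a collision is astronomically unlikely; guard anyway
            sid = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, presented: object) -> Optional[str]:
        """Recognize only identifiers this store issued (SC-23 (3)).

        Anything else, including a client-supplied value planted for session
        fixation or a near-miss guess, resolves to no session. Because valid
        identifiers carry 256 bits of entropy, the membership test does not
        need to be constant-time: an attacker learns nothing useful from it.
        """
        if not isinstance(presented, str):
            return None
        entry = self._sessions.get(presented)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self.invalidate(presented)  # expiry is a termination event (SC-23 (1))
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def invalidate(self, sid: str) -> bool:
        """Logout path: the identifier stops being recognized immediately (SC-23 (1))."""
        return self._sessions.pop(sid, None) is not None

    def rotate(self, sid: str) -> Optional[str]:
        """Replace the identifier at a privilege change (e.g. right after login),
        so an identifier observed before authentication is worthless afterwards."""
        user = self.lookup(sid)
        if user is None:
            return None
        self.invalidate(sid)
        return self.create(user)


def unique_ids(store: SessionStore, n: int) -> int:
    """Number of distinct identifiers issued across n new sessions (uniqueness check)."""
    return len({store.create(f"user{i}") for i in range(n)})
```

The point a reviewer checks against SC-23 (3) is the `lookup` path: the presented value is only ever used as a key into state the server created, so a cookie an attacker sets in a victim's browser before login never becomes a valid session. `rotate` closes the remaining fixation window by discarding the pre-login identifier once the user authenticates.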
SYSTEM AND COMMUNICATIONS PROTECTION | SC-24 | SC-24 | FAIL IN KNOWN STATE | The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-25 | SC-25 | THIN NODES | The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage. | P0
SYSTEM AND COMMUNICATIONS PROTECTION | SC-26 | SC-26 | HONEYPOTS | The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks. | P0
SYSTEM AND COMMUNICATIONS PROTECTION | SC-26 (1) | SC-26 (1) | DETECTION OF MALICIOUS CODE | [Withdrawn: Incorporated into SC-35]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-27 | SC-27 | PLATFORM-INDEPENDENT APPLICATIONS | The information system includes: [Assignment: organization-defined platform-independent applications]. | P0
SYSTEM AND COMMUNICATIONS PROTECTION | SC-28 | SC-28 | PROTECTION OF INFORMATION AT REST | The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. | P1
SYSTEM AND COMMUNICATIONS PROTECTION | SC-28 (1) | SC-28 (1) | CRYPTOGRAPHIC PROTECTION | The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-28 (2) | SC-28 (2) | OFF-LINE STORAGE | The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information]. |
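This mapping ties controls to CloudFormation resource types, so the practical check for SC-7 (5) (deny by default, allow by exception, with each exception documented per SC-7 (4)(d)) and SC-28 (1) (cryptographic protection of information at rest) is a static pass over the template before it is deployed. The example below is added here and is not code from the NIST catalog or from the AWS Quick Start templates. The resource types and property names (AWS::EC2::SecurityGroup, SecurityGroupIngress, AWS::EC2::Volume Encrypted, AWS::S3::Bucket BucketEncryption, AWS::RDS::DBInstance StorageEncrypted) are the real CloudFormation ones; the template itself is constructed for illustration, and the logical resource names and the allow-list of documented public ports are assumptions.

```python
"""Static check of CloudFormation resources against SC-7 (5) and SC-28 (1).

Added example, not part of the NIST catalog or the AWS Quick Start templates.
TEMPLATE is constructed for illustration; the allowed_public_ports allow-list
stands in for the documented traffic-flow exceptions of SC-7 (4)(d).
"""
from __future__ import annotations

from typing import Any, Optional

# Constructed sample template (dict form of a JSON template; not a real deployment).
TEMPLATE: dict = {
    "Parameters": {"EncryptDb": {"Type": "String", "Default": "true"}},
    "Resources": {
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "Public web tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}],
            "SecurityGroupEgress": [
                {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "CidrIp": "10.0.0.0/16"}]}},
        "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "App tier, reachable only from the web tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
                 "SourceSecurityGroupId": {"Ref": "WebSg"}}]}},
            # No SecurityGroupEgress: CloudFormation then creates an allow-all outbound rule.
        "OpenV6": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": {"Ref": "AppSg"}, "IpProtocol": "-1", "CidrIpv6": "::/0"}},
        "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "Size": 100, "AvailabilityZone": "us-east-1a"}},   # Encrypted not set
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},  # no BucketEncryption
        "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "postgres", "DBInstanceClass": "db.t3.medium", "AllocatedStorage": "20",
            "StorageEncrypted": {"Ref": "EncryptDb"}}},          # intrinsic, not a literal
    },
}

WORLD = {"0.0.0.0/0", "::/0"}
ENCRYPTION_FLAG = {"AWS::EC2::Volume": "Encrypted", "AWS::RDS::DBInstance": "StorageEncrypted"}


def _port(v: Any) -> Optional[int]:
    try:
        return int(v)
    except (TypeError, ValueError):  # missing, or an intrinsic function such as {"Ref": ...}
        return None


def _describe(rule: dict) -> str:
    proto = str(rule.get("IpProtocol", "-1"))
    if proto == "-1":
        return "all protocols"
    lo, hi = _port(rule.get("FromPort")), _port(rule.get("ToPort"))
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def _world_open(rule: dict) -> Optional[str]:
    """The world CIDR a rule is open to, or None if the source is restricted."""
    for key in ("CidrIp", "CidrIpv6"):
        if rule.get(key) in WORLD:
            return rule[key]
    return None


def _documented_exception(rule: dict, allowed_public_ports: frozenset) -> bool:
    """A single TCP port on the allow-list is treated as a documented SC-7 (4)(d) exception."""
    lo, hi = _port(rule.get("FromPort")), _port(rule.get("ToPort"))
    return str(rule.get("IpProtocol")) in ("tcp", "6") and lo == hi and lo in allowed_public_ports


def check_boundary(template: dict, allowed_public_ports: frozenset = frozenset()) -> list:
    """SC-7 (5): world-open ingress outside the allow-list, and implicit allow-all egress, are findings."""
    findings = []
    for name, res in template["Resources"].items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
            if "SecurityGroupEgress" not in props:
                findings.append(f"{name}: no explicit egress rules, so outbound is allow-all by default")
        elif res["Type"] == "AWS::EC2::SecurityGroupIngress":
            rules = [props]  # standalone rule attached to a group defined elsewhere
        else:
            continue
        for rule in rules:
            cidr = _world_open(rule)
            if cidr and not _documented_exception(rule, allowed_public_ports):
                findings.append(f"{name}: ingress {_describe(rule)} open to {cidr}")
    return findings


def check_at_rest(template: dict) -> list:
    """SC-28 (1): storage resources must request encryption with a literal true."""
    findings = []
    for name, res in template["Resources"].items():
        props = res.get("Properties", {})
        flag = ENCRYPTION_FLAG.get(res["Type"])
        if flag:
            value = props.get(flag)
            if isinstance(value, dict):  # Ref/Fn::If etc.: cannot be judged statically
                findings.append(f"{name}: {flag} is an intrinsic function {value}; verify it cannot resolve to false")
            elif value is not True and str(value).lower() != "true":
                findings.append(f"{name}: {flag} is not set to true")
        elif res["Type"] == "AWS::S3::Bucket":
            rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
            if not any("ServerSideEncryptionByDefault" in r for r in rules):
                findings.append(f"{name}: no default server-side encryption configured")
    return findings


if __name__ == "__main__":
    for finding in check_boundary(TEMPLATE, frozenset({443})) + check_at_rest(TEMPLATE):
        print(finding)
```

Two design points matter in practice. A parameterized `Encrypted: {"Ref": ...}` cannot be judged from the template alone, so it is reported for review rather than silently passed; and a security group with no `SecurityGroupEgress` is flagged because CloudFormation supplies an allow-all outbound rule in that case, which is the opposite of deny-by-default. The template is embedded as a dict so the example runs offline; a JSON template can be fed in with `json.load`, while YAML templates need a loader that understands the short-form `!Ref`-style tags.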
SYSTEM AND COMMUNICATIONS PROTECTION | SC-29 | SC-29 | HETEROGENEITY | The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system. | P0
SYSTEM AND COMMUNICATIONS PROTECTION | SC-29 (1) | SC-29 (1) | VIRTUALIZATION TECHNIQUES | The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 | SC-30 | CONCEALMENT AND MISDIRECTION | The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries. | P0
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 (1) | SC-30 (1) | VIRTUALIZATION TECHNIQUES | [Withdrawn: Incorporated into SC-29 (1)]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 (2) | SC-30 (2) | RANDOMNESS | The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 (3) | SC-30 (3) | CHANGE PROCESSING / STORAGE LOCATIONS | The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 (4) | SC-30 (4) | MISLEADING INFORMATION | The organization employs realistic, but misleading information in [Assignment: organization-defined information system components] with regard to its security state or posture. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 (5) | SC-30 (5) | CONCEALMENT OF SYSTEM COMPONENTS | The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-31 | SC-31b | COVERT CHANNEL ANALYSIS | Estimates the maximum bandwidth of those channels. | P0
SYSTEM AND COMMUNICATIONS PROTECTION | SC-31 (1) | SC-31 (1) | TEST COVERT CHANNELS FOR EXPLOITABILITY | The organization tests a subset of the identified covert channels to determine which channels are exploitable. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-31 (2) | SC-31 (2) | MAXIMUM BANDWIDTH | The organization reduces the maximum bandwidth for identified covert [Selection (one or more); storage; timing] channels to [Assignment: organization-defined values]. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-31 (3) | SC-31 (3) | MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS | The organization measures the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-32 | SC-32 | INFORMATION SYSTEM PARTITIONING | The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components]. | P0
SYSTEM AND COMMUNICATIONS PROTECTION | SC-34 (2) | SC-34 (2) | INTEGRITY PROTECTION / READ-ONLY MEDIA | The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media. |
SYSTEM AND COMMUNICATIONS PROTECTION | SC-35 | SC-35 | HONEYCLIENTS | The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code. | P0
SYSTEM AND COMMUNICATIONS PROTECTION | SC-36 | SC-36 | DISTRIBUTED PROCESSING AND STORAGE | The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations. | P0
SYSTEM AND SC-36 SC-36 DISTRIBUTED The organization distributes [Assignment: P0
### COMMUNICATIONS PROCESSING AND organization-defined processing and storage]
PROTECTION STORAGE across multiple physical locations.
SYSTEM AND SC-36 (1) SC-36 (1) POLLING The organization employs polling techniques to
COMMUNICATIONS TECHNIQUES identify potential faults, errors, or compromises
PROTECTION to [Assignment: organization-defined distributed
### processing and storage components].
SYSTEM AND SC-37 (1) SC-37 (1) ENSURE DELIVERY / The organization employs [Assignment:
COMMUNICATIONS TRANSMISSION organization-defined security safeguards] to
PROTECTION ensure that only [Assignment: organization-
defined individuals or information systems]
### receive the [Assignment: organization-defined
information, information system components, or
devices].
SYSTEM AND SC-39 (1) SC-39 (1) HARDWARE The information system implements underlying
### COMMUNICATIONS SEPARATION hardware separation mechanisms to facilitate
PROTECTION process separation.
SYSTEM AND SC-39 (2) SC-39 (2) THREAD ISOLATION The information system maintains a separate
COMMUNICATIONS execution domain for each thread in
### PROTECTION [Assignment: organization-defined multi-
threaded processing].
SYSTEM AND SC-40 SC-40 WIRELESS LINK The information system protects external and P0
COMMUNICATIONS PROTECTION internal [Assignment: organization-defined
PROTECTION wireless links] from [Assignment: organization-
### defined types of signal parameter attacks or
references to sources for such attacks].
SYSTEM AND SC-40 (1) SC-40 (1) ELECTROMAGNETIC The information system implements
COMMUNICATIONS INTERFERENCE cryptographic mechanisms that achieve
PROTECTION [Assignment: organization-defined level of
### protection] against the effects of intentional
electromagnetic interference.
SYSTEM AND SC-40 (2) SC-40 (2) REDUCE DETECTION The information system implements
COMMUNICATIONS POTENTIAL cryptographic mechanisms to reduce the
PROTECTION detection potential of wireless links to
### [Assignment: organization-defined level of
reduction].
SYSTEM AND SC-40 (3) SC-40 (3) IMITATIVE OR The information system implements
COMMUNICATIONS MANIPULATIVE cryptographic mechanisms to identify and reject
PROTECTION COMMUNICATIONS wireless transmissions that are deliberate
### DECEPTION attempts to achieve imitative or manipulative
communications deception based on signal
parameters.
SYSTEM AND SC-40 (4) SC-40 (4) SIGNAL PARAMETER The information system implements
COMMUNICATIONS IDENTIFICATION cryptographic mechanisms to prevent the
PROTECTION identification of [Assignment: organization-
### defined wireless transmitters] by using the
transmitter signal parameters.
SYSTEM AND SC-41 SC-41 PORT AND I/O DEVICE The organization physically disables or removes P0
COMMUNICATIONS ACCESS [Assignment: organization-defined connection
PROTECTION ports or input/output devices] on [Assignment:
### organization-defined information systems or
information system components].
SYSTEM AND SC-42 SC-42b SENSOR CAPABILITY Provides an explicit indication of sensor use to P0
### COMMUNICATIONS AND DATA [Assignment: organization-defined class of
PROTECTION users].
SYSTEM AND SC-42 (1) SC-42 (1) REPORTING TO The organization ensures that the information
COMMUNICATIONS AUTHORIZED system is configured so that data or information
PROTECTION INDIVIDUALS OR collected by the [Assignment: organization-
### ROLES defined sensors] is only reported to authorized
individuals or roles.
SYSTEM AND SC-42 (2) SC-42 (2) AUTHORIZED USE The organization employs the following
COMMUNICATIONS measures: [Assignment: organization-defined
PROTECTION measures], so that data or information collected
### by [Assignment: organization-defined sensors] is
only used for authorized purposes.
SYSTEM AND SC-42 (3) SC-42 (3) PROHIBIT USE OF The organization prohibits the use of devices
COMMUNICATIONS DEVICES possessing [Assignment: organization-defined
PROTECTION environmental sensing capabilities] in
### [Assignment: organization-defined facilities,
areas, or systems].
SYSTEM AND SC-43 SC-43b USAGE RESTRICTIONS Authorizes, monitors, and controls the use of P0
### COMMUNICATIONS such components within the information system.
PROTECTION
SYSTEM AND SC-44 SC-44 DETONATION The organization employs a detonation chamber P0
COMMUNICATIONS CHAMBERS capability within [Assignment: organization-
### PROTECTION defined information system, system component,
or location].
SECURITY SE-1 SE-1 Inventory of Privacy Control. Refer to NIST SP 800-53 (Rev. 4)
Personally Appendix J
### Identifiable
Information
SECURITY SE-2 SE-2 Privacy Incident Privacy Control. Refer to NIST SP 800-53 (Rev. 4)
### Response Appendix J
SYSTEM AND SI-1 SI-1 SYSTEM AND The organization: P1
INFORMATION INFORMATION
### INTEGRITY INTEGRITY POLICY
AND PROCEDURES
SYSTEM AND SI-1 SI-1a SYSTEM AND Develops, documents, and disseminates to P1
INFORMATION INFORMATION [Assignment: organization-defined personnel or
### INTEGRITY INTEGRITY POLICY roles]:
AND PROCEDURES
SYSTEM AND SC-1 SI-1a.1 SYSTEM AND A system and information integrity policy that P1
INFORMATION INFORMATION addresses purpose, scope, roles, responsibilities,
INTEGRITY INTEGRITY POLICY management commitment, coordination among
### AND PROCEDURES organizational entities, and compliance; and
SYSTEM AND SC-1 SI-1a.2 SYSTEM AND Procedures to facilitate the implementation of P1
INFORMATION INFORMATION the system and information integrity policy and
### INTEGRITY INTEGRITY POLICY associated system and information integrity
AND PROCEDURES controls; and
SYSTEM AND SI-1 SI-1b SYSTEM AND Reviews and updates the current: P1
INFORMATION INFORMATION
INTEGRITY INTEGRITY POLICY
AND PROCEDURES
###
SYSTEM AND SC-1 SI-1b.1 SYSTEM AND System and information integrity policy P1
INFORMATION INFORMATION [Assignment: organization-defined frequency];
### INTEGRITY INTEGRITY POLICY and
AND PROCEDURES
SYSTEM AND SC-1 SI-1b.2 SYSTEM AND System and information integrity procedures P1
INFORMATION INFORMATION [Assignment: organization-defined frequency].
### INTEGRITY INTEGRITY POLICY
AND PROCEDURES
SYSTEM AND SI-2 SI-2 FLAW REMEDIATION The organization: P1
INFORMATION
INTEGRITY
###
SYSTEM AND SI-2 SI-2a FLAW REMEDIATION Identifies, reports, and corrects information P1
INFORMATION system flaws;
INTEGRITY
###
SYSTEM AND SI-2 SI-2b FLAW REMEDIATION Tests software and firmware updates related to P1
INFORMATION flaw remediation for effectiveness and potential
INTEGRITY side effects before installation;
###
SYSTEM AND SI-2 SI-2c FLAW REMEDIATION Installs security-relevant software and firmware P1
INFORMATION updates within [Assignment: organization-
INTEGRITY defined time period] of the release of the
updates; and
###
SYSTEM AND SI-2 SI-2d FLAW REMEDIATION Incorporates flaw remediation into the P1
INFORMATION organizational configuration management
INTEGRITY process.
###
SYSTEM AND SI-2 (1) SI-2 (1) CENTRAL The organization centrally manages the flaw
### INFORMATION MANAGEMENT remediation process.
INTEGRITY
SYSTEM AND SI-2 (2) SI-2 (2) AUTOMATED FLAW The organization employs automated
INFORMATION REMEDIATION mechanisms [Assignment: organization-defined
INTEGRITY STATUS frequency] to determine the state of information
### system components with regard to flaw
remediation.
SYSTEM AND SI-2 (3) SI-2 (3) TIME TO REMEDIATE The organization:
INFORMATION FLAWS /
INTEGRITY BENCHMARKS FOR
### CORRECTIVE ACTIONS
SYSTEM AND SI-2 (3) SI-2 (3)(a) TIME TO REMEDIATE Measures the time between flaw identification
INFORMATION FLAWS / and flaw remediation; and
INTEGRITY BENCHMARKS FOR
### CORRECTIVE ACTIONS
SYSTEM AND SI-2 (3) SI-2 (3)(b) TIME TO REMEDIATE Establishes [Assignment: organization-defined
INFORMATION FLAWS / benchmarks] for taking corrective actions.
INTEGRITY BENCHMARKS FOR
### CORRECTIVE ACTIONS
SYSTEM AND SI-2 (4) SI-2 (4) AUTOMATED PATCH [Withdrawn: Incorporated into SI-2].
### INFORMATION MANAGEMENT
INTEGRITY TOOLS
SYSTEM AND SI-2 (5) SI-2 (5) AUTOMATIC The organization installs [Assignment:
INFORMATION SOFTWARE / organization-defined security-relevant software
INTEGRITY FIRMWARE UPDATES and firmware updates] automatically to
### [Assignment: organization-defined information
system components].
SYSTEM AND SI-2 (6) SI-2 (6) REMOVAL OF The organization removes [Assignment:
INFORMATION PREVIOUS VERSIONS organization-defined software and firmware
### INTEGRITY OF SOFTWARE / components] after updated versions have been
FIRMWARE installed.
###
SYSTEM AND SI-3 SI-3a TIME TO REMEDIATE Employs malicious code protection mechanisms
INFORMATION FLAWS / at information system entry and exit points to
INTEGRITY BENCHMARKS FOR detect and eradicate malicious code;
CORRECTIVE ACTIONS
###
SYSTEM AND SI-3 SI-3b TIME TO REMEDIATE Updates malicious code protection mechanisms
INFORMATION FLAWS / whenever new releases are available in
INTEGRITY BENCHMARKS FOR accordance with organizational configuration
CORRECTIVE ACTIONS management policy and procedures;
###
SYSTEM AND SI-3 SI-3c TIME TO REMEDIATE Configures malicious code protection
INFORMATION FLAWS / mechanisms to:
INTEGRITY BENCHMARKS FOR
CORRECTIVE ACTIONS
###
SYSTEM AND SI-3 SI-3c.1 TIME TO REMEDIATE Perform periodic scans of the information
INFORMATION FLAWS / system [Assignment: organization-defined
INTEGRITY BENCHMARKS FOR frequency] and real-time scans of files from
CORRECTIVE ACTIONS external sources at [Selection (one or more);
endpoint; network entry/exit points] as the files
are downloaded, opened, or executed in
accordance with organizational security policy;
and
###
SYSTEM AND SI-3 SI-3c.2 TIME TO REMEDIATE [Selection (one or more): block malicious code;
INFORMATION FLAWS / quarantine malicious code; send alert to
INTEGRITY BENCHMARKS FOR administrator; [Assignment: organization-defined
CORRECTIVE ACTIONS action]] in response to malicious code detection;
and
###
SYSTEM AND SI-3 SI-3d TIME TO REMEDIATE Addresses the receipt of false positives during
INFORMATION FLAWS / malicious code detection and eradication and the
INTEGRITY BENCHMARKS FOR resulting potential impact on the availability of
CORRECTIVE ACTIONS the information system.
###
SYSTEM AND SI-3 (1) SI-3 (1) CENTRAL The organization centrally manages malicious
### INFORMATION MANAGEMENT code protection mechanisms.
INTEGRITY
SYSTEM AND SI-3 (2) SI-3 (2) AUTOMATIC The information system automatically updates
### INFORMATION UPDATES malicious code protection mechanisms.
INTEGRITY
SYSTEM AND SI-3 (3) SI-3 (3) NON-PRIVILEGED [Withdrawn: Incorporated into AC-6 (10)].
### INFORMATION USERS
INTEGRITY
SYSTEM AND SI-3 (4) SI-3 (4) UPDATES ONLY BY The information system updates malicious code
### INFORMATION PRIVILEGED USERS protection mechanisms only when directed by a
INTEGRITY privileged user.
SYSTEM AND SI-3 (5) SI-3 (5) PORTABLE STORAGE [Withdrawn: Incorporated into MP-7].
### INFORMATION DEVICES
INTEGRITY
SYSTEM AND SI-3 (6) SI-3 (6) TESTING / The organization:
### INFORMATION VERIFICATION
INTEGRITY
SYSTEM AND SI-3 (6) SI-3 (6)(a) TESTING / Tests malicious code protection mechanisms
INFORMATION VERIFICATION [Assignment: organization-defined frequency] by
### INTEGRITY introducing a known benign, non-spreading test
case into the information system; and
SYSTEM AND SI-3 (6) SI-3 (6)(b) TESTING / Verifies that both detection of the test case and
### INFORMATION VERIFICATION associated incident reporting occur.
INTEGRITY
SYSTEM AND SI-3 (7) SI-3 (7) NONSIGNATURE- The information system implements
### INFORMATION BASED DETECTION nonsignature-based malicious code detection
INTEGRITY mechanisms.
SYSTEM AND SI-3 (8) SI-3 (8) DETECT The information system detects [Assignment:
INFORMATION UNAUTHORIZED organization-defined unauthorized operating
INTEGRITY COMMANDS system commands] through the kernel
application programming interface at
[Assignment: organization-defined information
### system hardware components] and [Selection
(one or more): issues a warning; audits the
command execution; prevents the execution of
the command].
SYSTEM AND SI-3 (9) SI-3 (9) AUTHENTICATE The information system implements
INFORMATION REMOTE COMMANDS [Assignment: organization-defined security
### INTEGRITY safeguards] to authenticate [Assignment:
organization-defined remote commands].
SYSTEM AND SI-3 (10) SI-3 (10) MALICIOUS CODE The organization:
### INFORMATION ANALYSIS
INTEGRITY
SYSTEM AND SI-3 (10) SI-3 (10)(a) MALICIOUS CODE Employs [Assignment: organization-defined tools
INFORMATION ANALYSIS and techniques] to analyze the characteristics
### INTEGRITY and behavior of malicious code; and
SYSTEM AND SI-3 (10) SI-3 (10)(b) MALICIOUS CODE Incorporates the results from malicious code
### INFORMATION ANALYSIS analysis into organizational incident response
INTEGRITY and flaw remediation processes.
SYSTEM AND SI-4 SI-4 INFORMATION The organization: P1
INFORMATION SYSTEM
INTEGRITY MONITORING
###
SYSTEM AND SI-4 SI-4a INFORMATION Monitors the information system to detect: P1
INFORMATION SYSTEM
INTEGRITY MONITORING
###
SYSTEM AND SI-4 SI-4a.1 INFORMATION Attacks and indicators of potential attacks in P1
INFORMATION SYSTEM accordance with [Assignment: organization-
INTEGRITY MONITORING defined monitoring objectives]; and
###
SYSTEM AND SI-4 SI-4a.2 INFORMATION Unauthorized local, network, and remote P1
INFORMATION SYSTEM connections;
INTEGRITY MONITORING
###
SYSTEM AND SI-4 SI-4b INFORMATION Identifies unauthorized use of the information P1
INFORMATION SYSTEM system through [Assignment: organization-
INTEGRITY MONITORING defined techniques and methods];
###
SYSTEM AND SI-4 SI-4c INFORMATION Deploys monitoring devices: P1
INFORMATION SYSTEM
INTEGRITY MONITORING
###
SYSTEM AND SI-4 SI-4c.1 INFORMATION Strategically within the information system to P1
INFORMATION SYSTEM collect organization-determined essential
INTEGRITY MONITORING information; and
###
SYSTEM AND SI-4 SI-4c.2 INFORMATION At ad hoc locations within the system to track P1
INFORMATION SYSTEM specific types of transactions of interest to the
INTEGRITY MONITORING organization;
###
SYSTEM AND SI-4 SI-4d INFORMATION Protects information obtained from intrusion- P1
INFORMATION SYSTEM monitoring tools from unauthorized access,
INTEGRITY MONITORING modification, and deletion;
###
SYSTEM AND SI-4 SI-4e INFORMATION Heightens the level of information system P1
INFORMATION SYSTEM monitoring activity whenever there is an
INTEGRITY MONITORING indication of increased risk to organizational
operations and assets, individuals, other
organizations, or the Nation based on law
enforcement information, intelligence
information, or other credible sources of
information;
###
SYSTEM AND SI-4 SI-4f INFORMATION Obtains legal opinion with regard to information P1
INFORMATION SYSTEM system monitoring activities in accordance with
INTEGRITY MONITORING applicable federal laws, Executive Orders,
directives, policies, or regulations; and
###
SYSTEM AND SI-4 SI-4g INFORMATION Provides [Assignment: organization-defined P1
INFORMATION SYSTEM information system monitoring information] to
INTEGRITY MONITORING [Assignment: organization-defined personnel or
roles] [Selection (one or more): as needed;
[Assignment: organization-defined frequency]].
###
SYSTEM AND SI-4 (1) SI-4 (1) SYSTEM-WIDE The organization connects and configures
INFORMATION INTRUSION individual intrusion detection tools into an
INTEGRITY DETECTION SYSTEM information system-wide intrusion detection
### system.
SYSTEM AND SI-4 (2) SI-4 (2) AUTOMATED TOOLS The organization employs automated tools to
### INFORMATION FOR REAL-TIME support near real-time analysis of events.
INTEGRITY ANALYSIS
SYSTEM AND SI-4 (3) SI-4 (3) AUTOMATED TOOL The organization employs automated tools to
INFORMATION INTEGRATION integrate intrusion detection tools into access
INTEGRITY control and flow control mechanisms for rapid
### response to attacks by enabling reconfiguration
of these mechanisms in support of attack
isolation and elimination.
SYSTEM AND SI-4 (4) SI-4 (4) INBOUND AND The information system monitors inbound and
INFORMATION OUTBOUND outbound communications traffic [Assignment:
INTEGRITY COMMUNICATIONS organization-defined frequency] for unusual or
### TRAFFIC unauthorized activities or conditions.
SYSTEM AND SI-4 (5) SI-4 (5) SYSTEM-GENERATED The information system alerts [Assignment:
INFORMATION ALERTS organization-defined personnel or roles] when
INTEGRITY the following indications of compromise or
### potential compromise occur: [Assignment:
organization-defined compromise indicators].
SYSTEM AND SI-4 (6) SI-4 (6) RESTRICT NON- [Withdrawn: Incorporated into AC-6 (10)].
### INFORMATION PRIVILEGED USERS
INTEGRITY
SYSTEM AND SI-4 (7) SI-4 (7) AUTOMATED The information system notifies [Assignment:
INFORMATION RESPONSE TO organization-defined incident response
INTEGRITY SUSPICIOUS EVENTS personnel (identified by name and/or by role)] of
detected suspicious events and takes
### [Assignment: organization-defined least-
disruptive actions to terminate suspicious
events].
SYSTEM AND SI-4 (8) SI-4 (8) PROTECTION OF [Withdrawn: Incorporated into SI-4].
### INFORMATION MONITORING
INTEGRITY INFORMATION
SYSTEM AND SI-4 (9) SI-4 (9) TESTING OF The organization tests intrusion-monitoring tools
### INFORMATION MONITORING TOOLS [Assignment: organization-defined frequency].
INTEGRITY
SYSTEM AND SI-4 (10) SI-4 (10) VISIBILITY OF The organization makes provisions so that
INFORMATION ENCRYPTED [Assignment: organization-defined encrypted
INTEGRITY COMMUNICATIONS communications traffic] is visible to [Assignment:
### organization-defined information system
monitoring tools].
SYSTEM AND SI-4 (11) SI-4 (11) ANALYZE The organization analyzes outbound
INFORMATION COMMUNICATIONS communications traffic at the external boundary
INTEGRITY TRAFFIC ANOMALIES of the information system and selected
[Assignment: organization-defined interior points
### within the system (e.g., subnetworks,
subsystems)] to discover anomalies.
SYSTEM AND SI-4 (12) SI-4 (12) AUTOMATED ALERTS The organization employs automated
INFORMATION mechanisms to alert security personnel of the
INTEGRITY following inappropriate or unusual activities with
### security implications: [Assignment: organization-
defined activities that trigger alerts].
SYSTEM AND SI-4 (13) SI-4 (13) ANALYZE TRAFFIC / The organization:
### INFORMATION EVENT PATTERNS
INTEGRITY
SYSTEM AND SI-4 (13) SI-4 (13)(a) ANALYZE TRAFFIC / Analyzes communications traffic/event patterns
### INFORMATION EVENT PATTERNS for the information system;
INTEGRITY
SYSTEM AND SI-4 (13) SI-4 (13)(b) ANALYZE TRAFFIC / Develops profiles representing common traffic
### INFORMATION EVENT PATTERNS patterns and/or events; and
INTEGRITY
SYSTEM AND SI-4 (13) SI-4 (13)(c) ANALYZE TRAFFIC / Uses the traffic/event profiles in tuning system-
INFORMATION EVENT PATTERNS monitoring devices to reduce the number of
### INTEGRITY false positives and the number of false negatives.
SYSTEM AND SI-4 (14) SI-4 (14) WIRELESS INTRUSION The organization employs a wireless intrusion
INFORMATION DETECTION detection system to identify rogue wireless
INTEGRITY devices and to detect attack attempts and
### potential compromises/breaches to the
information system.
SYSTEM AND SI-4 (15) SI-4 (15) WIRELESS TO The organization employs an intrusion detection
INFORMATION WIRELINE system to monitor wireless communications
### INTEGRITY COMMUNICATIONS traffic as the traffic passes from wireless to
wireline networks.
SYSTEM AND SI-4 (16) SI-4 (16) CORRELATE The organization correlates information from
INFORMATION MONITORING monitoring tools employed throughout the
INTEGRITY INFORMATION information system.
###
SYSTEM AND SI-4 (17) SI-4 (17) INTEGRATED The organization correlates information from
INFORMATION SITUATIONAL monitoring physical, cyber, and supply chain
### INTEGRITY AWARENESS activities to achieve integrated, organization-
wide situational awareness.
SYSTEM AND SI-4 (18) SI-4 (18) ANALYZE TRAFFIC / The organization analyzes outbound
INFORMATION COVERT communications traffic at the external boundary
INTEGRITY EXFILTRATION of the information system (i.e., system
perimeter) and at [Assignment: organization-
### defined interior points within the system (e.g.,
subsystems, subnetworks)] to detect covert
exfiltration of information.
SYSTEM AND SI-4 (19) SI-4 (19) INDIVIDUALS POSING The organization implements [Assignment:
INFORMATION GREATER RISK organization-defined additional monitoring] of
INTEGRITY individuals who have been identified by
### [Assignment: organization-defined sources] as
posing an increased level of risk.
SYSTEM AND SI-4 (20) SI-4 (20) PRIVILEGED USERS The organization implements [Assignment:
### INFORMATION organization-defined additional monitoring] of
INTEGRITY privileged users.
SYSTEM AND SI-4 (21) SI-4 (21) PROBATIONARY The organization implements [Assignment:
INFORMATION PERIODS organization-defined additional monitoring] of
### INTEGRITY individuals during [Assignment: organization-
defined probationary period].
SYSTEM AND SI-4 (22) SI-4 (22) UNAUTHORIZED The information system detects network services
INFORMATION NETWORK SERVICES that have not been authorized or approved by
INTEGRITY [Assignment: organization-defined authorization
or approval processes] and [Selection (one or
### more): audits; alerts [Assignment: organization-
defined personnel or roles]].
SYSTEM AND SI-4 (23) SI-4 (23) HOST-BASED DEVICES The organization implements [Assignment:
INFORMATION organization-defined host-based monitoring
### INTEGRITY mechanisms] at [Assignment: organization-
defined information system components].
SYSTEM AND SI-4 (24) SI-4 (24) INDICATORS OF The information system discovers, collects,
### INFORMATION COMPROMISE distributes, and uses indicators of compromise.
INTEGRITY
SYSTEM AND SI-5 SI-5 SECURITY ALERTS, The organization: P1
INFORMATION ADVISORIES, AND
INTEGRITY DIRECTIVES
###
SYSTEM AND SI-5 SI-5a SECURITY ALERTS, Receives information system security alerts, P1
INFORMATION ADVISORIES, AND advisories, and directives from [Assignment:
INTEGRITY DIRECTIVES organization-defined external organizations] on
an ongoing basis;
###
SYSTEM AND SI-5 SI-5b SECURITY ALERTS, Generates internal security alerts, advisories, P1
INFORMATION ADVISORIES, AND and directives as deemed necessary;
INTEGRITY DIRECTIVES
###
SYSTEM AND SI-5 SI-5c SECURITY ALERTS, Disseminates security alerts, advisories, and P1
INFORMATION ADVISORIES, AND directives to: [Selection (one or more):
INTEGRITY DIRECTIVES [Assignment: organization-defined personnel or
roles]; [Assignment: organization-defined
elements within the organization]; [Assignment:
### organization-defined external organizations]];
and
SYSTEM AND SI-5 SI-5d SECURITY ALERTS, Implements security directives in accordance P1
INFORMATION ADVISORIES, AND with established time frames, or notifies the
INTEGRITY DIRECTIVES issuing organization of the degree of
noncompliance.
###
SYSTEM AND SI-5 (1) SI-5 (1) AUTOMATED ALERTS The organization employs automated
INFORMATION AND ADVISORIES mechanisms to make security alert and advisory
### INTEGRITY information available throughout the
organization.
SYSTEM AND SI-6 SI-6d SECURITY FUNCTION [Selection (one or more): shuts the information P1
INFORMATION VERIFICATION system down; restarts the information system;
INTEGRITY [Assignment: organization-defined alternative
### action(s)]] when anomalies are discovered.
SYSTEM AND SI-6 (1) SI-6 (1) NOTIFICATION OF [Withdrawn: Incorporated into SI-6].
### INFORMATION FAILED SECURITY
INTEGRITY TESTS
SYSTEM AND SI-6 (2) SI-6 (2) AUTOMATION The information system implements automated
INFORMATION SUPPORT FOR mechanisms to support the management of
### INTEGRITY DISTRIBUTED distributed security testing.
TESTING
SYSTEM AND SI-6 (3) SI-6 (3) REPORT The organization reports the results of security
### INFORMATION VERIFICATION function verification to [Assignment:
INTEGRITY RESULTS organization-defined personnel or roles].
SYSTEM AND SI-7 SI-7 SOFTWARE, The organization employs integrity verification P1
INFORMATION FIRMWARE, AND tools to detect unauthorized changes to
### INTEGRITY INFORMATION [Assignment: organization-defined software,
INTEGRITY firmware, and information].
SYSTEM AND SI-7 (1) SI-7 (1) INTEGRITY CHECKS The information system performs an integrity
INFORMATION check of [Assignment: organization-defined
INTEGRITY software, firmware, and information] [Selection
(one or more): at startup; at [Assignment:
organization-defined transitional states or
### security-relevant events]; [Assignment:
organization-defined frequency]].
SYSTEM AND SI-7 (2) SI-7 (2) AUTOMATED The organization employs automated tools that
INFORMATION NOTIFICATIONS OF provide notification to [Assignment:
INTEGRITY INTEGRITY organization-defined personnel or roles] upon
### VIOLATIONS discovering discrepancies during integrity
verification.
SYSTEM AND SI-7 (3) SI-7 (3) CENTRALLY- The organization employs centrally managed
### INFORMATION MANAGED INTEGRITY integrity verification tools.
INTEGRITY TOOLS
SYSTEM AND SI-7 (4) SI-7 (4) TAMPER-EVIDENT [Withdrawn: Incorporated into SA-12].
### INFORMATION PACKAGING
INTEGRITY
SYSTEM AND SI-7 (5) SI-7 (5) AUTOMATED The information system automatically [Selection
INFORMATION RESPONSE TO (one or more): shuts the information system
INTEGRITY INTEGRITY down; restarts the information system;
### VIOLATIONS implements [Assignment: organization-defined
security safeguards]] when integrity violations
are discovered.
SYSTEM AND SI-7 (6) SI-7 (6) CRYPTOGRAPHIC The information system implements
INFORMATION PROTECTION cryptographic mechanisms to detect
### INTEGRITY unauthorized changes to software, firmware, and
information.
SYSTEM AND SI-7 (7) SI-7 (7) INTEGRATION OF The organization incorporates the detection of
INFORMATION DETECTION AND unauthorized [Assignment: organization-defined
INTEGRITY RESPONSE security-relevant changes to the information
### system] into the organizational incident response
capability.
SYSTEM AND SI-7 (8) SI-7 (8) AUDITING CAPABILITY The information system, upon detection of a
INFORMATION FOR SIGNIFICANT potential integrity violation, provides the
INTEGRITY EVENTS capability to audit the event and initiates the
following actions: [Selection (one or more):
generates an audit record; alerts current user;
### alerts [Assignment: organization-defined
personnel or roles]; [Assignment: organization-
defined other actions]].
SYSTEM AND SI-7 (9) SI-7 (9) VERIFY BOOT The information system verifies the integrity of
### INFORMATION PROCESS the boot process of [Assignment: organization-
INTEGRITY defined devices].
SYSTEM AND SI-7 (10) SI-7 (10) PROTECTION OF The information system implements
INFORMATION BOOT FIRMWARE [Assignment: organization-defined security
INTEGRITY safeguards] to protect the integrity of boot
### firmware in [Assignment: organization-defined
devices].
SYSTEM AND SI-7 (11) SI-7 (11) CONFINED The organization requires that [Assignment:
INFORMATION ENVIRONMENTS organization-defined user-installed software]
### INTEGRITY WITH LIMITED execute in a confined physical or virtual machine
PRIVILEGES environment with limited privileges.
SYSTEM AND SI-7 (12) SI-7 (12) INTEGRITY The organization requires that the integrity of
INFORMATION VERIFICATION [Assignment: organization-defined user-installed
### INTEGRITY software] be verified prior to execution.
SYSTEM AND SI-7 (13) SI-7 (13) CODE EXECUTION IN The organization allows execution of binary or
INFORMATION PROTECTED machine-executable code obtained from sources
INTEGRITY ENVIRONMENTS with limited or no warranty and without the
provision of source code only in confined
physical or virtual machine environments and
### with the explicit approval of [Assignment:
organization-defined personnel or roles].
SYSTEM AND SI-7 (14) SI-7 (14) BINARY OR MACHINE The organization:
### INFORMATION EXECUTABLE CODE
INTEGRITY
SYSTEM AND SI-7 (14) SI-7 (14)(a) BINARY OR MACHINE Prohibits the use of binary or machine-
INFORMATION EXECUTABLE CODE executable code from sources with limited or no
### INTEGRITY warranty and without the provision of source
code; and
SYSTEM AND SI-7 (14) SI-7 (14)(b) BINARY OR MACHINE Provides exceptions to the source code
INFORMATION EXECUTABLE CODE requirement only for compelling
### INTEGRITY mission/operational requirements and with the
approval of the authorizing official.
SYSTEM AND SI-7 (15) SI-7 (15) CODE The information system implements
INFORMATION AUTHENTICATION cryptographic mechanisms to authenticate
### INTEGRITY [Assignment: organization-defined software or
firmware components] prior to installation.
SYSTEM AND SI-7 (16) SI-7 (16) TIME LIMIT ON The organization does not allow processes to
INFORMATION PROCESS EXECUTION execute without supervision for more than
### INTEGRITY W/O SUPERVISION [Assignment: organization-defined time period].
SYSTEM AND SI-8 SI-8 SPAM PROTECTION The organization: P2
INFORMATION
INTEGRITY
###
SYSTEM AND SI-8 SI-8a SPAM PROTECTION Employs spam protection mechanisms at P2
INFORMATION information system entry and exit points to
INTEGRITY detect and take action on unsolicited messages;
and
###
SYSTEM AND INFORMATION INTEGRITY | SI-8 | SI-8b | SPAM PROTECTION | Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. | P2
SYSTEM AND INFORMATION INTEGRITY | SI-8 (1) | SI-8 (1) | CENTRAL MANAGEMENT | The organization centrally manages spam protection mechanisms.
SYSTEM AND INFORMATION INTEGRITY | SI-8 (2) | SI-8 (2) | AUTOMATIC UPDATES | The information system automatically updates spam protection mechanisms.
SYSTEM AND INFORMATION INTEGRITY | SI-8 (3) | SI-8 (3) | CONTINUOUS LEARNING CAPABILITY | The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
SYSTEM AND INFORMATION INTEGRITY | SI-9 | SI-9 | INFORMATION INPUT RESTRICTIONS | [Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6].
SYSTEM AND INFORMATION INTEGRITY | SI-10 | SI-10 | INFORMATION INPUT VALIDATION | The information system checks the validity of [Assignment: organization-defined information inputs]. | P1
SYSTEM AND INFORMATION INTEGRITY | SI-10 (1) | SI-10 (1) | MANUAL OVERRIDE CAPABILITY | The information system:
SYSTEM AND INFORMATION INTEGRITY | SI-10 (1) | SI-10 (1)(a) | MANUAL OVERRIDE CAPABILITY | Provides a manual override capability for input validation of [Assignment: organization-defined inputs];
SYSTEM AND INFORMATION INTEGRITY | SI-10 (1) | SI-10 (1)(b) | MANUAL OVERRIDE CAPABILITY | Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and
SYSTEM AND INFORMATION INTEGRITY | SI-10 (1) | SI-10 (1)(c) | MANUAL OVERRIDE CAPABILITY | Audits the use of the manual override capability.
SYSTEM AND INFORMATION INTEGRITY | SI-10 (2) | SI-10 (2) | REVIEW / RESOLUTION OF ERRORS | The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period].
SYSTEM AND INFORMATION INTEGRITY | SI-10 (3) | SI-10 (3) | PREDICTABLE BEHAVIOR | The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
SYSTEM AND INFORMATION INTEGRITY | SI-10 (4) | SI-10 (4) | REVIEW / TIMING INTERACTIONS | The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs.
SYSTEM AND INFORMATION INTEGRITY | SI-10 (5) | SI-10 (5) | RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS | The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats].
SYSTEM AND INFORMATION INTEGRITY | SI-11 | SI-11b | ERROR HANDLING | Reveals error messages only to [Assignment: organization-defined personnel or roles]. | P2
SYSTEM AND INFORMATION INTEGRITY | SI-12 | SI-12 | INFORMATION HANDLING AND RETENTION | The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. | P2
SYSTEM AND INFORMATION INTEGRITY | SI-13 (2) | SI-13 (2) | TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION | [Withdrawn: Incorporated into SI-7 (16)].
SYSTEM AND INFORMATION INTEGRITY | SI-13 (3) | SI-13 (3) | MANUAL TRANSFER BETWEEN COMPONENTS | The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period].
SYSTEM AND INFORMATION INTEGRITY | SI-13 (4) | SI-13 (4) | STANDBY COMPONENT INSTALLATION / NOTIFICATION | The organization, if information system component failures are detected:
SYSTEM AND INFORMATION INTEGRITY | SI-13 (4) | SI-13 (4)(a) | STANDBY COMPONENT INSTALLATION / NOTIFICATION | Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
SYSTEM AND INFORMATION INTEGRITY | SI-13 (4) | SI-13 (4)(b) | STANDBY COMPONENT INSTALLATION / NOTIFICATION | [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
SYSTEM AND INFORMATION INTEGRITY | SI-13 (5) | SI-13 (5) | FAILOVER CAPABILITY | The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system.
SYSTEM AND INFORMATION INTEGRITY | SI-14 | SI-14 | NON-PERSISTENCE | The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]]. | P0
SYSTEM AND INFORMATION INTEGRITY | SI-14 (1) | SI-14 (1) | REFRESH FROM TRUSTED SOURCES | The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources].
SYSTEM AND INFORMATION INTEGRITY | SI-15 | SI-15 | INFORMATION OUTPUT FILTERING | The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content. | P0
TRANSPARENCY | TR-1 | TR-1 | Privacy Notice | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J
TRANSPARENCY | TR-2 | TR-2 | System of Records Notices and Privacy Act Statements | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J
TRANSPARENCY | TR-3 | TR-3 | Dissemination of Privacy Program Information | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J
USE LIMITATION | UL | UL | Use Limitation | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J
USE LIMITATION | UL-1 | UL-1 | Internal Use | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J
USE LIMITATION | UL-2 | UL-2 | Information Sharing with Third Parties | Privacy Control. Refer to NIST SP 800-53 (Rev. 4) Appendix J
CNSS Instruction 1253 Control Selection | FedRAMP Control Selection
Moderate
Moderate
Moderate
Moderate
High
Low
High
High
High
High
Low
Low
Low
Low
FedRAMP Defined Assignment / Selection Parameters
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
AC-1.b.2 [at least annually]
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X AC-2j [at least annually]
X X X X X X X X X X X X
X X X X X X X X
X X + X X + X X X X
X + + X + + X + + X X X
+ + + + + + X X
+ + + + + + X X
+ + + + + + X X
+ + + + + + X X
+ + + + + + X X
+ + + + + + X
X X X X
X + + X + + X X X
X + + X + + X X X
X + + X + + X X X
X + + X + + X X
X X X X X X X X X X X X
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
X X X X X X X X
X
X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X X X
X X + X X + X X X X
+ + + + + + X
+ + + + + + X
+ + + + + + X
+ + + + + + X
X X + X X + X X X X
X X + X X + X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X Parameter: See Additional
Requirements and Guidance.
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X Parameter: See Additional
Requirements and Guidance.
X X X X X X X X X X X X
X X X X X X X X X X X X
X + X + X + X X X [three (3) sessions for privileged
access and two (2) sessions for non-
privileged access]
X X + X X + X X X X
X X + X X + X X X X AC-11a. [fifteen minutes]
X X + X X + X X X X
X X + X X X X
X X X X X X X X
+ + + + X
+ + + + X
+ + + + X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
X X X X X X X X X X X X
X X X X X X X X X X
X X X X X X X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
+ + +
+ + + + + + X X [no greater than 15 minutes]
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X + X X + X X X X
+ + + + + + X
X + + X + + X X
X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X X X
+ + + + + +
X X X X X X
X X X X X X
X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
+ +
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X AT-3c. [Assignment: organization-
defined frequency]
+ + + + + + + + +
+ + + + + + + + + X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X AU-1.b.1 [at least every 3 years]
X X X X X X X X X X X X X X X AU-1.b.2 [at least annually]
X X X X X X X X X X X X
X X X X X X X X X X X X AU-2a. [Successful and unsuccessful
account logon events, account
management events, object access,
policy change, privilege functions,
process tracking, and system events.
For Web applications: all
administrator activity, authentication
checks, authorization checks, data
deletions, data access, data changes,
and permission changes];
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X AU-2d. [organization-defined subset of the auditable events defined in AU-2 a. to be audited continually for each identified event].
X X X X
X X X X X X X X X
+ + + + + + + + +
X X X X X X X X X
X X X X X X X X X
X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X + X X + X X X X
X X + X X + X X X X
+ + + + + + X
X X X X
X X X X
+ + + + + + X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X X
X X X X X X X X
X X X X X X X X
X X + X X X X
X X X X X X X X X X X X X X X
X X X X AU-9 (2). [at least weekly]
X X X
X X + X X + X X X X
X + X X
X X X X X X X X X AU-11. [at least ninety days]
+ + +
X X X X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X + + X X
X + + X + + X X
+ + + + + +
+ + + + + +
+ + + + + +
+ + +
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X CA-2d[individuals or roles to include
FedRAMP PMO]
+ + +
X X Boundary Protections which meet the
Trusted Internet Connection (TIC)
requirements
X X + X X + X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X
X
X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X + X X X X
X X X X X X
X X X X X X
X X X X X
X X X X X
X X + X X X X
X X + X X X X
X X + X X X X
X X + X X X X
X X + X X X X
X X + X X X X
X X + X X X X
X X + X X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X X X
+ + + X
+ + + X
X X X X X X X X X
X + X X
X X + X X X X
X + X X X
X + X X
X X X X
+ + + X X
+ + + X X
+ + +
X X X X X X X X X
X X X X X X X X X CM-6a. [See CM-6(a) Additional
FedRAMP Requirements and
Guidance]
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X + X X X
X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X CM-7. [United States Government
Configuration Baseline (USGCB)]
X X + X X + X X X X
+ + + + + +
X
X + + X + + X X X
X + + X + + X X X
X + + X + + X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X
X + + X X
X X + X X X X
X X + X X X X
X X X X
X X X X X X
X X + X X X X
X X + X X X X
X X + X X X X
X X + X X X X
X X + X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
+ + + X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X CM-11.c. [Continuously (via CM-7 (5))]
+ + X
+ + + + + +
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X
X X X X
X X X X X X
X X X
X X X
X X X X X X
X X X X X X X X X
X X X X X X X X X CP-3.a. [ 10 days]
X X X X X X X X X
X X X X X X X X X CP-3.c. [at least annually]
X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X
X X X
X X X
X X X
X X X X X X
X X X X X X
X X X X X X
X X X X X X
X X X
X X X X X X
X X X X X X X X X X
X X X X X X X X X X
X X X X X X X X X X
X X X X X X X X X X
X X X X X X
X X X X X X
X X X X X X
X X X
X X X X X X
X X X X X X
X X X X X X
X X X X X X
X X X X X X
X X X
X X X
X X X
X X X
X X X
X X X X X X X X X X X X X X X
X X X
X X X X
X + X X
X X X X X X X X X
X X X X X X X X
X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X + X X + X X X X
X X X X X X X X
X + X + X X
+ + + + + + X X
X X + X X + X X X X
X + X + X X
X X + X X + X X X X The information system implements
multifactor authentication for remote
access to privileged and non-
privileged accounts such that one of
the factors is provided by a device
separate from the system gaining
access and the device meets
[Assignment: organization-defined
strength of mechanism
requirements].
X X X X X X X X X X X X
X X + X X + X X X X
+ + + +
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X IA-5g. [to include sixty days for
passwords]
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X IA-5g. [to include sixty days for
passwords]
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
+ + + + + + X X
X X
+ + + X X
+ + + + + + X
X X X X X X X X X
+ + + + + + X
+ + + + + +
X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
+ +
+ +
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X
X X X X
X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X
+ + + + + + X
X + + X + + X + + X X
+ + + + + + + + + X
+ + + + + + + + +
+ + + + + + + + + X
X X X X X X X X X X X X X X X
X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X
+ + + + + + + + +
X X X X X X X X X X X X X X X
X X X X X X X X X X
+ + + + + + + + + X X
+ + + + + + + + + X X
+ + + + + + + + + X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X IR-8c. [at least annually]
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
+ + + X X
+ + + X X
+ + + X X
+ + + X X
+ + + X X
+ + + X X
+ + + X X
+ + + X X
+ + + X X
+ + X X
+ + + X X
+ + + + + +
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X MA-1.b.1 [at least every 3 years]
X X X X X X X X X X X X X X X MA-1.b.2 [at least annually]
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X
X X X X
X X X X
X X + X X X X
X X X X X X
X X + X X X X
X + + X X
X + + X X
X + + X X
X + + X X
X + + X X MA-3 (3) (d). [the information owner
explicitly authorizing removal of the
equipment from the facility]
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
+ +
+ +
+ +
X X X X X X
X + + X + + X X
X + + X + + X X
X + + X + + X X
+ + + + + + X
+ + +
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X
X X X X X X
X X X X X X
X X X X X X
X X X X X X
X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X
X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X X
X X X X X X X X X The organization: a. Sanitizes
[Assignment: organization-defined
information system media] prior to
disposal, release out of organizational
control, or release for reuse using
[Assignment: organization-defined
sanitization techniques and
procedures]
X X + X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X PE-1.b.1 [at least every 3 years]
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X PE-3a.2 [CSP defined physical access
control systems/devices AND guards]
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X + + X + + X X
X X X X X X X X
X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X PE-6b.[at least monthly]
X X X X X X X X X X X X X X X
X X X X X X X X X X
X X X X X
X X X X X X X X X X X X X X X
X X X X
X X X X X X
X X X X X X
X X X X X X
X X X X X X
X X X X X X
X X X X X X
X X X
X X X X X X X X X
X X X X X X X X X
X X X
X X X X
X X X X X X
+
X X X X X X X X X
X X X X X X X X X PE-14a. [consistent with American
Society of Heating, Refrigerating and
Air-conditioning Engineers (ASHRAE)
document entitled Thermal
Guidelines for Data Processing
Environments]
X X X X X X X X X PE-14b. [continuously]
X X
X X X X X X X X X
X X X
X X X X X X X X X X X X X X X PE-16. [all information system
components]
X X X X X X X X X X
X X X X X X X X X X
X X X X X X X X X X
X X X X X X X X X X
X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X
X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X
X X + X X + X X + X X X
X X + X X + X X + X X X X
X X + X X + X X + X X X X
X X + X X + X X + X X X X
X X + X X + X X + X X X X
+ + + + + + + + +
+ + + + + + + + +
+ + + + + + + + +
+ + + + + + + + +
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X PS-4.a. [same day]
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
+ + +
+ + +
+ + +
X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X PS-5. [within five days of the formal
transfer action (DoD 24 hours)]
X X X X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
+ + +
+ + +
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X RA-3e. [at least every three years or
when a significant change occurs]
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X + X X + X X + X X X X
X X + X X + X X + X X X X RA-5 (2). [prior to a new scan]
X X
X + + X + + X + + X X
X X
X X
+ + + X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X
+
+
+ + +
X X SA-4 (8). [at least the minimum
requirement as defined in control CA-
7]
X X + X X + X X + X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X + X X + X X + X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X SA-9c. [Federal/FedRAMP Continuous
Monitoring requirements must be
met for external systems where
Federal information is processed or
stored]
X X + X X X X
X X + X X X X SA-10a. [development,
implementation, AND operation]
X X + X X X X
X X + X X X X
X X + X X X X
X X + X X X X
+ + + X X
X X X X X X X X X X
X X X X X X X X X X
X X X X X X X X X X
X X X X X X X X X X
X X X X X X X X X X
X X X X X X X X X X
X X
X X
X X
X + + X + + X + + X X
+ + +
+ + +
+ + +
+ + +
+ + +
+ + +
X + + X + + X + + X X
X + + X + + X + + X X
X + + X + + X + + X X
X + + X + + X + + X X
X + + X + + X + + X X
X + + X + + X + + X X
X + + X + + X + + X X
+ + +
+ + +
+ + +
+ + +
+ + +
+
+
+ + +
X X X X X
X X X X X
X X X X X
X X X X X
X X X X X
+ + +
+ + +
+ + +
+ + +
+ + +
+ + +
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X
X X X X
X X X X X X
X X X X X X X
+ + +
+ +
+ +
+ +
+ +
X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X X X X X X X X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X
X X + X X + X X X X SC-7 (4). [at least annually]
X X + X X + X X X X
X X + X X + X X X X
X + + X + + X X X
+ + +
+ + +
+ + +
+ + + X
+ + +
+ + + + + + + + + X X
+ + + + + + X X
+ + + + + +
X X X X X X
X X X X
X X + X X + X X X X SC-8. [confidentiality AND integrity]
X X + X X + X X X X SC-8 (1). [prevent unauthorized
disclosure of information AND detect
changes to information] [a hardened
or alarmed carrier Protective
Distribution System (PDS)]
+ + + +
X X X X X X X X SC-10. [no longer than 30 minutes for
RAS-based sessions or no longer than
60 minutes for non-interactive user
sessions]
X X X X X X X X X X X X
X X X
X X
X X X X X X X X X X X X [FIPS-validated or NSA-approved
cryptography]
X X X X X X X X X
X X X X X X X X X SC-15a. [no exceptions]
X X X X X X X X X
X X + X X + X X X X
X X + X X X X
X X + X X X X
X X + X X X X
X X + X X X X
+ + +
+ + +
+ + +
+ + +
X X + X X + X X + X X X X
X X + X X + X X + X X X X
X X + X X + X X + X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X X X X X X X X X X X X X X X
X X + X X X X
+ + + X
+ + +
+ + +
X X X X
X X + X X + X X X X SC-28. [confidentiality AND integrity]
+ + + + + + X X
+ + + + + + + + +
X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X
X X X X X X X X X
X + + X X
+ + + X X
+ + + X X
+ + + X X
+ + +
X X X X X X X X X
X X X X X X X
X X X X X X X
X X X X X X X
X X X X X X X
X X + X X X X
X X + X X X X
X X
+ + +
+ + +
+ + +
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X
+ + + + + + + + + X X
X X X X X X X X X X
X X + X X + X X + X X X X
+ + + + + +
+ + + + + + + + + X
+ + + + + + + + +
+ + + + + + + + + X X
+ + + + + + + + +
+ + + + + + + + + X X
+ + + + + + + + + X
+ + + + + + + + + X
+ + + + + + + + + X
+ + + + + + + + + X X
X X X X X X X X X
X X X X X X X X X SI-5a. [to include US-CERT]
X X X X X X X X X
X X X X X X X X X
X X X
X X X X
X X X X
X X X X X X
X X X
X X X
X X X X X X
+ +
X + + X X
X + + X
X + + X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X + X X X X
+ +
X X + X X X X
X X + X X X X
X X + X X X X
X X X X X X X X X X X X
X X X X X X
Add'l NIST Control Selection: NIST SP 800-122 | NIST SP 800-171
DoD Cloud SRG Controls: Minimum | Level 4 | Level 5
AWS Quick Start Architecture: Addressed By This Quick Start (see green cross-reference section)
Additional FedRAMP Requirements & Guidance
X No
X No
X No
X No
X No
X No
X No
X X Yes
X X Yes
X X No
X X No
X X No
X X No
X X No
X X Yes
X X No
X X No
X X No
X X No
X X No
X X No
X X No
X X No
X X No
X X No
X Yes
X No
X No
X No
Indirectly
X No
X Yes
X Yes
X No
No
No
X No
Contract/SLA Contract/SLA No
X X X Yes
N/A
No
No
No
No
No
No
No
No
No
No
Yes
No
N/A
Yes
No
No
No
No
No
X X Yes
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
N/A
No
No
No
No
X No
No
X X No
X X X No
X X X No
X X X No
X X X No
X X No
No
No
X X No
No
X X No
X X No
X X No
X X No
X X Yes
X X Yes
X X No
X X No
X X No
N/A
No
X X No
Requirement: The service provider shall determine X X No
elements of the cloud environment that require the
System Use Notification control. The elements of
the cloud environment that require System Use
Notification are approved and accepted by the
Authorizing Official (AO).
Requirement: The service provider shall determine
how System Use Notification is going to be verified
and provide appropriate periodicity of the check.
The System Use Notification verification and
periodicity are approved and accepted by the AO.
Guidance: If performed as part of a Configuration
Baseline check, then the % of items requiring setting
that are checked and that pass (or fail) check can be
provided.
Requirement: If not performed as part of a
Configuration Baseline check, then there must be
documented agreement on how to provide results
of verification and the necessary periodicity of the
verification by the service provider. The
documented agreement on how to provide
verification of the results are approved and
accepted by the AO.
X X No
X X No
X X No
X X No
X X No
X X No
Requirement: The service provider shall determine X X No
elements of the cloud environment that require the
System Use Notification control. The elements of
the cloud environment that require System Use
Notification are approved and accepted by the
Authorizing Official (AO).
Requirement: The service provider shall determine
how System Use Notification is going to be verified
and provide appropriate periodicity of the check.
The System Use Notification verification and
periodicity are approved and accepted by the AO.
Guidance: If performed as part of a Configuration
Baseline check, then the % of items requiring setting
that are checked and that pass (or fail) check can be
provided.
Requirement: If not performed as part of a
Configuration Baseline check, then there must be
documented agreement on how to provide results
of verification and the necessary periodicity of the
verification by the service provider. The
documented agreement on how to provide
verification of the results are approved and
accepted by the AO.
X X No
X X No
No
No
No
No
No
X No
X X No
X X No
X X No
X X No
X X No
Contract/SLA No
No
No
N/A
X No
X No
X No
N/A
N/A
Contract/SLA Contract/SLA No
Contract/SLA Contract/SLA No
Contract/SLA Contract/SLA No
Contract/SLA Contract/SLA No
Contract/SLA Contract/SLA No
No
No
No
No
No
Contract/SLA Contract/SLA No
No
No
No
No
X X X No
X X No
X X No
X X Yes
X X Yes
X X Yes
X X No
X X No
X X No
N/A
X X No
N/A
N/A
X No
X X No
X X No
X X No
X X No
N/A
X X No
No
No
X X X No
X X X No
X X X No
N/A
N/A
N/A
No
No
No
No
No
No
No
No
X X No
X X No
X X No
X X No
X X No
X X No
X X No
X X No
No
No
X X No
X X No
X X No
No
No
X X No
X X No
X X No
X X No
X X No
X X No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
X No
X No
X No
X No
X No
X No
X No
X X No
X X No
X X No
X X No
No
X X No
X X No
X X No
X X No
X X No
No
X X No
No
X X No
X No
X No
X No
N/A
X No
X No
X No
X No
X No
X No
X No
X X X Yes
X X X Yes
X X X No
X X X Yes
X X X Yes
N/A
N/A
N/A
X X Yes
AU-3 (1). Requirement: The service provider defines X X No
audit record types. The audit record types are
approved and accepted by the Authorizing Official.
Guidance: For client-server transactions, the
number of bytes sent and received gives
bidirectional transfer information that can be
helpful during an investigation or inquiry.
Yes
X Yes
X X No
X X Yes
X X Yes
X X No
Yes
Yes
No
No
X X X No
X X X No
X X X No
X No
N/A
X X No
X X No
No
No
No
No
No
X X No
X X No
X X No
X X No
X No
No
X X Indirectly
X X Yes
X X Yes
AU-8 (1). Requirement: The service provider selects X X Yes
primary and secondary time servers used by the
NIST Internet time service. The secondary server is
selected from a different geographic region than the
primary server.
Requirement: The service provider synchronizes the
system clocks of network computers that run
operating systems other than Windows to the
Windows Server Domain Controller emulator or to
the same time source for that server.
Guidance: Synchronization of system clocks
improves the accuracy of log analysis.
Yes
X X Yes
No
X Yes
Yes
X X No
No
No
Contract/SLA Yes
No
No
No
No
No
No
No
No
No
No
N/A
AU-11. Requirement: The service provider retains X Yes
audit records on-line for at least ninety days and
further preserves audit records off-line for a period
that is in accordance with NARA requirements.
No
X X Yes
X X Yes
X X Yes
X X Yes
X X Yes
Yes
No
No
No
No
No
No
No
No
No
No
No
No
X No
X No
X No
X No
X No
X No
X No
X X No
X X No
X X No
X X No
X X No
X X No
X X No
X X No
X No
X No
X No
X No
X No
X No
No
No
For JAB Authorization, CSPs shall include details of X Yes
this control in their Architecture Briefing
N/A
X X No
X No
X No
X No
X No
N/A
No
X No
X No
No
X No
X No
X No
No
X No
X No
X No
X No
X No
X No
X No
X X Yes
X No
X No
X No
X No
X Yes
X No
N/A
N/A
No
X No
No
No
Requirement: The service provider establishes a X X No
central means of communicating major changes to
or developments in the information system or
environment of operations that may affect its
services to the federal government and associated
service consumers (e.g., electronic bulletin board,
web status page). The means of communication are
approved and accepted by the Authorizing Official.
No
No
No
No
No
No
No
No
No
X X No
No
X X No
X X No
X X No
No
X X Yes
X Yes
Yes
No
X No
X No
X No
X X No
N/A
X X No
CM-6a. Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings, or establish its own configuration settings if USGCB is not available.
CM-6a. Requirement: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
CM-6a. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc
Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish the list of prohibited or restricted functions, ports, protocols, and/or services, or establish its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available.
CM-7. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc
(Partially derived from AC-17(8).)
Requirement (applies to each of the contingency planning subparts listed above): For JAB authorizations the contingency lists include designated FedRAMP personnel.
IR-4/A13. Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
Requirement (applies to each MA-5 (1) subpart listed above): Only MA-5 (1)(a)(1) is required by the FedRAMP Moderate Baseline.
PE-14a. Requirement: The service provider measures temperature at server inlets and humidity levels by dew point.
RA-5e. Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP.
RA-5 (8). Requirement: This enhancement is required for all high vulnerability scan findings.
Guidance: While scanning tools may label findings as high or critical, the intent of the control is based on NIST's definition of a high vulnerability.
SA-10e. Requirement: for JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.
SC-12 Guidance: Federally approved cryptography.
SC-28. Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest.
AWS Quick Start Architecture Comments for NIST SP 800-53 Controls
(Each entry below gives the control origination, the responsibility assignment, and the architecture comment; rows that carried no comment are omitted.)
Organizational (Header) / Shared (Header): See control subpart details below.
Organizational / Shared: In this architecture, a baseline set of AWS Identity and Access Management (IAM) groups and roles are created, with associated access policies, to support alignment of user accounts to personnel functions related to infrastructure/platform management (e.g. Billing, EC2/VPC/RDS systems administration, I.T. auditing, etc.).
Organizational / Shared: In this architecture, AWS CloudTrail and Amazon S3 bucket logging are enabled, which provides the audit trail capability for the organization to monitor the use of AWS Identity and Access Management (IAM) accounts. An Amazon S3 bucket centrally contains the CloudTrail audit logs. Amazon CloudWatch alarms are configured to send an alert when an API call is made to create, update or delete a Network ACL/Security Group, when Root user activity is detected, when multiple API actions or login attempts fail, when IAM configuration changes are detected, when a new IAM access key is created, and when changes to the CloudTrail log configuration are detected.
Information Systems / Shared: In this architecture, AWS Identity and Access Management (IAM) is the automated mechanism for managing AWS (infrastructure) user accounts and access policies; AWS CloudTrail is the automated mechanism for logging activity of IAM users.
Information Systems / Shared: AWS built-in features of Identity and Access Management (IAM) and Amazon S3 access control mechanisms include the following dynamic privilege management capabilities: access policies applied to a user/group/role take effect without requiring the user/group/role session to be refreshed; deletion of a user/group/role terminates access for that user/group/role, including active sessions; access control changes to Amazon S3 buckets and objects take effect and apply to active sessions.
Organizational / Shared: In this architecture, a baseline set of AWS Identity and Access Management (IAM) groups and roles are created to support alignment of user accounts to personnel roles at various levels of privilege related to infrastructure/platform management (e.g. Billing, EC2/VPC/RDS systems administration, I.T. auditing, etc.).
Organizational / Shared: In this architecture, AWS CloudTrail logging is enabled, which records all API calls related to assignments of users or EC2 instances to groups and roles within AWS Identity and Access Management (IAM). These logs are available for use by organizational monitoring mechanisms or personnel.
Information Systems / Shared: In this architecture, AWS Identity and Access Management (IAM) and Amazon S3 enforce access to the AWS infrastructure and data in S3 buckets. A baseline set of IAM groups are created, with associated access policies, to support alignment of user accounts to personnel functions related to infrastructure/platform management (e.g. Billing, EC2/VPC/RDS systems administration, I.T. auditing, etc.). Login/API access is restricted to those users for whom the organization has authorized and created or federated IAM user accounts, and assigned the appropriate IAM group and/or role membership. Amazon S3 buckets have specific access control policies assigned to restrict access to those IAM users who are assigned the appropriate IAM roles/groups.
Information Systems / Shared: In this architecture, Amazon S3 buckets and EC2 instances are employed, which provide discretionary access control mechanisms.
AWS built-in features of AWS Identity and Access Management (IAM) enforce discretionary access control policies upon IAM entities operating on and within AWS services at the infrastructure/storage service layers. Amazon S3 includes S3 resources (buckets, objects, and related sub-resources, for example, lifecycle configuration and website configuration) that are private: only the resource owner (the AWS IAM user/role that created it) can access the resource. The resource owner can optionally grant access permissions to others by writing an access policy.
AWS built-in features of AWS Identity and Access Management (IAM) permit privileged users to control policy assigned to other IAM users, which allows the privileged user to pass AWS service information to other IAM users by granting the appropriate access.
AWS built-in features of Amazon S3 allow IAM users with read access to data objects stored in S3 (based on S3 access policies) to pass data (by transfer out of band) to other subjects or objects, but they cannot grant direct access to the objects within S3 unless those users also have S3 bucket configuration access to update or create additional access control policies.
AWS built-in features of Amazon EC2 instances include a baseline Linux operating system that provides industry-standard discretionary access control within the filesystem(s), which allows file owners to grant file access to other users.
Information Systems / Shared: In this architecture, Amazon S3 buckets and EC2 instances are employed, which provide discretionary access control mechanisms that allow S3 bucket owners, object/file owners and those with read access to grant certain privileges to other subjects.
AWS built-in features of AWS Identity and Access Management (IAM) permit privileged users to control policy assigned to other IAM users, which allows the privileged user to pass their AWS privileges to other IAM users.
AWS built-in features of Amazon S3 allow bucket owners (which are users defined in AWS Identity and Access Management) to set bucket policies to grant privileges to other IAM users. Users who only have access to data stored in S3 without bucket policy permissions do not have the ability to grant their privileges to others.
AWS built-in features of Amazon EC2 instances include a baseline Linux operating system that provides industry-standard discretionary access control within the filesystem(s), which allows file owners to grant the same level of file access to other users, including write operations.
Information Systems / Shared: In this architecture, Amazon S3 buckets and EC2 instances are employed, which provide discretionary access control mechanisms that allow S3 bucket owners, object/file owners and those with write access to change certain security attributes on subjects, objects, the information system, and/or the system components.
AWS built-in features of AWS Identity and Access Management (IAM) permit privileged users to control policy assigned to other IAM users and manipulate the configuration of AWS services within the AWS account, including security settings.
AWS built-in features of Amazon S3 allow bucket and object owners to change the security attributes of those buckets and objects.
AWS built-in features of Amazon S3 allow bucket owners (which are users defined in AWS Identity and Access Management) to change security attributes of S3 buckets through the manipulation of S3 bucket policies.
AWS built-in features of Amazon EC2 instances include a baseline Linux operating system that provides industry-standard discretionary access control within the filesystem(s), which allows file owners to change the security attributes on those files, and privileged users to manipulate the operating system configuration and security attributes on all files.
Information Systems / Shared: In this architecture, Amazon S3 buckets and EC2 instances are employed, which provide discretionary access control mechanisms that allow S3 bucket owners, object/file owners and those with write access to choose certain security attributes on newly created or revised objects.
AWS built-in features of AWS Identity and Access Management (IAM) permit privileged users to set access control policies assigned to newly created or revised IAM users and manipulate the configuration of newly instantiated or modified AWS services within the AWS account, including security settings.
AWS built-in features of Amazon EC2 instances include a baseline Linux operating system that provides industry-standard discretionary access control within the filesystem(s), which allows file owners to change the security attributes on all owned files, and privileged users to manipulate the operating system configuration and security attributes on all files and users.
AWS built-in features of Amazon S3 allow bucket and object owners to choose the security attributes to be associated with newly created or revised objects through the use of user and bucket policies.
Information Systems / Shared: In this architecture, Amazon S3 buckets and EC2 instances are employed, which provide discretionary access control mechanisms that allow S3 bucket owners and object/file owners to change the rules governing access control with AWS policy statements.
AWS built-in features of AWS Identity and Access Management (IAM) and Amazon S3 allow privileged IAM users and S3 bucket/object owners to change Amazon S3 bucket policies, AWS Identity and Access Management (IAM) user access control policies, bucket ACLs, and object ACLs.
Information Systems / Shared: In this architecture, a baseline set of IAM groups and roles are created, with associated access policies, to support alignment of user accounts to personnel functions and roles related to infrastructure/platform management (e.g. Billing, EC2/VPC/RDS systems administration, I.T. auditing, etc.). Login/API access is restricted to those users or EC2 instances for whom the organization has authorized and created or federated IAM user accounts, and provided membership in IAM groups/roles which have specific access control policies assigned, which limit the infrastructure activities that can be performed and the infrastructure information that can be accessed. S3 bucket policies specify access control for users and roles for whom the organization has authorized S3 access, and created or federated IAM user accounts.
AWS built-in features of AWS Identity and Access Management (IAM) and Amazon S3 enforce role-based access to the AWS infrastructure and S3 buckets based on access control policies assigned to users/roles/groups.
Information Systems / Shared: In this architecture, information flow is enforced through route tables that specify which subnets in each VPC are accessible through network and NAT gateways, AWS Security Groups that restrict network port/protocol access to EC2/RDS instances and Elastic Load Balancers, and Amazon S3 buckets that are configured with access control policies.
Information Systems / Shared: In this architecture, AWS CloudTrail is enabled to provide the audit trail of privileged user functions by logging all IAM user activities and API calls. This architecture has AWS CloudWatch alarms pre-configured to notify subscribers of an SNS topic if these security-relevant activities are detected: when an API call is made to create, update or delete a Network ACL/Security Group, when any Root user activity is detected, when multiple API actions or login attempts fail, when IAM configuration changes are detected, when a new IAM access key is created, and when changes to the CloudTrail log configuration are detected.
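The alarm conditions listed in the two CloudTrail/CloudWatch comments above (Network ACL or Security Group changes, Root user activity, repeated failed API calls or console logins, IAM configuration changes, new IAM access keys, CloudTrail configuration changes) are implemented in the Quick Start as CloudWatch Logs metric filters. The following is an added example, not code from the Quick Start templates: it reproduces the same event selection in plain Python so the rules can be exercised offline against constructed CloudTrail records. The event names and the IAM/CloudTrail API sets are real CloudTrail values; the threshold of three authentication failures within five minutes, the account ID, ARNs, addresses and the sample records are assumptions made for the example.

```python
"""Classify CloudTrail records into the alarm categories described in the
architecture comments (added example; not part of the Quick Start)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# API calls that change Network ACLs or Security Groups (real EC2 event names).
NACL_SG_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}
# IAM policy changes (real IAM event names).
IAM_POLICY_EVENTS = {
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "DeleteUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy",
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "DetachUserPolicy", "DetachGroupPolicy", "DetachRolePolicy",
}
# Changes to the trail itself (real CloudTrail event names).
CLOUDTRAIL_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def is_auth_failure(ev):
    """Failed console login, or an API call rejected as unauthorized."""
    if ev.get("eventName") == "ConsoleLogin":
        return ev.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    code = ev.get("errorCode", "")
    return code == "AccessDenied" or code.endswith("UnauthorizedOperation")


def classify(ev):
    """Return the single-record alarm categories matched by one CloudTrail event."""
    cats = set()
    name = ev.get("eventName", "")
    ident = ev.get("userIdentity", {})
    if name in NACL_SG_EVENTS:
        cats.add("NetworkAclOrSecurityGroupChange")
    # Root used by a person; actions a service performs on root's behalf carry invokedBy.
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent"):
        cats.add("RootActivity")
    if ev.get("eventSource") == "iam.amazonaws.com" and name in IAM_POLICY_EVENTS:
        cats.add("IamConfigurationChange")
    if name == "CreateAccessKey":
        cats.add("AccessKeyCreated")
    if name in CLOUDTRAIL_EVENTS:
        cats.add("CloudTrailConfigurationChange")
    return cats


def detect(events, failure_threshold=3, window=timedelta(minutes=5)):
    """Run the per-record rules plus a sliding-window count of auth failures per source IP.

    Returns (category, detail, principal) tuples in event-time order. The failure
    alarm fires once per source address when the threshold is reached in the window
    (threshold and window are assumed values, not taken from the Quick Start)."""
    alerts, fired = [], set()
    recent = defaultdict(deque)  # sourceIPAddress -> failure timestamps inside the window
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        arn = ev.get("userIdentity", {}).get("arn", "?")
        for cat in sorted(classify(ev)):
            alerts.append((cat, ev["eventName"], arn))
        if is_auth_failure(ev):
            ip = ev.get("sourceIPAddress", "?")
            t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            q = recent[ip]
            q.append(t)
            while t - q[0] > window:      # drop failures that fell out of the window
                q.popleft()
            if len(q) >= failure_threshold and ip not in fired:
                fired.add(ip)
                alerts.append(("MultipleAuthFailures", f"{len(q)} failures in {window}", ip))
    return alerts


def _ev(time, source, name, ident, ip, **extra):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": ident, "sourceIPAddress": ip, **extra}


# Constructed sample records (fictitious account, users and addresses), in the
# shape CloudTrail delivers to S3 / CloudWatch Logs.
ACCT = "111122223333"
NETADMIN = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/netadmin"}
ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"}
ROOT = {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root"}
SAMPLE_EVENTS = [
    _ev("2016-06-01T12:00:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", NETADMIN, "203.0.113.10"),
    _ev("2016-06-01T12:01:00Z", "signin.amazonaws.com", "ConsoleLogin", ROOT, "203.0.113.11",
        responseElements={"ConsoleLogin": "Success"}),
    _ev("2016-06-01T12:02:00Z", "signin.amazonaws.com", "ConsoleLogin", ALICE, "198.51.100.7",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("2016-06-01T12:02:30Z", "signin.amazonaws.com", "ConsoleLogin", ALICE, "198.51.100.7",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("2016-06-01T12:03:10Z", "ec2.amazonaws.com", "DescribeInstances", ALICE, "198.51.100.7",
        errorCode="Client.UnauthorizedOperation"),
    _ev("2016-06-01T12:05:00Z", "iam.amazonaws.com", "AttachUserPolicy", NETADMIN, "203.0.113.10"),
    _ev("2016-06-01T12:06:00Z", "iam.amazonaws.com", "CreateAccessKey", NETADMIN, "203.0.113.10"),
    _ev("2016-06-01T12:07:00Z", "cloudtrail.amazonaws.com", "StopLogging", NETADMIN, "203.0.113.10"),
    _ev("2016-06-01T12:08:00Z", "s3.amazonaws.com", "GetObject", ALICE, "198.51.100.7"),  # benign
    # Root credentials used by a service on the account's behalf: not an alarm condition.
    _ev("2016-06-01T12:09:00Z", "ec2.amazonaws.com", "RunInstances",
        {**ROOT, "invokedBy": "autoscaling.amazonaws.com"}, "autoscaling.amazonaws.com"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep="\t")
```

The root-activity rule deliberately excludes records with `invokedBy`, otherwise every service action performed with root credentials (autoscaling launches, for instance) would page someone; the failure counter keys on source address so that a credential-stuffing run against several IAM users still produces one alert.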
Information Systems / Shared: In this architecture, AWS Identity and Access Management (IAM) groups are created, which include access control policies that prevent non-privileged IAM users from executing privileged infrastructure functions, including disabling, circumventing, or altering implemented security safeguards and countermeasures.
AWS built-in features employ TLS for Console access, CLI, and API endpoints for AWS service access.
Information Systems / Shared: In this architecture, all remote access is routed through managed network access control points. The Internet Gateway (IGW) within each VPC is the primary access point for all public subnets within the VPC. Web-based access is routed through AWS Elastic Load Balancer (ELB) TLS endpoints. A bastion host provides an additional managed access point through which all interactive logins must occur via SSH. Return traffic for internet connection requests from private subnets is routed through a NAT Gateway or an EC2-based NAT instance (in AWS Regions where Managed NAT Gateways are not yet available).
Organizational / Shared: In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer (ELB) logging, and RDS MySQL error logging are employed to provide the audit data necessary to determine what activities have occurred within the infrastructure.
Organizational / Shared: In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer (ELB) logging, and RDS MySQL error logging are employed to provide the capability to audit organizationally defined events by logging security-relevant events and errors related to IAM user and API activities, S3 data access, network access, and RDS database errors.
Organizational / Shared: In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer (ELB) logging, and RDS MySQL error logging are employed, which support auditing of updated organizationally defined events by logging events and activities for newly available AWS products and features that may be added to the architecture or to AWS capabilities. Amazon CloudWatch is employed, which provides near-real-time alerts on updated audit events.
Information Systems / Shared: In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer (ELB) logging, and RDS MySQL error logging are employed, which generate audit records that include the level of detail specified in the control. CloudTrail logs provide information on activities related to the manipulation of the infrastructure; S3 bucket logs provide data on activities related to the access or manipulation of data stored in S3; ELB logs provide information about requests or connections; RDS MySQL error logs record errors encountered by the database engine. In addition, the MySQL general query log can be enabled by the customer organization to capture when clients connect or disconnect and the SQL statements received from clients.
Information Systems / Shared: In this architecture, AWS CloudTrail and Amazon CloudWatch make up the centralized automated system for management and configuration of audit recording and content for the infrastructure; Amazon S3 provides the centralized storage of audit records.
Organizational / Shared: In this architecture, Amazon S3 buckets are established for storage of AWS CloudTrail audit records, S3 bucket logs, Elastic Load Balancer logs, etc., which provide dynamic capacity growth to accommodate organizationally defined storage capacity requirements.
Information Systems / Shared: In this architecture, AWS CloudTrail is enabled, which provides the basis for audit processing within the infrastructure.
AWS built-in features include customer alerting of CloudTrail and other service failures through the AWS Service Health Dashboard (http://status.aws.amazon.com) and through optional RSS feeds subscribed to by customers, as well as through email and other direct alerts to root account owners for events deemed critical enough for direct contact, per AWS internal Incident Response and corporate communications processes.
Information Systems / Shared: In this architecture, Amazon CloudWatch alarms are configured to send an alert to the customer-provided email address when any CloudTrail configuration change is detected, within 1-5 minutes. In addition, an AWS Config rule is applied which detects if AWS CloudTrail is disabled and sends an alert to the customer-provided email address in near real time.
Information Systems / Shared: In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer (ELB) logging, and RDS MySQL error logging are employed.
AWS built-in features of native logging use AWS Region internal clocks to time-stamp all log entries.
Information Systems / Shared: In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer (ELB) logging, and RDS MySQL error logging are employed.
AWS built-in features of native logging provide time stamps as specified in the ISO 8601 standard. ISO 8601 represents local time (with the location unspecified), UTC, or an offset from UTC.
Information Systems (Header) / Shared (Header): See control subpart details below.
Information Systems / Shared: In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer (ELB) logging, and RDS MySQL error logging are employed, and the initial EC2 instances launched (bastion host, application servers, proxy servers, and EC2-based NAT instances in AWS Regions where Managed NAT Gateways are not yet available) use Amazon Linux AMIs, which have NTP configured by default to sync time with pool.ntp.org servers (these NTP servers are not owned, managed, or guaranteed by AWS; for more information, see http://www.pool.ntp.org/en/).
AWS built-in features of native logging use time stamps provided by AWS Region internal system clocks that are continuously synchronized across the Region.
Information Systems / Shared: In this architecture, the bastion host, application servers, proxy servers, and EC2-based NAT instances (in AWS Regions where Managed NAT Gateways are not yet available) use pool.ntp.org servers, which are distributed across the world.
AWS built-in features include internal NTP servers used by all AWS services and logging mechanisms that are distributed across multiple Availability Zones and that are synchronized with multiple geographic time sources.
Information Systems / Shared: In this architecture, access to audit data and tools is restricted to personnel assigned by the organization to IAM groups and roles that are associated with access control policies for such access. In addition, server-side encryption is enabled on the audit bucket, and S3 bucket policies are configured to restrict access to the appropriate IAM groups/roles with read-only permissions.
Information Systems / Shared: In this architecture, the audit data S3 bucket has server-side encryption enabled, read-only access control policies applied, versioning enabled so that original content is retained, and bucket logging enabled to log changes.
Information Systems / Shared: In this architecture, AWS CloudTrail and Amazon S3 bucket logging are enabled to record AWS account user activity in order to enforce non-repudiation.
AWS built-in features of AWS CloudTrail and Amazon S3 bucket logs record events to the level of each individual (or process acting on behalf of an individual) to protect against repudiation of actions performed within the AWS infrastructure. CloudTrail data is stored with read-only permissions and cannot be modified by any non-privileged person or process.
Withdrawn Withdrawn
Organizational Shared In this architecture, AWS CloudTrail logs are stored in an Amazon S3 bucket,
which dynamically allocates storage capacity to support continuous collection
and storage of CloudTrail log data with an indefinite retention capability; a 7-year
retention period is specified, with migration to Amazon Glacier after 90 days in AWS
Regions where Glacier is available.
Information Systems Shared In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer
(ELB) Logging, and RDS MySQL error logging are enabled, but initial EC2
instances launched by this deployment (bastion host, application servers, proxy
servers, and any EC2-based NAT servers) DO NOT have any auditing enabled
within the OS, as these are in place for example purposes only.
AWS built-in features of logging mechanisms provide the audit record generation
capability for the auditable events defined in AU-2a by logging all security-
relevant IAM user and API activities which address AWS infrastructure
components (AWS products and services), ELB
Information Systems Shared In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer
(ELB) logging, and RDS MySQL error logging are enabled. AWS CloudTrail is
enabled to log all available API events automatically within the AWS
infrastructure, and Amazon S3 bucket logging is enabled to log bucket activity.
AWS built-in features of Identity and Access Management (IAM) allow policies to
be applied to privileged users for administrator/audit access, allowing them to
modify Amazon CloudWatch alarms, AWS Config rules, and Amazon S3 bucket
logging to select the CloudTrail and S3 events that are to cause notification,
alerting and automated reaction.
Information Systems Shared In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer
(ELB) Logging, and RDS MySQL error logging are enabled. However, the initial EC2
instances launched by this deployment (bastion host, application servers, proxy
servers, and any EC2-based NAT servers) DO NOT have any auditing enabled
within the OS, as these are in place for example purposes only.
AWS built-in features of native logging generate audit records with the content
defined in AU-3.
Information Systems Shared In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer
(ELB) Logging, and RDS MySQL error logging are enabled to support centrally
stored system logs in standardized formats.
AWS built-in features of native logging produce records that include time stamps
in the format specified by the ISO 8601 standard. ISO 8601 represents time as local time (with the
location unspecified), as UTC, or as an offset from UTC.
Information Systems Shared In this architecture, AWS CloudTrail, S3 bucket logging, Elastic Load Balancer
(ELB) Logging, and RDS MySQL error logging are enabled to support centrally
stored system logs in standardized formats.
Organizational Customer
Organizational Customer
Organizational (Header) Customer (Header)
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Information Systems Shared In this architecture, a deny-all, permit-by-exception policy is employed within
security groups and network ACLs, where communication between network
nodes within and across subnets is only permitted via the ports and protocols that
are required. In addition, route tables prevent inbound access to internal private
subnets unless it is return traffic for outbound connections initiated internally through a
NAT Gateway or an EC2-based NAT instance (in AWS Regions where Managed
NAT Gateways are not yet available).
Withdrawn Withdrawn
Organizational (Header) Customer (Header)
Organizational Customer
Organizational Customer
Information Systems Not Selected
Organizational Customer
Organizational Customer
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Information Systems Not Selected
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Shared In this architecture, AWS services and components are deployed and configured
via AWS CloudFormation templates, which are structured JSON or YAML
documents that establish the baseline configuration for the system infrastructure
(infrastructure as code). Supplemental documentation within the package that
deploys this system includes a baseline architecture diagram and a security
controls matrix.
Organizational Customer
Organizational Customer
Organizational Customer
Information Systems Shared In this architecture, AWS CloudFormation is an automated AWS deployment
service that uses structured JSON or YAML documents to establish and maintain
the baseline configuration for the system (infrastructure as code).
Organizational Customer
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational (Header) Customer (Header)
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Information Systems Shared In this architecture, a baseline set of AWS Identity and Access Management roles
and groups are configured with access restriction policies associated with a set of
basic systems management roles for privileged users that the organization
authorizes for such access; AWS CloudTrail is enabled, which logs all IAM access
enforcement actions.
Organizational Shared In this architecture, Amazon CloudWatch alarms and AWS Config Rules (in
Regions where available) are configured, which provide basic automated review
mechanisms for system changes in near real time, and are pre-configured to
notify subscribers of an SNS topic when any of these security-relevant changes occurs: IAM
configuration changes detected, new IAM access key created, CloudTrail log
configuration changes detected, creation, update or deletion of a security group
or network ACL, unrestricted SSH access, and unrestricted ports (no
source/destination restrictions).
Organizational Customer
Organizational Customer
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Information Systems Shared AWS built-in features of its services incorporate automated mechanisms to
centrally manage, apply and verify configuration settings for ALL system
components via AWS APIs and interactive interfaces to those APIs through the
AWS Management Console or the command line interface.
Organizational Shared In this architecture, AWS CloudTrail is enabled to log changes to the
infrastructure and AWS Identity and Access Management (IAM) configuration,
and associated Amazon CloudWatch alarms are set to alert on logged IAM
configuration changes. In addition, AWS Config and Config rules are employed to
detect and alert on these security-relevant changes: IAM configuration changes
detected, new IAM access key created, CloudTrail log configuration changes
detected, creation, update or deletion of a security group or network ACL,
unrestricted SSH access, and unrestricted ports (no source/destination
restrictions).
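The two rows above, and the earlier row on the deny-all, permit-by-exception security group posture, describe a fixed list of security-relevant changes that CloudWatch alarms and Config rules alert on. The following is an added example, not the Quick Start's own alarms or Config rules, that applies that list to CloudTrail records offline: it classifies each record by eventName into the four categories the rows name and, for security group ingress changes, flags rules with no source restriction, separating SSH exposure from other unrestricted ports. The event names are the CloudTrail eventName values of the corresponding AWS APIs; the records themselves are constructed for the example and only approximate the shape of real CloudTrail JSON (account id, user names and security group id are hypothetical).

```python
"""Security-relevant CloudTrail change detection (added example; not Quick Start code)."""
import ipaddress

# Categories from the matrix, keyed to the CloudTrail eventName values that signal them.
WATCHED_EVENTS = {
    "iam_configuration_change": {
        "CreateUser", "DeleteUser", "AttachUserPolicy", "DetachUserPolicy", "PutUserPolicy",
        "CreateRole", "DeleteRole", "AttachRolePolicy", "PutRolePolicy", "CreateGroup",
        "DeleteGroup", "AttachGroupPolicy", "PutGroupPolicy", "UpdateAccountPasswordPolicy",
    },
    "new_iam_access_key": {"CreateAccessKey"},
    "cloudtrail_configuration_change": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "security_group_or_nacl_change": {
        "CreateSecurityGroup", "DeleteSecurityGroup", "AuthorizeSecurityGroupIngress",
        "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
        "CreateNetworkAcl", "DeleteNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAclEntry",
        "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
    },
}


def open_world_cidrs(permission):
    """CIDRs in one ipPermissions entry that place no source restriction (0.0.0.0/0 or ::/0)."""
    ranges = list(permission.get("ipRanges", {}).get("items", []))
    ranges += list(permission.get("ipv6Ranges", {}).get("items", []))
    cidrs = [r.get("cidrIp") or r.get("cidrIpv6") for r in ranges]
    return [c for c in cidrs if c and ipaddress.ip_network(c, strict=False).prefixlen == 0]


def ingress_exposures(request_parameters):
    """Label each unrestricted ingress rule as SSH exposure or as an unrestricted port."""
    exposures = []
    for perm in request_parameters.get("ipPermissions", {}).get("items", []):
        cidrs = open_world_cidrs(perm)
        if not cidrs:
            continue  # source-restricted rule: permitted by exception, nothing to flag
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        source = ",".join(cidrs)
        if proto == "-1":  # all protocols and ports, which includes SSH
            exposures.append(("unrestricted-ssh-access", f"all traffic from {source}"))
            exposures.append(("unrestricted-port", f"all traffic from {source}"))
        elif proto == "tcp" and lo is not None and hi is not None and lo <= 22 <= hi:
            exposures.append(("unrestricted-ssh-access", f"tcp/22 from {source}"))
        else:
            exposures.append(("unrestricted-port", f"{proto}/{lo}-{hi} from {source}"))
    return exposures


def analyze_records(records):
    """Return one alert per record whose eventName falls in a watched category."""
    alerts = []
    for rec in records:
        name = rec.get("eventName")
        categories = [cat for cat, names in WATCHED_EVENTS.items() if name in names]
        if not categories:
            continue
        alert = {"time": rec.get("eventTime"), "eventName": name, "categories": categories,
                 "actor": rec.get("userIdentity", {}).get("arn", "unknown")}
        if name == "AuthorizeSecurityGroupIngress":
            alert["exposures"] = ingress_exposures(rec.get("requestParameters", {}))
        alerts.append(alert)
    return alerts


# Constructed CloudTrail-style records (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2016-03-18T12:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2016-03-18T12:05:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}},
     ]}}},
    {"eventTime": "2016-03-18T12:07:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2016-03-18T12:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",  # read-only call: not on the watched list
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    for alert in analyze_records(SAMPLE_RECORDS):
        print(alert)
```

The eventName list is deliberately explicit rather than a prefix match, so that read-only calls such as DescribeInstances never page anyone; when wiring this into a metric filter or Config rule, the same list is what the filter pattern should enumerate.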
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational (Header) Customer (Header)
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Shared AWS built-in features provide an accurate, real-time inventory of all
infrastructure system and network components within the customer account and
provide a single view with the granularity needed for tracking and reporting.
Organizational Shared AWS built-in features provide an accurate, real-time inventory of all
infrastructure system and network components within the AWS account, and
AWS CloudFormation creates a unique set of stack names, and associated
resource names incorporate the stack name, for tracking components deployed
by Cloudformation templates that align with an authorization boundary.
Organizational Shared AWS built-in features provide a level of granularity for tracking and reporting on
all infrastructure system and network components and configuration settings for
those components.
Organizational Shared AWS built-in features provide all available information about all infrastructure
system and network components to achieve effective component accountability.
Organizational Shared AWS built-in features provide a dynamically updated inventory of all
infrastructure system and network components within the customer account.
The AWS Management Console and AWS API calls support the capability for the
organization to review the inventory.
Organizational Shared AWS built-in features provide an accurate, real-time inventory which is updated
dynamically upon installation, removal or update of infrastructure components.
Information Systems Shared AWS built-in features provide an accurate, real-time inventory of all
infrastructure system and network components within the AWS account, and
AWS CloudFormation creates a unique set of stack names; the stack names are
incorporated into the associated resource names.
Organizational Shared In this architecture, AWS Identity and Access Management (IAM) groups have
policies associated with them that detail the infrastructure components and
features that can be administered by the IAM users in those groups. It is the
customer organization's responsibility to ensure only those who are
accountable/responsible are put into those groups.
Organizational Shared AWS built-in features provide a single internal system inventory of components
within the AWS infrastructure.
Organizational Shared AWS built-in features include centralized inventory capabilities that provide
region location information for all components.
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational (Header) Customer (Header)
Organizational (Header) Customer (Header)
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Shared In this architecture, the use of EC2, RDS database, and Amazon S3 storage
employing redundancy via multiple AWS Availability Zones (AZs) is elemental to
organizational plans for the transfer of processing and storage to alternate sites, as this
architecture constitutes an inherent alternate storage and processing capability
that dynamically provides transfer and resumption of system operations.
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Not Selected
Withdrawn Withdrawn
Organizational Shared In this architecture, multiple AWS availability zones (AZs) are employed. This
constitutes an inherent alternate storage site capability for data stored in
Amazon S3 and Amazon RDS databases. S3 uses multiple availability zones by
default, and the RDS databases deployed within this architecture are configured
to be replicated across multiple availability zones.
Organizational Shared AWS built-in features of Amazon S3 storage and Amazon RDS replication
incorporate multiple AWS availability zones, which provide identical security
safeguards.
Organizational Shared In this architecture, Amazon S3, EC2 instances, and RDS databases are replicated
across multiple Availability Zones, which constitutes an inherent multi-storage
site capability to mitigate network, power, and hardware outages within a single
site.
Organizational Shared In this architecture, Amazon S3, EC2 instances, and RDS databases are replicated
across Availability Zones, which constitutes an inherent multi-storage site
capability that is dynamic and provides immediate recovery time and recovery
point.
Organizational Shared In this architecture, both the primary and alternate storage sites are virtualized
through the use of multiple Availability Zones for Amazon EC2 and Amazon RDS
instances, and the use of Amazon S3 storage, which inherently employs multiple
Availability Zones. There is no physical accessibility to the AWS facilities available
to customers, and the logical accessibility capabilities are identical for each
Availability Zone across the public internet or via AWS Direct Connect.
Organizational Shared In this architecture, multiple AWS availability zones (AZs) are employed for EC2
and RDS instances, using Elastic Load Balancing to facilitate live failover
redundancy for web and application servers, and RDS database replication for
database failover. This constitutes an inherent alternate processing site
capability to dynamically provide transfer and resumption of operations.
Organizational Shared In this architecture, the multiple AWS availability zones employed are of identical
capability, dynamically in place, and available to support resumption of
operations in real time.
Organizational Shared In this architecture, the multiple AWS availability zones employed are of identical
capability, and provide identical security safeguards.
Organizational Shared In this architecture, the replication of EC2 and RDS instances across multiple
Availability Zones constitutes an inherent multi-processing site capability to
mitigate network, power, and hardware outages. To address organizational
requirements related to major regional disasters, AWS supports the ability for
the customer to place processing systems in multiple geographic regions.
Organizational Shared In this architecture, both the primary and alternate processing sites are
virtualized through the use of multiple Availability Zones for Amazon EC2 and
Amazon RDS instances, and the use of Amazon S3 storage, which inherently
employs multiple Availability Zones. There is no physical accessibility to the AWS
facilities available to customers, and the logical accessibility capabilities are
identical for each Availability Zone across the public internet or via AWS Direct
Connect.
Organizational Shared AWS built-in features include multiple availability zones and regions that
inherently provide priority of service provisions identical to the others.
Organizational Shared AWS built-in features include multiple Availability Zones and Regions that are
ready to be used as the operational site supporting essential missions and
business functions.
Withdrawn Withdrawn
Organizational Customer
Organizational (Header) Customer (Header)
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Shared In this architecture, user data is limited to that which is stored in the Amazon
RDS database. RDS is fully backed up by a daily snapshot as well as through
transaction logging conducted by AWS as part of this managed service. Full
database recovery from snapshot or point-in-time can be initiated from the RDS
console/API.
Organizational Shared AWS built-in features automatically back up system-level information, limited to
infrastructure CONFIGURATION information within the AWS account. While
individual running EC2 instances and attached EBS volumes are NOT backed
up, they can be reconstituted from Amazon Machine Images (AMIs) provided by
AWS (which are backed up by AWS) and user data scripts included in
CloudFormation templates. Once deployed, the CloudFormation template
contents are backed up by AWS within the CloudFormation service. These
AWS backups of AWS services are transparent to the customer as part of AWS
backend processes.
Organizational Shared AWS built-in features back up online administrator and developer
documentation, limited to that which is published at
https://aws.amazon.com/documentation.
Organizational Shared AWS built-in features protect the confidentiality, integrity, and availability of
information that AWS services back up. This information includes the service
configuration information within an account, AWS online administrator and
developer documentation, and AWS CloudFormation stacks for templates once
deployed into an account.
Organizational Customer
Organizational Customer
Organizational Shared AWS built-in features store AWS-managed information in Amazon S3, which
constitutes an inherent live backup via replication across a minimum of three
availability zones. This technique employs separate storage devices distributed
across separate virtual and physical locations. AWS-managed information
includes the service configuration information within an account, AWS online
administrator and developer documentation, and AWS CloudFormation stacks
for templates once deployed into an account.
Withdrawn Withdrawn
Organizational Shared AWS built-in features store AWS-managed information in Amazon S3, which
transfers information to alternate storage dynamically via replication across a
minimum of three availability zones. This technique employs separate storage
devices distributed across separate virtual and physical locations. AWS-managed
information includes the service configuration information within an account,
AWS online administrator and developer documentation, and AWS
CloudFormation stacks for templates once deployed into an account.
Information Systems Shared In this architecture, EC2 and RDS instances are replicated across two Availability
Zones for redundancy.
Organizational Customer
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Customer
Withdrawn Withdrawn
Organizational Customer (removed)
Organizational Customer
Privacy Control Not Selected
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Information Systems Shared AWS built-in features of Identity and Access Management (IAM) provide the
capability for uniquely identifying and authenticating users, and processes acting
on their behalf, for both organizational and non-organizational users operating
within the AWS account and infrastructure, providing privileges based on the
credentials, group memberships, and access policies assigned to them. The
customer organization, at its discretion, provides individual user accounts and
privileges to both organizational and non-organizational users.
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Information Systems Shared AWS built-in features of Identity and Access Management (IAM) provide
minimum password complexity enforcement, but the characteristics to enforce
must be manually configured by the customer. Refer to
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
Information Systems Customer
Information Systems Shared AWS built-in features of AWS Identity and Access Management (IAM) and the
AWS Console store passwords on AWS systems in a cryptographically-protected
format and only support TLS connectivity to the console web site to protect
passwords in transit via encryption.
Information Systems Shared AWS built-in features of AWS Identity and Access Management (IAM) provide
the capability to require a new password to be entered upon login. The customer
organization, at its discretion, configures IAM to enforce that requirement.
Information Systems Shared AWS built-in features of AWS Identity and Access Management (IAM) provide
the capability for hardware MFA using Gemalto SafeNet IDProve 100 and 700
OTP tokens, which are compliant with the OATH open standard (time based, 6 digits).
Expected battery life is 3-5 years or approximately 15,000 - 20,000 clicks. These
products are handheld devices that provide strong authentication by generating
a unique password that is valid for only one attempt and for 30 seconds.
It is the customer organization's responsibility to implement hardware MFA.
Refer to http://aws.amazon.com/iam/details/mfa/ and
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
Information Systems Not Selected
Information Systems Shared In this architecture, all EC2 instances (bastion host, web/proxy servers,
application servers) employ SSH for interactive login, and when a key passphrase
is prompted for, the SSH prompting mechanism obscures the feedback by
default.
AWS built-in features obscure keystroke feedback for password input during
AWS console login with AWS Identity and Access Management (IAM) user
credentials, and when the CloudFormation console prompts for an initial
database password during Quick Start template deployment.
Information Systems Shared AWS built-in features of AWS Identity and Access Management (IAM)
authentication employ cryptographic modules that meet the requirements as
specified and assessed in the AWS FedRAMP authorization package.
Information Systems Shared AWS built-in features of AWS Identity and Access Management (IAM) provide the
capability for uniquely identifying and authenticating users, and processes acting
on their behalf, for both organizational and non-organizational users, providing
privileges based on the credentials, group memberships, and access policies
assigned to them.
The customer organization, at its discretion, provides user accounts and privileges
to both organizational and non-organizational users.
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational (Header) Customer (Header)
Organizational Customer
Organizational Customer
Organizational Customer
Information Systems Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Not Selected
Organizational Customer
Organizational Customer
Organizational Customer
Organizational (Header) Customer (Header)
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Not Selected
Organizational (Header) Inherited (Header) This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational (Header) Inherited (Header) This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Withdrawn Withdrawn
Organizational (Header) Inherited (Header) This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Non-FedRAMP
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Information Systems Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational (Header) Inherited (Header) This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Information Systems Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Information Systems Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Information Systems Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational (Header) Inherited (Header) This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Inherited This System Maintenance control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Non-FedRAMP
Organizational Non-FedRAMP
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational (Header) Inherited (Header) This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational (Header) Inherited (Header) This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Withdrawn Withdrawn
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Non-FedRAMP
Information Systems Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational (Header) Inherited (Header) This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Information Systems Inherited This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Information Systems Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational (Header) Inherited (Header) This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the operating systems on EC2 instances and the customer's applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational (Header) Inherited (Header) This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational (Header) Inherited (Header) This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational (Header) Non-FedRAMP (Header)
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational (Header) Inherited (Header) This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Non-FedRAMP
Organizational Non-FedRAMP
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Withdrawn Withdrawn
Organizational (Header) Inherited (Header) This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Organizational Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Information Systems Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Withdrawn Withdrawn
Facility Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Facility Non-FedRAMP
Facility Non-FedRAMP
Organizational (Header) Inherited (Header) This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Withdrawn Withdrawn
Facility Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical and Environmental Protection (PE) control, which applies to hardware
components within AWS, is generally partially or fully inherited from the AWS
physical infrastructure. The customer organization remains responsible for any
part of the control that applies to customer-controlled equipment and facilities,
and for the customer-configurable portion of the AWS logical infrastructure,
including the operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from the pre-existing Agency Authority to Operate (ATO) or JAB Provisional
Authority to Operate (P-ATO) under the Federal Risk and Authorization
Management Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS Compliance
Team: http://aws.amazon.com/compliance/fedramp/
Facility Non-FedRAMP
Facility Non-FedRAMP
Facility Non-FedRAMP
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Non-FedRAMP
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Non-FedRAMP
Organizational (Header) Inherited (Header) This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Non-FedRAMP
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Organizational (Header) Inherited (Header) This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Inherited This Physical Environment control associated with hardware components within
AWS is generally either partially or fully inherited from the AWS physical
infrastructure, while the customer organization is responsible for any part of
the control that is applicable to customer-controlled equipment and facilities,
and the customer's configurable portion of the AWS logical infrastructure,
including the Operating systems on EC2 instances and the customer's
applications.
For the U.S. East, U.S. West, and GovCloud regions, this control is inherited
from pre-existing Agency Authority to Operate (ATO) or JAB provisional
Authority to Operate under the Federal Risk and Authorization Management
Program (FedRAMP).
Refer to the AWS FedRAMP SSP artifacts, including the Control Implementation
Summary and Customer Responsibility Matrix, available from the AWS
Compliance Team. http://aws.amazon.com/compliance/fedramp/
Facility Non-FedRAMP
Facility Non-FedRAMP
Facility Non-FedRAMP
Facility Non-FedRAMP
Facility Non-FedRAMP
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Customer
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Shared AWS built-in features include an inventory of all virtual infrastructure
components of the system, including networks and network nodes, EC2 and RDS
instances (hosts), as well as routing tables, access control lists and policies, and
users/groups/roles. Any product, service, entity, or configuration option that
AWS offers is inherently identifiable through either the AWS console or AWS
CLI/API access, giving a centralized view and control.
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Not Selected
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational (Header) Customer (Header)
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Withdrawn Withdrawn
Organizational Customer
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Organizational (Header) Shared (Header) See control subpart details below.
Information Systems Shared In this architecture, documentation of the infrastructure configuration in the
form of AWS CloudFormation templates in JSON or YAML format, architecture
diagrams, deployment user guide and security controls implementation details is
included.
AWS built-in features include online documentation for management of the
infrastructure at http://aws.amazon.com/documentation/
Information Systems Shared In this architecture, documentation of security configuration in the form of AWS
CloudFormation templates in JSON format, architecture diagrams, deployment
user guide and a security controls matrix with implementation details is included.
Information Systems Shared AWS built-in features include online documentation related to the effective use
and maintenance of security functions and mechanisms of the infrastructure at
http://aws.amazon.com/documentation/
Information Systems Shared AWS built-in features include online documentation that covers known issues
related to configuration and use of administrative functions, located at
https://aws.amazon.com/security/security-resources/
Information Systems Shared AWS built-in features include online documentation of AWS services at
http://aws.amazon.com/documentation/
Information Systems Shared AWS built-in features include online documentation for AWS account users at
http://aws.amazon.com/documentation/ such as user guides, API reference
guides, CLI reference guides and developer reference guides to provide
information on how to effectively use security functions.
Information Systems Shared AWS built-in features include online documentation for AWS account users
within the infrastructure at http://aws.amazon.com/documentation/ such as
user guides, API reference guides, CLI reference guides and developer reference
guides to provide information on how to access AWS services and components in
a more secure manner.
Information Systems Shared AWS built-in features include online documentation for AWS account users at
https://aws.amazon.com/security/security-resources/ that provides information
related to security responsibilities of customers using AWS services.
Organizational Customer
Organizational Shared AWS built-in features include online documentation that is protected by AWS
from unauthorized modification or deletion within the AWS system.
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Information Systems Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Not Selected
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational (Header) Customer (Header)
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Information Systems Shared In this architecture, baselines of AWS Identity and Access Management (IAM)
groups and roles are established with associated policies to provide various levels
of user privileges for conducting infrastructure management and security policy
filter management.
Information Systems Shared In this architecture, a separate Management VPC is established containing
subnets for security and system management services and nodes that the
customer may choose to deploy (such as security management servers, Directory
Service servers, SIEM servers, etc.). A bastion login host is created to facilitate
secured SSH login for systems administration of EC2 instances.
Information Systems Shared AWS built-in features erase data stored or processed on AWS shared resources
(storage, memory, CPU) before those resources are re-provisioned to other users
or accounts.
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Information Systems Customer
Withdrawn Withdrawn
Information Systems Customer
Information Systems Customer
Information Systems Shared In this architecture, transmitted information is protected via a combination of
network access control mechanisms (for data confidentiality) and encryption
features (for both confidentiality and integrity). Network access controls include
the use of security groups with restricted port/protocol "allow" rules (with
deny-by-default for unnamed ports/protocols) to ensure network communication is
restricted to only approved nodes. Amazon S3 is configured so that
object access can only be conducted over TLS, and the Elastic Load Balancer (ELB)
at the web layer uses an encrypted endpoint (HTTPS). The bastion host, EC2
instances and associated security groups are configured for SSH login access only.
Information Systems Shared In this architecture, Amazon S3 is configured so that object access can only be
conducted over TLS and the Elastic Load Balancer (ELB) at the web layer uses an
encrypted endpoint (HTTPS). The bastion host, EC2 instances and associated
security groups are configured for SSH login access only. In addition, this
architecture employs Security Groups at the web layer that restrict network
traffic to port 443 (HTTPS) for end user access.
AWS built-in features employ TLS for AWS Management Console sessions, AWS
API calls, and AWS Command Line Interface connections.
Withdrawn Withdrawn
Organizational Customer
Withdrawn Withdrawn
Withdrawn Withdrawn
Information Systems Shared In this architecture, encryption mechanisms are employed for data at rest and in
transit. For data at rest, AES-256 server-side encryption is employed for data
stored in S3 and RDS databases. For data in transit, to protect against exposure
of any cleartext data transmitted deliberately (upload/download) or incidentally
during interactive systems management operations, Amazon S3 object access can
only be conducted over encrypted sessions via TLS; the bastion host, EC2
instances and associated security groups are configured for encrypted SSH
sessions only. For web user access, the Elastic Load Balancer (ELB) employs a
TLS endpoint.
AWS built-in features employ TLS for AWS Management Console sessions, AWS
API calls, and AWS Command Line Interface connections.
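The three SC-8/SC-13 cells above describe the same configuration in prose: S3 object access only over TLS, AES-256 server-side encryption at rest, and a web-layer security group that admits only HTTPS. The CloudFormation fragment below is an added example written for this page, not one of the Quick Start templates; the resource names (ExampleBucket, ExampleBucketTlsOnlyPolicy, ExampleWebSecurityGroup) and the VpcId parameter are assumptions, and the RDS and bastion pieces the cells mention are left out. It shows the template statements a reviewer would look for when checking these cells against a deployed stack.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example for this matrix, not a Quick Start template.
# Resource names and the VpcId parameter are assumptions.
Description: TLS-only, SSE-encrypted S3 bucket and HTTPS-only web security group

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC that hosts the web layer (assumed to exist already)

Resources:
  # Data at rest: every object written without an explicit SSE header
  # is still stored with AES-256 server-side encryption.
  ExampleBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  # Data in transit: an explicit Deny for any request that did not arrive
  # over TLS. aws:SecureTransport is false for plain-HTTP S3 requests, and
  # an explicit Deny overrides any Allow granted elsewhere.
  ExampleBucketTlsOnlyPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ExampleBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyNonTLSObjectAccess
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt ExampleBucket.Arn          # bucket-level actions
              - !Sub "${ExampleBucket.Arn}/*"      # object-level actions
            Condition:
              Bool:
                aws:SecureTransport: "false"

  # Web layer: the only inbound "allow" rule is TCP/443. Security groups
  # deny everything not listed, so HTTP/80, SSH and all other ports from
  # end users are blocked without a separate deny rule.
  ExampleWebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web layer - HTTPS from end users only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
```

When reviewing a stack against these cells, the items to confirm are that the Deny statement is present (a bucket with only an Allow for HTTPS still accepts plain HTTP unless the Deny exists), that the bucket policy covers both the bucket ARN and the `/*` object ARN, and that no additional SecurityGroupIngress entries have been added to the web-layer group over time.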
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Information Systems (Header) Customer (Header)
Information Systems Customer
Information Systems Customer
Withdrawn Withdrawn
Withdrawn Withdrawn
Information Systems Customer
Information Systems Shared In this architecture, encryption mechanisms are employed to protect the
authenticity of communications sessions. Amazon S3 object access can only be
conducted over encrypted sessions via TLS; the bastion host, EC2 instances and
associated security groups are configured for interactive sessions to be
conducted only over encrypted SSH. For web user access, the Elastic Load
Balancer (ELB) employs a TLS endpoint.
AWS built-in features employ TLS for AWS Management Console sessions, AWS
API calls, and AWS Command Line Interface connections.
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Customer
Withdrawn Withdrawn
Organizational Customer
Information Systems Not Selected
AWS built-in features of the hypervisors that support the infrastructure maintain
separate execution domains/address spaces for executing processes.
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Organizational (Header) Customer (Header)
Organizational Customer
Organizational Customer
Organizational Customer
Organizational Customer
Withdrawn Withdrawn
Information Systems Not Selected
Organizational Customer
Information Systems Customer
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Not Selected
Organizational Customer
Withdrawn Withdrawn
Withdrawn Withdrawn
Organizational Customer
Organizational Customer
Withdrawn Withdrawn
Information Systems Shared AWS built-in features of the AWS Management Console perform input validation
on data entered into all fields during an interactive AWS user account login
process, and the AWS CloudFormation console performs parameter validation
during deployment of AWS CloudFormation templates.
Information Systems (Header) Not Selected (Header)
Information Systems Shared AWS built-in features only reveal AWS infrastructure error messages to AWS
Identity and Access Management (IAM) users who have authenticated and for
whom the appropriate IAM policies have been applied.
Information Systems Customer
Withdrawn Withdrawn
Information Systems Shared AWS built-in features of hypervisors that support this infrastructure and the
baseline AMIs for the operating systems deployed on EC2 instances incorporate
industry-standard memory protection safeguards to protect against unauthorized
code execution. AWS hypervisors and AMIs are periodically patched to maintain
currency with industry standards.
NIST SP 800-171 TIC Capability TIC Capability Summary
3.1.1 Limit information system access to authorized
users, processes acting on behalf of authorized users,
or devices (including other information systems).
3.1.2 Limit information system access to the types of
transactions and functions that authorized users are
permitted to execute.
3.1.9 Provide privacy and security notices consistent TM.COM.02 TIC and Customer
with applicable CUI rules.
3.1.9 Provide privacy and security notices consistent TM.COM.02 TIC and Customer
with applicable CUI rules.
3.1.9 Provide privacy and security notices consistent TM.COM.02 TIC and Customer
with applicable CUI rules.
3.1.9 Provide privacy and security notices consistent TM.COM.02 TIC and Customer
with applicable CUI rules.
3.1.9 Provide privacy and security notices consistent TM.COM.02 TIC and Customer
with applicable CUI rules.
3.1.9 Provide privacy and security notices consistent TM.COM.02 TIC and Customer
with applicable CUI rules.
3.1.9 Provide privacy and security notices consistent TM.COM.02 TIC and Customer
with applicable CUI rules.
3.1.9 Provide privacy and security notices consistent TM.COM.02 TIC and Customer
with applicable CUI rules.
3.1.9 Provide privacy and security notices consistent TM.COM.02 TIC and Customer
with applicable CUI rules.
3.1.9 Provide privacy and security notices consistent TM.COM.02 TIC and Customer
with applicable CUI rules.
3.1.9 Provide privacy and security notices consistent TM.COM.02 TIC and Customer
with applicable CUI rules.
3.1.10 Use session lock with pattern-hiding displays to
prevent access/viewing of data after period of
inactivity.
3.1.10 Use session lock with pattern-hiding displays to
prevent access/viewing of data after period of
inactivity.
3.1.20 Verify and control/limit connections to and use TS.RA.02 External Dedicated Access
of external information systems.
TS.RA.03 Extranet Dedicated Access
3.1.20 Verify and control/limit connections to and use TS.RA.02 External Dedicated Access
of external information systems.
TS.RA.03 Extranet Dedicated Access
3.1.20 Verify and control/limit connections to and use TS.RA.02 External Dedicated Access
of external information systems.
TS.RA.03 Extranet Dedicated Access
TS.INS.01 NCPS
TM.DS.03 Data Ownership
TM.DS.04 Data Attribution & Retrieval
TO.MG.05 TSP
TM.TC.01 Route Diversity
TO.MG.05 TSP
3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
TM.PC.01 TIC Facility
TM.PC.04 Dedicated TIC Spaces

3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
TM.PC.01 TIC Facility
TM.PC.04 Dedicated TIC Spaces

3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
TM.PC.01 TIC Facility
TM.PC.04 Dedicated TIC Spaces

3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
TM.PC.01 TIC Facility
TM.PC.04 Dedicated TIC Spaces

3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
TM.PC.01 TIC Facility
TM.PC.04 Dedicated TIC Spaces

3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
TM.PC.01 TIC Facility
TM.PC.04 Dedicated TIC Spaces

3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
TM.PC.01 TIC Facility
TM.PC.04 Dedicated TIC Spaces

3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
TM.PC.01 TIC Facility
TM.PC.04 Dedicated TIC Spaces
TM.PC.01 TIC Facility
3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
TO.RES.02 Response Guidance

3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
TO.RES.02 Response Guidance

3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
TO.RES.02 Response Guidance

3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
TO.RES.02 Response Guidance
3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
3.14.4 Update malicious code protection mechanisms when new releases are available.
3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
TS.CF.04 Mail Filtering

3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
3.14.4 Update malicious code protection mechanisms when new releases are available.
3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
TS.CF.04 Mail Filtering

3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
3.14.4 Update malicious code protection mechanisms when new releases are available.
3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
TS.CF.04 Mail Filtering

3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
3.14.4 Update malicious code protection mechanisms when new releases are available.
3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
TS.CF.04 Mail Filtering

3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
3.14.4 Update malicious code protection mechanisms when new releases are available.
3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
TS.CF.04 Mail Filtering

3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
3.14.4 Update malicious code protection mechanisms when new releases are available.
3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
TS.CF.04 Mail Filtering

3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
3.14.4 Update malicious code protection mechanisms when new releases are available.
3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
TS.CF.04 Mail Filtering
3.14.6 Monitor the information system, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
3.14.7 Identify unauthorized use of the information system.
TM.DS.03 Data Ownership
TS.CF.05 Agency Specific Mail Filters
TS.CF.08 Mail Quarantine
TS.CF.11 Encrypted Traffic Inspection
TS.INS.02 IDS/NIDS
3.14.6 Monitor the information system, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
TO.MON.01 Situational Awareness
3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.

3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
See control subpart details below.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
All external connections are routed through a TIC access point, scanned and filtered by TIC systems and components according to the TICAP's documented policy, which includes critical security policies when published by US-CERT. The definition of "external connection" is in accordance with the TIC Reference Architecture, Appendix A (Definition of External Connection).
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11).
AC-6(2). Guidance: Related guidance may be found in AC-6(1) and FedRAMP Test Cases v2.0.
N/A

TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11).
AC-6(2). Guidance: Related guidance may be found in AC-6(1) and FedRAMP Test Cases v2.0.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TIC access point supports telework/remote access for TICAP client authorized staff and users using ad-hoc Virtual Private Networks (VPNs) through external connections, including the Internet. This capability is not intended to include permanent VPN connections for remote branch offices or similar locations. In addition to supporting the requirements of OMB M-06-16, "Protection of Sensitive Agency Information," the following baseline capabilities are supported for telework/remote access at the TIC Access Point:
1. The VPN connection terminates behind NCPS and full suite of TIC capabilities which means all outbound traffic to/from the VPN users to external connections, including the Internet, can be inspected by NCPS.
2. The VPN connection terminates in front of TICAP-managed security controls including, but not limited to, a firewall and IDPS to allow traffic to/from remote access users to internal networks to be inspected.
3. NIST FIPS 140-2 validated cryptography is used to implement encryption on all VPN connections (see NIST SP 800-46 Rev1).
4. Split tunneling is not allowed (see NIST SP 800-46 Rev1). Any VPN connection that allows split tunneling is considered an external connection, and terminates in front of NCPS.
5. Multi-factor authentication is used (see NIST SP 800-46 Rev1, OMB M-11-11).
6. VPN concentrators and Virtual Desktop/Application Gateways use hardened appliances maintained as TICAP network security boundary devices.
N/A
The TIC access point supports telework/remote access for TICAP client authorized staff and users using ad-hoc Virtual Private Networks (VPNs) through external connections, including the Internet. This capability is not intended to include permanent VPN connections for remote branch offices or similar locations. In addition to supporting the requirements of OMB M-06-16, "Protection of Sensitive Agency Information," the following baseline capabilities are supported for telework/remote access at the TIC Access Point:
1. The VPN connection terminates behind NCPS and full suite of TIC capabilities which means all outbound traffic to/from the VPN users to external connections, including the Internet, can be inspected by NCPS.
2. The VPN connection terminates in front of TICAP-managed security controls including, but not limited to, a firewall and IDPS to allow traffic to/from remote access users to internal networks to be inspected.
3. NIST FIPS 140-2 validated cryptography is used to implement encryption on all VPN connections (see NIST SP 800-46 Rev1).
4. Split tunneling is not allowed (see NIST SP 800-46 Rev1). Any VPN connection that allows split tunneling is considered an external connection, and terminates in front of NCPS.
5. Multi-factor authentication is used (see NIST SP 800-46 Rev1, OMB M-11-11).
6. VPN concentrators and Virtual Desktop/Application Gateways use hardened appliances maintained as TICAP network security boundary devices.
N/A
The TIC access point supports telework/remote access for TICAP client authorized staff and users using ad-hoc Virtual Private Networks (VPNs) through external connections, including the Internet. This capability is not intended to include permanent VPN connections for remote branch offices or similar locations. In addition to supporting the requirements of OMB M-06-16, "Protection of Sensitive Agency Information," the following baseline capabilities are supported for telework/remote access at the TIC Access Point:
1. The VPN connection terminates behind NCPS and full suite of TIC capabilities which means all outbound traffic to/from the VPN users to external connections, including the Internet, can be inspected by NCPS.
2. The VPN connection terminates in front of TICAP-managed security controls including, but not limited to, a firewall and IDPS to allow traffic to/from remote access users to internal networks to be inspected.
3. NIST FIPS 140-2 validated cryptography is used to implement encryption on all VPN connections (see NIST SP 800-46 Rev1).
4. Split tunneling is not allowed (see NIST SP 800-46 Rev1). Any VPN connection that allows split tunneling is considered an external connection, and terminates in front of NCPS.
5. Multi-factor authentication is used (see NIST SP 800-46 Rev1, OMB M-11-11).
6. VPN concentrators and Virtual Desktop/Application Gateways use hardened appliances maintained as TICAP network security boundary devices.
N/A
This stack does not directly implement this control
The TIC access point supports telework/remote access for TICAP client authorized staff and users using ad-hoc Virtual Private Networks (VPNs) through external connections, including the Internet. This capability is not intended to include permanent VPN connections for remote branch offices or similar locations. In addition to supporting the requirements of OMB M-06-16, "Protection of Sensitive Agency Information," the following baseline capabilities are supported for telework/remote access at the TIC Access Point:
1. The VPN connection terminates behind NCPS and full suite of TIC capabilities which means all outbound traffic to/from the VPN users to external connections, including the Internet, can be inspected by NCPS.
2. The VPN connection terminates in front of TICAP-managed security controls including, but not limited to, a firewall and IDPS to allow traffic to/from remote access users to internal networks to be inspected.
3. NIST FIPS 140-2 validated cryptography is used to implement encryption on all VPN connections (see NIST SP 800-46 Rev1).
4. Split tunneling is not allowed (see NIST SP 800-46 Rev1). Any VPN connection that allows split tunneling is considered an external connection, and terminates in front of NCPS.
5. Multi-factor authentication is used (see NIST SP 800-46 Rev1, OMB M-11-11).
6. VPN concentrators and Virtual Desktop/Application Gateways use hardened appliances maintained as TICAP network security boundary devices.
AWS::EC2::KeyPair::KeyName
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TICAP monitors and logs all network services where possible, including but not limited to, DNS, DHCP, system and network devices, web servers, Active Directory, Firewalls, NTP, and other Information Assurance devices/tools. These logs can be made available to US-CERT on request.
See control subpart details below.

The TICAP monitors and logs all network services where possible, including but not limited to, DNS, DHCP, system and network devices, web servers, Active Directory, Firewalls, NTP, and other Information Assurance devices/tools. These logs can be made available to US-CERT on request.
This stack does not directly implement this control

The TICAP monitors and logs all network services where possible, including but not limited to, DNS, DHCP, system and network devices, web servers, Active Directory, Firewalls, NTP, and other Information Assurance devices/tools. These logs can be made available to US-CERT on request.
This stack does not directly implement this control

The TICAP monitors and logs all network services where possible, including but not limited to, DNS, DHCP, system and network devices, web servers, Active Directory, Firewalls, NTP, and other Information Assurance devices/tools. These logs can be made available to US-CERT on request.
This stack does not directly implement this control
N/A
N/A
N/A
All TIC access point event recording clocks are synchronized to within 3 seconds relative to Coordinated Universal Time (UTC). All TICAP log timestamps include the date and time, with at least to-the-second granularity. Log timestamps that do not use Coordinated Universal Time (UTC) include a clearly marked time zone designation. The intent is to facilitate incident analysis between TICAPs and TIC networks and devices.
AU-3. Requirement: The service provider shall make available the ability to configure and collect audit records pertaining to their instance of the service, including automatic transfer of such records.
For IaaS cloud service instances, the content of these audit records shall include, at a minimum, for all users: source IP address, destination IP address, login time, logout time, login date, logout date, user ID, login success, login failure. Audit records shall log privileged events performed by agency administrator of the service instance including new users created, users locked-out, and changes to administrative settings. Where possible, network layer data elements including, but not limited to source port number, destination port number, network protocol (TCP, UDP, etc.), ICMP type/code, packet length, timestamp and duration, sensor ID information, and TCP flag information shall be included.
For PaaS cloud service instances, the content of these audit records shall include, at a minimum, for all users: source IP address, destination IP address (where applicable), login time, logout time, login date, logout date, user ID, login success, login failure. Audit records shall log privileged events performed by agency administrator of the service instance including new users created, users locked-out, and changes to administrative settings. Where possible, network layer data elements including, but not limited to source port number, destination port number, network protocol (TCP, UDP, etc.), ICMP type/code, packet length, timestamp and duration, sensor ID information, and TCP flag information shall be included.
This stack does not directly implement this control
N/A
N/A
This stack does not directly implement this control
N/A
N/A
The TIC access point participates in the National Cyber Protection System (NCPS, operationally known as Einstein).
N/A

The TIC access point participates in the National Cyber Protection System (NCPS, operationally known as Einstein).
The D/A submits data made available in their cloud services instance as described in AU-3(1) to DHS through automated means [at least hourly]
N/A

The TIC access point participates in the National Cyber Protection System (NCPS, operationally known as Einstein).
The D/A submits data made available in their cloud services instance as described in AU-3(1) to DHS through automated means [at least hourly]
N/A
The TICAP provides access for government authorized auditing of the TIC access point, including all TIC systems and components. Authorized assessment teams are provided access to previous audit results of TIC systems and components, including but not limited to, C&A and ICD documentation.
* Provide access for government authorized audits
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Each TIC access point has a Network Time Protocol (NTP) Stratum 1 system as a stable Primary Reference Time Server (PRTS) synchronized within 0.25 seconds relative to Coordinated Universal Time (UTC). The primary synchronization method is an out-of-band NIST/USNO national reference time source (Stratum 0) such as the Global Positioning System (GPS) or WWV radio clock. See the TIC Reference Architecture, Appendix F for additional information.
This stack does not directly implement this control

Each TIC access point has a Network Time Protocol (NTP) Stratum 1 system as a stable Primary Reference Time Server (PRTS) synchronized within 0.25 seconds relative to Coordinated Universal Time (UTC). The primary synchronization method is an out-of-band NIST/USNO national reference time source (Stratum 0) such as the Global Positioning System (GPS) or WWV radio clock. See the TIC Reference Architecture, Appendix F for additional information.
This stack does not directly implement this control
N/A
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TICAP provides online access to at least 7 days of session traceability and audit ability by capturing and storing logs / files from installed TIC equipment including, but not limited to firewalls, routers, servers and other designated devices. The TICAP maintains the logs needed to establish an audit trail of administrator, user and transaction activity and sufficient to reconstruct security-relevant events occurring on, performed by and passing through TIC systems and components. Note: This capability is intended for immediate, online access in order to trace session connections and analyze security-relevant events. In addition, TM.LOG.04 requires retaining logs for an additional period of time either online or offline.
AU-11: Requirement All service provider event recording logs remain on-line for 7 days.
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The Multi-Service TICAP secures and authenticates the administrative communications (i.e., customer service) between the TICAP operator and each TICAP client.
Dedicated external connections to cloud services should be configured in accordance with the TIC reference architecture.
N/A
N/A
The TIC access point supports dedicated external connections to external partners (e.g., non-TIC federal agencies, externally connected networks at business partners, state/local governments) with a documented mission requirement and approval. This includes, but not limited to, permanent VPN over external connections, including the Internet, and dedicated private line connections to other external networks. The following baseline capabilities are supported for external dedicated VPN and private line connections at the TIC Access Point:
1. The connection terminates in front of NCPS to allow traffic to/from the external connections to be inspected.
2. The connection terminates in front of the full suite of TIC capabilities to allow traffic to/from external connections to be inspected.
3. VPN connections use NIST FIPS 140-2 validated cryptography over shared public networks, including the Internet.
4. Connections terminated in front of NCPS may use split tunneling.
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TICAP collects customer service metrics about the TIC access point, and reports them to its customers, DHS, and/or OMB as required. Examples of customer service metrics include, but are not limited to, performance within SLA provisions, issue identification, issue resolution, customer satisfaction, and quality of service.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
AWS::CloudFormation::Stack
AWS::EC2::KeyPair::KeyName
N/A
N/A
N/A
N/A
AWS::CloudFormation::Stack
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TICAP follows a formal configuration management and change management process to maintain a proper baseline.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
TIC systems and components in the TIC access point are configured according to the principle of "least functionality," in that they provide only essential capabilities and specifically prohibit or restrict the use of non-essential functions, ports, protocols, and/or services.
See control subpart details below.

TIC systems and components in the TIC access point are configured according to the principle of "least functionality," in that they provide only essential capabilities and specifically prohibit or restrict the use of non-essential functions, ports, protocols, and/or services.
AWS::CloudFormation::Stack
AWS::EC2::KeyPair::KeyName

TIC systems and components in the TIC access point are configured according to the principle of "least functionality," in that they provide only essential capabilities and specifically prohibit or restrict the use of non-essential functions, ports, protocols, and/or services.
AWS::EC2::KeyPair::KeyName
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TICAP develops, documents, and maintains a current inventory of all TIC information systems and components, including relevant ownership information.
See control subpart details below.

The TICAP develops, documents, and maintains a current inventory of all TIC information systems and components, including relevant ownership information.
This stack does not directly implement this control

The TICAP develops, documents, and maintains a current inventory of all TIC information systems and components, including relevant ownership information.
This stack does not directly implement this control

The TICAP develops, documents, and maintains a current inventory of all TIC information systems and components, including relevant ownership information.
This stack does not directly implement this control
N/A
N/A
N/A
N/A
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
In the event of a TICAP system failure or compromise, the TICAP has the capability to restore operations to a previous clean state. Backups of configurations and data are maintained off-site in accordance with the TICAP continuity of operations plan.
CP-2 Requirement: Service provider operations personnel have 24x7 physical or remote access to management systems, which control the service devices. Using this access, operations personnel can terminate, troubleshoot or repair external connections, including to the Internet, as required.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TIC access point follows the National Communications System (NCS) recommendations for Route Diversity, including at least two physically separate points of entry at the TIC access point and physically separate cabling paths to an external telecommunications provider or Internet provider facility.
CP-8(2) Requirement: The service provider follows the National Communications System (NCS) recommendations for Route Diversity, including at least two physically separate points of entry and physically separate cabling paths to an external telecommunications provider or Internet provider facility.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
All TIC systems and components of the TIC access point support both IPv4 and IPv6 protocols in accordance with OMB Memorandum M-05-22 and Federal CIO memorandum “Transition to IPv6.”
- The TICAP supports both IPv4 and IPv6 addresses and can transit both native IPv4 and native IPv6 traffic (i.e. dual-stack) between external connections and agency internal networks. The TICAP may also support other IPv6 transit methods such as tunneling or translation.
- The TICAP ensures that TIC access point systems implement IPv6 capabilities (native, tunneling or translation), without compromising IPv4 capabilities or security. IPv6 security capabilities should achieve at least functional parity with IPv4 security capabilities.
CP-11 Requirement: All service provider systems and components support both IPv4 and IPv6 protocols for tenants in accordance with OMB Memorandum M-05-22 and Federal CIO memorandum “Transition to IPv6.”
• The service provider has the capability to support both IPv4 and IPv6 addresses for tenants and can transit both native IPv4 and native IPv6 traffic (i.e. dual-stack) between external connections. The service provider may also support other IPv6 transit methods such as tunneling or translation. The service provider has the capacity to activate these IPv6 capabilities upon request of the D/A client.
• The service provider ensures that systems have the capacity to implement IPv6 capabilities (native, tunneling or translation) for tenants, without compromising IPv4 capabilities or security. IPv6 security capabilities should achieve at least functional parity with IPv4 security capabilities.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11).
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11).
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11).
N/A
N/A
N/A
N/A
TIC systems and components comply with NIST SP IA-5 Guidance: The service provider will support mechanisms N/A
800-53 identification and authentication controls for for tenant management over encrypted channels.
high impact systems (FIPS 199). Administrative
access to TIC access point devices requires multi-
factor authentication (OMB M-11-11).
The TIC access point limits and documents the use
of unauthenticated, clear text protocols for TIC
management and will phase out such protocols or
enable cryptographic authentication where
technically and operationally feasible.
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). The TIC access point limits and documents the use of unauthenticated, clear text protocols for TIC management and will phase out such protocols or enable cryptographic authentication where technically and operationally feasible. | IA-5 Guidance: The service provider will support mechanisms for tenant management over encrypted channels. | N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). The TIC access point limits and documents the use of unauthenticated, clear text protocols for TIC management and will phase out such protocols or enable cryptographic authentication where technically and operationally feasible. | IA-5 Guidance: The service provider will support mechanisms for tenant management over encrypted channels. | N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | IA-5 Guidance: The service provider will support mechanisms for tenant management over encrypted channels. | N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). The TIC access point limits and documents the use of unauthenticated, clear text protocols for TIC management and will phase out such protocols or enable cryptographic authentication where technically and operationally feasible. | IA-5 Guidance: The service provider will support mechanisms for tenant management over encrypted channels. | N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | IA-5 Guidance: The service provider will support mechanisms for tenant management over encrypted channels. | N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). The TIC access point limits and documents the use of unauthenticated, clear text protocols for TIC management and will phase out such protocols or enable cryptographic authentication where technically and operationally feasible. | IA-5 Guidance: The service provider will support mechanisms for tenant management over encrypted channels. | N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | IA-5 Guidance: The service provider will support mechanisms for tenant management over encrypted channels. | N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | See control subpart details below.
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | This stack does not directly implement this control
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | This stack does not directly implement this control
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | This stack does not directly implement this control
N/A
N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | N/A
N/A
N/A
N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | This stack does not directly implement this control
N/A
N/A
N/A
N/A
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | This stack does not directly implement this control
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | This stack does not directly implement this control
TIC systems and components comply with NIST SP 800-53 identification and authentication controls for high impact systems (FIPS 199). Administrative access to TIC access point devices requires multi-factor authentication (OMB M-11-11). | This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
The TICAP validates routing protocol information using authenticated protocols. The TICAP configures Border Gateway Protocol (BGP) sessions in accordance with, but not limited to, the following recommendation from NIST SP 800-54: BGP sessions are protected with the MD5 signature option. NIST and DHS are collaborating on additional BGP robustness mechanisms, and plan to publish future deployment recommendations and guidance. | IA-9 Recommended: The service provider validates routing protocol information using authenticated protocols. Border Gateway Protocol (BGP) sessions are configured in accordance with, but not limited to, the following recommendation from NIST SP 800-54: BGP sessions are protected with the MD5 signature option. | N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TIC management location, such as a Network Operations Center (NOC) and/or Security Operations Center (SOC), is staffed 24x7. On-scene personnel are qualified and authorized to initiate appropriate technical responses, including when external access is disrupted. | IR-1 Requirement: The service provider system management location is staffed 24x7. On-scene personnel are capable of supporting incident response. | N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TICAP reports incidents to US-CERT in accordance with federal laws, regulations and guidance. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP reports incidents to US-CERT in accordance with federal laws, regulations and guidance. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP reports incidents to US-CERT in accordance with federal laws, regulations and guidance. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
The TICAP maintains normal delegations and devolution of authority to ensure essential incident response performance to a no-notice event. This includes, but is not limited to, terminating, limiting or modifying access to external connections, including to the Internet, based on documented criteria, including when advised by US-CERT. | CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01. | N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
This stack does not directly implement this control
N/A
N/A
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
N/A
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
N/A
N/A
N/A
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
This stack does not directly implement this control
N/A
N/A
N/A
This stack does not directly implement this control
N/A
N/A
N/A
This stack does not directly implement this control
N/A
N/A
N/A
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
N/A
N/A
N/A
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). The TIC access points and TIC management functions, such as NOC/SOC, are located in spaces dedicated for exclusive use or support of the U.S. Government. The space is secured by physical access controls to ensure that TIC systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). The TIC access points and TIC management functions, such as NOC/SOC, are located in spaces dedicated for exclusive use or support of the U.S. Government. The space is secured by physical access controls to ensure that TIC systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). The TIC access points and TIC management functions, such as NOC/SOC, are located in spaces dedicated for exclusive use or support of the U.S. Government. The space is secured by physical access controls to ensure that TIC systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). The TIC access points and TIC management functions, such as NOC/SOC, are located in spaces dedicated for exclusive use or support of the U.S. Government. The space is secured by physical access controls to ensure that TIC systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). The TIC access points and TIC management functions, such as NOC/SOC, are located in spaces dedicated for exclusive use or support of the U.S. Government. The space is secured by physical access controls to ensure that TIC systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). The TIC access points and TIC management functions, such as NOC/SOC, are located in spaces dedicated for exclusive use or support of the U.S. Government. The space is secured by physical access controls to ensure that TIC systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). The TIC access points and TIC management functions, such as NOC/SOC, are located in spaces dedicated for exclusive use or support of the U.S. Government. The space is secured by physical access controls to ensure that TIC systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). The TIC access points and TIC management functions, such as NOC/SOC, are located in spaces dedicated for exclusive use or support of the U.S. Government. The space is secured by physical access controls to ensure that TIC systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). The TIC access points and TIC management functions, such as NOC/SOC, are located in spaces dedicated for exclusive use or support of the U.S. Government. The space is secured by physical access controls to ensure that TIC systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). The TIC access points and TIC management functions, such as NOC/SOC, are located in spaces dedicated for exclusive use or support of the U.S. Government. The space is secured by physical access controls to ensure that TIC systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | PE-3 Recommended for Moderate-impact deployments: The cloud systems and management functions are secured by physical access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated spaces include, but are not limited to, secured racks, cages, rooms, and buildings. | This stack does not directly implement this control
N/A
N/A
N/A
N/A
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
N/A
N/A
This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
N/A
N/A
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
N/A
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
N/A
N/A
N/A
N/A
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
N/A
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
N/A
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
N/A
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
The TIC access points comply with NIST SP 800-53 physical security controls for high impact systems (FIPS 199). | This stack does not directly implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
See control subpart details
below.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
FedRAMP TIC Overlay requirement: SC-4 Recommended for Low-impact deployments: The cloud systems and management functions are located in logically isolated spaces dedicated for exclusive use. The space is secured by access controls to ensure that systems and components are accessible only by authorized personnel. Examples of dedicated logically isolated spaces include, but are not limited to, hypervisor protections to isolate guests in hosts (ensuring previous guest memory is not accessible by concurrent or subsequent guests), and network communication isolation between customers and cloud management via VLAN/VXLAN or similar logical network separation in end hosts as well as interconnecting switches.
Quick Start mapping: This stack does not directly implement this control.
N/A
N/A
TIC capability: The TICAP manages filters, excess capacity, bandwidth or other redundancy to limit the effects of information flooding types of denial of service attacks on the organization's internal networks and TICAP services. The TICAP has agreements with external network operators to reduce the susceptibility to, and respond to, information flooding types of denial of service attacks. The Multi-Service TICAP mitigates the impact on non-targeted TICAP clients from a DOS attack on a particular TICAP client. This may include diverting information flooding types of denial of service attacks targeting a particular TICAP client in order to maintain service to other TICAP clients.
FedRAMP TIC Overlay requirement: SC-5 Requirements:
* Service provider mitigates the impact on a non-targeted client from a DOS attack on another client.
* Service provider manages filters, excess capacity, bandwidth or other redundancy to limit the effects of information flooding types of denial of service attacks.
Related guidance may be found in SC-5, FedRAMP Test Cases v2.0.
Quick Start mapping: This stack does not directly implement this control.
N/A
N/A
N/A
N/A
N/A
N/A
TIC capability: The TIC access point uses a combination of application firewalls (stateful application protocol analysis), application-proxy gateways, and other available technical means to implement inbound and outbound application layer filtering. The TICAP will develop and implement a risk-based policy on filtering or proxying new protocols
The TIC access point filters outbound web sessions from TICAP clients based on, but not limited to: web content, active content, destination URL pattern, and IP address. Web filters have the capability of blocking malware, fake software updates, fake antivirus offers, phishing offers and botnets/keyloggers calling home.
The TIC access point filters inbound web sessions to web servers at the HTTP/HTTPS/SOAP/XML-RPC/Web Service application layers from, but not limited to, cross site scripting (XSS), SQL injection flaws, session tampering, buffer overflows and malicious web crawlers.
The TIC access point performs malware scanning, filters content, and blocks spam-sending servers as specified by NIST 800-45, "Guidelines for Electronic Mail Security," for inbound and outbound mail. These TIC access point protections are in addition to malware scanning and content filtering performed by the agency's mail servers and end-user's host systems. The TICAP takes agency specified actions for potentially malicious or undesirable mail, including at least the following actions: block messages, tag undesirable content, sanitize
FedRAMP TIC Overlay requirement: SC-7 Requirements:
* The service provider will make cloud-based log data (as defined in AU-3) for external network accesses to the D/A resources available to the agency so it can be analyzed by the tenant and potentially US-CERT.
* The service provider implements (using malicious address and domain information from the client D/A and US-CERT):
1) stateless blocking of unallowed [SC-7(5)] outbound connections without being limited by connection state tables of systems and components. Attributes inspected by stateless blocks include, but are not limited to:
• Direction (inbound, outbound, interface)
• Source and destination IPv4/IPv6 addresses and network masks
• Network protocols (TCP, UDP, ICMP, etc.)
• Source and destination port numbers (TCP, UDP)
• Message codes (ICMP)
2) filters DNS queries for known malicious domains
By default, the service provider blocks unsolicited inbound connections. For authorized outbound connections, the service provider implements stateful inspection that tracks the state of all outbound connections and blocks packets which deviate from standard protocol state transitions. Protocols supported by stateful inspection devices include, but are not limited to:
• ICMP (errors matched to original protocol header)
• TCP (using protocol state transitions)
• UDP (using timeouts)
• Other Internet protocols (using timeouts)
• Stateless network filtering attributes
For web based services, the service provider filters inbound web sessions to web servers at the HTTP/HTTPS/SOAP/XML-RPC/Web Service application layers from, but not limited to, cross site scripting (XSS), SQL injection flaws, session
Quick Start mapping: See control subpart details below.
TIC capability: The TIC access point uses a combination of application firewalls (stateful application protocol analysis), application-proxy gateways, and other available technical means to implement inbound and outbound application layer filtering. The TICAP will develop and implement a risk-based policy on filtering or proxying new protocols
The TIC access point filters outbound web sessions from TICAP clients based on, but not limited to: web content, active content, destination URL pattern, and IP address. Web filters have the capability of blocking malware, fake software updates, fake antivirus offers, phishing offers and botnets/keyloggers calling home.
The TIC access point filters inbound web sessions to web servers at the HTTP/HTTPS/SOAP/XML-RPC/Web Service application layers from, but not limited to, cross site scripting (XSS), SQL injection flaws, session tampering, buffer overflows and malicious web crawlers.
The TIC access point performs malware scanning, filters content, and blocks spam-sending servers as specified by NIST 800-45, "Guidelines for Electronic Mail Security," for inbound and outbound mail. These TIC access point protections are in addition to malware scanning and content filtering performed by the agency's mail servers and end-user's host systems. The TICAP takes agency specified actions for potentially malicious or undesirable mail, including at least the following actions: block messages, tag undesirable content, sanitize
FedRAMP TIC Overlay requirement: SC-7 Requirements:
* The service provider will make cloud-based log data (as defined in AU-3) for external network accesses to the D/A resources available to the agency so it can be analyzed by the tenant and potentially US-CERT.
* The service provider implements (using malicious address and domain information from the client D/A and US-CERT):
1) stateless blocking of unallowed [SC-7(5)] outbound connections without being limited by connection state tables of systems and components. Attributes inspected by stateless blocks include, but are not limited to:
• Direction (inbound, outbound, interface)
• Source and destination IPv4/IPv6 addresses and network masks
• Network protocols (TCP, UDP, ICMP, etc.)
• Source and destination port numbers (TCP, UDP)
• Message codes (ICMP)
2) filters DNS queries for known malicious domains
By default, the service provider blocks unsolicited inbound connections. For authorized outbound connections, the service provider implements stateful inspection that tracks the state of all outbound connections and blocks packets which deviate from standard protocol state transitions. Protocols supported by stateful inspection devices include, but are not limited to:
• ICMP (errors matched to original protocol header)
• TCP (using protocol state transitions)
• UDP (using timeouts)
• Other Internet protocols (using timeouts)
• Stateless network filtering attributes
For web based services, the service provider filters inbound web sessions to web servers at the HTTP/HTTPS/SOAP/XML-RPC/Web Service application layers from, but not limited to, cross site scripting (XSS), SQL injection flaws, session
Quick Start mapping: This stack does not directly implement this control.
TIC capability: The TIC access point uses a combination of application firewalls (stateful application protocol analysis), application-proxy gateways, and other available technical means to implement inbound and outbound application layer filtering. The TICAP will develop and implement a risk-based policy on filtering or proxying new protocols
The TIC access point filters outbound web sessions from TICAP clients based on, but not limited to: web content, active content, destination URL pattern, and IP address. Web filters have the capability of blocking malware, fake software updates, fake antivirus offers, phishing offers and botnets/keyloggers calling home.
The TIC access point filters inbound web sessions to web servers at the HTTP/HTTPS/SOAP/XML-RPC/Web Service application layers from, but not limited to, cross site scripting (XSS), SQL injection flaws, session tampering, buffer overflows and malicious web crawlers.
The TIC access point performs malware scanning, filters content, and blocks spam-sending servers as specified by NIST 800-45, "Guidelines for Electronic Mail Security," for inbound and outbound mail. These TIC access point protections are in addition to malware scanning and content filtering performed by the agency's mail servers and end-user's host systems. The TICAP takes agency specified actions for potentially malicious or undesirable mail, including at least the following actions: block messages, tag undesirable content, sanitize
FedRAMP TIC Overlay requirement: SC-7 Requirements:
* The service provider will make cloud-based log data (as defined in AU-3) for external network accesses to the D/A resources available to the agency so it can be analyzed by the tenant and potentially US-CERT.
* The service provider implements (using malicious address and domain information from the client D/A and US-CERT):
1) stateless blocking of unallowed [SC-7(5)] outbound connections without being limited by connection state tables of systems and components. Attributes inspected by stateless blocks include, but are not limited to:
• Direction (inbound, outbound, interface)
• Source and destination IPv4/IPv6 addresses and network masks
• Network protocols (TCP, UDP, ICMP, etc.)
• Source and destination port numbers (TCP, UDP)
• Message codes (ICMP)
2) filters DNS queries for known malicious domains
By default, the service provider blocks unsolicited inbound connections. For authorized outbound connections, the service provider implements stateful inspection that tracks the state of all outbound connections and blocks packets which deviate from standard protocol state transitions. Protocols supported by stateful inspection devices include, but are not limited to:
• ICMP (errors matched to original protocol header)
• TCP (using protocol state transitions)
• UDP (using timeouts)
• Other Internet protocols (using timeouts)
• Stateless network filtering attributes
For web based services, the service provider filters inbound web sessions to web servers at the HTTP/HTTPS/SOAP/XML-RPC/Web Service application layers from, but not limited to, cross site scripting (XSS), SQL injection flaws, session
Quick Start mapping: This stack does not directly implement this control.
TIC capability: The TIC access point uses a combination of application firewalls (stateful application protocol analysis), application-proxy gateways, and other available technical means to implement inbound and outbound application layer filtering. The TICAP will develop and implement a risk-based policy on filtering or proxying new protocols
The TIC access point filters outbound web sessions from TICAP clients based on, but not limited to: web content, active content, destination URL pattern, and IP address. Web filters have the capability of blocking malware, fake software updates, fake antivirus offers, phishing offers and botnets/keyloggers calling home.
The TIC access point filters inbound web sessions to web servers at the HTTP/HTTPS/SOAP/XML-RPC/Web Service application layers from, but not limited to, cross site scripting (XSS), SQL injection flaws, session tampering, buffer overflows and malicious web crawlers.
The TIC access point performs malware scanning, filters content, and blocks spam-sending servers as specified by NIST 800-45, "Guidelines for Electronic Mail Security," for inbound and outbound mail. These TIC access point protections are in addition to malware scanning and content filtering performed by the agency's mail servers and end-user's host systems. The TICAP takes agency specified actions for potentially malicious or undesirable mail, including at least the following actions: block messages, tag undesirable content, sanitize
FedRAMP TIC Overlay requirement: SC-7 Requirements:
* The service provider will make cloud-based log data (as defined in AU-3) for external network accesses to the D/A resources available to the agency so it can be analyzed by the tenant and potentially US-CERT.
* The service provider implements (using malicious address and domain information from the client D/A and US-CERT):
1) stateless blocking of unallowed [SC-7(5)] outbound connections without being limited by connection state tables of systems and components. Attributes inspected by stateless blocks include, but are not limited to:
• Direction (inbound, outbound, interface)
• Source and destination IPv4/IPv6 addresses and network masks
• Network protocols (TCP, UDP, ICMP, etc.)
• Source and destination port numbers (TCP, UDP)
• Message codes (ICMP)
2) filters DNS queries for known malicious domains
By default, the service provider blocks unsolicited inbound connections. For authorized outbound connections, the service provider implements stateful inspection that tracks the state of all outbound connections and blocks packets which deviate from standard protocol state transitions. Protocols supported by stateful inspection devices include, but are not limited to:
• ICMP (errors matched to original protocol header)
• TCP (using protocol state transitions)
• UDP (using timeouts)
• Other Internet protocols (using timeouts)
• Stateless network filtering attributes
For web based services, the service provider filters inbound web sessions to web servers at the HTTP/HTTPS/SOAP/XML-RPC/Web Service application layers from, but not limited to, cross site scripting (XSS), SQL injection flaws, session
Quick Start mapping: This stack does not directly implement this control.
N/A
N/A
N/A
N/A
TIC capability: The TIC access point supports telework/remote access for TICAP client authorized staff and users using ad-hoc Virtual Private Networks (VPNs) through external connections, including the Internet. This capability is not intended to include permanent VPN connections for remote branch offices or similar locations. In addition to supporting the requirements of OMB M-06-16, "Protection of Sensitive Agency Information," the following baseline capabilities are supported for telework/remote access at the TIC Access Point:
1. The VPN connection terminates behind NCPS and the full suite of TIC capabilities, which means all outbound traffic to/from the VPN users to external connections, including the Internet, can be inspected by NCPS.
2. The VPN connection terminates in front of TICAP-managed security controls including, but not limited to, a firewall and IDPS, to allow traffic to/from remote access users to internal networks to be inspected.
3. NIST FIPS 140-2 validated cryptography is used to implement encryption on all VPN connections (see NIST SP 800-46 Rev1).
4. Split tunneling is not allowed (see NIST SP 800-46 Rev1). Any VPN connection that allows split tunneling is considered an external connection, and terminates in front of NCPS.
5. Multi-factor authentication is used (see NIST SP 800-46 Rev1, OMB M-11-11).
6. VPN concentrators and Virtual-Desktop/Application Gateways use hardened appliances maintained as TICAP network security boundary devices.
Quick Start mapping: N/A
TIC capability: The TIC access point uses a combination of application firewalls (stateful application protocol analysis), application-proxy gateways, and other available technical means to implement inbound and outbound application layer filtering. The TICAP will develop and implement a risk-based policy on filtering or proxying new protocols
Quick Start mapping: N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
This stack does not directly
implement this control
N/A
N/A
N/A
N/A
N/A
This stack does not directly
implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
TIC capability: The TIC access point supports hosted DNS services, including DNSSEC, for TICAP client domains. The TICAP configures DNS services in accordance with, but not limited to, the following recommendations from NIST SP 800-81 Rev 1:
1. The TICAP deploys separate authoritative name servers from caching (also known as resolving/recursive) name servers, or an alternative architecture preventing cache poisoning.
2. The TICAP implements DNSSEC by meeting NIST SP 800-81 Rev 1 for key generation, key storage, key publishing, zone signing and signature verification.
Quick Start mapping: N/A
N/A
N/A
TIC capability: The TIC access point supports hosted DNS services, including DNSSEC, for TICAP client domains. The TICAP configures DNS services in accordance with, but not limited to, the following recommendations from NIST SP 800-81 Rev 1:
1. The TICAP deploys separate authoritative name servers from caching (also known as resolving/recursive) name servers, or an alternative architecture preventing cache poisoning.
2. The TICAP implements DNSSEC by meeting NIST SP 800-81 Rev 1 for key generation, key storage, key publishing, zone signing and signature verification.
Quick Start mapping: N/A
N/A
TIC capability: The TIC access point supports hosted DNS services, including DNSSEC, for TICAP client domains. The TICAP configures DNS services in accordance with, but not limited to, the following recommendations from NIST SP 800-81 Rev 1:
1. The TICAP deploys separate authoritative name servers from caching (also known as resolving/recursive) name servers, or an alternative architecture preventing cache poisoning.
2. The TICAP implements DNSSEC by meeting NIST SP 800-81 Rev 1 for key generation, key storage, key publishing, zone signing and signature verification.
Quick Start mapping: N/A
N/A
N/A
N/A
N/A
N/A
This stack does not directly
implement this control
N/A
N/A
N/A
N/A
This stack does not directly
implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
This stack does not directly
implement this control
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
TIC capability: TIC operations personnel acknowledge, implement, and document tactical threat and vulnerability mitigation guidance provided by US-CERT.
FedRAMP TIC Overlay requirement: CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01.
Quick Start mapping: N/A
TIC capability: TIC operations personnel acknowledge, implement, and document tactical threat and vulnerability mitigation guidance provided by US-CERT.
FedRAMP TIC Overlay requirement: CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01.
Quick Start mapping: N/A
TIC capability: TIC operations personnel acknowledge, implement, and document tactical threat and vulnerability mitigation guidance provided by US-CERT.
FedRAMP TIC Overlay requirement: CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01.
Quick Start mapping: N/A
TIC capability: TIC operations personnel acknowledge, implement, and document tactical threat and vulnerability mitigation guidance provided by US-CERT.
FedRAMP TIC Overlay requirement: CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01.
Quick Start mapping: N/A
TIC capability: TIC operations personnel acknowledge, implement, and document tactical threat and vulnerability mitigation guidance provided by US-CERT.
FedRAMP TIC Overlay requirement: CSPs follow FedRAMP guidance on reporting and interfacing with US-CERT. Agencies follow M-15-01.
Quick Start mapping: N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
TIC capability: The Multi-Service TICAP documents in the agreement with the customer agency that the customer agency retains ownership of its data collected by the TICAP.
The TIC access point uses an agency-specified custom-processing list with at least the combinations of senders, recipients, network IP addresses or host names. The agency-specified custom-processing list has custom TICAP malware and content filtering actions. Mail allowed by an agency-specified custom-processing list is still scanned by the TICAP for malware or undesirable content and tagged if found. Multi-Service TICAPs tailor their malware and content filtering services for individual agency mail domains.
FedRAMP TIC Overlay requirement: SI-4 Recommended: For email services, it is recommended the service enable quarantine functionality for mail categorized as potentially suspicious while the agency's mail domain reviews and decides what action to take. The agency's mail domain can take at least the following actions: block the message, deliver the message, sanitize malicious content and tag undesirable content.
SI-4(10) Requirement: The service provider documentation includes a description of defensive measures taken to protect clients from malicious content or unauthorized data exfiltration.
Quick Start mapping: N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
TIC capability: The TIC access point performs malware scanning, filters content, and blocks spam-sending servers as specified by NIST 800-45, "Guidelines for Electronic Mail Security," for inbound and outbound mail. These TIC access point protections are in addition to malware scanning and content filtering performed by the agency's mail servers and end-user's host systems. The TICAP takes agency specified actions for potentially malicious or undesirable mail, including at least the following actions: block messages, tag undesirable content, sanitize malicious content, and deliver normally. Multi-Service TICAPs tailor their malware and content filtering services for individual agency mail domains.
Quick Start mapping: N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
AWS Quick Start CloudFormation Template Mapping
AWS::IAM::Group This stack does not directly This stack does not directly This stack does not directly This stack does not directly
AWS::IAM::InstanceProfile implement this control implement this control implement this control implement this control
AWS::IAM::ManagedPolicy
AWS::IAM::Role
This stack does not directly This stack does not directly This stack does not directly AWS::CloudTrail::Trail This stack does not directly
implement this control implement this control implement this control AWS::CloudWatch::Alarm implement this control
AWS::SNS::Topic
AWS::S3::Bucket
N/A N/A N/A N/A N/A
AWS::IAM::Group This stack does not directly This stack does not directly AWS::IAM::InstanceProfile This stack does not directly
AWS::IAM::InstanceProfile implement this control implement this control AWS::IAM::Role implement this control
AWS::IAM::ManagedPolicy AWS::CloudTrail::Trail
AWS::IAM::Role AWS::CloudWatch::Alarm
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
AWS::IAM::Group This stack does not directly This stack does not directly This stack does not directly This stack does not directly
AWS::IAM::InstanceProfile implement this control implement this control implement this control implement this control
AWS::IAM::ManagedPolicy
AWS::IAM::Role
This stack does not directly This stack does not directly This stack does not directly AWS::CloudTrail::Trail This stack does not directly
implement this control implement this control implement this control AWS::S3::Bucket implement this control
AWS::IAM::Group This stack does not directly This stack does not directly AWS::IAM::InstanceProfile AWS::IAM::InstanceProfile
AWS::IAM::InstanceProfile implement this control implement this control AWS::IAM::Role AWS::IAM::Role
AWS::IAM::ManagedPolicy AWS::S3::BucketPolicy
AWS::IAM::Role AWS::S3::Bucket
N/A N/A N/A N/A N/A
AWS::IAM::Group AWS::EC2::Instance This stack does not directly AWS::IAM::InstanceProfile This stack does not directly
AWS::IAM::InstanceProfile implement this control AWS::IAM::Role implement this control
AWS::IAM::ManagedPolicy AWS::S3::BucketPolicy
AWS::IAM::Policy AWS::S3::Bucket
AWS::IAM::Role
AWS::IAM::Group This stack does not directly This stack does not directly AWS::IAM::InstanceProfile This stack does not directly
AWS::IAM::InstanceProfile implement this control implement this control AWS::IAM::Role implement this control
AWS::IAM::ManagedPolicy AWS::S3::BucketPolicy
AWS::IAM::Policy AWS::S3::Bucket
AWS::IAM::Role
AWS::IAM::Group This stack does not directly This stack does not directly AWS::IAM::InstanceProfile This stack does not directly
AWS::IAM::InstanceProfile implement this control implement this control AWS::IAM::Role implement this control
AWS::IAM::ManagedPolicy AWS::S3::BucketPolicy
AWS::IAM::Policy AWS::S3::Bucket
AWS::IAM::Role
AWS::IAM::Group This stack does not directly This stack does not directly AWS::IAM::InstanceProfile This stack does not directly
AWS::IAM::InstanceProfile implement this control implement this control AWS::IAM::Role implement this control
AWS::IAM::ManagedPolicy AWS::S3::BucketPolicy
AWS::IAM::Policy AWS::S3::Bucket
AWS::IAM::Role
AWS::IAM::Group This stack does not directly This stack does not directly AWS::IAM::InstanceProfile This stack does not directly
AWS::IAM::InstanceProfile implement this control implement this control AWS::IAM::Role implement this control
AWS::IAM::ManagedPolicy AWS::S3::BucketPolicy
AWS::IAM::Policy AWS::S3::Bucket
AWS::IAM::Role
AWS::IAM::Group This stack does not directly This stack does not directly AWS::IAM::InstanceProfile This stack does not directly
AWS::IAM::InstanceProfile implement this control implement this control AWS::IAM::Role implement this control
AWS::IAM::ManagedPolicy AWS::S3::BucketPolicy
AWS::IAM::Policy AWS::S3::Bucket
AWS::IAM::Role
AWS::IAM::Group This stack does not directly This stack does not directly AWS::IAM::InstanceProfile This stack does not directly
AWS::IAM::InstanceProfile implement this control implement this control AWS::IAM::Role implement this control
AWS::IAM::ManagedPolicy AWS::S3::BucketPolicy
AWS::IAM::Policy AWS::S3::Bucket
AWS::IAM::Role
This stack does not directly AWS::EC2::SecurityGroup AWS::EC2::SecurityGroup AWS::S3::Bucket This stack does not directly
implement this control AWS::EC2::Route AWS::EC2::Route AWS::S3::BucketPolicy implement this control
AWS::EC2::RouteTable AWS::EC2::RouteTable
AWS::EC2::SubnetRouteTabl AWS::EC2::SubnetRouteTabl
eAssociation eAssociation
AWS::EC2::NetworkInterface AWS::EC2::NetworkInterface
This stack does not directly This stack does not directly This stack does not directly AWS::CloudTrail::Trail This stack does not directly
implement this control implement this control implement this control AWS::CloudWatch::Alarm implement this control
AWS::SNS::Topic
AWS::S3::Bucket
AWS::IAM::Group This stack does not directly This stack does not directly This stack does not directly This stack does not directly
AWS::IAM::InstanceProfile implement this control implement this control implement this control implement this control
AWS::IAM::ManagedPolicy
AWS::IAM::Role
See control subpart details See control subpart details See control subpart details See control subpart details See control subpart details
below. below. below. below. below.
This stack does not directly This stack does not directly This stack does not directly AWS::CloudTrail::Trail This stack does not directly
implement this control implement this control implement this control AWS::S3::Bucket implement this control
This stack does not directly This stack does not directly This stack does not directly AWS::CloudTrail::Trail This stack does not directly
implement this control implement this control implement this control AWS::S3::Bucket implement this control
This stack does not directly This stack does not directly This stack does not directly AWS::CloudTrail::Trail This stack does not directly
implement this control implement this control implement this control AWS::S3::Bucket implement this control
This stack does not directly This stack does not directly This stack does not directly AWS::CloudTrail::Trail This stack does not directly
implement this control implement this control implement this control AWS::CloudWatch::Alarm implement this control
AWS::SNS::Topic
This stack does not directly This stack does not directly This stack does not directly AWS::CloudTrail::Trail This stack does not directly
implement this control implement this control implement this control AWS::CloudWatch::Alarm implement this control
AWS::S3::Bucket
This stack does not directly This stack does not directly This stack does not directly AWS::S3::Bucket This stack does not directly
implement this control implement this control implement this control AWS::S3::BucketPolicy implement this control
| Template column 1 | Template column 2 | Template column 3 | Template column 4 | Template column 5 |
|---|---|---|---|---|
| See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::CloudTrail::Trail | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::CloudTrail::Trail, AWS::CloudWatch::Alarm, AWS::SNS::Topic | AWS::Config::ConfigRule, AWS::Lambda::Function |
| See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::S3::Bucket, AWS::CloudTrail::Trail | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::S3::Bucket, AWS::CloudTrail::Trail | This stack does not directly implement this control |
| See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::CloudTrail::Trail | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::CloudTrail::Trail | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::CloudTrail::Trail | This stack does not directly implement this control |
| AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::ManagedPolicy, AWS::IAM::Role | This stack does not directly implement this control | This stack does not directly implement this control | AWS::IAM::InstanceProfile, AWS::IAM::Role, AWS::S3::BucketPolicy | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::CloudTrail::Trail, AWS::S3::Bucket | This stack does not directly implement this control |
| AWS::IAM::Role, AWS::IAM::Group | This stack does not directly implement this control | This stack does not directly implement this control | AWS::IAM::Role, AWS::CloudTrail::Trail, AWS::S3::Bucket, AWS::S3::BucketPolicy | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::S3::Bucket, AWS::S3::BucketPolicy, AWS::CloudTrail::Trail | This stack does not directly implement this control |
| AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::ManagedPolicy, AWS::IAM::Policy, AWS::IAM::Role | This stack does not directly implement this control | This stack does not directly implement this control | AWS::IAM::InstanceProfile, AWS::IAM::Role, AWS::CloudTrail::Trail, AWS::CloudWatch::Alarm, AWS::SNS::Topic, AWS::S3::Bucket | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::CloudTrail::Trail, AWS::S3::Bucket, AWS::S3::BucketPolicy | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::CloudTrail::Trail, AWS::S3::Bucket | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::CloudTrail::Trail, AWS::S3::Bucket | This stack does not directly implement this control |
| AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::ManagedPolicy, AWS::IAM::Policy, AWS::IAM::Role | This stack does not directly implement this control | This stack does not directly implement this control | AWS::IAM::InstanceProfile, AWS::IAM::Role, AWS::CloudTrail::Trail, AWS::CloudWatch::Alarm, AWS::SNS::Topic | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::CloudTrail::Trail, AWS::CloudWatch::Alarm, AWS::SNS::Topic | AWS::Config::ConfigRule, AWS::Lambda::Function, AWS::Lambda::Permission |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | AWS::CloudTrail::Trail, AWS::CloudWatch::Alarm, AWS::SNS::Topic | AWS::Config::ConfigRule, AWS::Lambda::Function |
| See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. |
| AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::ManagedPolicy, AWS::IAM::Role | AWS::CloudFormation::Stack, AWS::EC2::DHCPOptions, AWS::EC2::EIP, AWS::EC2::EIPAssociation, AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::NatGateway, AWS::EC2::NetworkInterface, AWS::EC2::Route, AWS::EC2::RouteTable, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::SubnetRouteTableAssociation, AWS::EC2::VPC, AWS::EC2::VPCDHCPOptionsAssociation, AWS::EC2::VPCGatewayAttachment, AWS::EC2::VPCPeeringConnection | AWS::EC2::AvailabilityZone, AWS::EC2::DHCPOptions, AWS::EC2::EIP, AWS::EC2::InternetGateway, AWS::EC2::NatGateway, AWS::EC2::NetworkAcl, AWS::EC2::NetworkAclEntry, AWS::EC2::Route, AWS::EC2::RouteTable, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::SubnetNetworkAclAssociation, AWS::EC2::SubnetRouteTableAssociation, AWS::EC2::VPC, AWS::EC2::VPCDHCPOptionsAssociation, AWS::EC2::VPCGatewayAttachment | AWS::CloudTrail::Trail, AWS::CloudWatch::Alarm, AWS::IAM::InstanceProfile, AWS::IAM::Role, AWS::Logs::LogGroup, AWS::Logs::MetricFilter, AWS::S3::Bucket, AWS::S3::BucketPolicy, AWS::SNS::Topic | AWS::Config::ConfigRule, AWS::IAM::InstanceProfile, AWS::IAM::Policy, AWS::IAM::Role, AWS::Lambda::Function, AWS::Lambda::Permission |
| This stack does not directly implement this control | AWS::EC2::SecurityGroup, AWS::EC2::Instance, AWS::EC2::NetworkInterface | AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, AWS::EC2::NetworkAcl, AWS::EC2::NetworkAclEntry | This stack does not directly implement this control | This stack does not directly implement this control |
| See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::ManagedPolicy, AWS::IAM::Role | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::S3::Bucket | This stack does not directly implement this control |
| See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. |
| This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::S3::Bucket | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::S3::Bucket | This stack does not directly implement this control |
| This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::S3::Bucket | This stack does not directly implement this control |
| This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::S3::Bucket | This stack does not directly implement this control |
| See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. |
| This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::S3::Bucket | This stack does not directly implement this control |
| This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::S3::Bucket | This stack does not directly implement this control |
| This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::S3::Bucket | This stack does not directly implement this control |
| This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::S3::Bucket | This stack does not directly implement this control |
| This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::S3::Bucket | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::EC2::AvailabilityZone, AWS::EC2::Subnet | AWS::S3::Bucket | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. | See control subpart details below. |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| N/A | N/A | N/A | N/A | N/A |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| N/A | N/A | N/A | N/A | N/A |
| This stack does not directly implement this control | AWS::EC2::Instance | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| N/A | N/A | N/A | N/A | N/A |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| N/A | N/A | N/A | N/A | N/A |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| N/A | N/A | N/A | N/A | N/A |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| N/A | N/A | N/A | N/A | N/A |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control | This stack does not directly implement this control |
| N/A | N/A | N/A | N/A | N/A |
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
N/A N/A N/A N/A N/A
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
N/A N/A N/A N/A N/A
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
N/A N/A N/A N/A N/A
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
N/A N/A N/A N/A N/A
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
All template contents All template contents All template contents All template contents All template contents
All template contents All template contents All template contents All template contents All template contents
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
AWS::IAM::Group This stack does not directly This stack does not directly This stack does not directly This stack does not directly
AWS::IAM::Role implement this control implement this control implement this control implement this control
AWS::IAM::ManagedPolicy
This stack does not directly AWS::EC2::VPC This stack does not directly This stack does not directly This stack does not directly
implement this control AWS::EC2::Subnet implement this control implement this control implement this control
AWS::EC2::Instance
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly AWS::EC2::Instance AWS::EC2::SecurityGroup AWS::S3::Bucket This stack does not directly
implement this control AWS::EC2::SecurityGroup AWS::EC2::NetworkInterface AWS::S3::BucketPolicy implement this control
AWS::EC2::NetworkInterface
This stack does not directly AWS::EC2::Instance AWS::EC2::SecurityGroup AWS::S3::Bucket This stack does not directly
implement this control AWS::EC2::SecurityGroup AWS::EC2::NetworkInterface AWS::S3::BucketPolicy implement this control
AWS::EC2::NetworkInterface
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
N/A N/A N/A N/A N/A
See control subpart details See control subpart details See control subpart details See control subpart details See control subpart details
below. below. below. below. below.
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
This stack does not directly This stack does not directly This stack does not directly This stack does not directly This stack does not directly
implement this control implement this control implement this control implement this control implement this control
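The resource-type cells in this matrix are only useful if you can get from a type name back to the template statements that carry it. The following Python is an added example, not code from the Quick Start or from AWS: it indexes a CloudFormation template by Type and looks up the types listed in one mapping row. The template embedded in it is constructed for illustration, and its logical IDs (rAppInstance, rLogBucket, pAppSubnetId and so on) are invented. One caveat it handles: several names in the table (AWS::EC2::VPC::Id, AWS::EC2::Subnet::Id, and AWS::EC2::AvailabilityZone, whose parameter type is AWS::EC2::AvailabilityZone::Name) are CloudFormation parameter types rather than resource types, so they live in a template's Parameters section, not its Resources section, and a search of Resources alone would report them as unimplemented.

```python
"""Locate the CloudFormation statements behind one control-mapping row.

Added example, not part of the Quick Start. The template below is
constructed for illustration; every logical ID in it is invented.
"""
import json
from collections import defaultdict

# Constructed sample template, shaped like a trimmed Quick Start template.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "pVpcId": {"Type": "AWS::EC2::VPC::Id"},
        "pAppSubnetId": {"Type": "AWS::EC2::Subnet::Id"},
        "pAppAz": {"Type": "AWS::EC2::AvailabilityZone::Name"},
    },
    "Resources": {
        "rAppInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"SubnetId": {"Ref": "pAppSubnetId"},
                           "SecurityGroupIds": [{"Ref": "rAppSecurityGroup"}]},
        },
        "rAppSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"VpcId": {"Ref": "pVpcId"},
                           "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443,
                                                     "ToPort": 443, "CidrIp": "10.0.0.0/16"}]},
        },
        "rLogBucket": {"Type": "AWS::S3::Bucket",
                       "Properties": {"VersioningConfiguration": {"Status": "Enabled"}}},
        "rLogBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {"Bucket": {"Ref": "rLogBucket"},
                           "PolicyDocument": {"Statement": [{
                               "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                               "Resource": "*",
                               "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}},
        },
        "rSysAdminRole": {"Type": "AWS::IAM::Role",
                          "Properties": {"AssumeRolePolicyDocument": {"Statement": []}}},
    },
})


def index_template(template_text):
    """Return {Type: [section.logicalId, ...]} over Resources and Parameters.

    Parameter types (AWS::EC2::VPC::Id, AWS::EC2::Subnet::Id, ...) appear in
    the mapping table next to resource types, so both sections are indexed.
    """
    doc = json.loads(template_text)
    index = defaultdict(list)
    for section in ("Resources", "Parameters"):
        for logical_id, body in doc.get(section, {}).items():
            index[body["Type"]].append(f"{section}.{logical_id}")
    return dict(index)


def locate(template_text, mapped_types):
    """Map each type named in a control row to the template entries of that type.

    A name with no exact match also matches parameter types nested under it
    (AWS::EC2::AvailabilityZone -> AWS::EC2::AvailabilityZone::Name).
    Names with no match keep an empty list so gaps stay visible.
    """
    index = index_template(template_text)
    result = {}
    for name in mapped_types:
        hits = list(index.get(name, []))
        if not hits:
            for type_name, ids in index.items():
                if type_name.startswith(name + "::"):
                    hits.extend(ids)
        result[name] = hits
    return result


def unimplemented(template_text, mapped_types):
    """Types from the row that this template carries no statement for."""
    return [name for name, hits in locate(template_text, mapped_types).items() if not hits]


if __name__ == "__main__":
    row = ["AWS::EC2::Instance", "AWS::S3::BucketPolicy",
           "AWS::EC2::AvailabilityZone", "AWS::RDS::DBInstance", "AWS::EC2::Subnet::Id"]
    for name, hits in locate(SAMPLE_TEMPLATE, row).items():
        print(f"{name}: {', '.join(hits) or '(no statement in this template)'}")
```

The script reads JSON. Where a Quick Start template is YAML with short-form intrinsic functions (!Ref, !GetAtt), json.loads will not parse it; convert it to JSON first, for example with the cfn-flip tool, and then run the lookup.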
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
See control subpart details See control subpart details
below. below.
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
AWS::EC2::Instance AWS::S3::BucketPolicy
AWS::S3::Bucket
AWS::AutoScaling::LaunchCo
nfiguration
AWS::EC2::Instance
This stack does not directly AWS::S3::BucketPolicy
implement this control AWS::S3::Bucket
This stack does not directly AWS::S3::BucketPolicy
implement this control AWS::S3::Bucket
This stack does not directly AWS::S3::BucketPolicy
implement this control AWS::S3::Bucket
This stack does not directly AWS::S3::BucketPolicy
implement this control AWS::S3::Bucket
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
AWS::EC2::EIP AWS::RDS::DBSubnetGroup
AWS::EC2::EIPAssociation AWS::EC2::Subnet::Id
AWS::EC2::Instance AWS::EC2::SecurityGroup
AWS::EC2::NetworkInterface AWS::S3::BucketPolicy
AWS::EC2::Route AWS::S3::Bucket
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
AWS::EC2::EIP AWS::EC2::Instance
AWS::EC2::EIPAssociation AWS::IAM::InstanceProfile
AWS::EC2::Instance AWS::IAM::Role
AWS::EC2::NetworkInterface AWS::S3::Bucket
AWS::EC2::Route AWS::EC2::SecurityGroup
AWS::RDS::DBInstance
AWS::RDS::DBSubnetGroup
AWS::EC2::Instance AWS::EC2::Instance
AWS::S3::Bucket
AWS::S3::BucketPolicy
AWS::EC2::SecurityGroup
AWS::ElasticLoadBalancing::
LoadBalancer
AWS::EC2::Instance AWS::EC2::VPC::Id
AWS::EC2::NetworkInterface AWS::EC2::Instance
AWS::EC2::EIP AWS::EC2::SecurityGroup
AWS::EC2::EIPAssociation AWS::RDS::DBSubnetGroup
AWS::EC2::Route AWS::ElasticLoadBalancing::
LoadBalancer
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
This stack does not directly AWS::S3::Bucket
implement this control AWS::RDS::DBInstance
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
AWS::EC2::Instance AWS::S3::Bucket
AWS::RDS::DBInstance
AWS::EC2::Instance AWS::S3::Bucket
AWS::RDS::DBInstance
AWS::EC2::Instance AWS::S3::Bucket
AWS::RDS::DBInstance
AWS::EC2::AvailabilityZone
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
See control subpart details See control subpart details
below. below.
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
AWS::EC2::EIP AWS::EC2::SecurityGroup
AWS::EC2::EIPAssociation AWS::EC2::Instance
AWS::EC2::Instance AWS::EC2::Subnet::Id
AWS::EC2::NetworkInterface AWS::RDS::DBInstance
AWS::EC2::Route AWS::RDS::DBSubnetGroup
AWS::ElasticLoadBalancing::
LoadBalancer
AWS::AutoScaling::LaunchCo
nfiguration
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
AWS::EC2::EIP AWS::AutoScaling::AutoScali
AWS::EC2::EIPAssociation ngGroup
AWS::EC2::Instance AWS::AutoScaling::LaunchCo
AWS::EC2::NetworkInterface nfiguration
AWS::EC2::Route AWS::AutoScaling::ScalingPo
licy
AWS::CloudWatch::Alarm
AWS::EC2::AvailabilityZone
AWS::EC2::Instance
AWS::EC2::SecurityGroup
AWS::EC2::Subnet::Id
AWS::EC2::VPC::Id
AWS::ElasticLoadBalancing::
LoadBalancer
AWS::IAM::InstanceProfile
AWS::IAM::Role
AWS::RDS::DBInstance
AWS::RDS::DBSubnetGroup
AWS::S3::Bucket
AWS::S3::BucketPolicy
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly AWS::IAM::InstanceProfile
implement this control AWS::IAM::Role
AWS::S3::Bucket
AWS::S3::BucketPolicy
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly AWS::EC2::AvailabilityZone
implement this control AWS::AutoScaling::AutoScali
ngGroup
AWS::RDS::DBSubnetGroup
AWS::RDS::DBInstance
AWS::S3::Bucket
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
This stack does not directly This stack does not directly
implement this control implement this control
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
See control subpart details below. | See control subpart details below.
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
AWS::EC2::Instance, AWS::EC2::NetworkInterface, AWS::EC2::EIPAssociation, AWS::EC2::Route | AWS::RDS::DBSubnetGroup, AWS::ElasticLoadBalancing::LoadBalancer, AWS::EC2::Instance, AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration, AWS::AutoScaling::ScalingPolicy, AWS::ElasticLoadBalancing::LoadBalancer
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
See control subpart details below. | See control subpart details below.
AWS::EC2::Instance, AWS::EC2::NetworkInterface, AWS::EC2::EIPAssociation, AWS::EC2::Route | AWS::RDS::DBSubnetGroup, AWS::EC2::Instance, AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration, AWS::S3::BucketPolicy, AWS::S3::Bucket
AWS::EC2::NetworkInterface, AWS::EC2::Route | AWS::RDS::DBSubnetGroup, AWS::EC2::Instance, AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration
AWS::EC2::NetworkInterface, AWS::EC2::Route | AWS::RDS::DBSubnetGroup, AWS::RDS::DBInstance, AWS::EC2::Instance, AWS::AutoScaling::LaunchConfiguration
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
AWS::EC2::NetworkInterface | AWS::RDS::DBSubnetGroup, AWS::RDS::DBInstance, AWS::EC2::Instance, AWS::AutoScaling::LaunchConfiguration
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
AWS::EC2::Instance | AWS::S3::Bucket, AWS::S3::BucketPolicy, AWS::AutoScaling::LaunchConfiguration, AWS::EC2::Instance, AWS::ElasticLoadBalancing::LoadBalancer
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
AWS::EC2::Instance | AWS::S3::Bucket, AWS::S3::BucketPolicy, AWS::AutoScaling::LaunchConfiguration, AWS::EC2::Instance, AWS::ElasticLoadBalancing::LoadBalancer
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
AWS::EC2::Instance | AWS::S3::Bucket, AWS::S3::BucketPolicy, AWS::AutoScaling::LaunchConfiguration, AWS::EC2::Instance, AWS::ElasticLoadBalancing::LoadBalancer
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | AWS::EC2::AvailabilityZone, AWS::AutoScaling::AutoScalingGroup, AWS::RDS::DBSubnetGroup, AWS::RDS::DBInstance, AWS::S3::Bucket
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | AWS::S3::Bucket, AWS::S3::BucketPolicy, AWS::RDS::DBInstance
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
AWS::EC2::Instance | AWS::AutoScaling::LaunchConfiguration, AWS::EC2::Instance
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
This stack does not directly implement this control | This stack does not directly implement this control
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
N/A N/A
Topic Areas
Seq
Family
Control (Major)
Control (Sub-parts)
Title
Description
Priority
Control Baselines: Low, Moderate, High
Confidentiality: Low, Moderate, High
Integrity: Low, Moderate, High
Availability: Low, Moderate, High
FedRAMP Controls Version 2.1: Low, Moderate, High
Additional FedRAMP Requirements & Guidance
DoD Cloud SRG Controls Ver 1, Rel 2: Minimum, Level 4, Level 5
NIST 800-122
Category: Responsibility
Cross-references to Other Compliance Frameworks
NIST 800-171 - June 2015 (incl updates January 14, 2016)
Capability Summary
TIC Capabilities Definition Version 2.0
Related Requirements and Guidance
CloudFormation Template Mapping
MAIN CloudFormation Stack/Template
IAM CloudFormation Stack/Template
MANAGEMENT VPC CloudFormation Stack/Template
PRODUCTION VPC CloudFormation Stack/Template
LOGGING CloudFormation Stack/Template
CONFIG-RULES CloudFormation Stack/Template
NAT-INSTANCE CloudFormation Stack/Template
APPLICATION CloudFormation Stack/Template
Comments
Sequence Number used for identifying items when sorted
This section indicates the initial security control baselines by NIST (i.e., low, moderate, and
high)
This section indicates the initial security control baselines by CNSSI 1253. Each security
objective (confidentiality, integrity, or availability) has the impact value (low, moderate, or
high) indicated as follows:
X: This control is associated with the indicated impact value
+: This control reflects the additional CNSS specifications by impact value for all NSS
The Federal Risk and Authorization Management Program (FedRAMP) provides for adopting
cloud services with standardized security requirements for assessing Cloud Service Providers
(CSPs), acceptable contract language for acquisition, and packages for leveraging cloud
services government-wide. FedRAMP assists government agencies in meeting and complying
with FISMA requirements by addressing complexities and challenges for complying with
FISMA.
This section indicates the initial security control baselines for FedRAMP. Each security
objective has the impact value (low, moderate, or high) indicated.
This section provides the requirements and guidelines necessary to address the indicated
control
The Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG)
outlines security controls and requirements for cloud-based solutions within DoD. The SRG
provides DoD Cloud Service Providers (CSPs) guidance for service offerings, establishes how
to assess CSP security posture, defines policies, requirements, and architectures for cloud
services implementation, and provides guidance in planning and using CSPs.
This section indicates the initial security control baselines for DoD SRG. Each objective has
the impact value (minimum, level 4 or level 5) indicated as follows:
The NIST Special Publication 800-122 assists Federal agencies in protecting the
confidentiality of Personally Identifiable Information (PII).
This section provides input for recommended architecture comments and categories
addressing the NIST SP 800-53 controls. This also includes categorization to help sorting
based on ownership and type of control.
This section provides a sorting capability for which organization addresses the security
control. Labels are as follows:
Yes: This AWS Quick Start reference implementation has features which cover or are
configured to support this security control as described in the AWS Quick Start Control
Implementation column
No: This security control is not addressed by this AWS Quick Start reference implementation
This section provides sorting category where the influence of the security controls resides:
Facility: This control is primarily addressing facility needs such as physical access, power, etc.
Information Systems: This technical control is a list of requirements for controls or sub-parts
for information systems and applications
Information Systems (Header): This technical control is a header which indicates that sub-
parts follow that are associated with information systems and applications
Organizational: This control is a list of requirements for controls or sub-parts requiring
organizations to perform a function such as policy creation, process management, actions
needed to be taken on information (reviews, document or systems, etc.)
Organizational (Header): This control is a header which lists sub-parts implemented by
organizations
Privacy Control: This control is part of the new Privacy Control Catalog addition to NIST SP
800-53 rev 4, Appendix J, intended to address the privacy needs.
Withdrawn: These controls have been withdrawn in NIST SP800-53 rev 4
This section provides a sorting category where the responsibility for ownership of the
security controls are assigned, managed or implemented:
Customer: This control is a requirement that a customer must address
Customer (Header): This control is a header which lists sub-parts that the customer must address
Non-FedRAMP: This control is not selected by FedRAMP for Cloud Service Providers
Non-FedRAMP (Header): This control is a header which lists sub-parts that are not selected
by FedRAMP for Cloud Service Providers
Not Selected: This control is not selected by NIST SP 800-53 rev 4 nor any other frameworks
covered in this document
Not Selected (Header): This control is a header which lists sub-parts that are not selected by
NIST SP 800-53 rev 4 nor any other frameworks covered under this document
Shared: This control has shared requirements which AWS addresses in full or in part at the
workload infrastructure layer (VPC and AWS account), for which the customer also has
requirements which must be addressed (such as application or operating system layer
requirements)
Shared (Header): This control is a header which lists sub-parts with shared requirements
addressed by AWS in full or in part at the workload infrastructure layer (VPC and AWS
account), for which the customer also has requirements which must be addressed
Withdrawn: These controls have been withdrawn in NIST SP800-53 revision 4
In this section, AWS provides a synopsis of the implemented configurations for controls at
the infrastructure layer for workloads/customer accounts, as well as information on controls
inherited from the Cloud back-end infrastructure.
This section provides a mapping to other framework control identifiers that are related to
NIST SP 800-53 rev
The NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in
Nonfederal Information Systems and Organizations) provides government agencies with
recommended requirements for protecting the confidentiality of Controlled Unclassified
Information (CUI). This column maps NIST SP 800-53 controls to the requirement identifiers
in Chapter 3 of NIST SP 800-171.
The Trusted Internet Connection initiative (TIC) is mandated in an Office of Management and
Budget (OMB) Memorandum meant to optimize individual external connections, including
internet points of presence used by the Government.
This section specifically addresses the FedRAMP TIC Overlay Pilot. This pilot updates TIC's
current reference architecture. The overlay enables users to connect directly to Federal
cloud systems without utilizing a TIC Access Provider (TICAP) or Managed Trusted IP Service
(MTIPS).
If this template applies, this column indicates the AWS Resource types associated with or
applicable to the control
Date | Change Log
6/24/2016 | Added "Control (Major)" column
6/24/2016 | Updated CNSS Instruction 1253 Control section to indicate selection of sub-parts with a major control
6/24/2016 | Removed Sequence ID 741, which was a duplicate of Sequence ID 742
6/24/2016 | Added "Addressed By This Quick Start" column
6/24/2016 | Added "Category: Influence" column
6/24/2016 | Added "Category: Responsibility" column
6/24/2016 | Created Glossary worksheet to describe all columns
6/24/2016 | Created Change Record worksheet to log this and future updates
11/6/2017 | Added NIST SP 800-122 mapping
11/17/2017 | Updated "AWS Quick Start Security Control Implementation Descriptions" to better distinguish between controls directly addressed with this reference architecture and those that are addressed by AWS built-in features.
11/17/2017 | Updated "Addressed By This Quick Start" column to add the "Indirectly" category to distinguish controls which are inherited from AWS or provided by built-in features from those controls which are in the Quick Start Architecture