Cybersecurity Control Standards - Appendix A
Contact for Interpretation: Office of Information Security
Appendix A – Optional Controls
Purpose: Appendix A contains optional or advisory controls based on best practices in the National Institute of Standards and Technology (NIST) Framework. Nothing in Appendix A should be considered mandatory or required. This is a resource guide to best practices and is supplemental information.
- AC-2(1) Automated System Account Management
- AC-2(2) Automated Temporary and Emergency Account Management
- AC-2(3) Disable Accounts
- AC-2(4) Automated Audit Actions
- AC-2(5) Inactivity Logout
- AC-2(6) Dynamic Privilege Management
- AC-2(8) Dynamic Account Management
- AC-2(9) Restrictions on Use of Shared and Group Accounts
- AC-2(10) Shared and Group Account Credential Change
- Withdrawn: Incorporated into AC-2k
- AC-2(11) Usage Conditions
- AC-2(12) Account Monitoring for Atypical Usage
- AC-2(13) Disable Accounts for High-risk Individuals
- AC-4 Information Flow Enforcement
- AC-4(1) Object Security and Privacy Attributes
- AC-4(2) Processing Domains
- AC-4(3) Dynamic Information Flow Control
- AC-4(4) Flow Control of Encrypted Information
- AC-4(5) Embedded Data Types
- AC-4(6) Metadata
- AC-4(7) One-way Flow Mechanisms
- AC-4(8) Security and Privacy Policy Filters
- AC-4(9) Human Reviews
- AC-4(10) Enable and Disable Security or Privacy Policy Filters
- AC-4(11) Configuration of Security or Privacy Policy Filters
- AC-4(12) Data Type Identifiers
- AC-4(13) Decomposition into Policy-relevant Subcomponents
- AC-4(14) Security or Privacy Policy Filter Constraints
- AC-4(15) Detection of Unsanctioned Information
- AC-4(16) Information Transfers on Interconnected Systems
- Withdrawn: Incorporated into AC-4
- AC-4(17) Domain Authentication
- AC-4(18) Security Attribute Binding
- Withdrawn: Incorporated into AC-16
- AC-4(19) Validation of Metadata
- AC-4(20) Approved Solutions
- AC-4(21) Physical or Logical Separation of Information Flows
- AC-4(22) Access Only
- AC-4(23) Modify Non-releasable Information
- AC-4(24) Internal Normalized Format
- AC-4(25) Data Sanitization
- AC-4(26) Audit Filtering Actions
- AC-4(27) Redundant/independent Filtering Mechanisms
- AC-4(28) Linear Filter Pipelines
- AC-4(29) Filter Orchestration Engines
- AC-4(30) Filter Mechanisms Using Multiple Processes
- AC-4(31) Failed Content Transfer Prevention
- AC-4(32) Process Requirements for Information Transfer
- AC-6(1) Authorize Access to Security Functions
- AC-6(2) Non-privileged Access for Nonsecurity Functions
- AC-6(3) Network Access to Privileged Commands
- AC-6(4) Separate Processing Domains
- AC-6(5) Privileged Accounts
- AC-6(6) Privileged Access by Non-organizational Users
- AC-6(7) Review of User Privileges
- AC-6(8) Privilege Levels for Code Execution
- AC-6(9) Log Use of Privileged Functions
- AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions
- AC-7(1) Automatic Account Lock
- Withdrawn: Incorporated into AC-7
- AC-7(2) Purge or Wipe Mobile Device
- AC-7(3) Biometric Attempt Limiting
- AC-7(4) Use of Alternate Authentication Factor
- AC-9 Previous Logon Notification
- AC-9(1) Unsuccessful Logons
- AC-9(2) Successful and Unsuccessful Logons
- AC-9(3) Notification of Account Changes
- AC-9(4) Additional Logon Information
- AC-10 Concurrent Session Control
- AC-11(1) Pattern-hiding Displays
- AC-12 Session Termination
- AC-12(1) User-initiated Logouts
- AC-12(2) Termination Message
- AC-12(3) Timeout Warning Message
- AC-14(1) Necessary Uses
- Withdrawn: Incorporated into AC-14
- AC-15 Automated Marking
- Withdrawn: Incorporated into MP-3
- AC-16 Security and Privacy Attributes
- AC-16(1) Dynamic Attribute Association
- AC-16(2) Attribute Value Changes by Authorized Individuals
- AC-16(3) Maintenance of Attribute Associations by System
- AC-16(4) Association of Attributes by Authorized Individuals
- AC-16(5) Attribute Displays on Objects to Be Output
- AC-16(6) Maintenance of Attribute Association
- AC-16(7) Consistent Attribute Interpretation
- AC-16(8) Association Techniques and Technologies
- AC-16(9) Attribute Reassignment - Regrading Mechanisms
- AC-16(10) Attribute Configuration by Authorized Individuals
- AC-17(1) Monitoring and Control
- AC-17(2) Protection of Confidentiality and Integrity Using Encryption
- AC-17(3) Managed Access Control Points
- AC-17(4) Privileged Commands and Access
- AC-17(5) Monitoring for Unauthorized Connections
- Withdrawn: Incorporated into SI-4
- AC-17(6) Protection of Mechanism Information
- AC-17(7) Additional Protection for Security Function Access
- Withdrawn: Incorporated into AC-3(10)
- AC-17(8) Disable Nonsecure Network Protocols
- Withdrawn: Incorporated into CM-7
- AC-17(9) Disconnect or Disable Access
- AC-17(10) Authenticate Remote Commands
- AC-18(1) Authentication and Encryption
- AC-18(2) Monitoring Unauthorized Connections
- Withdrawn: Incorporated into SI-4
- AC-18(3) Disable Wireless Networking
- AC-18(4) Restrict Configurations by Users
- AC-18(5) Antennas and Transmission Power Levels
- AC-19(1) Use of Writable and Portable Storage Devices
- Withdrawn: Incorporated into MP-7
- AC-19(2) Use of Personally Owned Portable Storage Devices
- Withdrawn: Incorporated into MP-7
- AC-19(3) Use of Portable Storage Devices with No Identifiable Owner
- Withdrawn: Incorporated into MP-7
- AC-19(4) Restrictions for Classified Information
- AC-19(5) Full Device or Container-based Encryption
- AC-20(1) Limits on Authorized Use
- AC-20(2) Portable Storage Devices - Restricted Use
- AC-20(3) Non-organizationally Owned Systems - Restricted Use
- AC-20(4) Network Accessible Storage Devices - Prohibited Use
- AC-20(5) Portable Storage Devices - Prohibited Use
- AC-21 Information Sharing
- AC-21(1) Automated Decision Support
- AC-21(2) Information Search and Retrieval
- AC-23 Data Mining Protection
- AC-24 Access Control Decisions
- AC-24(1) Transmit Access Authorization Information
- AC-24(2) No User or Process Identity
- AC-25 Reference Monitor
- AT-2(1) Practical Exercises
- AT-2(2) Insider Threat
- AT-2(3) Social Engineering and Mining
- AT-2(4) Suspicious Communications and Anomalous System Behavior
- AT-2(5) Advanced Persistent Threat
- AT-2(6) Cyber Threat Environment
- AT-3(1) Environmental Controls
- AT-3(2) Physical Security Controls
- AT-3(3) Practical Exercises
- AT-3(4) Suspicious Communications and Anomalous System Behavior
- Withdrawn: Moved to AT-2(4)
- AT-3(5) Processing Personally Identifiable Information
- AT-5 Contacts with Security Groups and Associations
- Withdrawn: Incorporated into PM-15
- AT-6 Training Feedback
- AU-2(1) Compilation of Audit Records from Multiple Sources
- Withdrawn: Incorporated into AU-12
- AU-2(2) Selection of Audit Events by Component
- Withdrawn: Incorporated into AU-12
- AU-2(3) Reviews and Updates
- Withdrawn: Incorporated into AU-2
- AU-2(4) Privileged Functions
- Withdrawn: Incorporated into AC-6(9)
- AU-3(1) Additional Audit Information
- AU-3(2) Centralized Management of Planned Audit Record Content
- Withdrawn: Incorporated into PL-9
- AU-3(3) Limit Personally Identifiable Information Elements
- AU-4(1) Transfer to Alternate Storage
- AU-5(1) Storage Capacity Warning
- AU-5(2) Real-time Alerts
- AU-5(3) Configurable Traffic Volume Thresholds
- AU-5(4) Shutdown on Failure
- AU-5(5) Alternate Audit Logging Capability
- AU-6(1) Automated Process Integration
- AU-6(2) Automated Security Alerts
- Withdrawn: Incorporated into SI-4
- AU-6(3) Correlate Audit Record Repositories
- AU-6(4) Central Review and Analysis
- AU-6(5) Integrated Analysis of Audit Records
- AU-6(6) Correlation with Physical Monitoring
- AU-6(7) Permitted Actions
- AU-6(8) Full Text Analysis of Privileged Commands
- AU-6(9) Correlation with Information from Nontechnical Sources
- AU-6(10) Audit Level Adjustment
- Withdrawn: Incorporated into AU-6
- AU-7 Audit Record Reduction and Report Generation
- AU-7(1) Automatic Processing
- AU-7(2) Automatic Sort and Search
- Withdrawn: Incorporated into AU-7(1)
- AU-8(1) Synchronization with Authoritative Time Source
- Withdrawn: Moved to SC-45(1)
- AU-8(2) Secondary Authoritative Time Source
- Withdrawn: Moved to SC-45(2)
- AU-9(1) Hardware Write-once Media
- AU-9(2) Store on Separate Physical Systems or Components
- AU-9(3) Cryptographic Protection
- AU-9(4) Access by Subset of Privileged Users
- AU-9(5) Dual Authorization
- AU-9(6) Read-only Access
- AU-9(7) Store on Component with Different Operating System
- AU-10(1) Association of Identities
- AU-10(2) Validate Binding of Information Producer Identity
- AU-10(3) Chain of Custody
- AU-10(4) Validate Binding of Information Reviewer Identity
- AU-10(5) Digital Signatures
- Withdrawn: Incorporated into SI-7
- AU-11(1) Long-term Retrieval Capability
- AU-12(1) System-wide and Time-correlated Audit Trail
- AU-12(2) Standardized Formats
- AU-12(3) Changes by Authorized Individuals
- AU-12(4) Query Parameter Audits of Personally Identifiable Information
- AU-13 Monitoring for Information Disclosure
- AU-13(1) Use of Automated Tools
- AU-13(2) Review of Monitored Sites
- AU-13(3) Unauthorized Replication of Information
- AU-14 Session Audit
- AU-14(1) System Start-up
- AU-14(2) Capture and Record Content
- Withdrawn: Incorporated into AU-14
- AU-14(3) Remote Viewing and Listening
- AU-15 Alternate Audit Logging Capability
- Withdrawn: Moved to AU-5(5)
- AU-16 Cross-organizational Audit Logging
- AU-16(1) Identity Preservation
- AU-16(2) Sharing of Audit Information
- AU-16(3) Disassociability
- CA-2(1) Independent Assessors
- CA-2(2) Specialized Assessments
- CA-2(3) Leveraging Results from External Organizations
- CA-3(1) Unclassified National Security System Connections
- Withdrawn: Moved to SC-7(25)
- CA-3(2) Classified National Security System Connections
- Withdrawn: Moved to SC-7(26)
- CA-3(3) Unclassified Non-national Security System Connections
- Withdrawn: Moved to SC-7(27)
- CA-3(4) Connections to Public Networks
- Withdrawn: Moved to SC-7(28)
- CA-3(5) Restrictions on External System Connections
- Withdrawn: Moved to SC-7(5)
- CA-3(6) Transfer Authorizations
- CA-3(7) Transitive Information Exchanges
- CA-4 Security Certification
- Withdrawn: Incorporated into CA-2
- CA-5(1) Automation Support for Accuracy and Currency
- CA-6(1) Joint Authorization - Intra-organization
- CA-6(2) Joint Authorization - Inter-organization
- CA-7(1) Independent Assessment
- CA-7(2) Independent Assessment
- Withdrawn: Incorporated into CA-2
- CA-7(3) Trend Analyses
- CA-7(5) Consistency Analysis
- CA-7(6) Automation Support for Monitoring
- CA-8(1) Independent Penetration Testing Agent or Team
- CA-8(2) Red Team Exercises
- CA-8(3) Facility Penetration Testing
- CA-9(1) Compliance Checks
- CM-2(1) Reviews and Updates
- Withdrawn: Incorporated into CM-2
- CM-2(2) Automation Support for Accuracy and Currency
- CM-2(3) Retention of Previous Configurations
- CM-2(4) Unauthorized Software
- Withdrawn: Incorporated into CM-7(4)
- CM-2(5) Authorized Software
- Withdrawn: Incorporated into CM-7(5)
- CM-2(6) Development and Test Environments
- CM-2(7) Configure Systems and Components for High-risk Areas
- CM-3(1) Automated Documentation, Notification, and Prohibition of Changes
- CM-3(3) Automated Change Implementation
- CM-3(4) Security and Privacy Representatives
- CM-3(5) Automated Security Response
- CM-3(6) Cryptography Management
- CM-3(7) Review System Changes
- CM-3(8) Prevent or Restrict Configuration Changes
- CM-4(1) Separate Test Environments
- CM-4(2) Verification of Controls
- CM-5(1) Automated Access Enforcement and Audit Records
- CM-5(2) Review System Changes
- Withdrawn: Incorporated into CM-3(7)
- CM-5(3) Signed Components
- Withdrawn: Moved to CM-14
- CM-5(4) Dual Authorization
- CM-5(5) Privilege Limitation for Production and Operation
- CM-5(6) Limit Library Privileges
- CM-5(7) Automatic Implementation of Security Safeguards
- Withdrawn: Incorporated into SI-7
- CM-6(1) Automated Management, Application, and Verification
- CM-6(2) Respond to Unauthorized Changes
- CM-6(3) Unauthorized Change Detection
- Withdrawn: Incorporated into SI-7
- CM-6(4) Conformance Demonstration
- Withdrawn: Incorporated into CM-4
- CM-7(1) Periodic Review
- CM-7(2) Prevent Program Execution
- CM-7(3) Registration Compliance
- CM-7(4) Unauthorized Software - Deny-by-exception
- CM-7(5) Authorized Software - Allow-by-exception
- CM-7(6) Confined Environments with Limited Privileges
- CM-7(7) Code Execution in Protected Environments
- CM-7(8) Binary or Machine Executable Code
- CM-7(9) Prohibiting the Use of Unauthorized Hardware
- CM-8(1) Updates During Installation and Removal
- CM-8(2) Automated Maintenance
- CM-8(3) Automated Unauthorized Component Detection
- CM-8(4) Accountability Information
- CM-8(5) No Duplicate Accounting of Components
- Withdrawn: Incorporated into CM-8
- CM-8(6) Assessed Configurations and Approved Deviations
- CM-8(7) Centralized Repository
- CM-8(8) Automated Location Tracking
- CM-8(9) Assignment of Components to Systems
- CM-9 Configuration Management Plan
- CM-9(1) Assignment of Responsibility
- CM-10(1) Open-source Software
- CM-11(1) Alerts for Unauthorized Installations
- Withdrawn: Incorporated into CM-8(3)
- CM-11(2) Software Installation with Privileged Status
- CM-11(3) Automated Enforcement and Monitoring
- CM-12 Information Location
- CM-12(1) Automated Tools to Support Information Location
- CM-13 Data Action Mapping
- CM-14 Signed Components
- CP-2(2) Capacity Planning
- CP-2(3) Resume Mission and Business Functions
- CP-2(4) Resume All Mission and Business Functions
- Withdrawn: Incorporated into CP-2(3)
- CP-2(5) Continue Mission and Business Functions
- Withdrawn: Incorporated into CP-2
- CP-2(6) Alternate Processing and Storage Sites
- CP-2(7) Coordinate with External Service Providers
- CP-2(8) Identify Critical Assets
- CP-3(1) Simulated Events
- CP-3(2) Mechanisms Used in Training Environments
- CP-4(1) Coordinate with Related Plans
- CP-4(2) Alternate Processing Site
- CP-4(3) Automated Testing
- CP-4(4) Full Recovery and Reconstitution
- CP-4(5) Self-challenge
- CP-5 Contingency Plan Update
- CP-6(1) Separation from Primary Site
- CP-6(2) Recovery Time and Recovery Point Objectives
- CP-6(3) Accessibility
- CP-7 Alternate Processing Site
- CP-7(1) Separation from Primary Site
- CP-7(2) Accessibility
- CP-7(3) Priority of Service
- CP-7(4) Preparation for Use
- CP-7(5) Equivalent Information Security Safeguards
- Withdrawn: Incorporated into CP-7
- CP-7(6) Inability to Return to Primary Site
- CP-8 Telecommunications Services
- CP-8(1) Priority of Service Provisions
- CP-8(2) Single Points of Failure
- CP-8(3) Separation of Primary and Alternate Providers
- CP-8(4) Provider Contingency Plan
- CP-8(5) Alternate Telecommunication Service Testing
- CP-9(1) Testing for Reliability and Integrity
- CP-9(2) Test Restoration Using Sampling
- CP-9(4) Protection from Unauthorized Modification
- Withdrawn: Incorporated into CP-9
- CP-9(5) Transfer to Alternate Storage Site
- CP-9(6) Redundant Secondary System
- CP-9(7) Dual Authorization for Deletion or Destruction
- CP-9(8) Cryptographic Protection
- CP-10(1) Contingency Plan Testing
- Withdrawn: Incorporated into CP-4
- CP-10(2) Transaction Recovery
- CP-10(3) Compensating Security Controls
- Withdrawn: Control addressed through tailoring
- CP-10(4) Restore Within Time Period
- CP-10(5) Failover Capability
- Withdrawn: Incorporated into SI-13
- CP-10(6) Component Protection
- CP-12 Safe Mode
- CP-13 Alternative Security Mechanisms
- IA-2(3) Local Access to Privileged Accounts
- Withdrawn: Incorporated into IA-2(1)
- IA-2(4) Local Access to Non-privileged Accounts
- Withdrawn: Incorporated into IA-2(2)
- IA-2(5) Individual Authentication with Group Authentication
- IA-2(6) Access to Accounts - Separate Device
- IA-2(7) Network Access to Non-privileged Accounts - Separate Device
- Withdrawn: Incorporated into IA-2(6)
- IA-2(8) Access to Accounts - Replay Resistant
- IA-2(9) Network Access to Non-privileged Accounts - Replay Resistant
- Withdrawn: Incorporated into IA-2(8)
- IA-2(10) Single Sign-on
- IA-2(11) Remote Access - Separate Device
- Withdrawn: Incorporated into IA-2(6)
- IA-2(12) Acceptance of PIV Credentials
- IA-2(13) Out-of-band Authentication
- IA-3 Device Identification and Authentication
- IA-3(1) Cryptographic Bidirectional Authentication
- IA-3(2) Cryptographic Bidirectional Network Authentication
- Withdrawn: Incorporated into IA-3(1)
- IA-3(3) Dynamic Address Allocation
- IA-3(4) Device Attestation
- IA-4(1) Prohibit Account Identifiers as Public Identifiers
- IA-4(2) Supervisor Authorization
- Withdrawn: Incorporated into IA-12(1)
- IA-4(3) Multiple Forms of Certification
- Withdrawn: Incorporated into IA-12(2)
- IA-4(4) Identify User Status
- IA-4(5) Dynamic Management
- IA-4(6) Cross-organization Management
- IA-4(7) In-person Registration
- Withdrawn: Incorporated into IA-12(4)
- IA-4(8) Pairwise Pseudonymous Identifiers
- IA-4(9) Attribute Maintenance and Protection
- IA-5(1) Password-based Authentication
- IA-5(2) Public Key-based Authentication
- IA-5(3) In-person or Trusted External Party Registration
- Withdrawn: Incorporated into IA-12(4)
- IA-5(4) Automated Support for Password Strength Determination
- Withdrawn: Incorporated into IA-5(1)
- IA-5(5) Change Authenticators Prior to Delivery
- IA-5(6) Protection of Authenticators
- IA-5(7) No Embedded Unencrypted Static Authenticators
- IA-5(8) Multiple System Accounts
- IA-5(9) Federated Credential Management
- IA-5(10) Dynamic Credential Binding
- IA-5(11) Hardware Token-based Authentication
- IA-5(12) Biometric Authentication Performance
- IA-5(13) Expiration of Cached Authenticators
- IA-5(14) Managing Content of PKI Trust Stores
- IA-5(15) GSA-approved Products and Services
- IA-5(16) In-person or Trusted External Party Authenticator Issuance
- IA-5(17) Presentation Attack Detection for Biometric Authenticators
- IA-5(18) Password Managers
- IA-8(1) Acceptance of PIV Credentials from Other Agencies
- IA-8(2) Acceptance of External Authenticators
- IA-8(3) Use of FICAM-approved Products
- Withdrawn: Incorporated into IA-8(2)
- IA-8(4) Use of Defined Profiles
- IA-8(5) Acceptance of PIV-I Credentials
- IA-8(6) Disassociability
- IA-9 Service Identification and Authentication
- IA-9(1) Information Exchange
- Withdrawn: Incorporated into IA-9
- IA-9(2) Transmission of Decisions
- Withdrawn: Incorporated into IA-9
- IA-10 Adaptive Authentication
- IA-12(1) Supervisor Authorization
- IA-12(2) Identity Evidence
- IA-12(3) Identity Evidence Validation and Verification
- IA-12(4) In-person Validation and Verification
- IA-12(5) Address Confirmation
- IA-12(6) Accept Externally-proofed Identities
- IR-2(1) Simulated Events
- IR-2(2) Automated Training Environments
- IR-2(3) Breach
- IR-3(1) Automated Testing
- IR-3(2) Coordination with Related Plans
- IR-3(3) Continuous Improvement
- IR-4(1) Automated Incident Handling Processes
- IR-4(2) Dynamic Reconfiguration
- IR-4(3) Continuity of Operations
- IR-4(4) Information Correlation
- IR-4(5) Automatic Disabling of System
- IR-4(6) Insider Threats
- IR-4(7) Insider Threats - Intra-organization Coordination
- IR-4(8) Correlation with External Organizations
- IR-4(9) Dynamic Response Capability
- IR-4(10) Supply Chain Coordination
- IR-4(11) Integrated Incident Response Team
- IR-4(12) Malicious Code and Forensic Analysis
- IR-4(13) Behavior Analysis
- IR-4(14) Security Operations Center
- IR-4(15) Public Relations and Reputation Repair
- IR-5(1) Automated Tracking, Data Collection, and Analysis
- IR-6(1) Automated Reporting
- IR-6(2) Vulnerabilities Related to Incidents
- IR-6(3) Supply Chain Coordination
- IR-7(1) Automation Support for Availability of Information and Support
- IR-7(2) Coordination with External Providers
- IR-8(1) Breaches
- IR-9(1) Responsible Personnel
- Withdrawn: Incorporated into IR-9
- IR-9(2) Training
- IR-9(3) Post-spill Operations
- IR-9(4) Exposure to Unauthorized Personnel
- IR-10 Integrated Information Security Analysis Team
- Withdrawn: Moved to IR-4(11)
- MA-2(1) Record Content
- Withdrawn: Incorporated into MA-2
- MA-2(2) Automated Maintenance Activities
- MA-3 Maintenance Tools
- MA-3(1) Inspect Tools
- MA-3(2) Inspect Media
- MA-3(3) Prevent Unauthorized Removal
- MA-3(4) Restricted Tool Use
- MA-3(5) Execution with Privilege
- MA-3(6) Software Updates and Patches
- MA-4(1) Logging and Review
- MA-4(2) Document Nonlocal Maintenance
- MA-4(3) Comparable Security and Sanitization
- MA-4(4) Authentication and Separation of Maintenance Sessions
- MA-4(5) Approvals and Notifications
- MA-4(6) Cryptographic Protection
- MA-4(7) Disconnect Verification
- MA-5(1) Individuals Without Appropriate Access
- MA-5(2) Security Clearances for Classified Systems
- MA-5(3) Citizenship Requirements for Classified Systems
- MA-5(4) Foreign Nationals
- MA-5(5) Non-system Maintenance
- MA-6 Timely Maintenance
- MA-6(1) Preventive Maintenance
- MA-6(2) Predictive Maintenance
- MA-6(3) Automated Support for Predictive Maintenance
- MA-7 Field Maintenance
- MP-4 Media Storage
- MP-4(1) Cryptographic Protection
- Withdrawn: Incorporated into SC-28(1)
- MP-4(2) Automated Restricted Access
- MP-5 Media Transport
- MP-5(1) Protection Outside of Controlled Areas
- Withdrawn: Incorporated into MP-5
- MP-5(2) Documentation of Activities
- Withdrawn: Incorporated into MP-5
- MP-5(3) Custodians
- MP-5(4) Cryptographic Protection
- Withdrawn: Incorporated into SC-28(1)
- MP-6(1) Review, Approve, Track, Document, and Verify
- MP-6(2) Equipment Testing
- MP-6(3) Nondestructive Techniques
- MP-6(4) Controlled Unclassified Information
- Withdrawn: Incorporated into MP-6
- MP-6(5) Classified Information
- Withdrawn: Incorporated into MP-6
- MP-6(6) Media Destruction
- Withdrawn: Incorporated into MP-6
- MP-6(7) Dual Authorization
- MP-6(8) Remote Purging or Wiping of Information
- MP-7(1) Prohibit Use Without Owner
- Withdrawn: Incorporated into MP-7
- MP-7(2) Prohibit Use of Sanitization-resistant Media
- MP-8 Media Downgrading
- MP-8(1) Documentation of Process
- MP-8(2) Equipment Testing
- MP-8(3) Controlled Unclassified Information
- MP-8(4) Classified Information
- PE-2(1) Access by Position or Role
- PE-2(2) Two Forms of Identification
- PE-2(3) Restrict Unescorted Access
- PE-3(1) System Access
- PE-3(2) Facility and Systems
- PE-3(3) Continuous Guards
- PE-3(4) Lockable Casings
- PE-3(5) Tamper Protection
- PE-3(6) Facility Penetration Testing
- Withdrawn: Incorporated into CA-8
- PE-3(7) Physical Barriers
- PE-3(8) Access Control Vestibules
- PE-4 Access Control for Transmission
- PE-5 Access Control for Output Devices
- PE-5(1) Access to Output by Authorized Individuals
- Withdrawn: Incorporated into PE-5
- PE-5(2) Link to Individual Identity
- PE-5(3) Marking Output Devices
- Withdrawn: Incorporated into PE-22
- PE-6(1) Intrusion Alarms and Surveillance Equipment
- PE-6(2) Automated Intrusion Recognition and Responses
- PE-6(3) Video Surveillance
- PE-6(4) Monitoring Physical Access to Systems
- PE-7 Visitor Control
- PE-8(1) Automated Records Maintenance and Review
- PE-8(2) Physical Access Records
- Withdrawn: Incorporated into PE-2
- PE-8(3) Limit Personally Identifiable Information Elements
- PE-9 Power Equipment and Cabling
- PE-9(1) Redundant Cabling
- PE-9(2) Automatic Voltage Controls
- PE-10 Emergency Shutoff
- PE-10(1) Accidental and Unauthorized Activation
- Withdrawn: Incorporated into PE-10
- PE-11 Emergency Power
- PE-11(1) Alternate Power Supply - Minimal Operational Capability
- PE-11(2) Alternate Power Supply - Self-contained
- PE-12(1) Essential Mission and Business Functions
- PE-13(1) Detection Systems - Automatic Activation and Notification
- PE-13(2) Suppression Systems - Automatic Activation and Notification
- PE-13(3) Automatic Fire Suppression
- Withdrawn: Incorporated into PE-13(2)
- PE-13(4) Inspections
- PE-14(1) Automatic Controls
- PE-14(2) Monitoring with Alarms and Notifications
- PE-15(1) Automation Support
- PE-18 Location of System Components
- PE-18(1) Facility Site
- Withdrawn: Moved to PE-23
- PE-19 Information Leakage
- PE-19(1) National Emissions Policies and Procedures
- PE-20 Asset Monitoring and Tracking
- PE-21 Electromagnetic Pulse Protection
- PE-22 Component Marking
- PE-23 Facility Location
- PL-2(1) Concept of Operations
- Withdrawn: Incorporated into PL-7
- PL-2(2) Functional Architecture
- Withdrawn: Incorporated into PL-8
- PL-2(3) Plan and Coordinate with Other Organizational Entities
- Withdrawn: Incorporated into PL-2
- PL-3 System Security Plan Update
- Withdrawn: Incorporated into PL-2
- PL-4(1) Social Media and External Site/application Usage Restrictions
- PL-5 Privacy Impact Assessment
- Withdrawn: Incorporated into RA-8
- PL-6 Security-related Activity Planning
- Withdrawn: Incorporated into PL-2
- PL-7 Concept of Operations
- PL-8 Security and Privacy Architectures
- PL-8(1) Defense in Depth
- PL-8(2) Supplier Diversity
- PL-9 Central Management
- PL-10 Baseline Selection
- PL-11 Baseline Tailoring
- PM-5(1) Inventory of Personally Identifiable Information
- PM-8 Critical Infrastructure Plan
- PM-11 Mission and Business Process Definition
- PM-12 Insider Threat Program
- PM-13 Security and Privacy Workforce
- PM-16(1) Automated Means for Sharing Threat Intelligence
- PM-17 Protecting Controlled Unclassified Information on External Systems
- PM-18 Privacy Program Plan
- PM-19 Privacy Program Leadership Role
- PM-20 Dissemination of Privacy Program Information
- PM-20(1) Privacy Policies on Websites, Applications, and Digital Services
- PM-21 Accounting of Disclosures
- PM-22 Personally Identifiable Information Quality Management
- PM-23 Data Governance Body
- PM-24 Data Integrity Board
- PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research
- PM-26 Complaint Management
- PM-27 Privacy Reporting
- PM-28 Risk Framing
- PM-29 Risk Management Program Leadership Roles
- PM-30 Supply Chain Risk Management Strategy
- PM-30(1) Suppliers of Critical or Mission-essential Items
- PM-31 Continuous Monitoring Strategy
- PM-32 Purposing
- PS-3(2) Formal Indoctrination
- PS-3(3) Information Requiring Special Protective Measures
- PS-3(4) Citizenship Requirements
- PS-4(1) Post-employment Requirements
- PS-4(2) Automated Actions
- PS-6(1) Information Requiring Special Protection
- Withdrawn: Incorporated into PS-3
- PS-6(2) Classified Information Requiring Special Protection
- PS-6(3) Post-employment Requirements
- PS-9 Position Descriptions
- PT-2 Authority to Process Personally Identifiable Information
- PT-2(1) Data Tagging
- PT-2(2) Automation
- PT-3(1) Data Tagging
- PT-3(2) Automation
- PT-4 Consent
- PT-4(1) Tailored Consent
- PT-4(2) Just-in-time Consent
- PT-4(3) Revocation
- PT-5 Privacy Notice
- PT-5(1) Just-in-time Notice
- PT-5(2) Privacy Act Statements
- PT-6 System of Records Notice
- PT-6(1) Routine Uses
- PT-6(2) Exemption Rules
- PT-7 Specific Categories of Personally Identifiable Information
- PT-7(1) Social Security Numbers
- PT-7(2) First Amendment Information
- PT-8 Computer Matching Requirements
- RA-3(2) Use of All-source Intelligence
- RA-3(3) Dynamic Threat Awareness
- RA-3(4) Predictive Cyber Analytics
- RA-4 Risk Assessment Update
- Withdrawn: Incorporated into RA-3
- RA-5(1) Update Tool Capability
- Withdrawn: Incorporated into RA-5
- RA-5(2) Update Vulnerabilities to Be Scanned
- RA-5(3) Breadth and Depth of Coverage
- RA-5(4) Discoverable Information
- RA-5(5) Privileged Access
- RA-5(6) Automated Trend Analyses
- RA-5(7) Automated Detection and Notification of Unauthorized Components
- Withdrawn: Incorporated into CM-8
- RA-5(8) Review Historic Audit Logs
- RA-5(9) Penetration Testing and Analyses
- Withdrawn: Incorporated into CA-8
- RA-5(10) Correlate Scanning Information
- RA-5(11) Public Disclosure Program
- RA-6 Technical Surveillance Countermeasures Survey
- RA-8 Privacy Impact Assessments
- RA-9 Criticality Analysis
- RA-10 Threat Hunting
- SA-3(1) Manage Preproduction Environment
- SA-3(2) Use of Live or Operational Data
- SA-3(3) Technology Refresh
- SA-4(1) Functional Properties of Controls
- SA-4(2) Design and Implementation Information for Controls
- SA-4(3) Development Methods, Techniques, and Practices
- SA-4(4) Assignment of Components to Systems
- Withdrawn: Incorporated into CM-8(9)
- SA-4(5) System, Component, and Service Configurations
- SA-4(6) Use of Information Assurance Products
- SA-4(7) NIAP-approved Protection Profiles
- SA-4(8) Continuous Monitoring Plan for Controls
- SA-4(9) Functions, Ports, Protocols, and Services in Use
- SA-4(10) Use of Approved PIV Products
- SA-4(11) System of Records
- SA-4(12) Data Ownership
- SA-5(1) Functional Properties of Security Controls
- Withdrawn: Incorporated into SA-4(1)
- SA-5(2) Security-relevant External System Interfaces
- Withdrawn: Incorporated into SA-4(2)
- SA-5(3) High-level Design
- Withdrawn: Incorporated into SA-4(2)
- SA-5(4) Low-level Design
- Withdrawn: Incorporated into SA-4(2)
- SA-5(5) Source Code
- Withdrawn: Incorporated into SA-4(2)
- SA-6 Software Usage Restrictions
- SA-7 User-installed Software
- SA-8(1) Clear Abstractions
- SA-8(2) Least Common Mechanism
- SA-8(3) Modularity and Layering
- SA-8(4) Partially Ordered Dependencies
- SA-8(5) Efficiently Mediated Access
- SA-8(6) Minimized Sharing
- SA-8(7) Reduced Complexity
- SA-8(8) Secure Evolvability
- SA-8(9) Trusted Components
- SA-8(10) Hierarchical Trust
- SA-8(11) Inverse Modification Threshold
- SA-8(12) Hierarchical Protection
- SA-8(13) Minimized Security Elements
- SA-8(14) Least Privilege
- SA-8(15) Predicate Permission
- SA-8(16) Self-reliant Trustworthiness
- SA-8(17) Secure Distributed Composition
- SA-8(18) Trusted Communications Channels
- SA-8(19) Continuous Protection
- SA-8(20) Secure Metadata Management
- SA-8(21) Self-analysis
- SA-8(22) Accountability and Traceability
- SA-8(23) Secure Defaults
- SA-8(24) Secure Failure and Recovery
- SA-8(25) Economic Security
- SA-8(26) Performance Security
- SA-8(27) Human Factored Security
- SA-8(28) Acceptable Security
- SA-8(29) Repeatable and Documented Procedures
- SA-8(30) Procedural Rigor
- SA-8(31) Secure System Modification
- SA-8(32) Sufficient Documentation
- SA-8(33) Minimization
- SA-9(1) Risk Assessments and Organizational Approvals
- SA-9(2) Identification of Functions, Ports, Protocols, and Services
- SA-9(3) Establish and Maintain Trust Relationship with Providers
- SA-9(4) Consistent Interests of Consumers and Providers
- SA-9(5) Processing, Storage, and Service Location
- SA-9(6) Organization-controlled Cryptographic Keys
- SA-9(7) Organization-controlled Integrity Checking
- SA-9(8) Processing and Storage Location - U.S. Jurisdiction
- SA-10(1) Software and Firmware Integrity Verification
- SA-10(2) Alternative Configuration Management Processes
- SA-10(3) Hardware Integrity Verification
- SA-10(4) Trusted Generation
- SA-10(5) Mapping Integrity for Version Control
- SA-10(6) Trusted Distribution
- SA-10(7) Security and Privacy Representatives
- SA-11(1) Static Code Analysis
- SA-11(2) Threat Modeling and Vulnerability Analyses
- SA-11(3) Independent Verification of Assessment Plans and Evidence
- SA-11(4) Manual Code Reviews
- SA-11(5) Penetration Testing
- SA-11(6) Attack Surface Reviews
- SA-11(7) Verify Scope of Testing and Evaluation
- SA-11(8) Dynamic Code Analysis
- SA-11(9) Interactive Application Security Testing
- SA-12 Supply Chain Protection
- Withdrawn: Incorporated into SR
- SA-12(1) Acquisition Strategies / Tools / Methods
- Withdrawn: Moved to SR-5
- SA-12(2) Supplier Reviews
- Withdrawn: Moved to SR-6
- SA-12(3) Trusted Shipping and Warehousing
- Withdrawn: Incorporated into SR-3
- SA-12(4) Diversity of Suppliers
- Withdrawn: Moved to SR-3(1)
- SA-12(5) Limitation of Harm
- Withdrawn: Moved to SR-3(2)
- SA-12(6) Minimizing Procurement Time
- Withdrawn: Incorporated into SR-5(1)
- SA-12(7) Assessments Prior to Selection / Acceptance / Update
- Withdrawn: Moved to SR-5(2)
- SA-12(8) Use of All-source Intelligence
- Withdrawn: Incorporated into RA-3(2)
- SA-12(9) Operations Security
- Withdrawn: Moved to SR-7
- SA-12(10) Validate as Genuine and Not Altered
- Withdrawn: Moved to SR-4(3)
- SA-12(11) Penetration Testing / Analysis of Elements, Processes, and Actors
- Withdrawn: Moved to SR-6(1)
- SA-12(12) Inter-organizational Agreements
- Withdrawn: Moved to SR-8
- SA-12(13) Critical Information System Components
- SA-12(14) Identity and Traceability
- SA-12(15) Processes to Address Weaknesses or Deficiencies
- Withdrawn: Incorporated into SR-3
- SA-13 Trustworthiness
- Withdrawn: Incorporated into SA-8
- SA-14 Criticality Analysis
- Withdrawn: Incorporated into RA-9
- SA-14(1) Critical Components with No Viable Alternative Sourcing
- Withdrawn: Incorporated into SA-20
- SA-15 Development Process, Standards, and Tools
- SA-15(1) Quality Metrics
- SA-15(2) Security and Privacy Tracking Tools
- SA-15(3) Criticality Analysis
- SA-15(4) Threat Modeling and Vulnerability Analysis
- Withdrawn: Incorporated into SA-11(2)
- SA-15(5) Attack Surface Reduction
- SA-15(6) Continuous Improvement
- SA-15(7) Automated Vulnerability Analysis
- SA-15(8) Reuse of Threat and Vulnerability Information
- SA-15(9) Use of Live Data
- Withdrawn: Incorporated into SA-3(2)
- SA-15(10) Incident Response Plan
- SA-15(11) Archive System or Component
- SA-15(12) Minimize Personally Identifiable Information
- SA-16 Developer-provided Training
- SA-17 Developer Security and Privacy Architecture and Design
- SA-17(1) Formal Policy Model
- SA-17(2) Security-relevant Components
- SA-17(3) Formal Correspondence
- SA-17(4) Informal Correspondence
- SA-17(5) Conceptually Simple Design
- SA-17(6) Structure for Testing
- SA-17(7) Structure for Least Privilege
- SA-17(8) Orchestration
- SA-17(9) Design Diversity
- SA-18 Tamper Resistance and Detection
- Withdrawn: Moved to SR-9
- SA-18(1) Multiple Phases of System Development Life Cycle
- Withdrawn: Moved to SR-9(1)
- SA-18(2) Inspection of Systems or Components
- Withdrawn: Moved to SR-10
- SA-19 Component Authenticity
- Withdrawn: Moved to SR-11
- SA-19(1) Anti-counterfeit Training
- Withdrawn: Moved to SR-11(1)
- SA-19(2) Configuration Control for Component Service and Repair
- Withdrawn: Moved to SR-11(2)
- SA-19(3) Component Disposal
- Withdrawn: Moved to SR-12
- SA-19(4) Anti-counterfeit Scanning
- Withdrawn: Moved to SR-11(3)
- SA-20 Customized Development of Critical Components
- SA-21 Developer Screening
- SA-21(1) Validation of Screening
- Withdrawn: Incorporated into SA-21
- SA-22(1) Alternative Sources for Continued Support
- Withdrawn: Incorporated into SA-22
- SA-23 Specialization
- SC-2 Separation of System and User Functionality
- SC-2(1) Interfaces for Non-privileged Users
- SC-2(2) Disassociability
- SC-3 Security Function Isolation
- SC-3(1) Hardware Separation
- SC-3(2) Access and Flow Control Functions
- SC-3(3) Minimize Nonsecurity Functionality
- SC-3(4) Module Coupling and Cohesiveness
- SC-3(5) Layered Structures
- SC-4 Information in Shared System Resources
- SC-4(1) Security Levels
- Withdrawn: Incorporated into SC-4
- SC-4(2) Multilevel or Periods Processing
- SC-5(1) Restrict Ability to Attack Other Systems
- SC-5(2) Capacity, Bandwidth, and Redundancy
- SC-5(3) Detection and Monitoring
- SC-6 Resource Availability
- SC-7(1) Physically Separated Subnetworks
- Withdrawn: Incorporated into SC-7
- SC-7(2) Public Access
- Withdrawn: Incorporated into SC-7
- SC-7(3) Access Points
- SC-7(4) External Telecommunications Services
- SC-7(5) Deny by Default - Allow by Exception
- SC-7(6) Response to Recognized Failures
- Withdrawn: Incorporated into SC-7(18)
- SC-7(7) Split Tunneling for Remote Devices
- SC-7(8) Route Traffic to Authenticated Proxy Servers
- SC-7(9) Restrict Threatening Outgoing Communications Traffic
- SC-7(10) Prevent Exfiltration
- SC-7(11) Restrict Incoming Communications Traffic
- SC-7(12) Host-based Protection
- SC-7(13) Isolation of Security Tools, Mechanisms, and Support Components
- SC-7(14) Protect Against Unauthorized Physical Connections
- SC-7(15) Networked Privileged Accesses
- SC-7(16) Prevent Discovery of System Components
- SC-7(17) Automated Enforcement of Protocol Formats
- SC-7(18) Fail Secure
- SC-7(19) Block Communication from Non-organizationally Configured Hosts
- SC-7(20) Dynamic Isolation and Segregation
- SC-7(21) Isolation of System Components
- SC-7(22) Separate Subnets for Connecting to Different Security Domains
- SC-7(23) Disable Sender Feedback on Protocol Validation Failure
- SC-7(24) Personally Identifiable Information
- SC-7(25) Unclassified National Security System Connections
- SC-7(26) Classified National Security System Connections
- SC-7(27) Unclassified Non-national Security System Connections
- SC-7(28) Connections to Public Networks
- SC-7(29) Separate Subnets to Isolate Functions
- SC-8(1) Cryptographic Protection
- SC-8(2) Pre- and Post-transmission Handling
- SC-8(3) Cryptographic Protection for Message Externals
- SC-8(4) Conceal or Randomize Communications
- SC-8(5) Protected Distribution System
- SC-9 Transmission Confidentiality
- Withdrawn: Incorporated into SC-8
- SC-10 Network Disconnect
- SC-11 Trusted Path
- SC-11(1) Irrefutable Communications Path
- SC-12(1) Availability
- SC-12(2) Symmetric Keys
- SC-12(3) Asymmetric Keys
- SC-12(4) PKI Certificates
- Withdrawn: Incorporated into SC-12(3)
- SC-12(5) PKI Certificates / Hardware Tokens
- Withdrawn: Incorporated into SC-12(3)
- SC-12(6) Physical Control of Keys
- SC-13(1) FIPS-validated Cryptography
- Withdrawn: Incorporated into SC-13
- SC-13(2) NSA-approved Cryptography
- Withdrawn: Incorporated into SC-13
- SC-13(3) Individuals Without Formal Access Approvals
- Withdrawn: Incorporated into SC-13
- SC-13(4) Digital Signatures
- Withdrawn: Incorporated into SC-13
- SC-14 Public Access Protections
- SC-15(1) Physical or Logical Disconnect
- SC-15(2) Blocking Inbound and Outbound Communications Traffic
- Withdrawn: Incorporated into SC-7
- SC-15(3) Disabling and Removal in Secure Work Areas
- SC-15(4) Explicitly Indicate Current Participants
- SC-16 Transmission of Security and Privacy Attributes
- SC-16(1) Integrity Verification
- SC-16(2) Anti-spoofing Mechanisms
- SC-16(3) Cryptographic Binding
- SC-17 Public Key Infrastructure Certificates
- SC-18 Mobile Code
- SC-18(1) Identify Unacceptable Code and Take Corrective Actions
- SC-18(2) Acquisition, Development, and Use
- SC-18(3) Prevent Downloading and Execution
- SC-18(4) Prevent Automatic Execution
- SC-18(5) Allow Execution Only in Confined Environments
- SC-19 Voice Over Internet Protocol
- Withdrawn: Control Technology-specific; addressed as any other technology or protocol.
- SC-20(1) Child Subspaces
- Withdrawn: Incorporated into SC-20
- SC-20(2) Data Origin and Integrity
- SC-21(1) Data Origin and Integrity
- Withdrawn: Incorporated into SC-21
- SC-23 Session Authenticity
- SC-23(1) Invalidate Session Identifiers at Logout
- SC-23(2) User-initiated Logouts and Message Displays
- Withdrawn: Incorporated into AC-12(1)
- SC-23(3) Unique System-generated Session Identifiers
- SC-23(4) Unique Session Identifiers with Randomization
- Withdrawn: Incorporated into SC-23(3)
- SC-23(5) Allowed Certificate Authorities
- SC-24 Fail in Known State
- SC-25 Thin Nodes
- SC-26 Decoys
- SC-26(1) Detection of Malicious Code
- Withdrawn: Incorporated into SC-35
- SC-27 Platform-independent Applications
- SC-28 Protection of Information at Rest
- SC-28(1) Cryptographic Protection
- SC-28(2) Offline Storage
- SC-28(3) Cryptographic Keys
- SC-29 Heterogeneity
- SC-29(1) Virtualization Techniques
- SC-30 Concealment and Misdirection
- SC-30(1) Virtualization Techniques
- Withdrawn: Incorporated into SC-29(1)
- SC-30(2) Randomness
- SC-30(3) Change Processing and Storage Locations
- SC-30(4) Misleading Information
- SC-30(5) Concealment of System Components
- SC-31 Covert Channel Analysis
- SC-31(1) Test Covert Channels for Exploitability
- SC-31(2) Maximum Bandwidth
- SC-31(3) Measure Bandwidth in Operational Environments
- SC-32 System Partitioning
- SC-32(1) Separate Physical Domains for Privileged Functions
- SC-33 Transmission Preparation Integrity
- Withdrawn: Incorporated into SC-8
- SC-34 Non-modifiable Executable Programs
- SC-34(1) No Writable Storage
- SC-34(2) Integrity Protection on Read-only Media
- SC-34(3) Hardware-based Protection
- Withdrawn: Moved to SC-51
- SC-35 External Malicious Code Identification
- SC-36 Distributed Processing and Storage
- SC-36(1) Polling Techniques
- SC-36(2) Synchronization
- SC-37 Out-of-band Channels
- SC-37(1) Ensure Delivery and Transmission
- SC-38 Operations Security
- SC-39(1) Hardware Separation
- SC-39(2) Separate Execution Domain Per Thread
- SC-40 Wireless Link Protection
- SC-40(1) Electromagnetic Interference
- SC-40(2) Reduce Detection Potential
- SC-40(3) Imitative or Manipulative Communications Deception
- SC-40(4) Signal Parameter Identification
- SC-41 Port and I/O Device Access
- SC-42 Sensor Capability and Data
- SC-42(1) Reporting to Authorized Individuals or Roles
- SC-42(2) Authorized Use
- SC-42(3) Prohibit Use of Devices
- Withdrawn: Incorporated into SC-42
- SC-42(4) Notice of Collection
- SC-42(5) Collection Minimization
- SC-43 Usage Restrictions
- SC-44 Detonation Chambers
- SC-45 System Time Synchronization
- SC-45(1) Synchronization with Authoritative Time Source
- SC-45(2) Secondary Authoritative Time Source
- SC-46 Cross Domain Policy Enforcement
- SC-47 Alternate Communications Paths
- SC-48 Sensor Relocation
- SC-48(1) Dynamic Relocation of Sensors or Monitoring Capabilities
- SC-49 Hardware-enforced Separation and Policy Enforcement
- SC-50 Software-enforced Separation and Policy Enforcement
- SC-51 Hardware-based Protection
- SI-2(1) Central Management
- Withdrawn: Incorporated into PL-9
- SI-2(2) Automated Flaw Remediation Status
- SI-2(3) Time to Remediate Flaws and Benchmarks for Corrective Actions
- SI-2(4) Automated Patch Management Tools
- SI-2(5) Automatic Software and Firmware Updates
- SI-2(6) Removal of Previous Versions of Software and Firmware
- SI-3(1) Central Management
- Withdrawn: Incorporated into PL-9
- SI-3(2) Automatic Updates
- Withdrawn: Incorporated into SI-3
- SI-3(3) Non-privileged Users
- Withdrawn: Incorporated into AC-6(10)
- SI-3(4) Updates Only by Privileged Users
- SI-3(5) Portable Storage Devices
- Withdrawn: Incorporated into MP-7
- SI-3(6) Testing and Verification
- SI-3(7) Nonsignature-based Detection
- Withdrawn: Incorporated into SI-3
- SI-3(8) Detect Unauthorized Commands
- SI-3(9) Authenticate Remote Commands
- Withdrawn: Moved to AC-17(10)
- SI-3(10) Malicious Code Analysis
- SI-4(1) System-wide Intrusion Detection System
- SI-4(2) Automated Tools and Mechanisms for Real-time Analysis
- SI-4(3) Automated Tool and Mechanism Integration
- SI-4(4) Inbound and Outbound Communications Traffic
- SI-4(5) System-generated Alerts
- SI-4(6) Restrict Non-privileged Users
- Withdrawn: Incorporated into AC-6(10)
- SI-4(7) Automated Response to Suspicious Events
- SI-4(8) Protection of Monitoring Information
- Withdrawn: Incorporated into SI-4
- SI-4(9) Testing of Monitoring Tools and Mechanisms
- SI-4(10) Visibility of Encrypted Communications
- SI-4(11) Analyze Communications Traffic Anomalies
- SI-4(12) Automated Organization-generated Alerts
- SI-4(13) Analyze Traffic and Event Patterns
- SI-4(14) Wireless Intrusion Detection
- SI-4(15) Wireless to Wireline Communications
- SI-4(16) Correlate Monitoring Information
- SI-4(17) Integrated Situational Awareness
- SI-4(18) Analyze Traffic and Covert Exfiltration
- SI-4(19) Risk for Individuals
- SI-4(20) Privileged Users
- SI-4(21) Probationary Periods
- SI-4(22) Unauthorized Network Services
- SI-4(23) Host-based Devices
- SI-4(24) Indicators of Compromise
- SI-4(25) Optimize Network Traffic Analysis
- SI-5(1) Automated Alerts and Advisories
- SI-6 Security and Privacy Function Verification
- SI-6(1) Notification of Failed Security Tests
- Withdrawn: Incorporated into SI-6
- SI-6(2) Automation Support for Distributed Testing
- SI-6(3) Report Verification Results
- SI-7 Software, Firmware, and Information Integrity
- SI-7(1) Integrity Checks
- SI-7(2) Automated Notifications of Integrity Violations
- SI-7(3) Centrally Managed Integrity Tools
- SI-7(4) Tamper-evident Packaging
- Withdrawn: Incorporated into SR-9
- SI-7(5) Automated Response to Integrity Violations
- SI-7(6) Cryptographic Protection
- SI-7(7) Integration of Detection and Response
- SI-7(8) Auditing Capability for Significant Events
- SI-7(9) Verify Boot Process
- SI-7(10) Protection of Boot Firmware
- SI-7(11) Confined Environments with Limited Privileges
- Withdrawn: Moved to CM-7(6)
- SI-7(12) Integrity Verification
- SI-7(13) Code Execution in Protected Environments
- Withdrawn: Moved to CM-7(7)
- SI-7(14) Binary or Machine Executable Code
- Withdrawn: Moved to CM-7(8)
- SI-7(15) Code Authentication
- SI-7(16) Time Limit on Process Execution Without Supervision
- SI-7(17) Runtime Application Self-protection
- SI-8 Spam Protection
- SI-8(1) Central Management
- Withdrawn: Incorporated into PL-9
- SI-8(2) Automatic Updates
- SI-8(3) Continuous Learning Capability
- SI-9 Information Input Restrictions
- SI-10(1) Manual Override Capability
- SI-10(2) Review and Resolve Errors
- SI-10(3) Predictable Behavior
- SI-10(4) Timing Interactions
- SI-10(5) Restrict Inputs to Trusted Sources and Approved Formats
- SI-10(6) Injection Prevention
- SI-11 Error Handling
- SI-12(1) Limit Personally Identifiable Information Elements
- SI-12(2) Minimize Personally Identifiable Information in Testing, Training, and Research
- SI-12(3) Information Disposal
- SI-13 Predictable Failure Prevention
- SI-13(1) Transferring Component Responsibilities
- SI-13(2) Time Limit on Process Execution Without Supervision
- Withdrawn: Incorporated into SI-7(16)
- SI-13(3) Manual Transfer Between Components
- SI-13(4) Standby Component Installation and Notification
- SI-13(5) Failover Capability
- SI-14 Non-persistence
- SI-14(1) Refresh from Trusted Sources
- SI-14(2) Non-persistent Information
- SI-14(3) Non-persistent Connectivity
- SI-15 Information Output Filtering
- SI-16 Memory Protection
- SI-17 Fail-safe Procedures
- SI-18 Personally Identifiable Information Quality Operations
- SI-18(1) Automation Support
- SI-18(2) Data Tags
- SI-18(3) Collection
- SI-18(4) Individual Requests
- SI-18(5) Notice of Correction or Deletion
- SI-19 De-identification
- SI-19(1) Collection
- SI-19(2) Archiving
- SI-19(3) Release
- SI-19(4) Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
- SI-19(5) Statistical Disclosure Implementation
- SI-19(6) Differential Privacy
- SI-19(7) Validated Algorithms and Software
- SI-19(8) Motivated Intruder
- SI-20 Tainting
- SI-21 Information Refresh
- SI-22 Information Diversity
- SI-23 Information Fragmentation
Revision History
- Updated: June 18, 2024
- Updated: May 31, 2025
- Next Scheduled Review: May 31, 2026