Access Control (AC)
Controls that govern how users access systems and data, including authentication methods, role-based permissions, session limits, and remote access protocols.
Awareness and Training (AT)
Ensures all users receive appropriate training on security responsibilities, acceptable use policies, and recognizing cybersecurity threats like phishing or malware.
Audit and Accountability (AU)
Provides guidance on logging system activities, reviewing audit records, and ensuring accountability for actions performed within IT systems.
Security Assessment and Authorization (CA)
Covers processes for evaluating, authorizing, and monitoring information systems to ensure they meet security requirements prior to and during operation.
Configuration Management (CM)
Focuses on establishing secure configurations for systems, controlling changes, and documenting hardware/software inventory to reduce vulnerabilities.
Contingency Planning (CP)
Defines strategies for maintaining and restoring operations during and after a disruption, including data backup, recovery, and continuity plans.
Identification and Authentication (IA)
Describes how individuals and devices are identified and authenticated before being granted access to information systems.
Incident Response (IR)
Establishes procedures for detecting, responding to, and recovering from security incidents, including roles, responsibilities, and communication protocols.
Maintenance (MA)
Covers the secure execution of system maintenance activities, both on-site and remotely, to ensure operational integrity without introducing risk.
Media Protection (MP)
Outlines how to safeguard sensitive information stored on physical or digital media throughout its lifecycle, from creation to disposal.
Physical and Environmental Protection (PE)
Addresses physical safeguards to protect IT assets and facilities from unauthorized access, environmental hazards, and physical damage.
Planning (PL)
Involves the development of security-related plans, including strategic and system-specific documentation, to guide and support IT governance.
Program Management (PM)
Provides high-level, organization-wide governance, budgeting, and strategic planning necessary to manage information security risk and compliance.
Personnel Security (PS)
Provides controls related to screening, training, and managing personnel who access systems to prevent insider threats and unauthorized activity.
Risk Assessment (RA)
Focuses on identifying, analyzing, and managing risks to IT systems and data to prioritize mitigation strategies based on impact.
System and Services Acquisition (SA)
Ensures that security requirements are integrated into the planning, development, and procurement of systems and services, including third-party contracts.
System and Communications Protection (SC)
Covers network security, data encryption, and secure communications to protect the confidentiality and integrity of information in transit or at rest.
System and Information Integrity (SI)
Describes how to detect, report, and correct system flaws or vulnerabilities and ensure data integrity through monitoring and antivirus controls.
Supply Chain Risk Management (SR)
Ensures the identification, assessment, and mitigation of risks associated with third-party vendors, products, and services to protect the integrity and security of the organization's information systems throughout their entire lifecycle.