NIST 800-53 ALL

NIST 800-53 is a comprehensive framework by the National Institute of Standards and Technology that provides guidelines for securing federal information systems. It includes a catalog of security and privacy controls organized into families, helping organizations implement robust risk management and compliance measures.

Controls:

Access control safeguards are implemented to ensure that only authorized individuals and systems have access to the information system and its resources. The primary goal is to prevent unauthorized access and to limit access to those with the necessary permissions based on their roles and responsibilities within the organization. Effective access control mechanisms contribute to the confidentiality, integrity, and availability of the information system and its data.

  • Policy and Procedures (AC-1) - Main Control

    The Access Control Policy and Procedures control (AC-1) focuses on the establishment and documentation of a comprehensive set of policies and procedures that govern the management of access to information systems and resources. This control ensures that access to sensitive data, applications, and systems is appropriately authorized, managed, and audited, thereby reducing the risk of unauthorized access and potential security breaches.

  • Account Management (AC-2) - Main Control

    The Account Management control (AC-2) focuses on the establishment and enforcement of policies and procedures for the management of user accounts within an information system. This control ensures that user accounts are created, modified, and terminated in a secure and consistent manner, reducing the risk of unauthorized access and minimizing potential security vulnerabilities.

  • Account Management | Automated System Account Management (AC-2(1))

    The Automated System Account Management subcontrol (AC-2(1)) focuses on the establishment and enforcement of automated procedures for the management of system and application accounts. This control ensures that the creation, modification, and termination of accounts within automated systems are handled consistently and securely, reducing the risk of unauthorized access and improving operational efficiency.

  • Account Management | Automated Temporary and Emergency Account Management (AC-2(2))

    The Automated Temporary and Emergency Account Management subcontrol (AC-2(2)) focuses on the establishment and management of automated procedures for the creation and deactivation of temporary and emergency user accounts. This control ensures that temporary and emergency accounts are created only when needed, with strict controls in place to manage their lifecycle and mitigate potential security risks.

  • Account Management | Disable Accounts (AC-2(3))

    The Disable Accounts subcontrol (AC-2(3)) focuses on the establishment of procedures for promptly disabling user accounts that are no longer needed or that have been compromised. This control ensures that inactive or compromised accounts are disabled to prevent unauthorized access, reducing the risk of security breaches and maintaining the integrity of the information system.

  • Account Management | Automated Audit Actions (AC-2(4))

    The Automated Audit Actions subcontrol (AC-2(4)) focuses on the implementation of automated mechanisms to facilitate auditing of account management actions. This control ensures that account-related activities, such as account creation, modification, and deactivation, are logged and monitored automatically, enhancing accountability and helping to detect and respond to unauthorized or suspicious activities.

  • Account Management | Inactivity Logout (AC-2(5))

    The Inactivity Logout subcontrol (AC-2(5)) focuses on automatically terminating user sessions after a defined period of inactivity. This control ensures that user accounts are logged out and access is revoked when users are inactive for a specified time, reducing the risk of unauthorized access and improving the overall security posture.

  • Account Management | Dynamic Privilege Management (AC-2(6))

    The Dynamic Privilege Management subcontrol (AC-2(6)) focuses on the implementation of mechanisms that allow for the dynamic adjustment of user privileges based on changing roles, responsibilities, and job functions. This control ensures that users have the appropriate level of access at all times, reducing the risk of over-privileged accounts and unauthorized access.

  • Account Management | Privileged User Accounts (AC-2(7))

    The Privileged User Accounts subcontrol (AC-2(7)) focuses on the management and monitoring of privileged user accounts, which have elevated access rights within an information system. This control ensures that privileged accounts are identified, strictly controlled, and subject to enhanced oversight, reducing the risk of misuse and unauthorized access.

  • Account Management | Dynamic Account Management (AC-2(8))

    The Dynamic Account Management subcontrol (AC-2(8)) focuses on the implementation of mechanisms that allow for the dynamic adjustment of user accounts based on changing roles, responsibilities, and attributes. This control ensures that user accounts are created, modified, and terminated based on evolving organizational needs, reducing the risk of unauthorized access and improving operational efficiency.

  • Account Management | Restrictions on Use of Shared and Group Accounts (AC-2(9))

    The Restrictions on Use of Shared and Group Accounts subcontrol (AC-2(9)) focuses on limiting the use of shared and group accounts within an information system. This control ensures that the use of shared and group accounts is restricted to authorized individuals and specific purposes, reducing the risk of unauthorized access and enhancing accountability.

  • Account Management | Shared and Group Account Credential Change (AC-2(10))

    The Shared and Group Account Credential Change subcontrol (AC-2(10)) focuses on ensuring that the credentials associated with shared and group accounts are changed on a regular basis. This control ensures that the passwords or credentials used by shared and group accounts are periodically updated, reducing the risk of unauthorized access and enhancing security.

  • Account Management | Usage Conditions (AC-2(11))

    The Usage Conditions subcontrol (AC-2(11)) focuses on defining and enforcing specific usage conditions for user accounts. This control ensures that user accounts are used only for authorized purposes and within defined boundaries, reducing the risk of misuse or unauthorized access.

  • Account Management | Account Monitoring for Atypical Usage (AC-2(12))

    The Account Monitoring for Atypical Usage subcontrol (AC-2(12)) focuses on the continuous monitoring of user account activities to detect and respond to atypical usage patterns. This control ensures that user account behaviors are analyzed for anomalies, potential misuse, or unauthorized access, enhancing security and reducing the risk of breaches.

  • Account Management | Disable Accounts for High-risk Individuals (AC-2(13))

    The Disable Accounts for High-risk Individuals subcontrol (AC-2(13)) focuses on promptly disabling user accounts for individuals with a higher risk profile. This control ensures that accounts associated with high-risk individuals, such as terminated employees or contractors, are promptly disabled to prevent unauthorized access and potential security breaches.

  • Access Enforcement (AC-3) - Main Control

    The Access Enforcement control (AC-3) focuses on enforcing access control policies and mechanisms to ensure that only authorized individuals are granted access to information systems and resources. This control ensures that access decisions are made based on established rules and criteria, reducing the risk of unauthorized access and ensuring the security and confidentiality of sensitive information.

  • Access Enforcement | Restricted Access to Privileged Functions (AC-3(1))

    The Restricted Access to Privileged Functions subcontrol (AC-3(1)) focuses on limiting and controlling access to privileged functions within an information system. This control ensures that only authorized individuals with specific roles and responsibilities are granted access to perform high-level administrative or privileged operations, reducing the risk of unauthorized actions and potential security breaches.

  • Access Enforcement | Dual Authorization (AC-3(2))

    The Dual Authorization subcontrol (AC-3(2)) focuses on requiring dual authorization or approval for certain high-risk or sensitive operations within an information system. This control ensures that critical actions are reviewed and approved by multiple authorized individuals, reducing the risk of unauthorized or malicious activities.

  • Access Enforcement | Mandatory Access Control (AC-3(3))

    The Mandatory Access Control subcontrol (AC-3(3)) focuses on implementing mandatory access control mechanisms to enforce and regulate access permissions based on security labels or attributes. This control ensures that access decisions are made by the system based on predefined security policies, reducing the risk of unauthorized access and enforcing data confidentiality and integrity.

  • Access Enforcement | Discretionary Access Control (AC-3(4))

    The Discretionary Access Control subcontrol (AC-3(4)) focuses on granting or restricting access permissions based on the discretion of data owners or resource custodians. This control allows individuals with ownership or control over resources to determine who can access those resources, enhancing accountability and supporting flexible access management.

  • Access Enforcement | Security-relevant Information (AC-3(5))

    The Security-relevant Information subcontrol (AC-3(5)) focuses on providing users with necessary security-related information before granting access to information systems. This control ensures that individuals are aware of security policies, procedures, and guidelines before accessing sensitive resources, enhancing security awareness and promoting responsible access behaviors.

  • Access Enforcement | Protection of User and System Information (AC-3(6))

    The Protection of User and System Information subcontrol (AC-3(6)) focuses on safeguarding user and system information during the access process. This control ensures that sensitive user credentials and system information are protected from unauthorized access or disclosure, reducing the risk of identity theft, data breaches, and unauthorized system modification.

  • Access Enforcement | Role-based Access Control (AC-3(7))

    The Role-based Access Control subcontrol (AC-3(7)) focuses on implementing access controls based on predefined roles and responsibilities within the organization. This control ensures that individuals are granted access privileges based on their assigned roles, reducing the risk of unauthorized access and supporting efficient access management.

  • Access Enforcement | Revocation of Access Authorizations (AC-3(8))

    The Revocation of Access Authorizations subcontrol (AC-3(8)) focuses on promptly removing access privileges when they are no longer needed or authorized. This control ensures that individuals have their access revoked in a timely manner, reducing the risk of unauthorized access and preventing potential security breaches.

  • Access Enforcement | Controlled Release (AC-3(9))

    The Controlled Release subcontrol (AC-3(9)) focuses on carefully managing and controlling the release of information or system resources to individuals or organizations. This control ensures that information is released only to authorized recipients and that proper safeguards are in place to prevent unauthorized disclosure or misuse.

  • Access Enforcement | Audited Override of Access Control Mechanisms (AC-3(10))

    The Audited Override of Access Control Mechanisms subcontrol (AC-3(10)) focuses on allowing authorized individuals to override access control mechanisms in exceptional cases while ensuring that such overrides are logged and audited. This control ensures that access control overrides are transparent, monitored, and used only when necessary.

  • Access Enforcement | Restrict Access to Specific Information Types (AC-3(11))

    The Restrict Access to Specific Information Types subcontrol (AC-3(11)) focuses on limiting access to specific types of information based on data classification or sensitivity. This control ensures that individuals are granted access only to the information types that are relevant to their job roles and responsibilities.

  • Access Enforcement | Assert and Enforce Application Access (AC-3(12))

    The Assert and Enforce Application Access subcontrol (AC-3(12)) focuses on ensuring that applications assert the identity of users and enforce access controls before granting access to resources. This control ensures that applications play an active role in enforcing access controls to prevent unauthorized access and protect sensitive data.

  • Access Enforcement | Attribute-based Access Control (AC-3(13))

    The Attribute-based Access Control subcontrol (AC-3(13)) focuses on granting or restricting access to resources based on specific attributes associated with users, objects, or the environment. This control enables fine-grained access management by considering multiple attributes beyond just roles and permissions.

  • Access Enforcement | Individual Access (AC-3(14))

    The Individual Access subcontrol (AC-3(14)) focuses on granting access to individuals based on their unique identities. This control ensures that each individual is granted access based on their personal attributes and credentials, and that access is not shared or compromised.

  • Access Enforcement | Discretionary and Mandatory Access Control (AC-3(15))

    The Discretionary and Mandatory Access Control subcontrol (AC-3(15)) focuses on implementing both discretionary access control (DAC) and mandatory access control (MAC) mechanisms to enforce access controls based on user permissions and system policies. This control ensures that authorized users have appropriate access and that data and resources are protected according to predefined security levels.

  • Information Flow Enforcement (AC-4) - Main Control

    The Information Flow Enforcement control (AC-4) focuses on implementing mechanisms to control and enforce the flow of information between interconnected systems and components. This control ensures that information is properly categorized, labeled, and controlled as it moves across different levels of security, preventing unauthorized or unintended information disclosure.

  • Information Flow Enforcement | Object Security and Privacy Attributes (AC-4(1))

    The Object Security and Privacy Attributes subcontrol (AC-4(1)) focuses on associating security and privacy attributes with objects, such as data files or resources, to enforce proper handling and control as they move across systems and components. This control ensures that sensitive information is appropriately categorized and controlled during information flow.

  • Information Flow Enforcement | Processing Domains (AC-4(2))

    The Processing Domains subcontrol (AC-4(2)) focuses on separating and controlling the processing of different types of information or activities within distinct processing domains. This control ensures that information with varying security levels or processing requirements is appropriately isolated and managed.

  • Information Flow Enforcement | Dynamic Information Flow Control (AC-4(3))

    The Dynamic Information Flow Control subcontrol (AC-4(3)) focuses on implementing mechanisms that dynamically control the flow of information based on changing circumstances, such as the user's actions or environmental conditions. This control ensures that information is handled appropriately and securely in real-time.

  • Information Flow Enforcement | Flow Control of Encrypted Information (AC-4(4))

    The Flow Control of Encrypted Information subcontrol (AC-4(4)) focuses on enforcing the appropriate flow of encrypted information based on its security attributes and associated controls. This control ensures that encrypted data is handled and transmitted securely while adhering to access controls.

  • Information Flow Enforcement | Embedded Data Types (AC-4(5))

    The Embedded Data Types subcontrol (AC-4(5)) focuses on enforcing controls for embedded data types within information flows. This control ensures that data contained within other types of data, such as images or documents, is properly controlled and protected as it flows through systems.

  • Information Flow Enforcement | Metadata (AC-4(6))

    The Metadata subcontrol (AC-4(6)) focuses on associating metadata with data and resources to support effective information flow enforcement. This control ensures that metadata, such as data labels or classifications, is used to guide and enforce proper handling and control of information flows.

  • Information Flow Enforcement | One-way Flow Mechanisms (AC-4(7))

    The One-way Flow Mechanisms subcontrol (AC-4(7)) focuses on implementing mechanisms that establish one-way data flows to enforce information flow restrictions. This control ensures that data can move from a source to a destination, but not in the reverse direction, to prevent unauthorized disclosures.

  • Information Flow Enforcement | Security and Privacy Policy Filters (AC-4(8))

    The Security and Privacy Policy Filters subcontrol (AC-4(8)) focuses on implementing security and privacy policy filters that control the flow of information based on predefined policies. This control ensures that information flows adhere to established security and privacy requirements.

  • Information Flow Enforcement | Human Reviews (AC-4(9))

    The Human Reviews subcontrol (AC-4(9)) focuses on incorporating human reviews into the information flow enforcement process. This control ensures that human oversight is involved in reviewing and approving information flows to prevent unauthorized disclosures.

  • Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters (AC-4(10))

    The Enable and Disable Security or Privacy Policy Filters subcontrol (AC-4(10)) focuses on providing the capability to enable or disable security or privacy policy filters that control information flow. This control ensures that authorized personnel can adjust the enforcement of policy filters based on changing circumstances.

  • Information Flow Enforcement | Configuration of Security or Privacy Policy Filters (AC-4(11))

    The Configuration of Security or Privacy Policy Filters subcontrol (AC-4(11)) focuses on configuring security or privacy policy filters to enforce information flow restrictions. This control ensures that policy filters are properly configured and aligned with security and privacy requirements.

  • Information Flow Enforcement | Data Type Identifiers (AC-4(12))

    The Data Type Identifiers subcontrol (AC-4(12)) focuses on utilizing data type identifiers to guide and enforce information flow restrictions. This control ensures that data is properly categorized and controlled based on its data type.

  • Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents (AC-4(13))

    The Decomposition into Policy-relevant Subcomponents subcontrol (AC-4(13)) focuses on breaking down information flows into policy-relevant subcomponents for effective control and enforcement. This control ensures that information flows are granularly analyzed and controlled based on specific policy requirements.

  • Information Flow Enforcement | Security or Privacy Policy Filter Constraints (AC-4(14))

    The Security or Privacy Policy Filter Constraints subcontrol (AC-4(14)) focuses on implementing constraints for security or privacy policy filters to ensure that information flow enforcement aligns with organizational requirements. This control ensures that policy filters are effectively constrained to prevent unintended or unauthorized information flows.

  • Information Flow Enforcement | Detection of Unsanctioned Information (AC-4(15))

    The Detection of Unsanctioned Information subcontrol (AC-4(15)) focuses on implementing mechanisms to detect and respond to the flow of unsanctioned information. This control ensures that unauthorized or unapproved information flows are promptly identified and addressed.

  • Information Flow Enforcement | Information Transfers on Interconnected Systems (AC-4(16))

    The Information Transfers on Interconnected Systems subcontrol (AC-4(16)) focuses on controlling the flow of information between interconnected systems to prevent unauthorized or unintended transfers. This control ensures that information is only transferred between interconnected systems in a secure and authorized manner.

  • Information Flow Enforcement | Domain Authentication (AC-4(17))

    The Security and Privacy Function Verification control SI-6(1) focuses on notifying appropriate personnel when security tests fail to meet specified criteria. This control ensures that failed security tests are promptly addressed and necessary corrective actions are taken.

  • Information Flow Enforcement | Security Attribute Binding (AC-4(18))

    The Security Attribute Binding subcontrol (AC-4(18)) focuses on establishing and maintaining the binding between security attributes and information flows. This control ensures that security attributes are consistently associated with information flows to enable proper access control and enforcement.

  • Information Flow Enforcement | Validation of Metadata (AC-4(19))

    The Validation of Metadata subcontrol (AC-4(19)) focuses on ensuring the accuracy and integrity of metadata associated with information flows. This control ensures that metadata, which provides context and attributes to information, is validated to prevent unauthorized or incorrect information flows.

  • Information Flow Enforcement | Approved Solutions (AC-4(20))

    The Approved Solutions subcontrol (AC-4(20)) focuses on ensuring that only approved solutions are used to control information flows and enforce access controls. This control ensures that solutions used for information flow enforcement are reviewed and authorized to meet security and access control requirements.

  • Information Flow Enforcement | Physical or Logical Separation of Information Flows (AC-4(21))

    The Physical or Logical Separation of Information Flows subcontrol (AC-4(21)) focuses on implementing physical or logical barriers to separate and control different information flows. This control ensures that information flows are segregated to prevent unauthorized or unintended interactions and maintain the security and integrity of sensitive data.

  • Information Flow Enforcement | Access Only (AC-4(22))

    The Access Only subcontrol (AC-4(22)) focuses on restricting information flows to authorized users or processes with specific access needs. This control ensures that only those with a legitimate need can access and interact with information, minimizing the risk of unauthorized access and data leakage.

  • Information Flow Enforcement | Modify Non-releasable Information (AC-4(23))

    The Modify Non-releasable Information subcontrol (AC-4(23)) focuses on preventing unauthorized modification of non-releasable information during information flows. This control ensures that sensitive or restricted information remains unaltered when shared or transferred between entities.

  • Information Flow Enforcement | Internal Normalized Format (AC-4(24))

    The Internal Normalized Format subcontrol (AC-4(24)) focuses on using an internal normalized format for information flows to ensure consistency and integrity when exchanging data between systems. This control ensures that data is presented in a consistent and standardized format during information flows.

  • Information Flow Enforcement | Data Sanitization (AC-4(25))

    The Data Sanitization subcontrol (AC-4(25)) focuses on removing sensitive or classified information from data before it is released or shared. This control ensures that information flows do not inadvertently expose sensitive data to unauthorized recipients.

  • Information Flow Enforcement | Audit Filtering Actions (AC-4(26))

    The Audit Filtering Actions subcontrol (AC-4(26)) focuses on selectively capturing and auditing specific information flow-related actions to reduce the volume of audit logs generated. This control ensures that audit logs are manageable and relevant for detecting unauthorized or suspicious activities.

  • Information Flow Enforcement | Redundant/independent Filtering Mechanisms (AC-4(27))

    The Redundant/Independent Filtering Mechanisms subcontrol (AC-4(27)) focuses on implementing multiple, separate filtering mechanisms to ensure the effectiveness of information flow enforcement. This control ensures that redundant and independent filtering mechanisms are in place to enhance the reliability and resilience of access controls.

  • Information Flow Enforcement | Linear Filter Pipelines (AC-4(28))

    The Linear Filter Pipelines subcontrol (AC-4(28)) focuses on implementing a sequence of linear filtering mechanisms to enforce information flow controls. This control ensures that information flows are subjected to a series of filtering stages to enhance access control and data protection.

  • Information Flow Enforcement | Filter Orchestration Engines (AC-4(29))

    The Filter Orchestration Engines subcontrol (AC-4(29)) focuses on utilizing filter orchestration engines to manage and coordinate multiple filtering mechanisms for information flow enforcement. This control ensures that various filters work together cohesively to enhance access control and data protection.

  • Information Flow Enforcement | Filter Mechanisms Using Multiple Processes (AC-4(30))

    The Filter Mechanisms Using Multiple Processes subcontrol (AC-4(30)) focuses on implementing filter mechanisms using multiple processes to enhance access control and data protection for information flows. This control ensures that separate processes are employed for different filtering stages, improving security and reliability.

  • Information Flow Enforcement | Failed Content Transfer Prevention (AC-4(31))

    The Failed Content Transfer Prevention subcontrol (AC-4(31)) focuses on preventing the transfer of content that has failed filtering or validation processes during information flows. This control ensures that content that does not meet security and integrity criteria is not allowed to be transferred.

  • Information Flow Enforcement | Process Requirements for Information Transfer (AC-4(32))

    The Process Requirements for Information Transfer subcontrol (AC-4(32)) focuses on establishing and enforcing specific process requirements for transferring information between different systems or entities. This control ensures that information flows adhere to defined processes to maintain security and integrity.

  • Separation of Duties (AC-5) - Main Control

    The Separation of Duties control (AC-5) aims to prevent conflicts of interest and ensure accountability by enforcing the principle of separation of duties. This control requires that tasks and responsibilities related to access control are distributed among different individuals or roles to minimize the risk of unauthorized actions or fraud.

  • Least Privilege (AC-6) - Main Control

    The Least Privilege control (AC-6) focuses on ensuring that individuals and processes are granted only the minimum level of access necessary to perform their authorized tasks. This control helps mitigate the risk of unauthorized access and potential misuse of privileges.

  • Least Privilege | Authorize Access to Security Functions (AC-6(1))

    The Authorize Access to Security Functions subcontrol (AC-6(1)) focuses on ensuring that only authorized individuals have access to security functions and capabilities. This control helps prevent unauthorized changes to security settings and configurations.

  • Least Privilege | Non-privileged Access for Nonsecurity Functions (AC-6(2))

    The Non-privileged Access for Nonsecurity Functions subcontrol (AC-6(2)) emphasizes the importance of providing non-privileged access to individuals performing nonsecurity functions. This control helps prevent unnecessary elevation of privileges and reduces the risk of unauthorized actions.

  • Least Privilege | Network Access to Privileged Commands (AC-6(3))

    The Network Access to Privileged Commands subcontrol (AC-6(3)) focuses on restricting network access to privileged commands. This control helps prevent unauthorized individuals from executing privileged commands remotely over the network.

  • Least Privilege | Separate Processing Domains (AC-6(4))

    The Separate Processing Domains subcontrol (AC-6(4)) emphasizes the need to establish separate processing domains for different types of activities or tasks. This control helps prevent unauthorized access to sensitive information and reduces the impact of security incidents.

  • Least Privilege | Privileged Accounts (AC-6(5))

    The Privileged Accounts subcontrol (AC-6(5)) focuses on managing and controlling privileged accounts with elevated access privileges. This control aims to reduce the risk of unauthorized use and potential misuse of privileged accounts.

  • Least Privilege | Privileged Access by Non-organizational Users (AC-6(6))

    The Privileged Access by Non-organizational Users subcontrol (AC-6(6)) focuses on managing and controlling privileged access granted to non-organizational users, such as contractors or third-party individuals. This control aims to mitigate the risks associated with granting elevated privileges to external entities.

  • Least Privilege | Review of User Privileges (AC-6(7))

    The Review of User Privileges subcontrol (AC-6(7)) focuses on conducting regular reviews of user privileges to ensure that individuals have only the necessary access rights and privileges required to perform their duties. This control helps maintain the principle of least privilege and reduces the risk of unauthorized access.

  • Least Privilege | Privilege Levels for Code Execution (AC-6(8))

    The Privilege Levels for Code Execution subcontrol (AC-6(8)) focuses on enforcing specific privilege levels for executing code, applications, or scripts. This control aims to reduce the risk of unauthorized code execution with elevated privileges.

  • Least Privilege | Log Use of Privileged Functions (AC-6(9))

    The Log Use of Privileged Functions subcontrol (AC-6(9)) focuses on logging the use of privileged functions and activities to provide an audit trail of actions performed with elevated privileges. This control helps enhance accountability, transparency, and oversight of privileged actions.

  • Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions (AC-6(10))

    The Prohibit Non-privileged Users from Executing Privileged Functions subcontrol (AC-6(10)) focuses on preventing non-privileged users from executing privileged functions, thereby limiting the potential for unauthorized or accidental misuse of elevated privileges.

  • Unsuccessful Logon Attempts (AC-7) - Main Control

    The Unsuccessful Logon Attempts control (AC-7) focuses on monitoring and limiting the number of unsuccessful logon attempts to prevent unauthorized access to information systems. This control helps protect against brute force attacks and unauthorized access attempts.

  • Unsuccessful Logon Attempts | Automatic Account Lock (AC-7(1))

    The Automatic Account Lock subcontrol (AC-7(1)) focuses on automatically locking user accounts after a specified number of consecutive unsuccessful logon attempts. This control helps mitigate the risk of unauthorized access due to brute force attacks or repeated login attempts.

  • Unsuccessful Logon Attempts | Purge or Wipe Mobile Device (AC-7(2))

    The Purge or Wipe Mobile Device subcontrol (AC-7(2)) focuses on purging or wiping the data on a mobile device after a specified number of consecutive unsuccessful logon attempts. This control helps prevent unauthorized access to sensitive information stored on mobile devices.

  • Unsuccessful Logon Attempts | Biometric Attempt Limiting (AC-7(3))

    The Biometric Attempt Limiting subcontrol (AC-7(3)) focuses on limiting the number of consecutive unsuccessful logon attempts using biometric authentication methods. This control helps prevent unauthorized access to systems and data through biometric-based authentication mechanisms.

  • Unsuccessful Logon Attempts | Use of Alternate Authentication Factor (AC-7(4))

    The Use of Alternate Authentication Factor subcontrol (AC-7(4)) focuses on requiring the use of an alternate authentication factor after a specified number of consecutive unsuccessful logon attempts. This control enhances security by introducing an additional layer of authentication to prevent unauthorized access.
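The AC-7 entries above describe a counter of consecutive unsuccessful logon attempts that triggers a response once a threshold is reached. The following Python model is an added example, not text from NIST 800-53 and not any official implementation: it keeps that counter per account, demands an alternate authentication factor after a first threshold (AC-7(4)) and locks the account for a fixed period after a second threshold (AC-7(1)). The threshold values, lock duration, account names and timestamps are constructed for illustration; the credential checks themselves are assumed to be done by the caller.

```python
"""Added example, not part of the NIST 800-53 catalogue or any official
implementation: an in-memory model of AC-7 enforcement. Each account keeps a
count of consecutive unsuccessful logon attempts; once the count reaches a
first threshold an alternate authentication factor is demanded (AC-7(4)),
and once it reaches a second threshold the account is locked for a fixed
period (AC-7(1)). Thresholds, lock duration, account names and timestamps
are constructed values for illustration only."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    SUCCESS = "success"                    # credentials accepted, counter reset
    FAILURE = "failure"                    # credentials rejected, counter incremented
    STEP_UP_REQUIRED = "step_up_required"  # AC-7(4): password alone no longer sufficient
    LOCKED = "locked"                      # AC-7(1): account locked, attempt refused


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None when not locked
    events: List[Tuple[float, str]] = field(default_factory=list)  # per-account audit trail


class LogonPolicy:
    """Enforces the AC-7 thresholds; credential checking itself is done by the caller."""

    def __init__(self, step_up_after: int = 3, lock_after: int = 5, lock_seconds: float = 900.0):
        # Constructed policy values: demand a second factor after 3 consecutive
        # failures, lock after 5, and keep the lock for 15 minutes.
        self.step_up_after = step_up_after
        self.lock_after = lock_after
        self.lock_seconds = lock_seconds
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def attempt(self, user: str, password_ok: bool, now: float,
                alt_factor_ok: Optional[bool] = None) -> Outcome:
        """Record one logon attempt.

        password_ok is the result of the caller's credential check; alt_factor_ok
        is the result of the alternate factor check, or None if none was presented.
        """
        st = self._state(user)

        # AC-7(1): refuse everything while the lock is in force.
        if st.locked_until is not None:
            if now < st.locked_until:
                st.events.append((now, "refused_locked"))
                return Outcome.LOCKED
            st.locked_until = None             # lock expired: start a fresh count
            st.consecutive_failures = 0

        # AC-7(4): after step_up_after consecutive failures the password alone
        # is not enough; an attempt without the alternate factor is not
        # evaluated and therefore not counted as another failure.
        step_up = st.consecutive_failures >= self.step_up_after
        if step_up and alt_factor_ok is None:
            st.events.append((now, "step_up_required"))
            return Outcome.STEP_UP_REQUIRED

        if password_ok and (alt_factor_ok or not step_up):
            st.consecutive_failures = 0        # only a full success resets the counter
            st.events.append((now, "success"))
            return Outcome.SUCCESS

        st.consecutive_failures += 1
        st.events.append((now, "failure"))
        if st.consecutive_failures >= self.lock_after:
            st.locked_until = now + self.lock_seconds
            st.events.append((now, "locked"))
            return Outcome.LOCKED
        return Outcome.FAILURE


def demo() -> List[Outcome]:
    """Constructed scenario: three bad passwords, then a correct password that is
    refused pending the alternate factor, then a full success that resets the count."""
    policy = LogonPolicy()
    t0 = 1_700_000_000.0                       # constructed timestamp
    results = [policy.attempt("alice", False, t0 + i) for i in range(3)]
    results.append(policy.attempt("alice", True, t0 + 3))                      # STEP_UP_REQUIRED
    results.append(policy.attempt("alice", True, t0 + 4, alt_factor_ok=True))  # SUCCESS
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome.value)
```

Two design points carry the control's intent: the counter is kept and enforced on the server, so a client cannot reset it, and only a fully successful logon clears it, so a correct password presented during the step-up window does not erase the evidence of the preceding failures. The per-account event list is what an AC-7 implementation would forward to the audit log.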

  • System Use Notification (AC-8)- Main Control

    The System Use Notification control (AC-8) focuses on providing users with appropriate notification and warnings regarding the use of information systems before accessing them. This control helps users understand their responsibilities and the conditions under which they are allowed to access and use the systems.

  • Previous Logon Notification (AC-9)- Main Control

    The Previous Logon Notification control (AC-9) focuses on providing users with notifications about their previous successful and unsuccessful logon attempts to information systems. This control enhances user awareness of potential unauthorized access and helps users identify and report any suspicious activities related to their accounts.

  • Previous Logon Notification | Unsuccessful Logons (AC-9(1))

    The Previous Logon Notification | Unsuccessful Logons subcontrol (AC-9(1)) focuses on providing users with notifications about their previous unsuccessful logon attempts to information systems. This control enhances user awareness of potential unauthorized access attempts and encourages users to take appropriate actions to secure their accounts.

  • Previous Logon Notification | Successful and Unsuccessful Logons (AC-9(2))

    The Previous Logon Notification | Successful and Unsuccessful Logons subcontrol (AC-9(2)) focuses on providing users with notifications about both their previous successful and unsuccessful logon attempts to information systems. This control enhances user awareness of all logon activities related to their accounts and encourages them to take appropriate actions to secure their accounts.

  • Previous Logon Notification | Notification of Account Changes (AC-9(3))

    The Previous Logon Notification | Notification of Account Changes subcontrol (AC-9(3)) focuses on providing users with notifications about changes made to their user accounts, including modifications to privileges, roles, and access rights. This control enhances user awareness of any account changes and helps users promptly identify and report unauthorized or suspicious modifications.

  • Previous Logon Notification | Additional Logon Information (AC-9(4))

    The Previous Logon Notification | Additional Logon Information subcontrol (AC-9(4)) focuses on providing users with additional information about their previous logon activities beyond basic logon attempt details. This control enhances user awareness of their account usage and helps them recognize any unusual or unauthorized logon activities.

  • Concurrent Session Control (AC-10)- Main Control

    The Concurrent Session Control (AC-10) control focuses on managing and controlling the number of active and concurrent user sessions within an information system. This control helps prevent unauthorized or excessive access to information resources and ensures that users have appropriate levels of access and accountability.

  • Device Lock (AC-11)- Main Control

    The Device Lock (AC-11) control focuses on ensuring that information systems and devices are automatically locked or secured when not in use to prevent unauthorized access and protect sensitive information from exposure. This control aims to reduce the risk of unauthorized access and data breaches that may occur if devices are left unattended or unlocked.

  • Device Lock | Pattern-hiding Displays (AC-11(1))

    The Device Lock | Pattern-hiding Displays (AC-11(1)) control focuses on preventing unauthorized individuals from observing or deducing patterns or characters entered by users during the device unlock process. This control enhances the confidentiality of authentication credentials and helps mitigate the risk of unauthorized access through observation or inference.

  • Session Termination (AC-12)- Main Control

    The Session Termination (AC-12) control focuses on ensuring that user sessions are properly and securely terminated after a specified period of inactivity or when the user no longer requires access to the information system. This control helps prevent unauthorized access and data breaches by promptly terminating active sessions when they are no longer needed.

  • Session Termination | User-initiated Logouts (AC-12(1))

    The Session Termination | User-initiated Logouts (AC-12(1)) control focuses on empowering users to actively terminate their own sessions when they no longer require access to the information system. This control ensures that users have the ability to log out promptly and securely, reducing the risk of unauthorized access and protecting sensitive information.

  • Session Termination | Termination Message (AC-12(2))

    The Session Termination | Termination Message (AC-12(2)) control focuses on displaying a clear and informative termination message to users when their sessions are about to be terminated due to inactivity. This control enhances user awareness, provides an opportunity for users to extend their sessions if needed, and helps prevent unintended session terminations.

  • Session Termination | Timeout Warning Message (AC-12(3))

    The Session Termination | Timeout Warning Message (AC-12(3)) control focuses on displaying a warning message to users shortly before their session is about to be automatically terminated due to inactivity. This control enhances user awareness and provides users with an opportunity to extend their sessions if needed.
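The AC-12 entries above describe idle-based termination, a termination message, a timeout warning and a user-initiated logout. The following Python model is an added example, not text from NIST 800-53 and not any official implementation, showing these four behaviours enforced on the server side, so that a client which never runs its own timer still loses the session. The timeout and warning values, session ids, user names and timestamps are constructed for illustration.

```python
"""Added example, not part of the NIST 800-53 catalogue or any official
implementation: a server-side model of AC-12 session termination. A session
ends after a fixed idle period regardless of client behaviour, a warning is
produced shortly before that point (AC-12(3)), a termination message is
returned once the session has ended (AC-12(2)), and the user can end the
session early (AC-12(1)). Timeout values, ids and timestamps are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    last_activity: float            # epoch seconds of the last authenticated request
    active: bool = True
    end_reason: Optional[str] = None


class SessionManager:
    def __init__(self, idle_timeout: float = 900.0, warning_lead: float = 120.0):
        # Constructed values: 15 minutes of inactivity ends the session and the
        # warning is shown during the final 2 minutes.
        self.idle_timeout = idle_timeout
        self.warning_lead = warning_lead
        self.sessions: Dict[str, Session] = {}

    def open(self, session_id: str, user: str, now: float) -> None:
        self.sessions[session_id] = Session(user=user, last_activity=now)

    def touch(self, session_id: str, now: float) -> bool:
        """Record user activity; returns False if the session had already ended."""
        state, _ = self.status(session_id, now)   # apply expiry before extending
        if state == "terminated":
            return False
        self.sessions[session_id].last_activity = now
        return True

    def logout(self, session_id: str) -> str:
        """AC-12(1): user-initiated termination, effective immediately."""
        s = self.sessions[session_id]
        s.active = False
        s.end_reason = "user_logout"
        return self._termination_message(s)

    def status(self, session_id: str, now: float) -> Tuple[str, Optional[str]]:
        """Evaluate the session at time `now` and return (state, message).

        state is "active", "warning" or "terminated"; message is the text the
        application would show the user (None while the session is simply active).
        """
        s = self.sessions[session_id]
        if not s.active:
            return "terminated", self._termination_message(s)
        idle = now - s.last_activity
        if idle >= self.idle_timeout:
            # Enforced here, on the server: the session ends even if the client
            # never displayed a warning or ran a countdown.
            s.active = False
            s.end_reason = "inactivity"
            return "terminated", self._termination_message(s)
        if idle >= self.idle_timeout - self.warning_lead:
            # AC-12(3): warn while there is still time to continue the session.
            remaining = int(self.idle_timeout - idle)
            return "warning", f"Your session will end in {remaining} seconds unless you continue working."
        return "active", None

    def _termination_message(self, s: Session) -> str:
        # AC-12(2): tell the user why the session ended.
        if s.end_reason == "inactivity":
            minutes = int(self.idle_timeout // 60)
            return f"Your session was terminated after {minutes} minutes of inactivity. Please sign in again."
        return "You have been logged out."


if __name__ == "__main__":
    m = SessionManager()
    m.open("s1", "alice", 0.0)                 # constructed session and timestamps
    for t in (100.0, 800.0, 1700.0):
        print(t, m.status("s1", t))
```

The `touch` method re-evaluates expiry before extending the session, which is the step an implementation most often gets wrong: a request arriving after the idle limit must not revive a session that should already have ended.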

  • Permitted Actions Without Identification or Authentication (AC-14)- Main Control

    The Permitted Actions Without Identification or Authentication (AC-14) control addresses the circumstances under which certain actions are allowed without requiring user identification and authentication. This control helps organizations strike a balance between security and operational needs by allowing specific actions to be performed without the overhead of full identification and authentication while still maintaining adequate security measures.

  • Automated Marking (AC-15)- Main Control

    The Automated Marking (AC-15) control focuses on automating the process of marking information with appropriate security labels, metadata, and other attributes. This ensures that information is properly classified, protected, and controlled throughout its lifecycle, aiding in the enforcement of access controls and facilitating information sharing based on its sensitivity.

  • Security and Privacy Attributes (AC-16)- Main Control

    The Security and Privacy Attributes (AC-16) control focuses on ensuring that security and privacy attributes are associated with information throughout its lifecycle. This control helps organizations maintain consistent and accurate security and privacy settings, classifications, and controls for information, thereby safeguarding its confidentiality, integrity, and availability.

  • Security and Privacy Attributes | Dynamic Attribute Association (AC-16(1))

    The Security and Privacy Attributes | Dynamic Attribute Association (AC-16(1)) control focuses on dynamically associating security and privacy attributes with information based on changing circumstances and contextual factors. This control ensures that information is consistently protected according to its current state and requirements, enhancing the organization's ability to adapt to evolving security and privacy needs.

  • Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals (AC-16(2))

    The Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals (AC-16(2)) control focuses on allowing authorized individuals to modify or update security and privacy attributes associated with information, based on changing requirements or contextual factors. This control ensures that authorized personnel can make necessary adjustments while maintaining the accuracy and consistency of security and privacy protections.

  • Security and Privacy Attributes | Maintenance of Attribute Associations by System (AC-16(3))

    The Security and Privacy Attributes | Maintenance of Attribute Associations by System (AC-16(3)) control focuses on ensuring that systems responsible for managing security and privacy attributes consistently maintain and apply attribute associations to information. This control helps prevent inconsistencies and ensures that information is appropriately protected throughout its lifecycle.

  • Security and Privacy Attributes | Association of Attributes by Authorized Individuals (AC-16(4))

    The Security and Privacy Attributes | Association of Attributes by Authorized Individuals (AC-16(4)) control focuses on allowing authorized individuals to associate security and privacy attributes with information based on changing needs or specific circumstances. This control ensures that authorized personnel can dynamically adjust attribute associations while maintaining the accuracy and consistency of security and privacy protections.

  • Security and Privacy Attributes | Attribute Displays on Objects to Be Output (AC-16(5))

    The Security and Privacy Attributes | Attribute Displays on Objects to Be Output (AC-16(5)) control focuses on ensuring that security and privacy attributes associated with objects are accurately displayed when those objects are being prepared for output or transfer. This control helps maintain transparency and ensures that recipients of the objects are aware of the associated security and privacy protections.

  • Security and Privacy Attributes | Maintenance of Attribute Association (AC-16(6))

    The Security and Privacy Attributes | Maintenance of Attribute Association (AC-16(6)) control focuses on the ongoing management and maintenance of attribute associations to ensure that security and privacy attributes remain accurate and up-to-date over time. This control helps prevent misclassification and ensures that information receives the appropriate protection based on its current security and privacy requirements.

  • Security and Privacy Attributes | Consistent Attribute Interpretation (AC-16(7))

    The Security and Privacy Attributes | Consistent Attribute Interpretation (AC-16(7)) control focuses on ensuring that security and privacy attributes are consistently interpreted and applied across the organization. This control helps prevent ambiguity and confusion regarding the meaning and implications of various attributes, leading to more effective security and privacy management.

  • Security and Privacy Attributes | Association Techniques and Technologies (AC-16(8))

    The Security and Privacy Attributes | Association Techniques and Technologies (AC-16(8)) control focuses on the implementation of effective techniques and technologies for associating security and privacy attributes with information assets. This control ensures that the correct attributes are applied to information, enabling appropriate protection and management.

  • Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms (AC-16(9))

    The Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms (AC-16(9)) control focuses on implementing mechanisms to reassign or regrade security and privacy attributes based on changes to information assets. This control ensures that attributes are updated to reflect the evolving security and privacy requirements of the organization.

  • Security and Privacy Attributes | Attribute Configuration by Authorized Individuals (AC-16(10))

    The Security and Privacy Attributes | Attribute Configuration by Authorized Individuals (AC-16(10)) control focuses on establishing controls and processes for configuring security and privacy attributes by authorized individuals. This control ensures that only authorized personnel have the ability to configure attributes, maintaining the accuracy and integrity of attribute settings.

  • Remote Access (AC-17)- Main Control

    The Remote Access (AC-17) control focuses on managing and controlling remote access to organizational information systems and resources. This control ensures that remote access is securely configured, monitored, and controlled to prevent unauthorized access and protect sensitive information.

  • Remote Access | Monitoring and Control (AC-17(1))

    The Remote Access | Monitoring and Control (AC-17(1)) control focuses on implementing monitoring and control mechanisms for remote access to organizational information systems. This control ensures that remote access activities are monitored in real-time, and unauthorized or suspicious activities are detected and appropriately addressed.

  • Remote Access | Protection of Confidentiality and Integrity Using Encryption (AC-17(2))

    The Remote Access | Protection of Confidentiality and Integrity Using Encryption (AC-17(2)) control focuses on ensuring the confidentiality and integrity of remote access communications by employing encryption mechanisms. This control aims to protect sensitive information transmitted between remote devices and organizational systems.

  • Remote Access | Managed Access Control Points (AC-17(3))

    The Remote Access | Managed Access Control Points (AC-17(3)) control focuses on establishing managed access control points for remote access to organizational information systems. This control ensures that remote access is granted through secure and well-defined entry points, enhancing overall security.

  • Remote Access | Privileged Commands and Access (AC-17(4))

    The Remote Access | Privileged Commands and Access (AC-17(4)) control focuses on controlling and limiting privileged commands and access for remote users. This control ensures that remote users have appropriate levels of authorization and are restricted from executing privileged commands unless explicitly authorized.

  • Remote Access | Protection of Mechanism Information (AC-17(6))

    The Remote Access | Protection of Mechanism Information (AC-17(6)) control aims to safeguard the information related to remote access mechanisms, including configuration settings and credentials, from unauthorized access, disclosure, and tampering. This control ensures that the mechanisms used for remote access are properly configured and protected to maintain the security of the remote access infrastructure.

  • Remote Access | Additional Protection for Security Function Access (AC-17(7))

    The Remote Access | Additional Protection for Security Function Access (AC-17(7)) control focuses on implementing additional security measures to protect access to critical security functions via remote access. This control aims to ensure that security functions, which are essential for the protection of the information system, remain secure even when accessed remotely.

  • Remote Access | Disable Nonsecure Network Protocols (AC-17(8))

    The Remote Access | Disable Nonsecure Network Protocols (AC-17(8)) control focuses on preventing the use of nonsecure network protocols for remote access to the information system. This control aims to minimize the attack surface and potential vulnerabilities that may be exploited by attackers attempting to gain unauthorized access to the system through insecure network protocols.

  • Remote Access | Disconnect or Disable Access (AC-17(9))

    The Remote Access | Disconnect or Disable Access (AC-17(9)) control addresses the need to promptly disconnect or disable remote access to an information system when it is no longer required or authorized. This control helps prevent unauthorized access and reduce the risk of security incidents arising from prolonged or unnecessary remote access privileges.

  • Remote Access | Authenticate Remote Commands (AC-17(10))

    The Remote Access | Authenticate Remote Commands (AC-17(10)) control focuses on ensuring that remote commands issued to an information system are properly authenticated and authorized before execution. This control helps prevent unauthorized or malicious commands from being executed remotely, reducing the risk of unauthorized access or compromise.

  • Wireless Access (AC-18)- Main Control

    The Wireless Access (AC-18) control aims to manage and secure wireless communications within an organization's information system. It focuses on establishing policies, procedures, and technical measures to ensure the appropriate use of wireless technologies and to protect against unauthorized access, data breaches, and other security risks associated with wireless networks.

  • Wireless Access | Authentication and Encryption (AC-18(1))

    The Wireless Access | Authentication and Encryption (AC-18(1)) control focuses on ensuring secure authentication and encryption mechanisms for wireless networks. It aims to prevent unauthorized access and protect the confidentiality of data transmitted over wireless connections.

  • Wireless Access | Monitoring Unauthorized Connections (AC-18(2))

    The Wireless Access | Monitoring Unauthorized Connections (AC-18(2)) control focuses on monitoring wireless networks for unauthorized connections and activities. It aims to detect and respond to potential security breaches in wireless environments.

  • Wireless Access | Disable Wireless Networking (AC-18(3))

    The Wireless Access | Disable Wireless Networking (AC-18(3)) control focuses on the ability to disable wireless networking capabilities when they are not needed or authorized. This control helps prevent unauthorized access and potential security risks associated with wireless networks.

  • Wireless Access | Restrict Configurations by Users (AC-18(4))

    The Wireless Access | Restrict Configurations by Users (AC-18(4)) control focuses on restricting users' ability to configure wireless settings on devices to prevent unauthorized or insecure wireless network connections.

  • Wireless Access | Antennas and Transmission Power Levels (AC-18(5))

    The Wireless Access | Antennas and Transmission Power Levels (AC-18(5)) control focuses on managing the use of antennas and transmission power levels in wireless network devices to prevent unauthorized access and reduce the risk of signal interference.

  • Access Control for Mobile Devices (AC-19)- Main Control

    The Access Control for Mobile Devices (AC-19) control focuses on establishing and enforcing access controls for mobile devices to ensure the confidentiality, integrity, and availability of information and systems.

  • Access Control for Mobile Devices | Use of Writable and Portable Storage Devices (AC-19(1))

    The Access Control for Mobile Devices | Use of Writable and Portable Storage Devices (AC-19(1)) control focuses on controlling the use of writable and portable storage devices, such as USB drives and external hard drives, with mobile devices to prevent unauthorized access, data leakage, and malware propagation.

  • Access Control for Mobile Devices | Use of Personally Owned Portable Storage Devices (AC-19(2))

    The Access Control for Mobile Devices | Use of Personally Owned Portable Storage Devices (AC-19(2)) control aims to manage the use of personally owned portable storage devices, such as USB drives and external hard drives, with organizational mobile devices to prevent unauthorized access, data exposure, and potential introduction of malware.

  • Access Control for Mobile Devices | Use of Portable Storage Devices with No Identifiable Owner (AC-19(3))

    The Access Control for Mobile Devices | Use of Portable Storage Devices with No Identifiable Owner (AC-19(3)) control aims to manage the use of portable storage devices that have no identifiable owner with organizational mobile devices. This control helps prevent unauthorized access, data exposure, and potential introduction of malware from unidentified storage devices.

  • Access Control for Mobile Devices | Restrictions for Classified Information (AC-19(4))

    The Access Control for Mobile Devices | Restrictions for Classified Information (AC-19(4)) control aims to enforce access controls and restrictions on the use of mobile devices that handle classified information. This control ensures that only authorized personnel with appropriate clearances can access and use classified information on mobile devices.

  • Access Control for Mobile Devices | Full Device or Container-based Encryption (AC-19(5))

    The Access Control for Mobile Devices | Full Device or Container-based Encryption (AC-19(5)) control focuses on ensuring the protection of sensitive data on mobile devices through the use of full device or container-based encryption. This control helps prevent unauthorized access to data in case of device loss or theft.

  • Use of External Systems (AC-20)- Main Control

    The Use of External Systems (AC-20) control is designed to establish safeguards and controls when organizations interact with external systems, networks, or services. This control aims to manage and mitigate risks associated with connecting to, sharing information with, or relying on external entities.

  • Use of External Systems | Limits on Authorized Use (AC-20(1))

    The Use of External Systems | Limits on Authorized Use (AC-20(1)) control focuses on defining and enforcing limitations on the authorized use of external systems, networks, or services to ensure that their usage aligns with the organization's security policies and objectives.

  • Use of External Systems | Portable Storage Devices — Restricted Use (AC-20(2))

    The Use of External Systems | Portable Storage Devices — Restricted Use (AC-20(2)) control focuses on restricting the use of portable storage devices with external systems to minimize security risks and prevent unauthorized access, data leakage, and malware propagation.

  • Use of External Systems | Non-organizationally Owned Systems — Restricted Use (AC-20(3))

    The Use of External Systems | Non-organizationally Owned Systems — Restricted Use (AC-20(3)) control aims to restrict the use of non-organizationally owned systems within an organization's environment to minimize security risks and protect sensitive information.

  • Use of External Systems | Network Accessible Storage Devices — Prohibited Use (AC-20(4))

    The Use of External Systems | Network Accessible Storage Devices — Prohibited Use (AC-20(4)) control aims to prevent the unauthorized use of network accessible storage devices brought in from external sources, such as personal USB drives or external hard drives.

  • Use of External Systems | Portable Storage Devices — Prohibited Use (AC-20(5))

    The Use of External Systems | Portable Storage Devices — Prohibited Use (AC-20(5)) control aims to prevent the unauthorized use of portable storage devices brought in from external sources, such as USB drives or portable hard drives.

  • Information Sharing (AC-21)- Main Control

    The Information Sharing (AC-21) control focuses on facilitating the controlled sharing of information among organizations while ensuring that appropriate access controls and protections are in place to safeguard sensitive data.

  • Information Sharing | Automated Decision Support (AC-21(1))

    The Information Sharing | Automated Decision Support (AC-21(1)) control focuses on ensuring that automated decision support systems used for information sharing adhere to proper access controls and security measures to prevent unauthorized or inappropriate sharing of sensitive information.

  • Information Sharing | Information Search and Retrieval (AC-21(2))

    The Information Sharing | Information Search and Retrieval (AC-21(2)) control focuses on establishing proper access controls and security measures for information search and retrieval systems to ensure that only authorized individuals can access and retrieve shared information.

  • Publicly Accessible Content (AC-22)- Main Control

    The Publicly Accessible Content (AC-22) control focuses on establishing appropriate access controls and security measures to protect information and systems containing publicly accessible content from unauthorized access, modification, or disclosure.

  • Data Mining Protection (AC-23)- Main Control

    The Data Mining Protection (AC-23) control aims to safeguard the privacy and confidentiality of individuals' personal information during data mining activities by imposing access controls and security measures.

  • Access Control Decisions (AC-24)- Main Control

    The Access Control Decisions (AC-24) control involves establishing and enforcing access control policies and decisions based on organizational policies and security requirements.

  • Access Control Decisions | Transmit Access Authorization Information (AC-24(1))

    The Transmit Access Authorization Information (AC-24(1)) control involves securely transmitting access authorization information between systems and entities to ensure that access control decisions are consistently enforced across different parts of the organization.

  • Access Control Decisions | No User or Process Identity (AC-24(2))

    The No User or Process Identity (AC-24(2)) control ensures that access control decisions are not made solely based on user or process identity, but also take into account other relevant factors to prevent unauthorized access.

  • Reference Monitor (AC-25)- Main Control

    The Reference Monitor (AC-25) control requires the implementation of a reference monitor that enforces access control policies and mediates access between subjects and objects based on predefined rules and permissions.

The Awareness and Training control family emphasizes the importance of fostering a security-conscious culture within an organization by promoting awareness and delivering effective training programs. The goal is to ensure that individuals, including employees, contractors, and other users, are equipped with the knowledge and skills necessary to understand and fulfill their roles and responsibilities in safeguarding information systems and sensitive information.

  • Policy and Procedures (AT-1)- Main Control

    The Awareness and Training Policy and Procedures (AT-1) control requires the establishment of policies and procedures to ensure that personnel receive appropriate awareness and training on security policies, procedures, and practices.

  • Literacy Training and Awareness (AT-2)- Main Control

    The Literacy Training and Awareness (AT-2) control focuses on providing security training and awareness programs that cater to individuals with varying levels of technical literacy and expertise.

  • Literacy Training and Awareness | Practical Exercises (AT-2(1))

    The Practical Exercises (AT-2(1)) subcontrol under Literacy Training and Awareness (AT-2) focuses on providing hands-on, practical exercises to enhance the security knowledge and skills of personnel with varying levels of technical literacy.

  • Literacy Training and Awareness | Insider Threat (AT-2(2))

    The Insider Threat (AT-2(2)) subcontrol under Literacy Training and Awareness (AT-2) focuses on providing targeted training and awareness activities to educate personnel about insider threats, their risks, and preventive measures.

  • Literacy Training and Awareness | Social Engineering and Mining (AT-2(3))

    The Social Engineering and Mining (AT-2(3)) subcontrol under Literacy Training and Awareness (AT-2) focuses on providing training and awareness activities to educate personnel about social engineering tactics and the risks associated with information mining.

  • Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior (AT-2(4))

    The Suspicious Communications and Anomalous System Behavior (AT-2(4)) subcontrol under Literacy Training and Awareness (AT-2) aims to provide training and awareness activities to help personnel recognize and appropriately respond to suspicious communications and anomalous behavior in the information system.

  • Literacy Training and Awareness | Advanced Persistent Threat (AT-2(5))

    The Advanced Persistent Threat (AT-2(5)) subcontrol under Literacy Training and Awareness (AT-2) aims to provide training and awareness activities to help personnel understand and respond to advanced persistent threats, which are sophisticated and targeted cyberattacks that can evade traditional security measures.

  • Literacy Training and Awareness | Cyber Threat Environment (AT-2(6))

    The Cyber Threat Environment (AT-2(6)) subcontrol under Literacy Training and Awareness (AT-2) focuses on educating personnel about the current cyber threat landscape, including emerging threats, vulnerabilities, and attack techniques.

  • Role-based Training (AT-3)- Main Control

    The Role-based Training (AT-3) control in the Awareness and Training (AT) family focuses on providing training tailored to specific job roles within the organization. This ensures that individuals receive training that is relevant to their responsibilities and helps them better understand their role in maintaining information security.

  • Role-based Training | Environmental Controls (AT-3(1))

    The Role-based Training | Environmental Controls (AT-3(1)) subcontrol under Role-based Training (AT-3) focuses on providing role-based training that includes awareness of environmental controls. This training ensures that individuals understand how environmental factors can impact information security and how to appropriately respond to such conditions.

  • Role-based Training | Physical Security Controls (AT-3(2))

    The Role-based Training | Physical Security Controls (AT-3(2)) subcontrol under Role-based Training (AT-3) focuses on providing role-based training that includes awareness of physical security controls. This training ensures that individuals understand the importance of physical security measures and how to effectively contribute to maintaining a secure physical environment for information assets.

  • Role-based Training | Practical Exercises (AT-3(3))

    The Role-based Training | Practical Exercises (AT-3(3)) subcontrol under Role-based Training (AT-3) focuses on incorporating practical exercises into role-based training to enhance the understanding and application of security principles and procedures. Practical exercises simulate real-world scenarios to help individuals develop practical skills and experience in responding to security incidents.

  • Role-based Training | Suspicious Communications and Anomalous System Behavior (AT-3(4))

    The Role-based Training | Suspicious Communications and Anomalous System Behavior (AT-3(4)) subcontrol under Awareness and Training (AT) focuses on providing role-based training to help individuals recognize and respond to suspicious communications and anomalous system behavior. This training enhances their ability to identify potential security threats and take appropriate actions to mitigate risks.

  • Role-based Training | Processing Personally Identifiable Information (AT-3(5))

    The Role-based Training | Processing Personally Identifiable Information (AT-3(5)) subcontrol under Awareness and Training (AT) focuses on providing role-based training to individuals who handle or process personally identifiable information (PII). This training is designed to ensure that individuals understand the proper procedures for handling and protecting PII in accordance with organizational policies and privacy regulations.

  • Training Records (AT-4)- Main Control

    The Training Records (AT-4) control under Awareness and Training (AT) focuses on maintaining accurate and up-to-date records of training activities and outcomes for individuals within the organization. These records help demonstrate compliance with training requirements, track progress, and ensure that personnel have received the necessary education and awareness to perform their roles securely and effectively.

  • Training Feedback (AT-6)- Main Control

    The Training Feedback (AT-6) control under Awareness and Training (AT) focuses on collecting feedback from individuals who have participated in training activities. This feedback helps assess the effectiveness of training programs, identify areas for improvement, and tailor training content to better meet the needs of participants.

The Audit and Accountability control family is designed to facilitate the creation, collection, and analysis of audit records to support the detection of, response to, and investigation of security incidents. By implementing robust auditing mechanisms, organizations can establish a comprehensive and accurate record of activities within their information systems, aiding in the identification of unauthorized access, policy violations, and potential security threats.

  • Policy and Procedures (AU-1)- Main Control

    The Audit and Accountability (AU) control family focuses on establishing policies and procedures for conducting audits, tracking and monitoring events, and ensuring accountability within an organization's information systems. AU-1 specifically addresses the need to develop and implement policies and procedures that guide the overall audit and accountability program.

  • Event Logging (AU-2)- Main Control

    Within the Audit and Accountability (AU) control family, AU-2 specifically addresses the need to generate, record, and retain audit logs of events to provide an accurate record of system activity.

  • Event Logging | Compilation of Audit Records from Multiple Sources (AU-2(1))

    This subcontrol under the Audit and Accountability (AU) control family focuses on the compilation of audit records from multiple sources within an organization's information systems. It ensures that audit logs are collected and aggregated from various components, systems, and applications to provide a comprehensive view of system activity.

  • Event Logging | Selection of Audit Events by Component (AU-2(2))

    This subcontrol under the Audit and Accountability (AU) control family focuses on the selection of specific audit events to be logged by individual components within an organization's information systems. It ensures that only relevant and necessary audit events are recorded, reducing the volume of audit logs while maintaining effective security monitoring.

  • Event Logging | Reviews and Updates (AU-2(3))

    This subcontrol under the Audit and Accountability (AU) control family emphasizes the importance of regularly reviewing and updating the configuration of audit event logging to ensure that it remains effective in meeting the organization's security objectives. It helps ensure that audit logs continue to capture relevant and significant events and adapt to changes in the IT environment.

  • Content of Audit Records | Centralized Management of Planned Audit Record Content (AU-3(2))

    This subcontrol under the Audit and Accountability (AU) control family focuses on ensuring that audit records consistently capture the necessary information across an organization's information systems. It emphasizes the need for centralized management of planned audit record content to ensure uniformity and completeness.

  • Content of Audit Records (AU-3)- Main Control

    This main control under the Audit and Accountability (AU) control family focuses on specifying the necessary content for audit records to ensure the comprehensive capture of relevant information related to security events and incidents. It ensures that audit records contain essential details that support security monitoring, analysis, and incident response.

  • Content of Audit Records | Additional Audit Information (AU-3(1))

    This subcontrol under AU-3 focuses on enhancing the content of audit records by including additional information beyond basic event details. By capturing more comprehensive information, organizations can improve their ability to analyze security events and detect potential threats.

  • Content of Audit Records | Limit Personally Identifiable Information Elements (AU-3(3))

    This control, specified under the Audit and Accountability family, focuses on limiting the inclusion of personally identifiable information (PII) elements within audit records. The objective is to minimize the exposure of sensitive PII in audit logs while ensuring that relevant audit information is captured and retained for security monitoring and incident response purposes.

  • Audit Log Storage Capacity (AU-4)- Main Control

    The Audit Log Storage Capacity control, categorized under the Audit and Accountability family, pertains to the management of audit logs' storage capacity. It focuses on ensuring that systems have adequate storage space to retain audit records, thereby supporting effective security monitoring, incident response, and compliance with regulatory requirements.

  • Audit Log Storage Capacity | Transfer to Alternate Storage (AU-4(1))

    This control ensures that audit logs generated by information systems are transferred to alternate storage when their storage capacity is reached. The timely transfer of audit logs to alternate storage ensures the availability and integrity of audit records for potential forensic analysis, incident response, and compliance monitoring.

  • Response to Audit Logging Process Failures (AU-5)- Main Control

    This control ensures that appropriate actions are taken in response to failures in the audit logging process. It focuses on detecting, responding to, and resolving audit logging failures to maintain the integrity and availability of audit records, which are crucial for monitoring and assessing the security of information systems.

  • Response to Audit Logging Process Failures | Storage Capacity Warning (AU-5(1))

    This control focuses on the timely response to audit logging process failures related to storage capacity warnings. It ensures that organizations promptly address situations where audit logs approach storage capacity limits, preventing potential disruptions to the audit trail and ensuring the availability and integrity of critical security-related data.

  • Response to Audit Logging Process Failures | Real-time Alerts (AU-5(2))

    This control emphasizes the importance of real-time alerts as part of the response to audit logging process failures. It ensures that organizations promptly detect and respond to anomalies or disruptions in the audit logging process through automated real-time alerts. By receiving immediate notifications of audit logging failures, organizations can take swift corrective actions to maintain the availability and integrity of critical security event data.

  • Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds (AU-5(3))

    This control focuses on establishing configurable traffic volume thresholds as part of the response to audit logging process failures. It ensures that organizations can dynamically adjust logging parameters based on traffic levels to prevent log disruptions and maintain the availability and integrity of audit records, even during periods of high activity.

  • Response to Audit Logging Process Failures | Shutdown on Failure (AU-5(4))

    This control focuses on the implementation of a "Shutdown on Failure" response strategy as part of addressing audit logging process failures. It ensures that, in the event of severe audit logging process failures, the affected information system is automatically shut down to prevent further compromise and preserve data integrity.

  • Response to Audit Logging Process Failures | Alternate Audit Logging Capability (AU-5(5))

    This control focuses on establishing an alternate audit logging capability as part of the response to audit logging process failures. It ensures that organizations have a backup mechanism to continue recording audit logs in the event of primary audit logging failures, thereby preserving critical security event data.

  • Audit Record Review, Analysis, and Reporting (AU-6)- Main Control

    This control focuses on the review, analysis, and reporting of audit records generated by information systems. It ensures that organizations establish processes for regularly examining audit records to detect and respond to security incidents, track system activities, and facilitate compliance monitoring and reporting.

  • Audit Record Review, Analysis, and Reporting | Automated Process Integration (AU-6(1))

    This control focuses on the integration of automated processes into the audit record review, analysis, and reporting procedures. It ensures that organizations leverage technology to streamline and enhance the effectiveness of reviewing and analyzing audit records, enabling timely detection of security incidents, compliance violations, and system anomalies.

  • Audit Record Review, Analysis, and Reporting | Automated Security Alerts (AU-6(2))

    This control focuses on the implementation of automated security alerts as part of the audit record review, analysis, and reporting process. It ensures that organizations promptly detect and respond to security incidents and anomalies by leveraging automated alerts generated from audit record analysis.

  • Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories (AU-6(3))

    This control emphasizes the importance of correlating audit record repositories as part of the audit record review, analysis, and reporting process. It ensures that organizations effectively aggregate and correlate audit records from various sources to gain a comprehensive view of system activities, detect patterns, and facilitate timely incident response.

  • Audit Record Review, Analysis, and Reporting | Central Review and Analysis (AU-6(4))

    This control emphasizes the centralization of audit record review, analysis, and reporting activities to ensure consistent and coordinated efforts across the organization. It ensures that organizations establish a centralized process for systematically examining audit records, detecting security incidents, and facilitating effective incident response.

  • Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records (AU-6(5))

    This control emphasizes the integration of audit records from multiple sources for comprehensive analysis, enabling organizations to detect complex and cross-system security incidents. It ensures that organizations have mechanisms in place to combine and correlate audit records from various components to gain a holistic understanding of system activities.

  • Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring (AU-6(6))

    This control emphasizes the importance of correlating audit record analysis with physical monitoring activities to provide a comprehensive view of system security. It ensures that organizations integrate information from audit records with data from physical security systems to enhance incident detection, response, and overall situational awareness.

  • Audit Record Review, Analysis, and Reporting | Permitted Actions (AU-6(7))

    This control focuses on monitoring and reviewing permitted actions recorded in audit logs to ensure compliance with established security policies and regulations. It ensures that organizations systematically assess authorized activities to detect any potential misuse or abuse of privileges and maintain a strong security posture.

  • Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands (AU-6(8))

    This control emphasizes the comprehensive analysis of audit records containing full text information of privileged commands executed within the information system. It ensures that organizations systematically examine the details of privileged actions to detect potential misuse, security breaches, or unauthorized activities.

  • Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources (AU-6(9))

    This control focuses on the correlation of audit record analysis with information from nontechnical sources to enhance incident detection and response. It ensures that organizations integrate data from nontechnical sources, such as physical security reports or personnel interviews, to gain a holistic understanding of security events and potential threats.

  • Audit Record Review, Analysis, and Reporting | Audit Level Adjustment (AU-6(10))

    This control emphasizes the capability to dynamically adjust the level of auditing and the types of audit records generated based on changing security requirements and operational needs. It ensures that organizations have the flexibility to modify audit settings to focus on specific areas of interest, improving efficiency and relevance of audit record analysis.

  • Audit Record Reduction and Report Generation (AU-7)- Main Control

    This control focuses on the process of reducing the volume of audit records and generating summarized reports to facilitate efficient analysis and reporting while preserving essential information for compliance and incident response. It ensures that organizations strike a balance between retaining critical audit data and managing the storage and processing overhead associated with large volumes of audit records.

  • Audit Record Reduction and Report Generation | Automatic Processing (AU-7(1))

    This subcontrol emphasizes the use of automated processing techniques to efficiently reduce the volume of audit records and generate reports. It ensures that organizations leverage technology to streamline the audit analysis and reporting process, enabling timely insights while minimizing manual effort.

  • Audit Record Reduction and Report Generation | Automatic Sort and Search (AU-7(2))

    This subcontrol emphasizes the implementation of automated sorting and search capabilities for audit records and generated reports. It ensures that organizations can efficiently locate and retrieve relevant information from audit data, enabling timely analysis, reporting, and incident response.

  • Time Stamps (AU-8)- Main Control

    The AU-8 control focuses on the accurate and consistent time stamping of audit records to establish a reliable timeline of events within information systems. It ensures that organizations maintain an accurate record of when specific actions and activities occurred, supporting incident investigation, accountability, and compliance requirements.

  • Time Stamps | Synchronization with Authoritative Time Source (AU-8(1))

    The AU-8(1) subcontrol highlights the importance of synchronizing time stamps of audit records with an authoritative time source to ensure accuracy, consistency, and reliability. It ensures that organizations maintain a standardized and consistent time reference for audit events across information systems.

  • Protection of Audit Information (AU-9)- Main Control

    The AU-9 control addresses the protection of audit information to ensure the confidentiality, integrity, and availability of audit records and related data. It ensures that organizations implement measures to safeguard audit logs, reports, and associated information from unauthorized access, modification, loss, and tampering.

  • Protection of Audit Information | Hardware Write-once Media (AU-9(1))

    The AU-9(1) subcontrol focuses on the use of hardware write-once media to protect the integrity and immutability of audit information. It ensures that organizations employ specialized storage media that prevent modification or deletion of audit records once they are written, enhancing the reliability and credibility of the audit trail.

  • Protection of Audit Information | Store on Separate Physical Systems or Components (AU-9(2))

    The AU-9(2) subcontrol emphasizes the practice of storing audit information on separate physical systems or components to enhance its security and availability. It ensures that organizations isolate audit records from operational systems, reducing the risk of unauthorized access, modification, or loss.

  • Protection of Audit Information | Cryptographic Protection (AU-9(3))

    The AU-9(3) subcontrol focuses on the use of cryptographic protection to secure audit information during storage and transmission. It ensures that organizations apply encryption and cryptographic mechanisms to safeguard the confidentiality and integrity of audit records and related data.

  • Protection of Audit Information | Access by Subset of Privileged Users (AU-9(4))

    The AU-9(4) subcontrol emphasizes restricting access to audit information to a subset of privileged users who have a legitimate need to review and analyze the records. It ensures that organizations grant access to audit data only to authorized personnel with a specific role in managing and maintaining the information.

  • Protection of Audit Information | Dual Authorization (AU-9(5))

    The AU-9(5) subcontrol emphasizes the practice of dual authorization for accessing and modifying audit information. It ensures that critical actions involving audit records, such as access, modification, or deletion, require approval and verification from two authorized individuals before being executed.

  • Protection of Audit Information | Read-only Access (AU-9(6))

    The AU-9(6) subcontrol emphasizes granting read-only access to audit information for authorized individuals. It ensures that organizations limit the ability to modify or delete audit records, preserving the integrity and reliability of the audit trail.

  • Protection of Audit Information | Store on Component with Different Operating System (AU-9(7))

    The AU-9(7) subcontrol highlights the practice of storing audit information on a component with a different operating system from the operational system. It ensures that audit records are isolated from potential vulnerabilities or attacks that may target the primary operating system, enhancing the security and availability of the audit trail.

  • Non-repudiation (AU-10)- Main Control

    The AU-10 control addresses the establishment of non-repudiation measures to ensure that actions and events recorded in audit logs cannot be denied or disputed. It ensures that organizations implement mechanisms to reliably attribute actions to specific individuals or entities, enhancing accountability and trustworthiness.

  • Non-repudiation | Association of Identities (AU-10(1))

    The AU-10(1) subcontrol focuses on ensuring the accurate association of identities with recorded actions in audit logs. It requires organizations to implement measures that reliably link individuals or entities to their respective activities, enhancing the non-repudiation of recorded events.

  • Non-repudiation | Validate Binding of Information Producer Identity (AU-10(2))

    The AU-10(2) subcontrol emphasizes the validation of the binding between the identity of the information producer and the actions recorded in audit logs. It requires organizations to implement measures that verify the authenticity and integrity of information generated by specific individuals or entities.

  • Non-repudiation | Chain of Custody (AU-10(3))

    The AU-10(3) subcontrol focuses on establishing a clear and secure chain of custody for audit records, ensuring the integrity and authenticity of recorded actions. It requires organizations to implement mechanisms that track and document the movement and handling of audit logs to prevent unauthorized tampering or alteration.

  • Non-repudiation | Validate Binding of Information Reviewer Identity (AU-10(4))

    The AU-10(4) subcontrol emphasizes the validation of the binding between the identity of information reviewers and their actions related to audit records. It requires organizations to implement measures that verify the authenticity and integrity of review activities conducted by specific individuals or entities.

  • Non-repudiation | Digital Signatures (AU-10(5))

    This control focuses on ensuring the non-repudiation of information through the use of digital signatures. Non-repudiation ensures that the origin and integrity of information can be verified, and individuals cannot deny their involvement in creating or sending specific data. Digital signatures provide a cryptographic mechanism to achieve non-repudiation by securely associating a unique digital signature with a message or document, enabling authentication of the sender's identity and ensuring the integrity of the content.

  • Audit Record Retention (AU-11)- Main Control

    This control addresses the retention of audit records, ensuring that these records are maintained for a specified period to facilitate incident response, accountability, and compliance monitoring. Audit records contain valuable information about system activities, user actions, and security events, which are crucial for detecting and investigating security incidents, analyzing trends, and ensuring the accountability of system users and administrators.

  • Audit Record Retention | Long-term Retrieval Capability (AU-11(1))

    This subcontrol under AU-11 extends the requirement for audit record retention to include long-term retrieval capabilities. It ensures that audit records are not only retained for a specific period but are also preserved and accessible for an extended duration, as required by organizational policies, legal mandates, and historical analysis needs.

  • Audit Record Generation (AU-12)- Main Control

    This control addresses the requirement for generating audit records that capture relevant information about system activities, events, and user actions. The purpose of this control is to ensure that audit records are generated consistently and comprehensively to provide a reliable record of system behavior and facilitate security monitoring, incident response, and accountability.

  • Audit Record Generation | System-wide and Time-correlated Audit Trail (AU-12(1))

    This subcontrol expands upon AU-12 by emphasizing the need for a system-wide and time-correlated audit trail. It ensures that audit records are generated across the entire system environment and that these records can be correlated based on accurate timestamps. This capability enhances an organization's ability to reconstruct events, detect security incidents, and establish a comprehensive view of system behavior.

  • Audit Record Generation | Standardized Formats (AU-12(2))

    This subcontrol extends AU-12 by emphasizing the importance of generating audit records in standardized formats. Standardized formats ensure consistency and interoperability when sharing, analyzing, and aggregating audit data across different systems and tools. This capability enhances an organization's ability to effectively monitor and respond to security events.

  • Audit Record Generation | Changes by Authorized Individuals (AU-12(3))

    This subcontrol extends AU-12 by emphasizing the requirement to generate audit records specifically for changes made by authorized individuals. It ensures that audit records are generated when authorized users modify critical configurations, settings, or data, enhancing accountability and facilitating the detection of unauthorized or inappropriate changes.

  • Audit Record Generation | Query Parameter Audits of Personally Identifiable Information (AU-12(4))

    This subcontrol extends AU-12 by emphasizing the need to audit query parameters that involve Personally Identifiable Information (PII). It ensures that audit records capture details of queries that access or manipulate PII, enhancing accountability and facilitating the detection of unauthorized or inappropriate access to sensitive personal data.

  • Monitoring for Information Disclosure (AU-13)- Main Control

    This control addresses the requirement for monitoring systems to detect and prevent unauthorized information disclosure. It ensures that mechanisms are in place to monitor and analyze information flows, communications, and data transfers, identifying potential leaks or unauthorized disclosures of sensitive information.

  • Monitoring for Information Disclosure | Use of Automated Tools (AU-13(1))

    This subcontrol under AU-13 extends the requirement for monitoring information disclosure by emphasizing the use of automated tools to enhance the effectiveness and efficiency of monitoring mechanisms. It ensures that organizations leverage automated tools to analyze information flows, communications, and data transfers, enabling prompt detection and response to potential unauthorized information disclosure incidents.

  • Monitoring for Information Disclosure | Review of Monitored Sites (AU-13(2))

    This subcontrol extends AU-13 by emphasizing the importance of regularly reviewing the effectiveness and accuracy of monitoring mechanisms for information disclosure. It ensures that organizations conduct systematic assessments of the sites and systems being monitored, verifying that monitoring is comprehensive, up-to-date, and aligned with the organization's security objectives.

  • Monitoring for Information Disclosure | Unauthorized Replication of Information (AU-13(3))

    This subcontrol under AU-13 extends the requirement for monitoring information disclosure by emphasizing the need to monitor for unauthorized replication of sensitive information. It ensures that organizations have mechanisms in place to detect and prevent unauthorized copying or replication of sensitive data, both within the organization's internal network and at external boundaries.

  • Session Audit (AU-14)- Main Control

    This control addresses the requirement for monitoring and auditing user sessions to ensure accountability and detect unauthorized or suspicious activities. It ensures that organizations track and record user activities during a session, providing an audit trail that supports incident response, forensics, and accountability.

  • Session Audit | System Start-up (AU-14(1))

    This subcontrol under AU-14 extends the requirement for session auditing by emphasizing the need to audit user activities during system start-up. It ensures that organizations monitor and record user actions and activities that occur when a system is initialized or restarted, enhancing accountability and detecting unauthorized or suspicious activities during this critical phase.

  • Session Audit | Capture and Record Content (AU-14(2))

    This subcontrol under AU-14 extends the session auditing requirement by emphasizing the need to capture and record the content of user sessions. It ensures that organizations not only track user activities but also capture the actual content of commands, inputs, and outputs during a session, enhancing accountability and providing comprehensive information for incident response and forensic analysis.

  • Session Audit | Remote Viewing and Listening (AU-14(3))

    This subcontrol under AU-14 extends the session auditing requirement by emphasizing the need to audit and monitor remote viewing and listening activities. It ensures that organizations track and record instances of remote access to systems, applications, or devices, enhancing accountability and providing a comprehensive audit trail of remote activities.

  • Alternate Audit Logging Capability (AU-15)- Main Control

    This control addresses the requirement for having an alternate audit logging capability to ensure the availability and integrity of audit records even in the event of primary audit logging system failures. It ensures that organizations have a backup mechanism to capture and retain audit records when the primary logging system is unavailable.

  • Cross-organizational Audit Logging (AU-16)- Main Control

    This control addresses the requirement for organizations to coordinate and collaborate on audit logging activities across different organizational entities or systems. It ensures that organizations establish mechanisms for sharing audit log information to facilitate incident response, forensic analysis, and accountability across multiple entities.

  • Cross-organizational Audit Logging | Identity Preservation (AU-16(1))

    This subcontrol under AU-16 extends the requirement for cross-organizational audit logging by emphasizing the preservation of user and system identities when sharing audit log information across different entities or systems. It ensures that organizations maintain the integrity and accuracy of audit logs by preserving the identities associated with recorded activities.

  • Cross-organizational Audit Logging | Sharing of Audit Information (AU-16(2))

    This subcontrol under AU-16 extends the requirement for cross-organizational audit logging by emphasizing the secure sharing of audit log information across different organizational entities or systems. It ensures that organizations have mechanisms in place to securely exchange audit log data while protecting the confidentiality, integrity, and availability of the shared information.

  • Cross-organizational Audit Logging | Disassociability (AU-16(3))

    This subcontrol under AU-16 extends the requirement for cross-organizational audit logging by emphasizing the need to maintain disassociability of audit log information when sharing it across different organizational entities or systems. It ensures that shared audit log data is appropriately separated from sensitive information and identifiers to protect privacy and security.

The Security Assessment and Authorization control family is designed to ensure that information systems are thoroughly assessed for security compliance and authorized to operate based on the results of those assessments. The controls within this family guide organizations in conducting comprehensive security assessments, determining the effectiveness of implemented security controls, and obtaining the necessary authorizations before systems are put into operation. This process supports the ongoing monitoring and management of security controls throughout the system's lifecycle.

  • Policy and Procedures (CA-1)- Main Control

    This control falls under the Security Assessment and Authorization (SA&A) family and focuses on the establishment of security assessment and authorization policies and procedures. It ensures that organizations define and document the processes and guidelines for conducting security assessments, authorizing systems, and managing the associated documentation.

  • Control Assessments (CA-2)- Main Control

    This control is part of the Security Assessment and Authorization (SA&A) family and focuses on conducting control assessments to evaluate the effectiveness of security controls within information systems. It ensures that organizations regularly assess the security controls implemented in their systems to determine whether they are operating as intended and providing the desired level of security.

  • Control Assessments | Independent Assessors (CA-2(1))

    This subcontrol under CA-2 extends the requirement for control assessments by emphasizing the use of independent assessors to evaluate the effectiveness of security controls within information systems. It ensures that organizations involve third-party or internal assessors who are unbiased and free from conflicts of interest.

  • Control Assessments | Specialized Assessments (CA-2(2))

    This subcontrol under CA-2 extends the requirement for control assessments by emphasizing the need for specialized assessments to evaluate specific security controls within information systems. It ensures that organizations conduct focused assessments tailored to the unique requirements of certain controls or technologies.

  • Control Assessments | Leveraging Results from External Organizations (CA-2(3))

    This subcontrol under CA-2 extends the requirement for control assessments by emphasizing the utilization of assessment results from external organizations or entities. It ensures that organizations can leverage existing assessment data to inform their own control assessment processes and decision-making.

  • Information Exchange (CA-3)- Main Control

    This control falls under the Security Assessment and Authorization (SA&A) family and focuses on establishing processes for the secure exchange of information related to security assessment and authorization activities. It ensures that organizations can effectively share assessment results, authorization decisions, and associated documentation while maintaining confidentiality, integrity, and availability.

  • Information Exchange | Unclassified National Security System Connections (CA-3(1))

    This subcontrol under CA-3 extends the requirement for secure information exchange by focusing on unclassified connections between national security systems. It ensures that organizations establish secure communication channels for sharing assessment results, authorization decisions, and associated documentation related to national security systems.

  • Information Exchange | Classified National Security System Connections (CA-3(2))

    This subcontrol under CA-3 extends the requirement for secure information exchange by focusing on classified connections between national security systems. It ensures that organizations establish secure communication channels for sharing assessment results, authorization decisions, and associated documentation related to classified national security systems.

  • Information Exchange | Unclassified Non-national Security System Connections (CA-3(3))

    This subcontrol under CA-3 extends the requirement for secure information exchange by focusing on unclassified connections between non-national security systems. It ensures that organizations establish secure communication channels for sharing assessment results, authorization decisions, and associated documentation related to non-national security systems.

  • Information Exchange | Connections to Public Networks (CA-3(4))

    This subcontrol under CA-3 extends the requirement for secure information exchange by focusing on connections to public networks. It ensures that organizations establish secure communication channels for sharing assessment results, authorization decisions, and associated documentation when connecting to public networks.

  • Information Exchange | Restrictions on External System Connections (CA-3(5))

    This subcontrol under CA-3 extends the requirement for secure information exchange by focusing on establishing restrictions on external system connections. It ensures that organizations implement measures to control and manage the connections between their systems and external entities during information exchange.

  • Information Exchange | Transfer Authorizations (CA-3(6))

    This subcontrol under CA-3 extends the requirement for secure information exchange by focusing on transfer authorizations. It ensures that organizations establish procedures for authorizing and approving the transfer of information between systems or entities to maintain security and accountability.

  • Information Exchange | Transitive Information Exchanges (CA-3(7))

    This subcontrol under CA-3 extends the requirement for secure information exchange by focusing on transitive information exchanges. It ensures that organizations establish measures to control and secure information that is passed through multiple systems during the exchange process.

  • Continuous Monitoring | Types of Assessments (CA-7(2)), Security Certification (CA-4)- Main Control

    This control falls under the Security Assessment and Authorization (SA&A) family and focuses on ensuring that information systems undergo security certification as part of the continuous monitoring process. Security certification involves evaluating the security controls and safeguards of an information system to determine its compliance with established security requirements and specifications.

  • Plan of Action and Milestones (CA-5)- Main Control

    This control falls under the Security Assessment and Authorization (SA&A) family and focuses on the establishment and management of a Plan of Action and Milestones (POA&M). A POA&M is a documented strategy for addressing and resolving weaknesses, vulnerabilities, and deficiencies identified during security assessments and authorizations.

  • Plan of Action and Milestones | Automation Support for Accuracy and Currency (CA-5(1))

    This subcontrol under CA-5 focuses on leveraging automation to support the accuracy and currency of the Plan of Action and Milestones (POA&M) process. Automation tools and technologies are used to enhance the effectiveness of tracking, managing, and reporting on corrective actions.

  • Authorization (CA-6)- Main Control

    This control falls under the Security Assessment and Authorization (SA&A) family and focuses on the process of authorization. Authorization involves formally approving an information system to operate based on an assessment of its security controls and compliance with established security requirements.

  • Authorization | Joint Authorization — Intra-organization (CA-6(1))

    This subcontrol under Authorization (CA-6) focuses on the concept of joint authorization within an organization. Joint authorization involves the collaboration between multiple authorizing officials to collectively assess and authorize an information system that serves shared purposes or supports multiple components within an organization.

  • Authorization | Joint Authorization — Inter-organization (CA-6(2))

    This subcontrol under Authorization (CA-6) focuses on the concept of joint authorization across different organizations. Joint authorization in an inter-organizational context involves collaborating with external entities to assess and authorize shared information systems that support both organizations' missions or objectives.

  • Continuous Monitoring (CA-7)- Main Control

    This control falls under the Security Assessment and Authorization (SA&A) family and focuses on the implementation of a continuous monitoring program. Continuous monitoring involves ongoing assessment of information systems, tracking changes, and identifying potential security risks or vulnerabilities in real time.

  • Continuous Monitoring | Independent Assessment (CA-7(1))

    This subcontrol under Continuous Monitoring (CA-7) focuses on the requirement to conduct independent assessments as part of the continuous monitoring program. Independent assessments involve evaluations performed by individuals or teams not directly responsible for the operation of the information system, providing an objective view of the system's security posture.

  • Continuous Monitoring | Trend Analyses (CA-7(3))

    This subcontrol under Continuous Monitoring (CA-7) focuses on conducting trend analyses as part of the continuous monitoring program. Trend analyses involve tracking and evaluating patterns and changes in security-related data over time to identify emerging threats, vulnerabilities, and risks.

  • Continuous Monitoring | Risk Monitoring (CA-7(4))

    This subcontrol under Continuous Monitoring (CA-7) emphasizes the importance of ongoing risk monitoring as part of the continuous monitoring program. Risk monitoring involves regularly assessing and reassessing the organization's risk posture, identifying changes in risk factors, and adapting security measures accordingly.

  • Continuous Monitoring | Consistency Analysis (CA-7(5))

    This subcontrol under Continuous Monitoring (CA-7) emphasizes the need for conducting consistency analysis as part of the continuous monitoring program. Consistency analysis involves evaluating the accuracy and completeness of security-related data across different sources and systems.

  • Continuous Monitoring | Automation Support for Monitoring (CA-7(6))

    This subcontrol under Continuous Monitoring (CA-7) focuses on leveraging automation to support the monitoring activities within the continuous monitoring program. Automation involves using technology and tools to streamline data collection, analysis, and reporting, enhancing the efficiency and effectiveness of monitoring processes.

  • Penetration Testing (CA-8)- Main Control

    This control falls under the Security Assessment and Authorization (SA&A) family and focuses on conducting penetration testing as part of the security assessment process. Penetration testing involves simulating real-world attacks on information systems to identify vulnerabilities and weaknesses that could be exploited by malicious actors.

  • Penetration Testing | Independent Penetration Testing Agent or Team (CA-8(1))

    This subcontrol under Penetration Testing (CA-8) focuses on the requirement to use independent penetration testing agents or teams to perform penetration testing activities. Independent testing agents or teams are individuals or groups not directly involved in the development or operation of the systems being tested.

  • Penetration Testing | Red Team Exercises (CA-8(2))

    This subcontrol under Penetration Testing (CA-8) focuses on conducting red team exercises as part of the security assessment process. Red team exercises involve comprehensive testing by a specialized group (the "red team") that simulates real-world attacks to identify vulnerabilities, weaknesses, and potential attack vectors.

  • Penetration Testing | Facility Penetration Testing (CA-8(3))

    This subcontrol under Penetration Testing (CA-8) focuses on conducting facility penetration testing as part of the security assessment process. Facility penetration testing involves assessing the physical security controls, access controls, and vulnerabilities of the physical environment where information systems are located.

  • Internal System Connections (CA-9)- Main Control

    This control falls under the Security Assessment and Authorization (SA&A) family and focuses on managing internal system connections within an organization's information systems. Internal system connections are network connections between components within the organization's own infrastructure.

  • Internal System Connections | Compliance Checks (CA-9(1))

    This subcontrol under Internal System Connections (CA-9) focuses on conducting compliance checks for internal system connections. Compliance checks involve assessing internal connections to ensure they adhere to established security policies, standards, and configurations.

The Configuration Management control family is designed to establish and maintain a systematic approach to managing the configuration of information systems. Configuration management involves identifying and documenting system components, controlling changes to those components, and ensuring the integrity and security of the system throughout its lifecycle. By implementing robust configuration management controls, organizations can reduce the risk of unauthorized or unintended changes that could impact the confidentiality, integrity, and availability of their information systems.

  • Policy and Procedures (CM-1)- Main Control

    This control falls under the Configuration Management (CM) family and emphasizes the need for establishing and implementing configuration management policies and procedures. Configuration management involves managing and controlling the changes made to an organization's information systems and components.

  • Baseline Configuration (CM-2)- Main Control

    This control falls under the Configuration Management (CM) family and focuses on establishing and maintaining baseline configurations for an organization's information systems. Baseline configurations provide a reference point for authorized and secure system settings.

  • Baseline Configuration | Reviews and Updates (CM-2(1))

    This subcontrol under Baseline Configuration (CM-2) focuses on reviewing and updating baseline configurations for an organization's information systems. Regular reviews and updates ensure that baseline configurations remain accurate, relevant, and aligned with security requirements.

  • Baseline Configuration | Automation Support for Accuracy and Currency (CM-2(2))

    This subcontrol under Baseline Configuration (CM-2) focuses on using automation to support the accuracy and currency of baseline configurations for an organization's information systems. Automation helps ensure that baseline configurations are consistently applied and promptly updated.

  • Baseline Configuration | Retention of Previous Configurations (CM-2(3))

    This subcontrol under Baseline Configuration (CM-2) focuses on retaining previous versions of baseline configurations for an organization's information systems. Retaining previous configurations allows for historical reference and recovery in case of configuration-related issues or security incidents.

  • Baseline Configuration | Unauthorized Software (CM-2(4))

    This subcontrol under Baseline Configuration (CM-2) focuses on preventing the installation and use of unauthorized software within an organization's information systems. Unauthorized software can introduce security vulnerabilities and disrupt system stability.

  • Baseline Configuration | Authorized Software (CM-2(5))

    This subcontrol under Baseline Configuration (CM-2) focuses on maintaining an inventory of authorized software within an organization's information systems. Authorized software ensures that only approved and legitimate applications are used on systems.

  • Baseline Configuration | Development and Test Environments (CM-2(6))

    This subcontrol under Baseline Configuration (CM-2) focuses on managing and controlling the baseline configurations of development and test environments to ensure consistency with security requirements and standards.

  • Baseline Configuration | Configure Systems and Components for High-risk Areas (CM-2(7))

    This subcontrol under Baseline Configuration (CM-2) focuses on configuring systems and components for high-risk areas with specific security requirements. Systems and components in high-risk areas require tailored configurations to address elevated security concerns.

  • Configuration Change Control (CM-3)- Main Control

    This main control under Configuration Management (CM) focuses on establishing and maintaining a formal process for managing changes to an organization's information system configurations. Proper change control ensures that changes are planned, documented, tested, and authorized to minimize risks and disruptions.

  • Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes (CM-3(1))

    This subcontrol under Configuration Change Control (CM-3) focuses on using automation to enhance the documentation, notification, and prohibition aspects of the configuration change management process. Automation helps streamline change tracking, communication, and enforcement.

  • Configuration Change Control | Testing, Validation, and Documentation of Changes (CM-3(2))

    This subcontrol under Configuration Change Control (CM-3) emphasizes the importance of testing, validating, and documenting changes to configuration items before they are implemented. Proper testing and documentation help ensure that changes do not introduce vulnerabilities or disruptions.

  • Configuration Change Control | Automated Change Implementation (CM-3(3))

    This subcontrol under Configuration Change Control (CM-3) focuses on using automation to implement approved configuration changes, ensuring consistent and accurate application of changes while minimizing manual errors.

  • Configuration Change Control | Security and Privacy Representatives (CM-3(4))

    This subcontrol under Configuration Change Control (CM-3) emphasizes the involvement of security and privacy representatives in the change management process. Security and privacy representatives play a vital role in ensuring that configuration changes align with security and privacy requirements.

  • Configuration Change Control | Automated Security Response (CM-3(5))

    This subcontrol under Configuration Change Control (CM-3) focuses on utilizing automation to enable rapid and effective security responses to configuration changes. Automated security response helps organizations promptly identify and address potential security issues arising from changes.

  • Configuration Change Control | Cryptography Management (CM-3(6))

    This subcontrol under Configuration Change Control (CM-3) emphasizes the importance of managing cryptographic configurations during the change management process. Proper cryptography management ensures the integrity and confidentiality of sensitive information.

  • Configuration Change Control | Review System Changes (CM-3(7))

    This subcontrol under Configuration Change Control (CM-3) emphasizes the importance of reviewing system changes before their implementation. Regular reviews ensure that changes are consistent with organizational policies and security requirements.

  • Configuration Change Control | Prevent or Restrict Configuration Changes (CM-3(8))

    This subcontrol under Configuration Change Control (CM-3) focuses on preventing or restricting unauthorized configuration changes that could potentially compromise the security and stability of systems.

  • Impact Analyses (CM-4)- Main Control

    This control under Configuration Management (CM) focuses on performing impact analyses to assess the potential effects of proposed changes on systems and environments before they are implemented. Impact analyses help organizations make informed decisions and manage risks associated with configuration changes.

  • Impact Analyses | Separate Test Environments (CM-4(1))

    This subcontrol under Configuration Management (CM-4) focuses on the use of separate test environments for conducting impact analyses on proposed changes. Separate test environments provide a controlled space to assess the effects of changes before they are implemented in production environments.

  • Impact Analyses | Verification of Controls (CM-4(2))

    This subcontrol under Configuration Management (CM-4) emphasizes the verification of security controls during impact analyses. Verifying controls ensures that proposed changes do not weaken existing security measures and helps maintain the overall security posture.

  • Access Restrictions for Change (CM-5)- Main Control

    This control under Configuration Management (CM) focuses on implementing access restrictions to ensure that only authorized individuals can make changes to configurations. Access restrictions help prevent unauthorized or malicious changes that could compromise system security and stability.

  • Access Restrictions for Change | Automated Access Enforcement and Audit Records (CM-5(1))

    This subcontrol under Configuration Management (CM-5) focuses on the automated enforcement of access restrictions for making changes and the generation of audit records to track those changes. Automated enforcement and audit records enhance accountability and transparency in the change management process.

  • Access Restrictions for Change | Review System Changes (CM-5(2))

    This subcontrol under Configuration Management (CM-5) focuses on the review of system changes made by authorized individuals to ensure that they comply with organizational policies and do not introduce security vulnerabilities.

  • Access Restrictions for Change | Signed Components (CM-5(3))

    This subcontrol under Configuration Management (CM-5) focuses on ensuring that software components introduced or modified during the change process are digitally signed to verify their authenticity and integrity.

  • Access Restrictions for Change | Dual Authorization (CM-5(4))

    This subcontrol under Configuration Management (CM-5) focuses on requiring dual authorization for making significant changes to configurations. Dual authorization ensures that high-impact changes receive additional oversight before implementation.

  • Access Restrictions for Change | Privilege Limitation for Production and Operation (CM-5(5))

    This subcontrol under Configuration Management (CM-5) focuses on limiting privileged access during production and operation activities to prevent unauthorized or unnecessary changes to configurations.

  • Access Restrictions for Change | Limit Library Privileges (CM-5(6))

    This subcontrol under Configuration Management (CM-5) focuses on limiting privileges for accessing configuration libraries to authorized individuals only, preventing unauthorized changes to stored configurations.

  • Access Restrictions for Change | Automatic Implementation of Security Safeguards (CM-5(7))

    This subcontrol under Configuration Management (CM-5) focuses on automatically implementing security safeguards when changes are made to configurations to ensure that security controls are consistently applied.

  • Configuration Settings (CM-6)- Main Control

    This main control under Configuration Management (CM-6) focuses on establishing and maintaining configuration settings for information systems and components to ensure their security and functionality.

  • Configuration Settings | Automated Management, Application, and Verification (CM-6(1))

    This subcontrol under Configuration Management (CM-6) focuses on automating the management, application, and verification of configuration settings to ensure consistency and accuracy.

  • Configuration Settings | Respond to Unauthorized Changes (CM-6(2))

    This subcontrol under Configuration Management (CM-6) focuses on promptly responding to and addressing unauthorized changes to configuration settings.

  • Least Functionality (CM-7)- Main Control

    This main control under Configuration Management (CM-7) focuses on ensuring that systems and components are configured with the least functionality necessary for their intended purpose to reduce attack surfaces and minimize potential vulnerabilities.

  • Least Functionality | Periodic Review (CM-7(1))

    This subcontrol under Configuration Management (CM-7) focuses on conducting periodic reviews of system configurations to ensure that they continue to adhere to the principle of least functionality.

  • Least Functionality | Prevent Program Execution (CM-7(2))

    This subcontrol under Configuration Management (CM-7) focuses on preventing the execution of unauthorized or unnecessary programs on systems and components to adhere to the principle of least functionality.

  • Least Functionality | Registration Compliance (CM-7(3))

    This subcontrol under Configuration Management (CM-7) focuses on ensuring that all devices and software are registered and comply with established configuration baselines to adhere to the principle of least functionality.

  • Least Functionality | Unauthorized Software — Deny-by-exception (CM-7(4))

    This subcontrol under Configuration Management (CM-7) focuses on implementing a "deny-by-exception" approach to prevent the installation and execution of unauthorized software on systems, in alignment with the principle of least functionality.

  • Least Functionality | Authorized Software — Allow-by-exception (CM-7(5))

    This subcontrol under Configuration Management (CM-7) focuses on implementing an "allow-by-exception" approach to control the installation and execution of authorized software on systems, in accordance with the principle of least functionality.

  • Least Functionality | Confined Environments with Limited Privileges (CM-7(6))

    This subcontrol under Configuration Management (CM-7) focuses on creating confined environments with limited privileges for executing software, in alignment with the principle of least functionality.

  • Least Functionality | Code Execution in Protected Environments (CM-7(7))

    This subcontrol under Configuration Management (CM-7) focuses on ensuring that code execution occurs within protected environments with limited privileges, in alignment with the principle of least functionality.

  • Least Functionality | Binary or Machine Executable Code (CM-7(8))

    This subcontrol under Configuration Management (CM-7) focuses on managing the use of binary or machine executable code within the organization's systems to ensure least functionality and minimize potential security risks.

  • Least Functionality | Prohibiting the Use of Unauthorized Hardware (CM-7(9))

    This subcontrol under Configuration Management (CM-7) focuses on preventing the use of unauthorized hardware within the organization's systems to ensure least functionality and minimize potential security risks.

  • System Component Inventory (CM-8)- Main Control

    This control under Configuration Management (CM-8) focuses on maintaining an accurate and up-to-date inventory of system components within an organization's information system to effectively manage and secure its configuration.

  • System Component Inventory | Updates During Installation and Removal (CM-8(1))

    This subcontrol under Configuration Management (CM-8) focuses on ensuring that the system component inventory is promptly updated when components are installed in, added to, or removed from the organization's information system.

  • System Component Inventory | Automated Maintenance (CM-8(2))

    This subcontrol under Configuration Management (CM-8) emphasizes the use of automated mechanisms to maintain the accuracy and currency of the organization's system component inventory.

  • System Component Inventory | Automated Unauthorized Component Detection (CM-8(3))

    This subcontrol under Configuration Management (CM-8) focuses on implementing automated mechanisms to detect and identify unauthorized or unapproved components within the organization's system component inventory.

  • System Component Inventory | Accountability Information (CM-8(4))

    This subcontrol under Configuration Management (CM-8) emphasizes the need to include accountability information for each component within the organization's system component inventory.

  • System Component Inventory | No Duplicate Accounting of Components (CM-8(5))

    This subcontrol under Configuration Management (CM-8) emphasizes the need to prevent duplicate accounting of components within the organization's system component inventory.

  • System Component Inventory | Assessed Configurations and Approved Deviations (CM-8(6))

    This subcontrol under Configuration Management (CM-8) emphasizes the need to maintain records of assessed configurations and approved deviations within the organization's system component inventory.

  • System Component Inventory | Centralized Repository (CM-8(7))

    This subcontrol under Configuration Management (CM-8) emphasizes the need to maintain a centralized repository for the organization's system component inventory.

  • System Component Inventory | Automated Location Tracking (CM-8(8))

    This subcontrol under Configuration Management (CM-8) emphasizes the need to implement automated mechanisms for tracking the location of components in the organization's system component inventory.

  • System Component Inventory | Assignment of Components to Systems (CM-8(9))

    This subcontrol under Configuration Management (CM-8) emphasizes the need to accurately assign components to specific systems within the organization's system component inventory.

  • Configuration Management Plan (CM-9)- Main Control

    This main control under Configuration Management (CM-9) emphasizes the need for organizations to develop and implement a Configuration Management Plan (CMP) that outlines the policies, procedures, and responsibilities for managing configuration items throughout their lifecycle.

  • Configuration Management Plan | Assignment of Responsibility (CM-9(1))

    This subcontrol under Configuration Management (CM-9) emphasizes the need for organizations to assign clear responsibilities for the development, implementation, and maintenance of the Configuration Management Plan (CMP).

  • Software Usage Restrictions (CM-10)- Main Control

    This main control under Configuration Management (CM-10) emphasizes the importance of establishing and enforcing software usage restrictions to prevent unauthorized or inappropriate software from being installed and executed on organizational systems.

  • Software Usage Restrictions | Open-source Software (CM-10(1))

    This subcontrol under Configuration Management (CM-10) emphasizes the need for organizations to establish specific controls and restrictions for the usage of open-source software to ensure that only approved and secure open-source software is used within the organization.

  • User-installed Software (CM-11)- Main Control

    This main control under Configuration Management (CM-11) focuses on managing user-installed software within the organization. It aims to establish processes and mechanisms to ensure that user-installed software is properly controlled, monitored, and evaluated to prevent security risks and maintain the integrity of organizational systems.

  • User-installed Software | Alerts for Unauthorized Installations (CM-11(1)), Vulnerability Monitoring and Scanning | Automated Detection and Notification of Unauthorized Components (RA-5(7))

    This subcontrol under Configuration Management (CM-11) focuses on implementing mechanisms to detect unauthorized installations of user-installed software. By establishing alerts and notifications for unauthorized software installations, organizations can promptly identify and respond to potential security risks introduced by unapproved software.

  • User-installed Software | Software Installation with Privileged Status (CM-11(2))

    This subcontrol under Configuration Management (CM-11) addresses the management of user-installed software that requires privileged status for installation. It focuses on controlling and monitoring the installation of software with elevated privileges to prevent unauthorized or malicious software from being installed on the system.

  • User-installed Software | Automated Enforcement and Monitoring (CM-11(3))

    This subcontrol under Configuration Management (CM-11) focuses on implementing automated enforcement and monitoring mechanisms for user-installed software. It aims to ensure that only authorized software is installed and used on the system and to detect and prevent the installation of unauthorized or malicious software by users.

  • Information Location (CM-12)- Main Control

    This control focuses on the management and control of information locations within an information system. It involves tracking the locations of information, data, and software components to ensure their integrity, availability, and confidentiality.

  • Information Location | Automated Tools to Support Information Location (CM-12(1))

    This subcontrol under Configuration Management (CM-12) focuses on the use of automated tools to support the management and tracking of information locations within an information system. Automated tools enhance the efficiency and accuracy of maintaining an inventory of information and data locations.

  • Data Action Mapping (CM-13)- Main Control

    This main control under Configuration Management (CM-13) focuses on the creation and maintenance of mappings between information system components and associated data elements. These mappings help ensure that data actions, such as processing, storage, and transmission, are accurately tracked and managed.

  • Signed Components (CM-14)- Main Control

    This main control under Configuration Management (CM-14) focuses on ensuring the integrity and authenticity of software components through digital signatures. Digital signatures are used to verify that software components have not been tampered with and come from a trusted source.

The Contingency Planning control family is designed to help organizations prepare for and respond to disruptions in information system operations, ensuring the continued availability and integrity of critical information and services. Contingency planning involves the development, testing, and maintenance of comprehensive plans and procedures to address a range of potential incidents, including but not limited to natural disasters, technological failures, and malicious attacks. The ultimate goal is to minimize the impact of disruptions and facilitate the timely recovery of information systems and data.

  • Policy and Procedures (CP-1)- Main Control

    This main control under Contingency Planning (CP-1) focuses on establishing and implementing policies and procedures for effective contingency planning. Contingency planning ensures that organizations have a well-defined strategy in place to respond to and recover from unexpected disruptions or disasters that could impact their information systems and data.

  • Contingency Plan (CP-2)- Main Control

    This main control under Contingency Planning (CP-2) focuses on the development and maintenance of a comprehensive contingency plan. A contingency plan outlines the specific actions, procedures, and resources that an organization will use to respond to and recover from unexpected disruptions or disasters that could impact its information systems and data.

  • Contingency Plan | Coordinate with Related Plans (CP-2(1))

    This subcontrol, a part of the Contingency Planning family, emphasizes the importance of coordination between an organization's contingency plan and other related plans, such as incident response plans, disaster recovery plans, and business continuity plans. Coordination ensures that all aspects of response, recovery, and continuity efforts are aligned and integrated.

  • Contingency Plan | Capacity Planning (CP-2(2))

    This subcontrol, part of the Contingency Planning family, focuses on the importance of capacity planning within the organization's contingency plan. Capacity planning ensures that sufficient resources, such as computing resources, storage, network bandwidth, and personnel, are available to support contingency operations during disruptions.

  • Contingency Plan | Resume Mission and Business Functions (CP-2(3))

    This subcontrol, part of the Contingency Planning family, emphasizes the need for organizations to include strategies and procedures in their contingency plans for resuming mission-critical and business functions after a disruption. The goal is to ensure a smooth transition from contingency operations back to normal operations.

  • Contingency Plan | Resume All Mission and Business Functions (CP-2(4))

    This subcontrol, part of the Contingency Planning family, emphasizes the need for organizations to ensure that their contingency plans include procedures for resuming all mission-critical and business functions following a disruption. The goal is to recover and restore normal operations to full capacity as efficiently as possible.

  • Contingency Plan | Continue Mission and Business Functions (CP-2(5))

    This subcontrol, part of the Contingency Planning family, emphasizes the importance of including procedures in contingency plans that ensure the continuation of mission-critical and business functions during a disruption. The goal is to maintain essential operations without interruption, even when facing adverse events.

  • Contingency Plan | Alternate Processing and Storage Sites (CP-2(6))

    This subcontrol, part of the Contingency Planning family, focuses on the establishment and maintenance of alternate processing and storage sites to ensure the availability of critical systems, data, and services during disruptions or disasters. The goal is to have operational continuity by switching to these alternate sites in case the primary site becomes unavailable.

  • Contingency Plan | Coordinate with External Service Providers (CP-2(7))

    This subcontrol, part of the Contingency Planning family, focuses on coordinating with external service providers to ensure the availability of critical services and resources during disruptions or disasters. The goal is to maintain operational continuity by collaborating with external parties to ensure the continued provision of essential functions.

  • Contingency Plan | Identify Critical Assets (CP-2(8))

    This subcontrol, part of the Contingency Planning family, focuses on identifying critical assets within an organization's contingency plan. Critical assets are those resources, systems, data, and facilities that are essential for the organization's continued operation and the delivery of essential services. Identifying these critical assets ensures that they receive special attention and prioritized protection during disruptions or disasters.

  • Contingency Training (CP-3)- Main Control

    This control, part of the Contingency Planning family, focuses on providing training to personnel involved in contingency planning, response, and recovery efforts. Training ensures that individuals understand their roles and responsibilities during disruptions and can effectively execute the organization's contingency plans.

  • Contingency Training | Simulated Events (CP-3(1))

    Subcontrol CP-3(1) under the Contingency Training control focuses on conducting simulated events as part of contingency training. Simulated events are designed to replicate real-life scenarios, allowing personnel to practice their roles and responsibilities in a controlled environment.

  • Contingency Training | Mechanisms Used in Training Environments (CP-3(2))

    Subcontrol CP-3(2) under the Contingency Training control focuses on the mechanisms used in training environments to enhance personnel's understanding of contingency plans and procedures. These mechanisms are designed to provide hands-on experience and practical training to ensure effective response during actual contingency events.

  • Contingency Plan Testing (CP-4)- Main Control

    Control CP-4 focuses on the testing of contingency plans to ensure their effectiveness and the readiness of personnel to respond to disruptive events. Testing involves executing different scenarios, simulating real-life incidents, and evaluating the response procedures and recovery capabilities defined in the contingency plans.

  • Contingency Plan Testing | Coordinate with Related Plans (CP-4(1))

    This subcontrol emphasizes the importance of coordinating contingency plan testing with other related plans and exercises to ensure consistency, alignment, and comprehensive readiness. Coordination enhances the organization's ability to respond effectively to disruptions and recover critical functions.

  • Contingency Plan Testing | Alternate Processing Site (CP-4(2))

    This subcontrol focuses on testing the contingency plan's capability to transition to an alternate processing site in the event of a disruption. Testing the ability to relocate critical operations to an alternate site is essential to ensure the organization's continued functionality during adverse conditions.

  • Contingency Plan Testing | Automated Testing (CP-4(3))

    This subcontrol focuses on utilizing automated testing processes to assess the effectiveness and readiness of the organization's contingency plan. Automated testing helps streamline the testing process and enables organizations to conduct tests more frequently and efficiently.

  • Contingency Plan Testing | Full Recovery and Reconstitution (CP-4(4))

    This subcontrol involves testing the organization's contingency plan for its capability to achieve full recovery and reconstitution of IT systems and data after a disruption. The goal is to ensure that the plan can successfully restore operations and return to normal business activities.

  • Contingency Plan Testing | Self-challenge (CP-4(5))

    The "Self-challenge" subcontrol involves assessing the organization's contingency plan through challenging its effectiveness and capabilities in responding to disruptions. This testing approach encourages critical evaluation and identification of weaknesses to enhance the plan's resilience.

  • Contingency Plan Update (CP-5)- Main Control

    The "Contingency Plan Update" control (CP-5) involves maintaining and updating the contingency plan to ensure its currency, relevance, and effectiveness in responding to evolving threats and changes in the organization's environment.

  • Alternate Storage Site (CP-6)- Main Control

    The "Alternate Storage Site" control (CP-6) involves establishing and maintaining an alternate storage site to store and protect essential organizational information system resources and assets in the event of a disruption to the primary site.

  • Alternate Storage Site | Separation from Primary Site (CP-6(1))

    The "Separation from Primary Site" subcontrol (CP-6(1)) emphasizes the requirement for the alternate storage site to be geographically separated from the primary site to ensure that both sites are not susceptible to the same risks and disruptions.

  • Alternate Storage Site | Recovery Time and Recovery Point Objectives (CP-6(2))

    The "Recovery Time and Recovery Point Objectives" subcontrol (CP-6(2)) focuses on defining recovery time objectives (RTOs) and recovery point objectives (RPOs) for the alternate storage site to ensure timely and effective recovery of data and resources during an incident or disaster.

  • Alternate Storage Site | Accessibility (CP-6(3))

    The "Accessibility" subcontrol (CP-6(3)) focuses on ensuring that the alternate storage site is readily accessible during an incident or disaster to support the recovery of critical systems and data.

  • Alternate Processing Site (CP-7)- Main Control

    The "Alternate Processing Site" (CP-7) control focuses on establishing and maintaining a designated location where critical business functions can be performed in the event of a disruption or disaster at the primary site. This ensures continuity of operations and minimizes the impact of disruptions on an organization's essential activities.

  • Alternate Processing Site | Separation from Primary Site (CP-7(1))

    The "Separation from Primary Site" (CP-7(1)) subcontrol under the "Alternate Processing Site" control (CP-7) focuses on ensuring that the alternate processing site is sufficiently geographically separated from the primary site. This separation reduces the risk of both sites being affected by the same disruptive event.

  • Alternate Processing Site | Accessibility (CP-7(2))

    The "Accessibility" (CP-7(2)) subcontrol under the "Alternate Processing Site" control (CP-7) focuses on ensuring that the alternate processing site is readily accessible and reachable during a contingency event. Accessibility ensures that essential personnel, resources, and data can be effectively relocated to the alternate site to continue critical business operations.

  • Alternate Processing Site | Priority of Service (CP-7(3))

    The "Priority of Service" (CP-7(3)) subcontrol under the "Alternate Processing Site" control (CP-7) focuses on establishing priorities for the allocation of resources and services at the alternate processing site during a contingency event. This ensures that critical business functions are resumed with the highest priority to minimize disruptions and maintain essential operations.

  • Alternate Processing Site | Preparation for Use (CP-7(4))

    The "Preparation for Use" (CP-7(4)) subcontrol under the "Alternate Processing Site" control (CP-7) focuses on ensuring that the alternate processing site is fully prepared and ready for use during a contingency event. This includes setting up the necessary infrastructure, equipment, and resources to support the resumption of critical business functions.

  • Alternate Processing Site | Equivalent Information Security Safeguards (CP-7(5))

    The "Equivalent Information Security Safeguards" (CP-7(5)) subcontrol under the "Alternate Processing Site" control (CP-7) focuses on ensuring that equivalent information security safeguards are implemented at the alternate processing site as those in place at the primary site. This helps maintain consistent levels of security for sensitive information and critical business operations.

  • Alternate Processing Site | Inability to Return to Primary Site (CP-7(6))

    The "Inability to Return to Primary Site" (CP-7(6)) subcontrol under the "Alternate Processing Site" control (CP-7) focuses on addressing situations where returning to the primary processing site becomes impossible due to certain factors such as a prolonged outage or destruction of the primary site. This subcontrol ensures that organizations have plans and measures in place to handle such scenarios effectively.

  • Telecommunications Services (CP-8)- Main Control

    The "Telecommunications Services" (CP-8) control within the "Contingency Planning" family (CP) focuses on ensuring that organizations have established plans and arrangements for maintaining essential telecommunications services during and after disruptions. This control addresses the critical role of telecommunications in maintaining communication and connectivity during contingency situations.

  • Telecommunications Services | Priority of Service Provisions (CP-8(1))

    The "Priority of Service Provisions" (CP-8(1)) subcontrol is a part of the "Telecommunications Services" (CP-8) control within the "Contingency Planning" family (CP). It focuses on ensuring that organizations establish procedures for prioritizing telecommunications services during contingencies based on predefined criteria.

  • Telecommunications Services | Single Points of Failure (CP-8(2))

    The "Single Points of Failure" (CP-8(2)) subcontrol is a component of the "Telecommunications Services" (CP-8) control within the "Contingency Planning" family (CP). It emphasizes the importance of identifying and mitigating single points of failure in telecommunications systems to ensure the availability and continuity of critical communication services during contingencies.

  • Telecommunications Services | Separation of Primary and Alternate Providers (CP-8(3))

    The "Separation of Primary and Alternate Providers" (CP-8(3)) subcontrol is a component of the "Telecommunications Services" (CP-8) control within the "Contingency Planning" family (CP). It focuses on the importance of using different telecommunications service providers for primary and alternate communication capabilities to prevent a single point of failure in service delivery during contingencies.

  • Telecommunications Services | Provider Contingency Plan (CP-8(4))

    The "Provider Contingency Plan" (CP-8(4)) subcontrol is a component of the "Telecommunications Services" (CP-8) control within the "Contingency Planning" family (CP). It focuses on ensuring that telecommunications service providers have their own contingency plans to address disruptions and maintain service availability in the event of incidents.

  • Telecommunications Services | Alternate Telecommunication Service Testing (CP-8(5))

    The "Alternate Telecommunication Service Testing" (CP-8(5)) subcontrol is a component of the "Telecommunications Services" (CP-8) control within the "Contingency Planning" family (CP). It focuses on the regular testing and validation of alternate telecommunication services to ensure their availability and effectiveness during contingencies.

  • System Backup (CP-9)- Main Control

    The "System Backup" (CP-9) control is part of the "Contingency Planning" (CP) family within NIST Special Publication 800-53. This control focuses on establishing and maintaining a systematic approach to backing up critical system data and information to support data recovery and restoration activities in the event of a contingency or disaster.

  • System Backup | Testing for Reliability and Integrity (CP-9(1))

    The "Testing for Reliability and Integrity" (CP-9(1)) subcontrol is part of the "System Backup" (CP-9) control within the NIST Special Publication 800-53. This subcontrol emphasizes the importance of regularly testing the reliability and integrity of system backups to ensure that they can be successfully restored in the event of a contingency.

  • System Backup | Test Restoration Using Sampling (CP-9(2))

    The "Test Restoration Using Sampling" (CP-9(2)) subcontrol is a component of the "System Backup" (CP-9) control within NIST Special Publication 800-53. This subcontrol emphasizes the need to validate the integrity and effectiveness of backup restoration processes through representative sampling of backup data.

  • System Backup | Separate Storage for Critical Information (CP-9(3))

    The "Separate Storage for Critical Information" (CP-9(3)) subcontrol is a component of the "System Backup" (CP-9) control within NIST Special Publication 800-53. This subcontrol emphasizes the need to store critical information backups separately from routine backups to ensure their availability and integrity during contingency situations.

  • System Backup | Protection from Unauthorized Modification (CP-9(4))

    The "Protection from Unauthorized Modification" (CP-9(4)) subcontrol is a component of the "System Backup" (CP-9) control within NIST Special Publication 800-53. This subcontrol highlights the need to safeguard backups from unauthorized modifications to maintain their integrity and ensure their effectiveness during recovery and restoration efforts.

  • System Backup | Transfer to Alternate Storage Site (CP-9(5))

    The "Transfer to Alternate Storage Site" (CP-9(5)) subcontrol is a component of the "System Backup" (CP-9) control within NIST Special Publication 800-53. This subcontrol emphasizes the importance of transferring backup data to an alternate storage site as part of contingency planning. Transferring backups to an off-site location helps ensure data availability and recovery in the event of a disaster or disruption at the primary site.

  • System Backup | Redundant Secondary System (CP-9(6))

    The System Backup | Redundant Secondary System control (CP-9(6)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control aims to enhance the resilience of critical information systems by requiring the establishment of redundant secondary systems that can quickly assume operational functions in case of a primary system failure. The control is designed to minimize downtime and data loss, ensuring the continuity of essential business operations during disruptive events.

  • System Backup | Dual Authorization for Deletion or Destruction (CP-9(7))

    The System Backup | Dual Authorization for Deletion or Destruction control (CP-9(7)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control aims to prevent accidental or unauthorized deletion or destruction of critical system backups by requiring dual authorization for such actions. The control enhances the integrity and availability of backups and reduces the risk of data loss.

  • System Backup | Cryptographic Protection (CP-9(8))

    The System Backup | Cryptographic Protection control (CP-9(8)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control focuses on enhancing the security of critical system backups by requiring cryptographic protection. By applying cryptographic mechanisms, organizations can ensure the confidentiality and integrity of backup data during storage, transfer, and restoration processes.

  • System Recovery and Reconstitution (CP-10)- Main Control

    The System Recovery and Reconstitution control (CP-10) is part of the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control focuses on ensuring that critical information systems can be effectively recovered and reconstituted after a disruption or disaster. The objective is to minimize the impact of disruptions on organizational operations by establishing comprehensive recovery processes.

  • System Recovery and Reconstitution | Contingency Plan Testing (CP-10(1))

    The System Recovery and Reconstitution | Contingency Plan Testing control (CP-10(1)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of regularly testing contingency plans to ensure their effectiveness in recovering and reconstituting critical information systems after disruptions. The control aims to identify gaps, refine procedures, and validate the organization's readiness for contingencies.

  • System Recovery and Reconstitution | Transaction Recovery (CP-10(2))

    The System Recovery and Reconstitution | Transaction Recovery control (CP-10(2)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of ensuring the recovery and reconstitution of critical transactions during and after disruptions. The control aims to maintain data consistency and minimize the impact of disruptions on ongoing business processes.

  • System Recovery and Reconstitution | Compensating Security Controls (CP-10(3))

    The System Recovery and Reconstitution | Compensating Security Controls control (CP-10(3)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control recognizes the potential need for using compensating security controls during the recovery and reconstitution process to maintain security posture when normal controls are temporarily unavailable. The control ensures that even during disruptions, security measures are effectively applied.

  • System Recovery and Reconstitution | Restore Within Time Period (CP-10(4))

    The System Recovery and Reconstitution | Restore Within Time Period control (CP-10(4)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of restoring critical systems within a defined time period after a disruption. The control aims to ensure timely recovery and reconstitution to minimize the impact of disruptions on organizational operations.

  • System Recovery and Reconstitution | Failover Capability (CP-10(5))

    The System Recovery and Reconstitution | Failover Capability control (CP-10(5)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need for organizations to establish failover capabilities that enable the seamless transition of operations to alternate systems in case of disruptions. The control aims to enhance operational resilience and minimize downtime.

  • System Recovery and Reconstitution | Component Protection (CP-10(6))

    The System Recovery and Reconstitution | Component Protection control (CP-10(6)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of protecting individual components or modules of critical systems during recovery and reconstitution efforts. The control aims to ensure that each component can be restored accurately, contributing to the overall successful recovery of the system.

  • Alternate Communications Protocols (CP-11)- Main Control

    The Alternate Communications Protocols control (CP-11) is part of the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need for organizations to establish alternate communications protocols to ensure the continued exchange of information during disruptions. The control aims to maintain effective communication channels and support critical operations.

  • Safe Mode (CP-12)- Main Control

    The Safe Mode control (CP-12) is part of the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need for organizations to establish and implement safe mode procedures for critical systems to ensure their continued operation during and after disruptions. The control aims to maintain essential functions and minimize operational impact.

  • Alternative Security Mechanisms (CP-13)- Main Control

    The Alternative Security Mechanisms control (CP-13) is part of the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control highlights the need for organizations to establish and implement alternative security mechanisms to ensure the continued protection of critical systems and data during disruptions. The control aims to maintain appropriate security measures even when standard controls are unavailable.

The Identification and Authentication control family is designed to ensure that only authorized individuals and entities are granted access to information systems. This is achieved through the unique identification of users and the authentication of their claimed identities before allowing access. By implementing strong identification and authentication controls, organizations can enhance the security of their information systems, protect sensitive data, and prevent unauthorized access.

  • Policy and Procedures (IA-1)- Main Control

    The Identification and Authentication | Policy and Procedures control (IA-1) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control underscores the importance of establishing clear policies and procedures for managing user identification and authentication within an organization. The control aims to ensure consistent and secure access to systems and data by authorized personnel.

  • Identification and Authentication (organizational Users) (IA-2)- Main Control

    The Identification and Authentication (organizational Users) control (IA-2) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need for organizations to establish and implement mechanisms for identifying and authenticating organizational users accessing information systems. The control aims to ensure that only authorized personnel can access sensitive systems and data.

  • Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts (IA-2(1))

    The Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts control (IA-2(1)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the necessity of implementing multi-factor authentication (MFA) for accessing privileged accounts within an organization. The control aims to enhance security by requiring an additional layer of authentication for accounts with elevated access privileges.

  • Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts (IA-2(2))

    The Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts control (IA-2(2)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control underscores the importance of implementing multi-factor authentication (MFA) for accessing non-privileged accounts within an organization. The control aims to enhance security by adding an additional layer of authentication for accounts with standard access privileges.

  • Identification and Authentication (organizational Users) | Local Access to Privileged Accounts (IA-2(3)), Identification and Authentication (organizational Users) | Network Access to Non-privileged Accounts — Replay Resistant (IA-2(9))

    The Identification and Authentication (organizational Users) | Local Access to Privileged Accounts control (IA-2(3)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of implementing strong identification and authentication measures for local access to privileged accounts. The control aims to prevent unauthorized access to sensitive systems and data through physical or local means.

  • Identification and Authentication (organizational Users) | Local Access to Non-privileged Accounts (IA-2(4))

    The Identification and Authentication (organizational Users) | Local Access to Non-privileged Accounts control (IA-2(4)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control underscores the importance of implementing robust identification and authentication measures for local access to non-privileged accounts. The control aims to prevent unauthorized access to systems and data through physical or local means.

  • Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication (IA-2(5))

    The Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication control (IA-2(5)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need to implement individual authentication for users even when group authentication is used. The control aims to enhance security by ensuring that each user's identity is verified, even within authenticated groups.

  • Identification and Authentication (organizational Users) | Access to Accounts — Separate Device (IA-2(6))

    The Identification and Authentication (organizational Users) | Access to Accounts — Separate Device control (IA-2(6)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need to require separate devices for accessing different accounts to enhance security. The control aims to prevent unauthorized access to accounts by ensuring that users employ distinct devices for authentication.

  • Identification and Authentication (organizational Users) | Network Access to Non-privileged Accounts — Separate Device (IA-2(7))

    The Identification and Authentication (organizational Users) | Network Access to Non-privileged Accounts — Separate Device control (IA-2(7)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the system gaining access, with that device meeting organization-defined strength requirements. The aim is to keep a single compromised endpoint from holding every factor needed to authenticate.

  • Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant (IA-2(8))

    The Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant control (IA-2(8)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires replay-resistant authentication mechanisms for access to accounts, such as challenge-response protocols using nonces, or time-synchronous or challenge-based one-time passwords. The aim is to ensure that authentication traffic captured on the network cannot simply be resent to gain entry.

  • Identification and Authentication (organizational Users) | Single Sign-on (IA-2(10))

    The Identification and Authentication (organizational Users) | Single Sign-on control (IA-2(10)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the use of single sign-on (SSO) mechanisms to enhance user convenience and security by requiring only one set of credentials to access multiple systems and applications.

  • Identification and Authentication (organizational Users) | Remote Access — Separate Device (IA-2(11))

    The Identification and Authentication (organizational Users) | Remote Access — Separate Device control (IA-2(11)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access, with that device meeting organization-defined strength requirements. The aim is to ensure that a remote login cannot be completed using only material present on the connecting endpoint.

  • Identification and Authentication (organizational Users) | Acceptance of PIV Credentials (IA-2(12))

    The Identification and Authentication (organizational Users) | Acceptance of PIV Credentials control (IA-2(12)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need to accept Personal Identity Verification (PIV) credentials as a strong form of authentication. The control aims to enhance security by ensuring that PIV credentials are recognized and used for user identification.

  • Identification and Authentication (organizational Users) | Out-of-band Authentication (IA-2(13))

    The Identification and Authentication (organizational Users) | Out-of-band Authentication control (IA-2(13)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires out-of-band authentication under organization-defined conditions: at least one factor is delivered over a channel separate from the one requesting access, for example a code sent to a registered device rather than to the session being authenticated. The aim is to ensure that an attacker who controls the primary channel cannot complete the login alone.

  • Device Identification and Authentication (IA-3)- Main Control

    The Device Identification and Authentication control (IA-3) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on ensuring that devices used to access organizational systems are properly identified and authenticated before being granted access. The control aims to enhance the security of systems by verifying the identities of devices attempting to connect.

  • Device Identification and Authentication | Cryptographic Bidirectional Authentication (IA-3(1))

    The Device Identification and Authentication | Cryptographic Bidirectional Authentication control (IA-3(1)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on using cryptographic techniques to establish bidirectional authentication between devices and systems. The aim is to ensure that both parties prove possession of a cryptographic key to each other before the connection is trusted, so that a device cannot be lured into talking to an impostor system and a system cannot be fooled by a device that merely claims a known identifier.
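
    The following is an added example, not code from the page or from NIST, illustrating both IA-2(8) (replay resistance) and IA-3(1) (cryptographic bidirectional authentication) in one exchange. The system issues a fresh random challenge, the device answers with an HMAC over its identifier and both nonces, and the system answers the device's nonce in turn so each side authenticates the other. Every challenge is consumed exactly once, so a captured response fails on replay. The shared key, device identifier, 30-second window and the `b"device"`/`b"system"` role labels are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Constructed shared key for this example only. In a real deployment each
# device/verifier pair would hold its own provisioned key (assumption).
SHARED_KEY = bytes.fromhex("3f" * 32)


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix every field so that (a, bc) and (ab, c) cannot produce the
    # same MAC input; the first field is a role label for domain separation.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


class Verifier:
    """System side: issues fresh challenges and consumes each one exactly once."""

    def __init__(self, key: bytes, window_seconds: float = 30.0):
        self.key = key
        self.window = window_seconds
        self.pending: Dict[bytes, float] = {}   # challenge -> time issued
        self.consumed: Set[bytes] = set()       # replay cache of used challenges

    def challenge(self, now: float) -> bytes:
        nonce = os.urandom(16)
        self.pending[nonce] = now
        return nonce

    def verify(self, device_id: bytes, server_nonce: bytes, device_nonce: bytes,
               tag: bytes, now: float) -> Tuple[bool, Optional[bytes]]:
        issued = self.pending.pop(server_nonce, None)
        if issued is None or server_nonce in self.consumed:
            return False, None                  # unknown or replayed challenge
        self.consumed.add(server_nonce)
        if now - issued > self.window:
            return False, None                  # challenge too old
        expected = _mac(self.key, b"device", device_id, server_nonce, device_nonce)
        if not hmac.compare_digest(expected, tag):
            return False, None                  # wrong key: not our device
        # Second direction: answer the device's nonce so it can verify us.
        return True, _mac(self.key, b"system", device_id, server_nonce, device_nonce)


class Device:
    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self.key = key

    def respond(self, server_nonce: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
        device_nonce = os.urandom(16)           # device's own freshness value
        tag = _mac(self.key, b"device", self.device_id, server_nonce, device_nonce)
        return self.device_id, server_nonce, device_nonce, tag

    def check_system(self, server_nonce: bytes, device_nonce: bytes, system_tag: bytes) -> bool:
        expected = _mac(self.key, b"system", self.device_id, server_nonce, device_nonce)
        return hmac.compare_digest(expected, system_tag)


def run_handshake(verifier: Verifier, device: Device, now: float = 0.0):
    """One complete exchange: (system accepted device, device accepted system, device message)."""
    nonce = verifier.challenge(now)
    message = device.respond(nonce)
    ok, system_tag = verifier.verify(*message, now=now)
    device_ok = bool(ok and system_tag is not None
                     and device.check_system(message[1], message[2], system_tag))
    return ok, device_ok, message


def replay_is_rejected(verifier: Verifier, captured_message, now: float = 1.0) -> bool:
    """Feed a previously captured device message back in; the replay cache must refuse it."""
    ok, _ = verifier.verify(*captured_message, now=now)
    return not ok


if __name__ == "__main__":
    verifier = Verifier(SHARED_KEY)
    sensor = Device(b"sensor-01", SHARED_KEY)
    accepted, mutual, captured = run_handshake(verifier, sensor)
    print("first handshake:", accepted, mutual)
    print("replay rejected:", replay_is_rejected(verifier, captured))
```

    A device holding the wrong key is rejected in the first direction, a genuine device talking to an impostor verifier rejects it in the second, and the stale-window check bounds how long a captured challenge stays useful even before it is consumed.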

  • Device Identification and Authentication | Cryptographic Bidirectional Network Authentication (IA-3(2))

    The Device Identification and Authentication | Cryptographic Bidirectional Network Authentication control (IA-3(2)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the use of cryptographic techniques for bidirectional authentication between devices and systems over a network. The control aims to enhance the security of device access by ensuring secure identity verification across network connections.

  • Device Identification and Authentication | Dynamic Address Allocation (IA-3(3))

    The Device Identification and Authentication | Dynamic Address Allocation control (IA-3(3)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. Where network addresses are assigned dynamically (for example, by DHCP), this control requires the organization to standardize the lease information and lease duration assigned to devices and to audit lease information when an address is assigned. The aim is to keep a reliable mapping between an address, a device, and a point in time, so that a dynamically allocated address can still be tied back to an identified device during monitoring and investigation.

  • Device Identification and Authentication | Device Attestation (IA-3(4))

    The Device Identification and Authentication | Device Attestation control (IA-3(4)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on using device attestation mechanisms to verify the integrity and authenticity of devices before granting them access. The control aims to enhance the security of device access by ensuring that only trusted and properly configured devices are allowed on the network.

  • Identifier Management (IA-4)- Main Control

    The Identifier Management control (IA-4) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on managing and controlling user and device identifiers to ensure the accurate and secure identification of individuals and devices accessing organizational systems. The control aims to enhance security by preventing unauthorized access through improper or compromised identifiers.

  • Identifier Management | Prohibit Account Identifiers as Public Identifiers (IA-4(1))

    The Identifier Management | Prohibit Account Identifiers as Public Identifiers control (IA-4(1)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control prohibits using system account identifiers that are the same as an individual's public identifiers, such as an email address. Knowing a public identifier should not hand an attacker half of the credential pair; keeping the account identifier distinct makes credential stuffing and password spraying harder to aim.

  • Identifier Management | Supervisor Authorization (IA-4(2))

    The Identifier Management | Supervisor Authorization control (IA-4(2)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need for supervisor authorization in the management and assignment of user identifiers. The control aims to enhance security by requiring supervisory approval for the creation and modification of user identifiers.

  • Identifier Management | Multiple Forms of Certification (IA-4(3))

    The Identifier Management | Multiple Forms of Certification control (IA-4(3)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the use of multiple forms of certification for user identifiers to enhance the accuracy and security of identification. The control aims to strengthen authentication processes by requiring users to provide diverse forms of proof of identity.

  • Identifier Management | Identify User Status (IA-4(4))

    The Identifier Management | Identify User Status control (IA-4(4)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires that individual identifiers carry an organization-defined characteristic of the individual's status, for example that the person is a contractor or a foreign national. The aim is to let systems and administrators recognize that status and apply the access restrictions appropriate to it.

  • Identifier Management | Dynamic Management (IA-4(5))

    The Identifier Management | Dynamic Management control (IA-4(5)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the dynamic management of user identifiers to reflect changes in user roles and responsibilities. The control aims to enhance security by ensuring that user identifiers are regularly updated and aligned with users' current roles.

  • Identifier Management | Cross-organization Management (IA-4(6))

    The Identifier Management | Cross-organization Management control (IA-4(6)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need for effective management of user identifiers across different organizations or systems. The control aims to enhance security by ensuring that user identifiers are managed consistently and securely when interacting with external entities.

  • Identifier Management | In-person Registration (IA-4(7))

    The Identifier Management | In-person Registration control (IA-4(7)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority, so that the identity behind an identifier has been checked face to face rather than solely through remotely submitted evidence.

  • Authenticator Management | Automated Support for Password Strength Determination (IA-5(4))

    The Authenticator Management | Automated Support for Password Strength Determination control (IA-5(4)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the use of automated tools to determine the strength of passwords, such as checking candidate passwords against lists of commonly used, expected, or compromised passwords at the time they are created or changed. The control aims to enhance security by ensuring that passwords chosen by users meet specified strength criteria.
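
    The following is an added example, not code from the page or from NIST, of the kind of automated check IA-5(4) calls for. It applies the SP 800-63B style rules rather than character-class composition: a length floor, a blocklist of common or breached passwords (matched after undoing simple substitutions and trailing digits), repeated and sequential characters, and context-specific words such as the username. The blocklist contents, the 8/128 length bounds and the sample passwords are assumptions constructed for the example.

```python
import re
from typing import List, Sequence

# Constructed stand-in for a list of commonly used or breached passwords
# (assumption); a real deployment loads a large, regularly updated corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "summer2024", "iloveyou"}
MIN_LENGTH = 8          # floor for user-chosen memorized secrets in SP 800-63B
MAX_LENGTH = 128        # allow long passphrases instead of truncating them
# Ordered alphabets and keyboard rows used to spot sequential runs such as "qwer" or "1234".
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_LEET = str.maketrans("@$0!13", "asoiie")   # undo common substitutions: P@ssw0rd -> password


def _candidates(pw: str) -> set:
    """Forms of the password to compare against the blocklist."""
    low = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)        # "password123!" -> "password"
    return {low, low.translate(_LEET), stripped, stripped.translate(_LEET)}


def _has_sequential_run(low: str, run: int = 4) -> bool:
    for seq in SEQUENCES:
        for text in (seq, seq[::-1]):               # forward and reversed runs
            if any(text[i:i + run] in low for i in range(len(text) - run + 1)):
                return True
    return False


def check_password(pw: str, username: str = "", context_words: Sequence[str] = ()) -> List[str]:
    """Return the reasons the password fails; an empty list means it is acceptable."""
    problems: List[str] = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if _candidates(pw) & BLOCKLIST:
        problems.append("matches a commonly used or breached password")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("contains the same character repeated four or more times")
    if _has_sequential_run(low):
        problems.append("contains a sequential run such as 1234, abcd or qwer")
    for word in (username, *context_words):
        w = word.lower()
        if len(w) >= 3 and w in low:
            problems.append(f"contains the context-specific word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "correct horse battery staple", "alice2024!", "Qwerty!2024"):
        print(repr(candidate), "->", check_password(candidate, username="alice") or "ok")
```

    The checker returns every reason at once so a user fixing a rejected password sees all of them; the blocklist comparison is case-insensitive and tolerant of trailing digits so that "P@ssw0rd123" is recognized as "password".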

  • Identifier Management | Pairwise Pseudonymous Identifiers (IA-4(8))

    The Identifier Management | Pairwise Pseudonymous Identifiers control (IA-4(8)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the use of pairwise pseudonymous identifiers to enhance user privacy and security. The control aims to reduce the exposure of users' real identifiers by assigning unique pseudonymous identifiers for interactions.

  • Identifier Management | Attribute Maintenance and Protection (IA-4(9))

    The Identifier Management | Attribute Maintenance and Protection control (IA-4(9)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need to maintain and protect user attributes associated with identifiers. The control aims to enhance security by ensuring the accuracy, confidentiality, and integrity of user attributes.

  • Authenticator Management (IA-5)- Main Control

    The Authenticator Management control (IA-5) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the management of authenticators, which are credentials used to verify the identity of individuals, devices, or systems. The control aims to enhance security by ensuring the effective management and protection of authenticators to prevent unauthorized access.

  • Authenticator Management | Password-based Authentication (IA-5(1))

    The Authenticator Management | Password-based Authentication control (IA-5(1)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the management and security of password-based authentication methods. The control aims to enhance security by ensuring that passwords, as authenticators, are managed, stored, and used in a secure manner.

  • Authenticator Management | Public Key-based Authentication (IA-5(2))

    The Authenticator Management | Public Key-based Authentication control (IA-5(2)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the management and security of public key-based authentication methods. The control aims to enhance security by ensuring that public key-based authentication mechanisms are properly managed, used, and protected.

  • Authenticator Management | In-person or Trusted External Party Registration (IA-5(3))

    The Authenticator Management | In-person or Trusted External Party Registration control (IA-5(3)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the registration process for authenticators with an in-person or trusted external party involvement. The control aims to enhance security by ensuring that authenticator registration is conducted through reliable and secure channels.

  • Authenticator Management | Change Authenticators Prior to Delivery (IA-5(5))

    The Authenticator Management | Change Authenticators Prior to Delivery control (IA-5(5)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires developers and installers of system components to provide unique authenticators, or to change default authenticators such as vendor-supplied passwords and keys, before delivery and installation. The aim is to keep systems from going live with well-known defaults, which are the first thing an attacker tries.

  • Authenticator Management | Protection of Authenticators (IA-5(6))

    The Authenticator Management | Protection of Authenticators control (IA-5(6)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the protection of authenticators from unauthorized access, loss, or theft. The control aims to enhance security by ensuring that authenticators are adequately safeguarded to prevent compromise.

  • Authenticator Management | No Embedded Unencrypted Static Authenticators (IA-5(7))

    The Authenticator Management | No Embedded Unencrypted Static Authenticators control (IA-5(7)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control prohibits embedding unencrypted static authenticators, such as hardcoded passwords or keys, in applications, scripts, or configuration files. Anything baked into source, a binary, or a config file is readable by everyone who can read that artifact, so the control aims to ensure that credentials are instead retrieved at runtime from a protected store.
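
    The following is an added example, not code from the page or from NIST, of a small scanner for the condition IA-5(7) prohibits. It flags literal values assigned to credential-like names and well-known credential formats, while passing over values that defer to an environment variable or a secret store, which is the pattern the control wants to see. The keyword list, placeholder list and sample configuration are assumptions constructed for the example; the AWS key ID in the sample is the placeholder used in AWS documentation, not a real credential.

```python
import re
from typing import List, Tuple

# Credential-like names on the left-hand side of an assignment (case-insensitive).
_KEYWORDS = r"(?:pass(?:word|wd|phrase)?|pwd|secret|api[_-]?key|access[_-]?key|token|private[_-]?key)"
_ASSIGN = re.compile(rf"(?i)\w*{_KEYWORDS}\w*\s*[:=]\s*['\"]?([^'\"\s,;]{{4,}})")
# Well-known public credential formats (documented formats, not secrets).
_FORMATS: List[Tuple[str, re.Pattern]] = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("PEM private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
_PLACEHOLDERS = {"changeme", "xxxx", "xxxxxxxx", "redacted", "example", "todo", "none", "null"}
# Values that delegate to the environment or a secret store are the desired pattern.
_REFERENCE_PREFIXES = ("${", "$(", "os.environ", "os.getenv", "env:", "vault:", "arn:aws:secretsmanager")


def scan_line(lineno: int, line: str) -> List[Tuple[int, str, str]]:
    """Findings for one line as (line number, label, offending value)."""
    findings: List[Tuple[int, str, str]] = []
    for label, pattern in _FORMATS:
        m = pattern.search(line)
        if m:
            findings.append((lineno, label, m.group(0)))
    for m in _ASSIGN.finditer(line):
        value = m.group(1)
        if value.startswith(_REFERENCE_PREFIXES) or value.lower() in _PLACEHOLDERS:
            continue                                   # reference or obvious placeholder
        findings.append((lineno, "hard-coded credential literal", value))
    return findings


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(n, line))
    return findings


# Constructed sample configuration (assumption). Lines 2, 4 and 5 are the
# acceptable forms: a reference to an external secret, a placeholder, and an
# environment lookup. Lines 1, 3 and 6 embed static authenticators.
SAMPLE_CONFIG = """\
db_password = "Tr0ub4dor&3"
api_key: ${API_KEY}
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
smtp_pass = "changeme"
token = os.environ["SERVICE_TOKEN"]
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, label, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {label}: {value}")
```

    Run over a repository this produces false positives on test fixtures and documentation, so in practice the output is triaged rather than treated as a block; the important property is that it never passes a literal merely because it looks random.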

  • Authenticator Management | Multiple System Accounts (IA-5(8))

    The Authenticator Management | Multiple System Accounts control (IA-5(8)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the risk that arises when an individual holds accounts on multiple systems: if the same password is reused, compromise of one system yields access to the others. The control aims to manage that risk, for example by requiring distinct authenticators per system or by ensuring that a compromised authenticator is changed everywhere it was used.

  • Authenticator Management | Federated Credential Management (IA-5(9))

    The Authenticator Management | Federated Credential Management control (IA-5(9)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the management of federated credentials, allowing users to access multiple systems or services with a single set of credentials. The control aims to enhance security by ensuring the proper management and protection of federated credentials.

  • Authenticator Management | Dynamic Credential Binding (IA-5(10))

    The Authenticator Management | Dynamic Credential Binding control (IA-5(10)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses binding an identity to its authenticator dynamically, under organization-defined rules, at the time of access rather than through a static, pre-provisioned enrollment; this matters where identities and authenticators originate from an external or federated source. The aim is to ensure that a dynamically bound authenticator is still tied to the correct identity when it is used.

  • Authenticator Management | Hardware Token-based Authentication (IA-5(11))

    The Authenticator Management | Hardware Token-based Authentication control (IA-5(11)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the use of hardware tokens for authentication purposes. The control aims to enhance security by requiring the use of hardware tokens, which provide an additional layer of authentication beyond traditional passwords.

  • Authenticator Management | Biometric Authentication Performance (IA-5(12))

    The Authenticator Management | Biometric Authentication Performance control (IA-5(12)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the performance aspects of biometric authentication methods. The control aims to enhance security by ensuring that biometric authentication methods are accurately and reliably implemented to prevent unauthorized access.

  • Authenticator Management | Expiration of Cached Authenticators (IA-5(13))

    The Authenticator Management | Expiration of Cached Authenticators control (IA-5(13)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control prohibits the use of cached authenticators after an organization-defined time period, so that a credential or session token held locally (for example, to allow logon while a directory server is unreachable) cannot be used indefinitely after the underlying account has been disabled or its password changed.

  • Authenticator Management | Managing Content of PKI Trust Stores (IA-5(14))

    The Authenticator Management | Managing Content of PKI Trust Stores control (IA-5(14)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the management of Public Key Infrastructure (PKI) trust stores, which hold the certificate authority certificates a platform will accept when validating certificates. The control requires an organization-wide methodology for managing trust store content across all platforms, because any unauthorized or unnecessary CA left in a trust store lets every certificate it issues pass validation.

  • Authenticator Management | GSA-approved Products and Services (IA-5(15))

    The Authenticator Management | GSA-approved Products and Services control (IA-5(15)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the use of General Services Administration (GSA)-approved products and services for authentication purposes. The control aims to enhance security by ensuring that only authorized and vetted products and services are used for authentication.

  • Authenticator Management | In-person or Trusted External Party Authenticator Issuance (IA-5(16))

    The Authenticator Management | In-person or Trusted External Party Authenticator Issuance control (IA-5(16)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the issuance of authenticators to users by requiring in-person or trusted external party involvement. The control aims to enhance security by ensuring that authenticators are issued through secure and reliable processes.

  • Authenticator Management | Presentation Attack Detection for Biometric Authenticators (IA-5(17))

    The Authenticator Management | Presentation Attack Detection for Biometric Authenticators control (IA-5(17)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the need for detecting presentation attacks (spoofing) when using biometric authentication methods. The control aims to enhance security by implementing mechanisms to detect and prevent the use of fake or fabricated biometric data.

  • Authenticator Management | Password Managers (IA-5(18))

    The Authenticator Management | Password Managers control (IA-5(18)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the use of password managers as a method for managing and securely storing authentication credentials. The control aims to enhance security by promoting the use of password managers to mitigate risks associated with weak and reused passwords.

  • Authentication Feedback (IA-6)- Main Control

    The Authentication Feedback (IA-6) control is part of the Identification and Authentication family of controls within NIST Special Publication 800-53. This control requires that feedback given during the authentication process be obscured, so that neither the information being entered nor the specific reason for a failure is exposed to onlookers or to the party attempting access. In practice this means masking passwords as they are typed and returning the same generic failure message whether the username or the password was wrong, rather than guiding the user (or an attacker probing for valid accounts) toward the specific correction needed.
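
    The following is an added example, not code from the page or from NIST, showing the server-side half of IA-6: a leaky login that reveals whether the account exists beside one that returns a single generic message and takes the same code path (and roughly the same time) for unknown users. The credential store, the PBKDF2 parameters and the user record are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password."


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed credential store for the example (assumption): username -> (salt, hash).
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": hash_password("correct horse battery staple")}
# Dummy record so that an unknown username still runs the full password check,
# keeping response time independent of whether the account exists.
_DUMMY = hash_password("not-a-real-password", salt=b"\x00" * 16)


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """Anti-pattern: the message and the timing both reveal whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return False, f"No account named '{username}'"
    salt, stored = record
    if hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS) != stored:
        return False, f"Wrong password for '{username}'"
    return True, "Welcome"


def login_obscured(username: str, password: str) -> Tuple[bool, str]:
    """IA-6 behaviour: one generic failure message and a constant-time comparison."""
    salt, stored = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    matched = hmac.compare_digest(candidate, stored)
    ok = matched and username in USERS          # a hit on the dummy record never logs in
    return ok, ("Welcome" if ok else GENERIC_FAILURE)


if __name__ == "__main__":
    for user, pw in (("alice", "wrong"), ("mallory", "wrong")):
        print("leaky:   ", login_leaky(user, pw)[1])
        print("obscured:", login_obscured(user, pw)[1])
```

    The client-side half, masking the password field as it is typed, is a user-interface setting rather than application logic; the detailed reason for a failure still belongs in the server's audit log, just not in the response.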

  • Cryptographic Module Authentication (IA-7)- Main Control

    The Cryptographic Module Authentication (IA-7) control is part of the Identification and Authentication family of controls within NIST Special Publication 800-53. This control requires that authentication to a cryptographic module, for example operator or role authentication to a hardware security module or a FIPS 140-validated software module, meet the requirements of applicable laws, executive orders, regulations, and standards. The aim is to ensure that the keys and cryptographic services inside the module are usable only by authenticated roles, rather than by anyone with access to the host.

  • Identification and Authentication (non-organizational Users) (IA-8)- Main Control

    The Identification and Authentication (non-organizational Users) (IA-8) control is part of the Identification and Authentication family of controls within NIST Special Publication 800-53. This control focuses on establishing identification and authentication mechanisms for non-organizational users accessing organizational systems and resources. The control aims to enhance security by ensuring that non-organizational users are appropriately identified and authenticated before gaining access.

  • Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies (IA-8(1))

    The Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies (IA-8(1)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the acceptance of Personal Identity Verification (PIV) credentials issued by other agencies for non-organizational users. The control aims to enhance interoperability and streamline access for users with PIV credentials issued by different entities.

  • Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators (IA-8(2))

    The Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators (IA-8(2)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the acceptance of external authenticators, such as those issued by third-party identity providers, for non-organizational users. It requires accepting only external authenticators that meet NIST requirements and documenting and maintaining the list of accepted authenticators, so that convenience for external users does not come at the cost of weak authentication.

  • Identification and Authentication (non-organizational Users) | Use of FICAM-approved Products (IA-8(3))

    The Identification and Authentication (non-organizational Users) | Use of FICAM-approved Products (IA-8(3)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on the use of Federal Identity, Credential, and Access Management (FICAM)-approved products for authenticating non-organizational users. The control aims to ensure the use of trusted and interoperable authentication solutions.

  • Identification and Authentication (non-organizational Users) | Use of Defined Profiles (IA-8(4))

    The Identification and Authentication (non-organizational Users) | Use of Defined Profiles (IA-8(4)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on the use of defined authentication profiles for non-organizational users. The control aims to establish consistent and secure authentication methods based on specific user profiles.

  • Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials (IA-8(5))

    The Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials (IA-8(5)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on the acceptance of Personal Identity Verification Interoperable (PIV-I) credentials for non-organizational users. The control aims to enhance security and interoperability by recognizing PIV-I credentials from trusted external entities.

  • Identification and Authentication (non-organizational Users) | Disassociability (IA-8(6))

    The Identification and Authentication (non-organizational Users) | Disassociability (IA-8(6)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on the disassociability of personal attributes from authentication credentials for non-organizational users. The control aims to protect user privacy by minimizing the exposure of sensitive personal information.
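
    The following is an added example, not code from the page or from NIST, serving both IA-4(8) (pairwise pseudonymous identifiers) and IA-8(6) (disassociability). An identity provider derives a different subject identifier for each relying party from a secret it never shares, and releases to each relying party only the attributes that party is entitled to, so two relying parties comparing notes cannot link the same person across their records. The IdP secret, the user record and the relying-party names are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict, Iterable

# Constructed identity-provider secret (assumption). It never leaves the IdP;
# relying parties see only the derived identifiers.
IDP_PAIRWISE_SECRET = bytes.fromhex("a1" * 32)


def pairwise_subject(internal_user_id: str, relying_party: str,
                     secret: bytes = IDP_PAIRWISE_SECRET) -> str:
    """Stable per-(user, relying party) identifier. The same user at another RP gets an
    unrelated value, and without the secret no RP can recover the internal ID or link two subjects."""
    rp = relying_party.encode("utf-8")
    uid = internal_user_id.encode("utf-8")
    msg = len(rp).to_bytes(4, "big") + rp + uid       # length prefix: no ambiguous splits
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_assertion(internal_user_id: str, relying_party: str, attributes: Dict[str, object],
                    released: Iterable[str]) -> Dict[str, object]:
    """Claims released to one RP: a pairwise subject plus only the attributes that RP is entitled to."""
    allowed = set(released)
    claims: Dict[str, object] = {"sub": pairwise_subject(internal_user_id, relying_party),
                                 "aud": relying_party}
    claims.update({k: v for k, v in attributes.items() if k in allowed})
    return claims


def can_correlate(assertion_a: Dict[str, object], assertion_b: Dict[str, object]) -> bool:
    """What two colluding RPs can do with the subjects alone: match them only if they are equal."""
    return assertion_a["sub"] == assertion_b["sub"]


# Constructed user record (assumption).
USER_ATTRIBUTES = {"email": "j.doe@example.org", "age_over_18": True, "national_id": "000-00-0000"}

if __name__ == "__main__":
    payroll = issue_assertion("u-12345", "https://payroll.example", USER_ATTRIBUTES, ["email"])
    forum = issue_assertion("u-12345", "https://forum.example", USER_ATTRIBUTES, ["age_over_18"])
    print(payroll)
    print(forum)
    print("linkable across RPs:", can_correlate(payroll, forum))
```

    The derivation is deterministic, so a returning user keeps the same subject at a given relying party, while the attribute filter keeps data such as the national identifier from ever leaving the provider unless a relying party is explicitly authorized to receive it.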

  • Service Identification and Authentication (IA-9)- Main Control

    The Service Identification and Authentication (IA-9) control is part of the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on ensuring proper identification and authentication mechanisms are in place for accessing and using services within an organization's information system. The control aims to prevent unauthorized access to services and protect sensitive data.

  • Service Identification and Authentication | Information Exchange (IA-9(1))

    The Service Identification and Authentication | Information Exchange (IA-9(1)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on ensuring proper identification and authentication mechanisms are established when exchanging information between services within an organization's information system, so that service providers receive, validate, and transmit identification and authentication information rather than trusting it blindly. The control aims to protect the confidentiality and integrity of information exchanged between services.

  • Service Identification and Authentication | Transmission of Decisions (IA-9(2))

    The Service Identification and Authentication | Transmission of Decisions (IA-9(2)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires that identification and authentication decisions be transmitted between organization-defined services consistent with organizational policy, so that a downstream service relying on an upstream authentication result receives that result through a trusted, policy-governed path rather than as an unverified assertion.

  • Adaptive Authentication (IA-10)- Main Control

    The Adaptive Authentication (IA-10) control is part of the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on implementing adaptive authentication mechanisms that dynamically adjust the level of authentication required based on risk factors and contextual information. The control aims to enhance security by responding to changing threat levels and user behavior.

  • Re-authentication (IA-11)- Main Control

    The Re-authentication (IA-11) control is part of the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on implementing mechanisms for requiring users to re-authenticate during an active session after a certain period of inactivity or based on specific events. The control aims to prevent unauthorized access to sensitive information and actions within an active session.
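
    The following is an added example, not code from the page or from NIST, that ties together IA-5(13) (expiration of cached authenticators), IA-10 (adaptive authentication) and IA-11 (re-authentication) in one session policy: a login from an unrecognized device must step up with a second factor, a cached authentication result expires on idle timeout and absolute lifetime, and privileged actions require both a recent primary authentication and a recently verified second factor. The timeouts, device identifiers and the `PermissionError` used to signal a required step-up are assumptions made for the example; time is passed in explicitly so the policy can be exercised without waiting.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Session:
    user: str
    device_id: str
    authenticated_at: float            # last time the primary credential was verified
    last_seen: float                   # last accepted request
    second_factor_at: Optional[float]  # last time a second factor was verified, if ever


class SessionPolicy:
    """Decides when a cached authentication result stops being good enough."""

    def __init__(self, absolute_lifetime: float = 8 * 3600, idle_timeout: float = 15 * 60,
                 privileged_window: float = 5 * 60, second_factor_lifetime: float = 12 * 3600):
        self.absolute_lifetime = absolute_lifetime
        self.idle_timeout = idle_timeout
        self.privileged_window = privileged_window
        self.second_factor_lifetime = second_factor_lifetime
        self.known_devices: Dict[str, Set[str]] = {}   # adaptive signal: devices seen per user

    def login(self, user: str, device_id: str, now: float, second_factor_verified: bool) -> Session:
        """Primary credential already checked by the caller. Unrecognized devices must step up."""
        if device_id not in self.known_devices.get(user, set()) and not second_factor_verified:
            raise PermissionError("step-up authentication required for an unrecognized device")
        self.known_devices.setdefault(user, set()).add(device_id)
        return Session(user, device_id, now, now, now if second_factor_verified else None)

    def needs_reauth(self, s: Session, now: float, action: str = "read",
                     device_id: Optional[str] = None) -> Optional[str]:
        """None if the request may proceed on the cached authentication, else the reason to re-authenticate."""
        if now - s.authenticated_at > self.absolute_lifetime:
            return "absolute session lifetime exceeded"
        if now - s.last_seen > self.idle_timeout:
            return "idle timeout"
        if device_id is not None and device_id != s.device_id:
            return "session presented from a different device"
        if action == "privileged":
            if now - s.authenticated_at > self.privileged_window:
                return "privileged action requires recent authentication"
            if s.second_factor_at is None or now - s.second_factor_at > self.second_factor_lifetime:
                return "privileged action requires a verified second factor"
        s.last_seen = now                                   # request accepted; refresh idle clock
        return None


def step_up_required(policy: SessionPolicy, user: str, device_id: str, now: float) -> bool:
    """True if logging in from this device without a second factor would be refused."""
    try:
        policy.login(user, device_id, now, second_factor_verified=False)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    policy = SessionPolicy()
    print("new device without MFA refused:", step_up_required(policy, "alice", "laptop-7", 0.0))
    session = policy.login("alice", "laptop-7", 0.0, second_factor_verified=True)
    print("read after 1 min:", policy.needs_reauth(session, 60.0))
    print("privileged after 10 min:", policy.needs_reauth(session, 600.0, action="privileged"))
    print("read after 20 idle min:", policy.needs_reauth(session, 600.0 + 20 * 60))
```

    Each check returns the reason rather than a bare boolean so the caller can log why a cached result was refused; a real implementation would also invalidate sessions when the account is disabled or its password changed, which is the other case IA-5(13) has in mind.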

  • Identity Proofing (IA-12)- Main Control

    The Identity Proofing (IA-12) control is a crucial component of the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing a reliable process for verifying the identity of individuals before granting them access to information systems or sensitive resources. The control aims to prevent unauthorized access by ensuring that only legitimate individuals are granted access privileges.

  • Identity Proofing | Supervisor Authorization (IA-12(1))

    The Identity Proofing | Supervisor Authorization (IA-12(1)) control is a specific requirement within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires that the registration process for receiving an account for logical access include supervisor or sponsor authorization. The aim is to ensure that someone accountable has vouched for the need before an identity is proofed and an account is issued.

  • Identity Proofing | Identity Evidence (IA-12(2))

    The Identity Proofing | Identity Evidence (IA-12(2)) control is a specific requirement within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing procedures for collecting and verifying identity evidence during the identity proofing process. The control aims to ensure that the evidence used for verifying an individual's identity is accurate, reliable, and in compliance with established standards.

  • Identity Proofing | Identity Evidence Validation and Verification (IA-12(3))

    The Identity Proofing | Identity Evidence Validation and Verification (IA-12(3)) control is a specific requirement within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing robust procedures for validating and verifying the authenticity of identity evidence collected during the identity proofing process. The control aims to ensure that the evidence used for identity verification is accurate and reliable.

  • Identity Proofing | In-person Validation and Verification (IA-12(4))

    The Identity Proofing | In-person Validation and Verification (IA-12(4)) control is a specific requirement within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on conducting in-person validation and verification of an individual's identity during the identity proofing process. The control aims to ensure that the identity verification process is based on direct and reliable interactions with the individual seeking access.

  • Identity Proofing | Address Confirmation (IA-12(5))

    The Identity Proofing | Address Confirmation (IA-12(5)) control is a specific requirement within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires that a registration code or notice of proofing be delivered through an out-of-band channel to the individual's address of record, whether physical or digital. The aim is to confirm that the person completing proofing actually controls the address associated with the claimed identity.

  • Identity Proofing | Accept Externally-proofed Identities (IA-12(6))

    The Identity Proofing | Accept Externally-proofed Identities (IA-12(6)) control is a specific requirement within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on allowing the acceptance of identities that have been externally proofed by trusted third parties. The control aims to leverage the validation and verification processes of reputable external entities to enhance the reliability of identity information.

The Incident Response control family is designed to help organizations develop, implement, and maintain an organized and effective approach to managing and mitigating information security incidents. An incident response capability enables organizations to detect, respond to, and recover from incidents in a manner that minimizes damage, reduces recovery time, and mitigates the potential impact on information systems and data.

  • Policy and Procedures (IR-1)- Main Control

    The Incident Response Policy and Procedures (IR-1) control is a main control within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing and implementing an organization-wide incident response policy and associated procedures. The control aims to ensure that the organization has a clear framework for detecting, responding to, and mitigating cybersecurity incidents effectively and efficiently.

  • Incident Response Training (IR-2)- Main Control

    The Incident Response Training (IR-2) control is a main control within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on providing training to personnel involved in incident response activities. The control aims to ensure that individuals are equipped with the necessary knowledge and skills to effectively respond to cybersecurity incidents and mitigate their impact.

  • Incident Response Training | Simulated Events (IR-2(1))

    The Incident Response Training | Simulated Events (IR-2(1)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on providing incident response personnel with training through simulated events that replicate real-world cybersecurity incidents. The control aims to enhance the practical skills and decision-making abilities of responders by exposing them to realistic scenarios.

  • Incident Response Training | Automated Training Environments (IR-2(2))

    The Incident Response Training | Automated Training Environments (IR-2(2)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on providing incident response personnel with training through automated environments that simulate cybersecurity incidents. The control aims to enhance responders' technical skills and familiarity with incident response tools and technologies.

  • Incident Response Training | Breach (IR-2(3))

    The Incident Response Training | Breach (IR-2(3)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on providing incident response personnel with specialized training to effectively respond to data breaches and security incidents involving unauthorized access to sensitive information. The control aims to ensure that responders are equipped to handle breaches and mitigate their impact.

  • Incident Response Testing (IR-3)- Main Control

    The Incident Response Testing (IR-3) control is a fundamental requirement within the Incident Response family of controls as outlined in NIST Special Publication 800-53. This control focuses on establishing and implementing a comprehensive incident response testing program that allows organizations to assess the effectiveness of their incident response procedures, plans, and capabilities through regular testing and exercises.

  • Incident Response Testing | Automated Testing (IR-3(1))

    The Incident Response Testing | Automated Testing (IR-3(1)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on utilizing automated testing tools and technologies to simulate and evaluate incident response scenarios in a controlled and repeatable manner.

  • Incident Response Testing | Coordination with Related Plans (IR-3(2))

    The Incident Response Testing | Coordination with Related Plans (IR-3(2)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of coordinating incident response testing

  • Incident Response Testing | Continuous Improvement (IR-3(3))

    The Incident Response Testing | Continuous Improvement (IR-3(3)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need for organizations to establish a process of continuous improvement for their incident response testing activities to enhance their incident response capabilities over time.

  • Incident Handling (IR-4)- Main Control

    The Incident Handling (IR-4) control is a central component of the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing and maintaining a robust incident handling capability to effectively detect, respond to, and mitigate security incidents within an organization.

  • Incident Handling | Automated Incident Handling Processes (IR-4(1))

    The Incident Handling | Automated Incident Handling Processes (IR-4(1)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the use of automation to streamline incident handling processes, ensuring efficient detection, response, and mitigation of security incidents.

  • Incident Handling | Dynamic Reconfiguration (IR-4(2))

    The Incident Handling | Dynamic Reconfiguration (IR-4(2)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control highlights the need for organizations to dynamically adjust their incident handling procedures and processes in response to evolving threats and changing circumstances.

  • Incident Handling | Continuity of Operations (IR-4(3))

    The Incident Handling | Continuity of Operations (IR-4(3)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on maintaining effective incident response capabilities during disruptive events, ensuring the continuity of operations even in the face of incidents.

  • Incident Handling | Information Correlation (IR-4(4))

    The Incident Handling | Information Correlation (IR-4(4)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on the capability to correlate and analyze information from multiple sources during incident handling to gain a comprehensive understanding of the incident.

  • Incident Handling | Automatic Disabling of System (IR-4(5))

    The Incident Handling | Automatic Disabling of System (IR-4(5)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on the ability to automatically disable or isolate affected systems during an incident to prevent further propagation of threats and damage.

  • Incident Handling | Insider Threats (IR-4(6))

    The Incident Handling | Insider Threats (IR-4(6)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need to develop specific incident response procedures and strategies to address threats posed by insider actors within an organization.

  • Incident Handling | Insider Threats — Intra-organization Coordination (IR-4(7))

    The Incident Handling | Insider Threats — Intra-organization Coordination (IR-4(7)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of establishing effective coordination and communication mechanisms within an organization to address insider threat incidents.

  • Incident Handling | Correlation with External Organizations (IR-4(8))

    The Incident Handling | Correlation with External Organizations (IR-4(8)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of establishing communication and collaboration mechanisms with external organizations to enhance incident response capabilities.

  • Incident Handling | Dynamic Response Capability (IR-4(9))

    The Incident Handling | Dynamic Response Capability (IR-4(9)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need for organizations to maintain a dynamic incident response capability that adapts to evolving cyber threats and changing circumstances.

  • Incident Handling | Supply Chain Coordination (IR-4(10))

    The Incident Handling | Supply Chain Coordination (IR-4(10)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of establishing effective coordination with supply chain partners to enhance incident response and mitigate risks associated with supply chain threats.

  • Incident Handling | Integrated Incident Response Team (IR-4(11))

    The Incident Handling | Integrated Incident Response Team (IR-4(11)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of establishing a centralized and integrated incident response team that collaborates across organizational boundaries.

  • Incident Handling | Malicious Code and Forensic Analysis (IR-4(12))

    The Incident Handling | Malicious Code and Forensic Analysis (IR-4(12)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on the effective handling of incidents involving malicious code and the use of forensic analysis techniques to investigate and understand the nature of security incidents.

  • Incident Handling | Behavior Analysis (IR-4(13))

    The Incident Handling | Behavior Analysis (IR-4(13)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on analyzing the behavior of systems and networks to detect and respond to anomalous or malicious activities.

  • Incident Handling | Security Operations Center (IR-4(14))

    The Incident Handling | Security Operations Center (IR-4(14)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the establishment and operation of a Security Operations Center (SOC) to monitor, detect, respond to, and mitigate security incidents in an organization's IT environment.

  • Incident Handling | Public Relations and Reputation Repair (IR-4(15))

    The Incident Handling | Public Relations and Reputation Repair (IR-4(15)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need for organizations to establish strategies and processes for managing public relations and repairing their reputation in the aftermath of a security incident.

  • Incident Monitoring (IR-5)- Main Control

    The Incident Monitoring (IR-5) control is a main control within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of monitoring for potential security incidents and unauthorized activities in order to detect and respond to them in a timely manner.

  • Incident Monitoring | Automated Tracking, Data Collection, and Analysis (IR-5(1))

    The Incident Monitoring | Automated Tracking, Data Collection, and Analysis (IR-5(1)) control is a subcontrol of the Incident Monitoring control (IR-5) within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of automated mechanisms for tracking, collecting, and analyzing data related to potential security incidents.

  • Incident Reporting (IR-6)- Main Control

    The Incident Reporting (IR-6) control is part of the Incident Response family of controls in NIST Special Publication 800-53. This control emphasizes the importance of establishing a formalized process for reporting and documenting security incidents within an organization.

  • Incident Reporting | Automated Reporting (IR-6(1))

    The Incident Reporting | Automated Reporting (IR-6(1)) control is a subcontrol of the Incident Reporting control (IR-6) within the Incident Response family of controls in NIST Special Publication 800-53. This subcontrol emphasizes the need for organizations to implement automated mechanisms for incident reporting to expedite the reporting process and ensure timely response.

  • Incident Reporting | Vulnerabilities Related to Incidents (IR-6(2))

    The Incident Reporting | Vulnerabilities Related to Incidents (IR-6(2)) control is a subcontrol of the Incident Reporting control (IR-6) within the Incident Response family of controls in NIST Special Publication 800-53. This subcontrol emphasizes the need for organizations to report vulnerabilities that are discovered during incident response activities to relevant parties.

  • Incident Reporting | Supply Chain Coordination (IR-6(3))

    The Incident Reporting | Supply Chain Coordination (IR-6(3)) control is a subcontrol of the Incident Reporting control (IR-6) within the Incident Response family of controls in NIST Special Publication 800-53. This subcontrol emphasizes the importance of coordinating incident reporting and response efforts with supply chain partners to address potential threats and vulnerabilities.

  • Incident Response Assistance (IR-7)- Main Control

    The Incident Response Assistance (IR-7) control is part of the Incident Response family of controls in NIST Special Publication 800-53. It focuses on establishing mechanisms to provide and receive assistance during incident response activities from external sources and organizations.

  • Incident Response Assistance | Automation Support for Availability of Information and Support (IR-7(1))

    The Incident Response Assistance | Automation Support for Availability of Information and Support (IR-7(1)) control is a subcontrol of the Incident Response Assistance control (IR-7) within the Incident Response family of controls in NIST Special Publication 800-53. It focuses on automating processes to ensure the availability of necessary information and support during incident response activities from external sources and organizations.

  • Incident Response Assistance | Coordination with External Providers (IR-7(2))

    The Incident Response Assistance | Coordination with External Providers (IR-7(2)) control is a subcontrol of the Incident Response Assistance control (IR-7) within the Incident Response family of controls in NIST Special Publication 800-53. It focuses on establishing effective coordination and communication mechanisms with external assistance providers during incident response activities.

  • Incident Response Plan (IR-8)- Main Control

    The Incident Response Plan (IR-8) control is a foundational component of the Incident Response family in NIST Special Publication 800-53. It emphasizes the development, documentation, and maintenance of a comprehensive incident response plan that outlines the organization's strategies, procedures, and guidelines for addressing and mitigating various types of security incidents.

  • Incident Response Plan | Breaches (IR-8(1))

    The Incident Response Plan | Breaches (IR-8(1)) control is a specific requirement within the Incident Response family of controls in NIST Special Publication 800-53. It focuses on the development and inclusion of breach-specific procedures and strategies within the organization's overall incident response plan.

  • Information Spillage Response (IR-9)- Main Control

    The Information Spillage Response (IR-9) control is part of the Incident Response family in NIST Special Publication 800-53. It focuses on establishing procedures and strategies to respond to incidents of information spillage, which involve the unauthorized or unintentional release of sensitive or classified information.

  • Information Spillage Response | Responsible Personnel (IR-9(1))

    The Information Spillage Response | Responsible Personnel (IR-9(1)) control is a subcontrol under the Incident Response family in NIST Special Publication 800-53. It focuses on designating responsible personnel who are accountable for implementing the procedures and strategies for responding to incidents of information spillage.

  • Information Spillage Response | Training (IR-9(2))

    The Information Spillage Response | Training (IR-9(2)) control is a subcontrol under the Incident Response family in NIST Special Publication 800-53. It emphasizes the need for organizations to provide training to personnel involved in responding to incidents of information spillage. This training ensures that personnel are equipped with the necessary skills and knowledge to effectively and efficiently respond to information spillage incidents.

  • Information Spillage Response | Post-spill Operations (IR-9(3))

    The Information Spillage Response | Post-spill Operations (IR-9(3)) control is a subcontrol under the Incident Response family in NIST Special Publication 800-53. It emphasizes the need for organizations to conduct post-spill operations following an information spillage incident. These operations focus on restoring normal operations, analyzing the incident's impact, and implementing corrective actions to prevent future occurrences.

  • Information Spillage Response | Exposure to Unauthorized Personnel (IR-9(4))

    The Information Spillage Response | Exposure to Unauthorized Personnel (IR-9(4)) control is a subcontrol under the Incident Response family in NIST Special Publication 800-53. It emphasizes the need for organizations to respond promptly and effectively to incidents where sensitive information has been exposed to unauthorized individuals, both internally and externally.

  • Integrated Information Security Analysis Team (IR-10)- Main Control

    The Integrated Information Security Analysis Team (IR-10) control is a main control under the Incident Response family in NIST Special Publication 800-53. It emphasizes the importance of establishing a centralized and coordinated team responsible for analyzing and responding to security incidents across the organization.

The Maintenance control family is designed to ensure that information systems are properly maintained, updated, and patched to address vulnerabilities, enhance functionality, and support the overall security of the system throughout its lifecycle. Maintenance activities encompass both routine and emergency procedures, including the application of updates, patches, and configuration changes. By implementing effective maintenance controls, organizations can reduce the risk of security incidents related to unaddressed vulnerabilities and ensure the continued reliability and security of their information systems.

  • Policy and Procedures (MA-1)- Main Control

    The MA-1 control is part of the Maintenance family in NIST Special Publication 800-53. It focuses on the development and implementation of policies and procedures to guide the maintenance of information systems and assets throughout their lifecycle.

  • Controlled Maintenance (MA-2)- Main Control

    The MA-2 control is part of the Maintenance family in NIST Special Publication 800-53. It focuses on the implementation of controlled maintenance processes to ensure that changes to information systems and assets are carried out in a planned, coordinated, and secure manner.

  • Controlled Maintenance | Record Content (MA-2(1))

    The MA-2(1) control is a specific subcontrol of MA-2 in the Maintenance family of NIST Special Publication 800-53. It focuses on ensuring that records related to controlled maintenance activities are accurately documented and maintained.

  • Controlled Maintenance | Automated Maintenance Activities (MA-2(2))

    The MA-2(2) control is a specific subcontrol of MA-2 in the Maintenance family of NIST Special Publication 800-53. It focuses on ensuring that automated maintenance activities are controlled and effectively managed to prevent unintended and unauthorized changes to systems and assets.

  • Maintenance Tools (MA-3)- Main Control

    The MA-3 control is part of the Maintenance family in NIST Special Publication 800-53. It focuses on the secure use and management of maintenance tools to prevent unauthorized access, use, and potential compromise of systems and assets during maintenance activities.

  • Maintenance Tools | Inspect Tools (MA-3(1))

    The MA-3(1) control is a subcontrol of MA-3 in NIST Special Publication 800-53. It focuses on the regular inspection and evaluation of maintenance tools used within an organization to ensure their security, integrity, and compliance with established policies and procedures.

  • Maintenance Tools | Inspect Media (MA-3(2))

    The MA-3(2) control is a subcontrol of MA-3 in NIST Special Publication 800-53. It focuses on the regular inspection and evaluation of maintenance media (e.g., CDs, DVDs, USB drives) used within an organization to ensure their security, integrity, and compliance with established policies and procedures.

  • Maintenance Tools | Prevent Unauthorized Removal (MA-3(3))

    The MA-3(3) control is a subcontrol of MA-3 in NIST Special Publication 800-53. It focuses on preventing unauthorized removal of maintenance tools and equipment from organizational facilities to ensure the security and availability of these tools.

  • Maintenance Tools | Restricted Tool Use (MA-3(4))

    The MA-3(4) control is a subcontrol of MA-3 in NIST Special Publication 800-53. It focuses on establishing restrictions and controls on the use of maintenance tools within an organization to prevent unauthorized or improper use.

  • Maintenance Tools | Execution with Privilege (MA-3(5))

    The MA-3(5) control is a subcontrol of MA-3 in NIST Special Publication 800-53. It focuses on ensuring that the execution of maintenance tools is carried out with appropriate privilege levels to prevent unauthorized or unintended system modifications.

  • Maintenance Tools | Software Updates and Patches (MA-3(6))

    The MA-3(6) control is a subcontrol of MA-3 in NIST Special Publication 800-53. It focuses on managing software updates and patches for maintenance tools to ensure that they remain current, secure, and free from vulnerabilities.

  • Nonlocal Maintenance (MA-4)- Main Control

    The MA-4 control in NIST Special Publication 800-53 addresses the security aspects of performing maintenance on information systems and components from a nonlocal location. It aims to establish safeguards and controls to ensure that nonlocal maintenance activities do not introduce security risks or compromise the confidentiality, integrity, and availability of the systems.

  • Nonlocal Maintenance | Logging and Review (MA-4(1))

    The MA-4(1) control under NIST Special Publication 800-53 addresses the logging and review of nonlocal maintenance activities. It focuses on establishing mechanisms to generate logs of nonlocal maintenance events and conducting regular reviews of these logs to ensure the security of the information system during remote maintenance activities.

  • Nonlocal Maintenance | Document Nonlocal Maintenance (MA-4(2))

    The MA-4(2) control in NIST Special Publication 800-53 focuses on documenting nonlocal maintenance activities. It involves maintaining a record of all nonlocal maintenance performed on information systems, including the purpose, scope, individuals involved, and actions taken during the maintenance.

  • Nonlocal Maintenance | Comparable Security and Sanitization (MA-4(3))

    The MA-4(3) control in NIST Special Publication 800-53 addresses the security considerations and sanitization practices for nonlocal maintenance activities. It focuses on ensuring that security measures for nonlocal maintenance are comparable to those used during local maintenance, and that proper sanitization is performed after nonlocal maintenance is completed.

  • Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions (MA-4(4))

    The MA-4(4) control in NIST Special Publication 800-53 addresses the need for strong authentication and proper separation of maintenance sessions during nonlocal maintenance activities. It focuses on ensuring that only authorized personnel can perform nonlocal maintenance and that different maintenance sessions are isolated from each other to prevent unauthorized access and data leakage.

  • Nonlocal Maintenance | Approvals and Notifications (MA-4(5))

    The MA-4(5) control in NIST Special Publication 800-53 addresses the need for formal approvals and notifications before conducting nonlocal maintenance activities. It ensures that maintenance activities are authorized by appropriate personnel and that stakeholders are informed of upcoming maintenance to minimize disruptions.

  • Nonlocal Maintenance | Cryptographic Protection (MA-4(6))

    The MA-4(6) control in NIST Special Publication 800-53 focuses on the use of cryptographic protections during nonlocal maintenance activities. This control aims to safeguard sensitive information and data integrity during maintenance processes that involve remote access or transmission.

  • Nonlocal Maintenance | Disconnect Verification (MA-4(7))

    The MA-4(7) control in NIST Special Publication 800-53 focuses on verifying the disconnection of nonlocal maintenance sessions after the maintenance activities have been completed. This control helps prevent unauthorized access to systems or data after remote maintenance sessions.

  • Maintenance Personnel (MA-5)- Main Control

    The MA-5 control in NIST Special Publication 800-53 addresses the selection, training, and management of personnel involved in system maintenance activities. This control aims to ensure that maintenance personnel have the appropriate skills, knowledge, and authorization to perform maintenance tasks while minimizing the risk of unauthorized access or unintentional disruptions.

  • Maintenance Personnel | Individuals Without Appropriate Access (MA-5(1))

    The MA-5(1) control under NIST Special Publication 800-53 focuses on preventing individuals without appropriate access from conducting maintenance activities. This control ensures that only authorized personnel with the necessary qualifications and permissions are allowed to perform maintenance tasks on information systems.

  • Maintenance Personnel | Security Clearances for Classified Systems (MA-5(2))

    The MA-5(2) control under NIST Special Publication 800-53 addresses the requirement for maintenance personnel with appropriate security clearances to perform maintenance activities on classified information systems. This control ensures that individuals working on classified systems possess the necessary clearances to access sensitive information.

  • Maintenance Personnel | Citizenship Requirements for Classified Systems (MA-5(3))

    The MA-5(3) control under NIST Special Publication 800-53 addresses the requirement for maintenance personnel working on classified information systems to meet specific citizenship requirements. This control ensures that individuals who have the appropriate legal status are authorized to access and maintain classified systems.

  • Maintenance Personnel | Foreign Nationals (MA-5(4))

    The MA-5(4) control under NIST Special Publication 800-53 addresses the requirement for organizations to establish specific procedures and controls when allowing foreign national personnel to access and maintain information systems. This control ensures that foreign nationals who have access to sensitive systems are subjected to appropriate security measures.

  • Maintenance Personnel | Non-system Maintenance (MA-5(5))

    The MA-5(5) control under NIST Special Publication 800-53 addresses the requirement for organizations to establish procedures and controls for non-system maintenance personnel who are granted access to information systems for maintenance activities. This control ensures that non-system maintenance personnel are subject to appropriate security measures to prevent unauthorized access and potential risks.

  • Timely Maintenance (MA-6)- Main Control

    The MA-6 control under NIST Special Publication 800-53 focuses on ensuring that timely maintenance activities are conducted to address vulnerabilities, apply patches, and keep information systems up-to-date. Timely maintenance is essential to mitigate security risks and maintain the overall integrity and functionality of the systems.

  • Timely Maintenance | Preventive Maintenance (MA-6(1))

    The MA-6(1) control within NIST Special Publication 800-53 focuses on the practice of preventive maintenance to proactively identify and address potential issues before they escalate into security vulnerabilities or system failures. Preventive maintenance helps ensure the ongoing reliability and security of information systems.

  • Timely Maintenance | Predictive Maintenance (MA-6(2))

    The MA-6(2) control within NIST Special Publication 800-53 addresses the practice of predictive maintenance, which involves using data analytics and machine learning techniques to forecast potential issues in information systems. Predictive maintenance helps organizations proactively address maintenance needs and security vulnerabilities before they impact system performance or security.

  • Timely Maintenance | Automated Support for Predictive Maintenance (MA-6(3))

    The MA-6(3) control within NIST Special Publication 800-53 addresses the use of automated tools and technologies to support predictive maintenance activities. These tools help organizations efficiently analyze and process large volumes of data for identifying potential system issues and security vulnerabilities.

  • Field Maintenance (MA-7)- Main Control

    The MA-7 control within NIST Special Publication 800-53 addresses the secure execution of maintenance activities in field environments. It focuses on ensuring that maintenance activities conducted in the field follow established security protocols to prevent unauthorized access, data breaches, and other security risks.

The Media Protection control family is designed to safeguard information system media, which includes physical and electronic storage devices, from unauthorized access, disclosure, alteration, destruction, and theft. Media protection measures are critical for preserving the confidentiality and integrity of information stored on various forms of media throughout their lifecycle. By implementing effective media protection controls, organizations can ensure that sensitive information remains secure, whether stored on physical media (e.g., hard drives, tapes) or electronic media (e.g., USB drives, optical discs).

  • Policy and Procedures (MP-1)- Main Control

    The MP-1 control within NIST Special Publication 800-53 focuses on the establishment and implementation of policies and procedures to ensure the proper protection of media containing sensitive information. This control aims to prevent unauthorized access, disclosure, and loss of information stored on various types of media, including physical and digital media.

  • Media Access (MP-2)- Main Control

    The MP-2 control within NIST Special Publication 800-53 focuses on controlling access to media that contain sensitive information. This control ensures that only authorized individuals have access to media, thereby reducing the risk of unauthorized disclosure, loss, or compromise of information stored on the media.

  • Media Access | Automated Restricted Access (MP-2(1))

    The MP-2(1) control within NIST Special Publication 800-53 focuses on implementing automated mechanisms for restricted access to media. This control ensures that media containing sensitive information are automatically restricted from unauthorized access through technical means.

  • Media Access | Cryptographic Protection (MP-2(2)), Media Storage | Cryptographic Protection (MP-4(1)), Media Transport | Cryptographic Protection (MP-5(4))

    The MP-2(2) control within NIST Special Publication 800-53 focuses on implementing cryptographic protections for media access. This control ensures that media containing sensitive information are encrypted to maintain the confidentiality and integrity of the data during access and transmission.

  • Media Marking (MP-3)- Main Control

    The Media Marking (MP-3) control within NIST Special Publication 800-53 focuses on implementing proper marking procedures for media containing sensitive information. This control ensures that media are appropriately labeled with clear markings indicating the classification and handling requirements.

  • Media Storage (MP-4)- Main Control

    The Media Storage (MP-4) control within NIST Special Publication 800-53 focuses on implementing proper security measures for storing media containing sensitive information. This control ensures that media are stored in secure environments that prevent unauthorized access, damage, or theft.

  • Media Storage | Automated Restricted Access (MP-4(2))

    The Media Storage subcontrol MP-4(2) from the NIST 800-53 framework is designed to ensure the automated enforcement of restricted access to media storage. This control focuses on preventing unauthorized individuals or processes from accessing media storage containing sensitive information.

  • Media Transport (MP-5)- Main Control

    Control MP-5, part of the Media Protection family within NIST 800-53, addresses the secure transport of media containing sensitive information. This control ensures that media in transit are safeguarded against unauthorized access, tampering, or theft during transportation.

  • Media Transport | Documentation of Activities (MP-5(2)), Media Transport | Protection Outside of Controlled Areas (MP-5(1))

    Subcontrol MP-5(2) focuses on maintaining documentation of activities related to the secure transport of media containing sensitive information. This documentation provides an audit trail of actions taken during media transportation to ensure accountability, track security measures, and facilitate incident response.

  • Media Transport | Custodians (MP-5(3))

    Subcontrol MP-5(3) focuses on designating and specifying custodians for media during transportation. Custodians are individuals responsible for safeguarding and overseeing the secure transport of media containing sensitive information.

  • Media Sanitization (MP-6)- Main Control

    Control MP-6 addresses the proper sanitization of media to ensure that sensitive information is removed from media prior to disposal, reuse, or release for reuse. This control aims to prevent unauthorized disclosure of information that may still reside on media even after its primary use.

  • Media Sanitization | Review, Approve, Track, Document, and Verify (MP-6(1))

    Subcontrol MP-6(1) focuses on establishing a comprehensive process for reviewing, approving, tracking, documenting, and verifying media sanitization activities. This subcontrol ensures that media sanitization is carried out systematically and effectively, with proper oversight and accountability.

  • Media Sanitization | Equipment Testing (MP-6(2))

    Subcontrol MP-6(2) emphasizes the importance of testing sanitization equipment to ensure that it effectively removes sensitive information from media. This subcontrol aims to validate the reliability and efficiency of the equipment used in the media sanitization process.

  • Media Sanitization | Nondestructive Techniques (MP-6(3))

    Subcontrol MP-6(3) focuses on using nondestructive techniques to verify the effectiveness of media sanitization processes. Nondestructive techniques allow for the assessment of media without permanently altering or damaging it.

  • Media Sanitization | Classified Information (MP-6(5)), Media Sanitization | Controlled Unclassified Information (MP-6(4)), Media Sanitization | Media Destruction (MP-6(6))

    Subcontrol MP-6(5) addresses the specific requirements for sanitizing media containing classified information. This subcontrol ensures that the sanitization process for classified information meets the stringent security standards required for such sensitive data.

  • Media Sanitization | Dual Authorization (MP-6(7))

    Subcontrol MP-6(7) emphasizes the requirement for dual authorization in the media sanitization process. Dual authorization involves the approval of two authorized individuals before media can be sanitized or disposed of.

  • Media Sanitization | Remote Purging or Wiping of Information (MP-6(8))

    Subcontrol MP-6(8) addresses the secure remote purging or wiping of information from media that are no longer in an organization's physical possession. This subcontrol ensures that data can be effectively and irreversibly removed from media, even when they are remotely located.

  • Media Use (MP-7)- Main Control

    Control MP-7 addresses the secure and appropriate use of media containing sensitive information. This control ensures that media are used in a manner that aligns with security policies and minimizes the risk of unauthorized disclosure, tampering, or loss.

  • Media Use | Prohibit Use of Sanitization-resistant Media (MP-7(2))

    Subcontrol MP-7(2) emphasizes the importance of prohibiting the use of media that cannot be effectively sanitized. This subcontrol ensures that media that are resistant to sanitization methods are not used for sensitive information storage.

  • Media Downgrading (MP-8)- Main Control

    Control MP-8 addresses the process of downgrading the classification or sensitivity level of media containing sensitive information. This control ensures that media are appropriately downgraded to reflect changes in the sensitivity of the information they contain.

  • Media Downgrading | Documentation of Process (MP-8(1))

    Subcontrol MP-8(1) focuses on documenting the process of downgrading the classification or sensitivity level of media containing sensitive information. This subcontrol ensures that changes in media classification are well-documented and transparent.

  • Media Downgrading | Equipment Testing (MP-8(2))

    Subcontrol MP-8(2) focuses on testing the equipment and tools used in the process of downgrading the classification or sensitivity level of media containing sensitive information. This subcontrol ensures that the equipment used for media downgrading is reliable and effective.

  • Media Downgrading | Controlled Unclassified Information (MP-8(3))

    Subcontrol MP-8(3) addresses the downgrading of the classification or sensitivity level of media containing Controlled Unclassified Information (CUI). This subcontrol ensures that media with CUI are appropriately downgraded to reflect changes in their sensitivity.

  • Media Downgrading | Classified Information (MP-8(4))

    Subcontrol MP-8(4) focuses on the downgrading of the classification or sensitivity level of media containing classified information. This subcontrol ensures that media with classified information are properly downgraded as needed to reflect changes in their classification.

The Physical and Environmental Protection control family addresses the safeguarding of information systems, equipment, and facilities from various physical threats and environmental hazards. The goal is to ensure the continued availability, integrity, and confidentiality of information and the supporting infrastructure. These controls encompass a range of protective measures, from controlling access to facilities to implementing safeguards against environmental risks such as fire, flood, and power failures. By implementing effective physical and environmental protection controls, organizations can enhance the resilience of their information systems against both intentional and unintentional physical threats.

  • Policy and Procedures (PE-1)- Main Control

    Control PE-1 addresses the establishment of policies and procedures for the physical and environmental protection of an organization's facilities, resources, and information systems. This control ensures that proper measures are in place to safeguard against physical threats and environmental hazards.

  • Physical Access Authorizations (PE-2)- Main Control

    Control PE-2 addresses the need to establish and enforce physical access authorizations to prevent unauthorized individuals from gaining access to an organization's facilities and information systems. This control ensures that only authorized personnel can enter secure areas.

  • Physical Access Authorizations | Access by Position or Role (PE-2(1))

    Subcontrol PE-2(1) focuses on granting physical access authorization based on an individual's position or role within the organization. This subcontrol ensures that individuals can access only those areas and resources necessary for their job responsibilities.

  • Physical Access Authorizations | Two Forms of Identification (PE-2(2))

    Subcontrol PE-2(2) emphasizes the requirement for individuals to provide two forms of identification to gain physical access to secure areas. This subcontrol enhances the security of access control systems by adding an additional layer of verification.

  • Physical Access Authorizations | Restrict Unescorted Access (PE-2(3))

    Subcontrol PE-2(3) emphasizes the need to restrict unescorted access to secure areas by requiring individuals to be escorted by authorized personnel when entering sensitive locations. This subcontrol reduces the risk of unauthorized entry and enhances security.

  • Physical Access Control (PE-3)- Main Control

    Control PE-3 addresses the implementation of access controls to prevent unauthorized physical access to an organization's facilities, resources, and information systems. This control ensures that only authorized individuals can enter secure areas.

  • Physical Access Control | System Access (PE-3(1))

    Subcontrol PE-3(1) focuses on implementing access controls that prevent unauthorized individuals from gaining physical access to an organization's information systems. This subcontrol ensures that only authorized personnel can physically interact with sensitive systems and devices.

  • Physical Access Control | Facility and Systems (PE-3(2))

    Subcontrol PE-3(2) focuses on implementing access controls that prevent unauthorized individuals from gaining physical access to an organization's facilities and systems. This subcontrol ensures that only authorized personnel can enter restricted areas and interact with critical systems.

  • Physical Access Control | Continuous Guards (PE-3(3))

    Subcontrol PE-3(3) emphasizes the need for continuous monitoring of secure areas by security personnel to prevent unauthorized access. This subcontrol ensures that designated areas remain under constant surveillance to deter and detect unauthorized entry.

  • Physical Access Control | Lockable Casings (PE-3(4))

    Subcontrol PE-3(4) focuses on securing devices and equipment that house sensitive information by using lockable casings. This subcontrol ensures that unauthorized individuals cannot physically access the internal components of these devices.

  • Physical Access Control | Tamper Protection (PE-3(5))

    Subcontrol PE-3(5) focuses on implementing measures to protect against tampering with devices and systems that contain sensitive information. This subcontrol ensures that unauthorized attempts to access or manipulate systems are detected and prevented.

  • Physical Access Control | Facility Penetration Testing (PE-3(6))

    Subcontrol PE-3(6) emphasizes the importance of conducting penetration testing on physical security controls within an organization's facilities. This subcontrol ensures that vulnerabilities and weaknesses in physical access controls are identified and addressed to prevent unauthorized access.

  • Physical Access Control | Physical Barriers (PE-3(7))

    Subcontrol PE-3(7) emphasizes the use of physical barriers to prevent unauthorized access to facilities and sensitive areas. This subcontrol ensures that appropriate physical obstacles are in place to deter and prevent unauthorized entry.

  • Physical Access Control | Access Control Vestibules (PE-3(8))

    Subcontrol PE-3(8) emphasizes the use of access control vestibules to enhance physical security. This subcontrol involves implementing a controlled area between the external and internal portions of a facility to prevent unauthorized access.

  • Access Control for Transmission (PE-4)- Main Control

    Control PE-4 addresses the need to implement access controls for information transmissions. This control ensures that mechanisms are in place to safeguard the confidentiality and integrity of transmitted information, preventing unauthorized access and tampering.

  • Access Control for Output Devices (PE-5)- Main Control

    Control PE-5 focuses on implementing access controls for output devices to protect the confidentiality, integrity, and availability of information being printed, displayed, or otherwise produced. This control ensures that only authorized individuals can access and interact with output devices.

  • Access Control for Output Devices | Access to Output by Authorized Individuals (PE-5(1))

    Subcontrol PE-5(1) focuses on controlling access to output devices to ensure that only authorized individuals can retrieve, handle, or access the information produced by these devices. This subcontrol prevents unauthorized disclosure of sensitive information.

  • Access Control for Output Devices | Link to Individual Identity (PE-5(2))

    Subcontrol PE-5(2) focuses on associating the output produced by output devices with the identity of the individual who initiated or accessed the output. This subcontrol enhances accountability and traceability of output-related activities.

  • Access Control for Output Devices | Marking Output Devices (PE-5(3))

    Subcontrol PE-5(3) emphasizes the importance of visibly marking output devices to indicate their classification, sensitivity level, and authorized usage. This subcontrol helps prevent mishandling and unauthorized access to sensitive information produced by these devices.

  • Monitoring Physical Access (PE-6)- Main Control

    Control PE-6 focuses on monitoring and logging physical access to facilities and secure areas. This control ensures that activities related to physical access are recorded, analyzed, and reviewed to detect and respond to unauthorized or suspicious activities.

  • Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment (PE-6(1))

    Subcontrol PE-6(1) focuses on employing intrusion alarms and surveillance equipment to monitor and detect unauthorized physical access to facilities and sensitive areas. This subcontrol enhances the ability to promptly identify security breaches.

  • Monitoring Physical Access | Automated Intrusion Recognition and Responses (PE-6(2))

    Subcontrol PE-6(2) focuses on implementing automated systems that recognize and respond to unauthorized physical access or intrusion attempts. This subcontrol enhances the speed and efficiency of detecting and addressing security breaches.

  • Monitoring Physical Access | Video Surveillance (PE-6(3))

    Subcontrol PE-6(3) focuses on implementing video surveillance systems to monitor and record activities in areas requiring physical access control. This subcontrol enhances the ability to observe and respond to security incidents.

  • Monitoring Physical Access | Monitoring Physical Access to Systems (PE-6(4))

    Subcontrol PE-6(4) focuses on monitoring and recording physical access to information systems and computing devices. This subcontrol ensures that access events to systems are tracked and analyzed to detect and respond to unauthorized or suspicious activities.

  • Visitor Control (PE-7)- Main Control, Vulnerability Monitoring and Scanning | Penetration Testing and Analyses (RA-5(9))

    Control PE-7 focuses on establishing procedures for managing and controlling physical access by visitors to an organization's facilities. This control ensures that visitors are appropriately authorized, escorted, and monitored while on the premises.

  • Visitor Access Records (PE-8)- Main Control

    Control PE-8 focuses on establishing procedures for creating and maintaining records of visitor access to an organization's facilities. This control ensures that accurate and complete records are kept to track visitors' activities and access history.

  • Visitor Access Records | Automated Records Maintenance and Review (PE-8(1))

    Subcontrol PE-8(1) focuses on implementing automated systems for maintaining and reviewing visitor access records. This subcontrol enhances the efficiency and accuracy of recordkeeping, facilitating timely audits and accountability.

  • Visitor Access Records | Physical Access Records (PE-8(2))

    Subcontrol PE-8(2) focuses on maintaining accurate records of physical access granted to visitors, including the areas they have accessed within an organization's facilities. This subcontrol enhances accountability and facilitates tracking of visitor movements.

  • Visitor Access Records | Limit Personally Identifiable Information Elements (PE-8(3))

    Subcontrol PE-8(3) focuses on reducing the amount of personally identifiable information (PII) elements captured in visitor access records. This subcontrol helps protect individuals' privacy by limiting the exposure of sensitive personal information.

  • Power Equipment and Cabling (PE-9)- Main Control

    Control PE-9 focuses on implementing security measures to protect power equipment and cabling that support information systems and facilities. This control ensures the integrity and availability of power sources to prevent disruptions.

  • Power Equipment and Cabling | Redundant Cabling (PE-9(1))

    Subcontrol PE-9(1) focuses on implementing redundant cabling systems to ensure continuous power supply to critical information systems and facilities. This subcontrol enhances the resilience of power infrastructure and minimizes the risk of disruptions.

  • Power Equipment and Cabling | Automatic Voltage Controls (PE-9(2))

    Subcontrol PE-9(2) focuses on implementing automatic voltage controls to regulate and stabilize the power supply to information systems and facilities. This subcontrol enhances the resilience of power infrastructure against voltage fluctuations.

  • Emergency Shutoff (PE-10)- Main Control

    Control PE-10 focuses on implementing emergency shutoff mechanisms to quickly and safely deactivate power equipment and systems in case of emergencies. This control enhances the ability to respond to critical situations and prevent further damage.

  • Emergency Shutoff | Accidental and Unauthorized Activation (PE-10(1))

    Subcontrol PE-10(1) focuses on implementing measures to prevent accidental or unauthorized activation of emergency shutoff mechanisms. This subcontrol helps avoid disruptions and potential safety hazards resulting from unintended shutoffs.

  • Emergency Power (PE-11)- Main Control

    Control PE-11 focuses on establishing mechanisms to provide emergency power sources for critical information systems and facilities. This control ensures that essential operations can continue during power outages and disruptions.

  • Emergency Power | Alternate Power Supply — Minimal Operational Capability (PE-11(1))

    Subcontrol PE-11(1) focuses on ensuring that critical information systems and facilities have alternate power supplies that provide minimal operational capability during power outages. This subcontrol enhances the ability to maintain essential operations during disruptions.

  • Emergency Power | Alternate Power Supply — Self-contained (PE-11(2))

    Subcontrol PE-11(2) focuses on implementing self-contained alternate power supply mechanisms to sustain critical information systems and facilities during power outages. This subcontrol enhances the ability to maintain essential operations independently.

  • Emergency Lighting (PE-12)- Main Control

    Control PE-12 focuses on implementing emergency lighting systems to provide illumination during power outages and disruptions. This control enhances the safety and usability of critical information systems and facilities during emergencies.

  • Emergency Lighting | Essential Mission and Business Functions (PE-12(1))

    Subcontrol PE-12(1) focuses on ensuring that emergency lighting systems are strategically placed to illuminate areas critical for essential mission and business functions. This subcontrol enhances the safety and continuity of operations during power disruptions.

  • Fire Protection (PE-13)- Main Control

    Control PE-13 focuses on implementing fire protection measures to prevent, detect, and respond to fires within information systems and facilities. This control safeguards critical assets and helps prevent damage and disruption.

  • Fire Protection | Detection Systems — Automatic Activation and Notification (PE-13(1))

    Subcontrol PE-13(1) focuses on implementing automatic fire detection systems that activate promptly upon detecting a fire and provide timely notifications to relevant personnel. This subcontrol enhances the ability to detect fires early and initiate rapid responses.

  • Fire Protection | Suppression Systems — Automatic Activation and Notification (PE-13(2))

    Subcontrol PE-13(2) focuses on implementing automatic fire suppression systems that activate promptly upon detecting a fire and provide notifications to relevant personnel. This subcontrol enhances the ability to quickly suppress fires and mitigate their impact.

  • Fire Protection | Automatic Fire Suppression (PE-13(3))

    Subcontrol PE-13(3) focuses on implementing automatic fire suppression systems that deploy without human intervention upon detecting a fire. This subcontrol enhances the ability to rapidly control and extinguish fires, minimizing damage and risk.

  • Fire Protection | Inspections (PE-13(4))

    Subcontrol PE-13(4) focuses on conducting regular inspections of fire protection systems, equipment, and facilities to ensure their continued effectiveness and compliance with safety standards. This subcontrol enhances the ability to identify and address potential fire hazards.

  • Environmental Controls (PE-14)- Main Control

    Control PE-14 focuses on implementing measures to control and monitor environmental conditions within information systems and facilities to prevent damage and ensure operational integrity. This control safeguards equipment and data from environmental hazards.

  • Environmental Controls | Automatic Controls (PE-14(1))

    Subcontrol PE-14(1) focuses on implementing automatic controls for regulating environmental conditions within information systems and facilities. This subcontrol enhances the ability to maintain optimal environmental conditions without continuous manual intervention.

  • Environmental Controls | Monitoring with Alarms and Notifications (PE-14(2))

    Subcontrol PE-14(2) focuses on implementing environmental monitoring systems that include alarms and notifications to alert personnel when environmental conditions deviate from established thresholds. This subcontrol enhances the ability to respond promptly to unfavorable environmental changes.

  • Water Damage Protection (PE-15)- Main Control

    Control PE-15 focuses on implementing measures to prevent and mitigate water damage to information systems and equipment. This control safeguards against water-related incidents that can lead to equipment malfunction, data loss, and operational disruption.

  • Water Damage Protection | Automation Support (PE-15(1))

    Subcontrol PE-15(1) focuses on utilizing automation to support water damage protection efforts. This subcontrol enhances the ability to quickly detect, respond to, and mitigate water-related incidents through automated monitoring and response systems.

  • Delivery and Removal (PE-16)- Main Control

    Control PE-16 focuses on establishing procedures to control the delivery and removal of equipment and information assets from information systems and facilities. This control safeguards against unauthorized access, theft, and tampering during transportation.

  • Alternate Work Site (PE-17)- Main Control

    Control PE-17 focuses on establishing procedures and safeguards for the secure operation of information systems at alternate work sites. This control ensures that information systems can be maintained and accessed securely even when operating outside the primary facility.

  • Location of System Components (PE-18)- Main Control

    Control PE-18 focuses on ensuring that system components are located and positioned in a manner that minimizes the risk of unauthorized access, physical damage, and environmental hazards. This control safeguards the integrity and availability of information systems.

  • Location of System Components | Facility Site (PE-18(1))

    Subcontrol PE-18(1) focuses on selecting and securing facility sites where system components are placed. This subcontrol ensures that facility sites are chosen with security, environmental, and accessibility considerations in mind.

  • Information Leakage (PE-19)- Main Control

    Control PE-19 focuses on preventing the leakage of sensitive information through physical means, such as electromagnetic emanations, acoustic signals, and other unintended channels. This control safeguards against unauthorized disclosure of information.

  • Information Leakage | National Emissions Policies and Procedures (PE-19(1))

    Subcontrol PE-19(1) focuses on adhering to national policies and procedures related to electromagnetic emissions and other information leakage prevention measures. This subcontrol ensures compliance with established standards and guidelines to mitigate the risk of unauthorized information disclosure.

  • Asset Monitoring and Tracking (PE-20)- Main Control

    Control PE-20 focuses on implementing measures to monitor and track the physical location and status of information system assets. This control helps prevent unauthorized removal, loss, or tampering of assets and enhances overall asset management.

  • Electromagnetic Pulse Protection (PE-21)- Main Control

    Control PE-21 focuses on implementing measures to protect information systems and assets against the effects of electromagnetic pulses (EMPs), which can disrupt or damage electronic components. This control safeguards the availability and integrity of critical systems.

  • Component Marking (PE-22)- Main Control

    Control PE-22 focuses on implementing measures to mark and label components, equipment, and assets to provide information about their classification, usage, and security requirements. This control aids in proper identification and handling of components.

  • Facility Location (PE-23)- Main Control

    Control PE-23 focuses on selecting and securing appropriate facility locations for housing information systems and assets. This control ensures that facility sites are chosen with consideration for security, environmental factors, and accessibility.

The Strategic Planning control family focuses on establishing and implementing processes for strategic planning to guide the overall direction of an organization's information security program. This includes defining the organization's risk tolerance, setting security objectives, and aligning security strategies with broader business goals. The goal is to ensure that information security is integrated into the organization's overarching strategic planning and decision-making processes.

  • Policy and Procedures (PL-1)- Main Control

    Control PL-1 focuses on establishing and maintaining policies and procedures that guide the planning, implementation, and management of security controls within an organization. This control ensures a structured approach to achieving security objectives.

  • System Security and Privacy Plans (PL-2)- Main Control

    Control PL-2 focuses on creating and maintaining comprehensive system security and privacy plans that outline the organization's approach to protecting information systems and the privacy of individuals. This control ensures that security and privacy considerations are integrated from the planning stages.

  • System Security and Privacy Plans | Concept of Operations (PL-2(1))

    Subcontrol PL-2(1) focuses on incorporating the concept of operations (ConOps) into system security and privacy plans. This involves describing the operational context, environment, and scenarios under which the system will be used, to ensure that security and privacy controls align with operational requirements.

  • System Security and Privacy Plans | Functional Architecture (PL-2(2))

    Subcontrol PL-2(2) focuses on incorporating the functional architecture of a system into system security and privacy plans. This involves documenting the system's components, their interactions, and their roles within the security and privacy context.

  • Security-related Activity Planning (PL-6)- Main Control, System Security Plan Update (PL-3)- Main Control, System Security and Privacy Plans | Plan and Coordinate with Other Organizational Entities (PL-2(3))

    Control PL-6 focuses on planning security-related activities to ensure that security controls are effectively implemented and maintained throughout the system's lifecycle. This control ensures that security activities are well-coordinated and aligned with organizational objectives.

  • Rules of Behavior (PL-4)- Main Control

    Control PL-4 focuses on establishing and disseminating rules of behavior that define acceptable and expected behavior for individuals accessing and using organizational information systems. These rules help promote proper security practices and reduce the risk of unauthorized actions.

  • Rules of Behavior | Social Media and External Site/application Usage Restrictions (PL-4(1))

    Subcontrol PL-4(1) focuses specifically on establishing rules of behavior that address the usage of social media platforms and external websites/applications by individuals who have access to organizational information systems. These rules aim to mitigate risks associated with inappropriate use of external online resources.

  • Privacy Impact Assessment (PL-5)- Main Control

    Control PL-5 focuses on conducting Privacy Impact Assessments (PIAs) to identify and assess the potential privacy risks and impacts associated with the collection, use, disclosure, and management of personally identifiable information (PII) within organizational information systems.

  • Concept of Operations (PL-7)- Main Control

    Control PL-7 emphasizes the creation and maintenance of a Concept of Operations (CONOPS) document that outlines the high-level strategy and operational framework for the management, security, and functionality of an information system. This document serves as a foundation for system design and operation.

  • Security and Privacy Architectures (PL-8)- Main Control

    Control PL-8 emphasizes the establishment of well-defined security and privacy architectures for information systems. These architectures provide a structured framework for integrating security and privacy controls into the design, development, and implementation of systems.

  • Security and Privacy Architectures | Defense in Depth (PL-8(1))

    Subcontrol PL-8(1) emphasizes the principle of Defense in Depth within security and privacy architectures. Defense in Depth involves implementing multiple layers of security controls to provide a comprehensive and resilient defense strategy against various threats and vulnerabilities.

  • Security and Privacy Architectures | Supplier Diversity (PL-8(2))

    Subcontrol PL-8(2) focuses on ensuring supplier diversity in the development and implementation of security and privacy architectures. Supplier diversity involves engaging a diverse range of suppliers, including those from underrepresented groups, to enhance innovation, resilience, and security within the architecture.

  • Central Management (PL-9)- Main Control

    Subcontrol PL-9 focuses on the establishment of centralized management capabilities for security and privacy controls within an organization. Centralized management involves the coordinated administration, monitoring, and enforcement of security and privacy policies across information systems.

  • Baseline Selection (PL-10)- Main Control

    Subcontrol PL-10 focuses on the process of selecting appropriate security and privacy baselines for information systems. Baselines serve as foundational security configurations that guide the implementation of security controls and ensure a consistent level of protection.

  • Baseline Tailoring (PL-11)- Main Control

    Subcontrol PL-11 emphasizes the process of customizing security and privacy baselines to match the specific requirements and characteristics of information systems. Tailoring baselines ensures that controls are relevant, effective, and appropriate for the unique risks and operational needs of each system.

The Program Management control family addresses the overarching processes and activities necessary for effective management of an organization's information security program. This includes strategic planning, resource allocation, and coordination of security initiatives to ensure the continuous improvement of the organization's security posture. The controls within this family emphasize the need for a structured and well-coordinated approach to managing information security at the organizational level.

  • Information Security Program Plan (PM-1)- Main Control

    Subcontrol PM-1 focuses on the development and maintenance of an overarching information security program plan. This plan outlines the organization's strategy, goals, objectives, and activities for managing information security effectively.

  • Information Security Program Leadership Role (PM-2)- Main Control

    Subcontrol PM-2 focuses on designating a specific individual or role responsible for overseeing and leading the organization's information security program. This designated role ensures the coordination, implementation, and management of security initiatives.

  • Information Security and Privacy Resources (PM-3)- Main Control

    Subcontrol PM-3 focuses on ensuring that an organization allocates appropriate resources, including personnel, funding, and technology, to support the implementation of its information security and privacy program.

  • Plan of Action and Milestones Process (PM-4)- Main Control

    Subcontrol PM-4 emphasizes the importance of maintaining a robust Plan of Action and Milestones (POA&M) process. A POA&M outlines the organization's strategies for addressing and remediating identified weaknesses and vulnerabilities in its security and privacy controls.

  • System Inventory (PM-5)- Main Control

    Subcontrol PM-5 focuses on creating and maintaining an accurate and up-to-date inventory of all information systems, components, and assets within the organization. This inventory helps in managing security and privacy controls effectively.

  • System Inventory | Inventory of Personally Identifiable Information (PM-5(1))

    Subcontrol PM-5(1) focuses specifically on creating and maintaining an accurate inventory of systems that process, store, or transmit personally identifiable information (PII). This inventory helps in managing the privacy and security of sensitive information.

  • Measures of Performance (PM-6)- Main Control

    Subcontrol PM-6 focuses on establishing and utilizing measures of performance (MOPs) to assess the effectiveness of the organization's information security and privacy program. MOPs help in evaluating the program's performance, identifying areas for improvement, and demonstrating progress.

  • Enterprise Architecture (PM-7)- Main Control

    Subcontrol PM-7 focuses on integrating information security and privacy requirements into the organization's enterprise architecture. Enterprise architecture helps ensure that security and privacy considerations are embedded into the design and implementation of systems and solutions.

  • Enterprise Architecture | Offloading (PM-7(1))

    Subcontrol PM-7(1) focuses on addressing security and privacy requirements by offloading certain functions to external systems or services within the organization's enterprise architecture. Offloading helps reduce the attack surface and complexity of internal systems.

  • Critical Infrastructure Plan (PM-8)- Main Control

    Subcontrol PM-8 focuses on establishing a critical infrastructure plan that identifies and prioritizes the organization's critical assets, systems, and functions. This plan helps ensure that essential operations are safeguarded and maintained during disruptions.

  • Risk Management Strategy (PM-9)- Main Control

    Subcontrol PM-9 focuses on developing and implementing a risk management strategy that outlines the organization's approach to identifying, assessing, and mitigating risks to its information systems and assets. This strategy guides risk management activities across the organization.

  • Authorization Process (PM-10)- Main Control

    Subcontrol PM-10 focuses on establishing an authorization process to formally assess and approve the organization's information systems for operation. This process ensures that systems have met the necessary security and privacy requirements before being used.

  • Mission and Business Process Definition (PM-11)- Main Control

    Subcontrol PM-11 focuses on defining and documenting the organization's mission and business processes. This involves understanding the organization's goals, objectives, and the processes that support its mission, ensuring that security and privacy considerations are integrated into these processes.

  • Insider Threat Program (PM-12)- Main Control

    Subcontrol PM-12 focuses on establishing an insider threat program to detect, prevent, and respond to threats posed by individuals with authorized access to an organization's systems and information. The program aims to identify potential insider threats and mitigate risks associated with malicious or unintentional actions by authorized personnel.

  • Security and Privacy Workforce (PM-13)- Main Control

    Subcontrol PM-13 focuses on building and maintaining a skilled and knowledgeable security and privacy workforce. This involves recruiting, training, and retaining personnel with the expertise needed to effectively manage security and privacy controls within the organization.

  • Testing, Training, and Monitoring (PM-14)- Main Control

    Subcontrol PM-14 focuses on ensuring the effectiveness of security and privacy controls through regular testing, training, and ongoing monitoring activities. This subcontrol emphasizes the importance of validating the organization's security measures, training personnel, and continuously monitoring for potential risks and vulnerabilities.

  • Security and Privacy Groups and Associations (PM-15)- Main Control

    Subcontrol PM-15 emphasizes the establishment and participation in security and privacy groups and associations as a means to enhance collaboration, share best practices, and stay informed about emerging threats and trends. Being part of relevant groups and associations can help organizations strengthen their security and privacy posture.

  • Threat Awareness Program (PM-16)- Main Control

    Subcontrol PM-16 emphasizes the need for organizations to establish a threat awareness program to continuously monitor and assess emerging threats and vulnerabilities. This program enhances an organization's ability to proactively respond to evolving security risks.

  • Threat Awareness Program | Automated Means for Sharing Threat Intelligence (PM-16(1))

    Subcontrol PM-16(1) emphasizes the use of automated mechanisms to share threat intelligence efficiently and effectively. Automated sharing enhances an organization's ability to respond promptly to emerging threats by streamlining the process of receiving and disseminating threat information.

  • Protecting Controlled Unclassified Information on External Systems (PM-17)- Main Control

    Subcontrol PM-17 addresses the need to protect controlled unclassified information (CUI) when it resides on external systems, such as cloud services or contractor-operated platforms. It focuses on ensuring the security and privacy of sensitive information even when it is processed or stored outside of the organization's boundaries.

  • Privacy Program Plan (PM-18)- Main Control

    Subcontrol PM-18 emphasizes the importance of developing a comprehensive privacy program plan that outlines an organization's approach to managing and protecting individuals' privacy information. This plan ensures that privacy considerations are integrated into an organization's information security framework.

  • Privacy Program Leadership Role (PM-19)- Main Control

    Subcontrol PM-19 highlights the importance of designating specific individuals with the responsibility and authority to lead and oversee the organization's privacy program. This leadership role ensures that privacy considerations are integrated into the organization's overall information security strategy.

  • Dissemination of Privacy Program Information (PM-20)- Main Control

    Subcontrol PM-20 emphasizes the importance of effectively communicating the organization's privacy program information to both internal stakeholders and external parties. This dissemination ensures that individuals are aware of privacy policies, practices, and their rights related to personal information.

  • Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services (PM-20(1))

    Subcontrol PM-20(1) focuses on ensuring that privacy policies, which outline how personal information is collected, used, and protected, are prominently displayed and easily accessible on websites, applications, and digital services. This ensures transparency and informs individuals about data handling practices.

  • Accounting of Disclosures (PM-21)- Main Control

    Subcontrol PM-21 emphasizes the need for organizations to maintain an accurate record of disclosures of personally identifiable information (PII) to external entities. The accounting of disclosures helps ensure transparency, accountability, and compliance with privacy regulations.

  • Personally Identifiable Information Quality Management (PM-22)- Main Control

    Subcontrol PM-22 focuses on maintaining the accuracy, integrity, and reliability of personally identifiable information (PII) collected, used, and stored by an organization. It emphasizes the importance of implementing processes to ensure that PII remains of high quality.

  • Data Governance Body (PM-23)- Main Control

    Subcontrol PM-23 emphasizes the importance of establishing a data governance body responsible for overseeing and coordinating data-related activities within an organization. This body ensures that data is managed in a consistent, compliant, and effective manner.

  • Data Integrity Board (PM-24)- Main Control

    Subcontrol PM-24 emphasizes the establishment of a Data Integrity Board responsible for ensuring the accuracy, completeness, and reliability of organizational data. The board oversees data quality and integrity processes to prevent unauthorized or unintentional modifications to data.

  • Minimization of Personally Identifiable Information Used in Testing, Training, and Research (PM-25)- Main Control

    Subcontrol PM-25 focuses on reducing the use of personally identifiable information (PII) in testing, training, and research activities to protect individual privacy and prevent potential misuse of sensitive information.

  • Complaint Management (PM-26)- Main Control

    Subcontrol PM-26 focuses on establishing a structured process for handling complaints related to privacy and security concerns from individuals, customers, or stakeholders. It ensures that complaints are promptly addressed, investigated, and appropriate actions are taken to resolve the issues.

  • Privacy Reporting (PM-27)- Main Control

    Subcontrol PM-27 focuses on establishing mechanisms to report on the privacy program's effectiveness and compliance with privacy requirements. It involves generating and disseminating reports that provide insight into privacy-related activities, risks, and outcomes to relevant stakeholders.

  • Risk Framing (PM-28)- Main Control

    Subcontrol PM-28 focuses on establishing a structured approach to framing risks within the context of the organization's privacy program. It involves identifying, assessing, and communicating risks related to privacy to enable effective risk management decisions.

  • Risk Management Program Leadership Roles (PM-29)- Main Control

    Subcontrol PM-29 emphasizes the importance of assigning clear and defined leadership roles within the organization's risk management program. It involves designating individuals with the responsibility to oversee and manage the risk management process effectively.

  • Supply Chain Risk Management Strategy (PM-30)- Main Control

    Subcontrol PM-30 focuses on the development and implementation of a comprehensive supply chain risk management strategy. This strategy helps organizations identify, assess, and mitigate risks associated with their supply chain, ensuring the integrity and security of the products and services they acquire from external sources.

  • Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items (PM-30(1))

    This subcontrol, an enhancement of NIST 800-53 control PM-30 (Supply Chain Risk Management Strategy) in the Program Management family, focuses on developing and implementing a supply chain risk management strategy specifically tailored to suppliers of critical or mission-essential items. The goal is to ensure that the organization's supply chain remains secure, resilient, and free from vulnerabilities that could compromise the confidentiality, integrity, or availability of critical assets or systems.

  • Continuous Monitoring Strategy (PM-31)- Main Control

    Control PM-31, "Continuous Monitoring Strategy," under the Program Management family in NIST 800-53, focuses on the establishment of a comprehensive strategy for continuous monitoring within an organization. Continuous monitoring involves the ongoing assessment of security controls, vulnerabilities, and threats to ensure the consistent security and resilience of an organization's information systems and assets.

  • Purposing (PM-32)- Main Control

    Control PM-32, "Purposing," falls under the Program Management family of NIST 800-53. This subcontrol emphasizes the importance of defining the purpose and scope of an organization's information systems, including their components, functionalities, and intended operations. By clearly articulating the purpose of each system, organizations can align their security efforts with business objectives and regulatory requirements.

The Personnel Security control family is designed to address the security aspects associated with the individuals who have access to information systems and the information processed by those systems. The objective is to ensure that individuals are trustworthy, adequately trained, and aware of their security responsibilities. Effective personnel security controls contribute to the overall protection of information systems and help prevent insider threats, unauthorized access, and other security risks associated with personnel actions.

  • Policy and Procedures (PS-1)- Main Control

    Control PS-1, "Policy and Procedures," is part of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the establishment of clear and comprehensive policies and procedures that guide the organization's personnel security practices. By defining a structured framework for personnel security, organizations can mitigate risks associated with insider threats, unauthorized access, and other vulnerabilities stemming from human interactions.

  • Position Risk Designation (PS-2)- Main Control

    Control PS-2, "Position Risk Designation," is a critical component of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the importance of assessing the risk associated with different positions within an organization and designating appropriate levels of security clearance and access privileges based on the sensitivity of the information and systems the individuals in those positions handle.

  • Personnel Screening (PS-3)- Main Control

    Control PS-3, "Personnel Screening," is a vital aspect of the Personnel Security family in NIST 800-53. This subcontrol underscores the significance of implementing a thorough and consistent personnel screening process to evaluate the background, trustworthiness, and suitability of individuals before granting them access to sensitive information, systems, and facilities.

  • Personnel Screening | Classified Information (PS-3(1))

    Control PS-3(1), "Personnel Screening | Classified Information," is a specific aspect of the Personnel Security family in NIST 800-53. This subcontrol highlights the need for enhanced personnel screening procedures when individuals require access to classified information, systems, or facilities. It emphasizes the importance of rigorously evaluating the trustworthiness and background of personnel before granting them access to sensitive classified resources.

  • Personnel Screening | Formal Indoctrination (PS-3(2))

    Control PS-3(2), "Personnel Screening | Formal Indoctrination," is a specific aspect of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the importance of providing formal indoctrination and security training to individuals who have successfully undergone the screening process and are granted access to sensitive information, systems, or facilities.

  • Personnel Screening | Information Requiring Special Protective Measures (PS-3(3))

    Control PS-3(3), "Personnel Screening | Information Requiring Special Protective Measures," is a specific aspect of the Personnel Security family in NIST 800-53. This subcontrol addresses the unique considerations associated with personnel who require access to information requiring special protective measures due to its exceptionally sensitive nature.

  • Personnel Screening | Citizenship Requirements (PS-3(4))

    Control PS-3(4), "Personnel Screening | Citizenship Requirements," is a specific aspect of the Personnel Security family in NIST 800-53. This subcontrol addresses the consideration of citizenship requirements when evaluating personnel for access to sensitive information, systems, or facilities.

  • Personnel Termination (PS-4)- Main Control

    Control PS-4, "Personnel Termination," is a crucial component of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the need to have effective processes in place to manage the personnel termination process to prevent unauthorized access, data breaches, and potential security risks upon an individual's departure from the organization.

  • Personnel Termination | Post-employment Requirements (PS-4(1))

    Control PS-4(1), "Personnel Termination | Post-employment Requirements," is a specific aspect of the Personnel Security family in NIST 800-53. This subcontrol highlights the need to establish procedures for managing the post-employment requirements of departing personnel to ensure that their access privileges are appropriately revoked and that they understand their ongoing responsibilities to protect sensitive information.

  • Personnel Termination | Automated Actions (PS-4(2))

    Control PS-4(2), "Personnel Termination | Automated Actions," is a specific aspect of the Personnel Security family in NIST 800-53. This subcontrol focuses on the implementation of automated actions to ensure swift and accurate handling of personnel terminations, including the revocation of access privileges and retrieval of organizational assets.

  • Personnel Transfer (PS-5)- Main Control

    Control PS-5, "Personnel Transfer," is an integral aspect of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the need for a well-defined process to manage the transfer of personnel within the organization to ensure that access privileges and security measures are appropriately updated to align with their new roles and responsibilities.

  • Access Agreements (PS-6)- Main Control

    Control PS-6, "Access Agreements," is a crucial aspect of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the importance of formalizing access agreements with personnel who have been granted access to sensitive resources, ensuring that they understand their security responsibilities and obligations.

  • Access Agreements | Information Requiring Special Protection (PS-6(1))

    Control PS-6(1), "Access Agreements | Information Requiring Special Protection," is a specific aspect of the Personnel Security family in NIST 800-53. This subcontrol addresses the need for formalized access agreements when personnel are granted access to information that requires special protective measures due to its sensitive nature.

  • Access Agreements | Classified Information Requiring Special Protection (PS-6(2))

    Control PS-6(2), "Access Agreements | Classified Information Requiring Special Protection," is a specific aspect of the Personnel Security family in NIST 800-53. This subcontrol addresses the necessity of formalized access agreements for personnel granted access to classified information that requires exceptional protective measures due to its sensitive classification.

  • Access Agreements | Post-employment Requirements (PS-6(3))

    Control PS-6(3), "Access Agreements | Post-employment Requirements," is a specific aspect of the Personnel Security family in NIST 800-53. This subcontrol addresses the need for access agreements to include post-employment requirements that departing personnel must adhere to, even after their departure from the organization.

  • External Personnel Security (PS-7)- Main Control

    Control PS-7, "External Personnel Security," is a critical component of the Personnel Security family in NIST 800-53. This subcontrol addresses the need for organizations to establish security measures when external personnel, such as contractors, consultants, and temporary workers, are granted access to organizational resources, systems, or facilities.

  • Personnel Sanctions (PS-8)- Main Control

    Control PS-8, "Personnel Sanctions," is a pivotal element of the Personnel Security family in NIST 800-53. This subcontrol emphasizes the importance of implementing sanctions when personnel violate security policies or engage in behavior that poses a risk to the organization's security posture.

  • Position Descriptions (PS-9)- Main Control

    Control PS-9, "Position Descriptions," is a vital aspect of the Personnel Security family in NIST 800-53. This subcontrol highlights the importance of accurately defining the security roles and responsibilities of personnel within their respective position descriptions.

The PII Processing and Transparency control family is designed to establish and maintain controls that govern the processing of personally identifiable information (PII) within information systems. The controls aim to ensure that the collection, storage, and processing of PII align with applicable privacy laws, regulations, and organizational policies. Additionally, the controls promote transparency by providing individuals with clear and accessible information about how their PII is collected, used, and shared.

  • Policy and Procedures (PT-1)- Main Control

    Control PT-1, "Policy and Procedures," is a foundational element of the PII Processing and Transparency family in NIST 800-53. This subcontrol emphasizes the need for organizations to establish clear policies and procedures governing the processing of personally identifiable information (PII) to ensure transparency, privacy, and compliance with relevant laws and regulations.

  • Authority to Process Personally Identifiable Information (PT-2)- Main Control

    Control PT-2, "Authority to Process Personally Identifiable Information," is a critical component of the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on ensuring that organizations have the necessary legal and regulatory authority to process personally identifiable information (PII) in accordance with applicable laws and regulations.

  • Authority to Process Personally Identifiable Information | Data Tagging (PT-2(1))

    Control PT-2(1), "Authority to Process Personally Identifiable Information | Data Tagging," is a specific aspect of the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on the importance of applying data tags to personally identifiable information (PII) to indicate the legal basis for processing and enhance transparency.

  • Authority to Process Personally Identifiable Information | Automation (PT-2(2))

    Control PT-2(2), "Authority to Process Personally Identifiable Information | Automation," is a specific aspect of the PII Processing and Transparency family in NIST 800-53. This subcontrol emphasizes the use of automation to facilitate and enforce the proper identification and documentation of the legal basis for processing personally identifiable information (PII).

  • Personally Identifiable Information Processing Purposes (PT-3)- Main Control

    Control PT-3, "Personally Identifiable Information Processing Purposes," is a foundational element of the PII Processing and Transparency family in NIST 800-53. This subcontrol emphasizes the need for organizations to clearly define and communicate the purposes for which personally identifiable information (PII) is processed to ensure transparency and align with privacy regulations.

  • Personally Identifiable Information Processing Purposes | Data Tagging (PT-3(1))

    Control PT-3(1), "Personally Identifiable Information Processing Purposes | Data Tagging," is a specific aspect of the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on the implementation of data tagging mechanisms to associate personally identifiable information (PII) with the specific processing purposes, enhancing transparency and accountability.

  • Personally Identifiable Information Processing Purposes | Automation (PT-3(2))

    Control PT-3(2), "Personally Identifiable Information Processing Purposes | Automation," is a specific aspect of the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on the use of automation to accurately associate personally identifiable information (PII) with its processing purposes, enhancing transparency and efficiency.

  • Consent (PT-4)- Main Control

    Control PT-4, "Consent," is a fundamental element of the PII Processing and Transparency family in NIST 800-53. This subcontrol emphasizes the importance of obtaining informed and explicit consent from individuals before processing their personally identifiable information (PII).

  • Consent | Tailored Consent (PT-4(1))

    Control PT-4(1), "Consent | Tailored Consent," is a specific aspect of the Consent subcontrol within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on the practice of tailoring consent requests to different processing purposes, ensuring that individuals provide informed and specific consent for each purpose.

  • Consent | Just-in-time Consent (PT-4(2))

    Control PT-4(2), "Consent | Just-in-time Consent," is a specific aspect of the Consent subcontrol within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on the practice of obtaining consent from individuals at the time of data collection or immediately before processing, enhancing transparency and informed decision-making.

  • Consent | Revocation (PT-4(3))

    Control PT-4(3), "Consent | Revocation," is a specific aspect of the Consent subcontrol within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on the practice of allowing individuals to revoke their consent for processing personally identifiable information (PII) at any time.

  • Privacy Notice (PT-5)- Main Control

    Control PT-5, "Privacy Notice," is a fundamental element of the PII Processing and Transparency family in NIST 800-53. This subcontrol emphasizes the importance of providing individuals with clear and comprehensive privacy notices that explain how their personally identifiable information (PII) will be collected, used, shared, and protected.

  • Privacy Notice | Just-in-time Notice (PT-5(1))

    Control PT-5(1), "Privacy Notice | Just-in-time Notice," is a specific aspect of the Privacy Notice subcontrol within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on the practice of providing privacy notices to individuals at the time of data collection, enhancing their awareness and understanding of data processing practices.

  • Privacy Notice | Privacy Act Statements (PT-5(2))

    Control PT-5(2), "Privacy Notice | Privacy Act Statements," is a specific aspect of the Privacy Notice subcontrol within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on the inclusion of Privacy Act statements in privacy notices, especially for federal agencies subject to the Privacy Act of 1974.

  • System of Records Notice (PT-6)- Main Control

    Control PT-6, "System of Records Notice," is a fundamental element of the PII Processing and Transparency family in NIST 800-53. This subcontrol emphasizes the importance of informing individuals about the existence, purpose, and use of systems of records that contain their personally identifiable information (PII).

  • System of Records Notice | Routine Uses (PT-6(1))

    Control PT-6(1), "System of Records Notice | Routine Uses," is a specific aspect of the System of Records Notice subcontrol within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on informing individuals about the routine uses of their personally identifiable information (PII) within systems of records.

  • System of Records Notice | Exemption Rules (PT-6(2))

    Control PT-6(2), "System of Records Notice | Exemption Rules," is a specific aspect of the System of Records Notice subcontrol within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on informing individuals about any exemptions that may apply to the system of records under specific privacy regulations.

  • Specific Categories of Personally Identifiable Information (PT-7)- Main Control

    Control PT-7, "Specific Categories of Personally Identifiable Information," is a fundamental element of the PII Processing and Transparency family in NIST 800-53. This subcontrol emphasizes the importance of identifying and addressing specific categories of personally identifiable information (PII) that require special attention due to their sensitivity or regulatory considerations.

  • Specific Categories of Personally Identifiable Information | Social Security Numbers (PT-7(1))

    Control PT-7(1), "Specific Categories of Personally Identifiable Information | Social Security Numbers," is a specific aspect of the Specific Categories of Personally Identifiable Information subcontrol within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on the protection and responsible handling of Social Security Numbers (SSNs) due to their sensitive nature and potential for identity theft.

  • Specific Categories of Personally Identifiable Information | First Amendment Information (PT-7(2))

    The Specific Categories of Personally Identifiable Information | First Amendment Information subcontrol (PT-7(2)) falls under the PII Processing and Transparency control within the NIST 800-53 framework. This subcontrol addresses the unique handling and protection requirements for Personally Identifiable Information (PII) that pertains to First Amendment rights. First Amendment Information is particularly sensitive and requires special attention to safeguard an individual's freedom of speech and expression.

  • Computer Matching Requirements (PT-8)- Main Control

    The Computer Matching Requirements control (PT-8) is part of the PII Processing and Transparency control family within the NIST 800-53 framework. This control addresses the requirements and safeguards necessary when conducting computer matching activities involving Personally Identifiable Information (PII). Computer matching refers to the process of comparing and combining PII from multiple sources to make decisions or take actions.

The Risk Assessment control family is designed to ensure that organizations systematically identify, analyze, and manage risks to their information systems and the data they process. The goal is to provide a structured approach to understanding and evaluating the potential impact of risks on organizational operations, assets, individuals, and other critical elements. By conducting risk assessments, organizations can make informed decisions about risk mitigation strategies, prioritize security efforts, and align security measures with organizational goals.

  • Policy and Procedures (RA-1)- Main Control

    The Policy and Procedures control (RA-1) is an integral part of the Risk Assessment control family within the NIST 800-53 framework. This control focuses on establishing, documenting, and maintaining comprehensive policies and procedures for conducting risk assessments within an organization. Risk assessments are essential for identifying, evaluating, and managing risks to information systems and data.

  • Security Categorization (RA-2)- Main Control

    The Security Categorization control (RA-2) is a critical component of the Risk Assessment control family within the NIST 800-53 framework. RA-2 focuses on the systematic process of categorizing information systems based on their security requirements. This categorization sets the foundation for determining the appropriate security controls and safeguards needed to protect these systems and the information they handle.

  • Security Categorization | Impact-level Prioritization (RA-2(1))

    The Security Categorization | Impact-level Prioritization subcontrol (RA-2(1)) is a specific component of the Risk Assessment control within the NIST 800-53 framework. This subcontrol focuses on the process of determining and prioritizing the impact levels associated with information systems. Impact-level prioritization helps organizations allocate resources and apply security controls in a manner that effectively addresses the most critical risks.

  • Risk Assessment (RA-3)- Main Control

    The Risk Assessment control (RA-3) is a fundamental component of the Risk Assessment control family within the NIST 800-53 framework. RA-3 focuses on the process of conducting systematic risk assessments for information systems and the data they handle. Risk assessments help organizations identify, analyze, and manage risks effectively to protect their assets, operations, and stakeholders.

  • Risk Assessment | Supply Chain Risk Assessment (RA-3(1))

    The Supply Chain Risk Assessment subcontrol (RA-3(1)) is a specialized component of the Risk Assessment control within the NIST 800-53 framework. RA-3(1) specifically addresses the need to assess and manage risks associated with the supply chain, which can introduce vulnerabilities and threats to an organization's information systems and data.

  • Risk Assessment | Use of All-source Intelligence (RA-3(2))

    The Use of All-source Intelligence subcontrol (RA-3(2)) is a specialized component of the Risk Assessment control within the NIST 800-53 framework. RA-3(2) focuses on leveraging all-source intelligence to enhance the risk assessment process by incorporating external threat information and intelligence sources.

  • Risk Assessment | Dynamic Threat Awareness (RA-3(3))

    The Dynamic Threat Awareness subcontrol (RA-3(3)) is a specialized component of the Risk Assessment control within the NIST 800-53 framework. RA-3(3) focuses on the continuous monitoring of dynamic threat intelligence and the proactive assessment of emerging threats to information systems and data.

  • Risk Assessment | Predictive Cyber Analytics (RA-3(4))

    The Predictive Cyber Analytics subcontrol (RA-3(4)) is a specialized component of the Risk Assessment control within the NIST 800-53 framework. RA-3(4) focuses on leveraging predictive cyber analytics to anticipate and assess emerging cyber threats and vulnerabilities proactively.

  • Risk Assessment Update (RA-4)- Main Control

    The Risk Assessment Update control (RA-4) is an essential component of the Risk Assessment control family within the NIST 800-53 framework. RA-4 focuses on the need for organizations to periodically review and update their risk assessments to ensure they remain relevant and reflective of the evolving threat landscape and operational environment.

  • Vulnerability Monitoring and Scanning (RA-5)- Main Control

    The Vulnerability Monitoring and Scanning control (RA-5) is a crucial component of the Risk Assessment control family within the NIST 800-53 framework. RA-5 focuses on the continuous monitoring of information systems to identify and address vulnerabilities that may pose risks to the confidentiality, integrity, and availability of data and operations.

  • Vulnerability Monitoring and Scanning | Update Tool Capability (RA-5(1))

    The Vulnerability Monitoring and Scanning | Update Tool Capability (RA-5(1)) subcontrol is a critical component of NIST 800-53's Risk Assessment control family. This subcontrol focuses on the continuous assessment of information system vulnerabilities and ensuring that the tools used for vulnerability monitoring and scanning are updated and capable of effectively identifying and mitigating vulnerabilities.

  • Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned (RA-5(2))

    The Update Vulnerabilities to Be Scanned (RA-5(2)) subcontrol is a vital component of the NIST 800-53 Risk Assessment control family. This subcontrol emphasizes the importance of maintaining an accurate and up-to-date list of vulnerabilities to be scanned for within an organization's information systems. It ensures that the vulnerability scanning process remains relevant and effective.

  • Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage (RA-5(3))

    The Breadth and Depth of Coverage (RA-5(3)) subcontrol is an essential component of the NIST 800-53 Risk Assessment control family. This subcontrol emphasizes the importance of comprehensively and thoroughly scanning an organization's information systems for vulnerabilities, ensuring that no critical weaknesses are left undetected.

  • Vulnerability Monitoring and Scanning | Discoverable Information (RA-5(4))

    The Discoverable Information (RA-5(4)) subcontrol is a crucial component of the NIST 800-53 Risk Assessment control family. This subcontrol focuses on the identification and assessment of discoverable information within an organization's information systems, ensuring that sensitive data, configuration details, and potential vulnerabilities are thoroughly examined.

  • Vulnerability Monitoring and Scanning | Privileged Access (RA-5(5))

    The Privileged Access (RA-5(5)) subcontrol is a critical component of the NIST 800-53 Risk Assessment control family. This subcontrol focuses on assessing and managing vulnerabilities related to privileged access within an organization's information systems. It ensures that privileged accounts and roles are subject to thorough scrutiny to mitigate potential security risks.

  • Vulnerability Monitoring and Scanning | Automated Trend Analyses (RA-5(6))

    The Automated Trend Analyses (RA-5(6)) subcontrol is a critical component of the NIST 800-53 Risk Assessment control family. This subcontrol emphasizes the importance of leveraging automated tools and technologies to analyze vulnerability trends within an organization's information systems. It enables organizations to proactively identify emerging vulnerabilities and security patterns.

  • Vulnerability Monitoring and Scanning | Review Historic Audit Logs (RA-5(8))

    The Review Historic Audit Logs (RA-5(8)) subcontrol is a vital component of the NIST 800-53 Risk Assessment control family. This subcontrol focuses on the systematic review of historic audit logs within an organization's information systems to identify vulnerabilities, security incidents, and patterns of unauthorized access.

  • Vulnerability Monitoring and Scanning | Correlate Scanning Information (RA-5(10))

    The Correlate Scanning Information (RA-5(10)) subcontrol is a critical component of the NIST 800-53 Risk Assessment control family. This subcontrol emphasizes the need to collect and correlate scanning information from multiple sources to enhance the accuracy and effectiveness of vulnerability monitoring and scanning efforts.

  • Vulnerability Monitoring and Scanning | Public Disclosure Program (RA-5(11))

    The Public Disclosure Program (RA-5(11)) subcontrol is an essential component of the NIST 800-53 Risk Assessment control family. This subcontrol focuses on establishing a structured and responsible program for disclosing vulnerabilities that have been identified within an organization's information systems to the public and relevant stakeholders.

  • Technical Surveillance Countermeasures Survey (RA-6)- Main Control

    The Technical Surveillance Countermeasures Survey (RA-6) control is a fundamental component of the NIST 800-53 Risk Assessment control family. This control focuses on conducting surveys and assessments to detect and mitigate technical surveillance threats that could compromise the confidentiality and integrity of an organization's information systems, facilities, and operations.

  • Risk Response (RA-7)- Main Control

    The Risk Response (RA-7) control is a pivotal component of the NIST 800-53 Risk Assessment control family. It focuses on defining and implementing an effective strategy for responding to identified risks and vulnerabilities within an organization's information systems and operations. This control ensures that risks are addressed promptly and efficiently to protect critical assets and data.

  • Privacy Impact Assessments (RA-8)- Main Control

    The Privacy Impact Assessments (RA-8) control is an essential component of the NIST 800-53 Risk Assessment control family. This control focuses on conducting privacy impact assessments to identify, evaluate, and mitigate privacy risks associated with the processing of personal information within an organization's information systems and operations.

  • Criticality Analysis (RA-9)- Main Control

    The Criticality Analysis (RA-9) control is a crucial component of the NIST 800-53 Risk Assessment control family. This control focuses on conducting criticality assessments to determine the importance and significance of information systems, assets, and processes within an organization. By understanding criticality, organizations can prioritize resources and efforts to protect their most essential components effectively.

  • Threat Hunting (RA-10)- Main Control

    The Threat Hunting (RA-10) control is a critical component of the NIST 800-53 Risk Assessment control family. This control focuses on proactive threat hunting activities to identify and respond to potential security threats and vulnerabilities within an organization's information systems. Threat hunting enhances an organization's ability to detect and mitigate risks before they lead to security incidents.

The System and Services Acquisition control family addresses the processes and activities related to the acquisition of information systems, products, and services. The controls within this family are designed to ensure that organizations acquire, develop, and maintain systems that meet security requirements and adhere to established policies and procedures. The goal is to manage risks associated with the acquisition lifecycle, from the initial planning stages through the development, implementation, and ongoing maintenance of systems.

  • Policy and Procedures (SA-1)- Main Control

    The Policy and Procedures (SA-1) control is a foundational component of the NIST 800-53 System and Services Acquisition control family. This control focuses on establishing and maintaining comprehensive policies and procedures that govern the acquisition, development, and deployment of information systems and services within an organization. It provides the framework for ensuring that acquisitions align with security, compliance, and operational requirements.

  • Allocation of Resources (SA-2)- Main Control

    The Allocation of Resources (SA-2) control is a vital component of the NIST 800-53 System and Services Acquisition control family. This control focuses on ensuring that an organization allocates adequate resources, including budget, personnel, and infrastructure, to support the successful acquisition, development, and maintenance of information systems and services.

  • System Development Life Cycle (SA-3)- Main Control

    The System Development Life Cycle (SA-3) control is a foundational component of the NIST 800-53 System and Services Acquisition control family. This control focuses on establishing and managing a structured and well-documented system development life cycle (SDLC) process for the acquisition, development, and deployment of information systems and services.

  • System Development Life Cycle | Manage Preproduction Environment (SA-3(1))

    The System Development Life Cycle | Manage Preproduction Environment (SA-3(1)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on the management and security of the preproduction environment during the system development life cycle (SDLC). The preproduction environment is where system testing, quality assurance, and security assessments take place before the system's full deployment.

  • System Development Life Cycle | Use of Live or Operational Data (SA-3(2))

    The System Development Life Cycle | Use of Live or Operational Data (SA-3(2)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on managing the use of live or operational data during the system development life cycle (SDLC). Live data refers to actual production data or data that closely resembles production data and is used for testing and development purposes.

  • System Development Life Cycle | Technology Refresh (SA-3(3))

    The System Development Life Cycle | Technology Refresh (SA-3(3)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on managing technology refresh and upgrade activities during the system development life cycle (SDLC). Technology refresh involves replacing or upgrading components, software, or infrastructure to maintain system effectiveness and security.

  • Acquisition Process (SA-4)- Main Control

    The Acquisition Process (SA-4) control is a fundamental component of the NIST 800-53 System and Services Acquisition control family. This control focuses on establishing and implementing a structured and comprehensive acquisition process that ensures the successful procurement, development, deployment, and management of information systems and services within an organization.

  • Acquisition Process | Functional Properties of Controls (SA-4(1))

    The Acquisition Process | Functional Properties of Controls (SA-4(1)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on ensuring that the functional properties of security controls, including effectiveness, compliance, and performance, are considered and evaluated during the acquisition process for information systems and services.

  • Acquisition Process | Design and Implementation Information for Controls (SA-4(2))

    The Acquisition Process | Design and Implementation Information for Controls (SA-4(2)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on ensuring that the design and implementation details of security controls are adequately documented and evaluated during the acquisition process for information systems and services.

  • Acquisition Process | Development Methods, Techniques, and Practices (SA-4(3))

    The Acquisition Process | Development Methods, Techniques, and Practices (SA-4(3)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on ensuring that appropriate development methods, techniques, and practices are selected and employed during the acquisition process for information systems and services.

  • Acquisition Process | Assignment of Components to Systems (SA-4(4))

    The Acquisition Process | Assignment of Components to Systems (SA-4(4)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on the structured assignment and tracking of components to systems during the acquisition process for information systems and services.

  • Acquisition Process | System, Component, and Service Configurations (SA-4(5))

    The Acquisition Process | System, Component, and Service Configurations (SA-4(5)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on establishing and maintaining secure configurations for systems, components, and services acquired during the acquisition process for information systems and services.

  • Acquisition Process | Use of Information Assurance Products (SA-4(6))

    The Acquisition Process | Use of Information Assurance Products (SA-4(6)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on incorporating information assurance products and solutions into the acquisition process for information systems and services.

  • Acquisition Process | NIAP-approved Protection Profiles (SA-4(7))

    The Acquisition Process | NIAP-approved Protection Profiles (SA-4(7)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on ensuring that acquired information systems and services align with security standards by utilizing Protection Profiles approved by the National Information Assurance Partnership (NIAP).

  • Acquisition Process | Continuous Monitoring Plan for Controls (SA-4(8))

    The Acquisition Process | Continuous Monitoring Plan for Controls (SA-4(8)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on developing a continuous monitoring plan for security controls integrated into acquired information systems and services.

  • Acquisition Process | Functions, Ports, Protocols, and Services in Use (SA-4(9))

    The Acquisition Process | Functions, Ports, Protocols, and Services in Use (SA-4(9)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on identifying and documenting the functions, ports, protocols, and services (FPPS) in use by acquired information systems and services.

  • Acquisition Process | Use of Approved PIV Products (SA-4(10))

    The Acquisition Process | Use of Approved PIV Products (SA-4(10)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on incorporating approved Personal Identity Verification (PIV) products into the acquisition process for information systems and services.

  • Acquisition Process | System of Records (SA-4(11))

    The Acquisition Process | System of Records (SA-4(11)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on ensuring that personal information collected or maintained by acquired information systems and services is managed in compliance with privacy requirements.

  • Acquisition Process | Data Ownership (SA-4(12))

    The Acquisition Process | Data Ownership (SA-4(12)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on establishing and maintaining clear data ownership responsibilities for data acquired and managed within information systems.

  • System Documentation (SA-5)- Main Control

    The System Documentation (SA-5) control is part of the NIST 800-53 System and Services Acquisition control family. SA-5 focuses on establishing and maintaining comprehensive documentation for the acquired information system, including its design, configuration, and security features.

  • System Documentation | Functional Properties of Security Controls (SA-5(1))

    The System Documentation | Functional Properties of Security Controls (SA-5(1)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on documenting the functional properties of security controls implemented within an acquired information system.

  • System Documentation | Security-relevant External System Interfaces (SA-5(2))

    The System Documentation | Security-relevant External System Interfaces (SA-5(2)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on documenting the security aspects of external system interfaces that are relevant to the acquired information system.

  • System Documentation | High-level Design (SA-5(3))

    The System Documentation | High-level Design (SA-5(3)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on documenting the high-level design aspects of the acquired information system, including its architecture, components, and functionality.

  • System Documentation | Low-level Design (SA-5(4))

    The System Documentation | Low-level Design (SA-5(4)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on documenting the low-level design aspects of the acquired information system, including detailed technical specifications and component interactions.

  • System Documentation | Source Code (SA-5(5))

    The System Documentation | Source Code (SA-5(5)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. This subcontrol focuses on documenting the source code of the acquired information system, which is essential for software development, maintenance, and security assessments.

  • Software Usage Restrictions (SA-6)- Main Control

    The Software Usage Restrictions (SA-6) control is part of the NIST 800-53 System and Services Acquisition control family. SA-6 focuses on establishing and enforcing usage restrictions for software acquired or developed within an organization to mitigate security risks and ensure compliance with licensing agreements.

  • User-installed Software (SA-7)- Main Control

    The User-installed Software (SA-7) control is part of the NIST 800-53 System and Services Acquisition control family. SA-7 focuses on managing and controlling the installation of software by end users to reduce security risks associated with unauthorized or unvetted software.

  • Security and Privacy Engineering Principles (SA-8)- Main Control

    The Security and Privacy Engineering Principles (SA-8) control is a key component of the NIST 800-53 System and Services Acquisition control family. SA-8 emphasizes the incorporation of security and privacy principles into the system development life cycle to ensure that security and privacy controls are integrated from the outset.

  • Security and Privacy Engineering Principles | Clear Abstractions (SA-8(1))

    The Security and Privacy Engineering Principles | Clear Abstractions (SA-8(1)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of establishing clear abstractions, or logical representations, of security and privacy controls within the acquired system's design and architecture.

  • Security and Privacy Engineering Principles | Least Common Mechanism (SA-8(2))

    The Security and Privacy Engineering Principles | Least Common Mechanism (SA-8(2)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of implementing the least common mechanism principle in system design to reduce the risk of security and privacy breaches.

  • Security and Privacy Engineering Principles | Modularity and Layering (SA-8(3))

    The Security and Privacy Engineering Principles | Modularity and Layering (SA-8(3)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of implementing modular and layered security and privacy controls within system designs to enhance security and privacy protections.

  • Security and Privacy Engineering Principles | Partially Ordered Dependencies (SA-8(4))

    The Security and Privacy Engineering Principles | Partially Ordered Dependencies (SA-8(4)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of managing and documenting partially ordered dependencies between security and privacy controls to ensure their effective implementation.

  • Security and Privacy Engineering Principles | Efficiently Mediated Access (SA-8(5))

    The Security and Privacy Engineering Principles | Efficiently Mediated Access (SA-8(5)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of implementing efficient and effective access control mechanisms to ensure that users and components can access resources securely and without unnecessary delays.

  • Security and Privacy Engineering Principles | Minimized Sharing (SA-8(6))

    The Security and Privacy Engineering Principles | Minimized Sharing (SA-8(6)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of minimizing sharing of resources, data, and services between users, components, or processes to reduce security and privacy risks.

  • Security and Privacy Engineering Principles | Reduced Complexity (SA-8(7))

    The Security and Privacy Engineering Principles | Reduced Complexity (SA-8(7)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of minimizing complexity in system design to enhance security and privacy.

  • Security and Privacy Engineering Principles | Secure Evolvability (SA-8(8))

    The Security and Privacy Engineering Principles | Secure Evolvability (SA-8(8)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of designing systems with secure evolvability in mind, allowing for the adaptation and enhancement of security and privacy controls as threats and requirements evolve over time.

  • Security and Privacy Engineering Principles | Trusted Components (SA-8(9))

    The Security and Privacy Engineering Principles | Trusted Components (SA-8(9)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of acquiring and integrating trusted components and services into a system's architecture to enhance security and privacy.

  • Security and Privacy Engineering Principles | Hierarchical Trust (SA-8(10))

    The Security and Privacy Engineering Principles | Hierarchical Trust (SA-8(10)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of establishing a hierarchical trust model within a system's architecture to manage and control the level of trust assigned to various system components, services, and entities.

  • Security and Privacy Engineering Principles | Inverse Modification Threshold (SA-8(11))

    The Security and Privacy Engineering Principles | Inverse Modification Threshold (SA-8(11)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of carefully evaluating and controlling modifications to system components, configurations, and architectures to maintain the security and privacy of the system.

  • Security and Privacy Engineering Principles | Hierarchical Protection (SA-8(12))

    The Security and Privacy Engineering Principles | Hierarchical Protection (SA-8(12)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of implementing a hierarchical protection model within a system's architecture to prioritize and enforce security and privacy protections based on the sensitivity and criticality of system components and data.

  • Security and Privacy Engineering Principles | Minimized Security Elements (SA-8(13))

    The Security and Privacy Engineering Principles | Minimized Security Elements (SA-8(13)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of minimizing the number of security and privacy elements (e.g., controls, mechanisms) within a system to reduce complexity, improve manageability, and enhance security and privacy effectiveness.

  • Security and Privacy Engineering Principles | Least Privilege (SA-8(14))

    The Security and Privacy Engineering Principles | Least Privilege (SA-8(14)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of implementing the principle of least privilege within a system's architecture to restrict users and processes to only the minimum access and permissions necessary to perform their authorized tasks.

  • Security and Privacy Engineering Principles | Predicate Permission (SA-8(15))

    The Security and Privacy Engineering Principles | Predicate Permission (SA-8(15)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of implementing predicate-based permission models within a system's architecture to enable fine-grained access control based on conditional predicates or attributes.

  • Security and Privacy Engineering Principles | Self-reliant Trustworthiness (SA-8(16))

    The Security and Privacy Engineering Principles | Self-reliant Trustworthiness (SA-8(16)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of designing and implementing systems that can independently assess and maintain their trustworthiness, even in dynamic and untrusted environments.

  • Security and Privacy Engineering Principles | Secure Distributed Composition (SA-8(17))

    The Security and Privacy Engineering Principles | Secure Distributed Composition (SA-8(17)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of securely composing distributed systems and components to maintain trustworthiness, confidentiality, and integrity across interconnected elements.

  • Security and Privacy Engineering Principles | Trusted Communications Channels (SA-8(18))

    The Security and Privacy Engineering Principles | Trusted Communications Channels (SA-8(18)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of establishing trusted communication channels to ensure the confidentiality, integrity, and authenticity of data exchanged between system components.

  • Security and Privacy Engineering Principles | Continuous Protection (SA-8(19))

    The Security and Privacy Engineering Principles | Continuous Protection (SA-8(19)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of implementing continuous protection measures to safeguard systems and data against evolving security and privacy threats.

  • Security and Privacy Engineering Principles | Secure Metadata Management (SA-8(20))

    The Security and Privacy Engineering Principles | Secure Metadata Management (SA-8(20)) subcontrol is a component of the NIST 800-53 System and Services Acquisition control family. This subcontrol emphasizes the importance of managing metadata in a secure and privacy-conscious manner to protect sensitive information and maintain data integrity.

  • Security and Privacy Engineering Principles | Self-analysis (SA-8(21))

    SA-8(21) under the System and Services Acquisition family of controls in NIST 800-53 focuses on ensuring the incorporation of security and privacy engineering principles throughout the acquisition process. It specifically emphasizes the need for organizations to conduct self-analysis to evaluate and improve the effectiveness of security and privacy measures in their acquisition activities.

  • Security and Privacy Engineering Principles | Accountability and Traceability (SA-8(22))

    SA-8(22) is a critical subcontrol within the System and Services Acquisition family of NIST 800-53 controls. It focuses on ensuring that organizations establish accountability and traceability mechanisms for the integration of security and privacy engineering principles into the acquisition processes. This control aims to create a framework where all stakeholders can be held accountable for the security and privacy aspects of acquisitions.

  • Security and Privacy Engineering Principles | Secure Defaults (SA-8(23))

    SA-8(23) focuses on ensuring that organizations establish secure default configurations for systems and services acquired. It emphasizes the importance of configuring systems and services with security and privacy in mind from the outset, reducing vulnerabilities and risks associated with default settings.

  • Security and Privacy Engineering Principles | Secure Failure and Recovery (SA-8(24))

    The SA-8(24) control within the System and Services Acquisition family of NIST 800-53 focuses on ensuring that security and privacy engineering principles are applied to the design and implementation of systems, particularly in the context of secure failure and recovery mechanisms. This control aims to enhance the overall resilience of the system by addressing the consequences of failure and promoting swift and secure recovery.

  • Security and Privacy Engineering Principles | Economic Security (SA-8(25))

    Control SA-8(25) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of incorporating economic security considerations into the design and implementation of systems. Economic security involves assessing the potential financial impact of security and privacy failures and ensuring that systems are designed to mitigate these risks effectively.

  • Security and Privacy Engineering Principles | Performance Security (SA-8(26))

    Control SA-8(26) within the System and Services Acquisition family of NIST 800-53 focuses on ensuring that security and privacy engineering principles are applied to enhance the performance security of systems. Performance security ensures that systems maintain their intended functionality while safeguarding against security and privacy threats.

  • Security and Privacy Engineering Principles | Human Factored Security (SA-8(27))

    Control SA-8(27) within the System and Services Acquisition family of NIST 800-53 focuses on the incorporation of human factors into security and privacy engineering principles. It aims to ensure that security measures are designed with a deep understanding of human behavior, capabilities, and limitations to improve overall system security and privacy.

  • Security and Privacy Engineering Principles | Acceptable Security (SA-8(28))

    Control SA-8(28) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of establishing and maintaining acceptable security levels throughout the system development and acquisition lifecycle. It aims to ensure that security and privacy controls are aligned with the organization's risk tolerance and objectives.

  • Security and Privacy Engineering Principles | Repeatable and Documented Procedures (SA-8(29))

    Control SA-8(29) within the System and Services Acquisition family of NIST 800-53 focuses on the importance of establishing repeatable and well-documented procedures for security and privacy engineering. It ensures that organizations maintain consistency in their approach to security and privacy throughout the system development and acquisition process.

  • Security and Privacy Engineering Principles | Procedural Rigor (SA-8(30))

    Control SA-8(30) within the System and Services Acquisition family of NIST 800-53 emphasizes the necessity of procedural rigor in applying security and privacy engineering principles. It ensures that organizations establish and adhere to systematic, well-defined processes to enhance the security and privacy of systems throughout their development and acquisition.

  • Security and Privacy Engineering Principles | Secure System Modification (SA-8(31))

    Control SA-8(31) within the System and Services Acquisition family of NIST 800-53 focuses on ensuring that security and privacy engineering principles are applied when making modifications to a system. It emphasizes the importance of maintaining the security and privacy posture of a system when changes are introduced.

  • Security and Privacy Engineering Principles | Sufficient Documentation (SA-8(32))

    Control SA-8(32) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of maintaining sufficient documentation related to security and privacy engineering principles throughout the system development and acquisition lifecycle. It ensures that essential information is well-documented to support security and privacy efforts effectively.

  • Security and Privacy Engineering Principles | Minimization (SA-8(33))

    Control SA-8(33) within the System and Services Acquisition family of NIST 800-53 emphasizes the practice of minimization in security and privacy engineering. It encourages organizations to reduce the attack surface and potential privacy risks by minimizing the scope of system functionality and data collection to the essential requirements.

  • External System Services (SA-9)- Main Control

    Control SA-9 within the System and Services Acquisition family of NIST 800-53 addresses the security and privacy concerns associated with external system services. It focuses on managing the risks associated with connecting systems to external services, networks, and providers.

  • External System Services | Risk Assessments and Organizational Approvals (SA-9(1))

    Control SA-9(1) within the System and Services Acquisition family of NIST 800-53 focuses on the need to conduct risk assessments and obtain organizational approvals when considering the use of external system services. It ensures that organizations thoroughly evaluate the security and privacy risks associated with such services before acquiring or connecting to them.

  • External System Services | Identification of Functions, Ports, Protocols, and Services (SA-9(2))

    Control SA-9(2) within the System and Services Acquisition family of NIST 800-53 focuses on the need to identify and document the functions, ports, protocols, and services (FPPS) associated with external system services. It ensures that organizations have a clear understanding of the interactions and dependencies related to these services.

  • External System Services | Establish and Maintain Trust Relationship with Providers (SA-9(3))

    Control SA-9(3) within the System and Services Acquisition family of NIST 800-53 focuses on the importance of establishing and maintaining trust relationships with external service providers. It emphasizes the need to ensure that providers meet the organization's security and privacy requirements.

  • External System Services | Consistent Interests of Consumers and Providers (SA-9(4))

    Control SA-9(4) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of aligning the interests of both consumers and providers of external system services to ensure a consistent approach to security and privacy. It focuses on addressing potential conflicts and discrepancies between the two parties.

  • External System Services | Processing, Storage, and Service Location (SA-9(5))

    Control SA-9(5) within the System and Services Acquisition family of NIST 800-53 focuses on managing the processing, storage, and service location aspects of external system services. It addresses the security and privacy implications associated with where and how these functions are performed.

  • External System Services | Organization-controlled Cryptographic Keys (SA-9(6))

    Control SA-9(6) within the System and Services Acquisition family of NIST 800-53 addresses the need for organizations to maintain control over cryptographic keys used in external system services. It emphasizes the importance of protecting sensitive information through secure key management practices.

  • External System Services | Organization-controlled Integrity Checking (SA-9(7))

    Control SA-9(7) within the System and Services Acquisition family of NIST 800-53 emphasizes the need for organizations to maintain control over integrity checking mechanisms used in external system services. It focuses on ensuring the data's integrity during transfer and processing.

  • External System Services | Processing and Storage Location — U.S. Jurisdiction (SA-9(8))

    Control SA-9(8) within the System and Services Acquisition family of NIST 800-53 focuses on the requirement to ensure that the processing and storage of data by external system services occur within U.S. jurisdiction when necessary to comply with legal and regulatory requirements.

  • Developer Configuration Management (SA-10)- Main Control

    Control SA-10 within the System and Services Acquisition family of NIST 800-53 focuses on establishing and maintaining developer configuration management processes. It emphasizes the importance of effectively managing the configuration of software and systems during development to ensure reliability and security.

  • Developer Configuration Management | Software and Firmware Integrity Verification (SA-10(1))

    Control SA-10(1) within the System and Services Acquisition family of NIST 800-53 focuses on the requirement to verify the integrity of software and firmware during the development process. It ensures that software and firmware components remain unaltered and secure throughout their lifecycle.

  • Developer Configuration Management | Alternative Configuration Management Processes (SA-10(2))

    Control SA-10(2) within the System and Services Acquisition family of NIST 800-53 addresses the need for organizations to establish alternative configuration management processes when standard configuration management practices cannot be applied. It ensures that even in non-standard scenarios, software and systems are effectively managed.

  • Developer Configuration Management | Hardware Integrity Verification (SA-10(3))

    Control SA-10(3) within the System and Services Acquisition family of NIST 800-53 emphasizes the need for organizations to verify the integrity of hardware components during the development process. It ensures that hardware remains secure, reliable, and free from unauthorized modifications.

  • Developer Configuration Management | Trusted Generation (SA-10(4))

    Control SA-10(4) within the System and Services Acquisition family of NIST 800-53 focuses on ensuring that software and firmware components are generated using trusted sources and processes. It aims to minimize the risk of compromised or malicious components in the development process.

  • Developer Configuration Management | Mapping Integrity for Version Control (SA-10(5))

    Control SA-10(5) within the System and Services Acquisition family of NIST 800-53 focuses on ensuring the integrity of the mapping between development versions of software and firmware components. It emphasizes the importance of accurately tracking changes and versions for security and accountability.

  • Developer Configuration Management | Trusted Distribution (SA-10(6))

    Control SA-10(6) within the System and Services Acquisition family of NIST 800-53 focuses on ensuring the trusted distribution of software and firmware components. It emphasizes the need to secure the distribution channels to prevent unauthorized alterations during transit.

  • Developer Configuration Management | Security and Privacy Representatives (SA-10(7))

    Control SA-10(7) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of involving security and privacy representatives in the developer configuration management process. It ensures that security and privacy considerations are integrated from the early stages of development.

  • Developer Testing and Evaluation (SA-11)- Main Control

    Control SA-11 within the System and Services Acquisition family of NIST 800-53 focuses on the requirement for organizations to conduct systematic testing and evaluation of software, firmware, and other system components during the development process. It ensures that these components are rigorously assessed for functionality, security, and compliance with requirements.

  • Developer Testing and Evaluation | Static Code Analysis (SA-11(1))

    Control SA-11(1) within the System and Services Acquisition family of NIST 800-53 emphasizes the use of static code analysis as a method for assessing the security and quality of software and firmware components during the development process. It ensures that code is systematically reviewed for vulnerabilities and compliance with coding standards.

  • Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses (SA-11(2))

    Control SA-11(2) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of conducting threat modeling and vulnerability analyses as part of the developer testing and evaluation process. It ensures that software, firmware, and system components are assessed for security vulnerabilities and potential threats.

  • Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence (SA-11(3))

    Control SA-11(3) within the System and Services Acquisition family of NIST 800-53 emphasizes the need for independent verification of assessment plans and evidence as part of the developer testing and evaluation process. It ensures that testing activities and their results are impartially assessed and validated.

  • Developer Testing and Evaluation | Manual Code Reviews (SA-11(4))

    Control SA-11(4) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of conducting manual code reviews as part of the developer testing and evaluation process. It ensures that code is thoroughly examined by human experts for vulnerabilities and quality.

  • Developer Testing and Evaluation | Penetration Testing (SA-11(5))

    Control SA-11(5) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of conducting penetration testing as a part of the developer testing and evaluation process. It ensures that software, firmware, and system components are subjected to simulated attacks to identify vulnerabilities and weaknesses.

  • Developer Testing and Evaluation | Attack Surface Reviews (SA-11(6))

    Control SA-11(6) within the System and Services Acquisition family of NIST 800-53 emphasizes the need for conducting attack surface reviews as a part of the developer testing and evaluation process. It ensures that the attack surface of software, firmware, and system components is thoroughly analyzed to identify potential entry points for attackers.

  • Developer Testing and Evaluation | Verify Scope of Testing and Evaluation (SA-11(7))

    Control SA-11(7) within the System and Services Acquisition family of NIST 800-53 highlights the importance of verifying the scope of testing and evaluation activities during the development process. It ensures that testing efforts are focused on the right components and objectives.

  • Developer Testing and Evaluation | Dynamic Code Analysis (SA-11(8))

    Control SA-11(8) within the System and Services Acquisition family of NIST 800-53 emphasizes the need for dynamic code analysis as part of developer testing and evaluation. It ensures that software, firmware, and system components are tested while running to identify runtime vulnerabilities and security weaknesses.

  • Developer Testing and Evaluation | Interactive Application Security Testing (SA-11(9))

    Control SA-11(9) within the System and Services Acquisition family of NIST 800-53 focuses on the importance of incorporating Interactive Application Security Testing (IAST) as a part of developer testing and evaluation. It ensures that applications are assessed for security vulnerabilities during runtime.

  • Supply Chain Protection (SA-12)- Main Control

    Control SA-12 within the System and Services Acquisition family of NIST 800-53 emphasizes the need to protect the supply chain of information systems and services. It is designed to ensure that organizations establish and maintain effective safeguards to protect against supply chain risks and vulnerabilities.

  • Supply Chain Protection | Supplier Reviews (SA-12(2))

    Control SA-12(2) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of conducting supplier reviews as part of the supply chain protection strategy. It ensures that organizations evaluate the trustworthiness and security practices of their suppliers to minimize supply chain risks.

  • Supply Chain Protection | Trusted Shipping and Warehousing (SA-12(3))

    Control SA-12(3) within the System and Services Acquisition family of NIST 800-53 focuses on the need for trusted shipping and warehousing practices as part of supply chain protection. It ensures that organizations establish measures to protect the integrity and security of components and products during transit and storage within the supply chain.

  • Supply Chain Protection | Diversity of Suppliers (SA-12(4))

    Control SA-12(4) within the System and Services Acquisition family of NIST 800-53 focuses on the importance of diversifying suppliers in supply chain management. It emphasizes that organizations should reduce supply chain risk by avoiding over-reliance on a single supplier.

  • Supply Chain Protection | Limitation of Harm (SA-12(5))

    Control SA-12(5) within the System and Services Acquisition family of NIST 800-53 emphasizes the need for organizations to implement measures that limit harm in the event of a supply chain compromise. It focuses on preparing for and responding to supply chain incidents to minimize their impact.

  • Supply Chain Protection | Minimizing Procurement Time (SA-12(6))

    Control SA-12(6) within the System and Services Acquisition family of NIST 800-53 focuses on minimizing procurement time as a strategy for enhancing supply chain protection. It emphasizes the importance of efficient procurement processes to reduce exposure to supply chain vulnerabilities.

  • Supply Chain Protection | Assessments Prior to Selection / Acceptance / Update (SA-12(7))

    Control SA-12(7) within the System and Services Acquisition family of NIST 800-53 emphasizes the need to conduct comprehensive assessments of components, products, or services from suppliers before selecting, accepting, or updating them in an organization's information systems. It focuses on ensuring that these acquisitions do not introduce vulnerabilities into the supply chain.

  • Supply Chain Protection | Use of All-source Intelligence (SA-12(8))

    Control SA-12(8) within the System and Services Acquisition family of NIST 800-53 focuses on the utilization of all-source intelligence to enhance supply chain protection. It emphasizes the importance of leveraging intelligence sources to identify and respond to supply chain threats and vulnerabilities effectively.

  • Supply Chain Protection | Operations Security (SA-12(9))

    Control SA-12(9) within the System and Services Acquisition family of NIST 800-53 focuses on operations security as a key component of supply chain protection. It emphasizes the need to secure and monitor supply chain operations to detect and respond to security incidents effectively.

  • Supply Chain Protection | Validate as Genuine and Not Altered (SA-12(10))

    Control SA-12(10) within the System and Services Acquisition family of NIST 800-53 focuses on the validation of components, products, or services to ensure they are genuine and have not been altered maliciously during the supply chain process. It emphasizes the importance of integrity verification to prevent the introduction of counterfeit or tampered items.

  • Supply Chain Protection | Penetration Testing / Analysis of Elements, Processes, and Actors (SA-12(11))

    Control SA-12(11) within the System and Services Acquisition family of NIST 800-53 focuses on conducting penetration testing and analysis of supply chain elements, processes, and actors. It emphasizes the need to assess the security of the supply chain ecosystem comprehensively.

  • Supply Chain Protection | Inter-organizational Agreements (SA-12(12))

    Control SA-12(12) within the System and Services Acquisition family of NIST 800-53 focuses on the establishment of inter-organizational agreements to enhance supply chain protection. It emphasizes the importance of formal agreements with suppliers, partners, and stakeholders to manage and mitigate supply chain risks effectively.

  • Supply Chain Protection | Critical Information System Components (SA-12(13))

    Control SA-12(13) within the System and Services Acquisition family of NIST 800-53 focuses on the protection of critical information system components within the supply chain. It emphasizes the need to identify, prioritize, and secure those components that are essential to the organization's mission and security.

  • Supply Chain Protection | Identity and Traceability (SA-12(14))

    Control SA-12(14) within the System and Services Acquisition family of NIST 800-53 focuses on ensuring the identity and traceability of supply chain elements, components, and products. It emphasizes the need to establish and maintain mechanisms that enable the tracking of items throughout the supply chain.

  • Supply Chain Protection | Processes to Address Weaknesses or Deficiencies (SA-12(15))

    Control SA-12(15) within the System and Services Acquisition family of NIST 800-53 focuses on establishing processes to address weaknesses or deficiencies identified within the supply chain. It emphasizes the importance of promptly addressing and mitigating vulnerabilities and risks to maintain supply chain security.

  • Trustworthiness (SA-13)- Main Control

    Control SA-13 within the System and Services Acquisition family of NIST 800-53 focuses on establishing and maintaining trustworthiness as a key attribute for systems, services, and products acquired or developed. It emphasizes the importance of ensuring that trustworthiness characteristics are integral to the entire lifecycle of these acquisitions.

  • Criticality Analysis (SA-14)- Main Control

    Control SA-14 within the System and Services Acquisition family of NIST 800-53 focuses on conducting criticality analysis for systems, services, and products to determine their importance and impact on an organization's mission and objectives. It emphasizes the need to prioritize security measures based on this analysis.

  • Criticality Analysis | Critical Components with No Viable Alternative Sourcing (SA-14(1))

    Control SA-14(1) within the System and Services Acquisition family of NIST 800-53 addresses the need to conduct criticality analysis specifically for components within systems, services, or products that have no viable alternative sourcing options. It emphasizes the importance of identifying and securing these components due to their unique criticality.

  • Development Process, Standards, and Tools (SA-15)- Main Control

    Control SA-15 within the System and Services Acquisition family of NIST 800-53 focuses on establishing and maintaining a structured development process that incorporates security standards and appropriate tools. It emphasizes the need to ensure that security considerations are integrated into the development lifecycle of systems, services, or products.

  • Development Process, Standards, and Tools | Quality Metrics (SA-15(1))

    Control SA-15(1) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of using quality metrics as part of the development process, standards, and tools. It requires organizations to establish and maintain metrics that assess the quality and security of systems, services, or products being developed or acquired.

  • Development Process, Standards, and Tools | Security and Privacy Tracking Tools (SA-15(2))

    Control SA-15(2) within the System and Services Acquisition family of NIST 800-53 focuses on the use of security and privacy tracking tools as part of the development process. It emphasizes the need for organizations to employ specialized tools to monitor, track, and manage security and privacy-related activities and requirements.

  • Development Process, Standards, and Tools | Criticality Analysis (SA-15(3))

    Control SA-15(3) within the System and Services Acquisition family of NIST 800-53 focuses on incorporating criticality analysis as part of the development process. It emphasizes the need to assess and prioritize the criticality of systems, services, or products being developed to align security efforts with their importance.

  • Development Process, Standards, and Tools | Threat Modeling and Vulnerability Analysis (SA-15(4))

    Control SA-15(4) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of incorporating threat modeling and vulnerability analysis into the development process. It requires organizations to systematically identify and address security threats and vulnerabilities during system and service development.

  • Development Process, Standards, and Tools | Attack Surface Reduction (SA-15(5))

    Control SA-15(5) within the System and Services Acquisition family of NIST 800-53 focuses on reducing the attack surface of systems, services, or products during the development process. It emphasizes the need to minimize the opportunities for attackers to exploit vulnerabilities.

  • Development Process, Standards, and Tools | Continuous Improvement (SA-15(6))

    Control SA-15(6) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of continuous improvement in the development process, standards, and tools. It requires organizations to establish mechanisms for ongoing assessment, refinement, and enhancement of their development practices.

  • Development Process, Standards, and Tools | Automated Vulnerability Analysis (SA-15(7))

    Control SA-15(7) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of automated vulnerability analysis as part of the development process. It focuses on the need to employ automated tools and technologies to identify and address vulnerabilities efficiently and effectively.

  • Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information (SA-15(8))

    Control SA-15(8) within the System and Services Acquisition family of NIST 800-53 emphasizes the importance of reusing threat and vulnerability information in the development process. It focuses on leveraging existing knowledge to enhance the security posture of systems, services, or products.

  • Development Process, Standards, and Tools | Use of Live Data (SA-15(9))

    Control SA-15(9) within the System and Services Acquisition family of NIST 800-53 emphasizes the controlled use of live data in the development process. It recognizes the importance of replicating real-world conditions to improve the effectiveness of security testing and validation.

  • Development Process, Standards, and Tools | Incident Response Plan (SA-15(10))

    Control SA-15(10) within the System and Services Acquisition family of NIST 800-53 focuses on the necessity of having an incident response plan in place as part of the development process. It emphasizes the importance of preparedness to effectively respond to security incidents that may occur during development.

  • Development Process, Standards, and Tools | Archive System or Component (SA-15(11))

    Control SA-15(11) within the System and Services Acquisition family of NIST 800-53 focuses on the importance of archiving systems or components that are no longer in active use during the development process. It ensures that data and configurations are securely preserved for future reference and compliance.

  • Development Process, Standards, and Tools | Minimize Personally Identifiable Information (SA-15(12))

    Control SA-15(12) within the System and Services Acquisition family of NIST 800-53 emphasizes the need to minimize the collection, storage, and use of personally identifiable information (PII) during the development process. It focuses on reducing the risk associated with handling sensitive personal data.

  • Developer-provided Training (SA-16)- Main Control

    Control SA-16, part of the System and Services Acquisition family in NIST 800-53, focuses on the importance of providing training to developers involved in the acquisition and development process. It aims to ensure that developers have the necessary knowledge and skills to build secure and reliable systems and services.

  • Developer Security and Privacy Architecture and Design (SA-17)- Main Control

    Control SA-17, part of the System and Services Acquisition family in NIST 800-53, focuses on integrating security and privacy considerations into the architecture and design of systems and services during the development process. It ensures that security and privacy are foundational elements rather than afterthoughts.

  • Developer Security and Privacy Architecture and Design | Formal Policy Model (SA-17(1))

    Control SA-17(1), a subcontrol within the System and Services Acquisition family of NIST 800-53, emphasizes the importance of incorporating a formal policy model into the architecture and design of systems and services. A formal policy model provides a structured framework for defining and enforcing security and privacy policies.

  • Developer Security and Privacy Architecture and Design | Security-relevant Components (SA-17(2))

    Control SA-17(2), a subcontrol within the System and Services Acquisition family of NIST 800-53, emphasizes the need to identify and prioritize security-relevant components during the architecture and design phase of system and service development. This control ensures that critical security and privacy considerations are applied to the most significant components.

  • Developer Security and Privacy Architecture and Design | Formal Correspondence (SA-17(3))

    Control SA-17(3), a subcontrol within the System and Services Acquisition family of NIST 800-53, emphasizes the importance of establishing formal correspondence between the implemented security and privacy architecture and design and the documented security and privacy requirements and specifications.

  • Developer Security and Privacy Architecture and Design | Informal Correspondence (SA-17(4))

    Control SA-17(4), a subcontrol within the System and Services Acquisition family of NIST 800-53, addresses the need for informal correspondence between the implemented security and privacy architecture and design and the documented security and privacy requirements and specifications.

  • Developer Security and Privacy Architecture and Design | Conceptually Simple Design (SA-17(5))

    Control SA-17(5), a subcontrol within the System and Services Acquisition family of NIST 800-53, focuses on the importance of adopting a conceptually simple design approach in security and privacy architecture and design. A simpler design is often more transparent and easier to secure and protect.

  • Developer Security and Privacy Architecture and Design | Structure for Testing (SA-17(6))

    Control SA-17(6), a subcontrol within the System and Services Acquisition family of NIST 800-53, emphasizes the importance of establishing a structured approach to testing within the security and privacy architecture and design. This control ensures that security and privacy controls are thoroughly evaluated and validated during the development process.

  • Developer Security and Privacy Architecture and Design | Structure for Least Privilege (SA-17(7))

    Control SA-17(7), a subcontrol within the System and Services Acquisition family of NIST 800-53, focuses on the importance of structuring security and privacy architecture and design to adhere to the principle of least privilege. Least privilege ensures that individuals and processes are granted only the minimum access or permissions necessary to perform their tasks.

  • Developer Security and Privacy Architecture and Design | Orchestration (SA-17(8))

    Control SA-17(8), a subcontrol within the System and Services Acquisition family of NIST 800-53, focuses on the need for orchestration in security and privacy architecture and design. Orchestration involves the coordinated management of security and privacy controls, policies, and processes to ensure their effective implementation and response to evolving threats.

  • Developer Security and Privacy Architecture and Design | Design Diversity (SA-17(9))

    Control SA-17(9), a subcontrol within the System and Services Acquisition family of NIST 800-53, highlights the significance of incorporating design diversity into security and privacy architecture and design. Design diversity involves the deliberate use of varied security mechanisms, architectures, and techniques to enhance resilience and reduce the risk of single points of failure.

  • Tamper Resistance and Detection (SA-18)- Main Control

    Control SA-18, a key component within the System and Services Acquisition family of NIST 800-53, addresses the critical aspect of tamper resistance and detection in information systems and services. Tamper resistance measures and detection mechanisms are essential for protecting systems against physical and logical attacks that could compromise their security and integrity.

  • Tamper Resistance and Detection | Multiple Phases of System Development Life Cycle (SA-18(1))

    SA-18(1), a subcontrol within the Tamper Resistance and Detection control (SA-18) in the System and Services Acquisition family of NIST 800-53, emphasizes the importance of incorporating tamper-resistant measures and detection mechanisms across multiple phases of the system development life cycle (SDLC). This control ensures that security is considered from the initial design stage through development, testing, and operational deployment.

  • Tamper Resistance and Detection | Inspection of Systems or Components (SA-18(2))

    SA-18(2) is a subcontrol within the Tamper Resistance and Detection control (SA-18) of NIST 800-53. This control emphasizes the importance of regularly inspecting systems or components for signs of tampering or unauthorized modifications. These inspections are crucial for maintaining the integrity and security of information systems.

  • Component Authenticity (SA-19)- Main Control

    Control SA-19, part of the System and Services Acquisition family in NIST 800-53, addresses the critical issue of component authenticity in information systems and services. It focuses on ensuring that all hardware and software components used in an organization's systems are genuine and free from tampering or malicious alterations.

  • Component Authenticity | Anti-counterfeit Training (SA-19(1)), Configuration Control for Component Service and Repair (SA-19(2)), Component Disposal (SA-19(3)), Anti-counterfeit Scanning (SA-19(4))

    Control SA-19 focuses on ensuring the authenticity of components used in information systems and services. It includes four subcontrols that provide specific guidance and actions for achieving this goal. These subcontrols are:

    SA-19(1) - Anti-counterfeit Training:
    This subcontrol emphasizes the importance of training personnel involved in component acquisition and inspection to detect counterfeit components. Training helps employees recognize the signs of counterfeit components and take appropriate action.

    SA-19(2) - Configuration Control for Component Service and Repair:
    SA-19(2) addresses the need for maintaining configuration control over components when they undergo service or repair. It ensures that the integrity and authenticity of components are preserved during these processes.

    SA-19(3) - Component Disposal:
    This subcontrol focuses on the secure disposal of components that have reached the end of their lifecycle. Proper disposal procedures help prevent discarded components from being used in counterfeit or malicious ways.

    SA-19(4) - Anti-counterfeit Scanning:
    SA-19(4) involves using scanning and verification mechanisms to detect counterfeit components during the acquisition process. It adds an additional layer of security to confirm the authenticity of acquired components.

  • Customized Development of Critical Components (SA-20)- Main Control

    Control SA-20, as part of the System and Services Acquisition family in NIST 800-53, addresses the development of customized critical components used in information systems and services. It emphasizes the importance of ensuring the security, integrity, and reliability of these custom components.

  • Developer Screening (SA-21)- Main Control

    Control SA-21, part of the System and Services Acquisition family in NIST 800-53, addresses the importance of screening and vetting individuals who are involved in the development of information systems and services. It focuses on ensuring that developers possess the necessary qualifications and trustworthiness to handle sensitive tasks.

  • Developer Screening | Validation of Screening (SA-21(1))

    Subcontrol SA-21(1) is a component of the Developer Screening control within the System and Services Acquisition family of NIST 800-53. It emphasizes the importance of validating the screening process for individuals involved in system and service development to ensure its effectiveness and accuracy.

  • Unsupported System Components (SA-22)- Main Control

    Control SA-22, a part of the System and Services Acquisition family in NIST 800-53, addresses the management of unsupported system components within an organization's information systems. It emphasizes the importance of identifying, assessing, and mitigating risks associated with unsupported hardware or software components.

  • Unsupported System Components | Alternative Sources for Continued Support (SA-22(1))

    Subcontrol SA-22(1) is a component of the Unsupported System Components control within the System and Services Acquisition family of NIST 800-53. It focuses on identifying and utilizing alternative sources for continued support and maintenance of system components that have become unsupported by their original vendors.

  • Specialization (SA-23)- Main Control

    Control SA-23, part of the System and Services Acquisition family in NIST 800-53, addresses the need for specialized security requirements and controls for information systems. It emphasizes tailoring security measures to meet the unique needs and risks of specialized systems and services.

The System and Communications Protection control family is designed to ensure the security of information systems and the communications that occur within and between systems. This family addresses the protection of information at rest, in transit, and during processing. The controls within this family aim to prevent unauthorized access, detect and respond to security incidents, and establish secure communication channels to safeguard the confidentiality and integrity of information.

  • Policy and Procedures (SC-1)- Main Control

    Control SC-1, part of the System and Communications Protection family in NIST 800-53, focuses on the development and implementation of policies and procedures for securing the organization's communication and information systems.

  • Separation of System and User Functionality (SC-2)- Main Control

    Control SC-2, part of the System and Communications Protection family in NIST 800-53, emphasizes the importance of separating system functionality from user functionality. This separation helps protect information systems and data from unauthorized access and misuse.

  • Separation of System and User Functionality | Interfaces for Non-privileged Users (SC-2(1))

    Control SC-2(1), a subcontrol under the Separation of System and User Functionality (SC-2) main control in the System and Communications Protection family of NIST 800-53, focuses on ensuring that non-privileged users have access only to user interfaces and functionality, while privileged users have access to both user and system interfaces.

  • Separation of System and User Functionality | Disassociability (SC-2(2))

    Control SC-2(2), a subcontrol under the Separation of System and User Functionality (SC-2) main control in the System and Communications Protection family of NIST 800-53, focuses on ensuring the disassociability of user-level functionality and data from system-level functionality and data. This control aims to prevent unintended interactions that could lead to security breaches or disruptions.

  • Security Function Isolation (SC-3)- Main Control

    Control SC-3, in the System and Communications Protection family of NIST 800-53, focuses on the isolation of security functions to prevent unauthorized access, tampering, or interference. It ensures that security mechanisms are protected from being compromised by other functions within the system.

  • Security Function Isolation | Hardware Separation (SC-3(1))

    Control SC-3(1) is a subcontrol under Security Function Isolation (SC-3) in the System and Communications Protection family of NIST 800-53. It emphasizes the need for hardware separation to isolate security functions from non-security functions within an information system. This control ensures that critical security mechanisms are physically segregated to prevent unauthorized access or interference.

  • Security Function Isolation | Access and Flow Control Functions (SC-3(2))

    Control SC-3(2) is a subcontrol under Security Function Isolation (SC-3) in the System and Communications Protection family of NIST 800-53. It emphasizes the need for isolating access and flow control functions within an information system to prevent unauthorized access, tampering, or interference.

  • Security Function Isolation | Minimize Nonsecurity Functionality (SC-3(3))

    Control SC-3(3) is a subcontrol under Security Function Isolation (SC-3) in the System and Communications Protection family of NIST 800-53. It emphasizes the need to minimize nonsecurity functionality within security components to reduce the attack surface and enhance security.

  • Security Function Isolation | Module Coupling and Cohesiveness (SC-3(4))

    Control SC-3(4) is a subcontrol under Security Function Isolation (SC-3) in the System and Communications Protection family of NIST 800-53. It emphasizes the importance of assessing and managing the coupling and cohesiveness of security modules to ensure they operate effectively and independently.

  • Security Function Isolation | Layered Structures (SC-3(5))

    Control SC-3(5) is a subcontrol under Security Function Isolation (SC-3) in the System and Communications Protection family of NIST 800-53. It emphasizes the importance of implementing layered security structures to enhance the isolation and effectiveness of security functions.

  • Information in Shared System Resources (SC-4)- Main Control

    Control SC-4 is part of the System and Communications Protection family within NIST 800-53. It focuses on protecting information residing in shared system resources. Shared system resources are components or services within an information system that are used by multiple users or processes concurrently. This control is essential for ensuring that sensitive data remains confidential and integrity is maintained when shared resources are utilized.

  • Information in Shared System Resources | Security Levels (SC-4(1))

    SC-4(1) - Security Levels: This subcontrol of the Information in Shared System Resources control (SC-4) addresses the need to classify and assign security levels to the data stored or processed within shared system resources. Security levels help determine the appropriate safeguards and protections required for different types of information.

  • Boundary Protection | Physically Separated Subnetworks (SC-7(1))

    SC-7(1) - Physically Separated Subnetworks: This subcontrol of the Boundary Protection control (SC-7) focuses on physically separating subnetworks within an organization's information system. The physical separation ensures that certain portions of the network are isolated from others, preventing unauthorized access and minimizing the risk of compromise.

  • Information in Shared System Resources | Multilevel or Periods Processing (SC-4(2))

    SC-4(2) - Multilevel or Periods Processing: This subcontrol of the "Information in Shared System Resources" control (SC-4) focuses on the security of shared system resources that support multilevel or periods processing. Multilevel or periods processing refers to situations where information of varying security levels or classifications is processed on the same system, or where information is processed over different periods of time.

  • Denial-of-service Protection (SC-5)- Main Control

    SC-5 - Denial-of-service Protection: This control falls under the "System and Communications Protection" family and focuses on protecting information systems and their components from denial-of-service (DoS) attacks. A DoS attack aims to disrupt or degrade the availability of an information system, making it inaccessible to users or causing severe performance degradation.

  • Denial-of-service Protection | Restrict Ability to Attack Other Systems (SC-5(1))

    SC-5(1) - Restrict Ability to Attack Other Systems: This subcontrol is a part of the "Denial-of-service Protection" control (SC-5) in the "System and Communications Protection" family. Its focus is on measures to prevent an attacker from using the compromised system to launch attacks on other systems, a technique commonly associated with distributed denial-of-service (DDoS) attacks.

  • Denial-of-service Protection | Capacity, Bandwidth, and Redundancy (SC-5(2))

    SC-5(2) - Capacity, Bandwidth, and Redundancy: This subcontrol is part of the "Denial-of-service Protection" control (SC-5) within the "System and Communications Protection" family. It focuses on ensuring that an organization's systems have the necessary capacity, bandwidth, and redundancy to handle legitimate traffic and mitigate the impact of denial-of-service attacks.

  • Denial-of-service Protection | Detection and Monitoring (SC-5(3))

    SC-5(3) - Detection and Monitoring: This subcontrol is part of the "Denial-of-service Protection" control (SC-5) within the "System and Communications Protection" family. It focuses on the proactive detection and monitoring of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks to initiate timely response measures.

  • Resource Availability (SC-6)- Main Control

    SC-6 - Resource Availability: This control is part of the "System and Communications Protection" family and focuses on ensuring the availability of critical system resources and services during and after adverse conditions, including natural disasters, cyberattacks, and other disruptions.

  • Boundary Protection (SC-7)- Main Control

    SC-7 - Boundary Protection: This control is part of the "System and Communications Protection" family and focuses on establishing and maintaining protective measures at system boundaries to prevent unauthorized access and communication. It safeguards the security and integrity of an organization's systems and data.

  • Boundary Protection | Public Access (SC-7(2)), Boundary Protection | Response to Recognized Failures (SC-7(6)), Cryptographic Key Establishment and Management | PKI Certificates (SC-12(4)), Transmission Confidentiality (SC-9)- Main Control

    SC-9 - Transmission Confidentiality: This control is part of the "System and Communications Protection" family and focuses on protecting the confidentiality of data during transmission. It ensures that sensitive information remains confidential and is not disclosed to unauthorized entities while in transit.

  • Boundary Protection | Access Points (SC-7(3))

    SC-7(3) - Boundary Protection | Access Points: This control falls under the "System and Communications Protection" family and focuses on securing access points where systems and networks connect with external networks or untrusted zones. It aims to prevent unauthorized access, malicious activities, and the exploitation of vulnerabilities at these entry and exit points.

  • Boundary Protection | External Telecommunications Services (SC-7(4))

    SC-7(4) - Boundary Protection | External Telecommunications Services: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on securing and monitoring external telecommunications services that connect an organization's information systems to external networks or service providers.

  • Boundary Protection | Deny by Default — Allow by Exception (SC-7(5))

    SC-7(5) - Boundary Protection | Deny by Default — Allow by Exception: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It emphasizes the security principle of "deny by default and allow by exception" when configuring network boundaries and security perimeters.

  • Boundary Protection | Split Tunneling for Remote Devices (SC-7(7))

    SC-7(7) - Boundary Protection | Split Tunneling for Remote Devices: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It addresses the use of split tunneling by remote devices connected to an organization's network.

  • Boundary Protection | Route Traffic to Authenticated Proxy Servers (SC-7(8))

    SC-7(8) - Boundary Protection | Route Traffic to Authenticated Proxy Servers: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on the practice of routing network traffic through authenticated proxy servers to enhance security.

  • Boundary Protection | Restrict Threatening Outgoing Communications Traffic (SC-7(9))

    SC-7(9) - Boundary Protection | Restrict Threatening Outgoing Communications Traffic: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on restricting outbound communications traffic that may pose threats or security risks.

  • Boundary Protection | Prevent Exfiltration (SC-7(10))

    SC-7(10) - Boundary Protection | Prevent Exfiltration: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on measures to prevent the unauthorized exfiltration or leakage of sensitive data from an organization's network.

  • Boundary Protection | Restrict Incoming Communications Traffic (SC-7(11))

    SC-7(11) - Boundary Protection | Restrict Incoming Communications Traffic: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on implementing measures to restrict and control incoming network traffic to protect an organization's systems and assets.

  • Boundary Protection | Host-based Protection (SC-7(12))

    SC-7(12) - Boundary Protection | Host-based Protection: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on implementing measures to protect individual hosts (e.g., servers and workstations) from incoming network threats and attacks.

  • Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components (SC-7(13))

    SC-7(13) - Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It emphasizes the need to isolate security tools, mechanisms, and support components from the primary network to enhance their effectiveness and reduce the risk of compromise.

  • Boundary Protection | Protect Against Unauthorized Physical Connections (SC-7(14))

    SC-7(14) - Boundary Protection | Protect Against Unauthorized Physical Connections: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on safeguarding against unauthorized physical connections to an organization's information systems, which could potentially compromise their security.

  • Boundary Protection | Networked Privileged Accesses (SC-7(15))

    SC-7(15) - Boundary Protection | Networked Privileged Accesses: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on securing networked privileged accesses to critical systems and resources.

  • Boundary Protection | Prevent Discovery of System Components (SC-7(16))

    SC-7(16) - Boundary Protection | Prevent Discovery of System Components: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on preventing the unauthorized discovery of system components from external sources.

  • Boundary Protection | Automated Enforcement of Protocol Formats (SC-7(17))

    SC-7(17) - Boundary Protection | Automated Enforcement of Protocol Formats: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on the automated enforcement of protocol formats to ensure that data exchanged between networked components adheres to predefined standards and formats.

  • Boundary Protection | Fail Secure (SC-7(18))

    SC-7(18) - Boundary Protection | Fail Secure: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on ensuring that, in the event of a network security breach or failure, networked components and systems default to a secure state, minimizing the potential for unauthorized access and data exposure.

  • Boundary Protection | Block Communication from Non-organizationally Configured Hosts (SC-7(19))

    SC-7(19) - Boundary Protection | Block Communication from Non-organizationally Configured Hosts: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on preventing communication between an organization's systems and hosts that are not properly configured or authorized, reducing the risk of unauthorized access and cyber threats.

  • Boundary Protection | Dynamic Isolation and Segregation (SC-7(20))

    SC-7(20) - Boundary Protection | Dynamic Isolation and Segregation: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It emphasizes the importance of dynamically isolating and segregating network segments and components based on changing threat conditions and security requirements.

  • Boundary Protection | Isolation of System Components (SC-7(21))

    SC-7(21) - Boundary Protection | Isolation of System Components: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on the need to isolate individual system components within an organization's network to minimize the risk of unauthorized access, data breaches, or lateral movement by attackers.

  • Boundary Protection | Separate Subnets for Connecting to Different Security Domains (SC-7(22))

    SC-7(22) - Boundary Protection | Separate Subnets for Connecting to Different Security Domains: This is a subcontrol of the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on the need to use separate network subnets when connecting to different security domains to enhance network security and isolation.

  • Boundary Protection | Disable Sender Feedback on Protocol Validation Failure (SC-7(23))

    SC-7(23) is a subcontrol of the "Boundary Protection" control (SC-7) in the "System and Communications Protection" family. It focuses on enhancing network security by disabling sender feedback in response to protocol validation failures, reducing the risk of information leakage and potential attacks.

  • Boundary Protection | Personally Identifiable Information (SC-7(24))

    SC-7(24) is a subcontrol of the "Boundary Protection" control (SC-7) in the "System and Communications Protection" family. It specifically focuses on protecting Personally Identifiable Information (PII) from unauthorized access and disclosure at network boundaries.

  • Boundary Protection | Unclassified National Security System Connections (SC-7(25))

    SC-7(25) is a subcontrol of the "Boundary Protection" control (SC-7) in the "System and Communications Protection" family. It focuses on protecting connections to Unclassified National Security Systems (NSS) at network boundaries.

  • Boundary Protection | Classified National Security System Connections (SC-7(26))

    SC-7(26) is a subcontrol of the "Boundary Protection" control (SC-7) in the "System and Communications Protection" family. It focuses on safeguarding connections to Classified National Security Systems (NSS) at network boundaries.

  • Boundary Protection | Unclassified Non-national Security System Connections (SC-7(27))

    SC-7(27) is a subcontrol of the "Boundary Protection" control (SC-7) in the "System and Communications Protection" family. It focuses on safeguarding connections to Unclassified Non-national Security Systems (Non-NSS) at network boundaries.

  • Boundary Protection | Connections to Public Networks (SC-7(28))

    SC-7(28) is a subcontrol of the "Boundary Protection" control (SC-7) in the "System and Communications Protection" family. It focuses on securing connections to public networks, which are external networks not controlled by the organization.

  • Boundary Protection | Separate Subnets to Isolate Functions (SC-7(29))

    SC-7(29) is a subcontrol of the "Boundary Protection" control (SC-7) in the "System and Communications Protection" family. It emphasizes the importance of using separate subnets to isolate different functions or services within an organization's network.

  • Transmission Confidentiality and Integrity (SC-8)- Main Control

    SC-8 is a control in the "System and Communications Protection" family of the NIST 800-53 framework. It focuses on ensuring the confidentiality and integrity of data during transmission across communication channels and networks.

  • Transmission Confidentiality and Integrity | Cryptographic Protection (SC-8(1))

    SC-8(1) is a subcontrol under the "Transmission Confidentiality and Integrity" control (SC-8) within the "System and Communications Protection" family of the NIST 800-53 framework. This subcontrol specifically focuses on the use of cryptographic protection to ensure the confidentiality and integrity of data during transmission.

  • Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling (SC-8(2))

    SC-8(2) is a subcontrol under the "Transmission Confidentiality and Integrity" control (SC-8) within the "System and Communications Protection" family of the NIST 800-53 framework. This subcontrol focuses on ensuring the confidentiality and integrity of data not only during transmission but also during its pre- and post-transmission phases.

  • Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals (SC-8(3))

    SC-8(3) is a subcontrol under the "Transmission Confidentiality and Integrity" control (SC-8) within the "System and Communications Protection" family of the NIST 800-53 framework. This subcontrol focuses on ensuring the confidentiality and integrity of external messages through cryptographic protection.

  • Transmission Confidentiality and Integrity | Conceal or Randomize Communications (SC-8(4))

    SC-8(4) is a subcontrol under the "Transmission Confidentiality and Integrity" control (SC-8) within the "System and Communications Protection" family of the NIST 800-53 framework. This subcontrol emphasizes the need to conceal or randomize communications to enhance security.

  • Transmission Confidentiality and Integrity | Protected Distribution System (SC-8(5))

    SC-8(5) is a subcontrol under the "Transmission Confidentiality and Integrity" control (SC-8) within the "System and Communications Protection" family of the NIST 800-53 framework. This subcontrol focuses on the implementation of a Protected Distribution System (PDS) to enhance the confidentiality and integrity of data during transmission.

  • Network Disconnect (SC-10)- Main Control

    The Network Disconnect control, part of the System and Communications Protection family, focuses on the proper management of network connections, particularly in situations where it is necessary to disconnect a system or device from a network promptly. This control helps prevent unauthorized access, data breaches, and other security incidents by ensuring that network connections are managed effectively.

  • Trusted Path (SC-11)- Main Control

    The Trusted Path control, part of the System and Communications Protection family, focuses on ensuring that users have a secure and trustworthy means to interact with information systems. This control helps prevent unauthorized or malicious applications from masquerading as legitimate interfaces, protecting the confidentiality, integrity, and availability of sensitive information.

  • Trusted Path | Irrefutable Communications Path (SC-11(1))

    The Irrefutable Communications Path control, a subset of the Trusted Path control (SC-11), emphasizes the establishment of a communication channel that is unquestionably secure and trustworthy between users and information systems. This control aims to provide users with a means to verify the authenticity and integrity of their interactions with systems, leaving no room for doubt or manipulation.

  • Cryptographic Key Establishment and Management (SC-12)- Main Control

    Cryptographic Key Establishment and Management (SC-12) is a crucial control within the System and Communications Protection family. This control focuses on the secure generation, distribution, and management of cryptographic keys used to protect sensitive information. Effective key management is essential to maintain the confidentiality and integrity of data in a system.

  • Cryptographic Key Establishment and Management | Availability (SC-12(1))

    Cryptographic Key Establishment and Management | Availability (SC-12(1)) is a specific subcontrol within SC-12, focusing on ensuring the availability of cryptographic keys when needed. Availability is one of the key aspects of secure key management, ensuring that cryptographic operations can be performed without disruption.

  • Cryptographic Key Establishment and Management | Symmetric Keys (SC-12(2))

    Cryptographic Key Establishment and Management | Symmetric Keys (SC-12(2)) is a specific subcontrol within SC-12, focusing on the secure management of symmetric cryptographic keys. Symmetric keys are used for encryption and decryption, and their proper management is critical to ensuring the confidentiality and integrity of sensitive information.

  • Cryptographic Key Establishment and Management | Asymmetric Keys (SC-12(3))

    Cryptographic Key Establishment and Management | Asymmetric Keys (SC-12(3)) is a specific subcontrol within SC-12, focusing on the secure management of asymmetric cryptographic keys. Asymmetric keys, which consist of public and private key pairs, are used for secure data exchange, digital signatures, and authentication.

  • Cryptographic Key Establishment and Management | PKI Certificates / Hardware Tokens (SC-12(5))

    Cryptographic Key Establishment and Management | PKI Certificates / Hardware Tokens (SC-12(5)) is a specific subcontrol within SC-12, focusing on the use of Public Key Infrastructure (PKI) certificates in combination with hardware tokens for secure cryptographic key management. This subcontrol helps ensure that cryptographic keys used in an organization's systems and communications are protected through the use of PKI certificates and hardware tokens.

  • Cryptographic Key Establishment and Management | Physical Control of Keys (SC-12(6))

    Cryptographic Key Establishment and Management | Physical Control of Keys (SC-12(6)) is a specific subcontrol within SC-12, focusing on the physical protection of cryptographic keys. This subcontrol emphasizes the importance of safeguarding cryptographic keys from unauthorized access, theft, or tampering through physical security measures.

  • Cryptographic Protection (SC-13)- Main Control

    Cryptographic Protection (SC-13) is a main control within the System and Communications Protection family of NIST Special Publication 800-53. This control focuses on the use of cryptographic techniques to protect the confidentiality and integrity of information and communications within an organization's information systems.

  • Cryptographic Protection | FIPS-validated Cryptography (SC-13(1))

  • Concealment and Misdirection | Virtualization Techniques (SC-30(1))

  • Transmission Preparation Integrity (SC-33)- Main Control

  • Cryptographic Protection | NSA-approved Cryptography (SC-13(2))

    The Cryptographic Protection | NSA-approved Cryptography subcontrol (SC-13(2)) is a part of the System and Communications Protection control family in NIST 800-53. It focuses on the use of cryptography to protect sensitive information and communications. Specifically, this subcontrol emphasizes the importance of employing cryptographic algorithms and key management practices that have been approved by the National Security Agency (NSA). NSA-approved cryptography ensures that encryption methods and keys used to protect data meet rigorous security standards established by the NSA.

  • Cryptographic Protection | Individuals Without Formal Access Approvals (SC-13(3))

    The Cryptographic Protection | Individuals Without Formal Access Approvals subcontrol (SC-13(3)) is a component of the System and Communications Protection control family in NIST 800-53. This subcontrol focuses on protecting sensitive information through cryptographic means when individuals who lack formal access approvals require access to the information. It recognizes that in certain situations, exceptions may be made to allow access to authorized personnel who do not possess formal access approvals due to exigent circumstances or special situations.

  • Cryptographic Protection | Digital Signatures (SC-13(4))

    The Cryptographic Protection | Digital Signatures subcontrol (SC-13(4)) is part of the System and Communications Protection control family in NIST 800-53. This subcontrol focuses on the use of digital signatures to protect the integrity and authenticity of information exchanged or transmitted electronically. Digital signatures provide a means to verify the source and integrity of electronic documents and data.

  • Public Access Protections (SC-14)- Main Control

    The Public Access Protections control (SC-14) is part of the System and Communications Protection control family in NIST 800-53. This control focuses on establishing and enforcing protections for public access to information systems. It is crucial to ensure that systems and resources accessible by the public are adequately protected to prevent unauthorized access, data breaches, and malicious activities.

  • Collaborative Computing Devices and Applications (SC-15)- Main Control

    The Collaborative Computing Devices and Applications control (SC-15) is part of the System and Communications Protection control family in NIST 800-53. This control addresses security considerations related to collaborative computing environments, including shared devices and applications. It focuses on ensuring that collaborative tools and technologies do not compromise the security and confidentiality of sensitive information.

  • Collaborative Computing Devices and Applications | Physical or Logical Disconnect (SC-15(1))

    The Physical or Logical Disconnect subcontrol (SC-15(1)) is a specific requirement under the Collaborative Computing Devices and Applications control (SC-15) within the NIST 800-53 framework. This subcontrol focuses on the security of collaborative computing devices and applications when they are physically or logically disconnected from the organization's network or information systems.

  • Collaborative Computing Devices and Applications | Blocking Inbound and Outbound Communications Traffic (SC-15(2))

    The Blocking Inbound and Outbound Communications Traffic subcontrol (SC-15(2)) is a specific requirement under the Collaborative Computing Devices and Applications control (SC-15) within the NIST 800-53 framework. This subcontrol focuses on the security of collaborative computing devices and applications by regulating inbound and outbound communications traffic to and from these devices and applications.

  • Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas (SC-15(3))

    The Disabling and Removal in Secure Work Areas subcontrol (SC-15(3)) is a specific requirement under the Collaborative Computing Devices and Applications control (SC-15) within the NIST 800-53 framework. This subcontrol emphasizes the importance of disabling or removing collaborative computing devices and applications in secure work areas when they are not in use to prevent unauthorized access and data breaches.

  • Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants (SC-15(4))

    The Explicitly Indicate Current Participants subcontrol (SC-15(4)) is a specific requirement under the Collaborative Computing Devices and Applications control (SC-15) within the NIST 800-53 framework. This subcontrol emphasizes the importance of explicitly indicating the current participants in collaborative computing sessions to ensure accountability, transparency, and proper access control.

  • Transmission of Security and Privacy Attributes (SC-16)- Main Control

    The Transmission of Security and Privacy Attributes control (SC-16) is designed to ensure that security and privacy attributes associated with information are accurately and securely transmitted along with the information itself. This control aims to maintain the integrity and confidentiality of these attributes during transmission.

  • Transmission of Security and Privacy Attributes | Integrity Verification (SC-16(1))

    The Integrity Verification control (SC-16(1)) is a specific subcontrol within the broader Transmission of Security and Privacy Attributes (SC-16) control. SC-16(1) focuses on the importance of verifying the integrity of security and privacy attributes during transmission. It ensures that these attributes have not been tampered with or altered in any unauthorized way.

  • Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms (SC-16(2))

    The Anti-spoofing Mechanisms control (SC-16(2)) is a specific subcontrol within the broader Transmission of Security and Privacy Attributes (SC-16) control. SC-16(2) focuses on the implementation of mechanisms that help prevent spoofing attacks during the transmission of security and privacy attributes. Spoofing attacks involve malicious actors impersonating legitimate entities to gain unauthorized access or manipulate data.

  • Transmission of Security and Privacy Attributes | Cryptographic Binding (SC-16(3))

    The Cryptographic Binding control (SC-16(3)) is a specific subcontrol within the broader Transmission of Security and Privacy Attributes (SC-16) control. SC-16(3) emphasizes the use of cryptographic techniques to bind security and privacy attributes to the data they protect. Cryptographic binding ensures the integrity and confidentiality of attributes during transmission and storage.

  • Public Key Infrastructure Certificates (SC-17)- Main Control

    The Public Key Infrastructure Certificates control (SC-17) is designed to ensure the proper management and use of Public Key Infrastructure (PKI) certificates within an organization's information systems. PKI certificates play a critical role in establishing secure communication channels and verifying the identity of individuals and entities in a digital environment.

  • Mobile Code (SC-18)- Main Control

    The Mobile Code control (SC-18) is designed to manage the risks associated with the execution of mobile code on organizational information systems. Mobile code refers to software or scripts that can be executed remotely on a system, often without the user's explicit consent. Managing mobile code is crucial for protecting systems against potential security threats introduced by untrusted code execution.

  • Mobile Code | Identify Unacceptable Code and Take Corrective Actions (SC-18(1))

    The "Identify Unacceptable Code and Take Corrective Actions" subcontrol (SC-18(1)) is part of the Mobile Code control (SC-18) within the System and Communications Protection (SC) family. It focuses on identifying and managing mobile code that is deemed unacceptable or potentially harmful to organizational information systems. This subcontrol emphasizes the need for continuous monitoring and proactive measures to address unacceptable code.

  • Mobile Code | Acquisition, Development, and Use (SC-18(2))

    The "Acquisition, Development, and Use" subcontrol (SC-18(2)) is part of the Mobile Code control (SC-18) within the System and Communications Protection (SC) family. It focuses on managing the risks associated with the acquisition, development, and utilization of mobile code within an organization. This subcontrol emphasizes the need for a structured and secure approach to mobile code throughout its lifecycle.

  • Mobile Code | Prevent Downloading and Execution (SC-18(3))

    The "Prevent Downloading and Execution" subcontrol (SC-18(3)) is part of the Mobile Code control (SC-18) within the System and Communications Protection (SC) family. It focuses on preventing the unauthorized downloading and execution of mobile code within an organization's information systems. This subcontrol aims to mitigate risks associated with uncontrolled or malicious mobile code execution.

  • Mobile Code | Prevent Automatic Execution (SC-18(4))

    The "Prevent Automatic Execution" subcontrol (SC-18(4)) is part of the Mobile Code control (SC-18) within the System and Communications Protection (SC) family. This subcontrol emphasizes the importance of preventing the automatic execution of mobile code within an organization's information systems. It aims to mitigate the risks associated with uncontrolled or malicious code execution.

  • Mobile Code | Allow Execution Only in Confined Environments (SC-18(5))

    The "Allow Execution Only in Confined Environments" subcontrol (SC-18(5)) is part of the Mobile Code control (SC-18) within the System and Communications Protection (SC) family. This subcontrol emphasizes the importance of allowing the execution of mobile code only within well-defined, controlled environments to mitigate security risks.

  • Voice Over Internet Protocol (SC-19)- Main Control

    The "Voice Over Internet Protocol" (VoIP) control (SC-19) falls under the System and Communications Protection (SC) family in NIST 800-53. It addresses the security requirements specific to VoIP systems and services used for voice communication over IP networks.

  • Secure Name/Address Resolution Service (Authoritative Source) (SC-20)- Main Control

    The "Secure Name/Address Resolution Service (Authoritative Source)" control (SC-20) falls under the System and Communications Protection (SC) family in NIST 800-53. It addresses the security requirements for ensuring the integrity and authenticity of the name/address resolution service (such as an authoritative DNS server) that acts as the authoritative source for resolving hostnames to IP addresses.

  • Secure Name/Address Resolution Service (Authoritative Source) | Child Subspaces (SC-20(1))

    The "Child Subspaces" subcontrol (SC-20(1)) is a specific component of the broader "Secure Name/Address Resolution Service (Authoritative Source)" control (SC-20) within the System and Communications Protection (SC) family of NIST 800-53. SC-20(1) focuses on ensuring the security and integrity of child subspaces within the DNS (Domain Name System) authoritative source.

  • Secure Name/Address Resolution Service (Authoritative Source) | Data Origin and Integrity (SC-20(2))

    The "Data Origin and Integrity" subcontrol (SC-20(2)) is a specific component of the broader "Secure Name/Address Resolution Service (Authoritative Source)" control (SC-20) within the System and Communications Protection (SC) family of NIST 800-53. SC-20(2) focuses on ensuring the origin and integrity of data within the DNS (Domain Name System) authoritative source.

  • Secure Name/Address Resolution Service (Recursive or Caching Resolver) (SC-21)- Main Control

    The "Secure Name/Address Resolution Service (Recursive or Caching Resolver)" control (SC-21) is part of the System and Communications Protection (SC) family in NIST 800-53. It focuses on the security of recursive or caching resolvers within a DNS (Domain Name System) infrastructure. These resolvers are responsible for caching DNS query results and efficiently resolving domain names to IP addresses.

  • Secure Name/Address Resolution Service (Recursive or Caching Resolver) | Data Origin and Integrity (SC-21(1))

    The "Secure Name/Address Resolution Service (Recursive or Caching Resolver) | Data Origin and Integrity" control (SC-21(1)) is a specific enhancement of the SC-21 control. It focuses on ensuring the integrity of DNS data and verifying the origin of DNS responses within the context of recursive or caching resolvers.

  • Sensor Capability and Data | Prohibit Use of Devices (SC-42(3))

  • Architecture and Provisioning for Name/Address Resolution Service (SC-22)- Main Control

    The "Architecture and Provisioning for Name/Address Resolution Service" control (SC-22) is part of the System and Communications Protection (SC) family in NIST 800-53. It focuses on the establishment and maintenance of secure architecture and provisioning for name/address resolution services, such as the Domain Name System (DNS).

  • Session Authenticity (SC-23)- Main Control

    The "Session Authenticity" control (SC-23) is part of the System and Communications Protection (SC) family in NIST 800-53. It focuses on ensuring the authenticity of network sessions, particularly user sessions, to prevent unauthorized access and protect the integrity of communications.

  • Session Authenticity | Invalidate Session Identifiers at Logout (SC-23(1))

    The "Invalidate Session Identifiers at Logout" control is a specific requirement under NIST 800-53's System and Communications Protection (SC) family, focusing on ensuring the authenticity of network sessions. SC-23(1) addresses the need to invalidate session identifiers promptly when users log out or terminate their sessions, preventing unauthorized access to their accounts and enhancing session security.

  • Session Authenticity | User-initiated Logouts and Message Displays (SC-23(2))

    The "User-initiated Logouts and Message Displays" control is a specific requirement under NIST 800-53's System and Communications Protection (SC) family, focusing on ensuring the authenticity of network sessions. SC-23(2) emphasizes user-initiated logouts and the display of messages to users, enhancing session security and user awareness.

  • Session Authenticity | Unique System-generated Session Identifiers (SC-23(3))

    The "Unique System-generated Session Identifiers" control is a specific requirement under NIST 800-53's System and Communications Protection (SC) family, focusing on ensuring the authenticity of network sessions. SC-23(3) emphasizes the generation of unique system-generated session identifiers for each user session, enhancing session security by preventing session hijacking or unauthorized access.

  • Session Authenticity | Unique Session Identifiers with Randomization (SC-23(4))

    The "Unique Session Identifiers with Randomization" control is a specific requirement under NIST 800-53's System and Communications Protection (SC) family, focusing on enhancing session authenticity for networked systems. SC-23(4) emphasizes the generation of unique session identifiers with added randomization to strengthen session security and prevent session hijacking or unauthorized access.

  • Session Authenticity | Allowed Certificate Authorities (SC-23(5))

    The "Allowed Certificate Authorities" control is a specific requirement under NIST 800-53's System and Communications Protection (SC) family, focusing on enhancing session authenticity and security by specifying which certificate authorities (CAs) are permitted to issue digital certificates for use in secure communications.

  • Fail in Known State (SC-24)- Main Control

    The "Fail in Known State" control, under NIST 800-53's System and Communications Protection (SC) family, focuses on ensuring that information systems and communications components are designed to enter a secure or known state in the event of a system failure or disruption. This control aims to prevent the system or component from becoming vulnerable or providing unauthorized access during or after a failure.

  • Thin Nodes (SC-25)- Main Control

    The "Thin Nodes" control, part of NIST 800-53's System and Communications Protection (SC) family, focuses on securing information system nodes that have minimal processing capabilities, commonly referred to as "thin clients" or "thin nodes." Thin clients rely on centralized servers for processing and are often used to access applications and data remotely. This control aims to ensure the security and integrity of these thin nodes and their connections to the central servers.

  • Decoys (SC-26)- Main Control

    The "Decoys" control, part of NIST 800-53's System and Communications Protection (SC) family, focuses on the use of decoy systems and deceptive techniques to detect, deter, or mitigate cyberattacks and unauthorized activities. Decoys are designed to mimic legitimate systems or resources, attracting potential attackers and diverting their attention away from actual critical systems and data.

  • Decoys | Detection of Malicious Code (SC-26(1))

    Subcontrol SC-26(1) under the "Decoys" control, within NIST 800-53's System and Communications Protection (SC) family, focuses specifically on using decoys to detect malicious code within an organization's network or systems. Decoys, in this context, are strategically placed to lure and identify malicious code or malware that may be attempting to infiltrate or move laterally within the network.

  • Platform-independent Applications (SC-27)- Main Control

    Control SC-27, within NIST 800-53's System and Communications Protection (SC) family, focuses on ensuring the security of platform-independent applications used within an organization. Platform-independent applications are designed to run on various operating systems and platforms, and this control aims to mitigate security risks associated with their use.

  • Protection of Information at Rest (SC-28)- Main Control

    Control SC-28, within NIST 800-53's System and Communications Protection (SC) family, focuses on safeguarding sensitive information when it is at rest, meaning it is stored or archived on storage devices or media. The control aims to protect this information from unauthorized access, disclosure, alteration, or destruction while it is not in active use.

  • Protection of Information at Rest | Cryptographic Protection (SC-28(1))

    Subcontrol SC-28(1), within NIST 800-53's System and Communications Protection (SC) family, focuses on the use of cryptographic protection to safeguard sensitive information when it is at rest. Cryptographic protection involves the use of encryption techniques to secure data stored on various types of storage media or devices, such as hard drives, solid-state drives, magnetic tapes, and optical discs. This subcontrol emphasizes the importance of encrypting sensitive data to prevent unauthorized access and disclosure.

  • Protection of Information at Rest | Offline Storage (SC-28(2))

    Subcontrol SC-28(2) within NIST 800-53's System and Communications Protection (SC) family addresses the security of information when it is at rest and stored in offline or removable storage devices or media. Offline storage refers to data that is not actively connected to a network or system and is typically archived or stored on physical media such as tapes, external hard drives, or optical discs. This subcontrol emphasizes the need to protect sensitive data when it is stored offline to prevent unauthorized access and disclosure.

  • Protection of Information at Rest | Cryptographic Keys (SC-28(3))

    Subcontrol SC-28(3) within NIST 800-53's System and Communications Protection (SC) family focuses on the security of cryptographic keys used to protect information at rest. Cryptographic keys are a critical component of encryption algorithms and play a pivotal role in safeguarding the confidentiality and integrity of stored data. This subcontrol emphasizes the need to manage cryptographic keys securely to prevent unauthorized access to sensitive information.

  • Heterogeneity (SC-29)- Main Control

    Control SC-29 within NIST 800-53's System and Communications Protection (SC) family addresses the importance of heterogeneity in an organization's information technology (IT) environment. Heterogeneity refers to the diversity of hardware, software, and network components used within an organization's IT infrastructure. This diversity can enhance security by reducing the vulnerabilities associated with a homogeneous environment, where a single flaw can affect every component at once.

  • Heterogeneity | Virtualization Techniques (SC-29(1))

    Subcontrol SC-29(1) within NIST 800-53's System and Communications Protection (SC) family focuses on the use of virtualization techniques to enhance the heterogeneity of an organization's information technology (IT) environment. Virtualization allows for the creation of multiple virtual instances or environments on a single physical system, which can be leveraged to introduce diversity and improve security.

  • Concealment and Misdirection (SC-30)- Main Control

    Control SC-30 within NIST 800-53's System and Communications Protection (SC) family emphasizes the use of concealment and misdirection techniques to enhance an organization's overall cybersecurity posture. Concealment and misdirection techniques involve hiding and obfuscating sensitive information and network activities to deter and confuse potential attackers.

  • Concealment and Misdirection | Randomness (SC-30(2))

    Subcontrol SC-30(2) within NIST 800-53's System and Communications Protection (SC) family focuses on the use of randomness as a concealment and misdirection technique to enhance cybersecurity defenses. Randomness introduces unpredictability into various aspects of an organization's systems and communications, making it more challenging for malicious actors to predict and exploit vulnerabilities.

  • Concealment and Misdirection | Change Processing and Storage Locations (SC-30(3))

    Subcontrol SC-30(3) within NIST 800-53's System and Communications Protection (SC) family focuses on enhancing cybersecurity by periodically changing the processing and storage locations of an organization's critical data and assets. This practice adds an element of unpredictability, making it more challenging for potential attackers to locate and exploit sensitive information.

  • Concealment and Misdirection | Misleading Information (SC-30(4))

    Subcontrol SC-30(4) within NIST 800-53's System and Communications Protection (SC) family focuses on enhancing cybersecurity by deliberately introducing misleading information into an organization's systems and communications. This practice aims to deceive potential attackers, making it more challenging for them to distinguish between real and fabricated data, thereby enhancing the security posture.

  • Concealment and Misdirection | Concealment of System Components (SC-30(5))

    Subcontrol SC-30(5) within NIST 800-53's System and Communications Protection (SC) family focuses on enhancing cybersecurity by concealing the existence and identity of critical system components. By obscuring the details of these components, organizations can reduce their exposure to potential attackers, making it more challenging for adversaries to gain insights into system architecture and vulnerabilities.

  • Covert Channel Analysis (SC-31)- Main Control

    Control SC-31 within NIST 800-53's System and Communications Protection (SC) family focuses on identifying and mitigating covert channels that could be exploited by malicious actors to compromise the confidentiality or integrity of information systems. Covert channels are unintended or hidden communication paths within a system that allow the unauthorized transfer of information. These channels can bypass security controls and represent a potential security risk.

  • Covert Channel Analysis | Test Covert Channels for Exploitability (SC-31(1))

    Subcontrol SC-31(1) under NIST 800-53's System and Communications Protection (SC) family focuses on conducting tests to determine whether identified covert channels within an information system are exploitable. Covert channels are unintended or hidden communication paths that may be exploited by malicious actors to compromise the confidentiality or integrity of information systems.

  • Covert Channel Analysis | Maximum Bandwidth (SC-31(2))

    Subcontrol SC-31(2) under NIST 800-53's System and Communications Protection (SC) family focuses on limiting the maximum bandwidth available for covert channels within an information system. Covert channels are unintended or hidden communication paths that may be exploited by malicious actors to compromise the confidentiality or integrity of information systems. By constraining the available bandwidth for covert channels, organizations can reduce the potential for data leakage or unauthorized information transfer.

  • Covert Channel Analysis | Measure Bandwidth in Operational Environments (SC-31(3))

    Subcontrol SC-31(3) under NIST 800-53's System and Communications Protection (SC) family emphasizes the importance of measuring and monitoring bandwidth utilization in operational environments. This control is designed to help organizations detect and analyze covert channels that may exploit bandwidth to compromise the confidentiality or integrity of information systems. By continuously measuring bandwidth, organizations can identify unusual or unauthorized communication patterns and respond to potential covert channel activity effectively.

  • System Partitioning (SC-32)- Main Control

    System Partitioning (SC-32) is a control within the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This control focuses on the need to isolate different parts or components of an information system to prevent unauthorized access and limit the potential impact of security breaches. System partitioning involves logical or physical separation of components within an information system, such as separating user-facing components from system management functions.

  • System Partitioning | Separate Physical Domains for Privileged Functions (SC-32(1))

    Separate Physical Domains for Privileged Functions (SC-32(1)) is a specific subcontrol within the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This subcontrol emphasizes the need to isolate privileged functions within an information system physically. Privileged functions typically include system management and administration activities that require elevated access rights.

  • Non-modifiable Executable Programs (SC-34)- Main Control

    Non-modifiable Executable Programs (SC-34) is a main control within the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This control focuses on ensuring the integrity and security of executable programs that are essential to the operation of an information system.

  • Non-modifiable Executable Programs | No Writable Storage (SC-34(1))

    No Writable Storage (SC-34(1)) is a specific subcontrol under the Non-modifiable Executable Programs (SC-34) control in the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This subcontrol focuses on preventing the presence of writable storage locations, such as directories or folders, on systems that execute non-modifiable executable programs. The goal is to minimize the risk of unauthorized modifications to critical software components.

  • Non-modifiable Executable Programs | Integrity Protection on Read-only Media (SC-34(2))

    Integrity Protection on Read-only Media (SC-34(2)) is a specific subcontrol under the Non-modifiable Executable Programs (SC-34) control in the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This subcontrol focuses on ensuring the integrity of non-modifiable executable programs that are stored on read-only media, such as CDs or DVDs, by preventing any unauthorized alterations or tampering.

  • Non-modifiable Executable Programs | Hardware-based Protection (SC-34(3))

    Hardware-based Protection (SC-34(3)) is a specific subcontrol under the Non-modifiable Executable Programs (SC-34) control in the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This subcontrol focuses on ensuring the security and integrity of non-modifiable executable programs through the use of hardware-based mechanisms and protections.

  • External Malicious Code Identification (SC-35)- Main Control

    External Malicious Code Identification (SC-35) is a main control in the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This control focuses on the capability to identify and protect against malicious code introduced externally to an information system.

  • Distributed Processing and Storage (SC-36)- Main Control

    Distributed Processing and Storage (SC-36) is a main control in the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This control focuses on managing and securing distributed information processing and storage capabilities.

  • Distributed Processing and Storage | Polling Techniques (SC-36(1))

    Distributed Processing and Storage | Polling Techniques (SC-36(1)) is a subcontrol under the main control SC-36 in the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This subcontrol focuses on managing and securing distributed information processing and storage capabilities through effective polling techniques.

  • Distributed Processing and Storage | Synchronization (SC-36(2))

    Distributed Processing and Storage | Synchronization (SC-36(2)) is a subcontrol under the main control SC-36 in the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This subcontrol focuses on managing and securing synchronization mechanisms used in distributed environments.

  • Out-of-band Channels (SC-37)- Main Control

    Out-of-band Channels (SC-37) is a control in the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This control focuses on the secure management and utilization of out-of-band communication channels in information systems.

  • Out-of-band Channels | Ensure Delivery and Transmission (SC-37(1))

    Ensure Delivery and Transmission (SC-37(1)) is a specific subcontrol within the Out-of-band Channels control (SC-37) in the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This subcontrol focuses on measures to guarantee the reliable delivery and transmission of information over out-of-band communication channels.

  • Operations Security (SC-38)- Main Control

    Operations Security (SC-38) is a control within the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. It focuses on safeguarding the security of an organization's operations, including the planning, execution, and management of information system activities.

  • Process Isolation (SC-39)- Main Control

    Process Isolation (SC-39) is a control within the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. It focuses on separating and isolating processes within an information system to prevent unauthorized access and reduce the risk of unauthorized data sharing.

  • Process Isolation | Hardware Separation (SC-39(1))

    Hardware Separation (SC-39(1)) is a subcontrol under the broader Process Isolation control (SC-39) within the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This subcontrol focuses on isolating processes from each other through physical hardware separation to prevent unauthorized access and data sharing.

  • Process Isolation | Separate Execution Domain Per Thread (SC-39(2))

    Separate Execution Domain Per Thread (SC-39(2)) is a subcontrol under the Process Isolation control (SC-39) within the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This subcontrol emphasizes the need to create separate execution domains for individual threads or processes within an information system to prevent unauthorized interactions and enhance security.

  • Wireless Link Protection (SC-40)- Main Control

    Wireless Link Protection (SC-40) is a control within the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. It focuses on securing wireless communications and connections within an organization's information systems. The control aims to safeguard the confidentiality, integrity, and availability of data transmitted over wireless networks.

  • Wireless Link Protection | Electromagnetic Interference (SC-40(1))

    Electromagnetic Interference (SC-40(1)) is a specific subcontrol within the Wireless Link Protection (SC-40) control in the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. It focuses on mitigating the risks associated with electromagnetic interference (EMI) that can disrupt or compromise wireless communications and connections within an organization's information systems.

  • Wireless Link Protection | Reduce Detection Potential (SC-40(2))

    Reduce Detection Potential (SC-40(2)) is a specific subcontrol within the Wireless Link Protection (SC-40) control in the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. This subcontrol focuses on minimizing the risk of unauthorized detection of wireless communications and connections within an organization's information systems.

  • Wireless Link Protection | Imitative or Manipulative Communications Deception (SC-40(3))

    Imitative or Manipulative Communications Deception (SC-40(3)) is a specific subcontrol within the System and Communications Protection (SC) control family of NIST Special Publication 800-53 Revision 5. This subcontrol focuses on protecting wireless communications by addressing the risk of imitative or manipulative deception tactics employed by adversaries.

  • Wireless Link Protection | Signal Parameter Identification (SC-40(4))

    Signal Parameter Identification (SC-40(4)) is a specific subcontrol within the System and Communications Protection (SC) control family of NIST Special Publication 800-53 Revision 5. This subcontrol focuses on protecting wireless communications by identifying and monitoring the parameters of wireless signals to detect anomalies and potential threats.

  • Port and I/O Device Access (SC-41)- Main Control

    The Port and I/O Device Access (SC-41) control within the System and Communications Protection (SC) family focuses on managing and controlling the access to input/output (I/O) devices and ports on information systems. This control ensures that only authorized individuals and systems are granted access to these critical interfaces, reducing the risk of unauthorized data exfiltration, malware injection, or other malicious activities.

  • Sensor Capability and Data (SC-42)- Main Control

    The Sensor Capability and Data (SC-42) control within the System and Communications Protection (SC) family is designed to ensure the effective operation and security of sensor systems used to monitor and detect security-related events in an organization's information systems. This control encompasses the management, integrity, and protection of sensor data to enhance an organization's situational awareness and incident response capabilities.

  • Sensor Capability and Data | Reporting to Authorized Individuals or Roles (SC-42(1))

    The Sensor Capability and Data | Reporting to Authorized Individuals or Roles (SC-42(1)) subcontrol is a critical component of the System and Communications Protection (SC) family. It focuses on ensuring that sensor systems effectively report security-related events and anomalies to authorized individuals or roles within the organization. This subcontrol helps maintain situational awareness and enables timely incident response by ensuring that the right people have access to the relevant sensor data.

  • Sensor Capability and Data | Authorized Use (SC-42(2))

    The Sensor Capability and Data | Authorized Use (SC-42(2)) subcontrol is an integral component of the System and Communications Protection (SC) family. Its primary objective is to ensure that the use of sensor systems and the data they generate is limited to authorized purposes within the organization. By establishing clear boundaries on the use of sensor capabilities and data, this subcontrol helps prevent misuse or unauthorized access to sensitive information.

  • Sensor Capability and Data | Notice of Collection (SC-42(4))

    The Sensor Capability and Data | Notice of Collection (SC-42(4)) subcontrol is a vital component within the System and Communications Protection (SC) family. Its primary objective is to ensure that individuals whose information is collected and processed by sensor systems are informed of this data collection. Providing notice of collection is a fundamental privacy and transparency measure that helps individuals understand how their data is being used.

  • Sensor Capability and Data | Collection Minimization (SC-42(5))

    The Sensor Capability and Data | Collection Minimization (SC-42(5)) subcontrol is a critical component of the System and Communications Protection (SC) family. It focuses on ensuring that organizations collect only the minimum amount of data necessary for the intended purpose from sensor systems. This minimization principle enhances privacy protection and reduces the risk associated with excessive data collection.

  • Usage Restrictions (SC-43)- Main Control

    The Usage Restrictions (SC-43) control within the System and Communications Protection (SC) family is designed to ensure that organizations impose and enforce restrictions on the usage of information system resources. This control helps prevent unauthorized or excessive use of system resources, mitigating the risk of system degradation, denial of service, and security breaches.

  • Detonation Chambers (SC-44)- Main Control

    The Detonation Chambers (SC-44) control within the System and Communications Protection (SC) family focuses on safeguarding an organization's information systems by isolating and analyzing potentially malicious code or content in controlled environments known as detonation chambers. This control aims to protect the integrity and security of an organization's IT infrastructure by identifying and mitigating threats before they can impact operational systems.

  • System Time Synchronization (SC-45)- Main Control

    The System Time Synchronization (SC-45) control within the System and Communications Protection (SC) family is dedicated to ensuring that the timekeeping functions across an organization's information systems are synchronized accurately. This control is essential for maintaining the integrity of security-related data, event correlation, and compliance with audit requirements.

  • System Time Synchronization | Synchronization with Authoritative Time Source (SC-45(1))

    The System Time Synchronization | Synchronization with Authoritative Time Source (SC-45(1)) subcontrol is a crucial element of the System and Communications Protection (SC) family. Its primary objective is to ensure that an organization's information systems synchronize their time with an authoritative time source accurately and consistently. Accurate time synchronization is essential for maintaining data integrity, facilitating event correlation, and supporting security incident response.

  • System Time Synchronization | Secondary Authoritative Time Source (SC-45(2))

    The System Time Synchronization | Secondary Authoritative Time Source (SC-45(2)) subcontrol is an essential element within the System and Communications Protection (SC) family. Its primary goal is to enhance the reliability and availability of time synchronization by establishing a secondary authoritative time source. This secondary source serves as a backup to ensure continuous and accurate timekeeping in case the primary authoritative time source experiences disruptions.

  • Cross Domain Policy Enforcement (SC-46)- Main Control

    The Cross Domain Policy Enforcement (SC-46) control within the System and Communications Protection (SC) family focuses on implementing measures and policies that govern the secure exchange of information between different security domains within an organization. This control is essential for maintaining data integrity, confidentiality, and access control when information crosses boundaries between security domains.

  • Alternate Communications Paths (SC-47)- Main Control

    The Alternate Communications Paths (SC-47) control within the System and Communications Protection (SC) family focuses on ensuring the availability and resilience of communication capabilities in the face of disruptions or failures in primary communication channels. This control is critical for maintaining continuity of operations and emergency response capabilities by establishing backup communication paths.

  • Sensor Relocation (SC-48)- Main Control

    The Sensor Relocation (SC-48) control within the System and Communications Protection (SC) family addresses the need to ensure the continued functionality of security sensors and monitoring systems when environmental conditions or operational requirements necessitate their relocation. This control is crucial for maintaining a consistent security posture and situational awareness even in dynamic or challenging environments.

  • Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities (SC-48(1))

    The Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities (SC-48(1)) subcontrol is a critical component within the System and Communications Protection (SC) family. Its primary objective is to address the dynamic relocation of security sensors or monitoring capabilities in response to changing threat landscapes, operational requirements, or environmental factors. This subcontrol ensures that the security posture remains effective and adaptive in the face of evolving challenges.

  • Hardware-enforced Separation and Policy Enforcement (SC-49)- Main Control

    The Hardware-enforced Separation and Policy Enforcement (SC-49) control within the System and Communications Protection (SC) family is designed to ensure that security policies and access controls are consistently and effectively enforced through hardware-based mechanisms. This control emphasizes the use of physical hardware to provide strong separation between different security domains and to enforce security policies at the lowest level.

  • Software-enforced Separation and Policy Enforcement (SC-50)- Main Control

    The Software-enforced Separation and Policy Enforcement (SC-50) control within the System and Communications Protection (SC) family focuses on the implementation of software-based measures to ensure effective separation and enforcement of security policies between different security domains or systems. This control emphasizes the use of software controls to manage access, protect data, and enforce security policies within an organization's information systems.

  • Hardware-based Protection (SC-51)- Main Control

    The Hardware-based Protection (SC-51) control within the System and Communications Protection (SC) family emphasizes the use of physical hardware measures to safeguard an organization's information systems. This control focuses on employing hardware-based security mechanisms to protect against various threats, including physical attacks, unauthorized access, and data breaches.

The System and Information Integrity control family is designed to ensure the integrity of information processed within information systems and the integrity of the systems themselves. The controls within this family aim to prevent, detect, and respond to incidents that could compromise the integrity of information or the functionality of information systems. Integrity protections are crucial for maintaining the trustworthiness of data and the overall reliability of systems.

  • Policy and Procedures (SI-1)- Main Control

    The Policy and Procedures (SI-1) control within the System and Information Integrity (SI) family focuses on the establishment and maintenance of policies and procedures to protect and maintain the integrity of an organization's information systems. This control ensures that formalized policies and procedures are in place to address information system integrity, prevent unauthorized changes, and facilitate timely detection and response to integrity violations.

  • Flaw Remediation (SI-2)- Main Control

    The Flaw Remediation (SI-2) control within the System and Information Integrity (SI) family focuses on the identification, prioritization, and timely remediation of software and hardware vulnerabilities in an organization's information systems. This control ensures that vulnerabilities are addressed promptly to prevent potential exploitation, data breaches, or system compromises.

  • Flaw Remediation | Central Management (SI-2(1))

    The Flaw Remediation | Central Management (SI-2(1)) subcontrol within the System and Information Integrity (SI) family focuses on the establishment of a centralized management system for tracking, prioritizing, and coordinating the remediation of software and hardware vulnerabilities across an organization's information systems. This subcontrol ensures that vulnerabilities are efficiently addressed through a coordinated effort.

  • Flaw Remediation | Automated Flaw Remediation Status (SI-2(2))

    The Flaw Remediation | Automated Flaw Remediation Status (SI-2(2)) subcontrol within the System and Information Integrity (SI) family focuses on the implementation of automated mechanisms to track the status of flaw remediation efforts across an organization's information systems. This subcontrol ensures that automated processes are in place to monitor and report on the progress of vulnerability remediation, providing real-time visibility into the state of security.

  • Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions (SI-2(3))

    The Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions (SI-2(3)) subcontrol within the System and Information Integrity (SI) family focuses on establishing benchmarks and timeframes for remediating identified flaws and vulnerabilities within an organization's information systems. This subcontrol emphasizes setting specific goals for remediation and tracking progress to ensure that vulnerabilities are addressed promptly and effectively.

  • Flaw Remediation | Automated Patch Management Tools (SI-2(4))

    The Flaw Remediation | Automated Patch Management Tools (SI-2(4)) subcontrol within the System and Information Integrity (SI) family focuses on the use of automated patch management tools to facilitate the efficient and timely remediation of vulnerabilities in an organization's information systems. This subcontrol emphasizes the importance of automation in applying patches and updates to address known security flaws.

  • Flaw Remediation | Automatic Software and Firmware Updates (SI-2(5))

    The Flaw Remediation | Automatic Software and Firmware Updates (SI-2(5)) subcontrol within the System and Information Integrity (SI) family emphasizes the importance of enabling and configuring automatic software and firmware updates to address identified vulnerabilities promptly. This subcontrol focuses on automating the process of updating and patching software and firmware to enhance security.

  • Flaw Remediation | Removal of Previous Versions of Software and Firmware (SI-2(6))

    The Flaw Remediation | Removal of Previous Versions of Software and Firmware (SI-2(6)) subcontrol within the System and Information Integrity (SI) family focuses on the removal or deactivation of previous, outdated versions of software and firmware to mitigate security risks associated with known vulnerabilities. This subcontrol ensures that organizations maintain a clean and secure environment by eliminating the use of obsolete software and firmware.

  • Malicious Code Protection (SI-3)- Main Control

    The Malicious Code Protection (SI-3) control within the System and Information Integrity (SI) family focuses on implementing measures to protect information systems and data from malicious code, including viruses, worms, trojans, and other types of malware. This control emphasizes the importance of preventing, detecting, and responding to malicious code threats to ensure the integrity and availability of systems and information.

  • Malicious Code Protection | Authenticate Remote Commands (SI-3(9)), Malicious Code Protection | Non-privileged Users (SI-3(3))

    The Malicious Code Protection | Authenticate Remote Commands (SI-3(9)) subcontrol within the System and Information Integrity (SI) family focuses on ensuring that remote commands and scripts are authenticated and authorized before execution on information systems. This subcontrol aims to prevent malicious code or unauthorized commands from being executed remotely, reducing the risk of compromise or disruption.

  • Malicious Code Protection | Updates Only by Privileged Users (SI-3(4))

    The Malicious Code Protection | Updates Only by Privileged Users (SI-3(4)) subcontrol within the System and Information Integrity (SI) family focuses on restricting the ability to apply updates and patches to software and firmware to privileged users only. This subcontrol ensures that only authorized personnel with the necessary privileges can make changes to system configurations, reducing the risk of unauthorized code alterations or malicious updates.

  • Malicious Code Protection | Portable Storage Devices (SI-3(5)), System Monitoring | Protection of Monitoring Information (SI-4(8))

    The Malicious Code Protection | Portable Storage Devices (SI-3(5)) subcontrol within the System and Information Integrity (SI) family focuses on mitigating the risk associated with the introduction of malicious code from portable storage devices, such as USB drives, external hard drives, and other removable media. This subcontrol aims to prevent unauthorized or infected devices from introducing malware into an organization's information systems.

  • Malicious Code Protection | Testing and Verification (SI-3(6))

    The Malicious Code Protection | Testing and Verification (SI-3(6)) subcontrol within the System and Information Integrity (SI) family focuses on conducting rigorous testing and verification of security controls and mechanisms related to malicious code protection. This subcontrol ensures that security controls designed to prevent, detect, and mitigate malicious code threats are effectively tested and validated to provide a high level of confidence in their functionality.

  • Malicious Code Protection | Detect Unauthorized Commands (SI-3(8))

    The Malicious Code Protection | Detect Unauthorized Commands (SI-3(8)) subcontrol within the System and Information Integrity (SI) family focuses on the implementation of mechanisms to detect and prevent the execution of unauthorized or malicious commands within an organization's information systems. This subcontrol is designed to identify and respond to any attempts to run unauthorized code or commands that could compromise the security and integrity of the systems.

  • Malicious Code Protection | Malicious Code Analysis (SI-3(10))

    The Malicious Code Protection | Malicious Code Analysis (SI-3(10)) subcontrol within the System and Information Integrity (SI) family focuses on the systematic analysis of malicious code, such as viruses, worms, trojans, and other malware, to understand their characteristics, behavior, and potential impact. This subcontrol aims to enhance an organization's ability to detect, respond to, and mitigate malicious code threats effectively.

  • System Monitoring (SI-4)- Main Control

    The System Monitoring (SI-4) control within the System and Information Integrity (SI) family focuses on establishing a comprehensive system monitoring program that enables organizations to continuously observe, detect, and respond to security events and incidents within their information systems. This control encompasses the establishment and maintenance of monitoring capabilities to ensure the security and integrity of an organization's computing environment.

  • System Monitoring | System-wide Intrusion Detection System (SI-4(1))

    The System Monitoring | System-wide Intrusion Detection System (SI-4(1)) subcontrol within the System and Information Integrity (SI) family focuses on the implementation of a system-wide intrusion detection system (IDS) to continuously monitor and detect unauthorized activities and potential security breaches within an organization's information systems. This subcontrol aims to enhance an organization's ability to identify and respond to intrusion attempts promptly.

  • System Monitoring | Automated Tools and Mechanisms for Real-time Analysis (SI-4(2))

    The System Monitoring | Automated Tools and Mechanisms for Real-time Analysis (SI-4(2)) subcontrol within the System and Information Integrity (SI) family emphasizes the use of automated tools and mechanisms to conduct real-time analysis of security-related data and events within an organization's information systems. This subcontrol aims to enhance an organization's ability to promptly detect and respond to security incidents and anomalies.

  • System Monitoring | Automated Tool and Mechanism Integration (SI-4(3))

    The System Monitoring | Automated Tool and Mechanism Integration (SI-4(3)) subcontrol within the System and Information Integrity (SI) family focuses on the integration of various automated tools and mechanisms used for security monitoring, analysis, and incident response. This subcontrol aims to ensure that these tools work cohesively, share relevant data, and provide a unified view of security events to enhance the organization's ability to detect and respond to security incidents effectively.

  • System Monitoring | Inbound and Outbound Communications Traffic (SI-4(4))

    The System Monitoring | Inbound and Outbound Communications Traffic (SI-4(4)) subcontrol within the System and Information Integrity (SI) family focuses on monitoring both inbound and outbound communications traffic to and from an organization's information systems. This subcontrol aims to provide comprehensive visibility into network activities, detect malicious traffic, and ensure the integrity and security of data transmissions.

  • System Monitoring | System-generated Alerts (SI-4(5))

    The System Monitoring | System-generated Alerts (SI-4(5)) subcontrol within the System and Information Integrity (SI) family focuses on the generation and utilization of system-generated alerts to detect and respond to security incidents and anomalies within an organization's information systems. This subcontrol aims to enhance the automated identification of potential threats and irregularities.

  • System Monitoring | Restrict Non-privileged Users (SI-4(6))

    The System Monitoring | Restrict Non-privileged Users (SI-4(6)) subcontrol within the System and Information Integrity (SI) family focuses on restricting non-privileged users' access to logs and security monitoring tools. This subcontrol aims to prevent unauthorized or inappropriate access to sensitive security information and ensures that only authorized personnel can review and analyze security data.

  • System Monitoring | Automated Response to Suspicious Events (SI-4(7))

    The System Monitoring | Automated Response to Suspicious Events (SI-4(7)) subcontrol within the System and Information Integrity (SI) family focuses on automating the response to suspicious security events and incidents. This subcontrol aims to enhance an organization's ability to react rapidly to emerging threats and security incidents, reducing manual intervention and minimizing potential damage.

  • System Monitoring | Testing of Monitoring Tools and Mechanisms (SI-4(9))

    The System Monitoring | Testing of Monitoring Tools and Mechanisms (SI-4(9)) subcontrol within the System and Information Integrity (SI) family focuses on the regular testing and evaluation of security monitoring tools and mechanisms to ensure their effectiveness in identifying and responding to security threats and vulnerabilities. This subcontrol aims to maintain the reliability and accuracy of monitoring systems.

  • System Monitoring | Visibility of Encrypted Communications (SI-4(10))

    The System Monitoring | Visibility of Encrypted Communications (SI-4(10)) subcontrol within the System and Information Integrity (SI) family focuses on ensuring that organizations have the capability to inspect and gain visibility into encrypted communications for security monitoring purposes. This subcontrol aims to detect threats and malicious activities that may be hidden within encrypted traffic while preserving the confidentiality and integrity of sensitive data.

  • System Monitoring | Analyze Communications Traffic Anomalies (SI-4(11))

    The System Monitoring | Analyze Communications Traffic Anomalies (SI-4(11)) subcontrol within the System and Information Integrity (SI) family focuses on the proactive analysis of communications traffic to identify and investigate anomalies and suspicious patterns. This subcontrol aims to enhance an organization's ability to detect and respond to emerging threats and security incidents.

  • System Monitoring | Automated Organization-generated Alerts (SI-4(12))

    The System Monitoring | Automated Organization-generated Alerts (SI-4(12)) subcontrol within the System and Information Integrity (SI) family focuses on the automated generation of alerts by an organization's systems and applications to detect and respond to security-related events and anomalies. This subcontrol aims to enhance an organization's ability to promptly identify and address security incidents and maintain the integrity and availability of information systems.

  • System Monitoring | Analyze Traffic and Event Patterns (SI-4(13))

    The System Monitoring | Analyze Traffic and Event Patterns (SI-4(13)) subcontrol within the System and Information Integrity (SI) family focuses on the continuous analysis of network traffic and event patterns to detect and respond to security threats and suspicious activities. This subcontrol aims to enhance an organization's ability to identify and mitigate security incidents proactively.

  • System Monitoring | Wireless Intrusion Detection (SI-4(14))

    The System Monitoring | Wireless Intrusion Detection (SI-4(14)) subcontrol within the System and Information Integrity (SI) family focuses on the deployment of wireless intrusion detection mechanisms to monitor and protect wireless network environments. This subcontrol aims to enhance an organization's ability to detect and respond to unauthorized wireless network access and potential security threats in wireless communication.

  • System Monitoring | Wireless to Wireline Communications (SI-4(15))

    The System Monitoring | Wireless to Wireline Communications (SI-4(15)) subcontrol within the System and Information Integrity (SI) family focuses on monitoring and protecting the security of wireless-to-wireline communications interfaces. This subcontrol aims to ensure the integrity and confidentiality of data transmitted between wireless and wired networks and to detect and respond to security threats in these communication channels.

  • System Monitoring | Correlate Monitoring Information (SI-4(16))

    The System Monitoring | Correlate Monitoring Information (SI-4(16)) subcontrol within the System and Information Integrity (SI) family focuses on the correlation of monitoring information from various sources to provide a comprehensive and contextual view of an organization's security posture. This subcontrol aims to enhance an organization's ability to detect and respond to complex security incidents by identifying patterns and relationships within monitoring data.

  • System Monitoring | Integrated Situational Awareness (SI-4(17))

    The System Monitoring | Integrated Situational Awareness (SI-4(17)) subcontrol within the System and Information Integrity (SI) family focuses on achieving a holistic and integrated view of an organization's security posture by aggregating and correlating monitoring information from various sources. This subcontrol aims to enhance an organization's ability to proactively identify, respond to, and manage security incidents and vulnerabilities effectively.

  • System Monitoring | Analyze Traffic and Covert Exfiltration (SI-4(18))

    The System Monitoring | Analyze Traffic and Covert Exfiltration (SI-4(18)) subcontrol within the System and Information Integrity (SI) family focuses on monitoring and analyzing network traffic to detect and respond to covert data exfiltration attempts. This subcontrol aims to enhance an organization's ability to identify and mitigate insider threats or malicious activities that attempt to steal sensitive data while evading detection.

  • System Monitoring | Risk for Individuals (SI-4(19))

    The System Monitoring | Risk for Individuals (SI-4(19)) subcontrol within the System and Information Integrity (SI) family focuses on monitoring and assessing risks to individuals' privacy and personal information resulting from system activities. This subcontrol aims to enhance an organization's ability to safeguard the privacy of individuals by detecting and addressing privacy-related risks.

  • System Monitoring | Privileged Users (SI-4(20))

    The System Monitoring | Privileged Users (SI-4(20)) subcontrol within the System and Information Integrity (SI) family focuses on monitoring the activities of privileged users within an organization's information systems. This subcontrol aims to enhance an organization's ability to detect and respond to potential security incidents involving privileged accounts, ensuring the integrity and confidentiality of sensitive data.

  • System Monitoring | Probationary Periods (SI-4(21))

    The System Monitoring | Probationary Periods (SI-4(21)) subcontrol within the System and Information Integrity (SI) family focuses on monitoring and controlling the activities of individuals who are in probationary periods, have temporary access, or are undergoing security clearance reviews. This subcontrol aims to enhance an organization's ability to protect sensitive information by ensuring that individuals with limited or uncertain trustworthiness do not pose security risks.

  • System Monitoring | Unauthorized Network Services (SI-4(22))

    The System Monitoring | Unauthorized Network Services (SI-4(22)) subcontrol within the System and Information Integrity (SI) family focuses on monitoring an organization's network infrastructure to detect and prevent unauthorized or rogue network services from being deployed and operated. This subcontrol aims to enhance an organization's ability to maintain the integrity, confidentiality, and availability of its information systems by ensuring that only authorized and approved network services are in operation.

  • System Monitoring | Host-based Devices (SI-4(23))

    The System Monitoring | Host-based Devices (SI-4(23)) subcontrol within the System and Information Integrity (SI) family focuses on monitoring the security and integrity of host-based devices within an organization's information systems. This subcontrol aims to enhance an organization's ability to detect and respond to security incidents, vulnerabilities, and unauthorized changes on individual devices to ensure the overall integrity and functionality of the systems.

  • System Monitoring | Indicators of Compromise (SI-4(24))

    The System Monitoring | Indicators of Compromise (SI-4(24)) subcontrol within the System and Information Integrity (SI) family focuses on actively monitoring and analyzing network and system activities for indicators of compromise (IOCs). IOCs are telltale signs that an information system may have been compromised or is under attack. This subcontrol aims to enhance an organization's ability to detect and respond to security incidents promptly to minimize potential damage.

  • System Monitoring | Optimize Network Traffic Analysis (SI-4(25))

    The System Monitoring | Optimize Network Traffic Analysis (SI-4(25)) subcontrol within the System and Information Integrity (SI) family focuses on improving the efficiency and effectiveness of network traffic analysis for security purposes. This subcontrol aims to enhance an organization's ability to monitor and respond to security incidents by optimizing the analysis of network traffic data.

  • Security Alerts, Advisories, and Directives (SI-5)- Main Control

    The Security Alerts, Advisories, and Directives (SI-5) control within the System and Information Integrity (SI) family focuses on establishing a mechanism for receiving, interpreting, and acting upon security alerts, advisories, and directives from authoritative sources. This control aims to enhance an organization's ability to respond effectively to emerging threats, vulnerabilities, and cybersecurity guidance.

  • Security Alerts, Advisories, and Directives | Automated Alerts and Advisories (SI-5(1))

    The Security Alerts, Advisories, and Directives | Automated Alerts and Advisories (SI-5(1)) subcontrol within the System and Information Integrity (SI) family focuses on automating the process of receiving, interpreting, and disseminating security alerts, advisories, and directives from authoritative sources. This subcontrol aims to enhance an organization's ability to respond rapidly and consistently to emerging threats, vulnerabilities, and cybersecurity guidance.

  • Security and Privacy Function Verification (SI-6)- Main Control

    The Security and Privacy Function Verification (SI-6) control within the System and Information Integrity (SI) family focuses on verifying that security and privacy functions, including mechanisms, policies, and procedures, are implemented correctly and effectively to protect information systems. This control aims to enhance an organization's ability to ensure that security and privacy safeguards are functioning as intended.

  • Security and Privacy Function Verification | Automation Support for Distributed Testing (SI-6(2))

    The Security and Privacy Function Verification | Automation Support for Distributed Testing (SI-6(2)) subcontrol within the System and Information Integrity (SI) family focuses on leveraging automation to support distributed testing of security and privacy functions across the organization's information systems. This subcontrol aims to enhance an organization's ability to efficiently and comprehensively verify the effectiveness of security and privacy controls.

  • Security and Privacy Function Verification | Report Verification Results (SI-6(3))

    The Security and Privacy Function Verification | Report Verification Results (SI-6(3)) subcontrol within the System and Information Integrity (SI) family focuses on the requirement to document and report the results of security and privacy function verification activities. This subcontrol aims to ensure that organizations have a clear record of the verification process and its outcomes, which can be used for decision-making, auditing, and compliance purposes.

  • Software, Firmware, and Information Integrity (SI-7)- Main Control

    The Software, Firmware, and Information Integrity (SI-7) control within the System and Information Integrity (SI) family focuses on ensuring the integrity of software and firmware components within an organization's information systems. This control aims to prevent unauthorized changes to software and firmware that could compromise the confidentiality, integrity, and availability of the organization's data and systems.

  • Software, Firmware, and Information Integrity | Integrity Checks (SI-7(1))

    The Software, Firmware, and Information Integrity | Integrity Checks (SI-7(1)) subcontrol within the System and Information Integrity (SI) family focuses on implementing mechanisms for regularly checking the integrity of software, firmware, and information in an organization's information systems. This subcontrol aims to ensure that these components remain unaltered and free from unauthorized modifications that could compromise system security and data integrity.

  • Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations (SI-7(2))

    The Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations (SI-7(2)) subcontrol within the System and Information Integrity (SI) family focuses on implementing automated mechanisms for promptly notifying relevant personnel or systems when integrity violations are detected in software, firmware, or information components. This subcontrol aims to facilitate rapid incident response and mitigation to address unauthorized changes that could compromise system security.

  • Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools (SI-7(3))

    The Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools (SI-7(3)) subcontrol within the System and Information Integrity (SI) family focuses on centrally managing and coordinating integrity-checking tools and mechanisms across an organization's information systems. This subcontrol aims to streamline and enhance the effectiveness of integrity verification processes by centralizing management and control.

  • Software, Firmware, and Information Integrity | Tamper-evident Packaging (SI-7(4))

    The Software, Firmware, and Information Integrity | Tamper-evident Packaging (SI-7(4)) subcontrol within the System and Information Integrity (SI) family focuses on the use of tamper-evident packaging for physical or digital media containing software, firmware, or sensitive information. This subcontrol aims to protect the integrity of these components during storage, transportation, and distribution by providing clear indications of tampering or unauthorized access.

  • Software, Firmware, and Information Integrity | Automated Response to Integrity Violations (SI-7(5))

    The Software, Firmware, and Information Integrity | Automated Response to Integrity Violations (SI-7(5)) subcontrol within the System and Information Integrity (SI) family focuses on automating the response to integrity violations detected in software, firmware, or information components. This subcontrol aims to expedite incident response efforts, reduce the impact of integrity violations, and mitigate potential risks.

  • Software, Firmware, and Information Integrity | Cryptographic Protection (SI-7(6))

    The Software, Firmware, and Information Integrity | Cryptographic Protection (SI-7(6)) subcontrol within the System and Information Integrity (SI) family focuses on the use of cryptographic protections to safeguard the integrity of software, firmware, and sensitive information components. This subcontrol aims to prevent unauthorized changes, tampering, or alterations by applying cryptographic measures, such as digital signatures or encryption.

  • Software, Firmware, and Information Integrity | Integration of Detection and Response (SI-7(7))

    The Software, Firmware, and Information Integrity | Integration of Detection and Response (SI-7(7)) subcontrol within the System and Information Integrity (SI) family focuses on integrating the detection and response mechanisms to promptly and effectively address integrity violations in software, firmware, and information components. This subcontrol aims to streamline incident response efforts by combining the capabilities of identifying violations and taking immediate action.

  • Software, Firmware, and Information Integrity | Auditing Capability for Significant Events (SI-7(8))

    The Software, Firmware, and Information Integrity | Auditing Capability for Significant Events (SI-7(8)) subcontrol within the System and Information Integrity (SI) family focuses on implementing auditing capabilities to monitor and record significant events related to software, firmware, and information components. This subcontrol aims to provide organizations with the means to detect and investigate integrity violations by maintaining detailed event logs.

  • Software, Firmware, and Information Integrity | Verify Boot Process (SI-7(9))

    The Software, Firmware, and Information Integrity | Verify Boot Process (SI-7(9)) subcontrol within the System and Information Integrity (SI) family focuses on ensuring the integrity of the boot process for software, firmware, and information components. This subcontrol aims to verify that these components are loaded securely and have not been tampered with during the boot-up sequence.

  • Personally Identifiable Information Quality Operations | Notice of Correction or Deletion (SI-18(5))

    The Personally Identifiable Information (PII) Quality Operations | Notice of Correction or Deletion (SI-18(5)) subcontrol within the System and Information Integrity (SI) family focuses on establishing procedures to notify individuals or data subjects when corrections or deletions are made to their PII. This subcontrol ensures transparency and accountability in managing PII by keeping individuals informed of changes to their personal data.

  • Predictable Failure Prevention | Standby Component Installation and Notification (SI-13(4))

    The Predictable Failure Prevention | Standby Component Installation and Notification (SI-13(4)) subcontrol within the System and Information Integrity (SI) family focuses on ensuring the availability and reliability of critical system components by having standby components readily available and notifying relevant personnel when they are installed. This subcontrol aims to minimize downtime and disruptions caused by predictable component failures.

  • Predictable Failure Prevention | Failover Capability (SI-13(5))

    The Predictable Failure Prevention | Failover Capability (SI-13(5)) subcontrol within the System and Information Integrity (SI) family focuses on ensuring the availability and reliability of critical systems by implementing failover capabilities. This subcontrol aims to minimize downtime and disruptions caused by predictable failures of primary systems by seamlessly transitioning to backup systems.

  • Non-persistence (SI-14)- Main Control

    The Non-persistence (SI-14) control within the System and Information Integrity (SI) family focuses on reducing the persistence of information in various system components, ensuring that sensitive data or configurations are not retained longer than necessary. This control helps mitigate the risk of unauthorized access or data exposure due to residual information being left behind in system components.

  • Non-persistence | Refresh from Trusted Sources (SI-14(1))

    The Non-persistence | Refresh from Trusted Sources (SI-14(1)) subcontrol within the System and Information Integrity (SI) family focuses on ensuring that system components, including software and configurations, are periodically refreshed or updated from trusted sources. This subcontrol aims to minimize the risk of unauthorized or compromised information persisting within system components and enhance system and information integrity.

  • Non-persistence | Non-persistent Information (SI-14(2))

    The Non-persistence | Non-persistent Information (SI-14(2)) subcontrol within the System and Information Integrity (SI) family focuses on the management of non-persistent information within system components. Non-persistent information is data that is intentionally designed to be temporary and should not be retained longer than necessary for operational purposes. This subcontrol aims to reduce the risk of sensitive or temporary data being unintentionally retained within system components, thereby enhancing system and information integrity.

  • Non-persistence | Non-persistent Connectivity (SI-14(3))

    The Non-persistence | Non-persistent Connectivity (SI-14(3)) subcontrol within the System and Information Integrity (SI) family focuses on managing non-persistent network connections within the organization's IT environment. Non-persistent connectivity refers to network connections that are intentionally designed to be temporary and should not be retained longer than necessary for operational purposes. This subcontrol aims to reduce the risk of unauthorized or unnecessary network connections, thereby enhancing system and information integrity.

  • Information Output Filtering (SI-15)- Main Control

    The Information Output Filtering (SI-15) control within the System and Information Integrity (SI) family focuses on the prevention of unauthorized or sensitive information from being disclosed or released through various information output channels. This control aims to filter and control the information that leaves an organization's information systems, enhancing the protection of sensitive data and ensuring system and information integrity.

  • Memory Protection (SI-16)- Main Control

    The Memory Protection (SI-16) control within the System and Information Integrity (SI) family focuses on safeguarding the integrity and confidentiality of data stored in memory. This control aims to prevent unauthorized access, modification, or leakage of data residing in memory, which is critical for maintaining the overall security and reliability of an organization's information systems.

  • Fail-safe Procedures (SI-17)- Main Control

    The Fail-safe Procedures (SI-17) control within the System and Information Integrity (SI) family focuses on the development and implementation of procedures that ensure system operations can be safely terminated or transitioned into a secure state in the event of a failure or security incident. This control aims to reduce the potential impact of system failures, breaches, or other unexpected events on the integrity and availability of critical information systems and data.

  • Personally Identifiable Information Quality Operations (SI-18)- Main Control

    The Personally Identifiable Information (PII) Quality Operations (SI-18) control within the System and Information Integrity (SI) family focuses on ensuring the accuracy and quality of PII data collected, processed, and maintained by an organization. This control aims to protect the integrity and reliability of PII, which is crucial for maintaining trust, complying with privacy regulations, and preventing data breaches or identity theft.

  • Personally Identifiable Information Quality Operations | Automation Support (SI-18(1))

    The Personally Identifiable Information (PII) Quality Operations control SI-18(1) within the System and Information Integrity (SI) family focuses on automating processes and mechanisms to enhance the quality and accuracy of PII data collected, processed, and maintained by an organization. This subcontrol emphasizes the use of automated tools and technologies to validate, correct, and monitor PII data, ensuring its integrity while minimizing human error.

  • Personally Identifiable Information Quality Operations | Data Tags (SI-18(2))

    The Personally Identifiable Information (PII) Quality Operations control SI-18(2) within the System and Information Integrity (SI) family focuses on the use of data tagging mechanisms to enhance the quality and accuracy of PII data collected, processed, and maintained by an organization. This subcontrol emphasizes the importance of labeling or tagging PII data to identify and manage it effectively, ensuring its integrity and compliance with data handling policies.

  • Personally Identifiable Information Quality Operations | Collection (SI-18(3))

    The Personally Identifiable Information (PII) Quality Operations control SI-18(3) within the System and Information Integrity (SI) family focuses on ensuring the quality and accuracy of PII data collected by an organization. This subcontrol emphasizes the importance of implementing measures during data collection processes to minimize errors, omissions, and inaccuracies in PII data, thereby enhancing its integrity.

  • Personally Identifiable Information Quality Operations | Individual Requests (SI-18(4))

    The Personally Identifiable Information (PII) Quality Operations control SI-18(4) within the System and Information Integrity (SI) family focuses on responding to individual requests for accessing, correcting, or deleting their PII data. This subcontrol emphasizes the importance of establishing processes and procedures to handle such requests promptly, accurately, and in compliance with privacy regulations.

  • Software, Firmware, and Information Integrity | Confined Environments with Limited Privileges (SI-7(11))

    The Software, Firmware, and Information Integrity control SI-7(11) within the System and Information Integrity (SI) family focuses on protecting the integrity of software and firmware in confined environments with limited privileges. This subcontrol emphasizes the need to establish secure environments where software and firmware can operate with restricted privileges to mitigate the risk of unauthorized alterations and maintain their integrity.

  • De-identification (SI-19)- Main Control

    The De-identification control SI-19 within the System and Information Integrity (SI) family focuses on the secure and responsible removal of personally identifiable information (PII) and other sensitive data from datasets, records, or information systems. De-identification is crucial for protecting individuals' privacy while still allowing organizations to use data for legitimate purposes.

  • De-identification | Collection (SI-19(1))

    The De-identification control SI-19(1) within the System and Information Integrity (SI) family focuses on the responsible and secure collection of data, with a particular emphasis on personally identifiable information (PII) and sensitive data. This subcontrol underscores the importance of implementing measures to ensure that data collection processes prioritize privacy and data protection.

  • De-identification | Archiving (SI-19(2))

    The De-identification control SI-19(2) within the System and Information Integrity (SI) family focuses on the responsible and secure archiving of data, particularly emphasizing personally identifiable information (PII) and sensitive data. This subcontrol highlights the importance of implementing measures to protect the privacy and security of archived data while retaining its integrity.

  • De-identification | Release (SI-19(3))

    The De-identification control SI-19(3) within the System and Information Integrity (SI) family focuses on the secure and responsible release of data, with a particular emphasis on personally identifiable information (PII) and sensitive data. This subcontrol underscores the importance of implementing measures to protect privacy and data security when sharing or releasing data to authorized parties.

  • De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers (SI-19(4))

    The De-identification control SI-19(4) within the System and Information Integrity (SI) family emphasizes the importance of implementing secure and privacy-preserving techniques to de-identify data, especially personally identifiable information (PII) and sensitive data. This subcontrol focuses on the secure removal, masking, encryption, hashing, or replacement of direct identifiers to protect individuals' privacy while retaining data utility.

  • De-identification | Statistical Disclosure Control (SI-19(5))

    The De-identification control SI-19(5) within the System and Information Integrity (SI) family focuses on the application of statistical disclosure control techniques to protect sensitive data, particularly personally identifiable information (PII). This subcontrol emphasizes the importance of using statistical methods to reduce the risk of re-identification while preserving data utility.

  • De-identification | Differential Privacy (SI-19(6))

    The De-identification control SI-19(6) within the System and Information Integrity (SI) family focuses on the implementation of differential privacy techniques to protect sensitive data, especially personally identifiable information (PII). This subcontrol highlights the importance of preserving individual privacy while allowing for the useful analysis of data.

  • De-identification | Validated Algorithms and Software (SI-19(7))

    The De-identification control SI-19(7) within the System and Information Integrity (SI) family emphasizes the importance of using validated algorithms and software for implementing de-identification techniques. This subcontrol focuses on ensuring the reliability and effectiveness of the algorithms and tools used to protect sensitive data, especially personally identifiable information (PII).

  • De-identification | Motivated Intruder (SI-19(8))

    The De-identification control SI-19(8) within the System and Information Integrity (SI) family focuses on safeguarding sensitive data, especially personally identifiable information (PII), from motivated intruders who may attempt to re-identify de-identified data. This subcontrol emphasizes the need to consider advanced threats and attackers with a strong motivation to breach data privacy.

  • Tainting (SI-20)- Main Control

    The Tainting control SI-20 within the System and Information Integrity (SI) family addresses the prevention and management of data tainting. Data tainting refers to the contamination or compromise of data integrity, which can occur due to various factors, including unauthorized access, manipulation, or exposure.

  • Information Refresh (SI-21)- Main Control

    The Information Refresh control SI-21 within the System and Information Integrity (SI) family addresses the need for organizations to periodically refresh and update information to ensure its accuracy, relevancy, and reliability. Information that becomes outdated or obsolete may pose risks to decision-making, compliance, and system functionality.

  • Information Diversity (SI-22)- Main Control

    The Information Diversity control SI-22 within the System and Information Integrity (SI) family focuses on the importance of diversifying information sources and data to enhance data integrity, accuracy, and reliability. Information that comes from a variety of sources is less susceptible to single points of failure or manipulation.

  • Information Fragmentation (SI-23)- Main Control

    The Information Fragmentation control SI-23 within the System and Information Integrity (SI) family emphasizes the importance of fragmenting and segregating information into smaller, more manageable components. This fragmentation helps safeguard data integrity and confidentiality by reducing the potential impact of unauthorized access or data compromise.

  • Predictable Failure Prevention | Time Limit on Process Execution Without Supervision (SI-13(2))

    The Predictable Failure Prevention control SI-13(2) within the System and Information Integrity (SI) family focuses on mitigating the risk of predictable failures in information systems by implementing time limits on process execution without supervision. By setting these time limits, organizations can prevent processes from running indefinitely and potentially causing system failures or resource exhaustion.

  • Software, Firmware, and Information Integrity | Protection of Boot Firmware (SI-7(10))

    The Protection of Boot Firmware subcontrol SI-7(10) within the System and Information Integrity (SI) control family is designed to ensure the integrity and security of an organization's boot firmware. Boot firmware is a critical component of the system startup process, and protecting it is vital to prevent unauthorized access, tampering, or malware infection from occurring during system boot-up.

  • Software, Firmware, and Information Integrity | Integrity Verification (SI-7(12))

    The Integrity Verification subcontrol SI-7(12) within the System and Information Integrity (SI) control family focuses on ensuring the integrity of software, firmware, and information throughout their lifecycle. This subcontrol emphasizes the importance of verifying the integrity of these components to prevent unauthorized modifications, corruption, or tampering.

  • Software, Firmware, and Information Integrity | Code Execution in Protected Environments (SI-7(13))

    The Code Execution in Protected Environments subcontrol SI-7(13) within the System and Information Integrity (SI) control family focuses on executing code within secure and protected environments. This subcontrol emphasizes the importance of executing code in a controlled and secure manner to prevent malicious or unauthorized code execution.

  • Software, Firmware, and Information Integrity | Binary or Machine Executable Code (SI-7(14))

    The Binary or Machine Executable Code subcontrol SI-7(14) within the System and Information Integrity (SI) control family focuses on ensuring the integrity of binary or machine-executable code within information systems. This subcontrol emphasizes the importance of verifying and protecting the integrity of code that is directly executable by hardware or software components.

  • Software, Firmware, and Information Integrity | Code Authentication (SI-7(15))

    The Code Authentication subcontrol SI-7(15) within the System and Information Integrity (SI) control family focuses on ensuring the authenticity of software and firmware code. This subcontrol emphasizes the importance of verifying that code comes from a trusted source and has not been tampered with during transmission or deployment.

  • Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision (SI-7(16))

    The Time Limit on Process Execution Without Supervision subcontrol SI-7(16) within the System and Information Integrity (SI) control family focuses on setting time limits for executing software and firmware processes without human supervision. This subcontrol emphasizes the importance of mitigating risks associated with unattended execution of code.

  • Software, Firmware, and Information Integrity | Runtime Application Self-protection (SI-7(17))

    The Runtime Application Self-protection (RASP) subcontrol SI-7(17) within the System and Information Integrity (SI) control family focuses on enhancing the security of software and firmware by implementing self-protection mechanisms during runtime. This subcontrol aims to detect and respond to security threats and vulnerabilities in real-time, minimizing the potential impact of attacks.

  • Spam Protection (SI-8)- Main Control

    The Spam Protection (SI-8) control is part of the System and Information Integrity control family and focuses on preventing and mitigating the impact of spam emails within an organization. Spam emails are unsolicited and often contain malicious content, posing significant security risks and potentially disrupting normal business operations. SI-8 aims to establish measures to filter and handle spam emails effectively.

  • Spam Protection | Central Management (SI-8(1))

    The SI-8(1) subcontrol, part of the System and Information Integrity control family, focuses on the central management of spam protection mechanisms within an organization's email infrastructure. Central management ensures the consistent and effective implementation of spam protection policies, configurations, and updates across the organization.

  • Spam Protection | Automatic Updates (SI-8(2))

    The SI-8(2) subcontrol, within the System and Information Integrity control family, focuses on the automatic updating of spam protection mechanisms. It is crucial to ensure that spam protection measures stay current and effective against evolving spam threats.

  • Spam Protection | Continuous Learning Capability (SI-8(3))

    The SI-8(3) subcontrol, part of the System and Information Integrity control family, emphasizes the importance of continuous learning for spam protection mechanisms. It involves the ongoing improvement and adaptation of spam filters and rules based on the evolving nature of spam threats.

  • Information Input Validation (SI-10)- Main Control

    The SI-10 control, under the System and Information Integrity control family, focuses on ensuring the integrity and security of information by validating and sanitizing input data received by information systems. It is critical for preventing malicious code injection and unauthorized access to sensitive information.

  • Information Input Validation | Review and Resolve Errors (SI-10(2))

    Subcontrol SI-10(2) under the System and Information Integrity control family focuses on the review and resolution of errors that arise during the process of input validation. It is essential to identify and rectify errors promptly to maintain the integrity and security of information systems.

  • Information Input Validation | Manual Override Capability (SI-10(1))

    Subcontrol SI-10(1) under the System and Information Integrity control family addresses the need for a manual override capability within information systems' input validation processes. This capability allows authorized personnel to bypass automated validation mechanisms under specific circumstances, such as emergency situations or when automated validation cannot adequately handle a particular input.

  • Predictable Failure Prevention | Manual Transfer Between Components (SI-13(3))

    Subcontrol SI-13(3) within the System and Information Integrity control family focuses on preventing predictable failures related to manual transfers of information between system components. It addresses the need for organizations to establish procedures and safeguards for manually moving data between different parts of their information systems.

  • Predictable Failure Prevention | Transferring Component Responsibilities (SI-13(1))

    Subcontrol SI-13(1) within the System and Information Integrity control family addresses the need for organizations to establish and implement procedures to prevent predictable failures that may occur when responsibilities are transferred between system components. This subcontrol emphasizes the importance of maintaining the integrity, availability, and security of an organization's information systems during such transitions.

  • Predictable Failure Prevention (SI-13)- Main Control

    The Predictable Failure Prevention control, SI-13, is a critical element within the System and Information Integrity control family. SI-13 focuses on minimizing the risk of system failures and disruptions due to predictable and preventable events that can adversely impact information systems. It is designed to ensure that organizations implement measures to identify, assess, and mitigate potential failures before they occur.

  • Information Management and Retention | Information Disposal (SI-12(3))

    The Information Disposal subcontrol, SI-12(3), is a critical component of the System and Information Integrity control family. SI-12(3) focuses on ensuring that organizations properly dispose of sensitive information when it is no longer needed. Effective information disposal helps mitigate the risk of unauthorized access, data breaches, and the exposure of sensitive data.

  • Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research (SI-12(2))

    The "Minimize Personally Identifiable Information (PII) in Testing, Training, and Research" subcontrol, SI-12(2), is a crucial component of the System and Information Integrity control family. SI-12(2) focuses on the responsible and secure handling of PII during testing, training, and research activities to minimize risks associated with the exposure or misuse of sensitive personal information.

  • Information Management and Retention | Limit Personally Identifiable Information Elements (SI-12(1))

    The "Limit Personally Identifiable Information Elements" subcontrol, SI-12(1), is an essential component of the System and Information Integrity control family. SI-12(1) focuses on reducing the risk associated with the storage and retention of Personally Identifiable Information (PII) by limiting the elements of PII collected and stored to only those necessary for authorized business purposes.

  • Error Handling (SI-11)- Main Control

    The "Error Handling" control, SI-11, is a critical element of the System and Information Integrity control family. It focuses on managing errors and anomalies in information systems to ensure that they do not lead to security vulnerabilities, unauthorized access, or data breaches. Error handling involves the identification, reporting, and appropriate resolution of errors, faults, and abnormal system behavior.

  • Information Input Validation | Injection Prevention (SI-10(6))

    The "Injection Prevention" subcontrol, SI-10(6), is a crucial component of the Information Input Validation control within the System and Information Integrity (SI) control family. It focuses on preventing injection attacks by validating and sanitizing input data to ensure that it does not contain malicious code or commands that could compromise the integrity and security of an information system.

  • Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats (SI-10(5))

    The "Restrict Inputs to Trusted Sources and Approved Formats" subcontrol, SI-10(5), is a critical component of the Information Input Validation control within the System and Information Integrity (SI) control family. It focuses on ensuring that inputs to information systems originate from trusted sources and adhere to approved data formats and structures.

  • Information Input Validation | Timing Interactions (SI-10(4))

    The "Timing Interactions" subcontrol, SI-10(4), is a critical component of the Information Input Validation control within the System and Information Integrity (SI) control family. It focuses on preventing security vulnerabilities that may arise from timing-related interactions with data inputs.

  • Information Input Validation | Predictable Behavior (SI-10(3))

    The "Predictable Behavior" subcontrol, SI-10(3), is a vital component of the Information Input Validation control within the System and Information Integrity (SI) control family. It aims to prevent security vulnerabilities arising from data inputs that exhibit predictable or deterministic behavior patterns.

  • Information Management and Retention (SI-12)- Main Control

    The Information Management and Retention control, SI-12, is a fundamental component of the System and Information Integrity (SI) control family. It focuses on establishing policies and procedures for the effective management and retention of information assets throughout their lifecycle to ensure their integrity, availability, and confidentiality.

The Supply Chain Risk Management control family addresses the identification, assessment, and mitigation of risks associated with the supply chain, with a focus on ensuring the security of information systems and the integrity of products and services. The controls within this family aim to establish a systematic approach to managing the security risks introduced by the supply chain, including risks related to the sourcing, development, distribution, and maintenance of information systems.

  • Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update (SR-5(2))

    The Acquisition Strategies, Tools, and Methods subcontrol SR-5(2) focuses on conducting assessments prior to the selection, acceptance, modification, or update of supply chain elements within an organization's information system. This subcontrol aims to identify and mitigate potential risks associated with the acquisition of hardware, software, and services from external sources.

  • Supplier Assessments and Reviews (SR-6)- Main Control

    The Supplier Assessments and Reviews control (SR-6) is a crucial component of Supply Chain Risk Management. It involves assessing and reviewing the security practices and performance of suppliers or vendors providing hardware, software, and services to an organization. The goal is to ensure that these suppliers meet the required security standards and do not introduce vulnerabilities or risks into the organization's supply chain.

  • Supplier Assessments and Reviews | Testing and Analysis (SR-6(1))

    The Supplier Assessments and Reviews subcontrol SR-6(1) focuses on the testing and analysis of suppliers' security practices, products, or services. This subcontrol is a critical component of supply chain risk management, aimed at ensuring that suppliers meet the organization's security standards and do not introduce vulnerabilities into the supply chain.

  • Supply Chain Operations Security (SR-7)- Main Control

    The Supply Chain Operations Security control (SR-7) focuses on ensuring the security of supply chain operations. It encompasses activities and measures designed to protect the integrity, confidentiality, and availability of supply chain processes, systems, and information. This control aims to prevent, detect, and respond to security risks that may arise during the sourcing, acquisition, and distribution of products and services from suppliers.

  • Notification Agreements (SR-8)- Main Control

    The Notification Agreements control (SR-8) pertains to establishing agreements with suppliers and partners regarding the timely exchange of information related to security incidents, vulnerabilities, and threats within the supply chain. These agreements facilitate the sharing of critical information, allowing organizations to respond promptly to emerging risks and incidents that may impact the security of their supply chain.

  • Tamper Resistance and Detection (SR-9)- Main Control

    The Tamper Resistance and Detection control (SR-9) focuses on implementing mechanisms and measures to safeguard the integrity of supply chain components, products, and systems. It involves the use of tamper-evident technologies and methods to detect and respond to any unauthorized physical access, tampering, or alterations that may compromise the security and trustworthiness of these components.

  • Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle (SR-9(1))

    The Tamper Resistance and Detection subcontrol SR-9(1) specifically addresses the need for tamper-evident measures at multiple stages of the System Development Life Cycle (SDLC). It requires organizations to implement tamper-resistant technologies and practices not only during the production and manufacturing phases but also throughout the entire lifecycle of a system or product.

  • Inspection of Systems or Components (SR-10)- Main Control

    The Inspection of Systems or Components control (SR-10) is a critical element of supply chain risk management. It involves a systematic process of inspecting and evaluating systems, components, or software obtained from external sources to ensure their integrity, authenticity, and compliance with established security standards and requirements.

  • Component Authenticity (SR-11)- Main Control

    The Component Authenticity control (SR-11) is a critical element of supply chain risk management. It focuses on ensuring that all hardware and software components used in an organization's systems and products are genuine, free from tampering or counterfeiting, and come from trusted sources.

  • Component Authenticity | Anti-counterfeit Training (SR-11(1))

    The Anti-counterfeit Training subcontrol (SR-11(1)) under Component Authenticity in Supply Chain Risk Management (SR-11) focuses on providing training to personnel involved in the procurement and supply chain management processes. This training equips them with the knowledge and skills necessary to identify counterfeit components and mitigate the risks associated with counterfeit or compromised hardware and software.

  • Component Authenticity | Configuration Control for Component Service and Repair (SR-11(2))

    The Configuration Control for Component Service and Repair subcontrol (SR-11(2)) within the Component Authenticity category of Supply Chain Risk Management (SR-11) aims to establish robust configuration control processes for components undergoing service or repair. It ensures that any changes made during service or repair activities do not compromise the authenticity, integrity, or security of the components.

  • Component Authenticity | Anti-counterfeit Scanning (SR-11(3))

    The Anti-counterfeit Scanning subcontrol (SR-11(3)) within the Component Authenticity category of Supply Chain Risk Management (SR-11) focuses on implementing processes and technologies to detect and prevent counterfeit components from entering an organization's supply chain. Counterfeit components can compromise the integrity and security of systems and pose significant risks.

  • Component Disposal (SR-12)- Main Control

    The Component Disposal control (SR-12) within the Supply Chain Risk Management (SR) category focuses on the secure and responsible disposal of electronic and electromechanical components and associated data. Proper disposal practices help mitigate risks associated with the potential compromise of sensitive information or the reintroduction of components into the supply chain after disposal.

  • Acquisition Strategies, Tools, and Methods | Adequate Supply (SR-5(1))

    The Adequate Supply subcontrol (SR-5(1)) within the Supply Chain Risk Management (SR) category focuses on ensuring that an organization maintains an adequate supply of critical components and materials essential for its operations. This subcontrol aims to mitigate supply chain risks associated with disruptions or shortages that could impact the organization's ability to deliver products or services.

  • Acquisition Strategies, Tools, and Methods (SR-5)- Main Control

    The Acquisition Strategies, Tools, and Methods control (SR-5) within the Supply Chain Risk Management (SR) category focuses on developing and implementing strategies, tools, and methods to assess and manage supply chain risks effectively. It involves proactive measures to identify, evaluate, and mitigate risks associated with the acquisition of goods and services from suppliers and vendors.

  • Provenance | Supply Chain Integrity — Pedigree (SR-4(4))

    The Supply Chain Integrity - Pedigree subcontrol (SR-4(4)) within the Provenance category of Supply Chain Risk Management (SR) focuses on establishing and maintaining the integrity of an item's supply chain pedigree. It involves tracking and verifying the origin, ownership, and history of critical components, products, or services throughout the supply chain to ensure they have not been compromised or tampered with.

  • Provenance | Validate as Genuine and Not Altered (SR-4(3))

    The Provenance subcontrol SR-4(3) addresses the need to validate that supply chain items, components, products, or services are genuine and have not been altered or compromised. It involves establishing mechanisms and processes to verify the authenticity and integrity of these items as they traverse the supply chain.

  • Provenance | Track and Trace (SR-4(2))

    The Provenance subcontrol SR-4(2) addresses the need to track and trace supply chain items, components, products, or services throughout their lifecycle. It involves establishing mechanisms and processes to monitor the movement and handling of these items to ensure their integrity and authenticity.

  • Provenance | Identity (SR-4(1))

    The Provenance subcontrol SR-4(1) addresses the need to verify and establish the identity of individuals, entities, and components within the supply chain. It emphasizes the importance of ensuring that all elements are authentic, trustworthy, and not subject to unauthorized substitution or tampering.

  • Provenance (SR-4)- Main Control

    The Provenance control SR-4 focuses on supply chain provenance, ensuring the integrity, authenticity, and security of all components and software used within an organization's information systems. This control helps organizations trace the origin and history of hardware, software, and firmware components to reduce the risk of counterfeit, tampered, or malicious items entering the supply chain.

  • Supply Chain Controls and Processes | Sub-tier Flow Down (SR-3(3))

    The Sub-tier Flow Down subcontrol (SR-3(3)) focuses on ensuring that security requirements and controls flow down through the various tiers of a supply chain. It emphasizes the importance of organizations not only securing their direct suppliers but also extending these security requirements to sub-tier suppliers to mitigate risks effectively.

  • Supply Chain Controls and Processes | Limitation of Harm (SR-3(2))

    The Limitation of Harm subcontrol (SR-3(2)) focuses on minimizing the potential harm resulting from supply chain compromises or security incidents. It emphasizes the importance of having strategies and mechanisms in place to contain, isolate, or mitigate the impact of such incidents when they occur.

  • Supply Chain Controls and Processes | Diverse Supply Base (SR-3(1))

    The Diverse Supply Base subcontrol (SR-3(1)) emphasizes the importance of maintaining a diverse and resilient supplier network. It is designed to reduce the risk of supply chain disruptions by ensuring that organizations are not overly reliant on a single supplier or source.

  • Supply Chain Controls and Processes (SR-3)- Main Control

    The Supply Chain Controls and Processes (SR-3) control focuses on the implementation of effective controls and processes within an organization's supply chain to manage and mitigate risks. It addresses the need to establish security measures and resilience strategies to safeguard the supply chain against disruptions and threats.

  • Supply Chain Risk Management Plan | Establish SCRM Team (SR-2(1))

    The Establish SCRM Team subcontrol (SR-2(1)) is a critical component of the Supply Chain Risk Management (SR) control family within the NIST 800-53 framework. It emphasizes the need for organizations to establish a dedicated Supply Chain Risk Management team responsible for overseeing and implementing strategies to mitigate risks associated with the supply chain.

  • Supply Chain Risk Management Plan (SR-2)- Main Control

    The Supply Chain Risk Management Plan (SR-2) is a critical component of the Supply Chain Risk Management (SR) control family within the NIST 800-53 framework. It focuses on the development and implementation of a comprehensive plan to manage and mitigate risks associated with an organization's supply chain.

  • Policy and Procedures (SR-1)- Main Control

    The Policy and Procedures (SR-1) control is a fundamental component of the Supply Chain Risk Management (SR) control family within the NIST 800-53 framework. It involves the development and implementation of policies and procedures to govern and guide an organization's supply chain risk management efforts.