NIST 800-53 High

NIST 800-53 High specifies security controls for high-impact systems where the confidentiality, integrity, or availability of information is critical. It provides stringent guidelines to protect sensitive data from significant threats, ensuring robust security measures are in place to handle complex and high-risk environments.

Controls:

The System and Information Integrity control family is designed to ensure the integrity of information processed within information systems and the integrity of the systems themselves. The controls within this family aim to prevent, detect, and respond to incidents that could compromise the integrity of information or the functionality of information systems. Integrity protections are crucial for maintaining the trustworthiness of data and the overall reliability of systems.

  • Policy and Procedures (SI-1)- Main Control

    The Policy and Procedures (SI-1) control within the System and Information Integrity (SI) family focuses on the establishment and maintenance of policies and procedures to protect and maintain the integrity of an organization's information systems. This control ensures that formalized policies and procedures are in place to address information system integrity, prevent unauthorized changes, and facilitate timely detection and response to integrity violations.

  • Flaw Remediation (SI-2)- Main Control

    The Flaw Remediation (SI-2) control within the System and Information Integrity (SI) family focuses on the identification, prioritization, and timely remediation of software and hardware vulnerabilities in an organization's information systems. This control ensures that vulnerabilities are addressed promptly to prevent potential exploitation, data breaches, or system compromises.

  • Flaw Remediation | Automated Flaw Remediation Status (SI-2(2))

    The Flaw Remediation | Automated Flaw Remediation Status (SI-2(2)) subcontrol within the System and Information Integrity (SI) family focuses on the implementation of automated mechanisms to track the status of flaw remediation efforts across an organization's information systems. This subcontrol ensures that automated processes are in place to monitor and report on the progress of vulnerability remediation, providing real-time visibility into the state of security.

  • Malicious Code Protection (SI-3)- Main Control

    The Malicious Code Protection (SI-3) control within the System and Information Integrity (SI) family focuses on implementing measures to protect information systems and data from malicious code, including viruses, worms, trojans, and other types of malware. This control emphasizes the importance of preventing, detecting, and responding to malicious code threats to ensure the integrity and availability of systems and information.

  • System Monitoring (SI-4)- Main Control

    The System Monitoring (SI-4) control within the System and Information Integrity (SI) family focuses on establishing a comprehensive system monitoring program that enables organizations to continuously observe, detect, and respond to security events and incidents within their information systems. This control encompasses the establishment and maintenance of monitoring capabilities to ensure the security and integrity of an organization's computing environment.

  • System Monitoring | Automated Tools and Mechanisms for Real-time Analysis (SI-4(2))

    The System Monitoring | Automated Tools and Mechanisms for Real-time Analysis (SI-4(2)) subcontrol within the System and Information Integrity (SI) family emphasizes the use of automated tools and mechanisms to conduct real-time analysis of security-related data and events within an organization's information systems. This subcontrol aims to enhance an organization's ability to promptly detect and respond to security incidents and anomalies.

  • System Monitoring | Inbound and Outbound Communications Traffic (SI-4(4))

    The System Monitoring | Inbound and Outbound Communications Traffic (SI-4(4)) subcontrol within the System and Information Integrity (SI) family focuses on monitoring both inbound and outbound communications traffic to and from an organization's information systems. This subcontrol aims to provide comprehensive visibility into network activities, detect malicious traffic, and ensure the integrity and security of data transmissions.

  • System Monitoring | System-generated Alerts (SI-4(5))

    The System Monitoring | System-generated Alerts (SI-4(5)) subcontrol within the System and Information Integrity (SI) family focuses on the generation and utilization of system-generated alerts to detect and respond to security incidents and anomalies within an organization's information systems. This subcontrol aims to enhance the automated identification of potential threats and irregularities.

  • System Monitoring | Visibility of Encrypted Communications (SI-4(10))

    The System Monitoring | Visibility of Encrypted Communications (SI-4(10)) subcontrol within the System and Information Integrity (SI) family focuses on ensuring that organizations have the capability to inspect and gain visibility into encrypted communications for security monitoring purposes. This subcontrol aims to detect threats and malicious activities that may be hidden within encrypted traffic while preserving the confidentiality and integrity of sensitive data.

  • System Monitoring | Automated Organization-generated Alerts (SI-4(12))

    The System Monitoring | Automated Organization-generated Alerts (SI-4(12)) subcontrol within the System and Information Integrity (SI) family focuses on the automated generation of alerts by an organization's systems and applications to detect and respond to security-related events and anomalies. This subcontrol aims to enhance an organization's ability to promptly identify and address security incidents and maintain the integrity and availability of information systems.

  • System Monitoring | Wireless Intrusion Detection (SI-4(14))

    The System Monitoring | Wireless Intrusion Detection (SI-4(14)) subcontrol within the System and Information Integrity (SI) family focuses on the deployment of wireless intrusion detection mechanisms to monitor and protect wireless network environments. This subcontrol aims to enhance an organization's ability to detect and respond to unauthorized wireless network access and potential security threats in wireless communication.

  • System Monitoring | Privileged Users (SI-4(20))

    The System Monitoring | Privileged Users (SI-4(20)) subcontrol within the System and Information Integrity (SI) family focuses on monitoring the activities of privileged users within an organization's information systems. This subcontrol aims to enhance an organization's ability to detect and respond to potential security incidents involving privileged accounts, ensuring the integrity and confidentiality of sensitive data.

  • System Monitoring | Unauthorized Network Services (SI-4(22))

    The System Monitoring | Unauthorized Network Services (SI-4(22)) subcontrol within the System and Information Integrity (SI) family focuses on monitoring an organization's network infrastructure to detect and prevent unauthorized or rogue network services from being deployed and operated. This subcontrol aims to enhance an organization's ability to maintain the integrity, confidentiality, and availability of its information systems by ensuring that only authorized and approved network services are in operation.

  • Security Alerts, Advisories, and Directives (SI-5)- Main Control

    The Security Alerts, Advisories, and Directives (SI-5) control within the System and Information Integrity (SI) family focuses on establishing a mechanism for receiving, interpreting, and acting upon security alerts, advisories, and directives from authoritative sources. This control aims to enhance an organization's ability to respond effectively to emerging threats, vulnerabilities, and cybersecurity guidance.

  • Security Alerts, Advisories, and Directives | Automated Alerts and Advisories (SI-5(1))

    The Security Alerts, Advisories, and Directives | Automated Alerts and Advisories (SI-5(1)) subcontrol within the System and Information Integrity (SI) family focuses on automating the process of receiving, interpreting, and disseminating security alerts, advisories, and directives from authoritative sources. This subcontrol aims to enhance an organization's ability to respond rapidly and consistently to emerging threats, vulnerabilities, and cybersecurity guidance.

  • Security and Privacy Function Verification (SI-6)- Main Control

    The Security and Privacy Function Verification (SI-6) control within the System and Information Integrity (SI) family focuses on verifying that security and privacy functions, including mechanisms, policies, and procedures, are implemented correctly and effectively to protect information systems. This control aims to enhance an organization's ability to ensure that security and privacy safeguards are functioning as intended.

  • Software, Firmware, and Information Integrity (SI-7)- Main Control

    The Software, Firmware, and Information Integrity (SI-7) control within the System and Information Integrity (SI) family focuses on ensuring the integrity of software and firmware components within an organization's information systems. This control aims to prevent unauthorized changes to software and firmware that could compromise the confidentiality, integrity, and availability of the organization's data and systems.

  • Software, Firmware, and Information Integrity | Integrity Checks (SI-7(1))

    The Software, Firmware, and Information Integrity | Integrity Checks (SI-7(1)) subcontrol within the System and Information Integrity (SI) family focuses on implementing mechanisms for regularly checking the integrity of software, firmware, and information in an organization's information systems. This subcontrol aims to ensure that these components remain unaltered and free from unauthorized modifications that could compromise system security and data integrity.

  • Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations (SI-7(2))

    The Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations (SI-7(2)) subcontrol within the System and Information Integrity (SI) family focuses on implementing automated mechanisms for promptly notifying relevant personnel or systems when integrity violations are detected in software, firmware, or information components. This subcontrol aims to facilitate rapid incident response and mitigation to address unauthorized changes that could compromise system security.

  • Software, Firmware, and Information Integrity | Automated Response to Integrity Violations (SI-7(5))

    The Software, Firmware, and Information Integrity | Automated Response to Integrity Violations (SI-7(5)) subcontrol within the System and Information Integrity (SI) family focuses on automating the response to integrity violations detected in software, firmware, or information components. This subcontrol aims to expedite incident response efforts, reduce the impact of integrity violations, and mitigate potential risks.

  • Software, Firmware, and Information Integrity | Integration of Detection and Response (SI-7(7))

    The Software, Firmware, and Information Integrity | Integration of Detection and Response (SI-7(7)) subcontrol within the System and Information Integrity (SI) family focuses on integrating the detection and response mechanisms to promptly and effectively address integrity violations in software, firmware, and information components. This subcontrol aims to streamline incident response efforts by combining the capabilities of identifying violations and taking immediate action.

  • Memory Protection (SI-16)- Main Control

    The Memory Protection (SI-16) control within the System and Information Integrity (SI) family focuses on safeguarding the integrity and confidentiality of data stored in memory. This control aims to prevent unauthorized access, modification, or leakage of data residing in memory, which is critical for maintaining the overall security and reliability of an organization's information systems.

  • Software, Firmware, and Information Integrity | Code Authentication (SI-7(15))

    The Code Authentication subcontrol SI-7(15) within the System and Information Integrity (SI) control family focuses on ensuring the authenticity of software and firmware code. This subcontrol emphasizes the importance of verifying that code comes from a trusted source and has not been tampered with during transmission or deployment.

  • Spam Protection (SI-8)- Main Control

    The Spam Protection (SI-8) control is part of the System and Information Integrity control family and focuses on preventing and mitigating the impact of spam emails within an organization. Spam emails are unsolicited and often contain malicious content, posing significant security risks and potentially disrupting normal business operations. SI-8 aims to establish measures to filter and handle spam emails effectively.

  • Spam Protection | Automatic Updates (SI-8(2))

    The SI-8(2) subcontrol, within the System and Information Integrity control family, focuses on the automatic updating of spam protection mechanisms. It is crucial to ensure that spam protection measures stay current and effective against evolving spam threats.

  • Information Input Validation (SI-10)- Main Control

    The SI-10 control, under the System and Information Integrity control family, focuses on ensuring the integrity and security of information by validating and sanitizing input data received by information systems. It is critical for preventing malicious code injection and unauthorized access to sensitive information.

  • Error Handling (SI-11)- Main Control

    The "Error Handling" control, SI-11, is a critical element of the System and Information Integrity control family. It focuses on managing errors and anomalies in information systems to ensure that they do not lead to security vulnerabilities, unauthorized access, or data breaches. Error handling involves the identification, reporting, and appropriate resolution of errors, faults, and abnormal system behavior.

  • Information Management and Retention (SI-12)- Main Control

    The Information Management and Retention control, SI-12, is a fundamental component of the System and Information Integrity (SI) control family. It focuses on establishing policies and procedures for the effective management and retention of information assets throughout their lifecycle to ensure their integrity, availability, and confidentiality.

The Supply Chain Risk Management control in NIST 800-53 encompasses the strategies organizations use to address risks related to their supply chain. This control emphasizes maintaining the integrity, security, and resilience of products and services sourced from external vendors or partners. It involves evaluating and mitigating risks that could affect the organization's information systems and operations. Key components include assessing suppliers' security practices, monitoring for vulnerabilities, and implementing measures to manage and reduce supply chain risks.

  • Supplier Assessments and Reviews (SR-6)- Main Control

    The Supplier Assessments and Reviews control (SR-6) is a crucial component of Supply Chain Risk Management. It involves assessing and reviewing the security practices and performance of suppliers or vendors providing hardware, software, and services to an organization. The goal is to ensure that these suppliers meet the required security standards and do not introduce vulnerabilities or risks into the organization's supply chain.

  • Notification Agreements (SR-8)- Main Control

    The Notification Agreements control (SR-8) pertains to establishing agreements with suppliers and partners regarding the timely exchange of information related to security incidents, vulnerabilities, and threats within the supply chain. These agreements facilitate the sharing of critical information, allowing organizations to respond promptly to emerging risks and incidents that may impact the security of their supply chain.

  • Tamper Resistance and Detection (SR-9)- Main Control

    The Tamper Resistance and Detection control (SR-9) focuses on implementing mechanisms and measures to safeguard the integrity of supply chain components, products, and systems. It involves the use of tamper-evident technologies and methods to detect and respond to any unauthorized physical access, tampering, or alterations that may compromise the security and trustworthiness of these components.

  • Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle (SR-9(1))

    The Tamper Resistance and Detection subcontrol SR-9(1) specifically addresses the need for tamper-evident measures at multiple stages of the System Development Life Cycle (SDLC). It requires organizations to implement tamper-resistant technologies and practices not only during the production and manufacturing phases but also throughout the entire lifecycle of a system or product.

  • Inspection of Systems or Components (SR-10)- Main Control

    The Inspection of Systems or Components control (SR-10) is a critical element of supply chain risk management. It involves a systematic process of inspecting and evaluating systems, components, or software obtained from external sources to ensure their integrity, authenticity, and compliance with established security standards and requirements.

  • Component Authenticity (SR-11)- Main Control

    The Component Authenticity control (SR-11) is a critical element of supply chain risk management. It focuses on ensuring that all hardware and software components used in an organization's systems and products are genuine, free from tampering or counterfeiting, and come from trusted sources.

  • Component Authenticity | Anti-counterfeit Training (SR-11(1))

    The Anti-counterfeit Training subcontrol (SR-11(1)) under Component Authenticity in Supply Chain Risk Management (SR-11) focuses on providing training to personnel involved in the procurement and supply chain management processes. This training equips them with the knowledge and skills necessary to identify counterfeit components and mitigate the risks associated with counterfeit or compromised hardware and software.

  • Component Authenticity | Configuration Control for Component Service and Repair (SR-11(2))

    The Configuration Control for Component Service and Repair subcontrol (SR-11(2)) within the Component Authenticity category of Supply Chain Risk Management (SR-11) aims to establish robust configuration control processes for components undergoing service or repair. It ensures that any changes made during service or repair activities do not compromise the authenticity, integrity, or security of the components.

  • Component Disposal (SR-12)- Main Control

    The Component Disposal control (SR-12) within the Supply Chain Risk Management (SR) family focuses on the secure and responsible disposal of electronic and electromechanical components and associated data. Proper disposal practices help mitigate risks associated with the potential compromise of sensitive information or the reintroduction of components into the supply chain after disposal.

  • Acquisition Strategies, Tools, and Methods (SR-5)- Main Control

    The Acquisition Strategies, Tools, and Methods control (SR-5) within the Supply Chain Risk Management (SR) family focuses on developing and implementing strategies, tools, and methods to assess and manage supply chain risks effectively. It involves proactive measures to identify, evaluate, and mitigate risks associated with the acquisition of goods and services from suppliers and vendors.

  • Supply Chain Controls and Processes (SR-3)- Main Control

    The Supply Chain Controls and Processes (SR-3) control focuses on the implementation of effective controls and processes within an organization's supply chain to manage and mitigate risks. It addresses the need to establish security measures and resilience strategies to safeguard the supply chain against disruptions and threats.

  • Supply Chain Risk Management Plan | Establish SCRM Team (SR-2(1))

    The Establish SCRM Team subcontrol (SR-2(1)) is a critical component of the Supply Chain Risk Management (SR) control family within the NIST 800-53 framework. It emphasizes the need for organizations to establish a dedicated Supply Chain Risk Management team responsible for overseeing and implementing strategies to mitigate risks associated with the supply chain.

  • Supply Chain Risk Management Plan (SR-2)- Main Control

    The Supply Chain Risk Management Plan (SR-2) is a critical component of the Supply Chain Risk Management (SR) control family within the NIST 800-53 framework. It focuses on the development and implementation of a comprehensive plan to manage and mitigate risks associated with an organization's supply chain.

  • Policy and Procedures (SR-1)- Main Control

    The Policy and Procedures (SR-1) control is a fundamental component of the Supply Chain Risk Management (SR) control family within the NIST 800-53 framework. It involves the development and implementation of policies and procedures to govern and guide an organization's supply chain risk management efforts.

The System and Communications Protection control family is designed to ensure the security of information systems and the communications that occur within and between systems. This family addresses the protection of information at rest, in transit, and during processing. The controls within this family aim to prevent unauthorized access, detect and respond to security incidents, and establish secure communication channels to safeguard the confidentiality and integrity of information.

  • Policy and Procedures (SC-1)- Main Control

    Control SC-1, part of the System and Communications Protection family in NIST 800-53, focuses on the development and implementation of policies and procedures for securing the organization's communication and information systems.

  • Separation of System and User Functionality (SC-2)- Main Control

    Control SC-2, part of the System and Communications Protection family in NIST 800-53, emphasizes the importance of separating system functionality from user functionality. This separation helps protect information systems and data from unauthorized access and misuse.

  • Security Function Isolation (SC-3)- Main Control

    Control SC-3, in the System and Communications Protection family of NIST 800-53, focuses on the isolation of security functions to prevent unauthorized access, tampering, or interference. It ensures that security mechanisms are protected from being compromised by other functions within the system.

  • Information in Shared System Resources (SC-4)- Main Control

    Control SC-4 is part of the System and Communications Protection family within NIST 800-53. It focuses on protecting information residing in shared system resources. Shared system resources are components or services within an information system that are used by multiple users or processes concurrently. This control is essential for ensuring that sensitive data remains confidential and integrity is maintained when shared resources are utilized.

  • Denial-of-service Protection (SC-5)- Main Control

    SC-5 - Denial-of-service Protection: This control falls under the "System and Communications Protection" family and focuses on protecting information systems and their components from denial-of-service (DoS) attacks. A DoS attack aims to disrupt or degrade the availability of an information system, making it inaccessible to users or causing severe performance degradation.

  • Boundary Protection (SC-7)- Main Control

    SC-7 - Boundary Protection: This control is part of the "System and Communications Protection" family and focuses on establishing and maintaining protective measures at system boundaries to prevent unauthorized access and communication. It safeguards the security and integrity of an organization's systems and data.

  • Boundary Protection | Access Points (SC-7(3))

    SC-7(3) - Boundary Protection | Access Points: This control falls under the "System and Communications Protection" family and focuses on securing access points where systems and networks connect with external networks or untrusted zones. It aims to prevent unauthorized access, malicious activities, and the exploitation of vulnerabilities at these entry and exit points.

  • Boundary Protection | External Telecommunications Services (SC-7(4))

    SC-7(4) - Boundary Protection | External Telecommunications Services: This control is a specific subcontrol under the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on securing and monitoring external telecommunications services that connect an organization's information systems to external networks or service providers.

  • Boundary Protection | Deny by Default — Allow by Exception (SC-7(5))

    SC-7(5) - Boundary Protection | Deny by Default — Allow by Exception: This control is a specific subcontrol under the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It emphasizes the security principle of "deny by default and allow by exception" when configuring network boundaries and security perimeters.

  • Boundary Protection | Split Tunneling for Remote Devices (SC-7(7))

    SC-7(7) - Boundary Protection | Split Tunneling for Remote Devices: This control is a specific subcontrol under the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It pertains to the use of split tunneling for remote devices connected to an organization's network.

  • Boundary Protection | Route Traffic to Authenticated Proxy Servers (SC-7(8))

    SC-7(8) - Boundary Protection | Route Traffic to Authenticated Proxy Servers: This control is a specific subcontrol under the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. It focuses on the practice of routing network traffic through authenticated proxy servers to enhance security.

  • Boundary Protection | Fail Secure (SC-7(18))

    SC-7(18) - Boundary Protection | Fail Secure is a subcontrol under the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. This subcontrol focuses on ensuring that, in the event of a network security breach or failure, networked components and systems default to a secure state, minimizing the potential for unauthorized access and data exposure.

  • Boundary Protection | Isolation of System Components (SC-7(21))

    SC-7(21) - Boundary Protection | Isolation of System Components is a subcontrol under the "Boundary Protection" control (SC-7) within the "System and Communications Protection" family. This subcontrol focuses on the need to isolate individual system components within an organization's network to minimize the risk of unauthorized access, data breaches, or lateral movement by attackers.

  • Transmission Confidentiality and Integrity (SC-8)- Main Control

    SC-8 is a control in the "System and Communications Protection" family of the NIST 800-53 framework. It focuses on ensuring the confidentiality and integrity of data during transmission across communication channels and networks.

  • Transmission Confidentiality and Integrity | Cryptographic Protection (SC-8(1))

    SC-8(1) is a subcontrol under the "Transmission Confidentiality and Integrity" control (SC-8) within the "System and Communications Protection" family of the NIST 800-53 framework. This subcontrol specifically focuses on the use of cryptographic protection to ensure the confidentiality and integrity of data during transmission.

  • Network Disconnect (SC-10)- Main Control

    The Network Disconnect control, part of the System and Communications Protection family, focuses on the proper management of network connections, particularly in situations where it's necessary to disconnect a system or device from a network promptly. This control helps prevent unauthorized access, data breaches, and other security incidents by ensuring that network connections are managed effectively.

  • Cryptographic Key Establishment and Management (SC-12)- Main Control

    Cryptographic Key Establishment and Management (SC-12) is a crucial control within the System and Communications Protection family. This control focuses on the secure generation, distribution, and management of cryptographic keys used to protect sensitive information. Effective key management is essential to maintain the confidentiality and integrity of data in a system.

  • Cryptographic Key Establishment and Management | Availability (SC-12(1))

    Cryptographic Key Establishment and Management | Availability (SC-12(1)) is a specific subcontrol within SC-12, focusing on ensuring the availability of cryptographic keys when needed. Availability is one of the key aspects of secure key management, ensuring that cryptographic operations can be performed without disruption.

  • Cryptographic Protection (SC-13)- Main Control

    Cryptographic Protection (SC-13) is a main control within the System and Communications Protection family of NIST Special Publication 800-53. This control focuses on the use of cryptographic techniques to protect the confidentiality and integrity of information and communications within an organization's information systems.

  • Collaborative Computing Devices and Applications (SC-15)- Main Control

    The Collaborative Computing Devices and Applications control (SC-15) is part of the System and Communications Protection control family in NIST 800-53. This control addresses security considerations related to collaborative computing environments, including shared devices and applications. It focuses on ensuring that collaborative tools and technologies do not compromise the security and confidentiality of sensitive information.

  • Public Key Infrastructure Certificates (SC-17)- Main Control

    The Public Key Infrastructure Certificates control (SC-17) is designed to ensure the proper management and use of Public Key Infrastructure (PKI) certificates within an organization's information systems. PKI certificates play a critical role in establishing secure communication channels and verifying the identity of individuals and entities in a digital environment.

  • Mobile Code (SC-18)- Main Control

    The Mobile Code control (SC-18) is designed to manage the risks associated with the execution of mobile code on organizational information systems. Mobile code refers to software or scripts that can be executed remotely on a system, often without the user's explicit consent. Managing mobile code is crucial for protecting systems against potential security threats introduced by untrusted code execution.

  • Secure Name/Address Resolution Service (Authoritative Source) (SC-20)- Main Control

    The "Secure Name/Address Resolution Service (Authoritative Source)" control (SC-20) falls under the System and Communications Protection (SC) family in NIST 800-53. It addresses the security requirements for ensuring the integrity and authenticity of the Name/Address Resolution Service (NARS), which is an authoritative source for resolving hostnames to IP addresses.

  • Secure Name/Address Resolution Service (Recursive or Caching Resolver) (SC-21)- Main Control

    The "Secure Name/Address Resolution Service (Recursive or Caching Resolver)" control (SC-21) is part of the System and Communications Protection (SC) family in NIST 800-53. It focuses on the security of recursive or caching resolvers within a DNS (Domain Name System) infrastructure. These resolvers are responsible for caching DNS query results and efficiently resolving domain names to IP addresses.

  • Architecture and Provisioning for Name/address Resolution Service (SC-22)- Main Control

    The "Architecture and Provisioning for Name/Address Resolution Service" control (SC-22) is part of the System and Communications Protection (SC) family in NIST 800-53. It requires that the systems which collectively provide name/address resolution for the organization be fault tolerant (multiple servers, preferably on separate networks) and implement internal/external role separation, so that the resolvers serving internal clients are distinct from the authoritative servers answering external queries and the internal namespace is not exposed to the outside.

  • Session Authenticity (SC-23)- Main Control

    The "Session Authenticity" control (SC-23) is part of the System and Communications Protection (SC) family in NIST 800-53. It requires the system to protect the authenticity of communications sessions, so that both endpoints can be confident a session is with the intended party and has not been hijacked, replayed, or spoofed in transit. In practice this means transport protection such as TLS, session identifiers that are unpredictable and issued at authentication, rotation of the identifier on login and privilege change, and invalidation of the identifier at logout or after a timeout.
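
    The identifier life cycle that SC-23 implies, as an added example written for this page (it is not NIST text and not any framework's session implementation): identifiers drawn from the OS CSPRNG, an idle timeout and an absolute lifetime, rotation at login or privilege change, and revocation at logout. The timeouts, the 128-bit identifier size and the user names are assumptions; time is passed in explicitly so the expiry logic can be exercised without waiting.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Session is server-side state reachable only through an unguessable identifier.
type Session struct {
	User     string
	Created  time.Time // start of the absolute lifetime
	LastSeen time.Time // start of the idle window
}

// Store issues, checks, rotates and revokes session identifiers. It is written for a
// single goroutine; a real server wraps the map in a mutex or uses a shared backend.
type Store struct {
	sessions       map[string]*Session
	idle, absolute time.Duration
}

func NewStore(idle, absolute time.Duration) *Store {
	return &Store{sessions: map[string]*Session{}, idle: idle, absolute: absolute}
}

// newID draws 128 bits from the OS CSPRNG. Identifiers built from time, PIDs or
// counters are predictable, which lets an attacker guess another user's session.
func newID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Issue creates a fresh session after a successful authentication.
func (s *Store) Issue(user string, now time.Time) (string, error) {
	id, err := newID()
	if err != nil {
		return "", err
	}
	s.sessions[id] = &Session{User: user, Created: now, LastSeen: now}
	return id, nil
}

// live returns the session behind an identifier if it is known and neither idle nor
// past its absolute lifetime. Expired sessions are deleted so they cannot be revived.
func (s *Store) live(id string, now time.Time) (*Session, error) {
	sess, found := s.sessions[id]
	if !found {
		return nil, errors.New("unknown or revoked session")
	}
	if now.Sub(sess.LastSeen) > s.idle || now.Sub(sess.Created) > s.absolute {
		delete(s.sessions, id)
		return nil, errors.New("session expired")
	}
	sess.LastSeen = now
	return sess, nil
}

// Resolve maps a presented identifier to its user.
func (s *Store) Resolve(id string, now time.Time) (string, error) {
	sess, err := s.live(id, now)
	if err != nil {
		return "", err
	}
	return sess.User, nil
}

// Rotate gives a live session a new identifier. Call it at login and on any privilege
// change, so an identifier fixed or captured earlier is worthless afterwards. The same
// Session object is kept, so rotation cannot extend the absolute lifetime.
func (s *Store) Rotate(id string, now time.Time) (string, error) {
	sess, err := s.live(id, now)
	if err != nil {
		return "", err
	}
	fresh, err := newID()
	if err != nil {
		return "", err
	}
	delete(s.sessions, id)
	s.sessions[fresh] = sess
	return fresh, nil
}

// Revoke invalidates an identifier at logout.
func (s *Store) Revoke(id string) { delete(s.sessions, id) }

func main() {
	s, now := NewStore(15*time.Minute, 8*time.Hour), time.Now()
	id, _ := s.Issue("alice", now)
	rotated, _ := s.Rotate(id, now)
	_, oldErr := s.Resolve(id, now)
	user, newErr := s.Resolve(rotated, now)
	fmt.Printf("old id: %v; rotated id: user=%s err=%v\n", oldErr, user, newErr)
	s.Revoke(rotated)
	_, gone := s.Resolve(rotated, now)
	fmt.Println("after logout:", gone)
}
```

    Transport protection is still required on top of this (TLS, with the cookie carrying the identifier marked Secure and HttpOnly); an unguessable identifier is worth nothing if it can be read off the wire. Rotation hands the same Session object to the new identifier, so an attacker who planted a known identifier before login holds nothing after it, and repeated rotation cannot push a session past its absolute lifetime.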

  • Fail in Known State (SC-24)- Main Control

    The "Fail in Known State" control, under NIST 800-53's System and Communications Protection (SC) family, focuses on ensuring that information systems and communications components are designed to enter a secure or known state in the event of a system failure or disruption. This control aims to prevent the system or component from becoming vulnerable or providing unauthorized access during or after a failure.

  • Protection of Information at Rest (SC-28)- Main Control

    Control SC-28, within NIST 800-53's System and Communications Protection (SC) family, focuses on safeguarding organization-defined information while it is at rest, meaning it is stored on disks, removable media, or backups rather than being processed or transmitted. This includes system information such as configuration files, rule sets, and credentials, not only user data. The control aims to protect this information from unauthorized access, disclosure, alteration, or destruction while it is not in active use.

  • Protection of Information at Rest | Cryptographic Protection (SC-28(1))

    Subcontrol SC-28(1), within NIST 800-53's System and Communications Protection (SC) family, requires cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information at rest on organization-defined system components or media, such as hard drives, solid-state drives, magnetic tapes, optical discs, and object storage. Two practitioner caveats apply. The encryption must be authenticated (or paired with an integrity check) if it is to address modification as well as disclosure, and the keys must be stored and managed separately from the data they protect, since full-disk encryption defends against loss or theft of the media, not against an attacker on the running system who reads files as an authorized process.
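
    One shape of the cryptographic protection SC-28(1) calls for, as an added example written for this page (not NIST text and not a particular product's storage format): per-record AES-256-GCM with a versioned header, a key identifier for rotation, and the storage path bound in as additional authenticated data. The keyring, the key identifiers and the record path are assumptions; keys are generated in memory here, where a deployment would fetch them from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const formatVersion = 1

// Keyring maps key identifiers to 256-bit data-encryption keys. In production these
// come from a KMS or HSM; here they are generated in memory so the example runs offline.
type Keyring map[uint16][]byte

func NewRandomKeyring(ids ...uint16) (Keyring, error) {
	kr := Keyring{}
	for _, id := range ids {
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		kr[id] = k
	}
	return kr, nil
}

func (kr Keyring) gcm(id uint16) (cipher.AEAD, error) {
	key, ok := kr[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %d", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. Layout: version(1) | keyID(2) | nonce(12) |
// ciphertext+tag(16). The header and the caller's context (object path, record id) are
// authenticated as AAD, so a blob copied to another path, or relabelled with a different
// key id, fails to open even though its bytes are intact.
func Seal(kr Keyring, keyID uint16, context, plaintext []byte) ([]byte, error) {
	aead, err := kr.gcm(keyID)
	if err != nil {
		return nil, err
	}
	header := []byte{formatVersion, byte(keyID >> 8), byte(keyID)}
	// Random 96-bit nonces are safe for well under 2^32 messages per key (NIST SP
	// 800-38D); rotate keys before that, and never reuse a nonce under the same key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := append(append([]byte{}, header...), context...)
	out := append(header, nonce...)
	return aead.Seal(out, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any mismatch (wrong key, wrong context, flipped bit) is a single
// opaque failure: GCM checks the tag before releasing any plaintext.
func Open(kr Keyring, context, blob []byte) ([]byte, error) {
	if len(blob) < 3+12+16 {
		return nil, errors.New("blob too short")
	}
	if blob[0] != formatVersion {
		return nil, fmt.Errorf("unsupported format version %d", blob[0])
	}
	aead, err := kr.gcm(binary.BigEndian.Uint16(blob[1:3]))
	if err != nil {
		return nil, err
	}
	aad := append(append([]byte{}, blob[:3]...), context...)
	pt, err := aead.Open(nil, blob[3:15], blob[15:], aad)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong context, or tampered data")
	}
	return pt, nil
}

func main() {
	kr, err := NewRandomKeyring(1, 2)
	if err != nil {
		panic(err)
	}
	ctx := []byte("records/customer/42") // constructed storage path used as context
	blob, _ := Seal(kr, 2, ctx, []byte("constructed sample record"))
	pt, err := Open(kr, ctx, blob)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	_, err = Open(kr, []byte("records/customer/43"), blob)
	fmt.Println("moved to another path:", err)
	blob[len(blob)-1] ^= 1
	_, err = Open(kr, ctx, blob)
	fmt.Println("one bit flipped:", err)
}
```

    Binding the path as AAD is what turns "encrypted" into "encrypted and tamper-evident in context": a blob copied to a different record, relabelled with another key id, or altered by one bit fails to open, which is the modification half of SC-28(1) that an unauthenticated mode such as AES-CBC without a MAC cannot provide.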

  • Process Isolation (SC-39)- Main Control

    Process Isolation (SC-39) is a control within the System and Communications Protection (SC) family of NIST Special Publication 800-53 Revision 5. It focuses on separating and isolating processes within an information system to prevent unauthorized access and reduce the risk of unauthorized data sharing.

The System and Services Acquisition control family addresses the processes and activities related to the acquisition of information systems, products, and services. The controls within this family are designed to ensure that organizations acquire, develop, and maintain systems that meet security requirements and adhere to established policies and procedures. The goal is to manage risks associated with the acquisition lifecycle, from the initial planning stages through the development, implementation, and ongoing maintenance of systems.

  • Policy and Procedures (SA-1)- Main Control

    The Policy and Procedures (SA-1) control is a foundational component of the NIST 800-53 System and Services Acquisition control family. This control focuses on establishing and maintaining comprehensive policies and procedures that govern the acquisition, development, and deployment of information systems and services within an organization. It provides the framework for ensuring that acquisitions align with security, compliance, and operational requirements.

  • Allocation of Resources (SA-2)- Main Control

    The Allocation of Resources (SA-2) control is a vital component of the NIST 800-53 System and Services Acquisition control family. This control focuses on ensuring that an organization allocates adequate resources, including budget, personnel, and infrastructure, to support the successful acquisition, development, and maintenance of information systems and services, and that security and privacy requirements are part of the capital planning and budgeting for each system.

  • System Development Life Cycle (SA-3)- Main Control

    The System Development Life Cycle (SA-3) control is a foundational component of the NIST 800-53 System and Services Acquisition control family. This control focuses on establishing and managing a structured and well-documented system development life cycle (SDLC) process that incorporates security and privacy considerations at every phase, from requirements through disposal, with defined roles and responsibilities for the acquisition, development, and deployment of information systems and services.

  • Acquisition Process (SA-4)- Main Control

    The Acquisition Process (SA-4) control is a fundamental component of the NIST 800-53 System and Services Acquisition control family. This control focuses on including security and privacy requirements, descriptions, and criteria in acquisition contracts for systems, components, and services, including functional and strength requirements, assurance requirements, documentation requirements, and acceptance criteria, so that what is procured can be verified against what was specified.

  • Acquisition Process | Functional Properties of Controls (SA-4(1))

    The Acquisition Process | Functional Properties of Controls (SA-4(1)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. It requires the developer of the system, component, or service to provide a description of the functional properties of the controls to be implemented, that is, the security- and privacy-relevant functionality visible at the external interfaces, so that the acquirer can judge whether the delivered product actually provides the capabilities the requirements call for.

  • Acquisition Process | Design and Implementation Information for Controls (SA-4(2))

    The Acquisition Process | Design and Implementation Information for Controls (SA-4(2)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. It requires the developer to provide design and implementation information for the controls at an organization-defined level of detail, such as security-relevant external system interfaces, high-level design, low-level design, or source code and hardware schematics, so that the acquirer can evaluate how the controls are built rather than only what they claim to do.

  • Acquisition Process | System, Component, and Service Configurations (SA-4(5))

    The Acquisition Process | System, Component, and Service Configurations (SA-4(5)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. It requires the developer to deliver the system, component, or service with organization-defined security configurations already implemented, and to use those configurations as the default for any subsequent reinstallation or upgrade, so that a rebuild does not silently revert to vendor defaults.

  • Acquisition Process | Functions, Ports, Protocols, and Services in Use (SA-4(9))

    The Acquisition Process | Functions, Ports, Protocols, and Services in Use (SA-4(9)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. It requires the developer to identify, early in the system development life cycle, the functions, ports, protocols, and services (FPPS) the product is intended to use. The resulting inventory is what lets the organization disable unneeded services, derive firewall and monitoring rules, and recognize an unexpected listener as either undocumented functionality or an intrusion.

  • Acquisition Process | Use of Approved PIV Products (SA-4(10))

    The Acquisition Process | Use of Approved PIV Products (SA-4(10)) subcontrol is a specific component of the NIST 800-53 System and Services Acquisition control family. It requires that only information technology products on the FIPS 201-approved products list be used to implement Personal Identity Verification (PIV) capability in organizational systems, so that card readers, middleware, and credential validation components have been tested against the federal PIV standard.

  • System Documentation (SA-5)- Main Control

    The System Documentation (SA-5) control is part of the NIST 800-53 System and Services Acquisition control family. SA-5 requires the organization to obtain and maintain administrator and user documentation for the system, component, or service, covering secure configuration, installation, and operation, the effective use and maintenance of security and privacy functions, and known vulnerabilities regarding configuration and use of administrative functions, and to protect that documentation and distribute it to the personnel who need it.

  • Security and Privacy Engineering Principles (SA-8)- Main Control

    The Security and Privacy Engineering Principles (SA-8) control is a key component of the NIST 800-53 System and Services Acquisition control family. SA-8 emphasizes the incorporation of security and privacy principles into the system development life cycle to ensure that security and privacy controls are integrated from the outset.

  • External System Services (SA-9)- Main Control

    Control SA-9 within the System and Services Acquisition family of NIST 800-53 addresses the security and privacy concerns associated with external system services. It focuses on managing the risks associated with connecting systems to external services, networks, and providers.

  • External System Services | Identification of Functions, Ports, Protocols, and Services (SA-9(2))

    Control SA-9(2) within the System and Services Acquisition family of NIST 800-53 focuses on the need to identify and document the functions, ports, protocols, and services (FPPS) associated with external system services. It ensures that organizations have a clear understanding of the interactions and dependencies related to these services.
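
    A check that turns the FPPS inventory of SA-4(9) and SA-9(2) into something verifiable on a running host, added here as an example (it is not NIST text and not a scanner's code): parse the listening sockets as `ss -Hltunp` prints them, compare them with the approved list, and report unapproved listeners, approved ports served by the wrong process, services that should be loopback-only but are exposed, and approved services that are not running. The `ss` output and the baseline are constructed samples; the column layout assumed is that of iproute2's `ss` with the header suppressed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Listener is one listening socket as reported by `ss -Hltunp`.
type Listener struct {
	Proto, Addr, Process string // Process is "unknown" when ss could not see the owner
	Port                 int
}

// Approved is one row of the FPPS baseline delivered by the developer or provider.
type Approved struct {
	Proto, Process, Purpose string
	Port                    int
	LocalOnly               bool // must bind to loopback only
}

// Finding kinds: unapproved, wrong-process, exposed, missing.
type Finding struct {
	Kind, Proto string
	Port        int
	Detail      string
}

var procRe = regexp.MustCompile(`\(\("([^"]+)"`)

// ParseSS reads `ss -Hltunp` lines: netid state recv-q send-q local peer [users:...].
func ParseSS(output string) ([]Listener, error) {
	var out []Listener
	for _, line := range strings.Split(strings.TrimSpace(output), "\n") {
		f := strings.Fields(line)
		if len(f) < 6 {
			return nil, fmt.Errorf("unexpected ss line: %q", line)
		}
		i := strings.LastIndex(f[4], ":")
		port, err := strconv.Atoi(f[4][i+1:])
		if i < 0 || err != nil {
			return nil, fmt.Errorf("bad local address %q", f[4])
		}
		proc := "unknown"
		if m := procRe.FindStringSubmatch(strings.Join(f[6:], " ")); m != nil {
			proc = m[1]
		}
		out = append(out, Listener{Proto: f[0], Addr: f[4][:i], Port: port, Process: proc})
	}
	return out, nil
}

// Audit compares live listeners with the baseline. A listener the baseline does not name
// is the interesting case: undocumented functionality, or something an intruder started.
// Baseline entries that are not listening are reported too, since a missing security
// service (an agent, a log forwarder) is also a deviation from the documented state.
func Audit(listeners []Listener, baseline []Approved) []Finding {
	approved, seen := map[string]Approved{}, map[string]bool{}
	for _, a := range baseline {
		approved[fmt.Sprintf("%s/%d", a.Proto, a.Port)] = a
	}
	var findings []Finding
	for _, l := range listeners {
		key := fmt.Sprintf("%s/%d", l.Proto, l.Port)
		seen[key] = true
		a, ok := approved[key]
		add := func(kind, detail string) { findings = append(findings, Finding{kind, l.Proto, l.Port, detail}) }
		switch {
		case !ok:
			add("unapproved", l.Process+" listening on "+l.Addr)
		case l.Process != a.Process:
			add("wrong-process", "expected "+a.Process+", found "+l.Process)
		case a.LocalOnly && !strings.HasPrefix(l.Addr, "127.") && l.Addr != "[::1]":
			add("exposed", a.Process+" bound to "+l.Addr+"; baseline requires loopback")
		}
	}
	for _, a := range baseline {
		if !seen[fmt.Sprintf("%s/%d", a.Proto, a.Port)] {
			findings = append(findings, Finding{"missing", a.Proto, a.Port, a.Process + " (" + a.Purpose + ") not listening"})
		}
	}
	return findings
}

// Constructed sample output and baseline, not captured from a real host.
const sampleSS = `tcp LISTEN 0 4096 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 4096 0.0.0.0:443  0.0.0.0:* users:(("nginx",pid=1201,fd=6))
tcp LISTEN 0 128  0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=933,fd=5))
tcp LISTEN 0 50   0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=2048,fd=3))
udp UNCONN 0 0    0.0.0.0:123  0.0.0.0:* users:(("chronyd",pid=640,fd=5))`

var sampleBaseline = []Approved{
	{Proto: "tcp", Port: 22, Process: "sshd", Purpose: "remote administration"},
	{Proto: "tcp", Port: 443, Process: "nginx", Purpose: "HTTPS front end"},
	{Proto: "tcp", Port: 5432, Process: "postgres", Purpose: "database", LocalOnly: true},
	{Proto: "tcp", Port: 8443, Process: "admin-api", Purpose: "management API", LocalOnly: true},
	{Proto: "udp", Port: 123, Process: "chronyd", Purpose: "time sync"},
}

func main() {
	ls, err := ParseSS(sampleSS)
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(ls, sampleBaseline) {
		fmt.Printf("%-13s %s/%-5d %s\n", f.Kind, f.Proto, f.Port, f.Detail)
	}
}
```

    On a real host, feed it `ss -Hltunp` output captured as root (otherwise the process column is empty and every listener reports as unknown), and keep the baseline under configuration management next to the FPPS documentation the developer delivered; the diff between the two over time is what shows whether the delivered inventory still matches reality.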

  • Developer Configuration Management (SA-10)- Main Control

    Control SA-10 within the System and Services Acquisition family of NIST 800-53 requires the developer of the system, component, or service to perform configuration management during design, development, implementation, and operation; to document, manage, and control the integrity of changes to configuration items; to implement only organization-approved changes; to document approved changes and their potential security and privacy impacts; and to track security flaws and their resolution. Unmanaged developer changes are a common way for untested code, leftover debug access, or outdated dependencies to reach production.

  • Developer Testing and Evaluation (SA-11)- Main Control

    Control SA-11 within the System and Services Acquisition family of NIST 800-53 focuses on the requirement for organizations to conduct systematic testing and evaluation of software, firmware, and other system components during the development process. It ensures that these components are rigorously assessed for functionality, security, and compliance with requirements.

  • Development Process, Standards, and Tools (SA-15)- Main Control

    Control SA-15 within the System and Services Acquisition family of NIST 800-53 focuses on establishing and maintaining a structured development process that incorporates security standards and appropriate tools. It emphasizes the need to ensure that security considerations are integrated into the development lifecycle of systems, services, or products.

  • Development Process, Standards, and Tools | Criticality Analysis (SA-15(3))

    Control SA-15(3) within the System and Services Acquisition family of NIST 800-53 focuses on incorporating criticality analysis as part of the development process. It emphasizes the need to assess and prioritize the criticality of systems, services, or products being developed to align security efforts with their importance.

  • Developer-provided Training (SA-16)- Main Control

    Control SA-16, part of the System and Services Acquisition family in NIST 800-53, requires the developer of the system, component, or service to provide training on the correct use and operation of the implemented security and privacy functions, controls, and mechanisms. The audience is the organizational personnel who will administer and use the delivered product, and the aim is that its security features are configured and operated as designed rather than left at defaults or switched off.

  • Developer Security and Privacy Architecture and Design (SA-17)- Main Control

    Control SA-17, part of the System and Services Acquisition family in NIST 800-53, focuses on integrating security and privacy considerations into the architecture and design of systems and services during the development process. It ensures that security and privacy are foundational elements rather than afterthoughts.

  • Developer Screening (SA-21)- Main Control

    Control SA-21, part of the System and Services Acquisition family in NIST 800-53, requires that the developer of the system, component, or service have appropriate access authorizations as determined by assigned duties and satisfy organization-defined personnel screening criteria. Developers often hold privileged access to source code, build pipelines, and signing keys, so the screening should match the damage a malicious or careless developer could do.

  • Unsupported System Components (SA-22)- Main Control

    Control SA-22, a part of the System and Services Acquisition family in NIST 800-53, requires the organization to replace system components when support from the developer, vendor, or manufacturer is no longer available, or to provide justification and obtain approval for the continued use of unsupported components. Where continued use is approved, compensating measures (network isolation, restricted access, enhanced monitoring) should cover the security updates that are no longer arriving.

The Risk Assessment control family is designed to ensure that organizations systematically identify, analyze, and manage risks to their information systems and the data they process. The goal is to provide a structured approach to understanding and evaluating the potential impact of risks on organizational operations, assets, individuals, and other critical elements. By conducting risk assessments, organizations can make informed decisions about risk mitigation strategies, prioritize security efforts, and align security measures with organizational goals.

  • Policy and Procedures (RA-1)- Main Control

    The Policy and Procedures control (RA-1) is the foundational control of the Risk Assessment family within the NIST 800-53 framework. This control focuses on establishing, documenting, and maintaining comprehensive policies and procedures for conducting risk assessments within an organization. Risk assessments are essential for identifying, evaluating, and managing risks to information systems and data.

  • Security Categorization (RA-2)- Main Control

    The Security Categorization control (RA-2) is a critical component of the Risk Assessment family within the NIST 800-53 framework. RA-2 requires the organization to categorize the system and the information it processes, stores, and transmits (for federal systems, using the FIPS 199 impact levels), to document the results in the security plan, and to have the categorization reviewed and approved by the authorizing official. This categorization sets the foundation for determining the appropriate security controls and safeguards needed to protect these systems and the information they handle.

  • Risk Assessment (RA-3)- Main Control

    The Risk Assessment control (RA-3) is a fundamental component of the Risk Assessment family within the NIST 800-53 framework. RA-3 requires the organization to conduct risk assessments that consider the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system and its information, to document and review the results, and to update the assessment at an organization-defined frequency and whenever significant changes to the system or its environment occur.

  • Risk Assessment | Supply Chain Risk Assessment (RA-3(1))

    The Supply Chain Risk Assessment enhancement (RA-3(1)) extends the Risk Assessment control within the NIST 800-53 framework. It requires the organization to assess supply chain risks associated with organization-defined systems, components, and services, and to update the assessment at an organization-defined frequency and when changes to the system, its environment, or the supply chain occur, since vendors, software dependencies, and service providers can introduce vulnerabilities and threats the organization does not directly control.

  • Vulnerability Monitoring and Scanning (RA-5)- Main Control

    The Vulnerability Monitoring and Scanning control (RA-5) is a crucial component of the Risk Assessment family within the NIST 800-53 framework. RA-5 requires the organization to monitor and scan for vulnerabilities in the system and hosted applications at an organization-defined frequency and whenever new vulnerabilities potentially affecting the system are identified and reported; to use tools and techniques based on interoperable standards (for example CVE identifiers and CVSS scores); to analyze scan reports and results from control assessments; to remediate legitimate vulnerabilities within organization-defined response times according to risk; and to share information from the process with other relevant system owners.

  • Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned (RA-5(2))

    The Update Vulnerabilities to Be Scanned (RA-5(2)) subcontrol is a vital component of the NIST 800-53 Risk Assessment control family. It requires that the system vulnerabilities to be scanned be updated prior to a new scan, at an organization-defined frequency, or when new vulnerabilities are identified and reported. In practice this means keeping the scanner's plugin or signature feed current; a scan run against a stale feed reports a clean result for every vulnerability published since the feed was last updated.

  • Vulnerability Monitoring and Scanning | Discoverable Information (RA-5(4))

    The Discoverable Information (RA-5(4)) subcontrol is a crucial component of the NIST 800-53 Risk Assessment control family. It requires the organization to determine what information about the system is discoverable by adversaries (for example through public DNS records, certificate transparency logs, search engines, public code repositories, and external port scans) and to take organization-defined corrective actions, such as removing the information or adjusting configurations, to reduce what an attacker can learn during reconnaissance.

  • Vulnerability Monitoring and Scanning | Privileged Access (RA-5(5))

    The Privileged Access (RA-5(5)) subcontrol is a critical component of the NIST 800-53 Risk Assessment control family. It requires the system to implement privileged access authorization to organization-defined system components for organization-defined vulnerability scanning activities. In other words, scanners are given credentialed (authenticated) access so they can enumerate installed software, patch levels, and configurations from inside the host, which finds far more than an unauthenticated network scan; the scanning credentials themselves then become a privileged account that must be scoped, protected, and monitored.

  • Vulnerability Monitoring and Scanning | Public Disclosure Program (RA-5(11))

    The Public Disclosure Program (RA-5(11)) subcontrol is an essential component of the NIST 800-53 Risk Assessment control family. It requires the organization to establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components, so that external researchers and members of the public who find a flaw have a sanctioned way to report it rather than discarding the finding or disclosing it elsewhere. A typical implementation is a vulnerability disclosure policy backed by a published contact, commonly advertised through a security.txt file (RFC 9116).
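
    As an added example of one concrete piece of a public reporting channel (written for this page; it is not NIST text and not a reference implementation of RFC 9116): a validator for the `/.well-known/security.txt` file that advertises how to report, checking the rules most often broken: a missing or non-URI Contact, `http://` where `https://` is required, a missing, duplicated or past Expires, and a duplicated Preferred-Languages. The two sample files and the audit date are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Report is the outcome of checking one security.txt body.
type Report struct {
	Contacts []string
	Expires  time.Time
	Problems []string
}

// uriFields are the RFC 9116 fields whose values are URIs; a web URI among them must use https.
var uriFields = map[string]bool{"contact": true, "canonical": true, "encryption": true,
	"policy": true, "acknowledgments": true, "hiring": true}

// Validate checks a security.txt body against the RFC 9116 rules that matter most for a
// disclosure programme: a researcher must find a working https or mailto contact, and the
// file must not be stale. Field names are case-insensitive; comment lines start with #.
func Validate(body string, now time.Time) Report {
	var r Report
	count := map[string]int{}
	note := func(p string) { r.Problems = append(r.Problems, p) }
	for _, raw := range strings.Split(body, "\n") {
		line := strings.TrimRight(raw, "\r")
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, value, ok := strings.Cut(line, ":")
		if !ok {
			note("malformed line: " + line)
			continue
		}
		name, value = strings.ToLower(strings.TrimSpace(name)), strings.TrimSpace(value)
		count[name]++
		if uriFields[name] && strings.HasPrefix(strings.ToLower(value), "http://") {
			note(name + " uses http://; web URIs in security.txt must be https://: " + value)
		}
		switch name {
		case "contact":
			r.Contacts = append(r.Contacts, value)
			if !strings.Contains(value, ":") {
				note("Contact must be a URI such as mailto:, tel: or https://: " + value)
			}
		case "expires":
			t, err := time.Parse(time.RFC3339, value)
			if err != nil {
				note("Expires is not an RFC 3339 timestamp: " + value)
				continue
			}
			r.Expires = t
			if !t.After(now) {
				note("file has expired: " + value)
			} else if t.Sub(now) > 365*24*time.Hour {
				note("Expires is more than a year away; RFC 9116 says it should be less")
			}
		}
	}
	if count["contact"] == 0 {
		note("no Contact field (required)")
	}
	if count["expires"] != 1 {
		note(fmt.Sprintf("Expires must appear exactly once (found %d)", count["expires"]))
	}
	if count["preferred-languages"] > 1 {
		note("Preferred-Languages must not appear more than once")
	}
	return r
}

// Constructed sample files, not fetched from any real site.
const goodTxt = `# Vulnerability disclosure programme
Contact: mailto:security@example.org
Contact: https://example.org/.well-known/report
Expires: 2024-12-31T00:00:00Z
Preferred-Languages: en, de
Policy: https://example.org/security-policy
`

const badTxt = `Contact: security@example.org
Contact: http://example.org/report
Expires: 2020-01-01T00:00:00Z
Policy: http://example.org/policy
Preferred-Languages: en
Preferred-Languages: fr
`

func main() {
	auditDate := time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC) // assumed date of the check
	for _, sample := range []struct{ label, body string }{{"good", goodTxt}, {"bad", badTxt}} {
		r := Validate(sample.body, auditDate)
		fmt.Printf("%s: contacts=%v problems=%d\n", sample.label, r.Contacts, len(r.Problems))
		for _, p := range r.Problems {
			fmt.Println("  -", p)
		}
	}
}
```

    Expires matters more than it looks: researchers treat an expired file as an abandoned programme, and RFC 9116 asks that the value be under a year away so the file is re-checked regularly. The validator is deliberately strict about `http://`, since a cleartext contact URL invites an on-path attacker to redirect vulnerability reports.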

  • Risk Response (RA-7)- Main Control

    The Risk Response (RA-7) control is a pivotal component of the NIST 800-53 Risk Assessment control family. It focuses on defining and implementing an effective strategy for responding to identified risks and vulnerabilities within an organization's information systems and operations. This control ensures that risks are addressed promptly and efficiently to protect critical assets and data.

  • Criticality Analysis (RA-9)- Main Control

    The Criticality Analysis (RA-9) control is a crucial component of the NIST 800-53 Risk Assessment control family. This control requires the organization to identify critical system components and functions by performing a criticality analysis for organization-defined systems, components, or services at organization-defined decision points in the system development life cycle. By understanding criticality, organizations can prioritize resources and efforts to protect their most essential components effectively.

The Personnel Security control family is designed to address the security aspects associated with the individuals who have access to information systems and the information processed by those systems. The objective is to ensure that individuals are trustworthy, adequately trained, and aware of their security responsibilities. Effective personnel security controls contribute to the overall protection of information systems and help prevent insider threats, unauthorized access, and other security risks associated with personnel actions.

  • Policy and Procedures (PS-1)- Main Control

    Control PS-1, "Policy and Procedures," is part of the Personnel Security family in NIST 800-53. This control emphasizes the establishment of clear and comprehensive policies and procedures that guide the organization's personnel security practices. By defining a structured framework for personnel security, organizations can mitigate risks associated with insider threats, unauthorized access, and other vulnerabilities stemming from human interactions.

  • Position Risk Designation (PS-2)- Main Control

    Control PS-2, "Position Risk Designation," is a critical component of the Personnel Security family in NIST 800-53. This control emphasizes the importance of assigning a risk designation to each organizational position, establishing screening criteria for individuals filling those positions, and reviewing the designations at an organization-defined frequency, so that the level of screening and the access privileges granted match the sensitivity of the information and systems the individuals in those positions handle.

  • Personnel Screening (PS-3)- Main Control

    Control PS-3, "Personnel Screening," is a vital aspect of the Personnel Security family in NIST 800-53. This control underscores the significance of implementing a thorough and consistent personnel screening process to evaluate the background, trustworthiness, and suitability of individuals before granting them access to sensitive information, systems, and facilities, and of rescreening them according to organization-defined conditions and frequency.

  • Personnel Termination (PS-4)- Main Control

    Control PS-4, "Personnel Termination," is a crucial component of the Personnel Security family in NIST 800-53. This control emphasizes the need for effective processes to manage an individual's departure from the organization: disabling system access within an organization-defined time period, terminating or revoking authenticators and credentials, conducting exit interviews, retrieving security-related organizational property, and retaining access to the organizational information and systems the individual formerly controlled, so that departure does not become an opportunity for unauthorized access or data loss.

  • Personnel Termination | Automated Actions (PS-4(2))

    Control PS-4(2), "Personnel Termination | Automated Actions," is a specific aspect of the Personnel Security family in NIST 800-53. This subcontrol focuses on the implementation of automated actions to ensure swift and accurate handling of personnel terminations, including the revocation of access privileges and retrieval of organizational assets.

  • Personnel Transfer (PS-5)- Main Control

    Control PS-5, "Personnel Transfer," is an integral aspect of the Personnel Security family in NIST 800-53. This control emphasizes the need for a well-defined process to manage the transfer of personnel within the organization so that access privileges and security measures are appropriately updated to align with their new roles and responsibilities, and privileges from the former role that are no longer needed are removed rather than accumulated.

  • Access Agreements (PS-6)- Main Control

    Control PS-6, "Access Agreements," is a crucial aspect of the Personnel Security family in NIST 800-53. This control emphasizes the importance of formalizing access agreements (such as nondisclosure, acceptable use, and rules-of-behavior agreements) with personnel before they are granted access to sensitive resources, of reviewing and updating the agreements at an organization-defined frequency, and of ensuring that individuals understand their security responsibilities and obligations.

  • External Personnel Security (PS-7)- Main Control

    Control PS-7, "External Personnel Security," is a critical component of the Personnel Security family in NIST 800-53. This control addresses the need for organizations to establish personnel security requirements for external providers, to require those providers to comply with the organization's personnel security policies, to document the requirements, and to be notified of transfers or terminations of external personnel (such as contractors, consultants, and temporary workers) who hold access to organizational resources, systems, or facilities.

  • Personnel Sanctions (PS-8)- Main Control

    Control PS-8, "Personnel Sanctions," is a pivotal element of the Personnel Security family in NIST 800-53. This control emphasizes the importance of employing a formal sanctions process for individuals who fail to comply with security and privacy policies and procedures, and of notifying designated personnel when a sanction is initiated, so that violations of policy have defined and consistently applied consequences.

  • Position Descriptions (PS-9)- Main Control

    Control PS-9, "Position Descriptions," is a vital aspect of the Personnel Security family in NIST 800-53. This control highlights the importance of incorporating security and privacy roles and responsibilities into organizational position descriptions, so that each role's expectations are explicit before an individual is hired into it.

The Planning control family focuses on establishing and implementing the planning processes that guide an organization's information security and privacy program: the system security and privacy plans, the rules of behavior for system users, the security and privacy architectures, and the selection and tailoring of control baselines. The goal is to ensure that security and privacy are integrated into the organization's planning and decision-making processes rather than added afterwards.

  • Policy and Procedures (PL-1)- Main Control

    Control PL-1 focuses on establishing and maintaining policies and procedures that guide the planning, implementation, and management of security controls within an organization. This control ensures a structured approach to achieving security objectives.

  • System Security and Privacy Plans (PL-2)- Main Control

    Control PL-2 focuses on creating and maintaining comprehensive system security and privacy plans that outline the organization's approach to protecting information systems and the privacy of individuals. This control ensures that security and privacy considerations are integrated from the planning stages.

  • Rules of Behavior (PL-4)- Main Control

    Control PL-4 focuses on establishing and disseminating rules of behavior that define acceptable and expected behavior for individuals accessing and using organizational information systems, and on obtaining each user's acknowledgment of those rules before granting access. These rules help promote proper security practices and reduce the risk of unauthorized actions.

  • Rules of Behavior | Social Media and External Site/application Usage Restrictions (PL-4(1))

    Subcontrol PL-4(1) focuses specifically on establishing rules of behavior that address the usage of social media platforms and external websites/applications by individuals who have access to organizational information systems. These rules aim to mitigate risks associated with inappropriate use of external online resources.

  • Security and Privacy Architectures (PL-8)- Main Control

    Control PL-8 emphasizes the development of security and privacy architectures for the system that describe the requirements and approach for protecting the confidentiality, integrity, and availability of organizational information, how the architecture is integrated into the enterprise architecture, and any assumptions about and dependencies on external services. These architectures provide a structured framework for integrating security and privacy controls into the design, development, and implementation of systems.

  • Baseline Selection (PL-10)- Main Control

    Control PL-10 focuses on selecting an appropriate control baseline for the system. A control baseline is the starting set of controls (for NIST 800-53, the low, moderate, or high baseline matched to the system's security categorization) from which the final, tailored set of controls for the system is derived, ensuring a consistent starting level of protection for systems of similar impact.

  • Baseline Tailoring (PL-11)- Main Control

    Control PL-11 emphasizes tailoring the selected control baseline to the specific requirements and characteristics of the system: adding, removing, or adjusting controls and assigning values to organization-defined parameters, with the tailoring decisions and their rationale documented in the system security plan. Tailoring ensures that controls are relevant, effective, and appropriate for the unique risks and operational needs of each system.

The Physical and Environmental Protection control family addresses the safeguarding of information systems, equipment, and facilities from various physical threats and environmental hazards. The goal is to ensure the continued availability, integrity, and confidentiality of information and the supporting infrastructure. These controls encompass a range of protective measures, from controlling access to facilities to implementing safeguards against environmental risks such as fire, flood, and power failures. By implementing effective physical and environmental protection controls, organizations can enhance the resilience of their information systems against both intentional and unintentional physical threats.

  • Policy and Procedures (PE-1)- Main Control

    Control PE-1 addresses the establishment of policies and procedures for the physical and environmental protection of an organization's facilities, resources, and information systems. This control ensures that proper measures are in place to safeguard against physical threats and environmental hazards.

  • Physical Access Authorizations (PE-2)- Main Control

    Control PE-2 addresses the need to establish and enforce physical access authorizations to prevent unauthorized individuals from gaining access to an organization's facilities and information systems. This control ensures that only authorized personnel can enter secure areas.

  • Physical Access Control (PE-3)- Main Control

    Control PE-3 addresses the implementation of access controls to prevent unauthorized physical access to an organization's facilities, resources, and information systems. This control ensures that only authorized individuals can enter secure areas.

  • Physical Access Control | System Access (PE-3(1))

    Subcontrol PE-3(1) focuses on implementing access controls that prevent unauthorized individuals from gaining physical access to an organization's information systems. This subcontrol ensures that only authorized personnel can physically interact with sensitive systems and devices.

  • Access Control for Transmission (PE-4)- Main Control

    Control PE-4 addresses the need to control physical access to the system distribution and transmission lines within organizational facilities (network cabling, wiring closets, patch panels, and similar infrastructure) using organization-defined security controls such as locked enclosures, protective conduit, and periodic inspection. The aim is to prevent eavesdropping, in-transit modification, disruption, or physical damage to the lines, which encryption of the traffic alone does not address.

  • Access Control for Output Devices (PE-5)- Main Control

    Control PE-5 focuses on implementing access controls for output devices to protect the confidentiality, integrity, and availability of information being printed, displayed, or otherwise produced. This control ensures that only authorized individuals can access and interact with output devices.

  • Monitoring Physical Access (PE-6)- Main Control

    Control PE-6 focuses on monitoring and logging physical access to facilities and secure areas. This control ensures that activities related to physical access are recorded, analyzed, and reviewed to detect and respond to unauthorized or suspicious activities.

  • Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment (PE-6(1))

    Subcontrol PE-6(1) focuses on employing intrusion alarms and surveillance equipment to monitor and detect unauthorized physical access to facilities and sensitive areas. This subcontrol enhances the ability to promptly identify security breaches.

  • Monitoring Physical Access | Monitoring Physical Access to Systems (PE-6(4))

    Subcontrol PE-6(4) focuses on monitoring and recording physical access to information systems and computing devices. This subcontrol ensures that access events to systems are tracked and analyzed to detect and respond to unauthorized or suspicious activities.

  • Visitor Access Records (PE-8)- Main Control

    Control PE-8 focuses on establishing procedures for creating and maintaining records of visitor access to an organization's facilities. This control ensures that accurate and complete records are kept to track visitors' activities and access history.

  • Visitor Access Records | Automated Records Maintenance and Review (PE-8(1))

    Subcontrol PE-8(1) focuses on implementing automated systems for maintaining and reviewing visitor access records. This subcontrol enhances the efficiency and accuracy of recordkeeping, facilitating timely audits and accountability.

  • Power Equipment and Cabling (PE-9)- Main Control

    Control PE-9 focuses on implementing security measures to protect power equipment and cabling that support information systems and facilities. This control ensures the integrity and availability of power sources to prevent disruptions.

  • Emergency Shutoff (PE-10)- Main Control

    Control PE-10 focuses on implementing emergency shutoff mechanisms to quickly and safely deactivate power equipment and systems in case of emergencies. This control enhances the ability to respond to critical situations and prevent further damage.

  • Emergency Power (PE-11)- Main Control

    Control PE-11 focuses on establishing mechanisms to provide emergency power sources for critical information systems and facilities. This control ensures that essential operations can continue during power outages and disruptions.

  • Emergency Power | Alternate Power Supply — Minimal Operational Capability (PE-11(1))

    Subcontrol PE-11(1) focuses on ensuring that critical information systems and facilities have alternate power supplies that provide minimal operational capability during power outages. This subcontrol enhances the ability to maintain essential operations during disruptions.

  • Emergency Lighting (PE-12)- Main Control

    Control PE-12 focuses on implementing emergency lighting systems to provide illumination during power outages and disruptions. This control enhances the safety and usability of critical information systems and facilities during emergencies.

  • Fire Protection (PE-13)- Main Control

    Control PE-13 focuses on implementing fire protection measures to prevent, detect, and respond to fires within information systems and facilities. This control safeguards critical assets and helps prevent damage and disruption.

  • Fire Protection | Detection Systems — Automatic Activation and Notification (PE-13(1))

    Subcontrol PE-13(1) focuses on implementing automatic fire detection systems that activate promptly upon detecting a fire and provide timely notifications to relevant personnel. This subcontrol enhances the ability to detect fires early and initiate rapid responses.

  • Fire Protection | Suppression Systems — Automatic Activation and Notification (PE-13(2))

    Subcontrol PE-13(2) focuses on implementing automatic fire suppression systems that activate promptly upon detecting a fire and provide notifications to relevant personnel. This subcontrol enhances the ability to quickly suppress fires and mitigate their impact.

  • Environmental Controls (PE-14)- Main Control

    Control PE-14 requires the organization to maintain environmental conditions in the facility where the system operates (temperature, humidity and, where relevant, pressure and radiation) within defined acceptable levels, and to monitor those levels at a defined frequency. Equipment failures and data loss caused by an uncontrolled environment are thereby prevented or detected early.

  • Water Damage Protection (PE-15)- Main Control

    Control PE-15 focuses on implementing measures to prevent and mitigate water damage to information systems and equipment. This control safeguards against water-related incidents that can lead to equipment malfunction, data loss, and operational disruption.

  • Water Damage Protection | Automation Support (PE-15(1))

    Subcontrol PE-15(1) requires automated mechanisms that detect the presence of water near the system and alert designated personnel, so that a leak is caught before it reaches equipment rather than discovered after the damage is done.

  • Delivery and Removal (PE-16)- Main Control

    Control PE-16 requires the organization to authorize and control defined types of system components entering and exiting the facility, and to maintain records of those movements. The records give a basis for detecting unauthorized removal, substitution, or tampering of equipment in transit.

  • Alternate Work Site (PE-17)- Main Control

    Control PE-17 requires the organization to determine and document its alternate work sites, apply defined controls at those sites, assess the effectiveness of those controls, and give employees a way to reach security personnel if an incident occurs while they are working there. Systems thus remain protected even when operated outside the primary facility.

  • Location of System Components (PE-18)- Main Control

    Control PE-18 requires system components to be positioned within the facility so as to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. This control protects the integrity and availability of the system.

The Media Protection control family is designed to safeguard system media from unauthorized access, disclosure, alteration, destruction, and theft. In NIST 800-53 terms, media covers both digital media (hard drives, tapes, flash drives, optical discs, and other storage devices) and non-digital media (paper, microfilm). Media protection measures preserve the confidentiality and integrity of the information stored on media throughout its lifecycle, from marking and storage through transport, sanitization, and disposal.

  • Policy and Procedures (MP-1)- Main Control

    The MP-1 control within NIST Special Publication 800-53 focuses on the establishment and implementation of policies and procedures to ensure the proper protection of media containing sensitive information. This control aims to prevent unauthorized access, disclosure, and loss of information stored on any type of media, digital or non-digital.

  • Media Access (MP-2)- Main Control

    The MP-2 control within NIST Special Publication 800-53 focuses on controlling access to media that contain sensitive information. Access to defined types of digital and non-digital media is restricted to authorized personnel or roles, reducing the risk of unauthorized disclosure, loss, or compromise of the information stored on the media.

  • Media Marking (MP-3)- Main Control

    The Media Marking (MP-3) control within NIST Special Publication 800-53 focuses on implementing proper marking procedures for media containing sensitive information. Media are marked to indicate the distribution limitations, handling caveats, and applicable security markings of the information they hold; defined types of media may be exempted from marking as long as they remain within designated controlled areas.

  • Media Storage (MP-4)- Main Control

    The Media Storage (MP-4) control within NIST Special Publication 800-53 focuses on implementing proper security measures for storing media containing sensitive information. Media are physically controlled and securely stored within controlled areas, and protected until they are destroyed or sanitized using approved equipment, techniques, and procedures.

  • Media Transport (MP-5)- Main Control

    Control MP-5, part of the Media Protection family within NIST 800-53, addresses the secure transport of media containing sensitive information outside controlled areas. Media in transit are protected and controlled, accountability is maintained, transport activities are documented, and transport is restricted to authorized personnel, guarding against unauthorized access, tampering, or theft along the way.

  • Media Sanitization (MP-6)- Main Control

    Control MP-6 addresses the proper sanitization of media prior to disposal, release out of organizational control, or release for reuse, using techniques and procedures commensurate with the security category of the information. This control prevents unauthorized disclosure of information that may still reside on media after its primary use, since deleting files or reformatting does not remove the underlying data.

  • Media Sanitization | Review, Approve, Track, Document, and Verify (MP-6(1))

    Subcontrol MP-6(1) focuses on establishing a comprehensive process for reviewing, approving, tracking, documenting, and verifying media sanitization activities. This subcontrol ensures that media sanitization is carried out systematically and effectively, with proper oversight and accountability.

  • Media Sanitization | Equipment Testing (MP-6(2))

    Subcontrol MP-6(2) requires that sanitization equipment and procedures be tested at a defined frequency to confirm that the intended sanitization is actually being achieved. A degausser whose field has weakened, or a wipe procedure that silently skips remapped sectors, leaves data recoverable while the paperwork says otherwise.

  • Media Sanitization | Nondestructive Techniques (MP-6(3))

    Subcontrol MP-6(3) requires nondestructive sanitization techniques to be applied to portable storage devices before such devices are connected to the system under defined circumstances, for example when a device is of unknown origin or has been outside organizational control. This limits the chance of malicious code entering the system through removable media while keeping the device usable.

  • Media Use (MP-7)- Main Control

    Control MP-7 addresses the use of media on organizational systems. The organization restricts or prohibits defined types of media on defined systems or components using defined controls, and prohibits the use of portable storage devices that have no identifiable owner. This reduces the risk of data exfiltration and of malicious code introduced through untracked removable media.

The Incident Response control family is designed to help organizations develop, implement, and maintain an organized and effective approach to managing and mitigating information security incidents. An incident response capability enables organizations to detect, respond to, and recover from incidents in a manner that minimizes damage, reduces recovery time, and mitigates the potential impact on information systems and data.

  • Policy and Procedures (IR-1)- Main Control

    The Incident Response Policy and Procedures (IR-1) control is a main control within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing and implementing an organization-wide incident response policy and associated procedures. The control aims to ensure that the organization has a clear framework for detecting, responding to, and mitigating cybersecurity incidents effectively and efficiently.

  • Incident Response Training (IR-2)- Main Control

    The Incident Response Training (IR-2) control is a main control within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on providing training to personnel involved in incident response activities. The control aims to ensure that individuals are equipped with the necessary knowledge and skills to effectively respond to cybersecurity incidents and mitigate their impact.

  • Incident Response Training | Simulated Events (IR-2(1))

    The Incident Response Training | Simulated Events (IR-2(1)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on providing incident response personnel with training through simulated events that replicate real-world cybersecurity incidents. The control aims to enhance the practical skills and decision-making abilities of responders by exposing them to realistic scenarios.

  • Incident Response Training | Automated Training Environments (IR-2(2))

    The Incident Response Training | Automated Training Environments (IR-2(2)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on providing incident response personnel with training through automated environments that simulate cybersecurity incidents. The control aims to enhance responders' technical skills and familiarity with incident response tools and technologies.

  • Incident Response Testing (IR-3)- Main Control

    The Incident Response Testing (IR-3) control is a fundamental requirement within the Incident Response family of controls as outlined in NIST Special Publication 800-53. This control focuses on establishing and implementing a comprehensive incident response testing program that allows organizations to assess the effectiveness of their incident response procedures, plans, and capabilities through regular testing and exercises.

  • Incident Response Testing | Coordination with Related Plans (IR-3(2))

    The Incident Response Testing | Coordination with Related Plans (IR-3(2)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of coordinating incident response testing

  • Incident Handling (IR-4)- Main Control

    The Incident Handling (IR-4) control is a central component of the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing and maintaining a robust incident handling capability to effectively detect, respond to, and mitigate security incidents within an organization.

  • Incident Handling | Automated Incident Handling Processes (IR-4(1))

    The Incident Handling | Automated Incident Handling Processes (IR-4(1)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the use of automation to streamline incident handling processes, ensuring efficient detection, response, and mitigation of security incidents.

  • Incident Handling | Information Correlation (IR-4(4))

    The Incident Handling | Information Correlation (IR-4(4)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control requires the organization to correlate incident information and individual incident responses across sources and organizational units in order to achieve an organization-wide perspective on incident awareness and response, rather than treating each source's view of an incident in isolation.
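As an added example (not part of the original page or of NIST 800-53), the following correlates events from two sources that neither shows on its own: an SSH brute force that succeeds, followed by an outbound connection from the compromised host. The log lines, the regular expressions, and the names `parse_logs` and `correlate` are constructed for this illustration.

```python
"""Event correlation across two log sources (added example).

The auth and firewall logs below are constructed sample data, not records from
any real system; the rule (brute force, then success, then an outbound
connection from the victim) is illustrative, not an 800-53 procedure.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: an SSH brute force against 10.0.0.5 that succeeds,
# after which the victim opens an outbound connection to an external host.
AUTH_LOG = """\
2024-03-01T10:00:01Z host=10.0.0.5 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03Z host=10.0.0.5 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05Z host=10.0.0.5 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:09Z host=10.0.0.5 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:12:00Z host=10.0.0.6 sshd: Accepted password for alice from 198.51.100.4
"""

FIREWALL_LOG = """\
2024-03-01T10:00:40Z fw: ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22 dir=in
2024-03-01T10:01:10Z fw: ALLOW src=10.0.0.5 dst=203.0.113.9 dport=4444 dir=out
2024-03-01T10:30:00Z fw: ALLOW src=10.0.0.5 dst=198.51.100.4 dport=443 dir=out
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
    r"password for (?P<user>\S+) from (?P<src>\S+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw: ALLOW src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) dir=(?P<dir>in|out)$"
)


@dataclass
class Event:
    ts: datetime
    source: str      # "auth" or "fw": which log the event came from
    fields: dict


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_logs(auth_text: str, fw_text: str) -> list:
    """Normalize both sources into one time-ordered event stream."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(Event(parse_ts(m["ts"]), "auth", m.groupdict()))
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append(Event(parse_ts(m["ts"]), "fw", m.groupdict()))
    events.sort(key=lambda e: e.ts)
    return events


def correlate(events: list, min_failures: int = 3,
              window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when a source IP logs >= min_failures failures and then a success
    within `window`, and the victim host then connects outbound within
    `window` of that success. Neither log alone shows this picture."""
    failures = {}       # source IP -> timestamps of failed logins
    alerts = []
    for e in events:
        if e.source != "auth":
            continue
        src, host = e.fields["src"], e.fields["host"]
        if e.fields["outcome"] == "Failed":
            failures.setdefault(src, []).append(e.ts)
            continue
        recent = [t for t in failures.get(src, []) if e.ts - t <= window]
        if len(recent) < min_failures:
            continue
        for f in events:
            if (f.source == "fw" and f.fields["dir"] == "out"
                    and f.fields["src"] == host
                    and e.ts <= f.ts <= e.ts + window):
                alerts.append({
                    "attacker": src, "victim": host, "user": e.fields["user"],
                    "login_at": e.ts, "outbound_to": f.fields["dst"],
                    "outbound_port": int(f.fields["dport"]),
                    "failures": len(recent),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_logs(AUTH_LOG, FIREWALL_LOG)):
        print(alert)
```

The second successful login (alice from 198.51.100.4) produces no alert because it has no preceding failures, and the victim's 10:30 connection to 198.51.100.4 is ignored because it falls outside the five-minute window; the thresholds are deliberately parameters, since the right values depend on the environment.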

  • Incident Handling | Integrated Incident Response Team (IR-4(11))

    The Incident Handling | Integrated Incident Response Team (IR-4(11)) control is a subcontrol within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control requires the organization to establish and maintain an integrated incident response team, combining forensic and malware analysts, tool developers, and real-time operations personnel, that can be deployed to any organization-identified location within a defined time period.

  • Incident Monitoring (IR-5)- Main Control

    The Incident Monitoring (IR-5) control is a main control within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control requires the organization to track and document system security incidents, maintaining records of the status, events, and response actions for each incident so that the organization's incident picture is complete and can be reported on.

  • Incident Monitoring | Automated Tracking, Data Collection, and Analysis (IR-5(1))

    The Incident Monitoring | Automated Tracking, Data Collection, and Analysis (IR-5(1)) control is a subcontrol of IR-5 within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control requires automated mechanisms for tracking incidents and for collecting and analyzing incident information, rather than relying on manual record keeping.

  • Incident Reporting (IR-6)- Main Control

    The Incident Reporting (IR-6) control is part of the Incident Response family of controls in NIST Special Publication 800-53. This control requires personnel to report suspected incidents to the organizational incident response capability within a defined time period, and the organization to report incident information to designated authorities.

  • Incident Reporting | Automated Reporting (IR-6(1))

    The Incident Reporting | Automated Reporting (IR-6(1)) control is a subcontrol of the Incident Reporting control (IR-6) within the Incident Response family of controls in NIST Special Publication 800-53. This subcontrol emphasizes the need for organizations to implement automated mechanisms for incident reporting to expedite the reporting process and ensure timely response.

  • Incident Reporting | Supply Chain Coordination (IR-6(3))

    The Incident Reporting | Supply Chain Coordination (IR-6(3)) control is a subcontrol of the Incident Reporting control (IR-6) within the Incident Response family of controls in NIST Special Publication 800-53. This subcontrol emphasizes the importance of coordinating incident reporting and response efforts with supply chain partners to address potential threats and vulnerabilities.

  • Incident Response Assistance (IR-7)- Main Control

    The Incident Response Assistance (IR-7) control is part of the Incident Response family of controls in NIST Special Publication 800-53. It requires an incident response support resource, integral to the organization's own incident response capability, that offers advice and assistance to users of the system for handling and reporting incidents (a help desk or assistance group, for example).

  • Incident Response Assistance | Automation Support for Availability of Information and Support (IR-7(1))

    The Incident Response Assistance | Automation Support for Availability of Information and Support (IR-7(1)) control is a subcontrol of IR-7 within the Incident Response family of controls in NIST Special Publication 800-53. It requires automated mechanisms to increase the availability of incident response information and support, so that users can reach guidance and the support resource without depending on a particular person being on duty.

  • Incident Response Plan (IR-8)- Main Control

    The Incident Response Plan (IR-8) control is a foundational component of the Incident Response family in NIST Special Publication 800-53. It emphasizes the development, documentation, and maintenance of a comprehensive incident response plan that outlines the organization's strategies, procedures, and guidelines for addressing and mitigating various types of security incidents.

The Maintenance control family is designed to ensure that information systems are maintained in a controlled way throughout their lifecycle. Maintenance activities include repairs, replacement of failed components, scheduled servicing, the use of diagnostic and maintenance tools, and maintenance performed remotely (nonlocal maintenance); remediation of software flaws by patching is handled by SI-2 in the System and Information Integrity family. By implementing effective maintenance controls, organizations reduce the risk that maintenance personnel, tools, or remote sessions introduce unauthorized access, malicious code, or loss of organizational information, and ensure the continued reliability and security of their information systems.

  • Policy and Procedures (MA-1)- Main Control

    The MA-1 control is part of the Maintenance family in NIST Special Publication 800-53. It focuses on the development and implementation of policies and procedures to guide the maintenance of information systems and assets throughout their lifecycle.

  • Controlled Maintenance (MA-2)- Main Control

    The MA-2 control is part of the Maintenance family in NIST Special Publication 800-53. It requires maintenance and repairs to be scheduled, documented, and reviewed; maintenance activities to be approved and monitored, whether performed on site or remotely; explicit approval before equipment is removed off site for maintenance; sanitization of equipment before such removal; and a check of relevant security controls after maintenance to confirm they still function.

  • Controlled Maintenance | Automated Maintenance Activities (MA-2(2))

    The MA-2(2) control is a specific subcontrol of MA-2 in the Maintenance family of NIST Special Publication 800-53. It requires maintenance, repair, and replacement actions to be scheduled, conducted, and documented using automated mechanisms, producing up-to-date, accurate, and complete records of all maintenance performed on the system.

  • Maintenance Tools (MA-3)- Main Control

    The MA-3 control is part of the Maintenance family in NIST Special Publication 800-53. It requires the organization to approve, control, and monitor the use of maintenance tools, and to periodically review previously approved tools, so that diagnostic hardware and software brought to the system cannot be used to gain unauthorized access or introduce malicious code.

  • Maintenance Tools | Inspect Tools (MA-3(1))

    The MA-3(1) control is a subcontrol of MA-3 in NIST Special Publication 800-53. It requires the maintenance tools used by maintenance personnel to be inspected for improper or unauthorized modifications before they are used, since a modified diagnostic device is an effective way to implant malicious functionality during routine servicing.

  • Maintenance Tools | Inspect Media (MA-3(2))

    The MA-3(2) control is a subcontrol of MA-3 in NIST Special Publication 800-53. It requires media containing diagnostic and test programs (e.g., CDs, DVDs, USB drives) to be checked for malicious code before the media are used in the system.

  • Maintenance Tools | Prevent Unauthorized Removal (MA-3(3))

    The MA-3(3) control is a subcontrol of MA-3 in NIST Special Publication 800-53. It requires the organization to prevent the removal of maintenance equipment that may contain organizational information from the facility, by verifying that no organizational information is present on the equipment, sanitizing or destroying it, retaining it within the facility, or obtaining an explicit exemption from designated personnel.

  • Nonlocal Maintenance (MA-4)- Main Control

    The MA-4 control in NIST Special Publication 800-53 addresses maintenance and diagnostic activities performed over a network from a nonlocal location. It requires nonlocal maintenance to be approved and monitored, performed only with authorized tools and consistent with policy, authenticated with strong authentication, recorded, and terminated along with its network connection when the maintenance is complete, so that remote maintenance channels do not become a persistent unmonitored path into the system.

  • Nonlocal Maintenance | Comparable Security and Sanitization (MA-4(3))

    The MA-4(3) control in NIST Special Publication 800-53 addresses the security of the system from which nonlocal maintenance is performed. It requires either that nonlocal maintenance and diagnostic services be performed from a system implementing a security capability comparable to that of the system being serviced, or that the component be removed from the system, sanitized of organizational information before the service, and inspected and sanitized for potentially malicious software before being reconnected afterwards.

  • Maintenance Personnel (MA-5)- Main Control

    The MA-5 control in NIST Special Publication 800-53 addresses the authorization of personnel who perform maintenance on the system. It requires a process for authorizing maintenance personnel and a current list of authorized maintenance organizations and individuals, verification that unescorted maintenance personnel hold the required access authorizations, and designated organizational personnel with appropriate access to supervise maintenance performed by those who do not.

  • Maintenance Personnel | Individuals Without Appropriate Access (MA-5(1))

    The MA-5(1) control under NIST Special Publication 800-53 addresses maintenance by individuals who lack the appropriate access authorizations or security clearances. It requires procedures under which such personnel are escorted and supervised by approved organizational personnel with the proper authorizations, and under which system components are sanitized of all information that the maintenance personnel are not authorized to see before maintenance begins, or the component is removed and replaced if sanitization is not possible.

  • Timely Maintenance (MA-6)- Main Control

    The MA-6 control under NIST Special Publication 800-53 requires the organization to obtain maintenance support and/or spare parts for defined system components within a defined time period after a failure. Timely maintenance in this sense keeps a hardware or component failure from turning into an extended loss of availability.

The Identification and Authentication control family is designed to ensure that only authorized individuals and entities are granted access to information systems. This is achieved through the unique identification of users and the authentication of their claimed identities before allowing access. By implementing strong identification and authentication controls, organizations can enhance the security of their information systems, protect sensitive data, and prevent unauthorized access.

  • Policy and Procedures (IA-1)- Main Control

    The Identification and Authentication | Policy and Procedures control (IA-1) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control underscores the importance of establishing clear policies and procedures for managing user identification and authentication within an organization. The control aims to ensure consistent and secure access to systems and data by authorized personnel.

  • Identification and Authentication (organizational Users) (IA-2)- Main Control

    The Identification and Authentication (organizational Users) control (IA-2) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires organizations to uniquely identify and authenticate organizational users, and the processes acting on their behalf, before granting access to systems. The control aims to ensure that only authorized personnel can access sensitive systems and data.

  • Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts (IA-2(1))

    The Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts control (IA-2(1)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the necessity of implementing multi-factor authentication (MFA) for accessing privileged accounts within an organization. The control aims to enhance security by requiring an additional layer of authentication for accounts with elevated access privileges.

  • Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts (IA-2(2))

    The Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts control (IA-2(2)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control underscores the importance of implementing multi-factor authentication (MFA) for accessing non-privileged accounts within an organization. The control aims to enhance security by adding an additional layer of authentication for accounts with standard access privileges.

  • Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication (IA-2(5))

    The Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication control (IA-2(5)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control emphasizes the need to implement individual authentication for users even when group authentication is used. The control aims to enhance security by ensuring that each user's identity is verified, even within authenticated groups.

  • Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant (IA-2(8))

    The Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant control (IA-2(8)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. It requires replay-resistant authentication mechanisms for access to accounts: an authentication process is replay resistant when recording a previous authentication exchange and sending it again does not yield a successful authentication. Replay-resistant techniques include protocols that use nonces or challenges, such as time-synchronous or challenge-response one-time authenticators; a static password sent over the wire is the opposite case, since whoever captures it can present it again.
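As an added example (not from the original page or from NIST), the following contrasts a replayable static credential with a single-use challenge-response exchange. The class names `StaticPasswordServer` and `ChallengeResponseServer`, the function `client_respond`, and the shared-secret HMAC scheme are assumptions made for this illustration; real deployments use a standard protocol (FIDO2, PIV, Kerberos) rather than a hand-rolled exchange.

```python
"""Replay resistance via a single-use server challenge (added example).

The shared-secret HMAC scheme is a minimal stand-in for the challenge-response
and one-time authenticators the control discusses, not any real protocol.
"""
import hashlib
import hmac
import secrets
import time


class StaticPasswordServer:
    """The replayable baseline: whatever the client sent last time works again."""

    def __init__(self):
        self.passwords = {}

    def register(self, user: str, password: bytes) -> None:
        self.passwords[user] = password

    def verify(self, user: str, credential: bytes) -> bool:
        stored = self.passwords.get(user)
        return stored is not None and hmac.compare_digest(stored, credential)


class ChallengeResponseServer:
    """Replay resistant: every login needs a fresh nonce that is spent on use."""

    def __init__(self, nonce_ttl_seconds: float = 30.0, clock=time.monotonic):
        self.keys = {}          # user -> shared secret (provisioned out of band)
        self.pending = {}       # nonce -> (user, issued_at)
        self.nonce_ttl = nonce_ttl_seconds
        self.clock = clock      # injectable so expiry can be tested deterministically

    def register(self, user: str, secret: bytes) -> None:
        self.keys[user] = secret

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)     # unpredictable and never reused
        self.pending[nonce] = (user, self.clock())
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        # Pop first: the nonce is consumed whether or not this attempt succeeds,
        # so a captured (nonce, response) pair is useless a second time.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False
        issued_user, issued_at = entry
        if issued_user != user or self.clock() - issued_at > self.nonce_ttl:
            return False
        secret = self.keys.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret: bytes, nonce: bytes) -> bytes:
    """The legitimate client proves possession of the secret without ever
    sending the secret itself."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_against_static() -> tuple:
    server = StaticPasswordServer()
    server.register("alice", b"hunter2")
    captured = b"hunter2"                       # sniffed from the first login
    return server.verify("alice", captured), server.verify("alice", captured)


def replay_against_challenge_response() -> tuple:
    server = ChallengeResponseServer()
    secret = secrets.token_bytes(32)
    server.register("alice", secret)
    nonce = server.challenge("alice")
    response = client_respond(secret, nonce)    # attacker captures nonce + response
    first = server.verify("alice", nonce, response)
    replayed = server.verify("alice", nonce, response)
    return first, replayed


if __name__ == "__main__":
    print("static password: first, replay =", replay_against_static())
    print("challenge-response: first, replay =", replay_against_challenge_response())
```

Two details carry the property: the nonce is removed from the pending set before any check runs, so even a failed attempt burns it, and the nonce carries an expiry so an attacker cannot bank challenges for later use. Note that a channel attacker who can relay messages in real time is still not stopped by this alone; that needs channel binding or a mutually authenticated transport.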

  • Identification and Authentication (organizational Users) | Acceptance of PIV Credentials (IA-2(12))

    The Identification and Authentication (organizational Users) | Acceptance of PIV Credentials control (IA-2(12)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires the organization to accept and electronically verify Personal Identity Verification (PIV)-compliant credentials. Electronic verification, rather than visual inspection of the card, is what makes the credential a strong authenticator.

  • Device Identification and Authentication (IA-3)- Main Control

    The Device Identification and Authentication control (IA-3) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on ensuring that devices used to access organizational systems are properly identified and authenticated before being granted access. The control aims to enhance the security of systems by verifying the identities of devices attempting to connect.

  • Identifier Management (IA-4)- Main Control

    The Identifier Management control (IA-4) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on managing and controlling user and device identifiers to ensure the accurate and secure identification of individuals and devices accessing organizational systems. The control aims to enhance security by preventing unauthorized access through improper or compromised identifiers.

  • Identifier Management | Identify User Status (IA-4(4))

    The Identifier Management | Identify User Status control (IA-4(4)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires individual identifiers to be managed so that each individual is uniquely identified by a defined status characteristic, such as contractor, foreign national, or non-organizational user. Carrying that status in the identifier lets systems and people apply the access rules appropriate to it.

  • Authenticator Management (IA-5)- Main Control

    The Authenticator Management control (IA-5) is a main control within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the management of authenticators, which are credentials used to verify the identity of individuals, devices, or systems. The control aims to enhance security by ensuring the effective management and protection of authenticators to prevent unauthorized access.

  • Authenticator Management | Password-based Authentication (IA-5(1))

    The Authenticator Management | Password-based Authentication control (IA-5(1)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. Where passwords are used, the organization maintains a list of commonly used, expected, or compromised passwords and checks new and changed passwords against it; transmits passwords only over cryptographically protected channels; stores them using an approved salted key derivation function, preferably keyed; requires selection of a new password immediately after account recovery; allows long passwords and passphrases with spaces and all printable characters; and provides automated tools to help users choose strong passwords.

  • Authenticator Management | Public Key-based Authentication (IA-5(2))

    The Authenticator Management | Public Key-based Authentication control (IA-5(2)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. For public key-based authentication, the organization enforces authorized access to the corresponding private key and maps the authenticated identity to the account of the individual or group. Where PKI is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status, and a local cache of revocation data is kept so path validation still works when the revocation service is unreachable.

  • Authenticator Management | Protection of Authenticators (IA-5(6))

    The Authenticator Management | Protection of Authenticators control (IA-5(6)) is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. It requires authenticators to be protected commensurate with the security category of the information to which their use permits access: an authenticator is worth whatever it unlocks, so a key that grants access to high-impact information needs protection at that level.

  • Authentication Feedback (IA-6)- Main Control

    The Authentication Feedback (IA-6) control is part of the Identification and Authentication family of controls within NIST Special Publication 800-53. This control requires the system to obscure feedback of authentication information during the authentication process, so that the information cannot be exploited by unauthorized individuals: passwords are masked as they are typed, and error messages do not reveal which part of a credential was wrong or whether an account exists.
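As an added example serving both IA-5(1) above and IA-6 (not code from the original page or from NIST), the following stores passwords as salted, iterated hashes, rejects passwords found on a compromised list, and returns the same failure message for an unknown user and a wrong password. The names `set_password`, `authenticate`, `leaky_authenticate`, and `COMPROMISED` are assumptions for this illustration; the compromised-password set is a constructed stand-in for a real breach corpus.

```python
"""Password storage (IA-5(1)) and obscured feedback (IA-6), added example.

COMPROMISED is a constructed stand-in for a breach corpus; the iteration count
is a demo value.
"""
import hashlib
import hmac
import os

# Demo work factor. Production should follow current guidance for
# PBKDF2-HMAC-SHA256 (OWASP lists 600,000 iterations at time of writing) or
# use a memory-hard KDF such as scrypt or Argon2id.
ITERATIONS = 100_000
SALT_BYTES = 16
GENERIC_FAILURE = "Authentication failed"

# Constructed stand-in for the organization's compromised-password list.
COMPROMISED = {"password", "123456", "Winter2024!", "letmein"}


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def set_password(store: dict, user: str, password: str) -> None:
    """IA-5(1): refuse listed passwords; store only a salted, iterated hash."""
    if password in COMPROMISED:
        raise ValueError("password appears on the compromised-password list")
    salt = os.urandom(SALT_BYTES)                # unique per record
    digest = _derive(password, salt, ITERATIONS)
    store[user] = f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


# Used when the username does not exist, so the unknown-user path costs the
# same as a real verification and response time does not reveal valid names.
_DUMMY_SALT = os.urandom(SALT_BYTES)


def authenticate(store: dict, user: str, password: str) -> tuple:
    """Return (ok, message). IA-6: the message is identical for an unknown user
    and for a wrong password, so feedback does not say which part was wrong."""
    record = store.get(user)
    if record is None:
        _derive(password, _DUMMY_SALT, ITERATIONS)
        return False, GENERIC_FAILURE
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False, GENERIC_FAILURE
    computed = _derive(password, bytes.fromhex(salt_hex), int(iterations))
    if hmac.compare_digest(computed, bytes.fromhex(hash_hex)):
        return True, "OK"
    return False, GENERIC_FAILURE


def leaky_authenticate(store: dict, user: str, password: str) -> tuple:
    """The pattern IA-6 rules out, shown for contrast: distinct messages let an
    attacker enumerate valid usernames before guessing any passwords."""
    if user not in store:
        return False, "No such user"
    ok, _ = authenticate(store, user, password)
    return (True, "OK") if ok else (False, "Incorrect password")


if __name__ == "__main__":
    users = {}
    set_password(users, "alice", "correct horse battery staple")
    print(authenticate(users, "alice", "correct horse battery staple"))
    print(authenticate(users, "alice", "wrong"))
    print(authenticate(users, "mallory", "wrong"))
    print(leaky_authenticate(users, "mallory", "wrong"))
```

The per-record salt means two users with the same password get different stored values, the stored string records its own algorithm and iteration count so the work factor can be raised later without a flag day, and the dummy derivation on the unknown-user path keeps the timing side channel from undoing what the generic message achieves.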

  • Cryptographic Module Authentication (IA-7)- Main Control

    The Cryptographic Module Authentication (IA-7) control is part of the Identification and Authentication family of controls within NIST Special Publication 800-53. This control requires mechanisms for authenticating to a cryptographic module (the operator or role authentication that a validated module such as an HSM or a FIPS 140 module performs before it will use its keys) that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

  • Identification and Authentication (non-organizational Users) (IA-8)- Main Control

    The Identification and Authentication (non-organizational Users) (IA-8) control is part of the Identification and Authentication family of controls within NIST Special Publication 800-53. This control focuses on establishing identification and authentication mechanisms for non-organizational users accessing organizational systems and resources. The control aims to enhance security by ensuring that non-organizational users are appropriately identified and authenticated before gaining access.

  • Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies (IA-8(1))

    The Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies (IA-8(1)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control addresses the acceptance of Personal Identity Verification (PIV) credentials issued by other agencies for non-organizational users. The control aims to enhance interoperability and streamline access for users with PIV credentials issued by different entities.

  • Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators (IA-8(2))

    The Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators (IA-8(2)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control permits non-organizational users to authenticate with external authenticators, such as credentials from a third-party identity provider, but only those that are NIST-compliant, and requires the organization to document and maintain a list of the external authenticators it accepts.

  • Identification and Authentication (non-organizational Users) | Use of Defined Profiles (IA-8(4))

    The Identification and Authentication (non-organizational Users) | Use of Defined Profiles (IA-8(4)) control is a subcontrol within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on the use of defined authentication profiles for non-organizational users. The control aims to establish consistent and secure authentication methods based on specific user profiles.

  • Re-authentication (IA-11)- Main Control

    The Re-authentication (IA-11) control is part of the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control requires users and devices to re-authenticate under organization-defined circumstances: for example when authenticators or roles change, when the security category of the system changes, before privileged functions are executed, after a fixed time period, or periodically. Re-authentication limits how long a hijacked or unattended session can be used and requires a fresh proof of identity before sensitive actions.
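As an added example (not from the original page or from NIST), the following implements a session policy that ends idle sessions, requires a fresh authentication before privileged actions, and forces re-authentication after a role change. `SessionManager`, the action names, and the timeout values are assumptions chosen for this illustration; the clock is injectable so the walkthrough is deterministic.

```python
"""Re-authentication policy for an active session (added example).

The idle timeout, privileged-action freshness window, and action names are
assumptions, not values from the control.
"""
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before the session ends
PRIVILEGED_FRESHNESS = 5 * 60    # privileged actions need a proof of identity this recent
PRIVILEGED_ACTIONS = {"change_password", "add_admin", "export_data"}


@dataclass
class Session:
    user: str
    authenticated_at: float   # last time the user proved their identity
    last_activity: float
    role_changed: bool = False


class SessionManager:
    """authorize() answers 'allow', 'reauth', or 'expired' for each request."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}

    def login(self, session_id: str, user: str) -> None:
        now = self.clock()
        self.sessions[session_id] = Session(user, now, now)

    def reauthenticate(self, session_id: str) -> None:
        """Called only after the user has successfully re-proved identity."""
        s = self.sessions[session_id]
        s.authenticated_at = self.clock()
        s.role_changed = False

    def mark_role_change(self, session_id: str) -> None:
        """A role or authenticator change invalidates the earlier proof."""
        self.sessions[session_id].role_changed = True

    def authorize(self, session_id: str, action: str) -> str:
        s = self.sessions.get(session_id)
        if s is None:
            return "expired"
        now = self.clock()
        if now - s.last_activity > IDLE_TIMEOUT:
            del self.sessions[session_id]      # idle too long: end the session outright
            return "expired"
        s.last_activity = now
        if s.role_changed:
            return "reauth"
        if action in PRIVILEGED_ACTIONS and now - s.authenticated_at > PRIVILEGED_FRESHNESS:
            return "reauth"                    # step up before a privileged function
        return "allow"


def walkthrough() -> list:
    """Drive the policy with a fake clock so the sequence is deterministic."""
    now = [0.0]
    mgr = SessionManager(clock=lambda: now[0])
    results = []
    mgr.login("s1", "alice")
    now[0] = 100
    results.append(mgr.authorize("s1", "view_report"))       # allow
    now[0] = 400
    results.append(mgr.authorize("s1", "change_password"))   # reauth: proof is 400 s old
    mgr.reauthenticate("s1")
    now[0] = 450
    results.append(mgr.authorize("s1", "change_password"))   # allow: proof is 50 s old
    mgr.mark_role_change("s1")
    now[0] = 460
    results.append(mgr.authorize("s1", "view_report"))       # reauth: role changed
    mgr.reauthenticate("s1")
    now[0] = 460 + IDLE_TIMEOUT + 1
    results.append(mgr.authorize("s1", "view_report"))       # expired: idle too long
    results.append(mgr.authorize("s1", "view_report"))       # expired: session is gone
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The "reauth" outcome is a request to the caller to run the full authentication flow again and then call `reauthenticate`; the policy itself never refreshes `authenticated_at` on ordinary activity, which is what keeps the freshness requirement meaningful.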

  • Identity Proofing (IA-12)- Main Control

    The Identity Proofing (IA-12) control is a crucial component of the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing a reliable process for verifying the identity of individuals before granting them access to information systems or sensitive resources. The control aims to prevent unauthorized access by ensuring that only legitimate individuals are granted access privileges.

  • Identity Proofing | Identity Evidence (IA-12(2))

    The Identity Proofing | Identity Evidence (IA-12(2)) control is a specific requirement within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing procedures for collecting and verifying identity evidence during the identity proofing process. The control aims to ensure that the evidence used for verifying an individual's identity is accurate, reliable, and in compliance with established standards.

  • Identity Proofing | Identity Evidence Validation and Verification (IA-12(3))

    The Identity Proofing | Identity Evidence Validation and Verification (IA-12(3)) control is a specific requirement within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing robust procedures for validating and verifying the authenticity of identity evidence collected during the identity proofing process. The control aims to ensure that the evidence used for identity verification is accurate and reliable.

  • Identity Proofing | In-person Validation and Verification (IA-12(4))

    The Identity Proofing | In-person Validation and Verification (IA-12(4)) control is a specific requirement within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on conducting in-person validation and verification of an individual's identity during the identity proofing process. The control aims to ensure that the identity verification process is based on direct and reliable interactions with the individual seeking access.

  • Identity Proofing | Address Confirmation (IA-12(5))

    The Identity Proofing | Address Confirmation (IA-12(5)) control is a specific requirement within the Identification and Authentication family of controls outlined in NIST Special Publication 800-53. This control focuses on confirming the accuracy of an individual's address during the identity proofing process. The control aims to ensure that the address provided by the individual is valid and associated with the claimed identity.

The Contingency Planning control family is designed to help organizations prepare for and respond to disruptions in information system operations, ensuring the continued availability and integrity of critical information and services. Contingency planning involves the development, testing, and maintenance of comprehensive plans and procedures to address a range of potential incidents, including but not limited to natural disasters, technological failures, and malicious attacks. The ultimate goal is to minimize the impact of disruptions and facilitate the timely recovery of information systems and data.

  • Contingency Plan | Coordinate with Related Plans (CP-2(1))

    This subcontrol, a part of the Contingency Planning family, emphasizes the importance of coordination between an organization's contingency plan and other related plans, such as incident response plans, disaster recovery plans, and business continuity plans. Coordination ensures that all aspects of response, recovery, and continuity efforts are aligned and integrated.

  • Contingency Plan | Capacity Planning (CP-2(2))

    This subcontrol, part of the Contingency Planning family, focuses on the importance of capacity planning within the organization's contingency plan. Capacity planning ensures that sufficient resources, such as computing resources, storage, network bandwidth, and personnel, are available to support contingency operations during disruptions.

  • Contingency Plan | Resume Mission and Business Functions (CP-2(3))

    This subcontrol, part of the Contingency Planning family, emphasizes the need for organizations to include strategies and procedures in their contingency plans for resuming mission-critical and business functions after a disruption. The goal is to ensure a smooth transition from contingency operations back to normal operations.

  • Contingency Plan | Continue Mission and Business Functions (CP-2(5))

    This subcontrol, part of the Contingency Planning family, emphasizes the importance of including procedures in contingency plans that ensure the continuation of mission-critical and business functions during a disruption. The goal is to maintain essential operations without interruption, even when facing adverse events.

  • Contingency Plan | Identify Critical Assets (CP-2(8))

    This subcontrol, part of the Contingency Planning family, focuses on identifying critical assets within an organization's contingency plan. Critical assets are those resources, systems, data, and facilities that are essential for the organization's continued operation and the delivery of essential services. Identifying these critical assets ensures that they receive special attention and prioritized protection during disruptions or disasters.

  • Contingency Training (CP-3)- Main Control

    This control, part of the Contingency Planning family, focuses on providing training to personnel involved in contingency planning, response, and recovery efforts. Training ensures that individuals understand their roles and responsibilities during disruptions and can effectively execute the organization's contingency plans.

  • Contingency Training | Simulated Events (CP-3(1))

    Subcontrol CP-3(1) under the Contingency Training control focuses on conducting simulated events as part of contingency training. Simulated events are designed to replicate real-life scenarios, allowing personnel to practice their roles and responsibilities in a controlled environment.

  • Contingency Plan Testing (CP-4)- Main Control

    This control (CP-4) focuses on the testing of contingency plans to ensure their effectiveness and the readiness of personnel to respond to disruptive events. Testing involves executing different scenarios, simulating real-life incidents, and evaluating the response procedures and recovery capabilities defined in the contingency plans.

  • Contingency Plan Testing | Coordinate with Related Plans (CP-4(1))

    This subcontrol emphasizes the importance of coordinating contingency plan testing with other related plans and exercises to ensure consistency, alignment, and comprehensive readiness. Coordination enhances the organization's ability to respond effectively to disruptions and recover critical functions.

  • Policy and Procedures (CP-1)- Main Control

    This control under the Contingency Planning family (CP-1) focuses on establishing and implementing policies and procedures for effective contingency planning. Contingency planning ensures that organizations have a well-defined strategy in place to respond to and recover from unexpected disruptions or disasters that could impact their information systems and data.

  • Contingency Plan (CP-2)- Main Control

    This control under the Contingency Planning family (CP-2) focuses on the development and maintenance of a comprehensive contingency plan. A contingency plan outlines the specific actions, procedures, and resources that an organization will use to respond to and recover from unexpected disruptions or disasters that could impact its information systems and data.

  • Contingency Plan Testing | Alternate Processing Site (CP-4(2))

    This subcontrol focuses on testing the contingency plan's capability to transition to an alternate processing site in the event of a disruption. Testing the ability to relocate critical operations to an alternate site is essential to ensure the organization's continued functionality during adverse conditions.

  • Alternate Storage Site (CP-6)- Main Control

    The "Alternate Storage Site" control (CP-6) involves establishing and maintaining an alternate storage site to store and protect essential organizational information system resources and assets in the event of a disruption to the primary site.

  • Alternate Storage Site | Separation from Primary Site (CP-6(1))

    The "Separation from Primary Site" subcontrol (CP-6(1)) emphasizes the requirement for the alternate storage site to be geographically separated from the primary site to ensure that both sites are not susceptible to the same risks and disruptions.

  • Alternate Storage Site | Recovery Time and Recovery Point Objectives (CP-6(2))

    The "Recovery Time and Recovery Point Objectives" subcontrol (CP-6(2)) focuses on defining recovery time objectives (RTOs) and recovery point objectives (RPOs) for the alternate storage site to ensure timely and effective recovery of data and resources during an incident or disaster.

  • Alternate Storage Site | Accessibility (CP-6(3))

    The "Accessibility" subcontrol (CP-6(3)) focuses on ensuring that the alternate storage site is readily accessible during an incident or disaster to support the recovery of critical systems and data.

  • Alternate Processing Site (CP-7)- Main Control

    The "Alternate Processing Site" (CP-7) control focuses on establishing and maintaining a designated location where critical business functions can be performed in the event of a disruption or disaster at the primary site. This ensures continuity of operations and minimizes the impact of disruptions on an organization's essential activities.

  • Alternate Processing Site | Separation from Primary Site (CP-7(1))

    The "Separation from Primary Site" (CP-7(1)) subcontrol under the "Alternate Processing Site" control (CP-7) focuses on ensuring that the alternate processing site is sufficiently geographically separated from the primary site. This separation reduces the risk of both sites being affected by the same disruptive event.

  • Alternate Processing Site | Accessibility (CP-7(2))

    The "Accessibility" (CP-7(2)) subcontrol under the "Alternate Processing Site" control (CP-7) focuses on ensuring that the alternate processing site is readily accessible and reachable during a contingency event. Accessibility ensures that essential personnel, resources, and data can be effectively relocated to the alternate site to continue critical business operations.

  • Alternate Processing Site | Priority of Service (CP-7(3))

    The "Priority of Service" (CP-7(3)) subcontrol under the "Alternate Processing Site" control (CP-7) focuses on establishing priorities for the allocation of resources and services at the alternate processing site during a contingency event. This ensures that critical business functions are resumed with the highest priority to minimize disruptions and maintain essential operations.

  • Alternate Processing Site | Preparation for Use (CP-7(4))

    The "Preparation for Use" (CP-7(4)) subcontrol under the "Alternate Processing Site" control (CP-7) focuses on ensuring that the alternate processing site is fully prepared and ready for use during a contingency event. This includes setting up the necessary infrastructure, equipment, and resources to support the resumption of critical business functions.

  • Telecommunications Services (CP-8)- Main Control

    The "Telecommunications Services" (CP-8) control within the "Contingency Planning" (CP) family focuses on ensuring that organizations have established plans and arrangements for maintaining essential telecommunications services during and after disruptions. This control addresses the critical role of telecommunications in maintaining communication and connectivity during contingency situations.

  • Telecommunications Services | Priority of Service Provisions (CP-8(1))

    The "Priority of Service Provisions" (CP-8(1)) subcontrol is part of the "Telecommunications Services" (CP-8) control within the "Contingency Planning" (CP) family. It focuses on ensuring that organizations establish procedures for prioritizing telecommunications services during contingencies based on predefined criteria.

  • Telecommunications Services | Single Points of Failure (CP-8(2))

    The "Single Points of Failure" (CP-8(2)) subcontrol is a component of the "Telecommunications Services" (CP-8) control within the "Contingency Planning" (CP) family. It emphasizes the importance of identifying and mitigating single points of failure in telecommunications systems to ensure the availability and continuity of critical communication services during contingencies.

  • Telecommunications Services | Separation of Primary and Alternate Providers (CP-8(3))

    The "Separation of Primary and Alternate Providers" (CP-8(3)) subcontrol is a component of the "Telecommunications Services" (CP-8) control within the "Contingency Planning" (CP) family. It focuses on the importance of using different telecommunications service providers for primary and alternate communication capabilities to prevent a single point of failure in service delivery during contingencies.

  • Telecommunications Services | Provider Contingency Plan (CP-8(4))

    The "Provider Contingency Plan" (CP-8(4)) subcontrol is a component of the "Telecommunications Services" (CP-8) control within the "Contingency Planning" (CP) family. It focuses on ensuring that telecommunications service providers have their own contingency plans to address disruptions and maintain service availability in the event of incidents.

  • System Backup (CP-9)- Main Control

    The "System Backup" (CP-9) control is part of the "Contingency Planning" (CP) family within the NIST Special Publication 800-53. This control focuses on establishing and maintaining a systematic approach to backup critical system data and information to support data recovery and restoration activities in the event of a contingency or disaster.

  • System Backup | Testing for Reliability and Integrity (CP-9(1))

    The "Testing for Reliability and Integrity" (CP-9(1)) subcontrol is part of the "System Backup" (CP-9) control within the NIST Special Publication 800-53. This subcontrol emphasizes the importance of regularly testing the reliability and integrity of system backups to ensure that they can be successfully restored in the event of a contingency.

  • System Backup | Test Restoration Using Sampling (CP-9(2))

    The "Test Restoration Using Sampling" (CP-9(2)) subcontrol is a component of the "System Backup" (CP-9) control within NIST Special Publication 800-53. This subcontrol emphasizes the need to validate the integrity and effectiveness of backup restoration processes through representative sampling of backup data.

  • System Backup | Separate Storage for Critical Information (CP-9(3))

    The "Separate Storage for Critical Information" (CP-9(3)) subcontrol is a component of the "System Backup" (CP-9) control within NIST Special Publication 800-53. This subcontrol emphasizes the need to store critical information backups separately from routine backups to ensure their availability and integrity during contingency situations.

  • System Backup | Transfer to Alternate Storage Site (CP-9(5))

    The "Transfer to Alternate Storage Site" (CP-9(5)) subcontrol is a component of the "System Backup" (CP-9) control within NIST Special Publication 800-53. This subcontrol emphasizes the importance of transferring backup data to an alternate storage site as part of contingency planning. Transferring backups to an off-site location helps ensure data availability and recovery in the event of a disaster or disruption at the primary site.

  • System Backup | Cryptographic Protection (CP-9(8))

    The System Backup | Cryptographic Protection control (CP-9(8)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control focuses on enhancing the security of critical system backups by requiring cryptographic protection. By applying cryptographic mechanisms, organizations can ensure the confidentiality and integrity of backup data during storage, transfer, and restoration processes.

  • System Recovery and Reconstitution (CP-10)- Main Control

    The System Recovery and Reconstitution control (CP-10) is part of the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control focuses on ensuring that critical information systems can be effectively recovered and reconstituted after a disruption or disaster. The objective is to minimize the impact of disruptions on organizational operations by establishing comprehensive recovery processes.

  • System Recovery and Reconstitution | Transaction Recovery (CP-10(2))

    The System Recovery and Reconstitution | Transaction Recovery control (CP-10(2)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of ensuring the recovery and reconstitution of critical transactions during and after disruptions. The control aims to maintain data consistency and minimize the impact of disruptions on ongoing business processes.

  • System Recovery and Reconstitution | Restore Within Time Period (CP-10(4))

    The System Recovery and Reconstitution | Restore Within Time Period control (CP-10(4)) is a subcontrol within the Contingency Planning family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of restoring critical systems within a defined time period after a disruption. The control aims to ensure timely recovery and reconstitution to minimize the impact of disruptions on organizational operations.

The Configuration Management control family is designed to establish and maintain a systematic approach to managing the configuration of information systems. Configuration management involves identifying and documenting system components, controlling changes to those components, and ensuring the integrity and security of the system throughout its lifecycle. By implementing robust configuration management controls, organizations can reduce the risk of unauthorized or unintended changes that could impact the confidentiality, integrity, and availability of their information systems.

  • Information Location | Automated Tools to Support Information Location (CM-12(1))

    This subcontrol under Configuration Management (CM-12) focuses on the use of automated tools to support the management and tracking of information locations within an information system. Automated tools enhance the efficiency and accuracy of maintaining an inventory of information and data locations.

  • Information Location (CM-12)- Main Control

    This control focuses on the management and control of information locations within an information system. It involves tracking the locations of information, data, and software components to ensure their integrity, availability, and confidentiality.

  • Software Usage Restrictions (CM-10)- Main Control

    This main control under Configuration Management (CM-10) emphasizes the importance of establishing and enforcing software usage restrictions to prevent unauthorized or inappropriate software from being installed and executed on organizational systems.

  • User-installed Software (CM-11)- Main Control

    This main control under Configuration Management (CM-11) focuses on managing user-installed software within the organization. It aims to establish processes and mechanisms to ensure that user-installed software is properly controlled, monitored, and evaluated to prevent security risks and maintain the integrity of organizational systems.

  • Configuration Management Plan (CM-9)- Main Control

    This main control under Configuration Management (CM-9) emphasizes the need for organizations to develop and implement a Configuration Management Plan (CMP) that outlines the policies, procedures, and responsibilities for managing configuration items throughout their lifecycle.

  • System Component Inventory | Accountability Information (CM-8(4))

    This subcontrol under Configuration Management (CM-8) emphasizes the need to include accountability information for each component within the organization's system component inventory.

  • System Component Inventory | Automated Unauthorized Component Detection (CM-8(3))

    This subcontrol under Configuration Management (CM-8) focuses on implementing automated mechanisms to detect and identify unauthorized or unapproved components within the organization's system component inventory.

  • System Component Inventory | Updates During Installation and Removal (CM-8(1))

    This subcontrol under Configuration Management (CM-8) focuses on ensuring that the system component inventory is promptly updated when components are installed, added, or removed from the organization's information system.

  • System Component Inventory | Automated Maintenance (CM-8(2))

    This subcontrol under Configuration Management (CM-8) emphasizes the use of automated mechanisms to maintain the accuracy and currency of the organization's system component inventory.

  • System Component Inventory (CM-8)- Main Control

    This control under Configuration Management (CM-8) focuses on maintaining an accurate and up-to-date inventory of system components within an organization's information system to effectively manage and secure its configuration.

  • Least Functionality | Authorized Software — Allow-by-exception (CM-7(5))

    This subcontrol under Configuration Management (CM-7) focuses on implementing an "allow-by-exception" approach to control the installation and execution of authorized software on systems, in accordance with the principle of least functionality.

  • Least Functionality | Prevent Program Execution (CM-7(2))

    This subcontrol under Configuration Management (CM-7) focuses on preventing the execution of unauthorized or unnecessary programs on systems and components to adhere to the principle of least functionality.

  • Least Functionality | Periodic Review (CM-7(1))

    This subcontrol under Configuration Management (CM-7) focuses on conducting periodic reviews of system configurations to ensure that they continue to adhere to the principle of least functionality.

  • Least Functionality (CM-7)- Main Control

    This main control under Configuration Management (CM-7) focuses on ensuring that systems and components are configured with the least functionality necessary for their intended purpose to reduce attack surfaces and minimize potential vulnerabilities.

  • Configuration Settings | Automated Management, Application, and Verification (CM-6(1))

    This subcontrol under Configuration Management (CM-6) focuses on automating the management, application, and verification of configuration settings to ensure consistency and accuracy.

  • Configuration Settings | Respond to Unauthorized Changes (CM-6(2))

    This subcontrol under Configuration Management (CM-6) focuses on promptly responding to and addressing unauthorized changes to configuration settings.

  • Configuration Settings (CM-6)- Main Control

    This main control under Configuration Management (CM-6) focuses on establishing and maintaining configuration settings for information systems and components to ensure their security and functionality.

  • Access Restrictions for Change | Automated Access Enforcement and Audit Records (CM-5(1))

    This subcontrol under Configuration Management (CM-5) focuses on the automated enforcement of access restrictions for making changes and the generation of audit records to track those changes. Automated enforcement and audit records enhance accountability and transparency in the change management process.

  • Access Restrictions for Change (CM-5)- Main Control

    This control under Configuration Management (CM) focuses on implementing access restrictions to ensure that only authorized individuals can make changes to configurations. Access restrictions help prevent unauthorized or malicious changes that could compromise system security and stability.

  • Impact Analyses | Verification of Controls (CM-4(2))

    This subcontrol under Configuration Management (CM-4) emphasizes the verification of security controls during impact analyses. Verifying controls ensures that proposed changes do not weaken existing security measures and helps maintain the overall security posture.

  • Impact Analyses | Separate Test Environments (CM-4(1))

    This subcontrol under Configuration Management (CM-4) focuses on the use of separate test environments for conducting impact analyses on proposed changes. Separate test environments provide a controlled space to assess the effects of changes before they are implemented in production environments.

  • Configuration Change Control | Cryptography Management (CM-3(6))

    This subcontrol under Configuration Change Control (CM-3) emphasizes the importance of managing cryptographic configurations during the change management process. Proper cryptography management ensures the integrity and confidentiality of sensitive information.

  • Impact Analyses (CM-4)- Main Control

    This control under Configuration Management (CM) focuses on performing impact analyses to assess the potential effects of proposed changes on systems and environments before they are implemented. Impact analyses help organizations make informed decisions and manage risks associated with configuration changes.

  • Configuration Change Control | Security and Privacy Representatives (CM-3(4))

    This subcontrol under Configuration Change Control (CM-3) emphasizes the involvement of security and privacy representatives in the change management process. Security and privacy representatives play a vital role in ensuring that configuration changes align with security and privacy requirements.

  • Configuration Change Control | Testing, Validation, and Documentation of Changes (CM-3(2))

    This subcontrol under Configuration Change Control (CM-3) emphasizes the importance of testing, validating, and documenting changes to configuration items before they are implemented. Proper testing and documentation help ensure that changes do not introduce vulnerabilities or disruptions.

  • Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes (CM-3(1))

    This subcontrol under Configuration Change Control (CM-3) focuses on using automation to enhance the documentation, notification, and prohibition aspects of the configuration change management process. Automation helps streamline change tracking, communication, and enforcement.

  • Configuration Change Control (CM-3)- Main Control

    This main control under Configuration Management (CM) focuses on establishing and maintaining a formal process for managing changes to an organization's information system configurations. Proper change control ensures that changes are planned, documented, tested, and authorized to minimize risks and disruptions.

  • Baseline Configuration | Retention of Previous Configurations (CM-2(3))

    This subcontrol under Baseline Configuration (CM-2) focuses on retaining previous versions of baseline configurations for an organization's information systems. Retaining previous configurations allows for historical reference and recovery in case of configuration-related issues or security incidents.

  • Baseline Configuration | Configure Systems and Components for High-risk Areas (CM-2(7))

    This subcontrol under Baseline Configuration (CM-2) focuses on configuring systems and components for high-risk areas with specific security requirements. Systems and components in high-risk areas require tailored configurations to address elevated security concerns.

  • Baseline Configuration | Automation Support for Accuracy and Currency (CM-2(2))

    This subcontrol under Baseline Configuration (CM-2) focuses on using automation to support the accuracy and currency of baseline configurations for an organization's information systems. Automation helps ensure that baseline configurations are consistently applied and promptly updated.

  • Baseline Configuration (CM-2)- Main Control

    This control falls under the Configuration Management (CM) family and focuses on establishing and maintaining baseline configurations for an organization's information systems. Baseline configurations provide a reference point for authorized and secure system settings.

  • Policy and Procedures (CM-1)- Main Control

    This control falls under the Configuration Management (CM) family and emphasizes the need for establishing and implementing configuration management policies and procedures. Configuration management involves managing and controlling the changes made to an organization's information systems and components.

Access control safeguards are implemented to ensure that only authorized individuals and systems have access to the information system and its resources. The primary goal is to prevent unauthorized access and limit access to only those with the necessary permissions based on their roles and responsibilities within the organization. Effective access control mechanisms contribute to the confidentiality, integrity, and availability of the information system and its data.

  • Policy and Procedures (AC-1)- Main Control

    The Access Control Policy and Procedures control (AC-1) focuses on the establishment and documentation of a comprehensive set of policies and procedures that govern the management of access to information systems and resources. This control ensures that access to sensitive data, applications, and systems is appropriately authorized, managed, and audited, thereby reducing the risk of unauthorized access and potential security breaches.

  • Account Management (AC-2)- Main Control

    The Account Management control (AC-2) focuses on the establishment and enforcement of policies and procedures for the management of user accounts within an information system. This control ensures that user accounts are created, modified, and terminated in a secure and consistent manner, reducing the risk of unauthorized access and minimizing potential security vulnerabilities.

  • Account Management | Automated System Account Management (AC-2(1))

    The Automated System Account Management subcontrol (AC-2(1)) focuses on the establishment and enforcement of automated procedures for the management of system and application accounts. This control ensures that the creation, modification, and termination of accounts within automated systems are handled consistently and securely, reducing the risk of unauthorized access and improving operational efficiency.

  • Account Management | Automated Temporary and Emergency Account Management (AC-2(2))

    The Automated Temporary and Emergency Account Management subcontrol (AC-2(2)) focuses on the establishment and management of automated procedures for the creation and deactivation of temporary and emergency user accounts. This control ensures that temporary and emergency accounts are created only when needed, with strict controls in place to manage their lifecycle and mitigate potential security risks.

  • Account Management | Disable Accounts (AC-2(3))

    The Disable Accounts subcontrol (AC-2(3)) focuses on the establishment of procedures for promptly disabling user accounts that are no longer needed or that have been compromised. This control ensures that inactive or compromised accounts are disabled to prevent unauthorized access, reducing the risk of security breaches and maintaining the integrity of the information system.

  • Account Management | Automated Audit Actions (AC-2(4))

    The Automated Audit Actions subcontrol (AC-2(4)) focuses on the implementation of automated mechanisms to facilitate auditing of account management actions. This control ensures that account-related activities, such as account creation, modification, and deactivation, are logged and monitored automatically, enhancing accountability and helping to detect and respond to unauthorized or suspicious activities.

  • Account Management | Inactivity Logout (AC-2(5))

    The Inactivity Logout subcontrol (AC-2(5)) requires users to log out after an organization-defined period of expected inactivity or under organization-defined conditions, such as the end of the working day. It is an obligation placed on users and backed by policy and awareness; automatic termination of idle sessions by the system is a separate control, Session Termination (AC-12).

  • Account Management | Usage Conditions (AC-2(11))

    The Usage Conditions subcontrol (AC-2(11)) requires the system to enforce organization-defined circumstances or usage conditions on organization-defined accounts, for example restricting an account to particular days, hours, or source locations. Enforcing these conditions at authentication time limits how a valid credential can be used if it is stolen or shared.

  • Account Management | Account Monitoring for Atypical Usage (AC-2(12))

    The Account Monitoring for Atypical Usage subcontrol (AC-2(12)) focuses on the continuous monitoring of user account activities to detect and respond to atypical usage patterns. This control ensures that user account behaviors are analyzed for anomalies, potential misuse, or unauthorized access, enhancing security and reducing the risk of breaches.
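
The following is an added example, not part of the original page, of the kind of baseline-and-deviation check that AC-2(12) asks for: a per-account profile of usual logon hours and source networks is built from history, and each new logon is compared against it. The logon records are constructed for illustration, and the one-hour tolerance and the grouping of sources into /24 networks are assumptions chosen for the example.

```python
# Added example (not part of the original page): a baseline-and-deviation
# check of the kind AC-2(12) asks for. The login records below are constructed
# for illustration; the hour tolerance and /24 grouping are assumptions.
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed history: (account, UTC logon time, source IP).
HISTORY = [
    ("alice", "2024-03-04T09:12:00Z", "10.20.30.11"),
    ("alice", "2024-03-04T10:40:00Z", "10.20.30.11"),
    ("alice", "2024-03-05T14:05:00Z", "10.20.31.8"),
    ("alice", "2024-03-06T17:55:00Z", "10.20.30.23"),
    ("bob",   "2024-03-04T22:10:00Z", "192.0.2.15"),
    ("bob",   "2024-03-05T23:30:00Z", "192.0.2.16"),
    ("bob",   "2024-03-06T01:15:00Z", "192.0.2.15"),
]

HOUR_TOLERANCE = 1   # assumed: an hour adjacent to an observed one is still "usual"


def parse(record):
    """Split a (user, timestamp, ip) tuple into user, aware UTC datetime, /24 network."""
    user, ts, ip = record
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return user, when, net


def build_baseline(history):
    """Per-account profile: set of logon hours (UTC) and set of source /24s seen."""
    baseline = defaultdict(lambda: {"hours": set(), "nets": set()})
    for record in history:
        user, when, net = parse(record)
        baseline[user]["hours"].add(when.hour)
        baseline[user]["nets"].add(net)
    return baseline


def near_usual_hour(hour, usual_hours, tol=HOUR_TOLERANCE):
    """True if `hour` is within `tol` hours (wrapping at midnight) of any usual hour."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tol for h in usual_hours)


def atypical(baseline, record):
    """Reasons a logon deviates from the account's baseline; an empty list means typical."""
    user, when, net = parse(record)
    if user not in baseline:
        return ["no baseline for account"]
    profile = baseline[user]
    reasons = []
    if not near_usual_hour(when.hour, profile["hours"]):
        reasons.append(f"hour {when.hour:02d}Z outside usual hours")
    if net not in profile["nets"]:
        reasons.append(f"source network {net} not previously seen")
    return reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for new_logon in [("alice", "2024-03-11T09:30:00Z", "10.20.30.77"),
                      ("alice", "2024-03-11T03:15:00Z", "203.0.113.9"),
                      ("carol", "2024-03-11T09:00:00Z", "10.20.30.5")]:
        print(new_logon, atypical(baseline, new_logon) or "typical")
```

An account with no history is reported as such rather than treated as typical, since a freshly created or long-dormant account is exactly the case the control wants looked at. A production version would also learn from outcomes (confirmed benign deviations extend the baseline) and would feed the reasons into the organization's alerting pipeline.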

  • Account Management | Disable Accounts for High-risk Individuals (AC-2(13))

    The Disable Accounts for High-risk Individuals subcontrol (AC-2(13)) requires that the accounts of individuals found to pose a significant security or privacy risk be disabled within an organization-defined period of that discovery. This covers cases such as credible evidence that a person intends to misuse authorized access, or an insider-threat finding; routine disabling on termination or transfer is handled by AC-2(3) and the Personnel Security controls.

  • Access Enforcement (AC-3)- Main Control

    The Access Enforcement control (AC-3) focuses on enforcing access control policies and mechanisms to ensure that only authorized individuals are granted access to information systems and resources. This control ensures that access decisions are made based on established rules and criteria, reducing the risk of unauthorized access and ensuring the security and confidentiality of sensitive information.

  • Information Flow Enforcement (AC-4)- Main Control

    The Information Flow Enforcement control (AC-4) requires the system to enforce approved authorizations for controlling the flow of information within the system and between connected systems, according to organization-defined information flow control policies. Typical enforcement includes blocking external traffic that claims to originate inside the organization, forcing web requests through proxies, and restricting what may pass between security domains, so that information does not move where policy has not authorized it.

  • Information Flow Enforcement | Flow Control of Encrypted Information (AC-4(4))

    The Flow Control of Encrypted Information subcontrol (AC-4(4)) requires the system to prevent encrypted information from bypassing flow control mechanisms, using organization-defined procedures or methods such as decrypting the traffic for inspection, blocking flows that cannot be inspected, or terminating the session. Without it, encryption that protects confidentiality also hides the content from the very mechanisms AC-4 relies on.

  • Separation of Duties (AC-5)- Main Control

    The Separation of Duties control (AC-5) aims to prevent conflicts of interest and ensure accountability by enforcing the principle of separation of duties. This control requires that tasks and responsibilities related to access control are distributed among different individuals or roles to minimize the risk of unauthorized actions or fraud.

  • Least Privilege (AC-6) - Main Control

    The Least Privilege control (AC-6) focuses on ensuring that individuals and processes are granted only the minimum level of access necessary to perform their authorized tasks. This control helps mitigate the risk of unauthorized access and potential misuse of privileges.

  • Least Privilege | Authorize Access to Security Functions (AC-6(1))

    The Authorize Access to Security Functions subcontrol (AC-6(1)) focuses on ensuring that only authorized individuals have access to security functions and capabilities. This control helps prevent unauthorized changes to security settings and configurations.

  • Least Privilege | Non-privileged Access for Nonsecurity Functions (AC-6(2))

    The Non-privileged Access for Nonsecurity Functions subcontrol (AC-6(2)) emphasizes the importance of providing non-privileged access to individuals performing nonsecurity functions. This control helps prevent unnecessary elevation of privileges and reduces the risk of unauthorized actions.

  • Least Privilege | Network Access to Privileged Commands (AC-6(3))

    The Network Access to Privileged Commands subcontrol (AC-6(3)) focuses on restricting network access to privileged commands. This control helps prevent unauthorized individuals from executing privileged commands remotely over the network.

  • Least Privilege | Privileged Accounts (AC-6(5))

    The Privileged Accounts subcontrol (AC-6(5)) focuses on managing and controlling privileged accounts with elevated access privileges. This control aims to reduce the risk of unauthorized use and potential misuse of privileged accounts.

  • Least Privilege | Review of User Privileges (AC-6(7))

    The Review of User Privileges subcontrol (AC-6(7)) focuses on conducting regular reviews of user privileges to ensure that individuals have only the necessary access rights and privileges required to perform their duties. This control helps maintain the principle of least privilege and reduces the risk of unauthorized access.

  • Least Privilege | Log Use of Privileged Functions (AC-6(9))

    The Log Use of Privileged Functions subcontrol (AC-6(9)) focuses on logging the use of privileged functions and activities to provide an audit trail of actions performed with elevated privileges. This control helps enhance accountability, transparency, and oversight of privileged actions.

  • Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions (AC-6(10))

    The Prohibit Non-privileged Users from Executing Privileged Functions subcontrol (AC-6(10)) focuses on preventing non-privileged users from executing privileged functions, thereby limiting the potential for unauthorized or accidental misuse of elevated privileges.

  • Unsuccessful Logon Attempts (AC-7)- Main Control

    The Unsuccessful Logon Attempts control (AC-7) requires the system to enforce a limit of organization-defined consecutive invalid logon attempts by a user within an organization-defined time period, and to take an organization-defined action when that limit is exceeded: automatically locking the account or node for a set period or until released by an administrator, delaying the next logon prompt, notifying an administrator, or another response. It is the primary defense against online password guessing, and the chosen response must be weighed against the denial of service an attacker can cause by deliberately locking out accounts.
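
As an added example (not code from the page or from NIST), the policy below implements the AC-7 mechanics: failures are counted in a sliding window, the account locks for a fixed time once the limit is reached, attempts made while locked are rejected without being counted, a successful logon resets the counter, and an administrator can release the lock. The limit, window, and lockout values are assumed placeholders; the organization defines them. Time is passed in as a number of seconds so the logic can be exercised deterministically.

```python
# Added example (not part of the original page): an AC-7 lockout policy with a
# sliding failure window and a timed lock. The parameter values are assumed;
# the organization defines them. Time is passed in explicitly (seconds) so the
# logic can be exercised deterministically.
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict

MAX_FAILURES = 5           # assumed: consecutive failures allowed in the window
WINDOW_SECONDS = 15 * 60   # assumed: failures older than this no longer count
LOCKOUT_SECONDS = 30 * 60  # assumed: lock duration once the limit is reached


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # times of recent failures
    locked_until: float = 0.0


class LockoutPolicy:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._state: Dict[str, AccountState] = {}

    def is_locked(self, user, now):
        """True while the account's lock has not yet expired."""
        state = self._state.get(user)
        return state is not None and now < state.locked_until

    def record_attempt(self, user, success, now):
        """Outcome of a logon attempt at time `now`: 'allowed', 'failed' or 'locked'.

        While the account is locked the attempt is rejected even if the credential
        was correct, and it is not counted, so continued hammering does not extend
        the lock. A real service checks is_locked() first and skips credential
        verification entirely while locked.
        """
        state = self._state.setdefault(user, AccountState())
        if now < state.locked_until:
            return "locked"
        # Drop failures that have aged out of the window.
        while state.failures and now - state.failures[0] > self.window:
            state.failures.popleft()
        if success:
            state.failures.clear()   # a successful logon resets the counter
            return "allowed"
        state.failures.append(now)
        if len(state.failures) >= self.max_failures:
            state.locked_until = now + self.lockout
            state.failures.clear()
            return "locked"
        return "failed"

    def unlock(self, user):
        """Administrative release of a lock (one of the AC-7 response options)."""
        if user in self._state:
            self._state[user].locked_until = 0.0


if __name__ == "__main__":
    policy = LockoutPolicy(max_failures=3, window=60, lockout=300)
    # Constructed sequence: three failures in 20 s, then a correct password while locked.
    for t, ok in [(0, False), (10, False), (20, False), (100, True), (320, True)]:
        print(f"t={t:>3}s success={ok!s:5} -> {policy.record_attempt('alice', ok, t)}")
```

Locking on the account name alone means anyone who knows a username can lock its owner out, which is the denial-of-service trade-off noted above; common mitigations are to key the counter on source address as well, to prefer an escalating delay over a hard lock for low-risk interfaces, and to alert on bursts of lockouts across many accounts, which is the signature of password spraying.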

  • System Use Notification (AC-8)- Main Control

    The System Use Notification control (AC-8) focuses on providing users with appropriate notification and warnings regarding the use of information systems before accessing them. This control helps users understand their responsibilities and the conditions under which they are allowed to access and use the systems.

  • Concurrent Session Control (AC-10)- Main Control

    The Concurrent Session Control (AC-10) control requires the system to limit the number of concurrent sessions for each account, or each account type, to an organization-defined number. Limits can be set globally, per account type, per account, or by a combination of these, and they help contain credential sharing and the continued use of a session that an attacker has hijacked.

  • Device Lock (AC-11)- Main Control

    The Device Lock (AC-11) control focuses on ensuring that information systems and devices are automatically locked or secured when not in use to prevent unauthorized access and protect sensitive information from exposure. This control aims to reduce the risk of unauthorized access and data breaches that may occur if devices are left unattended or unlocked.

  • Device Lock | Pattern-hiding Displays (AC-11(1))

    The Device Lock | Pattern-hiding Displays (AC-11(1)) subcontrol requires that the device lock conceal whatever was previously visible on the display with a publicly viewable image, such as a static screen or a screensaver pattern. Its purpose is to keep on-screen information from being read while the device is locked; it does not concern how the unlock credential itself is entered.

  • Session Termination (AC-12)- Main Control

    The Session Termination (AC-12) control requires the system to automatically terminate a user session after organization-defined conditions or trigger events, such as a period of inactivity, a time-of-day restriction, or a targeted response to an incident. Unlike Device Lock (AC-11), which preserves the session behind a lock, termination ends the session itself so that an abandoned session cannot be resumed by someone else.

  • Permitted Actions Without Identification or Authentication (AC-14)- Main Control

    The Permitted Actions Without Identification or Authentication (AC-14) control addresses the circumstances under which certain actions are allowed without requiring user identification and authentication. This control helps organizations strike a balance between security and operational needs by allowing specific actions to be performed without the overhead of full identification and authentication while still maintaining adequate security measures.

  • Remote Access (AC-17)- Main Control

    The Remote Access (AC-17) control focuses on managing and controlling remote access to organizational information systems and resources. This control ensures that remote access is securely configured, monitored, and controlled to prevent unauthorized access and protect sensitive information.

  • Remote Access | Monitoring and Control (AC-17(1))

    The Remote Access | Monitoring and Control (AC-17(1)) control requires automated mechanisms to monitor and control remote access methods. Automation makes it practical to audit remote sessions and to detect and respond to policy violations or suspicious activity that manual review of remote connections would miss.

  • Remote Access | Protection of Confidentiality and Integrity Using Encryption (AC-17(2))

    The Remote Access | Protection of Confidentiality and Integrity Using Encryption (AC-17(2)) control focuses on ensuring the confidentiality and integrity of remote access communications by employing encryption mechanisms. This control aims to protect sensitive information transmitted between remote devices and organizational systems.

  • Remote Access | Managed Access Control Points (AC-17(3))

    The Remote Access | Managed Access Control Points (AC-17(3)) control focuses on establishing managed access control points for remote access to organizational information systems. This control ensures that remote access is granted through secure and well-defined entry points, enhancing overall security.

  • Remote Access | Privileged Commands and Access (AC-17(4))

    The Remote Access | Privileged Commands and Access (AC-17(4)) control focuses on controlling and limiting privileged commands and access for remote users. This control ensures that remote users have appropriate levels of authorization and are restricted from executing privileged commands unless explicitly authorized.

  • Wireless Access (AC-18)- Main Control

    The Wireless Access (AC-18) control aims to manage and secure wireless communications within an organization's information system. It focuses on establishing policies, procedures, and technical measures to ensure the appropriate use of wireless technologies and to protect against unauthorized access, data breaches, and other security risks associated with wireless networks.

  • Wireless Access | Authentication and Encryption (AC-18(1))

    The Wireless Access | Authentication and Encryption (AC-18(1)) control focuses on ensuring secure authentication and encryption mechanisms for wireless networks. It aims to prevent unauthorized access and protect the confidentiality of data transmitted over wireless connections.

  • Wireless Access | Disable Wireless Networking (AC-18(3))

    The Wireless Access | Disable Wireless Networking (AC-18(3)) control focuses on the ability to disable wireless networking capabilities when they are not needed or authorized. This control helps prevent unauthorized access and potential security risks associated with wireless networks.

  • Wireless Access | Restrict Configurations by Users (AC-18(4))

    The Wireless Access | Restrict Configurations by Users (AC-18(4)) control focuses on restricting users' ability to configure wireless settings on devices to prevent unauthorized or insecure wireless network connections.

  • Wireless Access | Antennas and Transmission Power Levels (AC-18(5))

    The Wireless Access | Antennas and Transmission Power Levels (AC-18(5)) control requires selecting radio antennas and calibrating transmission power levels to reduce the probability that signals from wireless access points can be received outside organization-controlled boundaries. Limiting signal leakage shrinks the area from which an attacker can attempt to join or eavesdrop on the network.

  • Access Control for Mobile Devices (AC-19)- Main Control

    The Access Control for Mobile Devices (AC-19) control focuses on establishing and enforcing access controls for mobile devices to ensure the confidentiality, integrity, and availability of information and systems.

  • Access Control for Mobile Devices | Full Device or Container-based Encryption (AC-19(5))

    The Access Control for Mobile Devices | Full Device or Container-based Encryption (AC-19(5)) control focuses on ensuring the protection of sensitive data on mobile devices through the use of full device or container-based encryption. This control helps prevent unauthorized access to data in case of device loss or theft.

  • Use of External Systems (AC-20)- Main Control

    The Use of External Systems (AC-20) control is designed to establish safeguards and controls when organizations interact with external systems, networks, or services. This control aims to manage and mitigate risks associated with connecting to, sharing information with, or relying on external entities.

  • Use of External Systems | Limits on Authorized Use (AC-20(1))

    The Use of External Systems | Limits on Authorized Use (AC-20(1)) control focuses on defining and enforcing limitations on the authorized use of external systems, networks, or services to ensure that their usage aligns with the organization's security policies and objectives.

  • Use of External Systems | Portable Storage Devices — Restricted Use (AC-20(2))

    The Use of External Systems | Portable Storage Devices — Restricted Use (AC-20(2)) control focuses on restricting the use of portable storage devices with external systems to minimize security risks and prevent unauthorized access, data leakage, and malware propagation.

  • Information Sharing (AC-21)- Main Control

    The Information Sharing (AC-21) control focuses on facilitating the controlled sharing of information among organizations while ensuring that appropriate access controls and protections are in place to safeguard sensitive data.

  • Publicly Accessible Content (AC-22)- Main Control

    The Publicly Accessible Content (AC-22) control addresses information the organization posts to publicly accessible systems. It requires designating the individuals authorized to post such content, training them to recognize nonpublic information, reviewing proposed content before it is posted, and periodically reviewing published content so that any nonpublic information found there is removed.

The Awareness and Training control family emphasizes the importance of fostering a security-conscious culture within an organization by promoting awareness and delivering effective training programs. The goal is to ensure that individuals, including employees, contractors, and other users, are equipped with the knowledge and skills necessary to understand and fulfill their roles and responsibilities in safeguarding information systems and sensitive information.

  • Policy and Procedures (AT-1)- Main Control

    The Awareness and Training Policy and Procedures (AT-1) control requires the establishment of policies and procedures to ensure that personnel receive appropriate awareness and training on security policies, procedures, and practices.

  • Literacy Training and Awareness (AT-2)- Main Control

    The Literacy Training and Awareness (AT-2) control requires security and privacy literacy training for all system users, including managers and senior executives, as part of initial training for new users, when system changes require it, and at an organization-defined frequency thereafter. It also calls for organization-defined awareness techniques, for keeping the training content current, and for incorporating lessons learned from incidents into it.

  • Literacy Training and Awareness | Insider Threat (AT-2(2))

    The Insider Threat (AT-2(2)) subcontrol under Literacy Training and Awareness (AT-2) focuses on providing targeted training and awareness activities to educate personnel about insider threats, their risks, and preventive measures.

  • Literacy Training and Awareness | Social Engineering and Mining (AT-2(3))

    The Social Engineering and Mining (AT-2(3)) subcontrol under Literacy Training and Awareness (AT-2) focuses on providing training and awareness activities to educate personnel about social engineering tactics and the risks associated with information mining.

  • Role-based Training (AT-3)- Main Control

    The Role-based Training (AT-3) control in the Awareness and Training (AT) family requires training tailored to specific job roles within the organization. This ensures that individuals receive training relevant to their responsibilities and understand their own part in maintaining information security.

  • Training Records (AT-4)- Main Control

    The Training Records (AT-4) control in the Awareness and Training (AT) family requires accurate and up-to-date records of training activities and outcomes for individuals within the organization. These records demonstrate compliance with training requirements, track progress, and confirm that personnel have received the education and awareness needed to perform their roles securely.

The Audit and Accountability control family is designed to facilitate the creation, collection, and analysis of audit records to support the detection, response to, and investigation of security incidents. By implementing robust auditing mechanisms, organizations can establish a comprehensive and accurate record of activities within their information systems, aiding in the identification of unauthorized access, policy violations, and potential security threats.

  • Audit Record Generation | Changes by Authorized Individuals (AU-12(3))

    This subcontrol extends AU-12 by requiring the system to provide the capability for organization-defined individuals or roles to change the logging performed on organization-defined system components, based on selectable event criteria and within organization-defined time thresholds. The point is to let authorized personnel increase or retarget logging quickly when an incident or investigation calls for it, without redeploying or reconfiguring the system through a slower change process.

  • Audit Record Generation | System-wide and Time-correlated Audit Trail (AU-12(1))

    This subcontrol expands upon AU-12 by emphasizing the need for a system-wide and time-correlated audit trail. It ensures that audit records are generated across the entire system environment and that these records can be correlated based on accurate timestamps. This capability enhances an organization's ability to reconstruct events, detect security incidents, and establish a comprehensive view of system behavior.

  • Audit Record Generation (AU-12)- Main Control

    This control addresses the requirement for generating audit records that capture relevant information about system activities, events, and user actions. The purpose of this control is to ensure that audit records are generated consistently and comprehensively to provide a reliable record of system behavior and facilitate security monitoring, incident response, and accountability.

  • Audit Record Retention (AU-11)- Main Control

    This control addresses the retention of audit records, ensuring that these records are maintained for a specified period to facilitate incident response, accountability, and compliance monitoring. Audit records contain valuable information about system activities, user actions, and security events, which are crucial for detecting and investigating security incidents, analyzing trends, and ensuring the accountability of system users and administrators.

  • Non-repudiation (AU-10)- Main Control

    The AU-10 control addresses the establishment of non-repudiation measures to ensure that actions and events recorded in audit logs cannot be denied or disputed. It ensures that organizations implement mechanisms to reliably attribute actions to specific individuals or entities, enhancing accountability and trustworthiness.

  • Protection of Audit Information | Access by Subset of Privileged Users (AU-9(4))

    The AU-9(4) subcontrol emphasizes restricting access to audit information to a subset of privileged users who have a legitimate need to review and analyze the records. It ensures that organizations grant access to audit data only to authorized personnel with a specific role in managing and maintaining the information.

  • Policy and Procedures (AU-1)- Main Control

    The Policy and Procedures (AU-1) control addresses the development, dissemination, and maintenance of an audit and accountability policy and of the procedures that implement it. It is the governing document for the rest of the AU family: which events are logged, who reviews the records, how long they are kept, and who is accountable for each of those decisions.

  • Event Logging (AU-2)- Main Control

    The Event Logging (AU-2) control requires the organization to identify the types of events the system is capable of logging, to coordinate the event logging function with the other organizational entities that need the records, to specify which event types are logged and how often, and to review and update that selection at an organization-defined frequency. It determines what goes into the audit trail; the content of each record is governed by AU-3 and the generation of the records by AU-12.

  • Content of Audit Records (AU-3)- Main Control

    This main control under the Audit and Accountability (AU) control family focuses on specifying the necessary content for audit records to ensure the comprehensive capture of relevant information related to security events and incidents. It ensures that audit records contain essential details that support security monitoring, analysis, and incident response.

  • Content of Audit Records | Additional Audit Information (AU-3(1))

    This subcontrol under AU-3 focuses on enhancing the content of audit records by including additional information beyond basic event details. By capturing more comprehensive information, organizations can improve their ability to analyze security events and detect potential threats.

  • Audit Log Storage Capacity (AU-4)- Main Control

    The Audit Log Storage Capacity control, categorized under the Audit and Accountability family, pertains to the management of audit logs' storage capacity. It focuses on ensuring that systems have adequate storage space to retain audit records, thereby supporting effective security monitoring, incident response, and compliance with regulatory requirements.

  • Response to Audit Logging Process Failures (AU-5)- Main Control

    This control ensures that appropriate actions are taken in response to failures in the audit logging process. It focuses on detecting, responding to, and resolving audit logging failures to maintain the integrity and availability of audit records, which are crucial for monitoring and assessing the security of information systems.

  • Response to Audit Logging Process Failures | Storage Capacity Warning (AU-5(1))

    This control focuses on the timely response to audit logging process failures related to storage capacity warnings. It ensures that organizations promptly address situations where audit logs approach storage capacity limits, preventing potential disruptions to the audit trail and ensuring the availability and integrity of critical security-related data.

  • Response to Audit Logging Process Failures | Real-time Alerts (AU-5(2))

    This control emphasizes the importance of real-time alerts as part of the response to audit logging process failures. It ensures that organizations promptly detect and respond to anomalies or disruptions in the audit logging process through automated real-time alerts. By receiving immediate notifications of audit logging failures, organizations can take swift corrective actions to maintain the availability and integrity of critical security event data.

  • Audit Record Review, Analysis, and Reporting (AU-6)- Main Control

    This control focuses on the review, analysis, and reporting of audit records generated by information systems. It ensures that organizations establish processes for regularly examining audit records to detect and respond to security incidents, track system activities, and facilitate compliance monitoring and reporting.

  • Audit Record Review, Analysis, and Reporting | Automated Process Integration (AU-6(1))

    This control focuses on the integration of automated processes into the audit record review, analysis, and reporting procedures. It ensures that organizations leverage technology to streamline and enhance the effectiveness of reviewing and analyzing audit records, enabling timely detection of security incidents, compliance violations, and system anomalies.

  • Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories (AU-6(3))

    This control emphasizes the importance of correlating audit record repositories as part of the audit record review, analysis, and reporting process. It ensures that organizations effectively aggregate and correlate audit records from various sources to gain a comprehensive view of system activities, detect patterns, and facilitate timely incident response.

  • Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records (AU-6(5))

    This control requires the analysis of audit records to be integrated with the analysis of other data sources, such as vulnerability scanning results, performance data, and system monitoring information, so that complex or cross-system incidents can be detected. Where AU-6(3) correlates audit records with one another, AU-6(5) correlates them with non-audit data that gives the records context.

  • Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring (AU-6(6))

    This control emphasizes the importance of correlating audit record analysis with physical monitoring activities to provide a comprehensive view of system security. It ensures that organizations integrate information from audit records with data from physical security systems to enhance incident detection, response, and overall situational awareness.

  • Audit Record Reduction and Report Generation (AU-7)- Main Control

    This control requires the system to provide an audit record reduction and report generation capability that supports on-demand review, analysis, and reporting as well as after-the-fact investigation of incidents, and that does not alter the original content or time ordering of the audit records. Reduction tools summarize and filter large volumes of records so that analysts can work with them; because they operate on copies or views, the original records remain intact as evidence.

  • Audit Record Reduction and Report Generation | Automatic Processing (AU-7(1))

    This subcontrol emphasizes the use of automated processing techniques to efficiently reduce the volume of audit records and generate reports. It ensures that organizations leverage technology to streamline the audit analysis and reporting process, enabling timely insights while minimizing manual effort.

  • Time Stamps (AU-8)- Main Control

    The Time Stamps (AU-8) control requires the system to use internal system clocks to generate time stamps for audit records, and to record time stamps that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and that meet an organization-defined granularity. Zone-resolvable, consistently formatted time stamps are what make records from different systems comparable; synchronizing those clocks with an authoritative time source is covered separately by System Time Synchronization (SC-45).
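
The example below is added here and is not code from the page; it shows what AU-8 makes possible and what AU-12(1) and AU-6(3) require: records from three sources with three time stamp styles (ISO 8601 with a local offset, UTC marked with a trailing Z, and Unix epoch seconds) are mapped to UTC and merged into one time-ordered trail, and a record whose stamp carries no zone at all is set aside rather than given a guessed offset. All log lines are constructed for illustration; the source names and the clustering gap are assumptions.

```python
# Added example (not part of the original page): normalising time stamps from
# several sources to UTC (AU-8) and merging them into one time-correlated
# trail (AU-12(1), AU-6(3)). All log lines are constructed for illustration.
import re
from datetime import datetime, timezone

# Constructed sample records from three sources with three time stamp styles.
SOURCES = {
    "syslog": [  # ISO 8601 with a local UTC offset
        "2024-03-04T09:12:07-05:00 host1 sshd[4121]: Failed password for alice from 203.0.113.9",
        "2024-03-04T09:12:11-05:00 host1 sshd[4121]: Accepted password for alice from 203.0.113.9",
    ],
    "windows": [  # UTC marked with a trailing Z
        "2024-03-04 14:12:09Z DC01 EventID=4625 user=alice src=203.0.113.9",
    ],
    "app": [  # Unix epoch seconds, and one naive local time with no zone at all
        "1709561530 app01 role_change user=alice new_role=admin",
        "2024-03-04 09:12:12 app01 export user=alice rows=50000",
    ],
}

# (pattern, converter) pairs; each converter returns a zone-aware datetime.
PARSERS = [
    (re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d[+-]\d\d:\d\d)\s+(.*)$"),
     lambda m: datetime.fromisoformat(m.group(1))),
    (re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)Z\s+(.*)$"),
     lambda m: datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)),
    (re.compile(r"^(\d{9,10})\s+(.*)$"),
     lambda m: datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)),
]


def normalize(line):
    """Return (UTC datetime, message), or (None, line) if the stamp cannot be mapped to UTC."""
    for pattern, to_datetime in PARSERS:
        m = pattern.match(line)
        if m:
            return to_datetime(m).astimezone(timezone.utc), m.group(2)
    return None, line


def build_trail(sources):
    """Merge all sources into one UTC-ordered trail.

    Records whose stamp has no resolvable zone are returned separately instead of
    being given a guessed offset: a wrong guess silently corrupts the ordering.
    """
    trail, rejected = [], []
    for name, lines in sources.items():
        for line in lines:
            when, message = normalize(line)
            if when is None:
                rejected.append((name, line))
            else:
                trail.append((when, name, message))
    trail.sort(key=lambda r: r[0])   # stable sort: ties keep their source order
    return trail, rejected


def clusters(trail, max_gap_seconds):
    """Group consecutive trail records that are at most max_gap_seconds apart."""
    groups = []
    for record in trail:
        if groups and (record[0] - groups[-1][-1][0]).total_seconds() <= max_gap_seconds:
            groups[-1].append(record)
        else:
            groups.append([record])
    return groups


if __name__ == "__main__":
    trail, rejected = build_trail(SOURCES)
    for when, source, message in trail:
        print(when.isoformat(), f"[{source}]", message)
    for source, line in rejected:
        print("REJECTED (no zone):", source, line)
```

Once the stamps are in UTC the story across sources is visible at a glance: a failed SSH logon and a failed domain logon for the same account from the same address, a role change, and then a successful logon, all inside five seconds. The rejected application record illustrates the AU-8 requirement in practice: a stamp that cannot be mapped to UTC cannot be correlated, and the fix belongs in the source's logging configuration, not in the analysis tool.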

  • Protection of Audit Information (AU-9)- Main Control

    The AU-9 control addresses the protection of audit information to ensure the confidentiality, integrity, and availability of audit records and related data. It ensures that organizations implement measures to safeguard audit logs, reports, and associated information from unauthorized access, modification, loss, and tampering.

  • Protection of Audit Information | Store on Separate Physical Systems or Components (AU-9(2))

    The AU-9(2) subcontrol requires that audit records be stored, at an organization-defined frequency, in a repository that is part of a physically different system or system component from the one being audited. A compromise of the audited system then does not by itself let the attacker alter or destroy its audit trail, and the records survive if that system is lost.

  • Protection of Audit Information | Cryptographic Protection (AU-9(3))

    The AU-9(3) subcontrol requires cryptographic mechanisms to protect the integrity of audit information and of the audit logging tools. Keyed hashes or digital signatures over the records let the organization detect modification, deletion, or reordering of log entries; confidentiality of the records, where it is needed, is a separate concern under the main AU-9 control.
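
As an added example (not code from the page or from NIST), the following keyed hash chain gives a sequence of audit records the integrity protection AU-9(3) calls for: each entry's MAC covers its sequence number, the previous entry's MAC, and the record itself, so altering, removing, or reordering an entry breaks every later MAC. The key, records, and field names are constructed for illustration. Two caveats a practitioner should keep in mind: a chain cut at any point is still internally valid, so the latest MAC must be anchored on a separate system (compare AU-9(2)) to detect a deleted tail; and because an HMAC uses a shared key, anyone holding the key can forge entries, so this provides integrity but not the non-repudiation of AU-10, which needs asymmetric signatures.

```python
# Added example (not part of the original page): a keyed hash chain that gives
# audit records the integrity protection AU-9(3) calls for. The records and the
# key are constructed for illustration; in practice the key lives off the
# audited host (compare AU-9(2)) and the latest MAC is anchored elsewhere too.
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64   # previous-MAC value used for the first entry


def _entry_mac(key, prev_mac, seq, record):
    """MAC over the sequence number, the previous MAC and canonical JSON of the record."""
    payload = json.dumps({"seq": seq, "prev": prev_mac, "rec": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(key, log, record):
    """Append `record` to `log` (a list of entries), chaining it to the previous entry."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "rec": record, "mac": _entry_mac(key, prev, seq, record)})
    return log


def verify_log(key, log, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, index of the first bad entry).

    expected_head is the last MAC as recorded on a separate system. Without it a
    deleted tail goes unnoticed, because a chain cut at any point is still valid.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, i
        if not hmac.compare_digest(_entry_mac(key, prev, i, entry["rec"]), entry["mac"]):
            return False, i
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, None


# Constructed key and records (never embed a real key in code like this).
KEY = b"example-audit-log-key-not-for-production"
RECORDS = [
    {"ts": "2024-03-04T14:12:07Z", "user": "alice", "event": "logon_failure"},
    {"ts": "2024-03-04T14:12:10Z", "user": "alice", "event": "role_change", "new_role": "admin"},
    {"ts": "2024-03-04T14:12:11Z", "user": "alice", "event": "logon_success"},
]


def demo():
    """Build a log, then show which kinds of tampering the chain catches."""
    log = []
    for rec in RECORDS:
        append_record(KEY, log, rec)
    head = log[-1]["mac"]   # the value that must be stored off-system

    modified = copy.deepcopy(log)
    modified[1]["rec"]["new_role"] = "user"          # alter one record in place
    deleted = copy.deepcopy(log)
    del deleted[1]                                   # remove a middle record
    reordered = copy.deepcopy(log)
    reordered[1], reordered[2] = reordered[2], reordered[1]
    truncated = copy.deepcopy(log)[:-1]              # drop the newest record

    return {
        "intact": verify_log(KEY, log, head),
        "modified": verify_log(KEY, modified, head),
        "deleted": verify_log(KEY, deleted, head),
        "reordered": verify_log(KEY, reordered, head),
        "truncated_no_anchor": verify_log(KEY, truncated),
        "truncated_with_anchor": verify_log(KEY, truncated, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} -> {result}")
```

The truncation case is the one to remember: verification passes when the verifier has nothing but the log, and fails only when it also has the head MAC from somewhere the attacker could not reach. Periodically exporting the head (or a signature over it) to the separate repository that AU-9(2) requires is what turns the chain into a tamper-evident record rather than merely a tamper-resistant one.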

The Assessment, Authorization, and Monitoring control family (identifier CA; titled Security Assessment and Authorization in Revision 4) is designed to ensure that information systems are thoroughly assessed for security compliance and authorized to operate based on the results of those assessments. The controls within this family guide organizations in conducting comprehensive security assessments, determining the effectiveness of implemented security controls, and obtaining the necessary authorizations before systems are put into operation. This process supports the ongoing monitoring and management of security controls throughout the system's lifecycle.

  • Internal System Connections (CA-9)- Main Control

    This control falls under the Assessment, Authorization, and Monitoring (CA) family and addresses internal system connections, that is, connections between components within the organization's own infrastructure. It requires authorizing internal connections of organization-defined components or classes of components, documenting for each connection the interface characteristics, security and privacy requirements, and the nature of the information communicated, terminating connections after organization-defined conditions, and reviewing the continued need for each connection at an organization-defined frequency.

  • Penetration Testing | Independent Penetration Testing Agent or Team (CA-8(1))

    This subcontrol under Penetration Testing (CA-8) focuses on the requirement to use independent penetration testing agents or teams to perform penetration testing activities. Independent testing agents or teams are individuals or groups not directly involved in the development or operation of the systems being tested.

  • Penetration Testing (CA-8)- Main Control

    This control falls under the Assessment, Authorization, and Monitoring (CA) family and focuses on conducting penetration testing as part of the security assessment process. Penetration testing involves simulating real-world attacks on information systems to identify vulnerabilities and weaknesses that could be exploited by malicious actors.

  • Continuous Monitoring | Risk Monitoring (CA-7(4))

    This subcontrol under Continuous Monitoring (CA-7) emphasizes the importance of ongoing risk monitoring as part of the continuous monitoring program. Risk monitoring involves regularly assessing and reassessing the organization's risk posture, identifying changes in risk factors, and adapting security measures accordingly.

  • Continuous Monitoring (CA-7)- Main Control

    This control falls under the Assessment, Authorization, and Monitoring (CA) family and focuses on the implementation of a continuous monitoring program. Continuous monitoring involves ongoing assessment of information systems, tracking changes, and identifying potential security risks or vulnerabilities as they arise rather than only at periodic reassessments.

  • Continuous Monitoring | Independent Assessment (CA-7(1))

    This subcontrol under Continuous Monitoring (CA-7) focuses on the requirement to conduct independent assessments as part of the continuous monitoring program. Independent assessments involve evaluations performed by individuals or teams not directly responsible for the operation of the information system, providing an objective view of the system's security posture.

  • Authorization (CA-6)- Main Control

    This control falls under the Assessment, Authorization, and Monitoring (CA) family and focuses on the process of authorization. Authorization involves a senior official formally approving an information system to operate based on an assessment of its security controls and compliance with established security requirements.

  • Plan of Action and Milestones (CA-5)- Main Control

    This control falls under the Assessment, Authorization, and Monitoring (CA) family and focuses on the establishment and management of a Plan of Action and Milestones (POA&M). A POA&M is a documented strategy for addressing and resolving weaknesses, vulnerabilities, and deficiencies identified during security assessments and authorizations.

  • Information Exchange (CA-3)- Main Control

    This control falls under the Security Assessment and Authorization (SA&A) family and focuses on establishing processes for the secure exchange of information related to security assessment and authorization activities. It ensures that organizations can effectively share assessment results, authorization decisions, and associated documentation while maintaining confidentiality, integrity, and availability.

  • Information Exchange | Transfer Authorizations (CA-3(6))

    This subcontrol under CA-3 extends the requirement for secure information exchange by focusing on transfer authorizations. It ensures that organizations establish procedures for authorizing and approving the transfer of information between systems or entities to maintain security and accountability.

  • Control Assessments | Independent Assessors (CA-2(1))

    This subcontrol under CA-2 extends the requirement for control assessments by emphasizing the use of independent assessors to evaluate the effectiveness of security controls within information systems. It ensures that organizations involve third-party or internal assessors who are unbiased and free from conflicts of interest.

  • Control Assessments | Specialized Assessments (CA-2(2))

    This subcontrol under CA-2 extends the requirement for control assessments by emphasizing the need for specialized assessments to evaluate specific security controls within information systems. It ensures that organizations conduct focused assessments tailored to the unique requirements of certain controls or technologies.

  • Policy and Procedures (CA-1)- Main Control

    This control falls under the Security Assessment and Authorization (SA&A) family and focuses on the establishment of security assessment and authorization policies and procedures. It ensures that organizations define and document the processes and guidelines for conducting security assessments, authorizing systems, and managing the associated documentation.

  • Control Assessments (CA-2)- Main Control

    This control is part of the Security Assessment and Authorization (SA&A) family and focuses on conducting control assessments to evaluate the effectiveness of security controls within information systems. It ensures that organizations regularly assess the security controls implemented in their systems to determine whether they are operating as intended and providing the desired level of security.