NIST 800-53 PRIVACY

NIST 800-53 Privacy focuses on controls for managing and protecting personal data in information systems. It provides guidelines for safeguarding privacy and ensuring compliance with privacy laws and regulations, addressing data collection, use, and sharing practices.

Controls:

The System and Information Integrity control family is designed to ensure the integrity of information processed within information systems and the integrity of the systems themselves. The controls within this family aim to prevent, detect, and respond to incidents that could compromise the integrity of information or the functionality of information systems. Integrity protections are crucial for maintaining the trustworthiness of data and the overall reliability of systems.

  • Information Management and Retention (SI-12) - Main Control

    The Information Management and Retention control, SI-12, is a fundamental component of the System and Information Integrity (SI) control family. It focuses on establishing policies and procedures for the effective management and retention of information assets throughout their lifecycle to ensure their integrity, availability, and confidentiality.

  • Information Management and Retention | Limit Personally Identifiable Information Elements (SI-12(1))

    The "Limit Personally Identifiable Information Elements" subcontrol, SI-12(1), is an essential component of the System and Information Integrity control family. SI-12(1) focuses on reducing the risk associated with the storage and retention of Personally Identifiable Information (PII) by limiting the elements of PII collected and stored to only those necessary for authorized business purposes.

  • Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research (SI-12(2))

    The "Minimize Personally Identifiable Information (PII) in Testing, Training, and Research" subcontrol, SI-12(2), is a crucial component of the System and Information Integrity control family. SI-12(2) focuses on the responsible and secure handling of PII during testing, training, and research activities to minimize risks associated with the exposure or misuse of sensitive personal information.

  • Information Management and Retention | Information Disposal (SI-12(3))

    The Information Disposal subcontrol, SI-12(3), is a critical component of the System and Information Integrity control family. SI-12(3) focuses on ensuring that organizations properly dispose of sensitive information when it is no longer needed. Effective information disposal helps mitigate the risk of unauthorized access, data breaches, and the exposure of sensitive data.

  • De-identification (SI-19) - Main Control

    The De-identification control SI-19 within the System and Information Integrity (SI) family focuses on the secure and responsible removal of personally identifiable information (PII) and other sensitive data from datasets, records, or information systems. De-identification is crucial for protecting individuals' privacy while still allowing organizations to use data for legitimate purposes.

  • Personally Identifiable Information Quality Operations | Individual Requests (SI-18(4))

    The Personally Identifiable Information (PII) Quality Operations control SI-18(4) within the System and Information Integrity (SI) family focuses on responding to individual requests for accessing, correcting, or deleting their PII data. This subcontrol emphasizes the importance of establishing processes and procedures to handle such requests promptly, accurately, and in compliance with privacy regulations.

  • Personally Identifiable Information Quality Operations (SI-18) - Main Control

    The Personally Identifiable Information (PII) Quality Operations (SI-18) control within the System and Information Integrity (SI) family focuses on ensuring the accuracy and quality of PII data collected, processed, and maintained by an organization. This control aims to protect the integrity and reliability of PII, which is crucial for maintaining trust, complying with privacy regulations, and preventing data breaches or identity theft.

  • Policy and Procedures (SI-1) - Main Control

    The Policy and Procedures (SI-1) control within the System and Information Integrity (SI) family focuses on the establishment and maintenance of policies and procedures to protect and maintain the integrity of an organization's information systems. This control ensures that formalized policies and procedures are in place to address information system integrity, prevent unauthorized changes, and facilitate timely detection and response to integrity violations.

The System and Services Acquisition control family addresses the processes and activities related to the acquisition of information systems, products, and services. The controls within this family are designed to ensure that organizations acquire, develop, and maintain systems that meet security requirements and adhere to established policies and procedures. The goal is to manage risks associated with the acquisition lifecycle, from the initial planning stages through the development, implementation, and ongoing maintenance of systems.

  • Boundary Protection | Personally Identifiable Information (SC-7(24))

    SC-7(24) is a control enhancement of the Boundary Protection control (SC-7) in the System and Communications Protection (SC) family. This subcontrol specifically focuses on protecting Personally Identifiable Information (PII) from unauthorized access and disclosure at network boundaries.

  • Developer Testing and Evaluation (SA-11) - Main Control

    Control SA-11 within the System and Services Acquisition family of NIST 800-53 focuses on the requirement for organizations to conduct systematic testing and evaluation of software, firmware, and other system components during the development process. It ensures that these components are rigorously assessed for functionality, security, and compliance with requirements.

  • External System Services (SA-9) - Main Control

    Control SA-9 within the System and Services Acquisition family of NIST 800-53 addresses the security and privacy concerns associated with external system services. It focuses on managing the risks associated with connecting systems to external services, networks, and providers.

  • Security and Privacy Engineering Principles | Minimization (SA-8(33))

    Control SA-8(33) within the System and Services Acquisition family of NIST 800-53 emphasizes the practice of minimization in security and privacy engineering. It encourages organizations to reduce the attack surface and potential privacy risks by minimizing the scope of system functionality and data collection to the essential requirements.

  • Acquisition Process (SA-4) - Main Control

    The Acquisition Process (SA-4) control is a fundamental component of the NIST 800-53 System and Services Acquisition control family. This control focuses on establishing and implementing a structured and comprehensive acquisition process that ensures the successful procurement, development, deployment, and management of information systems and services within an organization.

  • System Development Life Cycle (SA-3) - Main Control

    The System Development Life Cycle (SA-3) control is a foundational component of the NIST 800-53 System and Services Acquisition control family. This control focuses on establishing and managing a structured and well-documented system development life cycle (SDLC) process for the acquisition, development, and deployment of information systems and services.

  • Allocation of Resources (SA-2) - Main Control

    The Allocation of Resources (SA-2) control is a vital component of the NIST 800-53 System and Services Acquisition control family. This control focuses on ensuring that an organization allocates adequate resources, including budget, personnel, and infrastructure, to support the successful acquisition, development, and maintenance of information systems and services.

  • Policy and Procedures (SA-1) - Main Control

    The Policy and Procedures (SA-1) control is a foundational component of the NIST 800-53 System and Services Acquisition control family. This control focuses on establishing and maintaining comprehensive policies and procedures that govern the acquisition, development, and deployment of information systems and services within an organization. It provides the framework for ensuring that acquisitions align with security, compliance, and operational requirements.

The Risk Assessment control family is designed to ensure that organizations systematically identify, analyze, and manage risks to their information systems and the data they process. The goal is to provide a structured approach to understanding and evaluating the potential impact of risks on organizational operations, assets, individuals, and other critical elements. By conducting risk assessments, organizations can make informed decisions about risk mitigation strategies, prioritize security efforts, and align security measures with organizational goals.

  • Privacy Impact Assessments (RA-8) - Main Control

    The Privacy Impact Assessments (RA-8) control is an essential component of the NIST 800-53 Risk Assessment control family. This control focuses on conducting privacy impact assessments to identify, evaluate, and mitigate privacy risks associated with the processing of personal information within an organization's information systems and operations.

  • Risk Response (RA-7) - Main Control

    The Risk Response (RA-7) control is a pivotal component of the NIST 800-53 Risk Assessment control family. It focuses on defining and implementing an effective strategy for responding to identified risks and vulnerabilities within an organization's information systems and operations. This control ensures that risks are addressed promptly and efficiently to protect critical assets and data.

  • Risk Assessment (RA-3) - Main Control

    The Risk Assessment control (RA-3) is a fundamental component of the Risk Assessment control family within the NIST 800-53 framework. RA-3 focuses on the process of conducting systematic risk assessments for information systems and the data they handle. Risk assessments help organizations identify, analyze, and manage risks effectively to protect their assets, operations, and stakeholders.

  • Policy and Procedures (RA-1) - Main Control

    The Policy and Procedures control (RA-1) is an integral part of the Risk Assessment control family within the NIST 800-53 framework. This control focuses on establishing, documenting, and maintaining comprehensive policies and procedures for conducting risk assessments within an organization. Risk assessments are essential for identifying, evaluating, and managing risks to information systems and data.

The PII Processing and Transparency control family is designed to establish and maintain controls that govern the processing of personally identifiable information (PII) within information systems. The controls aim to ensure that the collection, storage, and processing of PII align with applicable privacy laws, regulations, and organizational policies. Additionally, the controls promote transparency by providing individuals with clear and accessible information about how their PII is collected, used, and shared.

  • Computer Matching Requirements (PT-8) - Main Control

    The Computer Matching Requirements control (PT-8) is part of the PII Processing and Transparency control family within the NIST 800-53 framework. This control addresses the requirements and safeguards necessary when conducting computer matching activities involving Personally Identifiable Information (PII). Computer matching refers to the process of comparing and combining PII from multiple sources to make decisions or take actions.

  • Specific Categories of Personally Identifiable Information | First Amendment Information (PT-7(2))

    The Specific Categories of Personally Identifiable Information | First Amendment Information subcontrol (PT-7(2)) falls under the PII Processing and Transparency control family within the NIST 800-53 framework. This subcontrol addresses the unique handling and protection requirements for Personally Identifiable Information (PII) that pertains to First Amendment rights. First Amendment Information is particularly sensitive and requires special attention to safeguard an individual's freedom of speech and expression.

  • Specific Categories of Personally Identifiable Information | Social Security Numbers (PT-7(1))

    Control PT-7(1), "Specific Categories of Personally Identifiable Information | Social Security Numbers," is a control enhancement of the Specific Categories of Personally Identifiable Information control (PT-7) within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on the protection and responsible handling of Social Security Numbers (SSNs) due to their sensitive nature and potential for identity theft.

  • Specific Categories of Personally Identifiable Information (PT-7) - Main Control

    Control PT-7, "Specific Categories of Personally Identifiable Information," is a fundamental element of the PII Processing and Transparency family in NIST 800-53. This control emphasizes the importance of identifying and addressing specific categories of personally identifiable information (PII) that require special attention due to their sensitivity or regulatory considerations.

  • System of Records Notice | Routine Uses (PT-6(1))

    Control PT-6(1), "System of Records Notice | Routine Uses," is a control enhancement of the System of Records Notice control (PT-6) within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on informing individuals about the routine uses of their personally identifiable information (PII) within systems of records.

  • System of Records Notice | Exemption Rules (PT-6(2))

    Control PT-6(2), "System of Records Notice | Exemption Rules," is a control enhancement of the System of Records Notice control (PT-6) within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on informing individuals about any exemptions that may apply to the system of records under specific privacy regulations.

  • System of Records Notice (PT-6) - Main Control

    Control PT-6, "System of Records Notice," is a fundamental element of the PII Processing and Transparency family in NIST 800-53. This control emphasizes the importance of informing individuals about the existence, purpose, and use of systems of records that contain their personally identifiable information (PII).

  • Privacy Notice | Privacy Act Statements (PT-5(2))

    Control PT-5(2), "Privacy Notice | Privacy Act Statements," is a control enhancement of the Privacy Notice control (PT-5) within the PII Processing and Transparency family in NIST 800-53. This subcontrol focuses on the inclusion of Privacy Act statements in privacy notices, especially for federal agencies subject to the Privacy Act of 1974.

  • Privacy Notice (PT-5) - Main Control

    Control PT-5, "Privacy Notice," is a fundamental element of the PII Processing and Transparency family in NIST 800-53. This control emphasizes the importance of providing individuals with clear and comprehensive privacy notices that explain how their personally identifiable information (PII) will be collected, used, shared, and protected.

  • Consent (PT-4) - Main Control

    Control PT-4, "Consent," is a fundamental element of the PII Processing and Transparency family in NIST 800-53. This control emphasizes the importance of obtaining informed and explicit consent from individuals before processing their personally identifiable information (PII).

  • Personally Identifiable Information Processing Purposes (PT-3) - Main Control

    Control PT-3, "Personally Identifiable Information Processing Purposes," is a foundational element of the PII Processing and Transparency family in NIST 800-53. This control emphasizes the need for organizations to clearly define and communicate the purposes for which personally identifiable information (PII) is processed to ensure transparency and align with privacy regulations.

  • Authority to Process Personally Identifiable Information (PT-2) - Main Control

    Control PT-2, "Authority to Process Personally Identifiable Information," is a critical component of the PII Processing and Transparency family in NIST 800-53. This control focuses on ensuring that organizations have the necessary legal and regulatory authority to process personally identifiable information (PII) in accordance with applicable laws and regulations.

  • Policy and Procedures (PT-1) - Main Control

    Control PT-1, "Policy and Procedures," is a foundational element of the PII Processing and Transparency family in NIST 800-53. This control emphasizes the need for organizations to establish clear policies and procedures governing the processing of personally identifiable information (PII) to ensure transparency, privacy, and compliance with relevant laws and regulations.

The Strategic Planning control family focuses on establishing and implementing processes for strategic planning to guide the overall direction of an organization's information security program. This includes defining the organization's risk tolerance, setting security objectives, and aligning security strategies with broader business goals. The goal is to ensure that information security is integrated into the organization's overarching strategic planning and decision-making processes.

  • Access Agreements (PS-6) - Main Control

    Control PS-6, "Access Agreements," is a crucial aspect of the Personnel Security family in NIST 800-53. This control emphasizes the importance of formalizing access agreements with personnel who have been granted access to sensitive resources, ensuring that they understand their security responsibilities and obligations.

  • Continuous Monitoring Strategy (PM-31) - Main Control

    Control PM-31, "Continuous Monitoring Strategy," under the Program Management family in NIST 800-53, focuses on the establishment of a comprehensive strategy for continuous monitoring within an organization. Continuous monitoring involves the ongoing assessment of security controls, vulnerabilities, and threats to ensure the consistent security and resilience of an organization's information systems and assets.

  • Risk Framing (PM-28) - Main Control

    Control PM-28 focuses on establishing a structured approach to framing risks within the context of the organization's privacy program. It involves identifying, assessing, and communicating risks related to privacy to enable effective risk management decisions.

  • Privacy Reporting (PM-27) - Main Control

    Control PM-27 focuses on establishing mechanisms to report on the privacy program's effectiveness and compliance with privacy requirements. It involves generating and disseminating reports that provide insight into privacy-related activities, risks, and outcomes to relevant stakeholders.

  • Complaint Management (PM-26) - Main Control

    Control PM-26 focuses on establishing a structured process for handling complaints related to privacy and security concerns from individuals, customers, or stakeholders. It ensures that complaints are promptly addressed and investigated, and that appropriate actions are taken to resolve the issues.

  • Minimization of Personally Identifiable Information Used in Testing, Training, and Research (PM-25) - Main Control

    Control PM-25 focuses on reducing the use of personally identifiable information (PII) in testing, training, and research activities to protect individual privacy and prevent potential misuse of sensitive information.

  • Data Integrity Board (PM-24) - Main Control

    Control PM-24 emphasizes the establishment of a Data Integrity Board responsible for ensuring the accuracy, completeness, and reliability of organizational data. The board oversees data quality and integrity processes to prevent unauthorized or unintentional modifications to data.

  • Personally Identifiable Information Quality Management (PM-22) - Main Control

    Control PM-22 focuses on maintaining the accuracy, integrity, and reliability of personally identifiable information (PII) collected, used, and stored by an organization. It emphasizes the importance of implementing processes to ensure that PII remains of high quality.

  • Accounting of Disclosures (PM-21) - Main Control

    Control PM-21 emphasizes the need for organizations to maintain an accurate record of disclosures of personally identifiable information (PII) to external entities. The accounting of disclosures helps ensure transparency, accountability, and compliance with privacy regulations.

  • Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services (PM-20(1))

    Subcontrol PM-20(1) focuses on ensuring that privacy policies, which outline how personal information is collected, used, and protected, are prominently displayed and easily accessible on websites, applications, and digital services. This ensures transparency and informs individuals about data handling practices.

  • Privacy Program Leadership Role (PM-19) - Main Control

    Control PM-19 highlights the importance of designating specific individuals with the responsibility and authority to lead and oversee the organization's privacy program. This leadership role ensures that privacy considerations are integrated into the organization's overall information security strategy.

  • Dissemination of Privacy Program Information (PM-20) - Main Control

    Control PM-20 emphasizes the importance of effectively communicating the organization's privacy program information to both internal stakeholders and external parties. This dissemination ensures that individuals are aware of privacy policies, practices, and their rights related to personal information.

  • Privacy Program Plan (PM-18) - Main Control

    Control PM-18 emphasizes the importance of developing a comprehensive privacy program plan that outlines an organization's approach to managing and protecting individuals' privacy information. This plan ensures that privacy considerations are integrated into an organization's information security framework.

  • Protecting Controlled Unclassified Information on External Systems (PM-17) - Main Control

    Control PM-17 addresses the need to protect controlled unclassified information (CUI) when it resides on external systems, such as cloud services or contractor-operated platforms. It focuses on ensuring the security and privacy of sensitive information even when it is processed or stored outside of the organization's boundaries.

  • Testing, Training, and Monitoring (PM-14) - Main Control

    Control PM-14 focuses on ensuring the effectiveness of security and privacy controls through regular testing, training, and ongoing monitoring activities. This control emphasizes the importance of validating the organization's security measures, training personnel, and continuously monitoring for potential risks and vulnerabilities.

  • Security and Privacy Workforce (PM-13) - Main Control

    Control PM-13 focuses on building and maintaining a skilled and knowledgeable security and privacy workforce. This involves recruiting, training, and retaining personnel with the expertise needed to effectively manage security and privacy controls within the organization.

  • Mission and Business Process Definition (PM-11) - Main Control

    Control PM-11 focuses on defining and documenting the organization's mission and business processes. This involves understanding the organization's goals, objectives, and the processes that support its mission, ensuring that security and privacy considerations are integrated into these processes.

  • Authorization Process (PM-10) - Main Control

    Control PM-10 focuses on establishing an authorization process to formally assess and approve the organization's information systems for operation. This process ensures that systems have met the necessary security and privacy requirements before being used.

  • Risk Management Strategy (PM-9) - Main Control

    Control PM-9 focuses on developing and implementing a risk management strategy that outlines the organization's approach to identifying, assessing, and mitigating risks to its information systems and assets. This strategy guides risk management activities across the organization.

  • Critical Infrastructure Plan (PM-8) - Main Control

    Control PM-8 focuses on establishing a critical infrastructure plan that identifies and prioritizes the organization's critical assets, systems, and functions. This plan helps ensure that essential operations are safeguarded and maintained during disruptions.

  • Measures of Performance (PM-6) - Main Control

    Control PM-6 focuses on establishing and utilizing measures of performance (MOPs) to assess the effectiveness of the organization's information security and privacy program. MOPs help in evaluating the program's performance, identifying areas for improvement, and demonstrating progress.

  • Enterprise Architecture (PM-7) - Main Control

    Control PM-7 focuses on integrating information security and privacy requirements into the organization's enterprise architecture. Enterprise architecture helps ensure that security and privacy considerations are embedded into the design and implementation of systems and solutions.

  • System Inventory | Inventory of Personally Identifiable Information (PM-5(1))

    Subcontrol PM-5(1) focuses specifically on creating and maintaining an accurate inventory of systems that process, store, or transmit personally identifiable information (PII). This inventory helps in managing the privacy and security of sensitive information.

  • Information Security and Privacy Resources (PM-3) - Main Control

    Control PM-3 focuses on ensuring that an organization allocates appropriate resources, including personnel, funding, and technology, to support the implementation of its information security and privacy program.

  • Plan of Action and Milestones Process (PM-4) - Main Control

    Control PM-4 emphasizes the importance of maintaining a robust Plan of Action and Milestones (POA&M) process. A POA&M outlines the organization's strategies for addressing and remediating identified weaknesses and vulnerabilities in its security and privacy controls.

  • Central Management (PL-9) - Main Control

    Control PL-9 focuses on the establishment of centralized management capabilities for security and privacy controls within an organization. Centralized management involves the coordinated administration, monitoring, and enforcement of security and privacy policies across information systems.

  • Security and Privacy Architectures (PL-8) - Main Control

    Control PL-8 emphasizes the establishment of well-defined security and privacy architectures for information systems. These architectures provide a structured framework for integrating security and privacy controls into the design, development, and implementation of systems.

  • Rules of Behavior (PL-4) - Main Control

    Control PL-4 focuses on establishing and disseminating rules of behavior that define acceptable and expected behavior for individuals accessing and using organizational information systems. These rules help promote proper security practices and reduce the risk of unauthorized actions.

  • Rules of Behavior | Social Media and External Site/Application Usage Restrictions (PL-4(1))

    Subcontrol PL-4(1) focuses specifically on establishing rules of behavior that address the usage of social media platforms and external websites/applications by individuals who have access to organizational information systems. These rules aim to mitigate risks associated with inappropriate use of external online resources.

  • System Security and Privacy Plans (PL-2) - Main Control

    Control PL-2 focuses on creating and maintaining comprehensive system security and privacy plans that outline the organization's approach to protecting information systems and the privacy of individuals. This control ensures that security and privacy considerations are integrated from the planning stages.

  • Policy and Procedures (PL-1) - Main Control

    Control PL-1 focuses on establishing and maintaining policies and procedures that guide the planning, implementation, and management of security controls within an organization. This control ensures a structured approach to achieving security objectives.

The Incident Response control family is designed to help organizations develop, implement, and maintain an organized and effective approach to managing and mitigating information security incidents. An incident response capability enables organizations to detect, respond to, and recover from incidents in a manner that minimizes damage, reduces recovery time, and mitigates the potential impact on information systems and data.

  • Incident Response Plan | Breaches (IR-8(1))

    The Incident Response Plan | Breaches (IR-8(1)) control is a specific requirement within the Incident Response family of controls in NIST Special Publication 800-53. It focuses on the development and inclusion of breach-specific procedures and strategies within the organization's overall incident response plan.

  • Incident Response Plan (IR-8) - Main Control

    The Incident Response Plan (IR-8) control is a foundational component of the Incident Response family in NIST Special Publication 800-53. It emphasizes the development, documentation, and maintenance of a comprehensive incident response plan that outlines the organization's strategies, procedures, and guidelines for addressing and mitigating various types of security incidents.

  • Incident Response Assistance (IR-7) - Main Control

    The Incident Response Assistance (IR-7) control is part of the Incident Response family of controls in NIST Special Publication 800-53. It focuses on establishing mechanisms to provide and receive assistance during incident response activities from external sources and organizations.

  • Incident Reporting (IR-6) - Main Control

    The Incident Reporting (IR-6) control is part of the Incident Response family of controls in NIST Special Publication 800-53. This control emphasizes the importance of establishing a formalized process for reporting and documenting security incidents within an organization.

  • Impact Analyses (CM-4) - Main Control

    This control under Configuration Management (CM) focuses on performing impact analyses to assess the potential effects of proposed changes on systems and environments before they are implemented. Impact analyses help organizations make informed decisions and manage risks associated with configuration changes.

  • Incident Monitoring (IR-5) - Main Control

    The Incident Monitoring (IR-5) control is a main control within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control emphasizes the importance of monitoring for potential security incidents and unauthorized activities in order to detect and respond to them in a timely manner.

  • Incident Handling (IR-4) - Main Control

    The Incident Handling (IR-4) control is a central component of the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing and maintaining a robust incident handling capability to effectively detect, respond to, and mitigate security incidents within an organization.

  • Incident Response Testing (IR-3) - Main Control

    The Incident Response Testing (IR-3) control is a fundamental requirement within the Incident Response family of controls as outlined in NIST Special Publication 800-53. This control focuses on establishing and implementing a comprehensive incident response testing program that allows organizations to assess the effectiveness of their incident response procedures, plans, and capabilities through regular testing and exercises.

  • Incident Response Training | Breach (IR-2(3))

    The Incident Response Training | Breach (IR-2(3)) control is an enhancement to IR-2 within the Incident Response family of controls outlined in NIST Special Publication 800-53. It requires incident response training on how to identify and respond to a breach, including the organization's process for reporting a breach. Because a breach in this context involves personally identifiable information, the training is meant to ensure that responders recognize incidents affecting PII and follow the organization's breach response and reporting procedures, not only the technical containment steps.

  • Incident Response Training (IR-2)- Main Control

    The Incident Response Training (IR-2) control is a main control within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on providing training to personnel involved in incident response activities. The control aims to ensure that individuals are equipped with the necessary knowledge and skills to effectively respond to cybersecurity incidents and mitigate their impact.

  • Policy and Procedures (IR-1)- Main Control

    The Incident Response Policy and Procedures (IR-1) control is a main control within the Incident Response family of controls outlined in NIST Special Publication 800-53. This control focuses on establishing and implementing an organization-wide incident response policy and associated procedures. The control aims to ensure that the organization has a clear framework for detecting, responding to, and mitigating cybersecurity incidents effectively and efficiently.

The Media Protection control family is designed to safeguard information system media, which includes physical and electronic storage devices, from unauthorized access, disclosure, alteration, destruction, and theft. Media protection measures are critical for preserving the confidentiality and integrity of information stored on various forms of media throughout their lifecycle. By implementing effective media protection controls, organizations can ensure that sensitive information remains secure, whether stored on physical media (e.g., hard drives, tapes) or electronic media (e.g., USB drives, optical discs).

  • Media Sanitization (MP-6)- Main Control

    Control MP-6 addresses the proper sanitization of media to ensure that sensitive information is removed from media prior to disposal, reuse, or release for reuse. This control aims to prevent unauthorized disclosure of information that may still reside on media even after its primary use.

  • Visitor Access Records | Limit Personally Identifiable Information Elements (PE-8(3))

    Subcontrol PE-8(3), an enhancement to Visitor Access Records in the Physical and Environmental Protection (PE) family, focuses on limiting the personally identifiable information (PII) elements captured in visitor access records to those needed to identify the visitor and account for their presence. Recording fewer elements reduces the privacy exposure if the visitor log itself is lost or disclosed.

  • Policy and Procedures (MP-1)- Main Control

    The MP-1 control within NIST Special Publication 800-53 focuses on the establishment and implementation of policies and procedures to ensure the proper protection of media containing sensitive information. This control aims to prevent unauthorized access, disclosure, and loss of information stored on various types of media, including physical and digital media.

The Configuration Management control family is designed to establish and maintain a systematic approach to managing the configuration of information systems. Configuration management involves identifying and documenting system components, controlling changes to those components, and ensuring the integrity and security of the system throughout its lifecycle. By implementing robust configuration management controls, organizations can reduce the risk of unauthorized or unintended changes that could impact the confidentiality, integrity, and availability of their information systems.

  • Policy and Procedures (CM-1)- Main Control

    This control falls under the Configuration Management (CM) family and emphasizes the need for establishing and implementing configuration management policies and procedures. Configuration management involves managing and controlling the changes made to an organization's information systems and components.

The Security Assessment and Authorization control family is designed to ensure that information systems are thoroughly assessed for security compliance and authorized to operate based on the results of those assessments. The controls within this family guide organizations in conducting comprehensive security assessments, determining the effectiveness of implemented security controls, and obtaining the necessary authorizations before systems are put into operation. This process supports the ongoing monitoring and management of security controls throughout the system's lifecycle.

  • Policy and Procedures (CA-1) - Main Control

    This control falls under the Security Assessment and Authorization (CA) family and focuses on the establishment of security assessment and authorization policies and procedures. It ensures that organizations define and document the processes and guidelines for conducting security assessments, authorizing systems, and managing the associated documentation.

The Awareness and Training control family emphasizes the importance of fostering a security-conscious culture within an organization by promoting awareness and delivering effective training programs. The goal is to ensure that individuals, including employees, contractors, and other users, are equipped with the knowledge and skills necessary to understand and fulfill their roles and responsibilities in safeguarding information systems and sensitive information.

  • Training Records (AT-4)- Main Control

    The Training Records (AT-4) control under Awareness and Training (AT) focuses on maintaining accurate and up-to-date records of training activities and outcomes for individuals within the organization, and on retaining those records for an organization-defined period. These records help demonstrate compliance with training requirements, track progress, and ensure that personnel have received the necessary education and awareness to perform their roles securely and effectively.

  • Role-based Training (AT-3)- Main Control

    The Role-based Training (AT-3) control under Awareness and Training (AT) focuses on providing training tailored to specific job roles within the organization, before individuals are granted access or assigned duties and periodically thereafter. This ensures that individuals receive training that is relevant to their responsibilities and helps them better understand their role in maintaining information security.

  • Role-based Training | Processing Personally Identifiable Information (AT-3(5))

    The Role-based Training | Processing Personally Identifiable Information (AT-3(5)) subcontrol under Awareness and Training (AT) focuses on providing role-based training to individuals who handle or process personally identifiable information (PII). This training is designed to ensure that individuals understand the proper procedures for handling and protecting PII in accordance with organizational policies and privacy regulations.

  • Literacy Training and Awareness (AT-2)- Main Control

    The Literacy Training and Awareness (AT-2) control requires organizations to provide security and privacy literacy training to all system users: as part of initial training for new users, when changes to the system require it, and at an organization-defined frequency thereafter. The aim is a baseline understanding, for every user and not only technical staff, of the threats they will encounter (social engineering, for example) and of the policies and practices they are expected to follow.

  • Policy and Procedures (AT-1)- Main Control

    The Awareness and Training Policy and Procedures (AT-1) control requires the establishment of policies and procedures to ensure that personnel receive appropriate awareness and training on security policies, procedures, and practices.

The Audit and Accountability control family is designed to facilitate the creation, collection, and analysis of audit records to support the detection, response to, and investigation of security incidents. By implementing robust auditing mechanisms, organizations can establish a comprehensive and accurate record of activities within their information systems, aiding in the identification of unauthorized access, policy violations, and potential security threats.

  • Continuous Monitoring | Risk Monitoring (CA-7(4))

    This subcontrol under Continuous Monitoring (CA-7) emphasizes the importance of ongoing risk monitoring as part of the continuous monitoring program. Risk monitoring involves regularly assessing and reassessing the organization's risk posture, identifying changes in risk factors, and adapting security measures accordingly.

  • Authorization (CA-6)- Main Control

    This control falls under the Security Assessment and Authorization (CA) family and focuses on the process of authorization. Authorization involves a senior official formally approving an information system to operate, based on an assessment of its security controls and compliance with established security requirements, and accepting the residual risk of doing so.

  • Continuous Monitoring (CA-7)- Main Control

    This control falls under the Security Assessment and Authorization (CA) family and focuses on the implementation of a continuous monitoring program. Continuous monitoring involves ongoing assessment of information systems, tracking changes, and identifying potential security risks or vulnerabilities at an organization-defined frequency, so that the authorization decision remains valid between formal reassessments.

  • Plan of Action and Milestones (CA-5)- Main Control

    This control falls under the Security Assessment and Authorization (CA) family and focuses on the establishment and management of a Plan of Action and Milestones (POA&M). A POA&M is a documented strategy for addressing and resolving weaknesses, vulnerabilities, and deficiencies identified during security assessments and authorizations, with owners and target dates for each item.

  • Control Assessments (CA-2)- Main Control

    This control is part of the Security Assessment and Authorization (CA) family and focuses on conducting control assessments to evaluate the effectiveness of security controls within information systems. It ensures that organizations regularly assess the security controls implemented in their systems to determine whether they are implemented correctly, operating as intended, and producing the desired outcome with respect to security requirements.

  • Audit Record Retention (AU-11)- Main Control

    This control addresses the retention of audit records, ensuring that these records are maintained for a specified period to facilitate incident response, accountability, and compliance monitoring. Audit records contain valuable information about system activities, user actions, and security events, which are crucial for detecting and investigating security incidents, analyzing trends, and ensuring the accountability of system users and administrators.

  • Content of Audit Records | Limit Personally Identifiable Information Elements (AU-3(3))

    This control, specified under the Audit and Accountability family, focuses on limiting the inclusion of personally identifiable information (PII) elements within audit records. The objective is to minimize the exposure of sensitive PII in audit logs while ensuring that relevant audit information is captured and retained for security monitoring and incident response purposes.
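    One way to apply AU-3(3) at the point where audit records are produced, as an added example written for this page and not code from NIST or any product: records pass through an allow-list, the actor identifier is replaced by a keyed pseudonym so events still correlate, and the source address is truncated. The field names, the allow-list and the pseudonymization key are assumptions for the illustration; the sample events are constructed.

```python
import hashlib
import hmac
import json

# Added example for AU-3(3): keep only the PII elements an audit record needs.
# AUDIT_FIELDS, PSEUDONYMIZED_FIELDS and PSEUDONYM_KEY are assumed values for
# this illustration, not values taken from NIST SP 800-53.

# Organization-defined allow-list. Anything not listed is dropped before the
# record is written, so a new PII field added upstream never reaches the log
# by default.
AUDIT_FIELDS = {"ts", "event", "outcome", "actor", "src_ip", "resource"}

# Identifiers needed for correlation that should not appear in clear.
PSEUDONYMIZED_FIELDS = {"actor"}

# Assumed to be held by the logging pipeline outside the log store, so
# re-identification needs the key and not just the log.
PSEUDONYM_KEY = b"example-key-replace-with-a-managed-secret"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable keyed pseudonym: the same user maps to the same token across
    events, but the token cannot be reversed or rebuilt from a user list
    without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseud:" + digest[:16]


def truncate_ip(ip: str) -> str:
    """Keep the IPv4 /24 so network-level correlation still works while the
    host part is removed; anything that is not a dotted quad is redacted."""
    parts = ip.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return ".".join(parts[:3]) + ".0"
    return "redacted"


def minimize_audit_record(raw: dict) -> dict:
    """Return the record that is allowed to reach the audit log.

    Fields outside AUDIT_FIELDS (ssn, email, full_name, dob, ...) are dropped,
    the actor is pseudonymized and the source address truncated. The number of
    dropped fields is kept so reviewers can see minimization happened without
    seeing what was removed.
    """
    rec = {k: v for k, v in raw.items() if k in AUDIT_FIELDS}
    for field in PSEUDONYMIZED_FIELDS:
        if field in rec:
            rec[field] = pseudonymize(str(rec[field]))
    if "src_ip" in rec:
        rec["src_ip"] = truncate_ip(str(rec["src_ip"]))
    rec["dropped_fields"] = sum(1 for k in raw if k not in AUDIT_FIELDS)
    return rec


def write_audit_lines(events: list) -> list:
    """Serialize minimized records as JSON lines, one per event."""
    return [json.dumps(minimize_audit_record(e), sort_keys=True) for e in events]


# Constructed sample events, as an application might hand them to its logger
# before minimization. None of the identities are real.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "event": "login", "outcome": "success",
     "actor": "u-1001", "src_ip": "203.0.113.45", "full_name": "A. Example",
     "email": "a.example@example.invalid", "ssn": "000-00-0000"},
    {"ts": "2024-05-01T10:02:13Z", "event": "record.read", "outcome": "success",
     "actor": "u-1001", "src_ip": "203.0.113.45", "resource": "pii/rec-17",
     "dob": "1990-01-01"},
]

if __name__ == "__main__":
    for line in write_audit_lines(SAMPLE_EVENTS):
        print(line)
```

    The allow-list is the important design choice: a deny-list of known PII fields fails open when a new field appears, whereas an allow-list fails closed. The pseudonym preserves what AU-3 needs for accountability (the same actor across events) while keeping the clear identifier out of the log store and its retention copies.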

  • Event Logging (AU-2)- Main Control

    The Audit and Accountability (AU) control family focuses on establishing policies and procedures for conducting audits, tracking and monitoring events, and ensuring accountability within an organization's information systems. AU-2 specifically requires the organization to identify the event types the system is capable of logging, to select and coordinate which of those events are actually logged and how often, and to review and update that selection periodically, so that the audit records produced provide an accurate record of system activity.

  • Policy and Procedures (AU-1)- Main Control

    AU-1 specifically addresses the need to develop, document, and disseminate the policies and procedures that guide the overall audit and accountability program, and to review and update them at an organization-defined frequency.

Access control safeguards are implemented to ensure that only authorized individuals and systems have access to the information system and its resources. The primary goal is to prevent unauthorized access and limit access to only those with the necessary permissions based on their roles and responsibilities within the organization. Effective access control mechanisms contribute to the confidentiality, integrity, and availability of the information system and its data.

  • Policy and Procedures (AC-1)- Main Control

    The Access Control Policy and Procedures control (AC-1) focuses on the establishment and documentation of a comprehensive set of policies and procedures that govern the management of access to information systems and resources. This control ensures that access to sensitive data, applications, and systems is appropriately authorized, managed, and audited, thereby reducing the risk of unauthorized access and potential security breaches.

  • Access Enforcement | Individual Access (AC-3(14))

    The Individual Access enhancement (AC-3(14)) requires organizations to provide mechanisms that enable individuals to access the organization-defined elements of their own personally identifiable information. The access enforcement point must bind the request to the authenticated individual, so that a person can retrieve their own records but not those of anyone else, and must expose only the elements the organization has designated for individual access.
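    An enforcement point for AC-3(14) in code, as an added example for this page and not code from NIST or any product: the identity used for the ownership check comes from the authenticated principal, only organization-defined elements are returned, and a record that is missing and a record that belongs to someone else produce the same error. A deliberately broken variant that takes the subject from the request is included for contrast. The record store, field names and the set of individual-access elements are assumptions; the data is constructed.

```python
from dataclasses import dataclass

# Added example for AC-3(14): individuals retrieve only their own PII, limited
# to organization-defined elements. PII_RECORDS, INDIVIDUAL_ACCESS_ELEMENTS and
# the field names are assumed values for this illustration.


class AccessDenied(Exception):
    """Raised for both 'not your record' and 'no such record', so a caller
    cannot use the difference to enumerate which record ids exist."""


@dataclass(frozen=True)
class Principal:
    """Identity established by authentication (session or token), never taken
    from request parameters."""
    subject_id: str


# Constructed sample PII store keyed by record id; data_subject names the
# individual the record is about. No real people or addresses.
PII_RECORDS = {
    "rec-1": {"data_subject": "alice", "email": "alice@example.invalid",
              "dob": "1990-01-01", "mailing_address": "1 Example St",
              "fraud_score": 0.12, "case_notes": "internal use"},
    "rec-2": {"data_subject": "bob", "email": "bob@example.invalid",
              "dob": "1985-06-30", "mailing_address": "2 Example St",
              "fraud_score": 0.71, "case_notes": "internal use"},
}

# Elements an individual is entitled to see of their own PII (assumed
# organization-defined set). Internal fields such as fraud_score stay hidden.
INDIVIDUAL_ACCESS_ELEMENTS = frozenset({"email", "dob", "mailing_address"})


def individual_access(principal: Principal, record_id: str) -> dict:
    """Return the permitted elements of the record if, and only if, the record
    is about the authenticated principal."""
    rec = PII_RECORDS.get(record_id)
    if rec is None or rec["data_subject"] != principal.subject_id:
        raise AccessDenied("record not accessible")
    return {k: v for k, v in rec.items() if k in INDIVIDUAL_ACCESS_ELEMENTS}


def can_access(principal: Principal, record_id: str) -> bool:
    """Boolean wrapper around individual_access for policy checks and tests."""
    try:
        individual_access(principal, record_id)
        return True
    except AccessDenied:
        return False


def records_for(principal: Principal) -> list:
    """Lookup path for 'show me my data': select by the principal's own
    identity instead of trusting a client-supplied record id."""
    return sorted(rid for rid, rec in PII_RECORDS.items()
                  if rec["data_subject"] == principal.subject_id)


def individual_access_broken(requested_subject: str, record_id: str) -> dict:
    """Anti-pattern, kept for contrast: 'who is asking' is read from the
    request, so any caller can name any subject and read their record."""
    rec = PII_RECORDS.get(record_id)
    if rec is None or rec["data_subject"] != requested_subject:
        raise AccessDenied("record not accessible")
    return {k: v for k, v in rec.items() if k in INDIVIDUAL_ACCESS_ELEMENTS}


if __name__ == "__main__":
    alice = Principal("alice")
    print(records_for(alice), individual_access(alice, "rec-1"))
    print("alice -> rec-2 accessible:", can_access(alice, "rec-2"))
```

    The check that matters is the comparison against `principal.subject_id`, which the application derives from the authenticated session; the broken variant compares against a value the caller controls, which is the usual shape of an insecure direct object reference. The audit event for each access (who, which record, which elements) is where AC-3(14) meets the AU controls above.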