SPRS VQ

Supplier Performance Risk System (SPRS)
SPRS is a procurement risk analysis tool for the areas of Price, Item, and Supplier risk. The Price Risk tool compares industry prices to the average price paid by the government. The Item Risk tool flags items identified as high risk (based on critical safety/application or risk of counterfeiting). The Supplier Risk tool scores vendors on DoD-wide contract performance.

Controls:

Access Control (AC) ensures only authorized users can access systems, limiting their functions based on permissions for security.

  • Privacy Notice [AC 08]

  • Session Lock [AC 09]

  • Auto Session Termination [AC 10]

  • Remote Access Monitoring [AC 11]

  • Cryptography for Remote Access [AC 12]

  • Managed Access Points [AC 13]

  • Privileged Remote Execution [AC 14]

  • Wireless Access Authorization [AC 15]

  • Wireless Access Security [AC 16]

  • Mobile Device Control [AC 17]

  • Mobile CUI Encryption [AC 18]

  • External System Access [AC 19]

  • Portable Storage Control [AC 20]

  • Publicly Accessible CUI Control [AC 21]

  • MFA for Remote Maintenance [AC 22]

  • Maintenance Supervision [AC 23]

  • Access Screening [AC 24]

  • Personnel Actions Protection [AC 25]

  • Unauthorized Use Detection [AC 26]

  • Access Restriction [AC 01]

  • Function Restriction [AC 02]

  • CUI Flow Control [AC 03]

  • Duty Separation [AC 04]

  • Least Privilege [AC 05]

  • Non-Privileged Access [AC 06]

  • Privileged Function Restriction [AC 07]

Audit and Accountability (AU) ensures system activity is logged and reviewed, enabling tracking, analysis, and accountability for actions.

  • Event Log Review [AU 03]

  • Audit Failure Alerting [AU 04]

  • Audit Correlation [AU 05]

  • Audit Record Reporting [AU 06]

  • Time Stamp Synchronization [AU 07]

  • Audit Protection [AU 08]

  • Audit Access Restriction [AU 09]

  • Audit Log Retention [AU 01]

  • User Action Traceability [AU 02]

Awareness and Training (AT) ensures personnel are educated on security risks, policies, and procedures, fostering informed decision-making.

  • Security Awareness [AT 01]

  • Assigned Security Training [AT 02]

  • Insider Threat Training [AT 03]

Configuration Management (CM) involves establishing, maintaining, and controlling system configurations, ensuring security and consistency throughout the system lifecycle.

  • System Baseline Management [CM 01]

  • Security Configuration Settings [CM 02]

  • System Change Management [CM 03]

  • Change Impact Analysis [CM 04]

  • Access Restrictions for Changes [CM 05]

  • Least Functionality Configuration [CM 06]

  • Disable Nonessential Functions [CM 07]

  • Software Policy Enforcement [CM 08]

  • User-Installed Software Control [CM 09]

Continuous Monitoring (CM) involves ongoing assessment of security controls and system status to detect vulnerabilities and ensure operational integrity.

  • Continuous Monitoring [CM 10]

Identification and Authentication (IA) ensures proper identification and verification of users, processes, or devices before granting system access.

  • Multifactor Authentication [IA 04]

  • Replay-Resistant Authentication [IA 05]

  • Identifier Reuse Prevention [IA 06]

  • Inactive Identifier Disablement [IA 07]

  • Password Complexity Requirement [IA 08]

  • Password Reuse Prohibition [IA 09]

  • Temporary Password Use [IA 10]

  • Password Cryptography [IA 11]

  • Authentication Information Obscurity [IA 12]

  • Unsuccessful Logon Limit [IA 01]

  • System User Identification [IA 02]

  • Authentication Requirement [IA 03]

Incident Response (IR) defines procedures for detecting, analyzing, responding to, and recovering from cybersecurity incidents to minimize impact.

  • Incident Handling Capability [IR 01]

  • Incident Documentation and Reporting [IR 02]

  • Incident Response Testing [IR 03]

Media Protection (MP) ensures the confidentiality, integrity, and availability of media containing sensitive information through proper handling, storage, and disposal.

  • Backup CUI Protection [MP 10]

  • CUI at Rest Protection [MP 11]

  • Off-Site Equipment Sanitization [MP 01]

  • Media Protection of CUI [MP 02]

  • Limit Access to Media [MP 03]

  • Media Sanitization or Destruction [MP 04]

  • Media Marking [MP 05]

  • Media Access Control [MP 06]

  • Cryptographic Protection of Media [MP 07]

  • Removable Media Control [MP 08]

  • Ownerless Portable Device Prohibition [MP 09]

Physical and Environmental Security (PE) safeguards organizational systems and facilities from physical threats, unauthorized access, and environmental hazards.

  • Physical Access Limitation [PE 01]

  • Facility and Infrastructure Protection [PE 02]

  • Visitor Escort and Monitoring [PE 03]

  • Physical Access Logging [PE 04]

  • Physical Access Control Management [PE 05]

  • CUI Safeguarding at Alternate Sites [PE 06]

Risk Assessment (RA) identifies and evaluates risks to organizational operations, assets, and individuals to guide security measures and decisions.

  • Risk Assessment for Operations [RA 01]

  • Security Control Assessment [CA 01]

  • Plan of Action for Vulnerabilities [CA 02]

  • System Security Plan Documentation [CA 03]

Security Operations (OP) focuses on monitoring, detecting, and responding to security incidents and managing overall security operations.

  • Security Alert Monitoring [OP 01]

System and Communications Protection (SC) ensures the confidentiality, integrity, and availability of systems and their communications, managing security boundaries.

  • Subnetworks for Public Systems [SC 10]

  • Default Network Denial [SC 11]

  • Prevent Split Tunneling [SC 12]

  • Cryptographic Transmission Protection [SC 13]

  • Terminate Communications After Inactivity [SC 14]

  • Cryptographic Key Management [SC 15]

  • FIPS-Validated Cryptography [SC 16]

  • Remote Collaborative Device Activation Control [SC 17]

  • Mobile Code Control [SC 18]

  • VoIP Technology Control [SC 19]

  • Communication Session Authenticity [SC 20]

  • System Flaw Reporting and Correction [SC 21]

  • Malicious Code Protection [SC 22]

  • Malicious Code Update [SC 23]

  • Real-Time System Scanning [SC 24]

  • Inbound/Outbound Traffic Monitoring [SC 25]

  • System Maintenance [SC 01]

  • Maintenance Control [SC 02]

  • Diagnostic Media Malicious Code Scan [SC 03]

  • Vulnerability Scanning [SC 04]

  • Vulnerability Remediation [SC 05]

  • Communications Monitoring and Protection [SC 06]

  • System Security Design [SC 07]

  • User/System Function Separation [SC 08]

  • Prevent Unauthorized Data Transfer [SC 09]