REF: NIST SP 800-53r5, Tables C-1 through C-20
Control Number | Control Name | Implemented By | Assurance |
AC-2(2) | AUTOMATED TEMPORARY AND EMERGENCY ACCOUNT MANAGEMENT | S | |
AC-2(3) | DISABLE ACCOUNTS | S | |
AC-2(4) | AUTOMATED AUDIT ACTIONS | S | |
AC-2(5) | INACTIVITY LOGOUT | O/S | |
AC-2(6) | DYNAMIC PRIVILEGE MANAGEMENT | S | |
AC-2(8) | DYNAMIC ACCOUNT MANAGEMENT | S | |
AC-2(11) | USAGE CONDITIONS | S | |
AC-2(12) | ACCOUNT MONITORING FOR ATYPICAL USAGE | O/S | |
AC-3 | Access Enforcement | S | |
AC-3(2) | DUAL AUTHORIZATION | S | |
AC-3(3) | MANDATORY ACCESS CONTROL | S | |
AC-3(4) | DISCRETIONARY ACCESS CONTROL | S | |
AC-3(5) | SECURITY-RELEVANT INFORMATION | S | |
AC-3(7) | ROLE-BASED ACCESS CONTROL | O/S | |
AC-3(8) | REVOCATION OF ACCESS AUTHORIZATIONS | O/S | |
AC-3(9) | CONTROLLED RELEASE | O/S | |
AC-3(11) | RESTRICT ACCESS TO SPECIFIC INFORMATION TYPES | S | |
AC-3(12) | ASSERT AND ENFORCE APPLICATION ACCESS | S | |
AC-3(13) | ATTRIBUTE-BASED ACCESS CONTROL | S | |
AC-3(14) | INDIVIDUAL ACCESS | S | |
AC-3(15) | DISCRETIONARY AND MANDATORY ACCESS CONTROL | S | |
AC-4 | Information Flow Enforcement | S | |
AC-4(1) | OBJECT SECURITY AND PRIVACY ATTRIBUTES | S | |
AC-4(2) | PROCESSING DOMAINS | S | |
AC-4(3) | DYNAMIC INFORMATION FLOW CONTROL | S | |
AC-4(4) | FLOW CONTROL OF ENCRYPTED INFORMATION | S | |
AC-4(5) | EMBEDDED DATA TYPES | S | |
AC-4(6) | METADATA | S | |
AC-4(7) | ONE-WAY FLOW MECHANISMS | S | |
AC-4(8) | SECURITY AND PRIVACY POLICY FILTERS | S | |
AC-4(9) | HUMAN REVIEWS | O/S | |
AC-4(10) | ENABLE AND DISABLE SECURITY OR PRIVACY POLICY FILTERS | S | |
AC-4(11) | CONFIGURATION OF SECURITY OR PRIVACY POLICY FILTERS | S | |
AC-4(12) | DATA TYPE IDENTIFIERS | S | |
AC-4(13) | DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS | S | |
AC-4(14) | SECURITY OR PRIVACY POLICY FILTER CONSTRAINTS | S | |
AC-4(15) | DETECTION OF UNSANCTIONED INFORMATION | S | |
AC-4(17) | DOMAIN AUTHENTICATION | S | |
AC-4(19) | VALIDATION OF METADATA | S | |
AC-4(21) | PHYSICAL OR LOGICAL SEPARATION OF INFORMATION FLOWS | O/S | |
AC-4(22) | ACCESS ONLY | S | |
AC-4(23) | MODIFY NON-RELEASABLE INFORMATION | O/S | |
AC-4(24) | INTERNAL NORMALIZED FORMAT | S | |
AC-4(25) | DATA SANITIZATION | S | |
AC-4(26) | AUDIT FILTERING ACTIONS | O/S | |
AC-4(27) | REDUNDANT/INDEPENDENT FILTERING MECHANISMS | S | |
AC-4(28) | LINEAR FILTER PIPELINES | S | |
AC-4(29) | FILTER ORCHESTRATION ENGINES | O/S | |
AC-4(30) | FILTER MECHANISMS USING MULTIPLE PROCESSES | S | |
AC-4(31) | FAILED CONTENT TRANSFER PREVENTION | S | |
AC-4(32) | PROCESS REQUIREMENTS FOR INFORMATION TRANSFER | S | |
AC-6(4) | SEPARATE PROCESSING DOMAINS | O/S | |
AC-6(8) | PRIVILEGE LEVELS FOR CODE EXECUTION | S | |
AC-6(9) | LOG USE OF PRIVILEGED FUNCTIONS | S | |
AC-6(10) | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS | S | |
AC-7 | Unsuccessful Logon Attempts | S | |
AC-7(2) | PURGE OR WIPE MOBILE DEVICE | S | |
AC-7(4) | USE OF ALTERNATE AUTHENTICATION FACTOR | O/S | |
AC-8 | System Use Notification | O/S | |
AC-9 | Previous Logon Notification | S | |
AC-9(1) | UNSUCCESSFUL LOGONS | S | |
AC-9(2) | SUCCESSFUL AND UNSUCCESSFUL LOGONS | S | |
AC-9(3) | NOTIFICATION OF ACCOUNT CHANGES | S | |
AC-9(4) | ADDITIONAL LOGON INFORMATION | S | |
AC-10 | Concurrent Session Control | S | |
AC-11 | Device Lock | S | |
AC-11(1) | PATTERN-HIDING DISPLAYS | S | |
AC-12 | Session Termination | S | |
AC-12(1) | USER-INITIATED LOGOUTS | O/S | |
AC-12(2) | TERMINATION MESSAGE | S | |
AC-12(3) | TIMEOUT WARNING MESSAGE | S | |
AC-16(1) | DYNAMIC ATTRIBUTE ASSOCIATION | S | |
AC-16(2) | ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS | S | |
AC-16(3) | MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY SYSTEM | S | |
AC-16(4) | ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS | S | |
AC-16(5) | ATTRIBUTE DISPLAYS ON OBJECTS TO BE OUTPUT | S | |
AC-16(8) | ASSOCIATION TECHNIQUES AND TECHNOLOGIES | S | |
AC-17(1) | MONITORING AND CONTROL | O/S | |
AC-17(2) | PROTECTION OF CONFIDENTIALITY AND INTEGRITY USING ENCRYPTION | S | |
AC-17(3) | MANAGED ACCESS CONTROL POINTS | S | |
AC-17(10) | AUTHENTICATE REMOTE COMMANDS | S | |
AC-18(1) | AUTHENTICATION AND ENCRYPTION | S | |
AC-18(3) | DISABLE WIRELESS NETWORKING | O/S | |
AC-21(1) | AUTOMATED DECISION SUPPORT | S | |
AC-21(2) | INFORMATION SEARCH AND RETRIEVAL | S | |
AC-24(1) | TRANSMIT ACCESS AUTHORIZATION INFORMATION | S | |
AC-24(2) | NO USER OR PROCESS IDENTITY | S | |
AC-25 | Reference Monitor | S | X |
AU-3 | Content of Audit Records | S | |
AU-3(1) | ADDITIONAL AUDIT INFORMATION | S | |
AU-4 | Audit Log Storage Capacity | O/S | |
AU-4(1) | TRANSFER TO ALTERNATE STORAGE | O/S | |
AU-5 | Response to Audit Logging Process Failures | S | |
AU-5(1) | STORAGE CAPACITY WARNING | S | |
AU-5(2) | REAL-TIME ALERTS | S | |
AU-5(3) | CONFIGURABLE TRAFFIC VOLUME THRESHOLDS | S | |
AU-5(4) | SHUTDOWN ON FAILURE | S | |
AU-6(4) | CENTRAL REVIEW AND ANALYSIS | S | X |
AU-7 | Audit Record Reduction and Report Generation | S | X |
AU-7(1) | AUTOMATIC PROCESSING | S | X |
AU-8 | Time Stamps | S | |
AU-9 | Protection of Audit Information | S | |
AU-9(1) | HARDWARE WRITE-ONCE MEDIA | S | |
AU-9(2) | STORE ON SEPARATE PHYSICAL SYSTEMS OR COMPONENTS | S | |
AU-9(3) | CRYPTOGRAPHIC PROTECTION | S | |
AU-9(5) | DUAL AUTHORIZATION | O/S | |
AU-9(6) | READ-ONLY ACCESS | O/S | |
AU-10 | Non-repudiation | S | X |
AU-10(1) | ASSOCIATION OF IDENTITIES | S | X |
AU-10(2) | VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY | S | X |
AU-10(3) | CHAIN OF CUSTODY | O/S | X |
AU-10(4) | VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY | S | X |
AU-12 | Audit Record Generation | S | |
AU-12(1) | SYSTEM-WIDE AND TIME-CORRELATED AUDIT TRAIL | S | |
AU-12(2) | STANDARDIZED FORMATS | S | |
AU-12(3) | CHANGES BY AUTHORIZED INDIVIDUALS | S | |
AU-12(4) | QUERY PARAMETER AUDITS OF PERSONALLY IDENTIFIABLE INFORMATION | S | |
AU-13(1) | USE OF AUTOMATED TOOLS | O/S | X |
AU-13(3) | UNAUTHORIZED REPLICATION OF INFORMATION | O/S | X |
AU-14 | Session Audit | S | X |
AU-14(1) | SYSTEM START-UP | S | X |
AU-14(3) | REMOTE VIEWING AND LISTENING | S | X |
CA-3(6) | TRANSFER AUTHORIZATIONS | O/S | X |
CA-3(7) | TRANSITIVE INFORMATION EXCHANGES | O/S | X |
CA-7(4) | RISK MONITORING | O/S | X |
CA-7(6) | AUTOMATION SUPPORT FOR MONITORING | O/S | X |
CA-9(1) | COMPLIANCE CHECKS | O/S | X |
CM-3(5) | AUTOMATED SECURITY RESPONSE | S | |
CM-3(8) | PREVENT OR RESTRICT CONFIGURATION CHANGES | S | |
CM-5(1) | AUTOMATED ACCESS ENFORCEMENT AND AUDIT RECORDS | S | |
CM-5(4) | DUAL AUTHORIZATION | O/S | |
CM-5(6) | LIMIT LIBRARY PRIVILEGES | O/S | |
CM-6 | Configuration Settings | O/S | |
CM-7 | Least Functionality | O/S | |
CM-7(1) | PERIODIC REVIEW | O/S | |
CM-7(2) | PREVENT PROGRAM EXECUTION | S | |
CM-7(4) | UNAUTHORIZED SOFTWARE | O/S | |
CM-7(5) | AUTHORIZED SOFTWARE | O/S | |
CM-7(7) | CODE EXECUTION IN PROTECTED ENVIRONMENTS | O/S | X |
CM-7(8) | BINARY OR MACHINE EXECUTABLE CODE | O/S | X |
CM-7(9) | PROHIBITING THE USE OF UNAUTHORIZED HARDWARE | O/S | X |
CM-11(2) | SOFTWARE INSTALLATION WITH PRIVILEGED STATUS | S | |
CM-11(3) | AUTOMATED ENFORCEMENT AND MONITORING | S | X |
CM-14 | Signed Components | O/S | X |
CP-4(5) | SELF-CHALLENGE | O/S | X |
CP-12 | Safe Mode | S | X |
CP-13 | Alternative Security Mechanisms | O/S | |
IA-2 | Identification and Authentication (Organizational Users) | O/S | |
IA-2(1) | MULTI-FACTOR AUTHENTICATION TO PRIVILEGED ACCOUNTS | S | |
IA-2(2) | MULTI-FACTOR AUTHENTICATION TO NON-PRIVILEGED ACCOUNTS | S | |
IA-2(5) | INDIVIDUAL AUTHENTICATION WITH GROUP AUTHENTICATION | O/S | |
IA-2(6) | ACCESS TO ACCOUNTS — SEPARATE DEVICE | S | |
IA-2(8) | ACCESS TO ACCOUNTS — REPLAY RESISTANT | S | |
IA-2(10) | SINGLE SIGN-ON | S | |
IA-2(12) | ACCEPTANCE OF PIV CREDENTIALS | S | |
IA-2(13) | OUT-OF-BAND AUTHENTICATION | S | |
IA-3 | Device Identification and Authentication | S | |
IA-3(1) | CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION | S | |
IA-4(5) | DYNAMIC MANAGEMENT | S | |
IA-4(9) | ATTRIBUTE MAINTENANCE AND PROTECTION | O/S | |
IA-5 | Authenticator Management | O/S | |
IA-5(1) | PASSWORD-BASED AUTHENTICATION | O/S | |
IA-5(2) | PUBLIC KEY-BASED AUTHENTICATION | S | |
IA-5(10) | DYNAMIC CREDENTIAL BINDING | S | |
IA-5(12) | BIOMETRIC AUTHENTICATION PERFORMANCE | S | |
IA-5(13) | EXPIRATION OF CACHED AUTHENTICATORS | S | |
IA-5(17) | PRESENTATION ATTACK DETECTION FOR BIOMETRIC AUTHENTICATORS | S | |
IA-5(18) | PASSWORD MANAGERS | S | |
IA-6 | Authentication Feedback | S | |
IA-7 | Cryptographic Module Authentication | S | |
IA-8 | Identification and Authentication (Non-Organizational Users) | S | |
IA-8(1) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES | S | |
IA-8(2) | ACCEPTANCE OF EXTERNAL AUTHENTICATORS | S | |
IA-8(4) | USE OF DEFINED PROFILES | S | |
IA-8(5) | ACCEPTANCE OF PIV-I CREDENTIALS | S | |
IA-9 | Service Identification and Authentication | O/S | |
IA-11 | Re-authentication | O/S | |
IR-4(5) | AUTOMATIC DISABLING OF SYSTEM | O/S | |
IR-4(14) | SECURITY OPERATIONS CENTER | O/S | |
MA-3(4) | RESTRICTED TOOL USE | O/S | |
MA-3(5) | EXECUTION WITH PRIVILEGE | O/S | |
MA-3(6) | SOFTWARE UPDATES AND PATCHES | O/S | |
MA-4(6) | CRYPTOGRAPHIC PROTECTION | O/S | |
MA-4(7) | DISCONNECT VERIFICATION | S | |
PE-5(2) | LINK TO INDIVIDUAL IDENTITY | S | |
PT-2(1) | DATA TAGGING | S | X |
PT-3(1) | DATA TAGGING | S | X |
RA-10 | Threat Hunting | O/S | X |
SA-8(1) | CLEAR ABSTRACTIONS | O/S | X |
SA-8(2) | LEAST COMMON MECHANISM | O/S | X |
SA-8(3) | MODULARITY AND LAYERING | O/S | X |
SA-8(4) | PARTIALLY ORDERED DEPENDENCIES | O/S | X |
SA-8(5) | EFFICIENTLY MEDIATED ACCESS | O/S | X |
SA-8(6) | MINIMIZED SHARING | O/S | X |
SA-8(7) | REDUCED COMPLEXITY | O/S | X |
SA-8(8) | SECURE EVOLVABILITY | O/S | X |
SA-8(9) | TRUSTED COMPONENTS | O/S | X |
SA-8(10) | HIERARCHICAL TRUST | O/S | X |
SA-8(11) | INVERSE MODIFICATION THRESHOLD | O/S | X |
SA-8(12) | HIERARCHICAL PROTECTION | O/S | X |
SA-8(13) | MINIMIZED SECURITY ELEMENTS | O/S | X |
SA-8(14) | LEAST PRIVILEGE | O/S | X |
SA-8(15) | PREDICATE PERMISSION | O/S | X |
SA-8(16) | SELF-RELIANT TRUSTWORTHINESS | O/S | X |
SA-8(17) | SECURE DISTRIBUTED COMPOSITION | O/S | X |
SA-8(18) | TRUSTED COMMUNICATIONS CHANNELS | O/S | X |
SA-8(19) | CONTINUOUS PROTECTION | O/S | X |
SA-8(20) | SECURE METADATA MANAGEMENT | O/S | X |
SA-8(21) | SELF-ANALYSIS | O/S | X |
SA-8(22) | ACCOUNTABILITY AND TRACEABILITY | O/S | X |
SA-8(23) | SECURE DEFAULTS | O/S | X |
SA-8(24) | SECURE FAILURE AND RECOVERY | O/S | X |
SA-8(25) | ECONOMIC SECURITY | O/S | X |
SA-8(26) | PERFORMANCE SECURITY | O/S | X |
SA-8(27) | HUMAN FACTORED SECURITY | O/S | X |
SA-8(28) | ACCEPTABLE SECURITY | O/S | X |
SA-8(29) | REPEATABLE AND DOCUMENTED PROCEDURES | O/S | X |
SA-8(30) | PROCEDURAL RIGOR | O/S | X |
SA-8(31) | SECURE SYSTEM MODIFICATION | O/S | X |
SA-8(32) | SUFFICIENT DOCUMENTATION | O/S | X |
SA-8(33) | MINIMIZATION | O/S | X |
SC-2 | Separation of System and User Functionality | S | X |
SC-2(1) | INTERFACES FOR NON-PRIVILEGED USERS | S | X |
SC-2(2) | DISASSOCIABILITY | S | X |
SC-3 | Security Function Isolation | S | X |
SC-3(1) | HARDWARE SEPARATION | S | X |
SC-3(2) | ACCESS AND FLOW CONTROL FUNCTIONS | S | X |
SC-3(3) | MINIMIZE NONSECURITY FUNCTIONALITY | O/S | X |
SC-3(4) | MODULE COUPLING AND COHESIVENESS | O/S | X |
SC-3(5) | LAYERED STRUCTURES | O/S | X |
SC-4 | Information in Shared System Resources | S | |
SC-4(2) | MULTILEVEL OR PERIODS PROCESSING | S | |
SC-5 | Denial-of-Service Protection | S | |
SC-5(1) | RESTRICT ABILITY TO ATTACK OTHER SYSTEMS | S | |
SC-5(2) | CAPACITY, BANDWIDTH, AND REDUNDANCY | S | |
SC-5(3) | DETECTION AND MONITORING | S | |
SC-6 | Resource Availability | S | X |
SC-7 | Boundary Protection | S | |
SC-7(3) | ACCESS POINTS | S | |
SC-7(5) | DENY BY DEFAULT — ALLOW BY EXCEPTION | S | |
SC-7(7) | SPLIT TUNNELING FOR REMOTE DEVICES | S | |
SC-7(8) | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS | S | |
SC-7(9) | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC | S | |
SC-7(10) | PREVENT EXFILTRATION | S | |
SC-7(11) | RESTRICT INCOMING COMMUNICATIONS TRAFFIC | S | |
SC-7(12) | HOST-BASED PROTECTION | S | |
SC-7(13) | ISOLATION OF SECURITY TOOLS, MECHANISMS, AND SUPPORT COMPONENTS | S | |
SC-7(14) | PROTECT AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS | S | |
SC-7(15) | NETWORKED PRIVILEGED ACCESSES | S | |
SC-7(16) | PREVENT DISCOVERY OF SYSTEM COMPONENTS | S | |
SC-7(17) | AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS | S | |
SC-7(18) | FAIL SECURE | S | X |
SC-7(19) | BLOCK COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS | S | |
SC-7(20) | DYNAMIC ISOLATION AND SEGREGATION | S | |
SC-7(21) | ISOLATION OF SYSTEM COMPONENTS | O/S | X |
SC-7(22) | SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS | S | X |
SC-7(23) | DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE | S | |
SC-7(24) | PERSONALLY IDENTIFIABLE INFORMATION | O/S | |
SC-7(29) | SEPARATE SUBNETS TO ISOLATE FUNCTIONS | S | |
SC-8 | Transmission Confidentiality and Integrity | S | |
SC-8(1) | CRYPTOGRAPHIC PROTECTION | S | |
SC-8(2) | PRE- AND POST-TRANSMISSION HANDLING | S | |
SC-8(3) | CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS | S | |
SC-8(4) | CONCEAL OR RANDOMIZE COMMUNICATIONS | S | |
SC-8(5) | PROTECTED DISTRIBUTION SYSTEM | S | |
SC-10 | Network Disconnect | S | |
SC-11 | Trusted Path | S | X |
SC-11(1) | IRREFUTABLE COMMUNICATIONS PATH | S | X |
SC-12 | Cryptographic Key Establishment and Management | O/S | |
SC-12(1) | AVAILABILITY | O/S | |
SC-12(2) | SYMMETRIC KEYS | O/S | |
SC-12(3) | ASYMMETRIC KEYS | O/S | |
SC-12(6) | PHYSICAL CONTROL OF KEYS | O/S | |
SC-13 | Cryptographic Protection | S | |
SC-15 | Collaborative Computing Devices and Applications | S | |
SC-15(1) | PHYSICAL OR LOGICAL DISCONNECT | S | |
SC-15(4) | EXPLICITLY INDICATE CURRENT PARTICIPANTS | S | |
SC-16 | Transmission of Security and Privacy Attributes | S | |
SC-16(1) | INTEGRITY VERIFICATION | S | |
SC-16(2) | ANTI-SPOOFING MECHANISMS | S | |
SC-16(3) | CRYPTOGRAPHIC BINDING | S | |
SC-17 | Public Key Infrastructure Certificates | O/S | |
SC-18(1) | IDENTIFY UNACCEPTABLE CODE AND TAKE CORRECTIVE ACTIONS | S | |
SC-18(3) | PREVENT DOWNLOADING AND EXECUTION | S | |
SC-18(4) | PREVENT AUTOMATIC EXECUTION | S | |
SC-18(5) | ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS | S | |
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | S | |
SC-20(2) | DATA ORIGIN AND INTEGRITY | S | |
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | S | |
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | S | |
SC-23 | Session Authenticity | S | |
SC-23(1) | INVALIDATE SESSION IDENTIFIERS AT LOGOUT | S | |
SC-23(3) | UNIQUE SYSTEM-GENERATED SESSION IDENTIFIERS | S | |
SC-23(5) | ALLOWED CERTIFICATE AUTHORITIES | S | |
SC-24 | Fail in Known State | S | X |
SC-25 | Thin Nodes | S | |
SC-26 | Decoys | S | |
SC-27 | Platform-Independent Applications | S | |
SC-28 | Protection of Information at Rest | S | |
SC-28(1) | CRYPTOGRAPHIC PROTECTION | S | |
SC-28(3) | CRYPTOGRAPHIC KEYS | O/S | |
SC-32 | System Partitioning | O/S | X |
SC-32(1) | SEPARATE PHYSICAL DOMAINS FOR PRIVILEGED FUNCTIONS | O/S | X |
SC-34 | Non-Modifiable Executable Programs | S | X |
SC-35 | External Malicious Code Identification | S | |
SC-39 | Process Isolation | S | X |
SC-39(1) | HARDWARE SEPARATION | S | X |
SC-39(2) | SEPARATE EXECUTION DOMAIN PER THREAD | S | X |
SC-40 | Wireless Link Protection | S | |
SC-40(1) | ELECTROMAGNETIC INTERFERENCE | S | |
SC-40(2) | REDUCE DETECTION POTENTIAL | S | |
SC-40(3) | IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION | S | |
SC-40(4) | SIGNAL PARAMETER IDENTIFICATION | S | |
SC-41 | Port and I/O Device Access | O/S | |
SC-42 | Sensor Capability and Data | S | |
SC-43 | Usage Restrictions | O/S | |
SC-44 | Detonation Chambers | S | |
SC-45 | System Time Synchronization | S | |
SC-45(1) | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE | S | |
SC-45(2) | SECONDARY AUTHORITATIVE TIME SOURCE | S | |
SC-46 | Cross Domain Policy Enforcement | S | |
SC-47 | Alternate Communications Paths | O/S | |
SC-48 | Sensor Relocation | O/S | |
SC-48(1) | DYNAMIC RELOCATION OF SENSORS OR MONITORING CAPABILITIES | O/S | |
SC-49 | Hardware-Enforced Separation and Policy Enforcement | O/S | X |
SC-50 | Software-Enforced Separation and Policy Enforcement | O/S | X |
SC-51 | Hardware-Based Protection | O/S | X |
SI-2(4) | AUTOMATED PATCH MANAGEMENT TOOLS | O/S | |
SI-2(5) | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES | O/S | |
SI-2(6) | REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE AND FIRMWARE | O/S | |
SI-3 | Malicious Code Protection | O/S | |
SI-3(4) | UPDATES ONLY BY PRIVILEGED USERS | O/S | |
SI-3(8) | DETECT UNAUTHORIZED COMMANDS | S | |
SI-4 | System Monitoring | O/S | X |
SI-4(1) | SYSTEM-WIDE INTRUSION DETECTION SYSTEM | O/S | X |
SI-4(2) | AUTOMATED TOOLS AND MECHANISMS FOR REAL-TIME ANALYSIS | S | X |
SI-4(3) | AUTOMATED TOOL AND MECHANISM INTEGRATION | S | X |
SI-4(4) | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC | S | X |
SI-4(5) | SYSTEM-GENERATED ALERTS | S | X |
SI-4(7) | AUTOMATED RESPONSE TO SUSPICIOUS EVENTS | S | X |
SI-4(11) | ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES | O/S | X |
SI-4(12) | AUTOMATED ORGANIZATION-GENERATED ALERTS | O/S | X |
SI-4(13) | ANALYZE TRAFFIC AND EVENT PATTERNS | O/S | X |
SI-4(14) | WIRELESS INTRUSION DETECTION | S | X |
SI-4(15) | WIRELESS TO WIRELINE COMMUNICATIONS | S | X |
SI-4(16) | CORRELATE MONITORING INFORMATION | O/S | X |
SI-4(18) | ANALYZE TRAFFIC AND COVERT EXFILTRATION | O/S | X |
SI-4(20) | PRIVILEGED USERS | S | X |
SI-4(22) | UNAUTHORIZED NETWORK SERVICES | S | X |
SI-4(24) | INDICATORS OF COMPROMISE | S | X |
SI-4(25) | OPTIMIZE NETWORK TRAFFIC ANALYSIS | S | X |
SI-6 | Security and Privacy Function Verification | S | X |
SI-6(2) | AUTOMATION SUPPORT FOR DISTRIBUTED TESTING | S | |
SI-7 | Software, Firmware, and Information Integrity | O/S | X |
SI-7(1) | INTEGRITY CHECKS | S | X |
SI-7(2) | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS | S | X |
SI-7(5) | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS | S | X |
SI-7(6) | CRYPTOGRAPHIC PROTECTION | S | X |
SI-7(8) | AUDITING CAPABILITY FOR SIGNIFICANT EVENTS | S | X |
SI-7(9) | VERIFY BOOT PROCESS | S | X |
SI-7(10) | PROTECTION OF BOOT FIRMWARE | S | X |
SI-7(12) | INTEGRITY VERIFICATION | O/S | X |
SI-7(15) | CODE AUTHENTICATION | S | X |
SI-7(17) | RUNTIME APPLICATION SELF-PROTECTION | O/S | X |
SI-8(2) | AUTOMATIC UPDATES | S | |
SI-8(3) | CONTINUOUS LEARNING CAPABILITY | S | |
SI-10 | Information Input Validation | S | X |
SI-10(1) | MANUAL OVERRIDE CAPABILITY | O/S | X |
SI-10(3) | PREDICTABLE BEHAVIOR | O/S | X |
SI-10(4) | TIMING INTERACTIONS | S | X |
SI-10(5) | RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS | S | X |
SI-10(6) | INJECTION PREVENTION | S | X |
SI-11 | Error Handling | S | |
SI-13(4) | STANDBY COMPONENT INSTALLATION AND NOTIFICATION | O/S | X |
SI-15 | Information Output Filtering | S | X |
SI-16 | Memory Protection | S | X |
SI-17 | Fail-Safe Procedures | S | X |
SI-18 | Personally Identifiable Information Quality Operations | O/S | |
SI-18(1) | AUTOMATION SUPPORT | O/S | |
SI-18(2) | DATA TAGS | O/S | |
SI-18(3) | COLLECTION | O/S | |
SI-18(4) | INDIVIDUAL REQUESTS | O/S | |
SI-18(5) | NOTICE OF CORRECTION OR DELETION | O/S | |
SI-19 | De-Identification | O/S | |
SI-19(1) | COLLECTION | O/S | |
SI-19(2) | ARCHIVING | O/S | |
SI-19(3) | RELEASE | O/S | |
SI-19(4) | REMOVAL, MASKING, ENCRYPTION, HASHING, OR REPLACEMENT OF DIRECT IDENTIFIERS | S | |
SI-19(5) | STATISTICAL DISCLOSURE CONTROL | O/S | |
SI-19(6) | DIFFERENTIAL PRIVACY | O/S | |
SI-19(8) | MOTIVATED INTRUDER | O/S | |
SI-20 | Tainting | O/S | X |
SI-21 | Information Refresh | O/S | X |
SI-22 | Information Diversity | O/S | X |
SI-23 | Information Fragmentation | O/S | X |
SR-3 | Supply Chain Controls and Processes | O/S | X |