CIS Critical Security Controls
Inventory and Control of Enterprise Assets
Establish and Maintain Detailed Enterprise Asset Inventory
Address Unauthorized Assets
Utilize an Active Discovery Tool
Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Use a Passive Asset Discovery Tool
Inventory and Control of Software Assets
Establish and Maintain a Software Inventory
Ensure Authorized Software is Currently Supported
Address Unauthorized Software
Utilize Automated Software Inventory Tools
Allowlist Authorized Software
Allowlist Authorized Libraries
Allowlist Authorized Scripts
Data Protection
Establish and Maintain a Data Management Process
Establish and Maintain a Data Inventory
Configure Data Access Control Lists
Enforce Data Retention
Securely Dispose of Data
Encrypt Data on End-User Devices
Establish and Maintain a Data Classification Scheme
Document Data Flows
Encrypt Data on Removable Media
Encrypt Sensitive Data in Transit
Encrypt Sensitive Data at Rest
Segment Data Processing and Storage Based on Sensitivity
Deploy a Data Loss Prevention Solution
Log Sensitive Data Access
Secure Configuration of Enterprise Assets and Software
Establish and Maintain a Secure Configuration Process
Establish and Maintain a Secure Configuration Process for Network Infrastructure
Configure Automatic Session Locking on Enterprise Assets
Implement and Manage a Firewall on Servers
Implement and Manage a Firewall on End-User Devices
Securely Manage Enterprise Assets and Software
Manage Default Accounts on Enterprise Assets and Software
Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Configure Trusted DNS Servers on Enterprise Assets
Enforce Automatic Device Lockout on Portable End-User Devices
Enforce Remote Wipe Capability on Portable End-User Devices
Separate Enterprise Workspaces on Mobile End-User Devices
Account Management
Establish and Maintain an Inventory of Accounts
Use Unique Passwords
Disable Dormant Accounts
Restrict Administrator Privileges to Dedicated Administrator Accounts
Establish and Maintain an Inventory of Service Accounts
Centralize Account Management
Access Control Management
Establish an Access Granting Process
Establish an Access Revoking Process
Require MFA for Externally-Exposed Applications
Require MFA for Remote Network Access
Require MFA for Administrative Access
Establish and Maintain an Inventory of Authentication and Authorization Systems
Centralize Access Control
Define and Maintain Role-Based Access Control
Continuous Vulnerability Management
Establish and Maintain a Vulnerability Management Process
Establish and Maintain a Remediation Process
Perform Automated Operating System Patch Management
Perform Automated Application Patch Management
Perform Automated Vulnerability Scans of Internal Enterprise Assets
Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Remediate Detected Vulnerabilities
Audit Log Management
Establish and Maintain an Audit Log Management Process
Collect Audit Logs
Ensure Adequate Audit Log Storage
Standardize Time Synchronization
Collect Detailed Audit Logs
Collect DNS Query Audit Logs
Collect URL Request Audit Logs
Collect Command-Line Audit Logs
Centralize Audit Logs
Retain Audit Logs
Conduct Audit Log Reviews
Collect Service Provider Logs
Email and Web Browser Protections
Ensure Use of Only Fully Supported Browsers and Email Clients
Use DNS Filtering Services
Maintain and Enforce Network-Based URL Filters
Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
Implement DMARC
Block Unnecessary File Types
Deploy and Maintain Email Server Anti-Malware Protections
Malware Defenses
Deploy and Maintain Anti-Malware Software
Configure Automatic Anti-Malware Signature Updates
Disable Autorun and Autoplay for Removable Media
Configure Automatic Anti-Malware Scanning of Removable Media
Enable Anti-Exploitation Features
Centrally Manage Anti-Malware Software
Use Behavior-Based Anti-Malware Software
Data Recovery
Establish and Maintain a Data Recovery Process
Perform Automated Backups
Protect Recovery Data
Establish and Maintain an Isolated Instance of Recovery Data
Test Data Recovery
Network Infrastructure Management
Ensure Network Infrastructure is Up-to-Date
Establish and Maintain a Secure Network Architecture
Securely Manage Network Infrastructure
Establish and Maintain Architecture Diagram(s)
Centralize Network Authentication, Authorization, and Auditing (AAA)
Use of Secure Network Management and Communication Protocols
Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
Establish and Maintain Dedicated Computing Resources for All Administrative Work
Network Monitoring and Defense
Centralize Security Event Alerting
Deploy a Host-Based Intrusion Detection Solution
Deploy a Network Intrusion Detection Solution
Perform Traffic Filtering Between Network Segments
Manage Access Control for Remote Assets
Collect Network Traffic Flow Logs
Deploy a Host-Based Intrusion Prevention Solution
Deploy a Network Intrusion Prevention Solution
Deploy Port-Level Access Control
Perform Application Layer Filtering
Tune Security Event Alerting Thresholds
Security Awareness and Skills Training
Establish and Maintain a Security Awareness Program
Train Workforce Members to Recognize Social Engineering Attacks
Train Workforce Members on Authentication Best Practices
Train Workforce on Data Handling Best Practices
Train Workforce Members on Causes of Unintentional Data Exposure
Train Workforce Members on Recognizing and Reporting Security Incidents
Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Conduct Role-Specific Security Awareness and Skills Training
Service Provider Management
Establish and Maintain an Inventory of Service Providers
Establish and Maintain a Service Provider Management Policy
Classify Service Providers
Ensure Service Provider Contracts Include Security Requirements
Assess Service Providers
Monitor Service Providers
Securely Decommission Service Providers
Application Software Security
Establish and Maintain a Secure Application Development Process
Establish and Maintain a Process to Accept and Address Software Vulnerabilities
Perform Root Cause Analysis on Security Vulnerabilities
Establish and Manage an Inventory of Third-Party Software Components
Use Up-to-Date and Trusted Third-Party Software Components
Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
Use Standard Hardening Configuration Templates for Application Infrastructure
Separate Production and Non-Production Systems
Train Developers in Application Security Concepts and Secure Coding
Apply Secure Design Principles in Application Architectures
Leverage Vetted Modules or Services for Application Security Components
Implement Code-Level Security Checks
Conduct Application Penetration Testing
Conduct Threat Modeling
Incident Response Management
Designate Personnel to Manage Incident Handling
Establish and Maintain Contact Information for Reporting Security Incidents
Establish and Maintain an Enterprise Process for Reporting Incidents
Establish and Maintain an Incident Response Process
Assign Key Roles and Responsibilities
Define Mechanisms for Communicating During Incident Response
Conduct Routine Incident Response Exercises
Conduct Post-Incident Reviews
Establish and Maintain Security Incident Thresholds
Penetration Testing
Establish and Maintain a Penetration Testing Program
Perform Periodic External Penetration Tests
Remediate Penetration Test Findings
Validate Security Measures
Perform Periodic Internal Penetration Tests
10.6: Centrally Manage Anti-Malware Software

Description
Centrally manage anti-malware software.
Assessment (each dimension is scored on its own scale)

Policy defined: Not applicable / None / Informal / Partially written / Written / Approved and communicated

Control implemented: Not applicable / Not implemented / Parts of policy implemented / Implemented on some systems / Implemented on most systems / Implemented on all systems

Control automated: Not applicable / Not automated / Parts of policy automated / Automated on some systems / Automated on most systems / Automated on all systems

Control reported: Not applicable / Not reported / Parts of policy reported / Reported on some systems / Reported on most systems / Reported on all systems
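Whether this safeguard is "Implemented on all systems", and whether it can be "Reported", comes down to reconciling two lists: the enterprise asset inventory maintained under Control 1, and the set of devices the central anti-malware console actually manages. A host that is inventoried but never reports to the console is not centrally managed, however well its local agent is configured; a host that reports but has gone silent, runs stale signatures, or has had real-time or tamper protection switched off locally has drifted from the central policy. The following Python script is added here as an illustration; it is not part of the SAMMY page or of the CIS Controls. The console export and inventory are constructed sample data, the export field names (hostname, last_checkin, signature_date, realtime_protection, tamper_protection) are assumed, and the staleness thresholds (7 days without check-in, signatures older than 1 day) are assumed policy values to be replaced with your own.

```python
"""Reconcile the enterprise asset inventory against a central anti-malware
console export to evidence CIS Safeguard 10.6 (centrally managed anti-malware).

Illustrative example: data, field names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample data: hosts that the enterprise asset inventory says exist.
ASSET_INVENTORY = {"ws-001", "ws-002", "ws-003", "srv-db-01", "srv-web-01"}

# Constructed sample rows in the shape a console export might have (assumed field names).
CONSOLE_EXPORT = [
    {"hostname": "ws-001", "last_checkin": "2024-05-31T22:00:00Z",
     "signature_date": "2024-05-31T18:00:00Z",
     "realtime_protection": True, "tamper_protection": True},
    {"hostname": "ws-002", "last_checkin": "2024-05-10T08:00:00Z",   # agent silent for weeks
     "signature_date": "2024-05-10T06:00:00Z",
     "realtime_protection": True, "tamper_protection": True},
    {"hostname": "srv-db-01", "last_checkin": "2024-05-31T23:30:00Z",
     "signature_date": "2024-05-31T20:00:00Z",
     "realtime_protection": False, "tamper_protection": False},     # local override
    {"hostname": "lab-999", "last_checkin": "2024-05-31T21:00:00Z",  # not in inventory
     "signature_date": "2024-05-31T18:00:00Z",
     "realtime_protection": True, "tamper_protection": True},
]
# ws-003 and srv-web-01 are inventoried but never appear in the console export.

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)    # fixed "now" so the run is reproducible
MAX_CHECKIN_AGE = timedelta(days=7)                 # assumed policy threshold
MAX_SIGNATURE_AGE = timedelta(days=1)               # assumed policy threshold


def parse_utc(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample export."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Report:
    healthy: set = field(default_factory=set)           # managed and within policy
    unmanaged: set = field(default_factory=set)         # inventoried, unknown to the console
    stale_checkin: set = field(default_factory=set)     # console entry exists, agent is silent
    stale_signatures: set = field(default_factory=set)  # signatures older than policy allows
    policy_drift: set = field(default_factory=set)      # RTP or tamper protection turned off
    unknown_assets: set = field(default_factory=set)    # reports to console, not inventoried
    coverage: float = 0.0                               # healthy / inventoried


def reconcile(inventory, export, now=NOW,
              max_checkin_age=MAX_CHECKIN_AGE, max_sig_age=MAX_SIGNATURE_AGE) -> Report:
    """Classify every inventoried host by what the console knows about it."""
    report = Report()
    seen = {row["hostname"]: row for row in export}
    report.unknown_assets = set(seen) - set(inventory)
    for host in inventory:
        row = seen.get(host)
        if row is None:
            report.unmanaged.add(host)
            continue
        problem = False
        if now - parse_utc(row["last_checkin"]) > max_checkin_age:
            report.stale_checkin.add(host)
            problem = True
        if now - parse_utc(row["signature_date"]) > max_sig_age:
            report.stale_signatures.add(host)
            problem = True
        if not (row["realtime_protection"] and row["tamper_protection"]):
            report.policy_drift.add(host)
            problem = True
        if not problem:
            report.healthy.add(host)
    report.coverage = len(report.healthy) / len(inventory) if inventory else 0.0
    return report


def summarize(report: Report) -> list:
    """Human-readable lines suitable for the 'Control reported' evidence."""
    lines = [f"coverage: {report.coverage:.0%} of inventoried assets centrally managed and healthy"]
    for bucket in ("unmanaged", "stale_checkin", "stale_signatures",
                   "policy_drift", "unknown_assets"):
        hosts = getattr(report, bucket)
        if hosts:
            lines.append(f"{bucket}: {', '.join(sorted(hosts))}")
    return lines


if __name__ == "__main__":
    for line in summarize(reconcile(ASSET_INVENTORY, CONSOLE_EXPORT)):
        print(line)
```

On the sample data only ws-001 is both managed and within policy, so coverage is 20% even though four of five inventoried hosts have an agent installed somewhere. The unknown_assets bucket matters as much as unmanaged: a device that reports to the console but is missing from the inventory is a Control 1 gap, not evidence of coverage, and should be fed back to the asset inventory rather than counted toward this safeguard.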