Home
Browse frameworks
Contact us
SAMMY premium
Sign in
SAMMY works best on screens 1024px wide or larger.
NIST 800-53 v5
Browse NIST 800-53...
AIMA
ASVS
BSIMM 15
CIS Critical Security Controls
Cloud Controls Matrix
Cybersecurity Fundamentals
Cybersecurity Fundamentals 2.0
DSOMM
NIS2
NIST 800-171 Rev 2
NIST 800-171 Rev 3
NIST 800-34
NIST 800-53 v5
NIST CSF 2.0
NIST SSDF
OpenSAMM1.5
SAMM
Secure Controls Framework
Access Control
Policy and Procedures
Account Management
Automated System Account Management
Automated Temporary and Emergency Account Management
Disable Accounts
Automated Audit Actions
Inactivity Logout
Dynamic Privilege Management
Privileged User Accounts
Dynamic Account Management
Restrictions on Use of Shared and Group Accounts
Usage Conditions
Account Monitoring for Atypical Usage
Disable Accounts for High-risk Individuals
Access Enforcement
Dual Authorization
Mandatory Access Control
Discretionary Access Control
Security-relevant Information
Role-based Access Control
Revocation of Access Authorizations
Controlled Release
Audited Override of Access Control Mechanisms
Restrict Access to Specific Information Types
Assert and Enforce Application Access
Attribute-based Access Control
Individual Access
Discretionary and Mandatory Access Control
Information Flow Enforcement
Object Security and Privacy Attributes
Processing Domains
Dynamic Information Flow Control
Flow Control of Encrypted Information
Embedded Data Types
Metadata
One-way Flow Mechanisms
Security and Privacy Policy Filters
Human Reviews
Enable and Disable Security or Privacy Policy Filters
Configuration of Security or Privacy Policy Filters
Data Type Identifiers
Decomposition into Policy-relevant Subcomponents
Security or Privacy Policy Filter Constraints
Detection of Unsanctioned Information
Domain Authentication
Validation of Metadata
Approved Solutions
Physical or Logical Separation of Information Flows
Access Only
Modify Non-releasable Information
Internal Normalized Format
Data Sanitization
Audit Filtering Actions
Redundant/independent Filtering Mechanisms
Linear Filter Pipelines
Filter Orchestration Engines
Filter Mechanisms Using Multiple Processes
Failed Content Transfer Prevention
Process Requirements for Information Transfer
Separation of Duties
Least Privilege
Authorize Access to Security Functions
Non-privileged Access for Nonsecurity Functions
Network Access to Privileged Commands
Separate Processing Domains
Privileged Accounts
Privileged Access by Non-organizational Users
Review of User Privileges
Privilege Levels for Code Execution
Log Use of Privileged Functions
Prohibit Non-privileged Users from Executing Privileged Functions
Unsuccessful Logon Attempts
Purge or Wipe Mobile Device
Biometric Attempt Limiting
Use of Alternate Authentication Factor
System Use Notification
Previous Logon Notification
Unsuccessful Logons
Successful and Unsuccessful Logons
Notification of Account Changes
Additional Logon Information
Concurrent Session Control
Device Lock
Pattern-hiding Displays
Session Termination
User-initiated Logouts
Termination Message
Timeout Warning Message
Permitted Actions Without Identification or Authentication
Security and Privacy Attributes
Dynamic Attribute Association
Attribute Value Changes by Authorized Individuals
Maintenance of Attribute Associations by System
Association of Attributes by Authorized Individuals
Attribute Displays on Objects to Be Output
Maintenance of Attribute Association
Consistent Attribute Interpretation
Association Techniques and Technologies
Attribute Reassignment — Regrading Mechanisms
Attribute Configuration by Authorized Individuals
Remote Access
Monitoring and Control
Protection of Confidentiality and Integrity Using Encryption
Managed Access Control Points
Privileged Commands and Access
Protection of Mechanism Information
Disconnect or Disable Access
Authenticate Remote Commands
Wireless Access
Authentication and Encryption
Disable Wireless Networking
Restrict Configurations by Users
Antennas and Transmission Power Levels
Access Control for Mobile Devices
Restrictions for Classified Information
Full Device or Container-based Encryption
Use of External Systems
Limits on Authorized Use
Portable Storage Devices — Restricted Use
Non-organizationally Owned Systems — Restricted Use
Network Accessible Storage Devices — Prohibited Use
Portable Storage Devices - Prohibited Use
Information Sharing
Automated Decision Support
Information Search and Retrieval
Publicly Accessible Content
Data Mining Protection
Access Control Decisions
Transmit Access Authorization Information
No User or Process Identity
Reference Monitor
Awareness and Training
Policy and Procedures
Literacy Training and Awareness
Practical Exercises
Insider Threat
Social Engineering and Mining
Suspicious Communications and Anomalous System Behavior
Advanced Persistent Threat
Cyber Threat Environment
Role-based Training
Environmental Controls
Physical Security Controls
Practical Exercises
Processing Personally Identifiable Information
Training Records
Training Feedback
Audit and Accountability
Policy and Procedures
Event Logging
Content of Audit Records
Additional Audit Information
Limit Personally Identifiable Information Elements
Audit Log Storage Capacity
Transfer to Alternate Storage
Response to Audit Logging Process Failures
Storage Capacity Warning
Real-time Alerts
Configurable Traffic Volume Thresholds
Shutdown on Failure
Alternate Audit Logging Capability
Audit Record Review, Analysis, and Reporting
Automated Process Integration
Correlate Audit Record Repositories
Central Review and Analysis
Integrated Analysis of Audit Records
Correlation with Physical Monitoring
Permitted Actions
Full Text Analysis of Privileged Commands
Correlation with Information from Nontechnical Sources
Audit Record Reduction and Report Generation
Automatic Processing
Time Stamps
Protection of Audit Information
Hardware Write-once Media
Store on Separate Physical Systems or Components
Cryptographic Protection
Access by Subset of Privileged Users
Dual Authorization
Read-only Access
Store on Component with Different Operating System
Non-repudiation
Association of Identities
Validate Binding of Information Producer Identity
Chain of Custody
Validate Binding of Information Reviewer Identity
Audit Record Retention
Long-term Retrieval Capability
Audit Record Generation
System-wide and Time-correlated Audit Trail
Standardized Formats
Changes by Authorized Individuals
Query Parameter Audits of Personally Identifiable Information
Monitoring for Information Disclosure
Use of Automated Tools
Review of Monitored Sites
Unauthorized Replication of Information
Session Audit
System Start-up
Remote Viewing and Listening
Cross-organizational Audit Logging
Identity Preservation
Sharing of Audit Information
Disassociability
Assessment, Auithorization and Monitoring
Policy and Procedures
Control Assessments
Independent Assessors
Specialized Assessments
Leveraging Results from External Organizations
Information Exchange
Transfer Authorizations
Transitive Information Exchanges
Plan of Action and Milestones
Automation Support for Accuracy and Currency
Authorization
Joint Authorization — Intra-organization
Joint Authorization — Inter-organization
Continuous Monitoring
Independent Assessment
Trend Analyses
Risk Monitoring
Consistency Analysis
Automation Support for Monitoring
Penetration Testing
Independent Penetration Testing Agent or Team
Red Team Exercises
Facility Penetration Testing
Internal System Connections
Compliance Checks
Configuration Management
Policy and Procedures
Baseline Configuration
Automation Support for Accuracy and Currency
Retention of Previous Configurations
Development and Test Environments
Configure Systems and Components for High-risk Areas
Configuration Change Control
Automated Documentation, Notification, and Prohibition of Changes
Testing, Validation, and Documentation of Changes
Automated Change Implementation
Security and Privacy Representatives
Automated Security Response
Cryptography Management
Review System Changes
Prevent or Restrict Configuration Changes
Impact Analyses
Separate Test Environments
Verification of Controls
Access Restrictions for Change
Automated Access Enforcement and Audit Records
Dual Authorization
Privilege Limitation for Production and Operation
Limit Library Privileges
Configuration Settings
Automated Management, Application, and Verification
Respond to Unauthorized Changes
Least Functionality
Periodic Review
Prevent Program Execution
Registration Compliance
Unauthorized Software
Authorized Software
Confined Environments with Limited Privileges
Code Execution in Protected Environments
Binary or Machine Executable Code
Prohibiting The Use of Unauthorized Hardware
System Component Inventory
Updates During Installation and Removal
Automated Maintenance
Automated Unauthorized Component Detection
Accountability Information
Assessed Configurations and Approved Deviations
Centralized Repository
Automated Location Tracking
Assignment of Components to Systems
Configuration Management Plan
Assignment of Responsibility
Software Usage Restrictions
Open-source Software
User-installed Software
Software Installation with Privileged Status
Automated Enforcement and Monitoring
Information Location
Automated Tools to Support Information Location
Data Action Mapping
Signed Components
Contingency Planning
Policy and Procedures
Contingency Plan
Coordinate with Related Plans
Capacity Planning
Resume Mission and Business Functions
Continue Mission and Business Functions
Alternate Processing and Storage Sites
Coordinate with External Service Providers
Identify Critical Assets
Contingency Training
Simulated Events
Mechanisms Used in Training Environments
Contingency Plan Testing
Coordinate with Related Plans
Alternate Processing Site
Automated Testing
Full Recovery and Reconstitution
Self-challenge
Alternate Storage Site
Separation from Primary Site
Recovery Time and Recovery Point Objectives
Accessibility
Alternate Processing Site
Separation from Primary Site
Accessibility
Priority of Service
Preparation for Use
Inability to Return to Primary Site
Telecommunications Services
Priority of Service Provisions
Single Points of Failure
Separation of Primary and Alternate Providers
Provider Contingency Plan
Alternate Telecommunication Service Testing
System Backup
Testing for Reliability and Integrity
Test Restoration Using Sampling
Separate Storage for Critical Information
Transfer to Alternate Storage Site
Redundant Secondary System
Dual Authorization
Cryptographic Protection
System Recovery and Reconstitution
Transaction Recovery
Restore Within Time Period
Component Protection
Alternate Communications Protocols
Safe Mode
Alternative Security Mechanisms
Identification and Authentication
Policy and Procedures
Identification and Authentication (organizational Users)
Multi-factor Authentication to Privileged Accounts
Multi-factor Authentication to Non-privileged Accounts
Individual Authentication with Group Authentication
Access to Accounts — Separate Device
Access to Accounts — Replay Resistant
Single Sign-on
Acceptance of PIV Credentials
Out-of-band Authentication
Device Identification and Authentication
Cryptographic Bidirectional Authentication
Dynamic Address Allocation
Device Attestation
Identifier Management
Prohibit Account Identifiers as Public Identifiers
Identify User Status
Dynamic Management
Cross-organization Management
Pairwise Pseudonymous Identifiers
Attribute Maintenance and Protection
Authenticator Management
Password-based Authentication
Public Key-based Authentication
Change Authenticators Prior to Delivery
Protection of Authenticators
No Embedded Unencrypted Static Authenticators
Multiple System Accounts
Federated Credential Management
Dynamic Credential Binding
Biometric Authentication Performance
Expiration of Cached Authenticators
Managing Content of PKI Trust Stores
Gsa-approved Products and Services
In-person or Trusted External Party Authenticator Issuance
Presentation Attack Detection for Biometric Authenticators
Password Managers
Authentication Feedback
Cryptographic Module Authentication
Identification and Authentication (non-organizational Users)
Acceptance of PIV Credentials from Other Agencies
Acceptance of External Authenticators
Use of Defined Profiles
Acceptance of PIV-I Credentials
Disassociability
Service Identification and Authentication
Adaptive Authentication
Re-authentication
Identity Proofing
Supervisor Authorization
Identity Evidence
Identity Evidence Validation and Verification
In-person Validation and Verification
Address Confirmation
Accept Externally-proofed Identities
Incident Response
Policy and Procedures
Incident Response Training
Simulated Events
Automated Training Environments
Breach
Incident Response Testing
Automated Testing
Coordination with Related Plans
Continuous Improvement
Incident Handling
Automated Incident Handling Processes
Dynamic Reconfiguration
Continuity of Operations
Information Correlation
Automatic Disabling of System
Insider Threats
Insider Threats — Intra-organization Coordination
Correlation with External Organizations
Dynamic Response Capability
Supply Chain Coordination
Integrated Incident Response Team
Malicious Code and Forensic Analysis
Behavior Analysis
Security Operations Center
Public Relations and Reputation Repair
Incident Monitoring
Automated Tracking, Data Collection, and Analysis
Incident Reporting
Automated Reporting
Vulnerabilities Related to Incidents
Supply Chain Coordination
Incident Response Assistance
Automation Support for Availability of Information and Support
Coordination with External Providers
Incident Response Plan
Breaches
Information Spillage Response
Training
Post-spill Operations
Exposure to Unauthorized Personnel
Maintenance
Policy and Procedures
Controlled Maintenance
Automated Maintenance Activities
Maintenance Tools
Inspect Tools
Inspect Media
Prevent Unauthorized Removal
Restricted Tool Use
Execution with Privilege
Software Updates and Patches
Nonlocal Maintenance
Logging and Review
Comparable Security and Sanitization
Authentication and Separation of Maintenance Sessions
Approvals and Notifications
Cryptographic Protection
Disconnect Verification
Maintenance Personnel
Individuals Without Appropriate Access
Security Clearances for Classified Systems
Citizenship Requirements for Classified Systems
Foreign Nationals
Non-system Maintenance
Timely Maintenance
Preventive Maintenance
Predictive Maintenance
Automated Support for Predictive Maintenance
Field Maintenance
Media Protection
Policy and Procedures
Media Access
Media Marking
Media Storage
Automated Restricted Access
Media Transport
Custodians
Media Sanitization
Review, Approve, Track, Document, and Verify
Equipment Testing
Nondestructive Techniques
Dual Authorization
Remote Purging or Wiping of Information
Media Use
Prohibit Use of Sanitization-resistant Media
Media Downgrading
Documentation of Process
Equipment Testing
Controlled Unclassified Information
Classified Information
Physical and Environmental Protection
Policy and Procedures
Physical Access Authorizations
Access by Position or Role
Two Forms of Identification
Restrict Unescorted Access
Physical Access Control
System Access
Facility and Systems
Continuous Guards
Lockable Casings
Tamper Protection
Physical Barriers
Access Control Vestibules
Access Control for Transmission
Access Control for Output Devices
Link to Individual Identity
Monitoring Physical Access
Intrusion Alarms and Surveillance Equipment
Automated Intrusion Recognition and Responses
Video Surveillance
Monitoring Physical Access to Systems
Visitor Access Records
Automated Records Maintenance and Review
Limit Personally Identifiable Information Elements
Power Equipment and Cabling
Redundant Cabling
Automatic Voltage Controls
Emergency Shutoff
Emergency Power
Alternate Power Supply — Minimal Operational Capability
Alternate Power Supply — Self-contained
Emergency Lighting
Essential Mission and Business Functions
Fire Protection
Detection Systems – Automatic Activation and Notification
Suppression Systems – Automatic Activation and Notification
Inspections
Environmental Controls
Automatic Controls
Monitoring with Alarms and Notifications
Water Damage Protection
Automation Support
Delivery and Removal
Alternate Work Site
Location of System Components
Information Leakage
National Emissions and Tempest Policies and Procedures
Asset Monitoring and Tracking
Electromagnetic Pulse Protection
Component Marking
Facility Location
Planning
Policy and Procedures
System Security and Privacy Plans
Rules of Behavior
Social Media and External Site/application Usage Restrictions
Concept of Operations
Security and Privacy Architectures
Defense in Depth
Supplier Diversity
Central Management
Baseline Selection
Baseline Tailoring
Program Management
Information Security Program Plan
Information Security Program Leadership Role
Information Security and Privacy Resources
Plan of Action and Milestones Process
System Inventory
Inventory of Personally Identifiable Information
Measures of Performance
Enterprise Architecture
Offloading
Critical Infrastructure Plan
Risk Management Strategy
Authorization Process
Mission and Business Process Definition
Insider Threat Program
Security and Privacy Workforce
Testing, Training, and Monitoring
Security and Privacy Groups and Associations
Threat Awareness Program
Automated Means for Sharing Threat Intelligence
Protecting Controlled Unclassified Information on External Systems
Privacy Program Plan
Privacy Program Leadership Role
Dissemination of Privacy Program Information
Privacy Policies on Websites, Applications, and Digital Services
Accounting of Disclosures
Personally Identifiable Information Quality Management
Data Governance Body
Data Integrity Board
Minimization of Personally Identifiable Information Used in Testing, Training, and Research
Complaint Management
Privacy Reporting
Risk Framing
Risk Management Program Leadership Roles
Supply Chain Risk Management Strategy
Suppliers of Critical or Mission-essential Items
Continuous Monitoring Strategy
Purposing
Personnel Security
Policy and Procedures
Position Risk Designation
Personnel Screening
Classified Information
Formal Indoctrination
Information with Special Protective Measures
Citizenship Requirements
Personnel Termination
Post-employment Requirements
Automated Actions
Personnel Transfer
Access Agreements
Classified Information Requiring Special Protection
Post-employment Requirements
External Personnel Security
Personnel Sanctions
Position Descriptions
Personally Identifiable Information Processing and Transparency
Policy and Procedures
Authority to Process Personally Identifiable Information
Data Tagging
Automation
Personally Identifiable Information Processing Purposes
Data Tagging
Automation
Consent
Tailored Consent
Just-in-time Consent
Revocation
Privacy Notice
Just-in-time Notice
Privacy Act Statements
System of Records Notice
Routine Uses
Exemption Rules
Specific Categories of Personally Identifiable Information
Social Security Numbers
First Amendment Information
Computer Matching Requirements
Risk Assessment
Policy and Procedures
Security Categorization
Impact-level Prioritization
Risk Assessment
Supply Chain Risk Assessment
Use of All-source Intelligence
Dynamic Threat Awareness
Predictive Cyber Analytics
Vulnerability Monitoring and Scanning
Update Vulnerabilities to Be Scanned
Breadth and Depth of Coverage
Discoverable Information
Privileged Access
Automated Trend Analyses
Review Historic Audit Logs
Correlate Scanning Information
Public Disclosure Program
Technical Surveillance Countermeasures Survey
Risk Response
Privacy Impact Assessments
Criticality Analysis
Threat Hunting
System and Services Acquisition
Policy and Procedures
Allocation of Resources
System Development Life Cycle
Manage Preproduction Environment
Use of Live or Operational Data
Technology Refresh
Acquisition Process
Functional Properties of Controls
Design and Implementation Information for Controls
Development Methods, Techniques, and Practices
System, Component, and Service Configurations
Use of Information Assurance Products
Niap-approved Protection Profiles
Continuous Monitoring Plan for Controls
Functions, Ports, Protocols, and Services in Use
Use of Approved PIV Products
System of Records
Data Ownership
System Documentation
Security and Privacy Engineering Principles
Clear Abstractions
Least Common Mechanism
Modularity and Layering
Partially Ordered Dependencies
Efficiently Mediated Access
Minimized Sharing
Reduced Complexity
Secure Evolvability
Trusted Components
Hierarchical Trust
Inverse Modification Threshold
Hierarchical Protection
Minimized Security Elements
Least Privilege
Predicate Permission
Self-reliant Trustworthiness
Secure Distributed Composition
Trusted Communications Channels
Continuous Protection
Secure Metadata Management
Self-analysis
Accountability and Traceability
Secure Defaults
Secure Failure and Recovery
Economic Security
Performance Security
Human Factored Security
Acceptable Security
Repeatable and Documented Procedures
Procedural Rigor
Secure System Modification
Sufficient Documentation
Minimization
External System Services
Risk Assessments and Organizational Approvals
Identification of Functions, Ports, Protocols, and Services
Establish and Maintain Trust Relationship with Providers
Consistent Interests of Consumers and Providers
Processing, Storage, and Service Location
Organization-controlled Cryptographic Keys
Organization-controlled Integrity Checking
Processing and Storage Location — U.s. Jurisdiction
Developer Configuration Management
Software and Firmware Integrity Verification
Alternative Configuration Management
Hardware Integrity Verification
Trusted Generation
Mapping Integrity for Version Control
Trusted Distribution
Security and Privacy Representatives
Developer Testing and Evaluation
Static Code Analysis
Threat Modeling and Vulnerability Analyses
Independent Verification of Assessment Plans and Evidence
Manual Code Reviews
Penetration Testing
Attack Surface Reviews
Verify Scope of Testing and Evaluation
Dynamic Code Analysis
Interactive Application Security Testing
Development Process, Standards, and Tools
Quality Metrics
Security and Privacy Tracking Tools
Criticality Analysis
Attack Surface Reduction
Continuous Improvement
Automated Vulnerability Analysis
Reuse of Threat and Vulnerability Information
Incident Response Plan
Archive System or Component
Minimize Personally Identifiable Information
Developer-provided Training
Developer Security and Privacy Architecture and Design
Formal Policy Model
Security-relevant Components
Formal Correspondence
Informal Correspondence
Conceptually Simple Design
Structure for Testing
Structure for Least Privilege
Orchestration
Design Diversity
Customized Development of Critical Components
Developer Screening
Unsupported System Components
Specialization
System and Communications Protection
Policy and Procedures
Separation of System and User Functionality
Interfaces for Non-privileged Users
Disassociability
Security Function Isolation
Hardware Separation
Access and Flow Control Functions
Minimize Nonsecurity Functionality
Module Coupling and Cohesiveness
Layered Structures
Information in Shared System Resources
Multilevel or Periods Processing
Denial-of-service Protection
Restrict Ability to Attack Other Systems
Capacity, Bandwidth, and Redundancy
Detection and Monitoring
Resource Availability
Boundary Protection
Access Points
External Telecommunications Services
Deny by Default — Allow by Exception
Split Tunneling for Remote Devices
Route Traffic to Authenticated Proxy Servers
Restrict Threatening Outgoing Communications Traffic
Prevent Exfiltration
Restrict Incoming Communications Traffic
Host-based Protection
Isolation of Security Tools, Mechanisms, and Support Components
Protect Against Unauthorized Physical Connections
Networked Privileged Accesses
Prevent Discovery of System Components
Automated Enforcement of Protocol Formats
Fail Secure
Block Communication from Non-organizationally Configured Hosts
Dynamic Isolation and Segregation
Isolation of System Components
Separate Subnets for Connecting to Different Security Domains
Disable Sender Feedback on Protocol Validation Failure
Personally Identifiable Information
Unclassified National Security System Connections
Classified National Security System Connections
Unclassified Non-national Security System Connections
Connections to Public Networks
Separate Subnets to Isolate Functions
Transmission Confidentiality and Integrity
Cryptographic Protection
Pre- and Post-transmission Handling
Cryptographic Protection for Message Externals
Conceal or Randomize Communications
Protected Distribution System
Network Disconnect
Trusted Path
Irrefutable Communications Path
Cryptographic Key Establishment and Management
Availability
Symmetric Keys
Asymmetric Keys
Physical Control of Keys
Cryptographic Protection
Collaborative Computing Devices and Applications
Physical or Logical Disconnect
Disabling and Removal in Secure Work Areas
Explicitly Indicate Current Participants
Transmission of Security and Privacy Attributes
Integrity Verification
Anti-spoofing Mechanisms
Cryptographic Binding
Public Key Infrastructure Certificates
Mobile Code
Identify Unacceptable Code and Take Corrective Actions
Acquisition, Development, and Use
Prevent Downloading and Execution
Prevent Automatic Execution
Allow Execution Only in Confined Environments
Secure Name/address Resolution Service (authoritative Source)
Data Origin and Integrity
Secure Name/address Resolution Service (recursive or Caching Resolver)
Architecture and Provisioning for Name/address Resolution Service
Session Authenticity
Invalidate Session Identifiers at Logout
Unique System-generated Session Identifiers
Allowed Certificate Authorities
Fail in Known State
Thin Nodes
Decoys
Platform-independent Applications
Protection of Information at Rest
Cryptographic Protection
Offline Storage
Cryptographic Keys
Heterogeneity
Virtualization Techniques
Concealment and Misdirection
Randomness
Change Processing and Storage Locations
Misleading Information
Concealment of System Components
Covert Channel Analysis
Test Covert Channels for Exploitability
Maximum Bandwidth
Measure Bandwidth in Operational Environments
System Partitioning
Separate Physical Domains for Privileged Functions
Non-modifiable Executable Programs
No Writable Storage
Integrity Protection on Read-only Media
External Malicious Code Identification
Distributed Processing and Storage
Polling Techniques
Synchronization
Out-of-band Channels
Ensure Delivery and Transmission
Operations Security
Process Isolation
Hardware Separation
Separate Execution Domain Per Thread
Wireless Link Protection
Electromagnetic Interference
Reduce Detection Potential
Imitative or Manipulative Communications Deception
Signal Parameter Identification
Port and I/O Device Access
Sensor Capability and Data
Reporting to Authorized Individuals or Roles
Authorized Use
Notice of Collection
Collection Minimization
Usage Restrictions
Detonation Chambers
System Time Synchronization
Synchronization with Authoritative Time Source
Secondary Authoritative Time Source
Cross Domain Policy Enforcement
Alternate Communications Paths
Sensor Relocation
Dynamic Relocation of Sensors or Monitoring Capabilities
Hardware-enforced Separation and Policy Enforcement
Software-enforced Separation and Policy Enforcement
Hardware-based Protection
System and Information Integrity
Policy and Procedures
Flaw Remediation
Automated Flaw Remediation Status
Time to Remediate Flaws and Benchmarks for Corrective Actions
Automated Patch Management Tools
Automatic Software and Firmware Updates
Removal of Previous Versions of Software and Firmware
Malicious Code Protection
Updates Only by Privileged Users
Testing and Verification
Detect Unauthorized Commands
Malicious Code Analysis
System Monitoring
System-wide Intrusion Detection System
Automated Tools and Mechanisms for Real-time Analysis
Automated Tool and Mechanism Integration
Inbound and Outbound Communications Traffic
System-generated Alerts
Automated Response to Suspicious Events
Testing of Monitoring Tools and Mechanisms
Visibility of Encrypted Communications
Analyze Communications Traffic Anomalies
Automated Organization-generated Alerts
Analyze Traffic and Event Patterns
Wireless Intrusion Detection
Wireless to Wireline Communications
Correlate Monitoring Information
Integrated Situational Awareness
Analyze Traffic and Covert Exfiltration
Risk for Individuals
Privileged Users
Probationary Periods
Unauthorized Network Services
Host-based Devices
Indicators of Compromise
Optimize Network Traffic Analysis
Security Alerts, Advisories, and Directives
Automated Alerts and Advisories
Security and Privacy Function Verification
Automation Support for Distributed Testing
Report Verification Results
Software, Firmware, and Information Integrity
Integrity Checks
Automated Notifications of Integrity Violations
Centrally Managed Integrity Tools
Automated Response to Integrity Violations
Cryptographic Protection
Integration of Detection and Response
Auditing Capability for Significant Events
Verify Boot Process
Protection of Boot Firmware
Integrity Verification
Code Authentication
Time Limit on Process Execution Without Supervision
Runtime Application Self-protection
Spam Protection
Automatic Updates
Continuous Learning Capability
Information Input Validation
Manual Override Capability
Review and Resolve Errors
Predictable Behavior
Timing Interactions
Restrict Inputs to Trusted Sources and Approved Formats
Injection Prevention
Error Handling
Information Management and Retention
Limit Personally Identifiable Information Elements
Minimize Personally Identifiable Information in Testing, Training, and Research
Information Disposal
Predictable Failure Prevention
Transferring Component Responsibilities
Manual Transfer Between Components
Standby Component Installation and Notification
Failover Capability
Non-persistence
Refresh from Trusted Sources
Non-persistent Information
Non-persistent Connectivity
Information Output Filtering
Memory Protection
Fail-safe Procedures
Personally Identifiable Information Quality Operations
Automation Support
Data Tags
Collection
Individual Requests
Notice of Correction or Deletion
De-identification
Collection
Archiving
Release
Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
Statistical Disclosure Control
Differential Privacy
Validated Algorithms and Software
Motivated Intruder
Tainting
Information Refresh
Information Diversity
Information Fragmentation
Supply Chain Risk Management
Policy and Procedures
Supply Chain Risk Management Plan
Establish Scrm Team
Supply Chain Controls and Processes
Diverse Supply Base
Limitation of Harm
Sub-tier Flow Down
Provenance
Identity
Track and Trace
Validate as Genuine and Not Altered
Supply Chain Integrity — Pedigree
Acquisition Strategies, Tools, and Methods
Adequate Supply
Assessments Prior to Selection, Acceptance, Modification, or Update
Supplier Assessments and Reviews
Testing and Analysis
Supply Chain Operations Security
Notification Agreements
Tamper Resistance and Detection
Multiple Stages of System Development Life Cycle
Inspection of Systems or Components
Component Authenticity
Anti-counterfeit Training
Configuration Control for Component Service and Repair
Anti-counterfeit Scanning
Component Disposal
SC-18(2): Acquisition, Development, and Use
Acquisition, Development, and Use
SC-18(2): Acquisition, Development, and Use
Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements].
Implementation
Not applicable - Not applicable
Planned - The implementation is planned
In progress - The implementation is currently in progress
Partially implemented - The control is partially implemented
Implemented - The control is fully implemented
Alternative implementation - There is an alternative implementation in place (e.g., shared responsibility or inherited implementation)
Not applicable
Planned
In progress
Partially implemented
Implemented
Alternative implementation
Description
None.